Next Investors logo grey

A$5.7M capped WHK renews US$2.4M contract. US Department of Defence makes supply chain cyber security mandatory.

|

Published 19-DEC-2024 12:32 P.M.

|

13 minute read

Disclosure: S3 Consortium Pty Ltd (The Company) and Associated Entities own 14,706,087 WHK shares and 5,250,000 options at the time of publishing this article. The Company has been engaged by WHK to share our commentary on the progress of our Investment in WHK over time.

Last week our micro cap AI and cybersecurity Investment, the A$5.7M capped WhiteHawk (ASX:WHK), signed a 2-year, US$2.4M contract extension

...with a “top 5 global social media company”.

(WHK can’t reveal the name due to sensitivity around cyber security... but you can probably guess who it is)

A contract RENEWAL of this size shows that the WHK’s AI cybersecurity tech is valuable to customers.

After a full year of usage, this giant organisation decided they like WHK’s tech enough to renew for 2 full years.

WHK’s cybersecurity tech helps huge organisations monitor and mitigate cybersecurity risk across their supply chains.

Giant organisations like government, defence, and Fortune 500 companies with big sprawling supply chains.

Most giant organisations treat cybersecurity seriously.

Third party supply chains are their vulnerabilities.

Cyber attacks often happen through weak points in an organisation's supply chain.

(the number of supply chain attacks doubled in 2024 compared to 2023, at an estimated cost of ~US$50BN).

WHK’s supply chain cybersecurity tools make it easier for giant organisations to evaluate their cyber security protocols and make improvements to protect against costly cyber attacks via their supply chains.

For years, the US Department of Defence has been preparing to mandate supply chain cybersecurity.

Some companies have voluntarily started implementing it, but many lag behind.

Even while voluntary, WHK managed to sign deals with giant organisations in US government and US Defence industrial base

On December 16th (3 days ago) it became mandatory across US defence.

It is called Cybersecurity Maturity Model Certification (CMMC) Program and it is “designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors”.

Next Investors Image

(Source)

This long awaited US government directive has finally been implemented - which will mandate that US government defense contractors have cybersecurity technology in place across their supply chains.

Exactly what WHK offers.

(We’ve been waiting a long time for this, and WHK has the products to ensure that the ~300,000 government defense contractors are ready for CMMC)

We expect an increase of interest in WHK’s offering as this directive becomes enforceable over the next 6 to 12 months.

WHK’s current market cap is A$5.7M (at 0.9c/share).

WHK recently raised $1.7M at 1c/share, and also plans to pay off a big chunk of its Lind debt.

(this is that Lind convertible note that has been weighing on the WHK share price for a couple of years - great to see it being reduced)

2024 is already shaping up nicely for WHK relative to last year's revenue with US$2.1M contracted relative to 2023’s US$1.8M.

In October, WHK forecasted it can deliver US$3-3.5M in revenue this Calendar Year.

WHK has previously said that it needs to get to US$3.5M in annual revenue to be cash flow positive - and it's getting quite close to that now.

So with last week’s US$2.4M contract win (US$1.2M per year for the next 2 years) we now have a decent chunk of forward revenue locked in - a good base to work from.

Most of WHK’s other contracted revenue comes from a US$700K per year cybersecurity contract with the US Department of Defence

(another pretty major organisation that is hard to get ‘in’ to).

With a +US$20M sales pipeline, we think WHK only needs a couple more deals like last week’s extension to give it the financial breathing room needed to really scale.

(and start being able to raise “scale up” capital at materially higher share prices, instead of “stay alive” capital at low prices like the last couple of raises we invested in)

We have been Invested in WHK since a pre IPO round way back in 2016, and have followed the progress of the company and re-Invested over the last eight years through various ups and downs.

Since the IPO we have continued to average down on our position.

We think the recent share price performance has a lot to do with a slow sales cycle and more recently a convertible note facility from Lind that the company’s capital structure has had to digest.

With a US$20M+ sales pipeline, we think even 10% of that market in signed deals could get WHK into a cash flow positive position and see the company’s share price moving in the right direction again.

Tech companies can scale quickly, and once at scale, can throw off significant amounts of cash.

For this reason they can attract higher earnings multiples.

The first step for WHK though is proving to investors that it has a sustainable business model - which means hitting operating cash flow break even.

Below is a slide from an October WHK presentation which outlines its previous revenue figures since 2018.

(we’ve marked the slide up to show what additional revenue WHK needs to bring in during 2024 and beyond to achieve this):

Next Investors Image

With US$2.4M (over two years - US$1.2M per annum) locked in already, we are backing WHK to get a few more deals done and get the business into a cashflow positive position over the next 12-18 months.

WHK’s current revenues can be broken down into a few very large contracts, and a number of smaller ones...

  • “Top 5 global social media company”, at US$1.2M per year
  • US Federal Government, at US$700K per year and up to $600K in services
  • About 5-10 US$50K-$100K deals offering the Cyber Risk Program.

The big chunky deals that make up the majority of WHK’s revenues are very hard to secure.

BUT once WHK does sign up a big customer they can become sticky long term users, and the contract values are generally large.

Especially now that the US DoD has mandated mitigation of cyber risk across supply chains.

This is the benefit of large, difficult to obtain contracts - the lifetime customer value is high.

We have seen companies in the past show a lot of promise, develop great technology over many years, but the share price languishes due to taking a long time to sign new customers, shareholders lose patience and sell.

... then the share price makes a big comeback once the contracts finally start coming in and the shareholder register is refreshed.

(Ideally we first try to get into a tech stock at this inflection point)

This is what we hoped for with WHK in 2023 and 2024, but it might be that 2025 is finally the year for WHK.

This is part of investing in small caps - things take longer than you expected.

Of course there’s no guarantee as well - WHK is a small company and is a high risk investment.

At the start of the year WHK had three promising $1M+ deals in the pipeline with strategic partner Peraton.

Peraton is a massive US government IT services contractor with US$7BN in annual sales revenue.

It appears from WHK’s latest quarterly announcement that each of these $1M+ deals are still “live”, but have been delayed.

The US$2.4M deal with the “top 5 social media company” signed last week sets WHK up very nicely for 2025...

We hope that the company can continue to close a number of larger, stickier deals and capitalise on the potential influx of defence contractors that need to upgrade their cybersecurity.

Our WHK Big Bet

“WHK becomes a $500M technology by securing new contracts and partnerships as legislation and public pressure force governments and companies to invest in cybersecurity”.

NOTE: our “Big Bet” is what we HOPE the ultimate success scenario looks like for this particular Investment over the long term (3+ years). There is a lot of work to be done, many risks involved - just some of which we list in our WHK Investment Memo. Success will require a significant amount of luck. There is no guarantee that our Big Bet will ever come true.

The above was written some time ago when WHK was capped higher - right now a $500M market valuation looks very far off for WHK.

For WHK, as a first step that we would be very happy with, we want to see the company sign some long awaited large contracts and re-rate to ~$30M market cap - which is ~5x from current prices - a more realistic near term goal in current market conditions.

New cybersecurity rules approved this week could spark “sales rush” for WHK services...

After a number of years, a new US Department of Defence rule has finally been put into place and will become enforceable during 2025.

By the middle of 2025, all contractors to the US Department of Defence will likely need to have some level of cybersecurity in place (depending on how exposed they are to sensitive information).

As WHK investors, we have been waiting over four years for this news.

In 2010, the U.S. Department of Defence (DoD) recognised the huge cyber risks that come from having more than 300,000 companies as part of the US Defense Industrial Base supply chains.

These companies often hold sensitive information and it can be hard for the DoD to monitor the cybersecurity of each of these companies.

In order to create a standardised framework it developed the Cybersecurity Maturity Model Certification (CMMC), to assess the DoD’s contractors and subcontractors’ security and cybersecurity capabilities.

These rules have been in development for years) but as of this week, they are now in effect:

Next Investors Image

(Source)

What do these new rules do?

Essentially, these new rules means that any contractor or subcontractor that does business with the U.S. DoD will require CMMC certification for cyber security.

Depending on what level of exposure the contractor has will determine the level of cybersecurity that they need.

Each contractor to the US Department of Defence will need SOME level of cyber security by mid-next year in order to secure defence contracts.

And WHK is in a prime position to provide this service.

WHK has already worked with a number of companies to help their compliance under these new rules.

Although the rules are in effect now, the implementation of the rules will likely take effect mid 2025 when they will be ratified into defence contracts.

So, that is +300,000 US Defence Contractors that will need to upgrade their cyber security over the next 6 months.

Urgently...

And we could see more defence contractors rushing to update their cyber security in order to comply with these new rules.

... WHK has an “off the shelf” solution...

Although the market hasn’t quite picked this up yet, these new rules could be a big sales catalyst for WHK to implement this service.

We are hoping that WHK can capitalize on this development.

How will the new rules be implemented?

The CMMC will be rolled out in a phased approach with phase 1 requiring a self-assessment.

Phase 2, for which timing still to be determined, will require either self-assessments or third party certifications.

All third-party CMMC certification for these Defence Industry Base companies will be good for three years, and contractors will be required to provide confirmation of compliance annually.

WHK can provide solutions for both phases — as a third party assessor and in assisting the DoD supply chain companies in conducting their self assessment.

These companies are not currently at all equipped to conduct self assessments alone.

WHK extends US$1.2M annual contract for two more years - total US$2.4M

In December last year WHK signed a US$1.2M deal with a “Top 5 Social Media Company” for Third Party Risk Management (TPRM) services.

Last week, the company extended the contract for another 2 years for a total contract value of US$2.4M.

This contract now has a total value of US$3.6M to WHK and is external validation of the company’s services.

Mysterious “Top 5 Social Media Companies” like the one WHK signed an extension with are certainly important blue chip clients to have - even if WHK can’t explicitly say which one it is.

And it shows that WHK’s product has value in the eyes of a mega-cap company.

But what exactly does WHK’s product do for this company?

A lot hinges on WHK’s TPRM or Third Party Risk Management.

At a high-level, the TPRM services product that WHK provides is a process of identifying and mitigating risk based on external vendor partnerships.

Think of it a bit like a dashboard that provides monitoring and analytics on third parties that interact with a global tech company’s tech stack.

AI helps with the generation of data used by an Application Programming Interface (API) for monitoring these third parties, measuring the level of risk associated with their technology.

An API is a type of software interface that helps computers talk to each other, with large amounts of data.

The daily volume of attacks on APIs has been growing at a rapid pace - with over 100M attacks daily around the world occurring every day (Source).

So given WHK has its own API for measuring third party risk - it makes sense why the company can’t talk specifically about who it is working for.

Risk has long been the space that WHK works in for these unnamed large tech companies.

These large global tech companies aren’t a single monolith of technology - there can be hundreds or thousands of third party vendors that they work with whose technology interacts with the tech stacks of these giant companies.

These interaction points can expose companies to cyber risk and new attack vectors - so WHK’s products and services help mitigate this risk by identifying potential problems before they can be exploited.

Here’s an image which we think represents how WHK’s products and services work:

Next Investors Image

Increasingly, these threats are sophisticated and so WHK is using AI and automation to tailor its products and services to the problems at hand.

Indeed, these attackers may themselves employ AI and automation to achieve their goals.

We’re glad that WHK is moving towards greater use of AI and automation - and we think it is definitely in keeping with current trends in cybersecurity.

Again in terms of deal value - the US$2.4M a year contract is a big contract for the company - and more of the same or even better contracts could go a long way towards improving WHK’s fortunes.

What’s next for WHK?

Convert sales pipeline into signed deals 🔄

Next we want to see WHK close some of the larger $1M+ deals in their $20M sales pipeline.

We also want to see WHK drive sales with US Department Of Defence contractors now that new CMMC rules are being put into effect.

What could go wrong?

Sales/Delay Risk

Large, lumpy cybersecurity contracts, like the ones that WHK is looking to secure, can take longer than expected to be signed.

WHK relies on the cash generated from these deals to support operations.

If deals are taking longer than expected it puts pressure on the WHK balance sheet and investor sentiment.

Funding / Dilution risk

WHK, like all small cap companies, is subject to funding and dilution risk.

Capital raises can lead to dilution and may take place at a discount to market prices, reducing the value of WHK shares.

Capital may not be available depending on the market, and may need to be secured through a variety of instruments which can undermine the financial and share price performance of the business.

Market Risk

The market could sell off or a bear market could continue for longer than expected taking the WHK share price down with it.

Our WHK Investment Memo

Along with the key risks, our WHK Investment Memo provides a short, high-level summary of our reasons for Investing.

In our WHK Investment Memo you’ll find:

  • WHK’s macro thematic
  • Why we Invested in WHK
  • Our WHK “Big Bet” - what we think the upside Investment case for WHK is
  • The key objectives we want to see WHK achieve
  • The key risks to our Investment thesis
  • Our Investment Plan


General Information Only

S3 Consortium Pty Ltd (S3, ‘we’, ‘us’, ‘our’) (CAR No. 433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information and is for informational purposes only. Any advice is general advice only. Any advice contained in this article does not constitute personal advice and S3 has not taken into consideration your personal objectives, financial situation or needs. Please seek your own independent professional advice before making any financial investment decision. Those persons acting upon information contained in this article do so entirely at their own risk.

Conflicts of Interest Notice

S3 and its associated entities may hold investments in companies featured in its articles, including through being paid in the securities of the companies we provide commentary on. We disclose the securities held in relation to a particular company that we provide commentary on. Refer to our Disclosure Policy for information on our self-imposed trading blackouts, hold conditions and de-risking (sell conditions) which seek to mitigate against any potential conflicts of interest.

Publication Notice and Disclaimer

The information contained in this article is current as at the publication date. At the time of publishing, the information contained in this article is based on sources which are available in the public domain that we consider to be reliable, and our own analysis of those sources. The views of the author may not reflect the views of the AFSL holder. Any decision by you to purchase securities in the companies featured in this article should be done so after you have sought your own independent professional advice regarding this information and made your own inquiries as to the validity of any information in this article.

Any forward-looking statements contained in this article are not guarantees or predictions of future performance, and involve known and unknown risks, uncertainties and other factors, many of which are beyond our control, and which may cause actual results or performance of companies featured to differ materially from those expressed in the statements contained in this article. S3 cannot and does not give any assurance that the results or performance expressed or implied by any forward-looking statements contained in this article will actually occur and readers are cautioned not to put undue reliance on forward-looking statements.

This article may include references to our past investing performance. Past performance is not a reliable indicator of our future investing performance.