JII Compounders #12: Cyber Security Cloud 4493

Buyback of up to 2.43% s/o announced; but net cash still equals 19% of market cap

May 28, 2026

Good morning, everyone. Today’s post is on Cyber Security Cloud (¥17.6bn market cap), trading at 11.9x forward EV/EBIT with 26.0% operating margins (as of Q1 FY12/26), with revenues growing more than 25% for six consecutive years.

Cyber Security Cloud is a subscription security software company that protects web applications from cyberattacks and unauthorized access. Customers pay monthly or annual fees for products like Shadan-kun, a cloud-based web application firewall, and WafCharm, which automatically manages AWS WAF rules so security teams do not have to tune and maintain them manually. Structurally, the business is somewhere between Cloudflare’s application-security function and a cloud-operations tool distributed through AWS Marketplace, but adapted to Japan’s web-security market.

The pitch for Cyber Security Cloud is that the stock is priced like a small-cap SaaS name with platform risk, but the underlying business already has the shape of a higher-quality compounder: about 90% of revenue is recurring, churn is around 1% per month, and Q1 FY2026 operating margin reached 26.0%. The market is focused on whether AWS dependence makes the model fragile, but the next twelve months should give clearer evidence through pricing, retention, and capital allocation. If management can show that margin durability holds, AWS-linked products remain sticky, and cash is deployed without breaking its integration discipline, 11.9x forward EV/EBIT looks undemanding for a company with this growth history.

1. Durable recurring engine

The first reason the stock matters is the quality of the base business. Roughly 90% of revenue is recurring revenue, Q1 FY2026 ARR was ¥5.19bn, and monthly churn was just 1.03% for Shadan-kun and 0.94% for WafCharm. That supports unusually strong economics for a company of this size: operating margin was 26.0% in Q1 FY2026, versus full-year company guidance of 20.0%. Just as important, CSC is one of only two listed companies in Japan to post six consecutive years of 25%+ growth in both revenue and operating profit.

2. AWS dependence cuts both ways

The key debate is whether AWS is a threat or a moat. As of Q1 FY2026, AWS-linked products accounted for roughly 57% of CSC’s total ARR, or ¥2.97bn out of ¥5.19bn, so the platform-dependency concern is real. But the bull case is also tangible: 13 of 15 AWS Premier Tier Service Partners are CSC sales partners, 4,035 users in more than 100 countries had adopted CSC’s Managed Rules for AWS WAF as of December 2025, and the company detected more than 2 billion attacks in 2025 alone. That attack data feeds CSC’s proprietary AI engines and helps it keep improving the rules customers rely on. If AWS expands native tooling but WafCharm churn stays stable, the market may have to give more credit to CSC’s value-added layer.

3. Catalysts are now visible

The near-term setup is more concrete than the valuation suggests. Management is already raising prices across several products, with WafCharm having seen unit-price increases for about 30% of users due to rising AI bot traffic, and JII flags Q2-Q3 2026 as the first window where ARR trends should show whether pricing lifts revenue without pushing churn higher. On top of that, the company announced a buyback on May 22, 2026 of up to 250,000 shares, capped at ¥450mn, and it still holds ¥3.64bn of cash with net cash equal to 19% of market cap. That gives CSC room to keep running its proven small-deal M&A playbook while investors watch whether the February 13, 2026 medium-term plan toward ¥20bn revenue and ¥4bn operating profit by FY2030 starts to look credible.

Click here to download the buyback disclosure on May 22 (in Japanese)

Click here for the full post: https://jpinv.com/en/compounders/4493/

JII Compounders

Discussion about this post

Ready for more?