Hi everyone, and welcome to ABG Investor Days. My name is Nikola Kalanoski, and I'm an equity research analyst here at ABG. With us today, we have John Vestberg, CEO of Clavister. He will present to us the company for about 20 minutes, and then we'll have an opportunity for a Q&A for about five minutes. And with that said, John, the floor is yours.
Thank you very much. Nice being here. I think we can all agree that we live in very turbulent times right now. From a cyber point of view, we at Clavister would like to talk rather about cyber war than the typical cyber threats or cyber risks that you typically hear about in the media. Reason being, there is a real cyber war going on. If you look at what Clavister is doing, we have set out a mission for ourselves to cyber protect Europe. And we know that that is quite a bold statement coming from a small vendor like Clavister, but we do believe there is merit to a statement like that. Reasons being the following. You all know the geopolitical tension happening in the world right now, especially close to Europe. With the new presidents in the US, this might increase even more.
We have concrete wars raging near the borders of Europe. The need for European cyber defense has never been greater than today. And in fact, Europe is really pushing the narrative of European cybersecurity solutions. Clavister today is one of the very few European vendors that can provide a portfolio of solutions and products that can really fight the cybercrime. Typically, we are up against the huge US incumbent vendors, but within the scope of Europe and within the scope of customers with mission critical applications, defense, telecom, energy, public administration, Clavister is really one of the few that can deliver that type of product. Maybe a little bit of a cliché, but cybersecurity today is a team game. It's about trust more than product. Product is important, but trust is as important.
Years back, you could fight cyber crime with a fire and forget or single point of technology installation. You had an intrusion, you bought a firewall, you had a virus problem, you bought an antivirus solution. Those days are long gone. Now, basically as a customer, you select a cyber security vendor, you select a partnership, a partnership for many, many years to come. With that said, what Clavister can demonstrate, first of all, is building on more than 25 years of cyber security investments. So we're not a startup. We've been in the industry for a long time. We've built solutions over a long time. We can demonstrate trust from that perspective. We have also been able to attract blue chip customers, quite impressive ones, I would say. BAE Systems, Nokia, Ericsson, those types of customers.
But in the type of customers we are addressing, when we talk about mission critical applications, when we talk about defense, telecom, and so forth, third party accreditations, third party recognition is important. Even though we have fantastic customers, fantastic track record in terms of technology, you still have to prove your worth of existence using third party accreditations. So over the past years, we've spent quite significant time in addressing accreditations. And as we all know, accreditations, third parties that basically vote for your products, vote for your existence, literally. I'll just talk about a few of them that are important. Recently, we got included in NATO's product catalog. So NATO has an agency called NCIA that is the cyber or information security part of NATO.
They have a product catalog where they basically certify products that are known to be sufficient and good to be used in NATO environments. We got included in that. We are a member of today's five different European Defence Fund projects where the European Defence Fund is researching and investing in research with actors like Clavister, BAE Systems, Rheinmetall, and so forth. So that gives us a good insight into the industry. It gives us a good network and, of course, some proper R&D financing as well. Trust is only one thing, however. Of course, technology products have to be state of the art. Again, we're building on 25 years of tech investments. And in this context, among investors, I think it's important to state that over these 25 years, we've invested north of SEK 700 million of software, mainly software R&D.
The majority, the vast majority of that investment is still part of Clavister's IPR. We have a very, very little degree of sunk cost, which is quite remarkable over 25 years. As a consequence of this, we've been building what we refer to, a bit bold statement, but claiming that we have the most robust cyber security solutions. How can we claim that? Well, first of all, it comes from a technology heritage, the fact that we've been building our products and our tech in a certain way over very many years. We've taken the route on building our products in-house, meaning most vendors in this world, they base their products on a cocktail of different components, different third party components, maybe outsourcing to Asia and so forth. We've done nothing of that. We've built the entire product portfolio in-house in Sweden.
That has been costly, of course, but it has resulted in Clavister owning the full stack of IPR, giving us full flexibility of licensing, giving us the fantastic gross margins that we're able to demonstrate. But even more important, it gives security and robustness. If we look at some third party numbers, these are official numbers you can also research yourself, looking at the amount of publicly known vulnerabilities or security issues that are found in security products. In this context, few vulnerabilities is good, obviously. And as per end of June, Clavister could demonstrate only five publicly known vulnerabilities over the course of 25 years, whereas the huge American vendors in their products, quite different perspective, quite different picture. Even more important, I would say, within the scope of critical infrastructure and mission critical applications is the robustness that the products can really demonstrate.
So if we look at the overall install base of Clavister products, the average uptime is close to eight years, which means basically the products operate and operate, and you need essentially a power outage to kill our products. That is important, of course. Being in cyber means having to be on top of a lot of new threats all the time, being on top of innovation at all times. I already mentioned that we are part of a number of EDF research projects. We recently, a couple of years back, we acquired a very interesting AI, ML technology. All companies, of course, have an AI story today. We are not an exception. We acquired a very nice AI technology, being a Chalmers research startup project, which is now patented on a European level.
This brings AI capabilities to all our products, which means that we can in real time detect advanced threats, zero-day threats, anomalies on a level which really none of our competitors can do. Super important and super proud that this type of technology is being developed in Sweden. Typically, you see this only from the U.S. Sweden is our home base, obviously, but we have presence as well in parts of the rest of Europe. We have a partner network that provides sales support and professional services on our products, being represented more or less in all countries in Europe. So we have a fantastic reach with our products. I mentioned earlier, we focus on mission critical applications. What does that mean in practice? Well, it means four distinct customer groups. Public administration, so that's your typical municipalities, regions, state agencies within Europe.
It means energy and utilities, so basically the actors that provide our daily energy. It means defense and telecom. So four customer groups that have one important thing in common. A successful cyber attack against any of these actors will have catastrophic consequences for society. In defense, even lethal consequences for individual soldiers. Just giving you, in respect of time, a snapshot of what we do in one of these areas within the energy and utilities area. What are the market drivers, the growth drivers? Well, first of all, of course, again, the geopolitical situation. Threat actors from Russia, from other nations, they are attacking European infrastructure, European energy grids, basically to weaken society, perhaps to prepare for an invasion or whatnot. Another market driver is the NIS2 Directive, the new EU directive that becomes national legislation this year and next year.
One of our larger customers in this area is the German RWE, the second largest energy company in Germany. They had a challenge to basically build up a green energy structure in Germany and at the same time making sure that you have full control, security, operation, monitoring of all the distributed power plants they have in Germany. After a tender process, they eventually selected Clavister, which means that we are now located in hundreds and hundreds of power plants, solar cell parks, windmill parks, and so on across entire Germany, with encrypted communication, secure communication to a network operating center in Düsseldorf. Practical example of how our products are being used in the scope of critical infrastructure, and obviously, this is an area where, again, robustness, security is super essential. If our products would fail, Germany's energy production would literally fail. That's what's at stake here. Another area, defense.
Obviously, it's no surprise that the defense budgets are just exploding, going through the roof. If we look at the cyber spending in defense, we're looking at $63 billion by 2032. Massive, obviously. We have, in that bigger scope of market, we have selected a niche, which we call tactical security, which essentially means security being deployed on a more near field level, near tactical level, on vehicles, on naval ships, on airplanes potentially, on individual soldiers. Basically, areas which are undergoing a lot of digitalization right now and where the market is basically just exploding. One of our key reference cases is with BAE Systems, where they have equipped all of the CV90 vehicles being produced in Sweden with Clavister products.
So in each and every CV90 infantry fighting vehicle, there are two to three Clavister products, hardware and software combined, protecting the vehicle, protecting the soldiers basically against cyber attacks. And again, this is an area where a successful cyber attack would mean that the vehicle would literally stop. And you can imagine if CV90 stops in Donbas in Ukraine, you can figure out what's happening. Super critical. If we move on to some financial numbers and looking at Q3, starting with order intake. Order intake is by definition a bit lumpy in Clavister. There is a base business in Clavister, which comes from our products being sold to the civilian side, if you like. Again, municipalities, public sector, energy companies, a fair degree of enterprise companies as well. This provides a stable, steady growth for us. There is a strong seasonality. Q4 is always the strongest quarter for Clavister.
And then our business with telecom and defense by nature adds lumpiness on top. So that's obviously why you can see Q4 last year stands out extremely aggressively with large defense orders coming in. In terms of order book, we have roughly SEK 230 million, mainly coming from defense and telecom orders. The turnaround time for more civilian type of orders are typically within one to two weeks, so that typically doesn't show up in our order backlog at all. If we then move to net sales here, thankfully we can show a much smoother ride with going back a number of years, a fairly slow growth rate, even flattish, that turned into single digit growth, which has recently, over the past one and a half year, turned into double digit growth, and we're sort of approaching the 20% year-on-year growth that we have as a target.
If you adjust for currency effects, there is some currency headwind given SEK to euro and SEK to US sales, but around 20%, that's where we are operating right now in terms of growth. The majority of our sales is software licensing, and 70% of our revenues are recurring in terms of recurring licensing or ARR, if you like. Our sales is distributed over many contracts, 20,000 active contracts. So there is a broad base of steady recurring revenue growing. Typical contract length, 12 months. You might consider 12 months to be a bit low. This is by design. In the past, we had three years, even five years contracts that created a negative lock-in for us. Basically, we were unable to increase prices. We had much less flexibility.
Reality is most all customers that invest in a Clavister product or a Clavister solution, that is quite a work to install products, operate products, and then you're up and running. That creates stickiness. So after 12 months, customer is not moving away anyway, even if the contracts are only 12 months. So with an average contract length of 12 months, we can have much more flexibility. We can have constant price increases on a reasonable level, of course, and be much more dynamic. Gross profit, we operate on 80% gross margin. That has been our target for a quite long time, and there is maybe a single quarter in the past three years that we missed that target, but around 80%. Worth mentioning when you look at Clavister, and this might be contradictory, but still worth mentioning, in periods of high growth, our gross margins are depressed.
Reason being, when we ship new products, when we ship new solutions to customers, they are heavily centered around hardware in the beginning, and then comes the long tail of software licensing revenue that continues to tick over contract period. Given that hardware, of course, is sold to a smaller margin, that creates a sort of depression on gross margin initially in that quarter. Then it picks up following software licenses. From an OpEx point of view, worth mentioning again, all our products are standardized, non-bespoke. We don't do any custom development for a single customer. We might have customer-funded development, but that is then distributed on all our customers. The cost drivers we have in Clavister are first and foremost additional sales, investing in more sales capacity, more sales capability.
We have around EUR 4 million or SEK 40 million of capitalized development annually, and that is a level that we're sort of comfortable with as of now, at least. We did a number of cost optimizations starting already in 2022. We reduced our run rate OpEx with 25%, quite massive cost down, which has led to quite an interesting development. So top line growing with 20%, OpEx decreasing with, of course, EBITDA taking a fantastic leverage from that combination. So moving back even one year earlier, we were operating at not so fancy minus 55% of EBITDA. Last quarter, we closed at plus 25%. And important to note, we are not satisfied. Well, we are satisfied with the development, but 25% is not an end goal when it comes to EBITDA. It's a milestone, but we would like to see this trend continue, of course. Final slide.
Our ambition is to be, again, operating at 20% or above in net sales growth, 80% of gross margins. We are already there, and 20% plus of adjusted EBITDA margin and operational cash flow, which is also what we have been demonstrating in the past quarters in 2024.
So with that. Excellent. Thank you very much, John. So you mentioned the increasing importance of technology origin, and you brand yourself as made in Sweden. Could you perhaps give us a little bit of an overview or update on the competitive landscape in that context?
Right. Well, again, as I mentioned, the main large competitors within the cybersecurity market are US, some Israeli, but mainly US. If we look at the European market, well, there are a few niche players. You could see Clavister as a small niche player, of course, but you don't see too many, let's call it incumbent vendors that we fight with. So typically, when we engage in larger tenders, it is against the large U.S. players. And in the customer groups we're targeting, the sort of European origin is a strong advantage in this environment, at least.
Yep, that makes a lot of sense. And then on financials, you're targeting sales growth of at least 20% per year, and you're now, of course, close to that level. It's been supported by some growth in defense, as you mentioned, and that came from some low levels. What do you think are the key drivers of growth going forward?
Well, basically, to summarize it, defense contracts are one. We still have not seen recent defense contracts kicking in on our P&L yet. That's still to come in 2025 and 2026 and onwards. All the operational changes we've made in the past two years, they have just started to show growth impact. So we sort of continue to see that, and of course, selected investments in sales, that's something that yields result, maybe not in the first quarter, but two to three quarters in, that's demonstrating growth as well.
Very clear. I think what's very interesting here is the scalability of the business model. So you grow rather quickly. You explain the dynamic of high growth, low margins initially, but then you get the recurring portions, that software. So you have these relatively high gross margins of about 80% today. How do you expect to scale on OpEx going forward? Can you scale a lot with the existing staff base, or are there any necessary changes to that?
Absolutely. So the OpEx increase that we might see going forward are mainly related to sales capacity. So selected investments in sales headcount, basically growth enablers from a sales standpoint. Just to make a sort of reflection, we brought in the huge defense contract in Q4 last year of SEK 170 million. The additional OpEx to support that contract is one headcount, not more. Even if we add more contracts on the same magnitude, we don't need to scale OpEx. It's standard products. I think that's the key takeaway.
Yeah, so one extra headcount on 170 million contract. That's scalable.
Yeah. It is.
Wonderful. And just to wrap up, we're almost out of time. What do you most look forward to in 2025?
I think the thing I'm looking forward to, and this might come as an inside-out perspective because I know how much is cooking in Clavister. If you look at Clavister from an external point of view today, not looking at the quarterly reports, looking at website, looking at product material, looking at marketing, you see one Clavister. That, in my view, is representing Clavister as it looked like three, five years ago. What's cooking behind the surface or beneath the surface is representing what we are today. And I think all of that will be exposed in 2025. So I'm really looking forward to get a fresh brand message, marketing message, and really exposing the good tech we have in a much, much, much better way.
Wonderful. So we're all excited about Clavister 2.0 in 2025.
To some extent, yes.
Perfect. Well, thank you very much, John.
Thank you.
Very helpful. And thank you to everybody else for listening in.