Cybersecurity Companies Are Raking in Millions. Many Don’t Turn Profits.

Public markets are rewarding the sector as corporations ramp up digitizing their operations and investing in cybersecurity to ward off a surge in threats. The dynamic is pushing Mr. McClain, who tries to balance profitability and growth, to lean in the latter direction to stake SailPoint’s claim on a booming market.

“There is kind of a land grab,” said Mr. McClain, whose company posted net losses for each of the past two fiscal years while accelerating revenue growth. SailPoint’s share price has more than tripled since March 2020.

WSJ Pro Cybersecurity reviewed regulatory filings from companies in the Nasdaq CTA Cybersecurity Index, selecting firms that primarily do business in security and excluding those that make most of their revenue from other things, as well as firms that are based abroad and report less regularly to the U.S. Securities and Exchange Commission. Of the 26 companies selected, 17 posted net losses for their most recent fiscal year under generally accepted accounting principles, and 12 reported net losses for each of their three latest fiscal years.

Still, the price of shares in an exchange-traded fund that tracks the index has jumped about 50% over the past 12 months as many of the companies have posted annual revenue growth rates well into double digits.

To be sure, it isn’t unusual for businesses to take a while to become profitable, or to be unprofitable yet have their shares go up. Electric-vehicle maker Tesla Inc., founded in 2003, recorded its first full-year profit in 2020. Last month, the company surpassed $1 trillion in market value after its stock price more than doubled over the past year.

Many cyber vendors are in the red as they race to find new customers, pumping money into sales and marketing, boosting research and development, or gobbling up competitors. For those companies, profitability remains a long-term goal.

The upshot is that investors are pouring funds into many unprofitable publicly traded cybersecurity businesses. Paul Auvil, chief financial officer of cyber company Proofpoint Inc., warns that some weaker firms’ valuations could collapse.

“This doesn’t end well,” said Mr. Auvil, whose company went private this year in a $12.3 billion acquisition by private-equity firm Thoma Bravo. Proofpoint had reported net losses of more than $100 million for each of its three fiscal years before going private.

The most valuable publicly traded cybersecurity business is CrowdStrike Holdings Inc., which has a market capitalization of more than $63 billion. The cloud security and incident-response company has reported net losses totaling $375 million for its past three fiscal years, but its annual growth rate hit 81% or higher in each of those periods. CrowdStrike reported $874 million in revenue for the 2021 fiscal year.

CrowdStrike declined to comment, citing a quiet period before its next earnings announcement.

Investors are piling into high-growth tech companies as more of daily life moves online. In the cybersecurity industry, a sharp increase in ransomware attacks, espionage campaigns and other hacks has sparked a new wave of public- and private-sector spending.

The current rise in threats outpaces previous cycles that powered cyber investment, such as surges in computer viruses, intellectual property theft and information warfare, said Dave DeWalt, founder of cyber-focused venture-capital firm NightDragon LLC. The question, he said, is when the pendulum will swing back.

“Whenever threat cycles reach those levels, man, do you see growth,” said Mr. DeWalt, former chief executive of cyber firms FireEye Inc. and McAfee Inc. “Whenever they dip, people on Wall Street ask what the health of that company is from a bottom-line perspective.”

FireEye, now called Mandiant Inc., has reported net losses every year since going public in 2013. In June, it sold the division housing its network, email and cloud security products, as well as the FireEye name, for $1.2 billion. Now focused on cyber-incident response and a virtual cybersecurity platform, it has rebranded as Mandiant, recycling the name of Kevin Mandia’s company, which it bought in 2013.

Mr. Mandia said he initially envisioned such a sale on the first day he became CEO in 2016, fearing the security-products unit could drag down the company’s overall growth rate. The split will allow the firm to focus on its strength in investigating breaches and better target its spending in high-growth areas to avoid diminishing returns, Mr. Mandia said. “You’ve got to figure out where that line is. That’s the art form.”

The company has gained prominence for its role in responding to incidents such as the hack of SolarWinds Corp. software last year and the breach of Colonial Pipeline Co. in May .

Mandiant’s third-quarter results Thursday showed a net loss of $68 million and 22% year-to-year revenue growth, an uptick from the previous quarter.

Net losses rarely hinge on one factor. Many startups offer employees equity as part of their compensation, creating a double-edged sword that companies must face if they hit it big in public markets.

“When you have high-growth companies that have valuable stocks, stock-based compensation becomes large,” said Jay Chaudhry, chief executive of San Jose-based Zscaler Inc. In its 2021 fiscal year, the cloud-security company shelled out more than $258.5 million on such compensation and related expenses—almost as much as its net loss of $262 million for the period. Zscaler is valued at $46 billion.

While Splunk Inc. Chief Executive Doug Merritt sees packages of stock options as key to attracting talent, he recently began trying to cut such costs by offering new employees other perks instead, such as enhanced health benefits, or seeking candidates less demanding of equity.

“We all need to get to profitability,” said Mr. Merritt, whose data-monitoring firm was founded in 2003, went public in 2012 and reported a net loss of $908 million for its latest fiscal year. “And it’s ideal if it doesn’t take 20 years.”

Cyber firms have also stepped up acquisitions, which can come with multimillion-dollar costs beyond the purchase price. For identity-management firm Okta Inc., the $6.5 billion purchase of Auth0 Inc. in March is expected to “significantly increase” expenses due to hiring more people and expanding operations, the company said in its most recent regulatory filing. Okta declined to comment further.

Expenses such as acquisition costs and stock-based compensation drag down companies’ bottom lines. But many firms exclude such sums when providing investors with adjusted earnings.

While Columbia, Md.-based Tenable Inc. incurs net losses when measured with generally accepted accounting principles, the firm turns a profit if viewed through a non-GAAP lens. Chief Financial Officer Steve Vintz said the adjusted metrics provide a better snapshot of the money coming in and going out of the business daily.

Tenable last year generated $44 million in free cash flow, money that remains after operating and capital expenditures. “Cash flow don’t lie,” Mr. Vintz said.

At SailPoint, the identity-management firm valued at $4.5 billion, Mr. McClain said he has had to increase spending to shift the company from providing security tools used in offices to selling software accessible via online subscription.

The trick, Mr. McClain said, will be satiating Wall Street’s appetite for growth while creating a business model that can last when the market puts more emphasis on companies’ profitability.

“Now, I’ve still got to run a business that doesn’t blow up,” he said.

Write to David Uberti at [email protected] and James Rundle at [email protected]