Initiation of Coverage · Cyberoo S.p.A. · CYB · Euronext Growth Milan

Cyberoo: The Deadlines Are the Demand

A fiscal year stretched to fifteen months makes every headline growth rate incomparable, and the extra quarter added almost nothing: on the company's own like-for-like figures, the January–March 2026 stub contributed roughly €1.7m of cybersecurity revenue against a 2025 monthly average of about the same. Underneath, monthly EBITDA fell by roughly 30% while margin dropped eleven points. The genuine news is working capital — receivables from the largest shareholder fell from €11.5m to €2.6m — but €5.3m of that left by offset rather than cash, and an unconsolidated leasing subsidiary with a €15m facility now sits beside the group's receivables machinery. No rating.

Download PDF

Larix Research · No rating. This note carries no recommendation or price target. It is an examination of the results for Cyberoo S.p.A.'s fifteen-month fiscal year ended 31 March 2026, as presented by the company on 30 June 2026. Full disclosures at the end.

Why this company, and why now

Cyberoo S.p.A. is an Italian cybersecurity group listed on Euronext Growth Milan since October 2019 — a managed-detection-and-response provider built around a 24/7 security operations centre (the Cypeer and CSI services), with a compliance data hub (Titaan), advisory services (Docetz), and a security-awareness training platform (Keatrix), recently packaged together as "ORBIS", an integrated offering aimed at the European mid-market. The Italian cybersecurity market grew 12% in 2025 on the Politecnico di Milano observatory's figures; Cyberoo's like-for-like growth ran ahead of it.

The market capitalisation is roughly €65m at about €1.57 per share. The 52-week range is €1.25 to €3.04 — the share has roughly halved inside a year, over a period in which the company reported double-digit like-for-like revenue growth, a net cash position, and a sharp reduction in its most-discussed balance-sheet item. That combination — a derating against apparently improving disclosures — is precisely the kind of situation this firm exists to examine.

On 29 June 2026 the board approved the accounts for a fiscal year of exceptional duration: fifteen months, from 1 January 2025 to 31 March 2026, following a change of fiscal year-end to 31 March. The comparative period is the ordinary twelve months of 2024. Every headline percentage in the results therefore compares fifteen months of activity with twelve — the company says so itself, in a footnote. This note is an attempt to do the arithmetic the footnote invites.

Three findings organise it:

  1. The calendar changed, and with it every growth rate. Headline cybersecurity revenue of €22.35m is up 24.4% — over fifteen months. The company's own like-for-like figure is +15%. Work backwards from those two numbers and the extra quarter (January–March 2026) contributed roughly €1.7m of cybersecurity revenue, marginally below the 2025 monthly average.
  2. EBITDA fell in absolute euros despite three extra months of trading. €8.56m over fifteen months, against €9.72m over the twelve months of 2024. Per month, that is roughly €0.57m against €0.81m — a decline of about 30% in run-rate — with the EBITDA margin down 11.5 points to 27.4% and net profit down 41% to €2.57m.
  3. The receivables position genuinely improved — but by transformation as much as by collection. Receivables from Sedoc Digital Group, the company's largest shareholder and principal distribution partner, fell from €11.53m to €2.56m. Of that €8.97m reduction, €5.29m was executed in March 2026 by purchasing a portfolio of trade receivables from Sedoc and settling by offset — exchanging one exposure for many smaller ones, at a 7% discount to face, with no cash changing hands.

Against these stand a real regulatory demand cycle, distribution agreements with credible partners, and a total-receivables line that moved in the right direction by any reading. We take both sides seriously.

Fifteen months, and what they do to a percentage

The company reports, for the fifteen-month period: value of production €31.23m (+24.85%), sales and services revenue €27.71m (+21.37%), cybersecurity revenue €22.35m (+24.4%), managed services €5.17m (+10.1%). It states that cybersecurity revenue growth was +15% on a comparable twelve-month basis.

Those figures are internally consistent, and they permit a derivation the presentation does not make. If 2024 cybersecurity revenue was €17.97m (€22.35m ÷ 1.244) and calendar-2025 like-for-like growth was 15%, then January–December 2025 produced roughly €20.7m — leaving approximately €1.7m for the January–March 2026 stub. The monthly average across 2025 was about €1.72m. The extra quarter, in other words, ran at or slightly below the prior year's average pace.

The first quarter of an Italian enterprise-IT year is seasonally soft, and a March year-end will now make Q4-heavy budget flushes fall mid-year in Cyberoo's new calendar; we do not treat the stub as proof of deceleration. But the burden of the observation stands: the fifteen-month presentation makes the headline rates larger without making the business any bigger, and the one quarter of genuinely new information in this report — the first quarter of the new fiscal calendar — was ordinary.

The cost line moved first

The starker series is profitability. EBITDA of €8.56m over fifteen months is €1.16m less, in absolute euros, than the €9.72m produced in the twelve months of 2024. On a monthly basis the decline is roughly 30%. The margin on value of production fell from about 39% to 27.4%. Net profit fell 41% to €2.57m — over a period 25% longer.

The company's explanation is investment: development of Keatrix, strengthening of the national and international distribution channel, R&D on new projects, and artificial intelligence. This is a coherent account, and some of it is externally visible — the V-Valley (Esprinet group) and Cometa distribution agreements are real contracts with real counterparties, Keatrix's NeLP methodology won an industry award, and the Albanian and Ukrainian service subsidiaries acquired in June 2025 added delivery capacity in lower-cost jurisdictions.

But an investment-year narrative has a testable implication: the spending should be discretionary, and the margin should come back. The presentation offers no bridge quantifying how much of the eleven-point margin decline is growth spending versus mix, pricing, or the cost of the new subsidiaries. Until the audited annual report provides one, the honest description is: like-for-like revenue grew 15%, and the profit and loss account absorbed all of it, and more.

The shareholder across the table

Sedoc Digital Group S.r.l. is simultaneously Cyberoo's main shareholder and one of its main business partners. Since July 2024 it has acquired Cyberoo solutions through the national distribution system, and for several reporting periods the receivable from Sedoc was the most scrutinised line on Cyberoo's balance sheet: €11.53m at 31 December 2024.

At 31 March 2026 that figure is €2.56m — a reduction of €8.97m that the company describes, fairly, as ahead of the recovery trajectory previously presented to investors. The composition of the reduction deserves as much attention as its size. On 16 March 2026, two weeks before the fiscal year closed, Cyberoo purchased a portfolio of trade receivables from Sedoc — nominal value €5.7m, consideration €5.29m — with the price settled by offsetting against the amounts Sedoc owed Cyberoo. The company's stated rationale is sound as far as it goes: a concentrated exposure to one related party becomes a diversified portfolio of claims on many end customers, improving risk distribution.

What the transaction did not do is bring in cash. Roughly 59% of the year's reduction in the Sedoc receivable was achieved by exchanging it for other receivables — claims on the customers of the shareholder's distribution business, purchased at a 7% discount to face value, in a transaction agreed between related parties and settled by bookkeeping entry. The remaining reduction, and the parallel €4.95m fall in total trade receivables (€20.18m to €15.23m), was assisted by two factoring lines — the existing BPER Factor agreement and a new one with Crédit Agricole Leasing and Factoring — and by a December 2025 distribution agreement with Cometa that introduces "structured payment deferral mechanisms" between end-customer collections and partner terms.

None of this is improper, and all of it is disclosed — the company presents it as a transparency strategy, and the direction of travel is genuinely better than a year ago. But collection, factoring, offset, and deferral are four different things, and the presentation reports them as one improvement. Even after it, trade receivables of €15.23m stand against sales and services revenue running at roughly €22m annualised — in the region of two-thirds of a year's billings before any VAT adjustment, against 88% at the end of 2024. Better; still remarkable for a subscription-heavy services business.

Cyberoo Capital, off to the side

In December 2025 Cyberoo incorporated Cyberoo Capital S.r.l., a wholly-owned "advanced leasing" subsidiary with a dedicated financing facility of up to €15m approved by the board, whose purpose is to let partners offer Cyberoo solutions against periodic payments, "reducing upfront investment barriers and facilitating customer adoption."

Cyberoo Capital is not consolidated in the accounts to 31 March 2026, on grounds of recent incorporation and limited significance. On a stand-alone basis it reported revenue of €0.56m, EBITDA of €0.53m, and cash of €0.97m.

We would simply note what a captive finance vehicle is: a mechanism by which the group's own balance sheet — one step removed — funds its customers' purchases of the group's own services. The Cometa agreement explicitly routes through it. When the vehicle consolidates, its receivables become group receivables again; until then, the group's reported working-capital improvement and its customers' extended payment terms coexist without meeting on the same page. A €15m facility is material against a €65m market capitalisation and €17.73m of group liquidity. This is the single disclosure we will read most carefully in the audited annual report and in the FY2027 accounts, when the subsidiary's first full year must be either consolidated or explained.

What the regulatory calendar is worth

The demand story requires no generosity, because the calendar is public. The AI Act's high-risk system requirements bite on 2 August 2026; the Cyber Resilience Act's 24-hour vulnerability-notification regime on 11 September 2026; the NIS2 minimum-security-measures deadline on 31 October 2026; DORA's ICT testing and supplier-audit regime is already in force for financial entities. Each of these conscripts mid-market European companies — Cyberoo's stated target — into buying exactly the categories Cyberoo sells: managed detection, compliance tooling, governance advisory, and workforce training. The ORBIS packaging of four products into one vendor relationship is a rational response to a real procurement problem, and the distribution build-out (V-Valley domestically, with stated potential extension to Esprinet's Spanish operations) is the right structure for reaching buyers too small to serve directly.

The net financial position supports the effort: net cash of €0.84m, with total liquidity of €17.73m. The implied gross debt of roughly €17m and the two factoring lines temper the comfort — a company that factors its receivables and finances its customers through a leasing vehicle holds cash that is partly the mirror of obligations elsewhere — but there is no solvency question here of the kind we examined at Wolftank.

Valuation: what the market is paying for

At roughly €65m of market capitalisation and approximately break-even net debt, the enterprise trades at about 9x annualised EBITDA (€8.56m × 12/15 ≈ €6.85m) and something over 30x annualised net profit. On the 2024 margin structure — 39% EBITDA on €25m of value of production — the same enterprise would be at roughly 6.6x. The entire valuation debate is therefore the margin question from the cost section above: if 27.4% is an investment-year trough that reverts toward the high thirties as Keatrix and the channel mature, the current price is undemanding for a business growing mid-teens in a regulation-driven market. If 27.4% is the new structural margin of a more competitive, channel-intermediated business, the share is adequately priced after its fall. The company's own materials assert the first reading; the accounts to 31 March 2026, taken alone, are consistent with either.

Three questions the published disclosures leave open

  1. On what terms do the factoring lines transfer risk? Whether the BPER and Crédit Agricole facilities are with or without recourse determines whether the €4.95m reduction in trade receivables is a transfer of risk or a financing of it — and how much of the €17.73m liquidity is matched by contingent obligations.
  2. Who owes the purchased portfolio? The €5.7m nominal portfolio bought from Sedoc consists of claims on Sedoc's distribution customers for cybersecurity services. What is the ageing and concentration of those obligors, and to what extent do they overlap with Cyberoo's own current or prospective channel — such that the group now carries credit exposure to the same end-market twice, once directly and once through the purchased book?
  3. When does Cyberoo Capital consolidate, and what will it hold? How much of the €15m facility has been drawn, what assets sit in the vehicle beyond the reported €0.97m of cash, and will the FY2027 accounts consolidate it — bringing its lease receivables onto the group balance sheet from which the improvement narrative has just removed €5m of trade receivables?

Risks to both views

To the sceptical reading: the margin decline proves to be front-loaded channel investment that normalises within two fiscal years; the purchased portfolio collects at or near face, retiring the related-party question; regulatory deadlines in August–October 2026 produce the demand acceleration the calendar implies; the March year-end's first full-year comparison (to 31 March 2027) shows clean like-for-like growth with margin recovery, and the derating reverses from a €65m base.

To the constructive reading: the margin does not come back, revealing 2024's 39% as the artefact of an under-invested, related-party-assisted period rather than the business's steady state; the purchased receivables age badly; Cyberoo Capital's consolidation returns to the balance sheet what the improvement narrative removed; the Ukrainian delivery subsidiary faces operational disruption; and the mid-market's regulatory spending materialises more slowly than its deadlines, as compliance dates are deferred — as European implementation dates have been before.

Sources and method

This note is based on Cyberoo S.p.A.'s presentation of annual financial statements for the fiscal year ended 31 March 2026, published 30 June 2026, and the accompanying disclosures regarding the period's exceptional fifteen-month duration; on the company's public announcements of 19 June 2025 (acquisition of Cyberoo Global AL sh.p.k. and Cyberoo Global UA l.l.c.), 4 November 2025 (merger of MFD International S.r.l.), 9 December 2025 (Cyberoo Capital facility), 16 December 2025 (Cometa distribution agreement), and 16 March 2026 (purchase of trade receivables from Sedoc Digital Group); and on market data from Euronext Growth Milan as of early July 2026. All figures are as reported by the company or derived arithmetically from reported figures; where derived, the derivation is shown in the text. The audited annual report for the period was not available to us at the time of writing; we will revisit the questions above when it is. We have had no contact with the company prior to publication.