Feltl and Company Research Department. Please see important disclosures on pages 13 to 15. 225 South Sixth Street, Suite 4200 Minneapolis, MN 55402 1-866-655-3431

Security/Software August 27, 2008

Financial Summary Company Description

ArcSight, Inc. (ARST $10.04)

Enabling Security Information Event Management HOLD

Key Points: • Enabling Better Security through SIEM. ArcSight is the leading provider of network

data reconnaissance, intelligence and threat response software and systems, also known as Security Information & Event Management (SIEM). Its vendor neutral systems integrate with hundreds of third party network devices to monitor, collect and synthesize all forms of network data, across geographies, providing centralized, real-time visibility and control of various network “events.” Combined with advanced correlation algorithms and analytical engines its products are ideal for enhanced network security management, internal and external threat mitigation and corporate/regulatory policy compliance. ArcSight products help today’s network security and compliance applications work better.

• SIEM is a $9.5 billion market in the U.S. Alone. According to the 2005 U.S. Economic Census, there were 19,329 large non-government firms and 2.24mm small non-government firms in U.S. critical infrastructure industries. Assuming each large firm purchased the Enterprise Security Management (ESM) platform suggests an addressable market of roughly $3.9 billion in the United States, alone. Further, an 8% market penetration of the small-middle SIEM market in the U.S. exceeds $5.5 billion. Importantly, these estimates don’t include government or international opportunities. Consequently, we believe the Total Addressable Market (TAM) in the U.S. exceeds $9.5 billion. Gartner believes ArcSight currently enjoys the highest market penetration.

• High Growth Rates, Cash Flow and Profits. ArcSight grew FY’08 revenue 45% to $101.6mm from $69.8mm and generated $13.5mm in FY’08 operating cash flow. Looking forward, management forecasts FY’09 revenue of $124-$128mm, representing 22.4%-26.0% growth. Guidance also calls for FY’09 non-GAAP EPS of $0.20-$0.26. We currently forecast FY’09 revenue and non-GAAP EPS of $126.2mm and $0.25, respectively. We expect strong growth trends to continue, forecasting FY’10 revenue and non-GAAP EPS of $157.5mm and $0.44.

• Reasonable Valuation ahead of Q1’09 Results. Our research shows Tier-2 comps trade at 51x forward non-GAAP EPS estimates and 3x forward revenue. Excluding a significant high-outlier, however, the group trades at about 20x forward EPS. In our opinion, the group trades most consistently on sales. Thus, we have established a $14.00 price target for ARST, assuming it will trade at 3x our FY’10 revenue estimate. However, while we are bullish on the stock long-term, we are somewhat tentative ahead of the upcoming Q1’09 report and have initiated with a HOLD rating. While cyber security and compliance are major spending initiatives in both government and the financial industries, budgets in both verticals are currently thin. Moreover, after its February 2008 $9.00 IPO, roughly 13.7mm ARST shares became freely tradable on 8/13/08.

Investment Recommendation:

We believe the TIEM market is large, growing and natural, as current state-of-the-market security systems are inadequate. We believe ArcSight currently represents the state-of-the-art in TIEM, enjoying independent recognition and industry leading traction. ArcSight is growing quickly, is profitable and has a healthy balance sheet. However, ARST may be reasonably valued, especially with a potential stock overhang in a brutal market. Consequently, while we have established a $14.00 target and are bullish long-term, we rate the stock HOLD, pending potentially constructive Q1’09 results or other data. We could become more constructive as potential near-term risks abate.

Jay M. Meier jmmeier@feltl.com

(612) 492-8847

Rev(mil) 2008A 2009E 2010E

Jul $19.9 $26.5 Oct $24.6 $32.8 Jan $27.7 $31.6 Apr $29.4 $35.3 FY $101.6 $126.2E $157.5E P/Sales 3.24x 2.60x 2.08x

EPS 2008A 2009E 2010E

Jul ($0.09) ($0.03) Oct $0.04 $0.09 Jan $0.14 $0.06 Apr $0.02 $0.13 FY $0.11 $0.25E $0.44E P/E 91x 40x 23x

Price: $10.04 52-Week Range: $13.00-$6.35 Target: $14 Rating: HOLD Shares Outstanding: 32.8 mil Mkt. Capitalization: $329mil Ave. Volume: 125,000 Instit. Ownership: 18% BV / Share: $1.68 Debt / Tot. Cap.: 0% Est. LT EPS Growth: 30%

ArcSight is the leading provider of network data reconnaissance, intelligence and threat response software. Governments and enterprise use ArcSight platforms to better mitigate internal and external threats, as well as better manage and control regulatory and policy compliance. ArcSights third party, vendor-neutral applications create real-time “control center” visibility of the entire network environment, reducing risk, while creating efficiencies.

Page 2 ArcSight Corporation (ARST) 8/27/08

Company Description: ArcSight is a leading provider of network data reconnaissance, intelligence and threat response software and systems. Its primary addressable business application is Security Information & Event Management. Its vendor neutral and interoperable systems integrate with hundreds of third party network devices to monitor, collect and synthesize all forms of network data, across geographies, providing centralized, real-time visibility and control of various network “events”. Along with advanced correlation algorithms and analytical engines, the ArcSight platform diagnoses potential relationships between seemingly disparate events. These attributes make ArcSight products ideally suited for enhanced network security management, internal and external threat mitigation and corporate/regulatory policy compliance forensics and enforcement. Governments and enterprises use ArcSight products to better defend against cyber attacks, control compliance violations and manage risk. ArcSight products help today’s network security and compliance applications work better. Corporate History & Details

The Company was incorporated in Delaware in May 2000 as Wahoo Technologies, Inc. and changed its name to ArcSight, Inc. in 2001. ArcSight launched its first product in January 2002 and made its first sale in June 2002. In June 2006, ArcSight acquired Enira Technologies, LLC, which developed the predecessor products to the Company’s TRM and NCM products. ArcSight released its Logger product in December 2006. Its headquarters are located in Cupertino, California, with offices in Burlington MA, Atlanta GA, Lewisville TX, Ontario Canada, London, Paris, Hong Kong, Beijing, Singapore and Tokyo. The Company’s Initial Public Offering occurred in February 2008. As of 4/30/2008, the Company had 335 employees, with 123 in sales, 202 in R&D, 40 in services, 30 in support and 41 in administration. 49 employees are located outside the U.S. and none were represented by a union. As of 4/30/2008, the Company has sold products to over 500 customers, including Fortune Top 5 companies and U.S. Govt. Agencies like the FBI, CIA, DISA, Army and Air Force. While U.S. Government Agencies represent about 20% of annual revenue, ArcSight has no 10% customers. Roughly 51% of revenue comes from ArcSights installed base. Security Information & Event Management (SIEM) SIEM can be loosely described as monitoring, collecting and processing network data to detect anomalous activity or “events”. In general, various activities on the network produce relatively predictable data “events”. As individuals “log-on”, for example, their PC’s and related network infrastructure produces specific event data. That data can be recorded as a “log”. Log data can be stored, retrieved, reviewed and interpreted to describe past events. The existence of specific log data allows us to prove, even at a criminal forensic level, that a network event occurred. Further, log data events can be predictive, in that we can know what log data to anticipate under certain network circumstances or that’s related to specific network events. Conversely, we can also know what log data should not exist under certain circumstances. Thus, log data can be used to form “behavioral profiles”, or activity templates, against which to measure network activity. Material deviations from such template expectations could indicate potentially improper activity on the network, including corporate policy violations, regulatory compliance violations or even criminal activity like cyber attacks or theft. For example, an employee is granted certain network access privileges and predictable log data is produced when an employee accesses those privileges. If log data shows the employee is doing something inappropriate, investigations could be launched and corrective action can be taken. A primary function of network security should be monitoring network log activity in real time and generating warning alerts as potentially inappropriate log data is detected, as with a “central control center”. So, for example, if real-time log data suggests that an employee is attempting to enter an inappropriate domain or inappropriately download sensitive data, the system could warn compliance, prompt for further action or even automatically initiate a defense response. Thus, network security may become a bit more proactive, rather than purely reactionary, backward facing and command reliant.

Page 3 ArcSight Corporation (ARST) 8/27/08

SIEM is Network related Risk Mitigation

Gartner breaks the SIEM market into two distinct applications, Security Event Management (SEM), the real-time collection and analysis of security event data for threat management and incident response, and Security Information Management (SIM), the analysis and synthesis of log data, typically for internal compliance and security purposes. Functionally, the main difference between SEM and SIM is location. Practically speaking, both SEM and SIM monitor network event data to enable stronger defense of inappropriate activity. The primary rationale behind both SEM and SIM is risk mitigation, regardless of whether its compliance related risk or crime related risk. Thus, for our purposes, we don’t differentiate between SEM and SIM, but rather group all “risk” related network events in the SIEM market. To this end, SIEM capability can be broken down into a few basic functions:

1. Data Collection and Filtering. Information must be gathered to examine and, since most network data is routine, the system must distinguish between normal events and anomalous events. Better reconnaissance enables better intelligence.

2. Data Event Correlation. Data reconnaissance is useless without proper synthesis to understand potential relationships. Intelligence is gained by the creation of data that didn’t appear to previously exist. Correlation describes the potential relationship between seemingly unrelated events. Better intelligence enables better prognosis.

3. Normalization, Taxonomy and Reporting. Establishing a relationship between potentially disparate events does not automatically imply trouble. Data must be measured against normal or typical activity to determine severity. To this end, event and data categorization enables more rapid future intelligence and response. Better prognosis enables better response and mitigation.

4. Response. The system could generate automated response or threat mitigation recommendations, or even automated action. Better response and threat mitigation enables lower business risk and, potentially, more consistent and profitable results.

SIEM is a $9.5 Billion Total Addressable Market in the U.S. According to the U.S. Economic Census, in 2005 there were roughly 6.0 million firms and 7.5mm business establishments in North America, defining an “establishment” as a facility location where paid employees conduct their responsibilities. Further, there were approximately 2.26 million firms within critical infrastructure industries like energy, transportation, education, healthcare, and financial. The listing does not include any level of government. There were 2.24mm firms with fewer than 500 employees and 19,329 firms with greater than 500 employees in the critical infrastructure space. Since civil ID background checks are now mandatory in most U.S. critical infrastructure industries, we assume each “critical infrastructure firm” is a strong candidate to minimally invest in SIEM. We believe ArcSights core product, its ESM system, costs $200k-$300k for a basic installation. Assuming each large critical infrastructure firm, those with over 500 employees, purchased the ESM platform for $200,000 suggests a Total Addressable Market (TAM) of roughly $3.9 billion for the United States, alone. Of course, this does not account for small to middle market businesses. McAfee Corporation recently sponsored a survey of small to medium sized businesses (SMid). The survey of 500 IT managers suggested that SMid market businesses under appreciate the threat of cyber attack and other compliance related IT issues. According to the survey, 44%-52% of respondents believed their firm was not a viable target for cyber attacks. This was because they believed they weren’t big enough, or they otherwise didn’t present an economically viable resource for cyber criminals. However, roughly 32% of respondents admitted being attacked more than four times by cyber criminals in the last three years. Moreover, roughly 26% of those attacked took at least one week to recover from the attack. Therefore, we assume these attack victims are strong candidates to purchase SIEM capabilities from ArcSight. Applying these percentages (26% of 32% of the

Page 4 ArcSight Corporation (ARST) 8/27/08

sample set) to our SMid market critical infrastructure census tally reduces the potential U.S. SMid market to approximately 186,000 candidates (2.26mm (32%) (26%)). ArcSight sells application specific appliances, with limited capabilities relative to the ESM platform, to small to middle market firms (SMid) for $30,000-$120,000 each. Assuming each of our 186k candidates purchases an appliance for $30,000 supports a TAM of roughly $5.6 billion for SMid companies in the United States.

Thus, we estimate ArcSights Total Addressable Market for its SIEM offerings in the United States is approximately $9.5 billion.

Number of Firms, Number of Establishments, Employment, and Annual Payroll by Employment Size of the Enterprise for the United States, Sectors (large employment size groups) - 2005 SOURCE: 2005 County Business Patterns. For information on confidentiality protection, sampling error, nonsampling error, and definitions, see http://www.census.gov/epcd/susb/introusb.htm and http://www.census.gov/csd/susb/defterm.html.

NAICS Sector Enterprise Size Firms Establishments Employment Payroll ($1,000) All Sectors Total 5,983,546 7,499,702 116,317,003 4,482,722,481 (including those not listed) <500 employees 5,966,069 6,420,532 58,644,585 2,012,581,741 >500 employees 17,477 1,079,170 57,672,418 2,470,140,740 Utilities Total 6,660 17,326 633,106 46,292,766 <500 employees 6,459 7,937 109,175 5,764,524 >500 employees 201 9,389 523,931 40,528,242 Manufacturing Total 288,568 333,460 13,667,337 600,696,305 <500 employees 284,536 298,286 6,038,792 227,207,868 >500 employees 4,032 35,174 7,628,545 373,488,437 Transportation and Total 169,086 211,150 4,168,016 154,375,938 Warehousing <500 employees 166,946 176,625 1,586,501 52,421,618 >500 employees 2,140 34,525 2,581,515 101,954,320 Information Total 75,261 141,290 3,402,599 203,129,725 <500 employees 74,147 80,837 890,289 46,565,598 >500 employees 1,114 60,453 2,512,310 156,564,127 Finance and Insurance Total 259,983 476,806 6,431,837 446,739,512 <500 employees 258,310 307,021 2,128,868 124,287,962 >500 employees 1,673 169,785 4,302,969 322,451,550 Admin, Support, Waste Mngt, Total 320,252 369,507 9,280,282 255,399,069 and Remediation <500 employees 316,766 327,089 3,619,717 101,086,459 >500 employees 3,486 42,418 5,660,565 154,312,610 Educational Services Total 72,410 80,486 2,879,374 82,522,976 <500 employees 71,293 75,074 1,294,428 33,014,630 >500 employees 1,117 5,412 1,584,946 49,508,346 Healthcare Total 599,392 746,600 16,025,147 589,654,273 and Social Assistance <500 employees 595,641 668,593 7,748,761 269,349,560 >500 employees 3,751 78,007 8,276,386 320,304,713 Accommodation and Total 462,983 603,435 11,025,909 156,041,233 Food Services <500 employees 461,168 500,969 6,611,592 84,859,803 >500 employees 1,815 102,466 4,414,317 71,181,430 Total Critical Infrastructure Total 2,254,595 2,980,060 67,513,607 2,534,851,797 Industries, excluding Govt. <500 employees 2,235,266 2,442,431 30,028,123 944,558,022 >500 employees 19,329 537,629 37,485,484 1,590,293,775

Page 5 ArcSight Corporation (ARST) 8/27/08

Patents & Products ArcSight has four issued patents and a number of patent applications pending in the U.S. and internationally. Its issued patents expire in 2024 and 2025. We believe these patents relate primarily to the Company’s correlation and connector capabilities, which we view as the heart of ArcSights product offerings. Correlation, scalability and interoperability are key selling points for ArcSight. ArcSight products include: • Enterprise Security Management (ESM) is the core offering. Commonly described

as a “mission control center”, ESM provides a centralized, real-time view of disparate network components, data traffic and “events”. The ESM platform integrates with up to 275 products from 100 vendors, collecting potentially massive amounts of network event data. It correlates the events, looking for potentially meaningful relationships and prognosticates potential threat scenarios for mitigation. The ESM system identifies and prioritizes high-risk activity and presents a consolidated view of threats to the business. We believe ArcSight sells the basic ESM platform for $200,000-$300,000. Typically these revenues are 66% product, 10% services and 23% maintenance, which can recur. Historically, customers have installed the core ESM platform initially, but expanded the footprint across the entire enterprise over time. Consequently, revenue from expansion within the installed base has historically represented 51% of total revenue. This fact also suggests our TAM estimates could be grossly underestimated. The Company offers preconfigured, application modules for sale along side the ESM platform. These modules include:

o ArcSight Compliance Insight and Insider Threat o ArcSight Pattern Discovery o ArcSight Interactive Discovery

• Appliance sales provide ArcSight with an opportunity to sell more effectively into the

small and middle markets. Recognizing the viability of its core capabilities as stand-alone products, the Company offers pre-packaged application specific appliances to address niche verticals within the broader SIEM enterprise market. Appliances sell for $30,000-$120,000 each. The Company currently offers several appliances, including:

o ArcSight Logger provides customers with an easily searchable log data repository. Logger is available in a variety of feature sets and capacities, but is generally oriented around the collection and storage of event data to support compliance and security requirements. Logger appliance configurations include Sarbanes-Oxley and Payment Card Industry (PCI) oriented packages. The Company is developing packages around IT governance, Federal Information Security Management guidelines and identity management.

o ArcSight Threat Response Manager (TRM) enables customers to quickly reconfigure network control devices to remediate compliance, security and business risks,

Page 6 ArcSight Corporation (ARST) 8/27/08

consistent with an organizations policies. TRM can identify, quarantine and filter undesirable users and systems at the individual port level. In other words, if the system identifies a potential threat, it can proactively close down the specific network node associated with the threat.

o ArcSight Network Configuration Manager (NCM) automates the audit of network topology, maintaining protected records of all prior configurations for purposes of rollback, audit and compliance reporting.

• Maintenance & Professional Services include post-sale installation and implementation, project planning and advice on use cases. Training services are also offered. Professional services typically represent 10% of a standard ESM deployment, while maintenance can represent 23% and can recur.

Competition and Market Position SIEM is inherently a function of security and, realistically, should be an embedded feature of a comprehensive platform. Unfortunately, a stand-alone SIEM market exists because traditional cyber security products don’t work properly. Firewalls and antivirus technologies, for example, cannot adjust in anticipation of emerging threats. This is because antivirus works by recognizing attack specific virus “signatures”. Absent a known signature, traditional antivirus technology would not perceive anything unusual or potentially wrong within the environment. Thus, the AV industry can issue updates of known signatures only after an attack occurs. Moreover, the cyber security industry is not standardized. Stakeholder offerings don’t easily interoperate and are typically sold as proprietary, sole-source solutions. Yet, because of its recent emergence, neither large security solutions providers, nor niche product vendors sufficiently address SIEM or security in general, for that matter. Thus, the SIEM market is fragmented and conflicted in the same ways the cyber security market is fragmented and conflicted. ArcSight benefits by this fragmentation and conflict.

First, large system solution vendors are beginning to offer SIEM functionality as a feature of their proprietary suites. However, SIEM tends to highlight the inherent flaws in those traditional offerings. Moreover, anchored with massive sunk costs in non-standardized solutions, these large vendors tend to de-emphasize SIEM in lieu of their solution offerings. Consequently, large system solution vendors don’t typically offer cutting edge SIEM capabilities and customers must accept broad reaching system solutions comprised of potentially inferior capabilities to achieve system continuity. Conversely, smaller niche security vendors also typically offer proprietary and sole-source capabilities. While these offerings can be technically superior to the equivalent feature inside a large solution vendor offering, they don’t typically address multiple network nodes or vulnerabilities outside a

Page 7 ArcSight Corporation (ARST) 8/27/08

unique network stack. For example, while the niche vendor might offer a superior email security solution, it might not have a firewall solution at all. Thus, customers interested the highest quality solutions must piecemeal a state-of-the-art solution together from separate vendors, incurring potentially higher costs over time and exposing themselves to potential vulnerability gaps. ArcSights vendor neutral architecture and advanced connector technology enables customers to deploy disparate best-of-breed security solutions across the entire network without necessitating potentially inferior capabilities or vulnerability gaps. Moreover, ArcSight products go beyond pure security to non-security business risk mitigation, creating value beyond what pure-play security vendors are capable of addressing.

While ArcSight products take advantage of the proprietary and competitive dynamic of the cyber security space, SIEM competition does exist. ArcSights core capabilities are the collection and correlation of data. The primary source of competition stems from the security customer’s internal development efforts to patch together a best-of-breed quilt of capabilities. As we have discussed, this implies the avoidance of a sole-source system solution, which, by default, describes a market opportunity for ArcSight. Not surprisingly, those large vendors are beginning to develop rudimentary SEIM capabilities. CA, Cisco, Symantec, EMC, IBM, McAfee, Symantec and Novell have each made SEIM related acquisitions and offer an ESM similar product. Today, RSA Security, a division of EMC Corporation, is likely the most significant system solution competitor.

Page 8 ArcSight Corporation (ARST) 8/27/08

Similarly, many niche competitors offer products related to log management tools. These companies tend to be privately held and smaller, including LogLogic, Sensage, AccessData, Bit9, BigFix, Catbird, HBGary, NitroSecurity, Secerno, and Trigeo. However, we believe the proverbial “cat” may be out of the bag regarding log management. We believe a swelling of log related security solutions, compounded by a distinct lack of capabilities from larger system solution vendors sets the stage for a consolidation cycle in the space. According to the Gartner Magic Quadrant Report (May 2008), “ArcSight continues to be the most visible SIEM point solution vendor in competitive evaluation and has the largest installed base.” Gartner also suggests that ArcSight has the broadest SIEM product set, but suggests that the ArcSight solution, especially the ESM, is relatively sophisticated and can present challenges to deploy. Despite this, with ArcSights superior and vendor neutral capabilities, we are comfortable in our view that ArcSight is pre-eminent in the SIEM space. However, given the infantile nature of the industry, with large market opportunities relative to such small penetrations, we feel a market share discussion is unproductive at this point. Sales Model & Growth Initiatives The Company markets and sells its products primarily through direct sales, but also through value-added resellers (VAR) and systems integrators. The majority of sales are made

through the direct sales organization. As of 4/30/08, ArcSight had 123 sales staff. The selling process is a typical enterprise software sales cycle and requires a sales team. The initial ESM sale can take six months from the prospect identification, but sometimes takes over 12 months. Government sales are typically generated through large integrators and the Company leverages non-exclusive channel partners and distributors to penetrate international markets and to market appliance based products like Logger. The Company anticipates growing the business through a four-tier plan:

• Acquire new customers through direct sales, VARs and distributors. • Expand existing customers. • Develop new applications, including new appliances. • Broaden its distribution to international and small/middle markets.

On 8/19/08, ArcSight announced a partnership where McAfee will integrate the ArcSight Event and Log management solutions into the McAfee E-policy Orchestrator Suite.

Page 9 ArcSight Corporation (ARST) 8/27/08

Recent Results, Guidance & Our Outlook: ArcSight enjoys very high organic growth rates and profitability. On June 19, 2008 ArcSight reported record Q4’08 revenue of $29.4mm and grew 16% from $25.4mm in Q4’07. Q4’07 revenue included $4.2mm in favorable vendor-specific objective evidence (VSOE) adjustments. Excluding the Q4’07 VSOE adjustment, Q4’08 revenue grew 38%. During the quarter, the Company enjoyed bookings of roughly $39.2mm and increased deferred revenue by over $9.2mm. Quarterly operating expense was unusually high as sales & marketing expense ballooned by an additional $1.9mm with higher than expected bookings. Q4’08 GAAP EPS of ($0.04) included $1.643mm in amortization and FAS123 related expense. This compared to Q4’07 GAAP EPS of $0.13. Q4’08 non-GAAP EPS of $0.02 compared to Q4’07 non-GAAP EPS of $0.16. FY’08 revenue of $101.5mm compared quite favorably to FY’07 revenue of $69.8mm. GAAP EPS of $0.08 compares to FY’07 EPS of ($0.03). However, FY’08 non-GAAP EPS of $0.12 compares favorably to FY’07 non-GAAP EPS of $0.07. ArcSight generated $2.1mm in Q4’08 operating cash flow and closed the quarter and year with $71.9mm in cash after raising $45.9mm in cash through its IPO in February 2008. ArcSights balance sheet is relatively clean and healthy, with DSOs of 82 days, DPOs of 57 days, no debt, $47.0mm in working capital, and a current ratio of 1.8. ArcSight provides near-quarter and fiscal year guidance, along with some incidental modeling assumptions. Q1’09 (July) revenue is expected to be $26.0-$28.0 million, representing 31-41% growth. Non-GAAP EPS is expected to be ($0.06)-($0.02). FY’09 guidance calls for revenue of $124-$128 million and non-GAAP EPS of $0.20-$0.26. Our view of ArcSight is quite constructive over the long-term. However, we are somewhat tentative initiating ahead of Q1’08 results. First, while cyber security and compliance are major spending initiatives in both government and the financial industries, budgets in both verticals are currently thin. Given the Company’s typical sales cycle, one could argue that bulging Q4’08 deferred revenue would benefit Q2’09 more than Q1’09. Consequently, we forecast Q1’09 revenue and non-GAAP EPS of $26.5mm and ($0.03), which is slightly below consensus. We forecast FY’09 revenue and non-GAAP EPS of $126.2mm and $0.25, which is in line with consensus. Second, with ArcSights February 2008 $9.00 IPO, roughly 24.2mm ARST shares came off legend on August 13, 2008, with roughly 13.0mm shares freely tradable and solidly in the money. Valuation, Price Target & Rating: At $10/share, ARST trades at roughly 23x our FY’09 non-GAAP EPS estimate and 2.1x our FY’09 revenue estimate. There are several comps that are similar enough for a high confidence relative valuation analysis. As of August 25, 2008, Tier 1 comps trade at 13.3x forward non-GAAP EPS and 2.3x forward revenue estimates, while Tier 2 comps trade at 51.2x EPS estimates and 2.96x forward revenue, respectively. Comparing ARST to Tier 2 comps supports price targets of $22.50 (51.2x our $0.44 FY’10 estimate) and $14.20 (2.96x our $158mm FY’10 estimate). We note, excluding a high outlier would reduce our FY’09 EPS-based price target to $9.00. Additionally, the Tier 2 comps trade much more consistently on sales. Thus, we have established a $14.00 price target assuming ARST trades at parity to our Tier 2 comps, based on forward revenue. However, while our $14.00 price target represents a 40% potential return from current levels, our tentative view over the near term causes us to initiate with a HOLD rating ahead of the Q1’09 results. Our rating is potentially subject to change, pending constructive Q1’09 results or other data. Consequently, we have initiated coverage of ARST with a HOLD rating and a $14.00 target. Conclusion: We believe the TIEM market is large, growing and natural, as many current state-of-the-market security systems are inadequate. We further believe ArcSight currently represents the state-of-the-art in TIEM, enjoying independent recognition and industry leading traction. ArcSight is growing quickly, is profitable and has a healthy balance sheet. However, ARST may arguably be reasonably valued, especially with potential near-term headwinds and stock overhang in a brutal market. Consequently, while we have established a $14.00 target, we rate the stock HOLD, pending potentially constructive Q1’09 results or other data. We could become more constructive as potential near-term risks abate.

Page 10 ArcSight Corporation (ARST) 8/27/08 =

Page 11 ArcSight Corporation (ARST) 8/27/08

Page 12 ArcSight Corporation (ARST) 8/27/08

Page 13 ArcSight Corporation (ARST) 8/27/08

Analyst Certification I, Jay M. Meier, certify that the views expressed in this research report accurately reflect my personal views about the subject company and its securities. I also certify that I have not been, am not, and will not be receiving direct or indirect compensation related to the specific recommendations expressed in this report. Important Disclosures: The analyst or any member of his/her household does not hold a long or short position, options, warrants, rights or futures of this security in their personal account(s). As of the end of the month preceding the date of publication of this report, Feltl and Company did not beneficially own 1% or more of any class of common equity securities of the subject company. There is not any actual material conflict of interest that either the analyst or Feltl and Company is aware of. The analyst has not received any compensation for any investment banking business with this company in the past twelve months and does not expect to receive any in the next three months. Feltl and Company has not been engaged for investment banking services with the subject company during the past twelve months and does not anticipate receiving compensation for such services in the next three months. Feltl and Company managed did not participate in the subject company’s IPO. Feltl and Company has not served as a broker, either as agent or principal, buying back stock for the subject company’s account as part of the company’s authorized stock buy-back program in the last twelve months. No director, officer or employee of Feltl and Company serves as a director, officer or advisory board member to the subject company. Feltl and Company Rating System: Feltl and Company utilizes a four tier rating system for potential total returns over the next 12 months.

Strong Buy: The stock is expected to have total return potential of at least 30%. Catalysts exist to generate higher valuations, and positions should be initiated at current levels. Buy: The stock is expected to have total return potential of at least 15%. Near term catalysts may not exist and the common stock needs further time to develop. Investors requiring time to build positions may consider current levels attractive. Hold: The stock is expected to have total return potential of less than 15%. Fundamental events are not present to make it either a Buy or a Sell. The stock is an acceptable longer-term holding. Sell: Expect a negative total return. Current positions may be used as a source of funds.

Other Publicly Traded Companies mentioned in this Report: Computer Associates (CA $23.78 NR) EMC Corp. (EMC $15.31 NR) McAfee, Inc. (MFE $39.13 NR) Symantec (SYMC $21.64 NR) Blue Coat Systems (BCSI $18.16 NR) CheckPoint Software (CHKP $24.48 NR) SourceFire Corp. (FIRE $7.70 NR) Guidance Software (GUID $5.97 NR) Secure Computing (SCUR $4.20 NR) Websense (WBSN $22.02 NR) Verisign Corp. (VRSN $31.14 NR)

Page 14 ArcSight Corporation (ARST) 8/27/08

8/27/2008 Ratings Distribution for Feltl and Company

------ Investment Banking ------ Number of Percent Number of Percent of Rating Stocks of Total Stocks Rating category SB/Buy 23 70% 2 9% Hold 8 24% 0 0% Sell 2 6% 0 0% 33 100% 2 6%

08/27/08 Hold Target: $14.00

The above represents our ratings distribution on the stocks in the Feltl and Company research universe, together with the number in (and percentage of) each category for which Feltl and Company provided investment-banking services in the previous twelve months.

Page 15 ArcSight Corporation (ARST) 8/27/08

Date Nature of Report Rating Price

Target 08/27/08 Initiation @ $10.04 HOLD $14.00

Feltl and Company does make a market in the subject security at the date of publication of this report. As a market maker, Feltl and Company could act as principal or agent with respect to the purchase or sale of those securities. Valuation and Price Target Methodology:

There are several comps that are similar enough for a good relative valuation analysis. As of August 25, 2008, Tier 1 comps trade at 13.3x forward non-GAAP EPS and 2.3x forward revenue estimates, while Tier 2 comps trade at 51.2x EPS estimates and 2.96x forward revenue, respectively. Comparing ARST to Tier 2 comps supports price targets of $22.50 (51.2x our $0.44 FY’10 estimate) and $14.20 (2.96x our $158mm FY’10 estimate). We note, excluding a high outlier would reduce our FY’09 EPS-based price target to $9.00. Additionally, the Tier 2 comps trade much more consistently on sales. Thus, we have established a $14.00 price target assuming ARST trades at parity to our Tier 2 comps, based on forward revenue. Risks to Achievement of Estimates and Price Target:

• ArcSight is dependent on its ability to market its systems. Any problems, including unforeseen problems, could cause revenue to be less than expected.

• ArcSight sells its products largely to government agencies and large corporations. Its growth plans include diversification away from large stakeholders by enhancing channel sales with resellers and distributors. If ArcSight fails to diversify or otherwise meet its goals, revenue could be less than expected.

• Competition from both small and large technology companies, including ArcSight partners, could inhibit ArcSights ability to sell effectively into the SIEM market. If this happens, ArcSights revenue could be less than expected.

• ArcSight recently completed its Initial Public Offering (IPO) and certain shareholders were restricted from selling their stock until August 13, 2008. As of August 13, 2008, 24.2 million shares of ARST stock became available to sell, with almost 14 million shares freely tradable. If shareholders sell enough stock aggressively, shares of ARST could fall materially.

• Overall changes in demand for security technology, or changes in macro-economic environments could change overall spending on ArcSight products.

• Readers should recognize that the risks noted here do not represent a comprehensive list of all risk factors or potential issues, nor all factors that may preclude achievement of our forecast or price target. Additional risk factors exist and are outlined in the Company’s SEC filings

Other Disclosures:

The information contained in this report is based on sources considered to be reliable, but not guaranteed, to be accurate or complete. Any opinions or estimates expressed herein reflect a judgment made as of this date, and are subject to change without notice. This report has been prepared solely for informative purposes and is not a solicitation or an offer to buy or sell any security. The securities described may not be qualified for purchase in all jurisdictions. Because of individual requirements, advice regarding securities mentioned in this report should not be construed as suitable for all accounts. This report does not take into account the investment objectives, financial situation and needs of any particular client of Feltl and Company. Some securities mentioned herein relate to small speculative companies that may not be suitable for some accounts. Feltl and Company suggests that prior to acting on any of the recommendations herein, the recipient should consider whether such a recommendation is appropriate given their investment objectives and current financial circumstances. Past performance does not guarantee future results. Additional information is available upon request.

225 SOUTH SIXTH STREET• SUITE 4200 • MINNEAPOLIS, MINNESOTA 55402-1834

(612) 492 8800 • (866) 655 – 3431 MEMBER SIPC & NASD

INSTITUTIONAL SALES: (866) 338-3522

Thomas Pierce Senior Vice President – Institutional Sales

(612) 492-8817

Dugan Buffington (612) 492-8862

Mark Hagen

(612) 492-8846

Ryan Quade (612) 492-8807

Jack Zipoy

(612) 492-8860

EQUITY CAPITAL MARKETS DIRECTORY

RESEARCH DEPARTMENT

Clinton H. Morrison, CFA Director of Equity Research

(612) 492-8878

Ernest W. Andberg, CFA (612) 492-8836

Jay M. Meier

(612) 492-8847

Mark E. Smith (612) 492-8806

Shawn P. Bitzan (612) 492-8816

TRADING: (866) 777-9862

Joseph G. Fredericks Manager, Equity Trading

(612) 492-8888

William W. Koop (612) 492-8830

Thomas Walters (612) 492-8829

Elliott Randolph

Institutional Sales Trading (612) 492-8867

Cory Carlson

Institutional Sales Trading (612) 492-8858

Luke J. Weimerskirch

Institutional Sales Trading (612)492-8832