Welcome to SSH Communications Security's Capital Markets Day 2025. My name is Aino Virolainen. I am a part of the SSH Finance team, and I handle our investor relations. Today, I will be guiding you through this event. We will very shortly begin with the opening words from our Chairman of the Board, Henri Österlund, who will actually be joined by a surprise guest. After their opening words, our CEO, Rami Raulas, will kick off the presentations. After the first two presentations, we will have a short break. At the end of the event, we will have a Q&A session where our leadership team members will be answering your questions. The ones following us online can ask questions by using the form on the event page.
The ones present here, you can either just raise your hand during the Q&A session and ask the question here yourself, or you can use one of the QR codes in the room to ask questions through the form. I think we are ready to start, so I will give the floor to our Chairman of the Board, Henri Österlund.
Thank you, Aino. Welcome also on my behalf. Today, we will hear an update on our strategy and the Q3, and obviously what's going to happen with Leonardo and going forward. That's obviously the big thing everyone is here for. Last time we had a Capital Markets Day, I mentioned PrivX and asked the participants to pay close attention to our development within the PrivX software. I'm glad to tell that we have been making good advance, especially on the PrivX software suite. Now, I would like to add to your attention also NQX. NQX is a project we have been working for a long time. The first commercialization of it was, I think, 2020, but it has been slow in picking up. Now, with the Leonardo partnership, I do have quite a lot of confidence in us succeeding with the NQX as well.
Today, I'm very honored to have a special surprise guest here. Tatu Ylönen will be telling about the invention of the SSH protocol itself. SSH protocol is today the backbone of Internet security, and Tatu is the man behind it. He invented it and then also the founder of SSH. Tatu, please join us and share some of the key moments on finding the SSH protocol.
Thank you, Henri. I was a database researcher back in 1995, working at the Helsinki University of Technology. I also had a company, and there was a hacking incident in the university network where thousands of usernames and passwords were found on a machine that was listening to all traffic on the network, basically the whole Finnish University Network, catching usernames, catching passwords. Those, at that time, were all transmitted in clear text. There were some passwords from my company when it was found. I started thinking, what can I do to securely connect between my university office, between my company office, and between my home? I basically started reading on cryptography, learning how to build networking software, and worked really long days for three months and published SSH 1.0 in July 1995 as open-source software. It caught on. It solved a major need.
There were basically daily or weekly cases of password sniffing, as this was called. Hackers were getting usernames and passwords from the network. SSH made it very easy for users to have encrypted sessions where they, from one computer, use another computer over the network safely. All the traffic is encrypted. All the passwords and usernames are encrypted, and the computers authenticate each other so no one can go in the middle and break the encryption. It did some other things more easily. If you wanted to run graphical applications remotely, it was very important to run applications in supercomputing centers, for instance, in university environments. Universities started teaching it to their students because it was easier for the students to use. It included compression. At that time, people were using modems and slow links.
I remember one user sending me a message saying, "Wow, I think my modem just upgraded itself." It was these kind of small things that made it very usable and made it spread. By the end of 1995, I was getting 150 emails per day from people who were asking questions, wanting support, several companies asking if they could start selling it, and places like the University of California at Berkeley, one of the top universities in the world, asking if they could buy commercial support services for it. That's when I started SSH, founded the company in December 1995. Since then, we grew pretty rapidly. Initially, SSH, the Secure Shell, was the main product for these secure connections. We also started early on doing network encryption using IPsec technology. We helped standardize the technology, and that's what's now being used in the NQX product, for instance.
We were in user authentication early on already in SSH, and now controlling privileged access or access for users with PrivX. Growing from these roots over 30 years, expanding, and the world, of course, has expanded. There were many fewer computers and many fewer computer users in the 1990s than there are now. It was before the Internet became mainstream. Even though we still already had Internet, we already had the web. It was just smaller, and most people still didn't know of it yet. That's how the company started, and we grew 100%+ in each of the first five years. It was a very exciting ride. Now, I'd like to invite Rami to tell more about what the company is doing today and where we are going. Thank you.
Thank you. Thank you, Tatu, for a couple of things. Thank you for your invention. It has done a lot of good for the world. Still, by the way, actively used for connecting connected cars like Teslas, windmill park accesses, still strongly alive. Thank you for hiring me many years ago. I really enjoyed the journey here. We've been doing a lot of things since the kind of past five years. We started to move, make a kind of strategic move to business market areas where we saw growth opportunities. I'll talk a little bit more about that. Since the last CMD, two years ago, we put a lot of effort in execution and kind of operational excellence in sales and marketing, building partner networks, kind of getting more feet on the ground to resell our products to customer bases.
That, of course, today we celebrate, and you can see my celebration colors of Finnish and Italian colors for the celebration of Leonardo becoming our strategic partnership with Leonardo and Leonardo becoming the largest investor in this company. I will also talk a little bit more about that. Let me take you through a little bit how we arrived here and where we are just right now and how are we heading moving forward. Buckle up. Maybe just a quick view, quick look at kind of our financial performance in the past year. We've been steadily growing. We have been steadily improving our EBITDA. Software industry is kind of in a simple manner. The more you sell, the more profitability you create unless you spend recklessly, which we definitely do not do. All the investments are carefully thought through.
Of course, our aspiration is to grow much higher on a much higher rate than we've been growing so far. I like Tatu's early days growth numbers, but maybe that's a little bit too high aspiration, but certainly we want to accelerate the growth. Let's understand a little bit about our global reach first. We are a global company in regions. Just over half of the business is in Europe. Maybe you remember we made an acquisition of a company for secure communication, Turvaviesti in Finnish, four years ago. U.S.A. is just over a third of our business, used to be the biggest market. We've been struggling a little bit in growing our U.S. market, and we are now in a turnaround mode. Shawn McAllister, youthful and aggressive guy, is turning it around.
We have built a new team there, and I have moved our product marketing heading and doing into the U.S. I appreciate American marketing a bit more than our humble Finnish marketing altogether. Then Asia, Asia-Pacific, where it has been our growth. It's the smallest market, just over 10%, but we've been enjoying the highest growth rates there. In Q3, we grew in Asia 15%, in Europe 7%, and in the U.S., indeed now finally, we grew 3.5% measured in the United States of America's dollars. In euros, not so much because the U.S. dollar has weakened against euro recently. Now, of course, we have a strong partnership and presence out of Italy, which is global reach, but with Leonardo. We're adding a new flag to that. What do we then offer? What is the solution offering at the moment?
The value promise of the company is secure communication for and between systems, networks, and humans. It consists of, like Henri mentioned, the largest part and the fastest growing part, I would say kind of the main solution, which is PrivX, Privileged Access Management, secure access to critical environments, sensitive data. There's a big market called Privileged Access Management market, PAM market. I'll use that abbreviation moving forward, secrets and key management. Although our strategy is to help people move away from passwords and keys and actually do passwordless and keyless. I have told our IT department that if you take into use any new application, if the authentication to that is on password, I will not use it. It's just too unsafe. 80% of hacks and ransomware is based on secrets, credentials, mainly passwords, the right ones being in the wrong hands. The next area is network security.
How do you connect data centers? How do you connect different sites together? How do you connect OT, manufacturing sites to central headquarters, for instance? That has been our driver for post-quantum technology. Tatu's invention of authentication and encryption has stayed long alive, but there is a threat that it will be broken with quantum computers. The market overall is now moving through legislation, through standards, and through active work from companies like us to simply move us to post-quantum readiness or quantum-safe encryption, handshaking and encryption algorithms. That NQX has been the driver for that, initially developed for the military or defense market. Through the acquisition, SalaX, which we have then added more functionality to. I'll demonstrate a bit more examples of the solutions moving forward here.
Like I said, we put a lot of effort in turning around in terms of being able to grow faster than we've been doing so far. We've been renewing a lot of things. I kind of like the notion of where to play, where to focus, and how to win, what to do in a way. We've been, of course, following very closely what are the underlying trends, what are the market demands, where's the market going, where should we be? Are we safe, good where we are, or should we be going after some new opportunities on the market driven by legislation, regulation, driven by threats and vulnerabilities, or driven by other market needs? Market segments, I'll show you a picture of that. The solution domains, what are the kind of technological domains? Miikka Sainio, CTO, will talk more about that later on.
How to win, I'll come to that part separately as well. Let's have a look at the market segments where we are. We have traditionally been in, Tatu mentioned education market, certainly to some extent government market, IT technology companies, certainly retail logistics, the largest market for, for instance, key management. The market opportunity for key management arose from the consequence of the great invention is that I don't think Tatu ever imagined how many of these keys there will be in the world. Probably 10,000x more, millions more than you thought. Maybe there was not the idea how to manage them. We've developed a management solution to make sure that those keys are not rogue, they are not in the wrong hands, and they're not being misused. Healthcare overall. We can have a look at a few examples here.
As an example, a global large bank, by the way, who says that the biggest security threat in that bank is shared passwords. It's coming back to my notion about password security earlier. They, for instance, needed to take keys under control. When we scanned the environment initially, they thought they would have, I don't know, 50,000 keys. We found 5 million keys. That needs to be taken under control altogether. Nowadays, they automatically renew 1.5 million keys automatically per year. That's by the governance. You couldn't do that with Excel or manually changing those keys with keygen command. It has to be automated. A very unique solution, nobody else has good enough. There's a market leader on the market called CyberArk, which Palo Alto is now purchasing. They had purchased earlier a company called Venafi, which does the same, but we actually have a more comprehensive solution than that.
This is not only the legacy in finance. This is a new customer win from Q3, one of the top five fund management asset management company, over $70 billion in management, very modern in technology. Everything is run in automated fashion. It's all scaling up and down automatically in Kubernetes, kind of technology, kind of cloud-native technology, but in private environments. The only thing lacking for them was privileged access management, how to control access to the critical software development environments, the assets themselves, and then the infrastructure running their applications on. Very heavily AI-driven. They actually need a lot of AI capacity. Couldn't get it from the cloud. They built their own data center in Iceland and put that full of NVIDIA AI chips. The first use case for PrivX in that particular case was the access to the data center, secure access to the data center.
Now that case already has expanded as we speak. Apart from those traditional areas, we are not abandoning those. We see growth opportunities in those for sure, certainly. We've taken a deliberate decision maybe about five years ago to look for other markets. Timing is kind of surprisingly adept just before the aggression war from Russia to Ukraine. This was about a year before that. Into defense market, which is now becoming the European economic driver, as we all know, with the hundreds of billions of investment in defense sector and industries in all nations. Federal government, we developed the American standard encryption technology approved and required by American standards. Critical infrastructure, electricity, water, wastewater. Actually, you don't need to wage a war or use cannons anymore. Just turn off electricity and water, and the society is down. It really has to be protected. Manufacturing, OT, manufacturing and supply chain.
You may have seen some recent ransomware and attacks in that area. These are the kind of new markets for us. We've been there now for a couple of years, and now I trust that we'll be able to grow more in there. Let's have a look at the defense market a bit more. We are deploying all of our solutions to the defense market. Actually, what I'm saying also internally is that if the most stringent, most demanding customer can and wants to use all of our solutions, then pretty much all other customers should be able to do the same. We've been talking about land and expand and cross-sell. Here's an example of very successful of that in the past four years or so. Now where we wanted to expand, of course, is into NATO. We got a NATO-approved vendor, BOA approval about a year ago.
Our products, especially NQX, I mean the network encryption devices need certifications, is being certified for NATO and EU secret. We will get those certifications. In all honesty, coming from a small country, even if you have a great solution, getting into the huge NATO market is not that easy. Now we have a major player to help us do that, which is Leonardo, which is one of the biggest vendors and supporters of NATO and very well appreciated in there as well. Talking about the critical infrastructure, public safety, surprise, surprise, these are the business areas where Leonardo is active and working on in that space. Very much aligned, nearly 100% aligned on where we have been focusing in the past years.
Focus on transportation, high-speed trains, secure access to those, digital twins, as we call so, preventive maintenance on bridges and railways and railroads, ports and logistics, energy production. That's the market opportunity now together with Leonardo to move forward, which we have already been doing on our own. If you have followed our press releases and customer cases, you've seen a lot of cases in those domains already before this has happened. Now, why is OT a big opportunity? It's a nightmare for manufacturing companies. I used to work for process industry for over 10 years before I came here. In the factory in Brazil or Chongqing or in China, we didn't talk about cyber. Didn't even recognize the word back then, 15 years ago. Now it's the biggest risk in the risk assessment of CFOs. Why?
Because, and this is data from Leonardo's global cybersecurity operations, what is the most attacked industry in the world? It is manufacturing companies and supply chain and logistics. Why? Because they are the least protected. There was no encryption. All the connections to control systems were not encrypted at all. In the past, if there was a password, the password was 01234 or 123456, which is, by the way, the most common password in the world, believe it or not. That has to be protected. Now we have also legislation in Europe. We have CER and CRA, and especially this NIS2, network information security legislation, which was passed as a legislation here in Finland as well last October, a year ago. That mandates companies to operate. Why? Because we don't want to see cases like that. You may have seen this Jaguar Land Rover.
They had to stop their production for over 36 days. Quite a bit of losses. Sent people home. Redo computing networks because they were tarnished. It has a big national impact as well. In the U.K., they contribute EUR 4 billion to the U.K. economy. They spend over EUR 9.2 billion in the U.K. alone for subcontractors, which employ 2,000 suppliers with nearly 200,000 employees. This is a big economical impact, not only for the company itself. I know for a fact that one of their subcontractors who do heating systems into cars, a German company, Eberspächer, had to shut down their whole production because of this. For them, it was the second time. First time they had to stop three years ago. That was like a week before they were supposed to start taking our solution into use to protect it. This is happening in real time as we speak.
That's a good market opportunity. We have lots of cases there. Now, what we have been doing, we have been developing OT solutions alongside what we call PrivX IT and PrivX OT. You see different kinds of, I'm not going to read through all these, don't worry, it's going to be in the material. The IT side has slightly different requirements than the OT side. In the OT side, it's more about site approval. The Shift Manager, Plant Manager, they are the people who need to approve access to those sites. There are standards, industrial standards, IEC 62443 and others that mandate that. To simplify the picture a bit, it's like two worlds. Earlier, there was the discussion that these are totally isolated. They are air-gapped from each other.
What has happened with Industry 4.0 and the Digitalization, collecting data, sensor data, IoT data from manufacturing into the cloud means that it's IT-driven. Not only production control systems, but also other edge environments are digitalized. It needs to be put together. We have a unique opportunity there because from the competition point of view, people are either in the blue corner or in the green corner. There are very few companies that know to do both. We're playing on that advantage. It's taken us a few years to develop that. Indeed, what is happening in there is that KuppingerCole, one of the leading analysts, you may have seen the press release of this yesterday on our webpage.
They assessed, I can't remember how many vendors there are, two, four, five, a dozen vendors in that space and rated us very high, just behind Palo Alto as a capabilities for OT security and secure remote access in all of the categories. A bit technical reading, but interesting reading for those who are interested in that. Very good kind of recognition of our capability by a leading analyst. Here's kind of a fairly recent use case from the summertime. Global, parenting is in Japan, a global supply chain operator, not operator, but machine maker, making robotics and automation systems for logistics. They chose us to use our PrivX OT technology and solution for accessing their delivered systems in a secure and audited way so they can prove to their customers that we've done this properly. This is what we did. Here's the audit.
Here's the recording of what we did. Indeed, we have quite a few others as well. Earlier, if you needed to adjust propeller navigation system or do update on the ship, you had to wait in the harbor for the ship to arrive. Now they connect over satellite link. There's a PrivX on every ship, and so you can do online automation for the ships, harbors. We'll come back to that in a minute. It's highly automated. There are no people in there. The problem typically is that with traditional access methods, you can access everything. There's no granularity. With our technology, those systems integrators and operators have been able to say, hey, these Chinese engineers can only go to the Chinese harbors, not to Los Angeles or Hamburg or Wolseley.
A couple of the top six paper and pulp companies have deployed PrivX OT for secure access to thousands of engineers for 40-70 sites in four continents, very rapid deployments, very satisfied customers. I'm happy to announce another partnership as well here along those lines. We have made an agreement with Nokia. This will come into commercial play early next year. Nokia is offering an industrial edge mixing, industrial edge of 5G. There was about 1,000 delivered 5G networks from Nokia to ports, mines, manufacturing sites. Now we provide PrivX access technology to that industrial edge, very modern small computer connected to the 5G networks. This will be made available. We've had the first events, and so I'm pretty excited because the 5G network deployments in industrial environments are growing really rapidly. Nokia, for instance, and Ericsson and others are enjoying a lot of success in that area.
Just a few words on market drivers. I'm not going to do a FUD here, fear, uncertainty, doubt, or scare with all the kind of ransomware stuff. I think you can read about them every day. I just wanted to show now that it's this time of the year, I wanted to show you a weather map. This is from the National Cybersecurity Agency, Traficom here in Finland, about data breaches, phishing and scamming, malware vulnerabilities, automation attacks, network breakdowns, and espionage. It really looks like October weather or November weather in Finland. Not nice. You know the weather, you can wait for half a year, it gets better. Here you can't wait. You have to do something about it. Another look at it is that we now have access to Leonardo's, certainly, cybersecurity operations and data.
They are globally monitoring and have proper processes in place to follow hacktivism, cybercrime, and state-sponsored attacks. Actually, Supo Secret, what is it? Finnish Security and Intelligence Service and National Cybersecurity Agency issued their update on cybersecurity and said that, how did it go? A number of serious cases have more than doubled compared to the previous year. Several organizations have fallen victim to ransomware attacks. It's happening here as well. Of course, we have our own peculiarities under the sea. Let's have a look at our renewed solution portfolio then and how we are moving forward on that. There are three drivers that have been pushing us forward in terms of technology adoption and technology innovation. Zero Trust is a big thing happening. It hasn't happened yet in governmental environments or defense, but it's happening. Zero Trust definition in a loose way is never trust, always verify.
Don't have permanent accesses. Don't use passwords that can be stolen or sold or leaked or lost. Don't have connections open. Just do everything in just in time, just enough, in a matter that is only available when needed, only for the time needed. It's a big transition, and we are very much ahead of that with the PrivX technology. Quantum-safe, we'll talk a little bit more about that. Our Fellow Suvi Lampila and Principal Architect Tero Mononen will be having a dialogue with me later on today on that topic. We have been kind of secretly developing and using AI, large language models, deep learning, generative AI. Jussi Löppönen will be talking about it a bit more.
We released the first AI-based solution for PrivX called Weber, user and entity-based anomaly detection, which is analyzing the connections based on new AI technology and making alerts or making decisions if everything is okay and should be allowed. After that, we have been developing a lot more, but you'll hear more about that later on. These have been the underlying kind of technology trends and opportunities. I think it's an interesting discussion that is AI better for attacking or defending. For us, of course, it's a defensive tool set. How do we cleverly use it and what are the principles and governance in using AI for code development, code checking? I think Miikka will say a few words about that with Jussi. Who do we offer our, who is the market for our solutions?
It's whenever the data, it's kind of classification of data, whenever the data is secret, whenever it's confidential, whenever it's restricted. The question is, where is it? Who or what has access to it? Why should they have access to it? What is happening? What the heck happened? Kind of CSI forensics aftermath. That has led to a portfolio of solutions that I showed in the beginning as well, but I'll go a bit more in depth of them. Let's have a look at first on quantum-safe and NQX. Like I said, we started the development of that quite some while ago. There are a couple of drivers for that, and I'll just reveal them all from here. There is a mandate now to move to quantum-safe from legislation and regulation. Finance industry is a good way on that area. Defense is mandating that moving forward.
We'll talk about that a bit later in today's afternoon session. What we see happening at this start is from the defense market already years ago, is that customers and markets are now segregating routing networks and firewall networks from encryption networks. It's kind of two networks behind each other or on top of each other. Tunnel within tunnel or tunnel behind the tunnel, however you want to say it. In America, there's a standard from this, National Institute of Standards and Technology for that. The main reason is for performance reasons. The other reason is for security and vulnerability. You may have heard about AT&T being hacked. Chinese found a backdoor on Cisco and Fortinet devices. Now F5, which is one of the firewall vendors, was hacked there. A backdoor was found and the IP source code has been stolen.
Relying just on one vendor solution or one encryption network is no longer enough. It needs to be kind of easy transition to the quantum-safe environment. What we've been proponing and talking with customers is to move, add a layer. For instance, in OT environment where you didn't have any encryption, you could just add an encryption layer, encryption tunnel between the sites, and then everything is encrypted. Kind of simple way. High performance because when you do encryption, and especially high-speed environments, you cannot sacrifice performance. We had, for instance, a defense organization, non-European defense organization, has been testing or finished their testing on NQX. They got 97% through the network connection with quantum-safe encryption. With the leading other solution that they already have in use, they got 20%. Huge difference.
That comes from the architecture of NQX and the architecture of how we have developed it to scale overall. To scale from small boxes, you have a management interface and you have in and out. This is the smallest one. I could foresee this in a helicopter or in a tank or a fighter jet. It works also on 12 V all the way up to a data center level. This is heavy. Data center level, which has 64 parallel encryption running in there as well. We're not in the hardware business. We use standard hardware. Our solution is software, but it has to be run on some hardware, obviously. That's the family of NQX. There are a couple of use cases here. Werner, data center operator, chose to use our technology.
The main reason why they chose to deploy that between their racks, rack to rack or data center to data center, was customer demand for higher level security, classification, security classification, and then low latency and high bandwidth, so the performance of the system. There are other use cases as well, which we can serve data center to data center connections, connection from cybersecurity operation centers to customer environments, and of course, site to site, whether it's production sites or garrisons overall. So many new use cases, which we didn't have maybe three, four years ago. We've started to aggressively go after those markets as well in the past year and a half or so. SalaX. Perfect coincidence that SalaX a room or safe room also in Italian. Actually, we got it from Portuguese, but nevertheless.
It's about some of the people here in Finland may know it from secure mail, secure sign, secure rooms, turvaviesti or turvaposti in Finnish. We've been doing well with that, but we needed to find a way to move to the next generation. It's clear that this secure messaging, ways of doing quick secure messaging, like when I do an insurance agreement, everything is done online, and then the agreement comes to me with secure mail because it has my social security number and home address. You can believe that in many countries, even here, you can do a lot with those details, like take a loan in my names, which will be quite bad. We see the market moving into kind of shared communication platforms, sharing platforms like Slack or Teams. There are many organizations and use cases where it needs to be secure.
The encryption needs to be in the customer's own hands, not in American clouds, not knowing who has the encryption ownership. We were using Slack, and we didn't realize that they were reading into our product development and source code development rooms to develop their AI. That's not good. We no longer use it, obviously. Used in many environments. Here's a couple of examples, kind of handling documents into the court. They are pretty sensitive. Actually, we have the whole chain of custody. We have police taking care of their customers and data, privacy data, all the way to the court handling of criminal cases to jail systems. They're called correctional services in some countries, politely. Kind of whole chain of custody protected with our solution. Here are a couple of examples. When you do your blood donation service, there's a privacy data there related.
HR information needs to be protected. Patient and healthcare information certainly is a big area there. Let me show you a few examples. This is an example of how you encrypt in an encrypted way, collect personal data. It's not Google Forms. It's secure encrypted. This is based on our technology. When I communicate with the government or with the military, I don't send them Microsoft Mail to talk about something secret. We have an encrypted channel with strong authentication. That's based on our technology. If I need to talk to the SUPO or the intelligence agency, I don't know, for a terrorism suspicion or whatever, that's pretty sensitive data. It has to be kept secret and anonymized. That's using our technology. Due diligence. We did an extensive due diligence with Leonardo. Now, would we put all the company-related documents, including proof of IPR ownership, into Google Drive?
God forbid, no. It has to be secured. It has to be only accessible to the people that have the encryption keys that are strongly authenticated. They're a very typical use case. Our Board Meeting with Henri, when we discuss on our board and board meetings, everything is in a secret SalaX environment. Individual rooms. We have a room, and then we have a board room, and then some other teams. Securely encrypted documents shared only there. Nobody else can access them. By the way, if somebody joins, like now, Francesco DiSandro will join the board. He will not even see the history because he didn't have an encryption key yet. He will only see the future. It's really safe. Here's another cool example of SalaX connected with AI.
Now, I need to read here, you see, synthesized AI agentic workflow is what I'm going to show you. It's actually a really KISS, keep it simple, stupid, example. I didn't know that in a company we sponsor earphones or screens and keyboards, sure, but also earphones. I said, I want to have some. I called my friend in SalaX, secure rooms, SSH IT superstore, and said, hey, I'd like to order Apple AirPods because they can translate automatically Italian simultaneously to me. They are cool. Then the bot came back, oh, hi, Rami. Yeah, you're eligible for those. We can sponsor you getting those. How does she know it? She talked to our HR system, which checked when it was the last time I had been reimbursed, if any. Okay, fine. I said, yeah, get these. He said, okay, yeah, we can get them. It's EUR 198.
Your company will reimburse EUR 150. Are you okay to pay EUR 48? Hell yeah, order them. Now I have them. This is all automatic. Earlier, it was manual work. AI plays a big role. Agentic AI plays a big role. This is using OpenAI and interfaces to connect system to system, and then the user interfaces are on SalaX Secure Messaging platform. There are so many applications, simple application cases like this around there, and a bit more complicated ones as well. We also introduced a new solution. You may have seen the financial information of that end of last year. It's now called FQX, which is secure file encryption. You have encryption in transit and you have encryption at rest. Where we are using that is mainly in the governmental environment where encryption keys are stored on government cards, or they could be also on these new YubiKeys.
Files can only be encrypted with those people that I want to share it. I need to find the persons I want to encrypt my files to, and then I want to encrypt it, and only they can open it since we need to exchange encryption keys. The normal way of using is to use PGP, Pretty Good Privacy, which is really complicated. I could not use it myself. It's so difficult for users to manage their own encryption keys and everything. It just doesn't work. Let me show you how it works. I just sent some files over to Pelin and Patrick yesterday. This is a new solution. See, I can do file encryption. I can select whether it's confidential, restricted, or personal, or public. Then I need to find who I send it to.
I decided to send it to Kai and Patrick and Pelin from our directory, which means that now we start to exchange encryption keys with each other. I added a few sensitive documents. Maybe from the names of the documents, you can see that they sound pretty sensitive. I'm not going to read out them loud. I just say, yeah, save it into this file, compress it, encrypt it. Now it's encrypted. Now I can share it in SharePoint or Google Drive because only those people, those three with the exchange encryption keys can open it. Nobody else. Now it's safe to put it in places where sensitive data otherwise is not safe to put. I have a file. I have my file for them, for your eyes only file for those people. Very simple. Once again, even I can use it. Last but not least, PrivX.
This is our growth engine. Q3, the growth of subscription business for PrivX was 17%. We have very positive feedback on customers and analysts on that. It's an innovative new generation solution. Many of the legacy competitive solutions are like 20 years old, modern technology. Let me show you a little bit more about that. We have a new customer case. Estonian Ministry of Interior manages access to police and border guard, a rescue board, and emergency response environment. Access controls to the critical information in those systems. There are others. A large European governmental institution which actually really wanted to have a European solution. A Japanese, this is Fujitsu, a managed service provider.
Now, I've been working for a Japanese company, actually Fujitsu, myself for over 10 years, and I can tell you, and I've been selling stuff to Japan in earlier companies, and I can tell you that if you can sell something to Japan, you have a quality product. That's a good testament or testimonial of that. eTail, one of the world's largest eTailers, having access to hundreds of thousands of servers automatically, which can go up and down, needs some modern technology. What does a PAM, privileged access management, then do in a really simple way? You have users, whether they are people or applications or systems. They need to have access to somewhere. Applications, databases, networks, servers, or control systems in operational technology and OT.
PrivX is the one in the middle controlling the access, making sure that only the right actors have access to the right targets and everything is authenticated, authorized, monitored, audited, and recorded. That's simply what these solutions do. Maybe instead of trying to explain it more, I'd like to show you a demonstration of that. Here's a user interface. It has many ways of authenticating, but I'm going to now act as a service engineer. I need to have access to a port. First, I need to authenticate myself. I need to authenticate. In the PC endpoint, I have a certificate which is hardened on the machine, and I can only open it with my biometrics. All right. Now I'm going to have access to PrivX, which is the access control to all target environments. Great. I'm in. Hey, wait, I have no privileges. I cannot go anywhere.
Least privilege is not enough. I need to ask for a permission. Let me ask for a permission for a service engineer role for manufacturing in the European environment. One hour is enough. I can do the job in one hour, and I can put my justification, job number, or ticket number there, and then I submit it. Hold on below. Jenny, who is in the harbor now as a Shift Manager, Jenny gets a notification to accept my request. Please accept it. Thank you. Within seconds, I will now have access to those places where the role granted the access, which in this particular case means the harbor device. I can open access to it. It will now monitor everything. I can have access to the truck lifts or container handling systems, and I can do my job, and Jenny can monitor it live. It can be recorded.
If there are any errors or mistakes, and if she notices that I'm completely crazy and I'm going to drive the crane into the ocean, she can just stop my work for so doing. Thank you very much. Now I can't do anything anymore. It doesn't look that complicated. I think I lost something in the microphone here. Somebody maybe. Just a second. All right. Here we go. Looks simple. The devil is in the detail. There's a lot of detail, of course, in there. There's plenty of things that privileged access management solutions do. I'm not even attempting to educate you on that. Just want to show you that there are a lot of things that we've been developing all the way to version 41. Here we go. For instance, one big topic is key management, as I mentioned, secrets management. The market leader for secrets management is HashiCorp.
We have now plenty of people looking for an alternative for that, and we have a solution for that. Now, why is this important for me to show you all these different requirements that the PAM solution needs? This is the criteria that analysts interpret when they rate and rank different vendors. Now we can proudly say that we meet the requirements of leading analysts. Surprise, surprise, a week ago, Gartner made some notion about that, and I'll show you that to you in a minute. Why is this important? We can shout as loud as we can on the bottom, making the greatest websites in the world, but customers mainly do their homework. They use AI to search. We need to be AI-optimized in our communication, which we are developing and have been developing. People listen to their peers. Peer networking and peer references are really important.
We've been running in a lot of events and putting our peer reviews out into the market, and they listen to these bloody consultants, whether they're wrong or right, but they do listen to them. I'm happy to say that we have now been able to qualify finally into the Gartner Magic Quadrant. This is where they kind of rate their vendors, and we deserve the honorable mention category in there. The only reason why we are not in a visionary category is that we don't have yet enough revenue. We need to grow faster to get into there, but we fulfill all the solution requirements. There's another one.
Coming back to the other analysts as well, they made a secrets management analyst as well, and we got once again, we got a category leader, top of the notch ratings from them as well on PrivX, more focused on the secrets management, way ahead of the market leader as well, which I mentioned earlier. Not to stop there, Infotech will come out with their analysis of PrivX. It will look like this. This will come in a couple of weeks, so this is kind of a sneak review. There will be a few more. We already have been in the cloud security market assessed, and now Industrial Cyber will release their analysis of different vendors for OT security, and we're going to get four out of five and be in the top corner there as well. Solutions are capable, which is good to have.
I just wanted to really briefly give you an idea of what are the segments we cover and where are we heading from there. Privileged access management is kind of the domain for PrivX. There are a lot of adjacent technologies and markets there. You can see some of them are secrets management, certificate management, workforce password management, secure service edge, zero trust network access. All of these are equally the same size of a market as the PAM market, apart from a few of them which are a bit bigger. Where are we? PrivX, we've been developing features to cover a bit wider area in that respect. We have a roadmap and strategic items where we are developing even further capabilities as we speak. We have some partners to complement our OT offering and multi-factor authentication programs.
Now, together with Leonardo, we are entering also further segments into that space. This is just simply the whole idea has been to construct a solution that can tap on a bit larger market and be a bit more holistic solution than just point solutions, which most of our competitors are. You see some familiar names there like that. All right, let me just finish off quickly how to win then. Solutions and services we talked about. I talked about voice of customer, very good net promoter scores, very good scores on our support and professional services. We help partners and customers in the initial deployment phases. Very satisfied on customer support when issues come. This is what peers say in the Gartner peer reviews. 94% recommendation rate, four and a half out of five. Customers are pretty satisfied. How do we then grow?
The biggest way to grow is to get more resources. I cannot afford to just hire 100 salespeople and expect them to deliver. We've been building systematically a partner network overall. You see some partners here. You see some exciting events with our partners as well. In Finland, we've contracted with Lloyd and Cinia, and you see some there from South Korea, Taiwan, Thailand, Japan, Central Europe. Bethlehem, a $6 billion company, Cancom is a $2 billion company, so larger, medium-sized partners as well. We've been onboarding and activating them. I'm happy to say that just this week and last week, we have signed three more new partners. Asgard, I can't pronounce it in Mandarin, in Taiwan, Comet in Vietnam, which is a huge growth market, and then starting from the Nordics, also Accenture. These partners are important, but the partner now is Leonardo.
Now it's been approved and executed this week. What is Leonardo all about? We may know Leonardo, $18 billion conglomerate, six divisions. We may know them more from the defense side, defense market. Their market cap has grown by a factor of five in the past two and a half years. That's a hot market, as we all know. Here's an example of the upcoming Michelangelo Dome, kind of European defense system where you monitor with the different satellite systems, whether it's infrared or radar or other systems, the tracking of flying objects, communicate with each other and down to the earth. You have land radars as well to monitor them, and then you communicate those informations to the shooting party, whether it's a small cannon or a missile, big cannon or a missile.
I mean, you don't want to use missiles to shoot down a drone, like some people are doing at the moment, as we know. It's an agile environment, and Leonardo is driving that as an open platform. Now, what does it actually mean in terms of systems? All the systems will be modernized, and cyber and communication is in the core of them. The next generation tank is a computer that shoots, which means that the connectivity and encryption to the tank has to be protected. This is the mid, I would say, mid and long-term opportunity for us to work with Leonardo to get our systems, like the smaller one here that I showed to those kind of systems. Now, where Leonardo is active is space, air, land, and sea.
They are developing the next generation solutions like sixth generation fighter cap, GCAP, or next generation tank together with Rheinmetall in partnerships. The whole model has been in partnership model. The key driver is multi-domain, so all of these are connected with each other, and there's a communication platform, command and control systems, and encryption in part of it. That is driven by the cyber and cybersecurity part. That is where we belong in the Leonardo picture here, part of the cyber as a partnership with the cyber and security. What does that then do? It's about cyber resilience advisory, global cybersecurity centers, protecting and migrating to secure cloud environments for digitalization, mission-critical communications, like we here in Finland have Virve network, if you're familiar with that for emergency rescue services. Really driving European economy, kind of made in Europe.
Our role is to be our portfolio to be there right in the core as a competent center here out of Nordic. They have also made agreements with other three Nordic companies as well for the Zero Trust and quantum-safe across the whole domains of Leonardo. Here's a picture of the cybersecurity center. It was a pleasure to be there near Rome. This is what it looks like. Very visual, massive, very professional. Now we can have access to that information and data. By the way, all of our solutions need to be used between the communication of such cybersecurity centers and customers. I guess it's time to summarize my apologetically long monologue here. Honestly, we want to grow faster than we've been growing so far, so it's been a bit modest. We are definitely on the growth path and want to accelerate the growth path. Customers take time.
The average time to decide on solutions like ours is nine to 18 months, some even worse. In all honesty, a couple of the cases that I showed you here today, the lead time is only five months, and then they have purchased the next step already a month or two after that. There can be quicker cases as well, but you need to be in the dialogue early, right at the right time. I would say a year and a half is not unusual lead time. It is not going to explode overnight because first you need to find those potential customers, you need to put them in the pipeline, have the initial discussions, have the demonstrations, they will test the solutions, then we start to negotiate, and all of that takes some time.
Also, the growth in the U.S., overall revenue growth has been hampered a bit by weakening dollar as well. Miikka will talk a bit more about that. But really, the key moving forward is to activate the partners and now really leverage the Leonardo partnership. That is number one activity, number one thing for us now, no doubt about that. We've been able to increase our amount of new opportunities in this year alone, over nearly $22 million worth of new opportunities. The question is, how many of those do you win? Do you win 10% or 20% or 30%? How quickly do they then happen? It will show a bit more slowly in the revenue because we sell in the subscription model, annually recognized revenue.
A deal book now will not have any impact on this month's revenue really anymore since we're already at the end of the month, but then moving forward. It's kind of a longer-term impact on the revenue, recognized revenue per self. We are redoing our marketing. You don't want to be a best-kept secret. That's why these industry analyst reports and positive assessments of us are important. That's why peer reviews from other customers to each other are important. I moved our marketing and product marketing into the U.S.A. Barbara is leading that. We now contracted a Californian agency to help us build a better digital face and marketing, simpler messaging as well. You'll see more of that late toward the end of this year and earlier next year. Indeed, to summarize what I started with, we certainly want to accelerate growth with responsible investments for growth.
The investments for growth will be in sales and marketing and in enhancing the solutions and services, obviously. We really are in the work of leveraging the magnificent partnership with Leonardo. We have people in Rome on the seventh floor already. We are working with all the line of businesses and customer engagements. The work has started now, but the real work really starts now. We already kind of took a jump start to that over the summer. All of this will take a bit of time. I would say cautioning that most of the customer deals will take that six, maybe more nine to 18 months. Certainly, our aspiration is to accelerate the growth moving forward. With that, I'd like to thank you for your patience for our growth and for my presentation length here today and welcome you to join the ride. Thank you.
I hand over to our CTO, Miikka Sainio.
Thank you, Rami. I'm going to talk a bit about how we move from secure protocols to holistic safety. Tatu started the day talking about how he invented the SSH protocol, and that is the starting point for everything that we have been doing for the past years. We have been building various products in and around the SSH protocol. How do we move from the protocols to actual more comprehensive solutions? I joined SSH now 10 years ago, so 2016, and February 2016. Back then, we had a collection of really good standalone products. From 2017 to 2020, we started building PrivX. Through PrivX to Zero Trust Suite, I'm going to talk a bit more about later. Quantum safeness, 2020, that became a kind of a thing or thing which we invested in or started investing in.
Operational technology came four years ago. The defense sector is now interested in Zero Trust and the kind of cybersecurity. I'm going to talk more about future and quantum safeness and machine identity going forward. In 2016, when I joined the company, we had a collection of really cool standalone products, but the portfolio was really fragmented. We had SSH client server solutions. We had UKM, which is for SSH key management, scanning massive SSH key infrastructures and taking them under control. We had CryptoAuditor, which was basically an application protocol level decryptor and auditing component. NQX was kind of the development had started, but it wasn't called yet NQX. Those products themselves were sold with Virtual Licenses. Deal by deal, we sold products. The technologies used in the products were different. We were kind of using different programming languages, different UI frameworks, different CI/CD pipelines. The portfolio was really fragmented. We also saw the early signs that the access and data security was moving towards consolidation. Customers were looking more and more for holistic solutions instead of point solutions. Because of this, we started building PrivX. It's part of the story. The computers, as we know it, are evolving. In 1995, when we started or when Tatu Ylönen started developing the SSH protocol and founded the company, the servers were actually physical boxes at the corner of your office or in your data center. You used Telnet or FTP or SSH or SFTP to actually manage those boxes. You connected to them and made configuration changes and stuff like that.
It's really wasteful to actually run servers or standalone servers which run one OS. Those servers were actually virtualized. You could run multiple operating systems on a single piece of hardware. When you did that, the natural next step is to actually lift and shift those virtual machines to the cloud because you don't really want to manage your own hardware. It makes no sense. You can just pay somebody else to do that. That led to Google Cloud and Amazon Web Services and Azure and so forth. This is the whole cloudification story. Those virtual machines in the cloud are now being broken down to applications which are running in the cloud. We are talking about containerization. Actual applications themselves are run on a very thin virtualization layer so that, again, you can maximize the hardware use.
The next step of that is that the applications or containers themselves are broken down to functions which are actually implemented in the cloud. You run pieces of the program in the cloud instead of full applications. The granularity and the nature of computers is changing. It's part of creating immutable infrastructures or infrastructures as code. Instead of managing and building infrastructures, you define them as pieces of code. You run that code and voila, you have an infrastructure. This is the need and the change that we as a company need to respond to. That means that when we say that we move from secure protocols to solutions, we need to move beyond SSH protocol. PrivX was born out of that, and it laid the foundation for Zero Trust Suite. PrivX provides a just-in-time ephemeral access to target systems.
It can be SSH protocol, it can be RDP protocol, it can be network access, it can be various different mechanisms, and it can support these automated CI/CD environments. The subscription model we introduced with PrivX also laid the foundation for recurring revenue on the overall portfolio. The way we build it, we build it to be integratable by design. The APIs are public, customers can easily integrate to the system and build new use cases to support their needs. Through PrivX, actually in 2017 and 2018, we became an early mover in Zero Trust Access Management. It wasn't called Zero Trust Access Management back then, or nobody had really coined the term or taken it into wider use yet. Zero Trust as a term was coined in 2010 by John Kindervag out of Forrester. It basically means, like Rami said, there's no implicit trust in the infrastructure.
All the connections, if somebody needs to access a system, be that a client or a user or anybody else, that connection is verified just in time when that connection is made. In 2011, Google actually published BeyondCorp, which was an architecture that proved you don't actually need VPN connections to create secure connections between users and the sites. You can use the user's identity and clever proxy servers and components to handle the connection securely. It was quiet for the next five or six years with Zero Trust until 2017. We actually launched PrivX, and we didn't initially market PrivX as a Zero Trust solution because that wasn't really a marketing term. What it did was very much Zero Trust. In 2018 and 2019, from that onwards, U.S. NIST formalized the Zero Trust architecture design. In 2019, the actual Gartner analyst joined the Zero Trust craze.
U.K. National Cyber Security Center endorsed Zero Trust. In 2020, CISA published Zero Trust maturity model. In 2021, traditional PAM vendors, our competitors, also joined the Zero Trust movement. They started marketing themselves as Zero Trust providers, even though they may still be based on password rotation or other ancient technologies. Going forward, U.S. Executive Order, which Biden did, mandated Zero Trust in federal agencies. From that onwards, OMB, EU NIST, DORA, and NISA NATO U.K. guidance for Zero Trust. The Zero Trust train really started going in the 2020s. We had been doing that already for four years at that point. Zero Trust creates value. It creates value for our customers. If you have a solution which provides multiple aspects of a cybersecurity posture, it means that you have a unified deployment. It's easier to adopt. You have less training you need to do to your user base.
You solve multiple challenges with one product. You basically don't need to handle multiple vendors, different subscriptions, or price books, and so forth. Basically, it's easier for the customers. Customers always love if they have a solution which solves many problems for them. It's policy-driven access. It supports compliance or customers being compliant. It scales for enterprise environments. It manages both legacy and modern environments. This is actually pretty important because we have competitors who manage legacy environments. We have competitors who handle modern environments, which are open source products. We have very few competitors who actually are as good as us in handling both legacy and modern environments and being deployed on-premise or in the cloud. For us, the value proposition is, of course, like I mentioned earlier, we had a collection of standalone products with different technology stacks.
Unified and shared technology stacks enable us to leverage R&D resources between teams or products or components in the solution. Obviously, if we have a customer who has deployed or taken use of one aspect of our suite, we can upsell or bring customers to deploy more products from that suite. It's much, much easier to expand at the customer than to acquire new customers. Rami already showed this on a high level. Networks, systems, humans, NQX, PrivX, SalaX. PrivX is Privileged Access Management, Secrets and Key Management, Secure Data Transfer. NQX is Network Security. Together, we create a solution with these to secure operational technology environments. SalaX is Secure Collaboration. Rami already talked quite extensively about that. This looks simple. Rami also showed a glimpse of these. Oh, sorry. Of course, all of these products are then part of the Zero Trust Suite.
All of these products also implement post-quantum cryptography. This looks quite simple, but this is what it actually looks like. There are quite a lot of features and different aspects to each of the products, be that Privileged Session Management or artificial intelligence or SSH key management. Like Rami was showing the PAM slide with all the adjacent sectors around it, as a CTO or as a company in cybersecurity, it's really critical for us to choose which sectors are we going for or which sectors are we aiming for because resources are finite. There's only so much that you can do of the overall pie. It's really important to wisely choose what you do.
Like Rami was saying, for example, if we talk about MFA or PQC, Zero Trust Network Access, PSM, it's also really important for us to talk the same language that the analysts like Gartner or KuppingerCole are talking because it also means that we are talking the same language that the customers are talking. When we talk about the specific feature, then everybody's talking about the same thing, and that simplifies things. Static credentials, shared, reused, mismanaged passwords, SSH keys are easy targets. SSH keys are especially problematic because they are just files. They can be copied quite easily in the infrastructure, and they can travel. You can easily create kind of lateral movement or lateral trust within the infrastructure, and that is problematic. Password rotation, which some of our competitors are offering, is really quite labor-intensive and compute-intensive.
We have seen customer environments which are doing 20,000 password rotations per hour, which is really error-prone and quite insane, to be frank. Stolen credentials, like real user accounts and passwords, are still the top cause for breaches. How are organizations hacked? If we take a look at the kind of, this is actually IBM X-Force Threat Intelligence Index from 2025. In 2024, valid accounts and phishing, making users do something that they were planning to do, so kind of phishing them to do something bad, accounted for 55% of the overall security breach landscape, which is a bit of a problem. This can be VPN accounts or application accounts and so forth. Of course, there's still exploiting public-facing applications, so there are vulnerabilities in the applications or misconfigurations. Valid accounts or user accounts are still the main mechanism for breaches.
What we actually propose to our customers is that they move beyond passwords with ephemeral access. They deploy PrivX, and then they authenticate the targets with short-lived certificates instead of passwords or SSH keys. What that also means is that the identity of the client or the user can be verified at the time of the actual action that is taken. For example, we can check that the user is connecting from a known network, office network. We can check that it's office hours. We can also impose other context limitations of the connection. We can do neural network-based machine learning to do user entity behavior analytics to block or alert if the connection seems abnormal, which actually lets us move from reactive cybersecurity to proactive cybersecurity. There's nothing to reuse. There's nothing to steal. It's actually true Zero Trust. We can actually extend this to network-level Zero Trust access.
Zero Trust network access, even for site-to-site connectivity, to kind of remove the always-on static site-to-site connections. That leads me to 2021. From cybersecurity to cybersafety, from IT to OT, which, of course, doesn't mean that we abandon IT. It means just that we apply the things that we have learned and build on the IT side to OT customers. We secure critical infrastructures with Zero Trust principles. We are seeing a new threat landscape. Like Rami was saying, factories, manufacturing, energy, utilities, energy grids, different kinds of industrial targets are being breached. The challenge is that the OT environments are often quite old. There's a lot of legacy access, a lot of legacy devices, unsecured protocols, unsecured user accounts. There's a lot of third-party access. A significant manufacturing facility may have hundreds, if not thousands, of contractors who need access to devices on the site.
Zero Trust solutions fit really well to this. It's granular, identity-based access, and just-in-time access. We are actually seeing significant customer adoption in the industrial verticals for this. There's an opportunity to sell both plant and infrastructure owners. I'm going to talk a bit more about that later. When we did this in 2021, due to customer demand, we actually became an early mover in OT cybersecurity. You may see a theme here. We are kind of an early mover in quite many relevant things, serving both infrastructure owners and vendors. If you have industrial sites, ports, manufacturing facilities, you have internal users within the corporate offices or perhaps within the sites themselves or different sites who need access to a device or, for example, a crane on the site, they can log into PrivX to get access to the site. PrivX is integrated to their identity provider.
The access is verified just in time. Are they still working for the company? Are they in the correct groups to be able to access the crane, for example? Is it a working day and so forth? Are they in the correct country? Should they be entitled to access that specific infrastructure? That is all quite simple. We also have equipment vendors, and they have a lot of infrastructure also running on those customer infrastructures. They need access to those for debugging or understanding if something's wrong with the device or doing firmware updates or basically just managing the devices. We can actually sell them PrivX to enable them to connect to all of these devices and customer infrastructure. We can pretty much sell to both sides of the table or provide a solution for both of the parties. Zero Trust network access.
Basically, we want to eliminate these always-on site-to-site tunnels. Rami mentioned the JR case in the U.K., which I don't know if it's still ongoing, but it was quite expensive and quite bad. Usually with these things, if one site is compromised, it means that there's a good chance that the attacker can move from site to site because of these always-on connections. What we want to do is provide just-in-time connections between the sites. A user from the corporate offices here requires access to the industrial site. They log into PrivX. They request access. The foreman or the plant engineer, floor engineer at the site can approve or disapprove the connection request. When they approve it, PrivX can tell NQX to actually establish an ephemeral identity-bound transport for the session. The connection doesn't exist until it's actually needed.
This is really important because it lets infrastructure owners limit the blast radius if one infrastructure component or site is compromised for some reason or another. The Aperture Sparehair case, for example, I think that when it was compromised three years ago, they had real trouble killing all the connections to their subcontractors and their other sites to actually limit the damage. What this does, it results in minimal attack surface and limits the blast radius and overall kind of stronger resilience for the OT site or OT infrastructure. Which industries are being attacked? This is, again, IBM X-Force report. Rami was showing Leonardo reports. This is IBM. We can see that the fourth year in a row, manufacturing is the most targeted industry for breaches or attacks. The challenge, of course, is that we have companies who are protecting themselves against state actors in effect.
We have hacker groups which operate under national protection from various countries and then target Western companies or companies here to take them down. The situation is quite asymmetric in that sense. OT security matters. We have been doing IT security. It's important. There are financial consequences if systems are down. The OT side is different in a way that they can't go down. They can't be compromised. There can be immediate real-life consequences. In true honesty, it is a matter of life and death. It is a bit different. We are seeing attackers increasingly targeting OT. Luckily, there's regulatory pressure to fix things, so NIST, CISA, and so forth, IEC 62443. Different regulatory mandates to make the OT environment safe, which is really good. One thing about the OT customers or the OT industry is that the barrier to entry the market or the customers, it's quite long.
It's quite difficult because you need to talk the same language as the OT guys do. When you get in, the customer relationships are actually long. They are quite good because if there's something that the OT guys hate, it's change. They like to keep things or they like to keep the status quo in a sense that they don't want to change systems because the infrastructures are so complicated and they are so difficult to update. One part of that is that whatever access management solution you deploy to OT, it needs to support the legacy devices. There are really old devices on the sites which need to be kind of protected. You encapsulate connections and you hide them behind jump hosts, which provide security and so forth. You do what you can to secure those environments because sometimes it isn't feasible or financially possible to update certain components.
At the same time, like Rami was saying, Industry 4.0 is coming, which means connected devices, automation, artificial intelligence. When you deploy an OT device, there's an on-premise component, but there's also a component in the cloud. The on-premise component needs to talk with the cloud component, and that doesn't really work with the kind of old established OT security models like Purdue, for example. Now SSH, the Cyber Defense company, is seeing the defense joining the Zero Trust era. Of course, defense has been using similar methodology in the past to provide security to defense infrastructures. Now we are seeing with the kind of Ukraine war and the rising cyber threats that more and more need for Zero Trust solutions in the Defense space are also needed. It's also part of because, like I said, tanks are basically computers with shoot.
They are becoming more and more complicated with connected components and more computers and so forth. You need to bring cybersecurity to the defense devices or equipment as well. We are seeing Defense Ministries in Europe and abroad accelerate Zero Trust adoption. At this point in time, we are quite uniquely positioned to provide proven Zero Trust and quantum-safe solutions. We are European. We are in Finland. We have a lot of European trust in us, and we have a capability to operate at the national security scale or level because we have been doing that. What I liked about what Tatu was saying earlier about how SSH protocol back in the day enabled users to do their tasks better. It was faster. It implemented compression and so forth. It's really important that whatever solutions we make, they are usable. They are practical.
They enable users to do their kind of real jobs or actual tasks more efficiently than if they weren't using the cybersecurity solutions. Users are like water. If the cybersecurity solution you have in place is too difficult to use, they'll just bypass it. Zero Trust as a kind of technology, as an idea, is becoming a matter of national resilience. Pulling it all together, we bet heavily on Zero Trust and quantum safeness in 2017, 2020. Now we are seeing an expansion from enterprise IT to OT to Defense. We feel validated in a sense that Zero Trust isn't a marketing term or a hype term. It's a future foundation for critical infrastructure. The fact that defense is adopting the principles as well signals long-term demand.
We are being seen as a kind of a strategic cybersecurity partner by Leonardo, for example, which means that we have an opportunity to become an early mover in cyber defense. Looking ahead, Gen AI is reshaping threats and defenses. Threat actors can use Gen AI for deep fakes and faking voice and creating phishing emails and all that. That's all kind of business as usual now. There is, of course, also on the defense side stuff that we can do to defend ourselves using AI. Jussi Löppönen is going to talk a bit more about that later. Quantum computing, quantum computers which come will impose a need for us to upgrade to quantum-safe cryptography.
One topic is that which we are part of a consortium already at the moment is controlling securely moving assets such as drones or, they could be tanks or they could be cars or kind of alpha robots, whatever. It's securely controlling those assets. That is becoming a theme. Through automation and agentic AI, machine identity in itself is becoming a challenge. We are seeing that certain environments, customers, companies, organizations may have hundreds, thousands of more machine identities than actual user identities because machine identities also need access to data. They need access to different systems. They need to have an identity on which that access is based on. We are already active in all of these domains. We have developments ongoing. The team, this seems a bit small because these are the guys. We had a kind of permission to publish the photo at this point.
We are 36 nationalities at SSH. All of our R&D is in Helsinki. We don't do outsourcing in core product development because we feel that it's important that we keep the knowledge of the systems that we build, the customer needs, and the customer kind of deployments in-house. Thank you. SSH was ready when the world needed us. We are kind of building solutions and trying to be ready when the actual kind of customer need rises. Thank you. I think Aino is now going to talk a bit more about the practicalities for the pause.
All right. Thank you very much. We will have now a short break, and we will continue in about 15 minutes. We will see you then. Welcome back to SSH Capital Markets Day 2025. Next up on our agenda, we have a presentation from one of our Principal Engineers, Jussi Löppönen. Jussi, the floor is yours.
Hello. Good afternoon to everybody. I will go through what we have today and some words about the future with AI solutions in SSH. The longer-term goal, I could say even shorter-term goal, is that AI will be embedded in everything we do at SSH. It involves internal processes, bringing tools to our internal processes, and then incorporating AI solutions to our cybersecurity products and solutions. I will describe what we have today in products and in our operations and then going forward. We have many tools helping our productivity today in use. You saw one example of this type of business process automation tool. We have several knowledge tools in use. Those are, of course, important since our products tend to be complex. The technologies are complex. AI can help our personnel to do more. Lots of things there which have happened.
We have a plethora of engineering tools in use, including the software engineering tools. We are also supporting our partner network with AI with the tools we have built in-house. On the product delivery side, we have had the PrivX anomaly detection in deliveries over two years. We also have an AI solution for helping our customers to analyze their SSH key audit situations. Instead of very complicated reports, the AI crafts them executive summary of the reports. I will cover a little bit more in depth the knowledge tools we today run across the company. The first tool we built was AI Product Assistant, which makes every single person in SSH expert on our products. It answers questions, whatever questions come in based on our product documentation.
The technology used here is so-called retrieval augmented generation, which makes the large language model to answer questions not from its internal memory, but based on products, providing accurate answers, high-quality answers. This has been now in use for over two years. It works very well. This tool was expanded so that our sales engineers can get the AI to answer customer requests for proposal technical questions. In benchmark against human-crafted answers, this tool actually reaches human level. Instead of doing lots of manual routine work, the sales support engineer can spend her or his time answering the more complex or more integration questions. The base questions are answered by AI. Very important for us is customer service AI assistant. It's an in-house built tool which connects to our document databases, to our internal knowledge bases. It can check from existing tickets at solutions how customer problem can be solved.
Again, no hallucinations, very accurate answers. It also has integrated AI search in use. It can fetch also information from because customers are using platforms which are documented on the internet. It can combine several things. The idea here is that the customer service human engineer saves a lot of work time. He or she doesn't need to search this information by themselves and saves many hours per each working day and can answer more tickets with higher quality because all the relevant answers are there in place. AI also drafts a template answer, but it needs to be always edited. In our domain, it's completely unfeasible to think that we could automate the whole customer service. It just is not possible. Finally, we also have AI helpers for our professional services consultants. From very complex technical reports, they can craft customer executive summary presentations. The benefit is saving time.
I would say that we have built like internal tools for the volume work that our personnel is doing. These tools actually help us to grow faster. It makes our personnel to be able to do more. A few words about going forward. How are we going to utilize AI in cybersecurity solutions? Maybe first giving some kind of landscape why cybersecurity is a rather challenging environment for AI. If you look at the marketplace, you have some limitations of the solutions available right now today. There are two main reasons for that. First of all, the amount of security data is just massive. It's petabytes. You cannot run it through GPT. All of that, it's just unfeasible. The cost would be insanely high. World's computers wouldn't be enough to do that. You need to use some intelligence and chunk it, et cetera.
Another thing is that the security solutions need to be so-called the word is context-aware to be able to flag some actor as a bad guy or some device to be compromised, et cetera. You typically need to correlate several things together. Of course, these various data sources are mixed in different places. There is no standard for the data formats, et cetera. Doing a solution with high enough context awareness is challenging, which has led to the current AI solutions tending to have rather high false positive amounts, flagging actors as being malicious when they are not. A contributing factor is, of course, that the bad guys, state actors, etc., do not publish their attack vectors, so you need to use some creativity in creating your models. I already mentioned that more intelligence means more money it takes to run these things.
If you look at the AI market in cybersecurity today, AI often remains at the advisory level, not so much in real-time defense. This will change as we move forward. That was the challenge. Here comes the good news. We can utilize AI to do things that were not possible, for example, last year, to make new innovations, and we have some of them in the pipeline. We have this year created or trained our own—sorry, there was still one benefit before that. I already jumped to the next slide. The benefit is time to market. AI speeds innovation cycles dramatically. Those of us who work in new business development have seen during the last, say, one and a half years that the AI search tools have dramatically improved, and you have so much information, business intelligence information at your fingertips all the time that it is really amazing.
Even more importantly, AI accelerates innovation not only timing-wise, but you can do things that you could not do a year ago. You can use AI to create synthetic data not only for model training, you can use it for also making rule-based solutions, whatever. You can grant complicated data with AI, find patterns from there. There are lots of opportunities that were not available still some time ago. What I have found this year is that also the system engineering and software engineering AI tools have dramatically improved, enabling much, much more, how to say, automatic solution creation. It is unbelievable how fast you can move. You can actually do a prototype nowadays faster than you can convince your colleagues. I have many times just decided to do something with my team and then just show the prototype, and then people can draw their conclusion.
Is it worth taking into use or shall we dump it? Fail fast is one of the new theories there. If you find something useful to do, then time to market in the actual R&D is also faster. How have we then used all these fantastic tools? One thing we have done this year is we trained our own cybersecurity large language model. Why did we do it? There are lots of models available. We trained, let's say, rather small model. It's still a big model, reasoning model. Double digit billions is the size, which would allow us to do edge deployments and secure customer data. Of course, this is what our customers want. It's not a model for that we would go to host a model as a cloud service. It's a model that we could use as part of an agentic workflow in some of our products.
The research or the technical term we talk here is we downstream an open-source large language model to cybersecurity domain. The science is there. There are actually several algorithms to do that. Maybe the most famous is the Chinese-developed GRPO, algorithm reinforcement learning algorithm, how you can make AI to train AI. It works. You can, with a rather small team, do amazing things. Also, the libraries are there. Cloud distributed GPUs are available, et cetera. Compared to how much training we did, actually, the results were surprisingly good. Now we have put this thing into our toolbox. There is no plan at the moment. How do we commercialize it? We will look at it as part of our wider solution portfolio that in what places we could then enrich our solutions. It's actually quite, how to say, opens avenues for us to do quite significant innovations for our customers.
Also, why we are not so aggressive in time to market with this product is that these edge solutions are still in the maturing phase. You need NVIDIA chips or AMD chips in the computers. The industry is not yet there where these solutions are routinely used by our customers. Let's see what comes out of it. That is in our toolbox. In addition, we have been running this year this type of AI-powered innovation R&D process targeting new launch next year. I will not describe this solution today because we have still some loose ends. The idea here is that it's not a new product. We will not open a cloud service. It's an AI solution which will complement our existing product offerings to our existing customers, what Rami showed you.
When you are doing these AI things, you naturally find out that you get into the wider market than the privileged access market. It will also widen our market reach. Again, more news of that next year. We may see us one year from now again. Let's see what happened. I will keep this now very short because we were running a little bit late. We have done lots of things in AI. Many things are happening. AI enables us to do things that were not possible before. Looking forward to bringing the solutions to the marketplace. That's it. Thank you.
Thank you. Thank you, Jussi. It's really about leveraging AI in many areas. We've set up now in the company a protocol. We have a fireside chat on AI every two weeks where people are forced, me included, to present what they have learned and done with AI.
It's a company culture. We need to leverage it. Of course, Miikka's job and the development team's job is to make sure we see where we can responsibly use it so that we don't create more vulnerabilities by using AI. Great. The last presentation session here before the financials at the end is on this quantum-safe or post-quantum cryptography area. We've been talking a lot about it and who best to present it in a summary. We'll have a kind of a short panel discussion here. I'll gladly invite Suvi Lampila, our Fellow and Evangelist and our representative in Quantum Journey. Suvi will say a few words in the beginning. Then with Tero, we will sit down here in a moment.
I'm happy to say that the quantum-safe era is here. I've been at SSH for 24 years, and for the past three, four years, I've been working on this post-quantum cryptography related things at SSH. If you've ever heard me speak before, I've talked about more of the future or how we need it now. Now I'm talking about it that we're already in this era. What does it look like now? The post-quantum cryptographic transition that uses the quantum-safe cryptography, one of the misconceptions is that we would somehow need quantum computers for that. They're not needed. We don't need or wait for quantum technology or phenomena solutions to get quantum-safe. We need to get the post-quantum cryptography transition completed to get there. What drives this is the legislation and recommendations in the U.S. It's already a law. It's not a nice-to-have thing.
In Europe, their nation-states are going to be required to do their quantum roadmaps by 2026, got their ducks in order. Already in Finland, our national cybersecurity agency has stated that they won't accept anything but quantum-safe solutions for certification starting next year. Some of the nation-states are moving faster than others. It's not just the governments. For instance, in Singapore, the Monetary Authority is recommending moving to a quantum-safe world, and that governs like the financial industry. The full transition is something that needs industry-wide effort. No single company is able to do that. We've been involved with the migration of the post-quantum cryptography project at the National Institute of Standards and Technology for a few years now. A few weeks ago, I spoke at their panel at the PQC conference, and certain milestones have been completed.
Last year, we got to celebrate the first standards in the White House. Here in Finland, SSH was instrumental in getting the PQC Finland going. Now we have this Beyond the Limits of Post-Quantum Cryptography project. That's a three-year project, and SSH Communications Security is focusing on quantum-safe identity management on that side and enhancing our encryption systems on the quantum-safe side. There are projects like this EU Q-Prep project that I'm going to speak at their event next month, and that's intended for the public sector. The transition is accelerating. It's certainly not just like us preaching this thing. We're working with large organizations. It started with like 20 organizations when we joined the NIST PQC Migration Consortium. There's now 55. There's IBM, Microsoft, Google, AWS. We're all working towards this common goal. This is important. We can defend the data with quantum-safe encryption only in advance.
There are attacks that are retroactive. There's no other way around it. The good news is that the transition is already ongoing with the quantum-safe confidentiality. These lovely percentages are not, though, the whole picture because this only represents when people are using their browsers, how they're able to use quantum-safe connections. There is one country here in Europe that has an even higher percentage. Can anyone guess what that is? It has been mentioned a couple of times already today. Ukraine is leading with 48%. They have a very good reason to do so. The transition doesn't end here. Even if we get this part of the connection sorted out, we still need to sort out a lot of other connections, even in this web use case. The browsers are just one little corner of that transport layer security piece of the puzzle.
We need to get all of these other pieces sorted out in the confidentiality side. I'm proud to say that at SSH, we've pretty much tackled the top layer of this already. The bottom stuff, hence the signature algorithms, we need to sort those out next. Unfortunately, this is not an easy step. We are definitely working on that globally. There's a lot more connections, credentials that need to be sorted out. Also, the different kinds of use cases impose new requirements for what kind of credentials we're able to substitute the current existing ones. At SSH, I like to say that we don't sell promiseware. We actually sell these quantum-safe solutions already to our customers. We continue to do so in the future. Now, if I could have Rami and Tero, we can then continue with some discussion.
Have a seat. I'll invite Tero Mononen, Principal Architect, as well. Why don't we have a quick discussion about what does this actually mean? First of all, what is the quantum threat and risk? I mean, Tatu's invention was great. Why is it at risk? What is the reason for that?
Risk actually is the advent of quantum computers. The underlying algorithms that are used on the SSH and other things, the public key cryptography as we know it, it is based on the problems that are computationally easy for the quantum computer. We need to replace these because these algorithms failing would cause massive damage to the authentication and also confidentiality infrastructure of the internet as we know it, and also the digital society as we know it.
You're saying that quantum computers will be absolutely great in breaking all the encryption we've been building for decades.
That is kind of an overstatement. They will turn the complexity from exponential to polynomial. The quantum computer itself doesn't break the crypto. It is a small part that makes breaking crypto easier for a classical computer. It's a step that concurrently reduces the problem into an easier problem that is solvable.
When it comes to cryptography, when there is that feeling that or it's put under question, it's no longer usable. Even when the practical attack of a quantum computer is not reality, more likely in a few years to come, it doesn't change the fact that we don't need to move. We definitely have to move also from the point of view that those attacks are retroactive.
What is the impact? How serious is this?
This depends very much who you ask. We have customers who have had already several years ago, they had the need and wanted to get the quantum-safe confidentiality sorted out for their systems. There are others who don't really see the threat to them as an immediate threat. For all of us, it will still mean that by 2030, when those legislative mandates come into effect, we're all going to be faced with the transition.
Yes, indeed. This is a systemic problem. Everyone is impacted in a way or another. We as normal people, consumers, we don't really have to do anything for this. We don't have to worry about somebody else taking care of that. The service providers, they have lots of things to do in a similar manner as the critical business organizations, banks, anyone who is basically impacted by the critical entities and related legislation. They need to act. How serious is this today? Basically, the largest number that quantum computers have been able to factor so far is a two-digit number. These keys that we are talking about, they have something like 600- to 900-digit RSA keys. Current quantum computers are still toys. There is a valid and substantial risk that the development on quantum computing will be able to produce a quantum computer that really can break these keys.
That's not the point, like you said, Suvi. It's getting prepared. The legislators and governments have simply stated that we will move in this direction regardless of the timeline or capability of quantum computers per se.
Vendors are looking at, we've already seen it with other vendors, that they are sunsetting some of their legacy products. This is the largest cryptographic update and modernization that we've done over the decades. As you saw, some of the percentage... like that ship has already left the port. We're already sailing toward this transition, and there's no stopping us.
How do we mitigate? How should we mitigate against this risk then?
The mitigation really is the post-quantum cryptographic transition. There are alternative ways that have been discussed. One is called quantum key distribution. That's a mechanism where quantum phenomena itself is used to communicate keys between devices. There are inherent things wrong in QKD. It is point to point. It actually is hop by hop, so it's not even an end-to-end secure mechanism. It requires substantial investments in the infrastructure, and that's not going to work. Our approach here is to use post-quantum cryptography, which is a software or hardware accelerated mechanism that runs on the devices over the communication channel that can be used that are already deployed. It doesn't require such major investments.
QKD is a nice lure for investors to throw money at it, but it's not really a practical use for common applications and data security as we are using computers and data and applications today.
It has very little production use cases. There's a reason why authoritarian states are in favor of this, because who wouldn't want to be the one in the middle to catch or either be in the position of the secrets or to be in the position to sabotage the connections.
How do we get there then? What is the journey? How long will it take? Is it costly? You have to change everything?
Yes, in practice, we do. Luckily, we get to do this in incremental steps, and there are clear steps that need to be done. First, the confidentiality and then the authentication side.
It is a massive systemic change project that is ongoing that will be implemented, as Suvi said, in two steps. That has clear timelines. We may be even able to meet these timelines. The standardization is pretty much ready. There are interoperable implementations on most issues that are needed. Now, it is time to implement. This implementation from SSH's perspective is a good thing because it creates business opportunity for us.
We've seen that, like I kind of mentioned in my introduction already, a military or defense organization outside of Europe, a Central European major telecom operator, wanted to test, wanted to get their hands around real post-quantum or quantum-safe solution. There's real need already today for the solution. Luckily, we were, like Mika was saying, kind of an early mover, not pioneer, but early mover in that, maybe a little bit ahead of time, but better that than late.
Yeah, in this case, you have to be because one day when you get the call and somebody tells you that we've purchased your products and we've been using it for this and this many years, and now there is this valid threat that somebody claims that they have been able to break the classical encryption, you're going to be in a good position to say that if you took it into use in 2022 with our NQX or our PrivX or our key manager solution, you're good. Your secrets are still safe because you took that post-quantum cryptography into use in time.
What comes to that, what Suvi said, is there is one thing. These new post-quantum algorithms, these are still mathematical algorithms. In cryptography, it is based on the algorithms that are state of the art at the time they are developed. The traditional public key algorithms were state of the art when they were developed 60 years ago or 30 years ago. Now, these new algorithms are thought to be resistant both for classical attacks and for quantum attacks. This assumption may be broken.
It is kind of an upgrade to what we have been having.
It's an upgrade. The assumption on these algorithms may be broken. It's always the case on cryptography. Right now, we don't, at the moment, have any reasonable reason to believe that they would be broken. They might be in the future. That's also why we are implementing cryptographic agility to new products.
To be able to update all the time when you.
Indeed, so that we wouldn't have to do this Y2K project kind of upgrade ever again.
I would like to add that we also took the approach of making a hybrid implementation, combining the classical and the new quantum algorithm, so that if it's not quantum-safe, it's definitely going to be quantum annoying because you have to break both of them in order to get to the secrets.
Maybe to summarize, the threat is real, but it's manageable moving forward. Like you showed, the transition has already started. It's unstoppable in a way. It will happen broadly across all the systems and applications and data, step by step, once customers first put the priority in there. Let's call it inventory of things to be protected and encrypted. There's a kind of a priority order, obviously, with each customer. Regulation will mandate this. You said in the U.S., it's the law. It's more than regulation. Tero, you had the notion of how does Zero Trust combine with these regulations and quantum safety?
The NIS2 tool and CER and DORA all require that the impacted operators are working on a Zero Trust manner. They implement a Zero Trust approach on their environment. That Zero Trust approach also implies that they have to validate the third-party risk, evaluate it, and to mitigate that, use products that are known to be secure. The Cyber Resilience Act is another European act that comes into full effect at the end of 2027. That applies to secure system vendors, basically us. We have to create systems that are secure by default. The secure by default implies that the state-of-the-art crypto is used. That includes the post-quantum crypto.
It wasn't just fun for you guys and Miikka Sainio's team to develop these things. It's something we are mandated to do anyways. Maybe that's to summarize here that this is kind of a business enabler altogether. Not having quantum safety in all of our solutions, not building them, not being part of transition plans with customers would be stopping us from being able to be competitive. Thank you, Suvi. Thank you, Tero.
Thanks, Rami.
With that, we will move forward. We have a video greeting from Rome, from one of the Co-General Managers. Roberto Cingolani is the CEO of Leonardo, and then Carlo Quadroni and Simone Ungaro, who were here in Finland, by the way, some weeks back at an ambassador event. We had a bit of a party here. He is the Co-General Manager for Technology and Innovation. Let's play his greeting.
In the last two years, under the leadership of our CEO, Roberto Cingolani, Leonardo has launched a new strategic direction. The key feature of this new strategic plan is to position Leonardo as a stronger player in the market across the four domains where we operate as a multi-platform company, such as Space, Air, Land, and Sea. From this cyber perspective, Leonardo is strategically shifting towards more profitable markets by developing cutting-edge technologies and adopting a new business model, much more enabled by our proprietary products to bring distinctive value and represent a trusted partner for governments, defense organizations, and critical infrastructures. The agreement with SSH marks a significant step forward in strengthening Leonardo's position within the rapidly expanding cybersecurity market. This operation is part of a broader series of strategic initiatives launched by Leonardo in recent months across the Nordic countries, focused on consolidating our presence in the cybersecurity sector.
These initiatives include the acquisition of the Swedish firm Axiomatics to provide fine-grained and dynamic access control to protected systems, complementary to SSH's offering, the investment in the Swedish startup Canary Bit, a specialist in confidential computing and AI security, and finally, a partnership with the Danish company Arbit to deliver secure and high-speed data transfer solutions in multi-domain operations. Together, these initiatives strengthen Leonardo's international portfolio in Zero Trust and data-centric security, positioning the company as a key player in shaping the future of cybersecurity. We have called the scope of these collaborations the missing piece of the puzzle. SSH becomes Leonardo's key partner for Zero Trust privileged access management and quantum-safe network encryption, to integrate SSH's PrivX and NQX technologies into its unique offering for defense and government customers, including NATO, EU institutions and agencies, intelligence police bodies, and operators of critical infrastructures.
Together with SSH, I am totally confident that Leonardo will build a unique and made-in-Europe Zero Trust proposition that can be scaled at the NATO level. The agreement brings together SSH's advanced technology expertise with Leonardo's solution asset services and domain-specific knowledge, creating altogether a comprehensive capability to deliver future-proof security solutions in a context of rapidly evolving threats and increasingly stringent regulations. This partnership highlights Leonardo's commitment to strengthening Europe's strategic autonomy in the digital domain. By combining its technology expertise with the Nordic region's strong culture of innovation, Leonardo delivers advanced, fully European-made cybersecurity solutions. At the same time, this strategic move establishes a long-term presence in the Nordic region, where Leonardo is ready to bring a full range of capabilities and actively support the local innovation ecosystem.
I believe that together with SSH, Leonardo will pursue significant commercial initiatives, particularly in the protection of critical infrastructures, an area of paramount importance in today's very complex geopolitical environment, with expectations of generating substantial synergies and offering high-value integrated solutions to our customers in our respective countries and across Europe, also leveraging on Leonardo's global network. In particular, we already started working together on a solid commercial pipeline in Italy and in other target areas, which include, for instance, energy and utilities, transportation companies, governments, intelligence, and defense. As part of Leonardo's immediate effort to strengthen the collaboration, we are also working on an early adoption project, aiming to deploy SSH products across Leonardo OT plants in Italy. Protecting our company perimeter and our business networks is a matter of strategic importance.
It is not only about the scale but also about establishing a powerful reference that allows us to present our offering to complex clients in Italy and across the world with greater confidence and credibility. Beyond this project, our midterm vision is to leverage SSH products together with those of the Cyber Division to safeguard Leonardo's entire product portfolio. At the same time, they will become an integral part of the security suite that underpins all of the group's major programs. This collaboration holds great promise for success driven by numerous features and opportunities. Beyond the business prospects, Leonardo is genuinely excited to embark on this strategic journey with SSH in a field vital not only to our group but also to global security.
This initiative clearly demonstrates Leonardo's commitment to advancing sovereign technologies, and together with SSH, we will continue to pursue joint efforts that strengthen our mutual capabilities and promote a safer, more resilient Europe. I am very confident that together with SSH, we will build numerous success stories. I am really looking forward to this implementation.
Thank you, Simone. I'm not going to repeat. That was pretty self-explanatory. I just wanted to maybe highlight that since Leonardo did not have these kinds of technologies or solution offering in their portfolio, but the need for it, this really is much more than just an investment or a partnership. This is really an embedding of us as a competent center into the wider portfolio and go-to-market across all the Leonardo domains, which the work has already started. With that in mind, Michael Kommonen, our CFO, will finalize here before Q&A on our financial situation.
OK, thank you, Rami. Good afternoon to everyone here and everyone online. To start the financial update as kind of a segue from what Simone was talking about just a few moments ago, a short update to our Leonardo transaction where some significant progress happened this week. Just as a reminder, this was a deal that we announced on the first day of the third quarter, on July 1st, and it involved a strategic partnership with Leonardo and a EUR 20 million directed share issue. This transaction was subject to approval from the Finnish Ministry of Economic Affairs and Employment as subject to the foreign direct investment regulation. This deal closed two days ago, on Tuesday this week, after a regulatory review period that was somewhat lengthier than we anticipated.
When we announced the deal, we still had expectations that it would close within the third quarter, and we didn't fully make it. We are very happy that this transaction is now closed, and we can move further in our partnership with Leonardo. As part of the closing, Leonardo also appointed Francesco DiSandro as a board member in SSH. Francesco is the Senior Vice President of Strategy for Leonardo's Cyber and Security Solutions Division, one of Leonardo's divisions. Moving to the financials, we announced our third quarter earnings this morning. What we can see here is the longer trend. We had revenues of EUR 5.5 million in the third quarter. That was a growth of 4%. EBITDA was EUR 0.8 million, and EBIT was EUR 0.0 million. Profitability was quite close to the year-ago numbers of EUR 1.0 million and EUR 0.1 million. One of the most important metrics we follow is our recurring revenue.
Total recurring revenue is the sum of subscription revenue and maintenance revenue. We also follow separately just the subscription revenue, as most of our new sales are sold in the form of subscription. The third quarter number was a bit disappointing. This decline can also be seen in the deferred revenue number for the third quarter, and it has to do with a couple of renewals, quite large, substantial, multi-year renewals, or in one case, a multi-year renewal, and in one case, a one-year renewal, which were delayed into the fourth quarter. On the other one of them, there's also expansion being negotiated, which then caused the delay of the renewal into the fourth quarter. Still, year-on-year, the recurring revenue developed positively.
Behind these numbers, something we haven't discussed much is that since around a year and a half ago, with the new management team in place, we've taken a slightly different approach to our R&D cost expenditure, or basically the accounting treatment of this cost. We've seen a lightening of our balance sheet since then. In practice, what has changed is we've taken a more prudent approach to our cost accounting. We record less of the R&D expenditure as investments and more of it as cost. If you look at our profit and loss statement, that will show in the way that we actually, even though our cash cost for overall cash cost has somewhat gone down following some savings initiatives we did last year, as a larger proportion of this cost is booked as cost and not as investment, it's actually not showing fully in the profit and loss statement.
At the same time, the depreciations and amortizations are continuing at the same pace. What you can see here is that our intangible assets have declined as we are depreciating and amortizing more on these than what we are actually adding in new investments here. In the short-term, this has burdened somewhat the EBITDA. In the long term, this will reduce our balance sheet, and it will also, in the longer-term, somewhat reduce the amortizations as there are less assets to amortize over time. With that, of course, we'll reduce the gap between EBITDA and EBIT. We received EUR 20 million this week as part of the investment, and many people are obviously wondering what we're going to do with this money.
I would say, in order of prioritization, the most important things we are doing is that we are using it to invest more in R&D and in sales and marketing. On the R&D side, we will be strengthening the R&D organization with an emphasis on further improving PrivX's competitive position on the PAM market. Like Rami was showing previously, there's a lot of adjacent markets to the PAM market. There's a lot of integrations that go into our PAM solution. When investing in these kinds of solutions, this will overall improve PrivX's competitive position and open more markets for us. We will also increase our sales and marketing resources and presence globally to drive demand, to become more known, to increase the deal amount going forward.
Finally, we will also use some of the proceeds to, over time, simplify our balance sheet and reduce the hybrid loan that is currently part of our equity. Our current offering and the partnerships we have, of course, particularly the strategic partnership we have with Leonardo, is clearly positioning us for growth. We see and we expect this sales growth to accelerate in 2026 and beyond. A lot of this, obviously, will come from the Leonardo partnership, as Simone was alluding to here previously. The annual sales growth will fluctuate somewhat. This is in part explained by the sales mix of subscription and license. In the case of license sales, we recognize the revenue immediately. In the subscription sales, this revenue is recognized over time. Of course, we continue to focus on subscription-based deals in line with our strategy.
We're not really changing that in any significant way, and we don't foresee any major change to the subscription license mix. Of course, in years where we have significant license sales, that will impact the annual growth rate and then potentially also comparisons for years following. In line with our current outlook for this year, for 2025, where we expect EBITDA and cash flow from operations to be positive, we expect those to remain positive in 2026 and improve in 2027 and beyond. OK, I think we are ready for the Q&A.
All right. Thank you very much, Michael. Before I go to any questions we may have in the chat, I'm going to ask, do we have any questions here in the room? Back there.
All right. [audio distortion] from Inderes. Hi. As you don't have specific growth targets, can you in any way verbally comment on those and how much maybe of the growth you are expecting from the Leonardo partnership?
Yeah, we don't give a kind of percentage guidance or million euro guidance. In Asia, 100% of our business is through partners. In Europe, more than half. In the U.S., about a third. Partner business is already significant. I anticipate that out of our pipeline of new opportunities, new deals, the majority comes from partners nowadays. My expectation is that the partnership with Leonardo is an equally large opportunity than our current partner network has been, if not even more. I've given the instruction, everybody, before this was closing, that we now spend half of our time with Leonardo. We're not abandoning our current channel and our current markets, obviously. There's a lot of growth opportunity in there. One example which we didn't publish per se, I posted it on my LinkedIn account, is that Leonardo just signed a frame agreement with the European Commission, 73 entities worth $300 million for the next years. Certainly, we want to be part of that and will be part of that.
All right. Regarding Leonardo, could you talk about the dynamics between SSH and the other cybersecurity companies that Leonardo has partnerships with, for example, Arbit, Canary Bit, and Axiomatics? Is there any competition between these partners, or is Leonardo pushing the sales with equal importance?
Yeah, I can answer the network side. We've been doing one part of network security, which is confidential and restricted-level network encryption. That's what NQX does and has certifications for that. You also have secret level and top secret and cosmic secret, which is a native side, which we don't do. We didn't have the resources to do it. Leonardo has solutions there. You have data transfer solutions, gateways, data diodes. That's what Arbit does, and they have the highest regulated standards available for themselves. Moving forward, the game here is to integrate those three: Leonardo's top secret, cosmic secret, Arbit network, network connectivity, and encryption from ourselves, to be able to offer a consolidated or joint offering. That will take some time, certainly. There's no overlap. They are complementing each other. Miikka can answer for policy-based access with Axiomatics and PrivX.
Yeah, I mean, you pretty much said what I was kind of planning to say. Leonardo has chosen the companies really well. There's very little overlap between the technologies or solutions per se. Of course, there are integration opportunities. Axiomatics, for example, may bring to the table something that we had already been planning on implementing to PrivX in the future. That's good. It's more about kind of figuring out the good integration points with the products and creating a holistic story for the customers.
All right. About Leonardo still, maybe if you could talk about how is Leonardo preparing or getting accustomed to selling SSH software products? As I understand, they have been mostly selling services. How much educational activities does it need from you?
Yeah, we've started that already. There's more than 120 people trained, educated. The next training session is on the 4th of November. That's going to be in Italian, which means that it's going to be Leonardo's own people training their own people on our solutions and products. That's how far we are getting at the moment. I will have my secret weapon, Massimo, joining that as well, so we understand what's being presented and can evaluate how well the education and training has gone forward. There are three layers of organization there that are engaged. They're massively excited, by the way, about working with us. It's kind of a new opportunity for those divisions. There are four lines of business divisions there within the cyber and security. There's kind of salespeople. I don't think we will train salespeople to be our product experts.
We've been a bit techy today, and we would be way too techy for those people. Then you have big teams, teams that are preparing the presentations and proposals. They have already understood really well. For instance, for one major traffic entity, very large in Southern Europe, the demonstration was done by Leonardo, not by us. That's already happening. Then you have technical teams, which is then to really handle the test, proof of concept testing, and then deployments. They have been trained. It's a continuous journey. That has started really, in my opinion, really well.
I understood that SSH products will be implemented in the physical security, for example, in jets and tanks eventually. Can you talk about the timeline on this?
Yeah, I mean, that's a long-term thing. We've started discussions with the Electronics Division, which is the core of that. Actually, helicopters belong to the Electronics Division overall. We have an opening with the GCAP project, which is the sixth generation fighter jet project. We started about two years ago. Now, with the joint venture between Rheinmetall and Leonardo for the next generation Leopard tanks, which the main customer will be the Italian Army, they are building up facilities in Italy to produce those. That project is now starting. For that project, we can be early movers in the planning stages of how digitalization and protection of digitalization is happening. This will be numerous years. I think, when will we see in Europe sixth generation fighter jets?
All right.
Not very soon.
Remains to be seen. Maybe about the overall growth areas that you mentioned, the Defense, Federal Government, Critical Infrastructure, OT. How large share of your revenues are these currently? Have they grown a lot faster than the group level?
Yeah, Michael, we checked that. We don't announce really for that. Of course, we can talk about it. I would say finance is still our largest sector, mainly driven by the key management solutions. Then Defense and Critical Infrastructure and OT security are in the top five already.
All right.
I can't rank them exactly, to be honest.
All right. Maybe one question about quantum safety. Could you talk about your kind of competitive advantages here? How unique is SSH offering in this area, for example, compared to competitors?
Miikka can answer more. Let me say just a few words on the quantum safety and OT security, because we are bundling, combining PrivX and NQX. It's a faster way for customers to get to that. For instance, Walmart, which is a public reference for us on SSH and key management solution area, they are looking for a way to upgrade their whole supply chain and logistics to quantum-safe. It will take them years to do it, but they are looking. For the NQX itself, the quick opportunity there is that it can be just another layer on top of existing networks, so a quicker way for customers to deploy. That's why this Central European Telecom Operator and non-European defense operator wanted to test it out. I'm very impressed by the product. How we can turn that into business is still to be seen.
It's about kind of educating customers about the fact that they need to separate their firewalls and encrypt so that they have multiple layers in the security stack. They don't trust on devices from one manufacturer, but they have kind of a defense in depth. Anyway, it's part of the kind of Zero Trust ideology in a sense that you kind of add layers to the security so that one breach doesn't bring the whole infrastructure down. I think NQX performance-wise and the fact that it's quantum-safe and it's software-based and it's crypto-agile and all that, I think we are very well positioned in that space. Then having quantum-safe algorithms in other products also, we are kind of early movers also on that side of the things.
We also want to enable customers to, like I was talking about the OT devices, so OT devices are really difficult to upgrade in many cases. They are legacy devices. They are old. There won't be quantum-safe crypto algorithms for those devices. What you can do is encapsulate the connections and control systems to quantum-safe shells or tunnels with NQX or PrivX. That is what you can do. There's definitely going to be kind of a funny thing, like the end user or consumer browsers are going to be quantum-safe. Like 40% of the browsers are already quantum-safe. Cat videos are quantum-safe. What about the infrastructures which run power plants or manufacturing and all that? There's definitely work to be done there.
All right. Thank you. I'll give the floor for others.
All right. Thank you very much. I'll take a couple of questions here from the chat. There are a lot of regulations acting in your favor, like NIS2 or CRA. Can you explain which of these regulations that you consider to have the most impact on demand for your products? Is there any concrete timeline on when it can really be seen in new customer intake?
CER and CRA, these two other ones, Cyber Resilience Act and Network and Information Security Legislation, are the ones that are driving companies to follow certain principles and upgrade their environments to be more resilient. Resilience is the word here. That's already happening. It's a legislation in European countries already since about a year ago. It's a question of how quickly markets and companies are moving. I don't know. Maybe an example of that is that in the past six weeks, we have four new customer queries for OT security from Finnish companies alone.
All right. Thank you. You explained how you will use the proceeds from Leonardo. Having received a large pile of cash from the directed share issue with Leonardo, is M&A on the table?
I guess I don't think we want to further add to our solution product portfolio. Some of you have already asked the question that do we even have a too wide of a portfolio? A really good question. That's why we've been integrating them. Like I showed the example of defense, which can deploy and use all of our solutions. We're always open to looking at opportunities to grow. I don't think we're on the lookout for kind of technology stack acquisitions. I think we're a tech company. We spend about 40% in R&D. Maybe it's time to focus on the go-to-market and generating the revenue rather than more technology.
I think it's clearly below the priorities we listed previously on the use of the money.
All right. Thank you. Do you see any business opportunities within rapidly increasing stablecoin usage or generally in the crypto sector?
Miikka is probably the only one who can answer that one.
I think that crypto is basically based on infrastructure. What we do is provide secure access for building infrastructures for Gen AI, for crypto, for OT, or other kinds of legacy IT use cases or normal IT use cases. I think that for us, it would just be another kind of customer type or use case. I don't think that it's something that we need to specifically develop for. It's definitely something that we can probably help with if needed. I don't think that we have seen much business from the crypto side so far as well.
All right. Thank you. The partnership with Leonardo obviously has many positives. I'm curious about what risks you see with working with such an enormous partner like Leonardo. For example, do you see the risk that SSH will be just one of many vendors?
At the moment, that's not the challenge, because I think there's a lot of excitement. Like I said, I would even want to make a claim that all Leonardo customers need all of our products. There's a long-term game to be played there. I think the risk, if there's any, is the time of execution. How quickly can we get this into real business? The pipeline is growing already as we speak, and we've been talking to more customers. It's to get the capabilities of Leonardo's organization to be self-sufficient also with our help toward the customer base. If there's a risk, the only risk might be that we manage our time properly. It's a huge organization, so that we don't get suffocated by hundreds and hundreds of queries per day. That's how we're organizing. We have a team in Rome, as I said earlier.
We have weekly business and technology follow-ups and technology now biweekly. We have combined the business cases. They manage their business cases in their CRM, which is then transported over to our system. We monitor those closely. We just want to now move to real business and customer cases as quickly as possible.
All right. I currently have still one more question here in the chat. I will ask again, do we have any more questions here in the room? There's one.
What can you talk about your pipeline today compared to, let's say, half a year ago or requests for proposals? Do you see how much increase already at this point of time, and how do you forecast that to happen next year?
That's a good question. Actually, a really good measure of are we going to grow, of course. It's not something we would publicly talk about. I can say here that we've added to our pipeline this year about EUR 22 million of new opportunities. We've closed over EUR 3 million of them by now. We have one quarter to go. They don't show in revenue because they are subscription-based. The aim is to add more to our pipeline. I think if we've been able to add EUR 2 million, EUR 2.5 million worth of value into the pipeline every month, I think with Leonardo, I would imagine that to be a little bit higher level, obviously, moving forward.
The average size of the deal or the request for proposals, to my understanding, at the last Capital Markets Day showed the average size of the customers, the top 10. To me, it seems still very modest. Rami, do you understand that? What do you feel that the top deals, could they be much higher than EUR 0.5 million or EUR 1 million currently you have? It is very important to understand that because the competitors show deals of EUR 5 million, EUR 10 million, and even higher.
Yeah, I mean, we have, I would say, three sizes of deals. We have small deals with under EUR 50,000. That should be kind of channel business on its own, right? We can't handle those individually. I would say medium-sized deals are between EUR 100,000, EUR 300,000 type of deals, which is predominantly where we are now with new deals. Why some of them are, and then the large deals, I would say, are half a million and up. Our biggest PrivX customer is about EUR 1 million at the moment, with a EUR 250,00 services on top. There needs to be, and I know there is an opportunity which we're working on to double that. I think it's realistic to say that the largest customers could be a couple of million. I don't see, apart from maybe major network infrastructure projects, which would be much higher than that.
This is kind of also a volume game. We need to have enough of these opportunities and deals. Coming back to these medium-sized deals, some of them start kind of small. Customers deploy further first, like this investment bank or funds management. They start with one use case. Now, they already ordered the second use case. Now, we are working on the third use case. That's unusually fast that we would maybe deploy three use cases, get up to about EUR 600,000, EUR 700,000 per year with one customer in three to four months. Normally, it takes closer to a year for customers to kind of expand their usage. That expansion is really important.
For instance, we have quite a few customers, like the North American service provider, who tossed away the market leader, CyberArk, and chose us because they got fed up with a lot of expenses in deployment that didn't work out. We got into the main of the domain. Now, they're already talking with us, can we do it also here and here and there? I think if we get into those kind of deals where customers are replacing, displacing, or partially taking our solution alongside an older solution, it will take a bit longer to grow there. Getting rid of a solution like this, because the life cycles of solutions like this are between five and eight years, right? Nobody buys an access management solution or network encryption for a year or two, like car leases. These are long-term projects.
It also means that dismantling and changing over to another product will take some time, between a year and a year and a half. Of course, we aspire to grow, like we said two years ago, we aspire to grow the average size of the deals as well. That is mandatory.
There is some sort of global tension between even Americans and Europeans. I wonder how you, Rami, see the opportunities or advantage of SSH in Europe compared to the big U.S. competitors. Is it only government, or are private enterprises also starting to prefer European solutions here? On the other hand, you mentioned that you have big ambitions to grow in the U.S. What would you say about that? Should you be regarded, with the help of Leonardo too, as a non-EU supplier, for example, in the U.K. and U.S.A., and maybe, for example, in Canada, that also has some tension between Canada and the U.S.?
Yeah, if I start from the North American market first, I mean, the tariff discussions and hassle has actually no impact on software business per se. We have an entity, and we also have a government entity in the U.S. We just introduced in the summertime a so-called FIPS version of PrivX, which means that it fulfills the requirements of the U.S. government standards in terms of cryptography, opening up some opportunities there. In the U.S., it's mainly how we get our marketing and demand generation sales and channel together. Leonardo has about 8,000 people in the U.S. They work with Boeing, Lockheed Martin. New York Police is using Leonardo systems for license plate registration, automatic scanning for license plates. We are starting to work now. We haven't achieved any deals or opportunities yet, but we are starting to work now with Leonardo also in the U.S.
They're very strong in the U.K., and that work has now also just started. They're very strong with the MOD in the U.K., in public safety in the U.K. That's certainly a focus market. When it comes to Europe, you heard Simone talk a lot about European for Europeans and European sovereignty. Certainly, like you said, Defense, I suppose, would want to be sovereign and non-dependent. Simply, the European technology in defense is behind. We all know that of Americans. It's going to be a combination of that. There's no between European and American in the defense side is collaboration. For public sector, public safety, infrastructure, certainly, it's a unique differentiator. We really only have one European competitor, a French company called WALLIX. They've changed their total marketing to be European only. No, I don't want to do that. I don't want to tout in America that we're Europeans.
In America, we are Americans, right? In Europe, we are Europeans. Certainly, there's an opportunity. In Italy, the government is following Nordic and Estonian digitalization and moving applications to the cloud, modern environment. It's a EUR 2 billion project. Leonardo has a large share of that. It's a project called PSN. We are now getting into the PSN catalog with our solutions. That will be a combination of, once again, coming back to my data classification, secret, confidential, restricted. The secret data will not be put in American clouds. Confidential data will be kept in private clouds. The restricted or public will be in well-guarded access to AWS or Azure or Google Cloud. It's going to be a combination like that. We have some customers, certainly in European administration, where they have chosen us because we are European. There's also that one. I wouldn't say it's for public, yes.
For business organizations, maybe less so. We have all seen now with these attacks on the network vendors and Microsoft stopping these judges to access the system because Trump told them not to allow it. There's a concern that who has control of access, who has visibility into their data, who owns the backdoors. I know that if a European company is sold to an American, the first thing it will be asked is to build a backdoor, Patriot Act. That's just how it is. I think in Europe, we think a bit differently.
All right. Thank you very much. As we are running out of time, I will take the last question here from the chat. If we talk about growth across your portfolio, PrivX stands out. Do you expect PrivX to be the main growth driver if we look a couple of years in the future as well? Do you expect NQX and SalaX to be equally as important?
At the moment, the market has a lot of clear demand. We've been able to develop the solution to a level that is well accepted on the market, in the Privileged Access Management market and PrivX market. I assume for the next couple of years, that will be the biggest driver. I see a lot of opportunities for network encryption and NQX, though. I assume those projects will take a little bit longer to turn into revenue. SalaX is a solid business from the kind of old-based. The secure messaging part is a new thing. We're going to announce the kind of new first customer engagements pretty soon on that. How fast we can grow it, we'll do our best. We'll see.
All right. Thank you very much for your answers and all the questions. I will give the floor to Rami for the closing words.
Yeah, just to thank everybody here at the place and online. As you can see, we are super excited about our technology. We have lots of it. We've been developing it. We have been spending a lot in R&D. I wouldn't say that we spent too much in R&D and forgot to sell it. I think we certainly have a moment now where the products are good enough. I mean, if we had solutions that are kind of not that good or that suck, it would be really difficult to grow. I don't see that as a problem at the moment. I think our challenge is to create the demand. It would be lovely for people, potential prospects, to come through the doors and windows to test and buy our products.
We also launched, by the way, now three versions, PrivX 3 and SalaX 3, just to get more people to see and test and try the product and then move to a commercial version, paying us later on. I think it's really a question of how we get our demand creation, awareness demand creation onto a totally different level, how we activate our existing partners. We have plenty of them. You saw three more today as well from Asia and Europe. Be successful fairly quickly with the execution of our solution base as part of Leonardo's overall offering to their customer base and to new markets. I'm hopeful. I'm asking you maybe a bit of patience.
It would be cool if we could close more deals like these two that I mentioned, the trust fund and the MSP or ISP in North America, which we turned around in five to six months. It would be cool if all deals can be done that quickly. I think the reality is that many of the deals will take nine to 12, nine to 18 months. I think we have enough pipeline. We have the partnership in place to be able to grow. Now, it's in our own hands to execute it. With that, thank you very much. You'll be seeing us in our quarterly reviews moving forward.