All right, we're going to get started. Thanks, everybody, for joining. I'm Jason Ader with William Blair, and I'm pleased to introduce Jen DiRico, CFO of Commvault. Before we begin, I'm required to inform you that a complete list of research disclosures or potential conflicts of interest is available at our website at williamblair.com. Jen's going to go through some slides, and then we'll have time for Q&A.
Great. Thanks so much.
Thanks, Jen.
Hi, everyone. I'm Jen DiRico, CFO here at Commvault. I've been at Commvault for about a year. Prior to that, I spent almost a decade at Toast. I'm thrilled to be at Commvault and even more excited to tell you about a little bit of our story and then, of course, answer some questions. Before I begin, let me just flash our safe harbor statement. OK. Commvault sits as a leading player in the cyber resilience space. What is cyber resilience? It's the convergence between data protection and data security. In the age of cyber attacks, ransomware, increased multi-cloud complexity, and regulations, you truly can't have one without the other at this point. That is why cyber resilience is becoming a strategic priority for businesses.
CIOs and CISOs and multiple surveys have shared that cyber resiliency is at least a top two priority for them this year and beyond. Let me share a little bit about our platform and why we believe we are the leading player in this space. First of all, starting at the bottom of the slide, you'll see a whole bunch of workloads. Our breadth and depth of workloads surpasses anyone else in this space. From SaaS applications, AI data, Active Directory, M365, on-premise solutions, we cover over 40 workloads. Depth and breadth matter in this industry and is key to being cyber resilient. Why? Because ultimately, time to recovery matters. If you have to go to multiple different players and single point solutions, that time increases. In the name of keeping your business continuous, speed matters.
We back up the most amount of workloads out there, and we do it in an automated and scalable fashion. We are seeing more and more customers turn to Commvault to consolidate their workloads on us due to this depth and breadth and speed to recovery. Once you've covered the workloads, which is the bottom part of that slide, you then see we layer on security components, things like data security. What does that mean? It means we help customers identify what their most valuable and critical assets are. Second, we give customers the opportunity to test their cyber resiliency. We have customers that are testing every day. It's not a white paper exercise. It's truly, if I'm attacked, how do I recover? How quickly can I do it?
Lastly, when they're attacked, because at this point in the world we live in, it's no longer an if, it's a when, we give customers a clean space, a cyber recovery, to ensure that what they're bringing back from a data perspective is truly clean and not infected. Let's talk a little bit about why we win. I would say there's five points. The first point is ultimate choice and flexibility. Our architecture is such that we allow the customer to choose, A, how they want to consume our product, software, SaaS, or an appliance, and then wherever they want to write or back up their data, whatever cloud, whatever appliance, we've got them. That's the first thing. The second thing is depth and breadth. I talked a little bit about this on the last slide.
To truly be cyber resilient, you have to ensure that you can back up as many workloads out there. Third, it's not just enough about backing up the workloads. It's about actually recovering them and rebuilding things. We rebuild applications and Active Directory, key to being truly cyber resilient. We do this under a single pane of glass such that it doesn't matter where you store your data. Multiple clouds, multiple on-premise areas, doesn't matter. You can see it all in one single pane of glass. Lastly, we do it at the lowest TCO. That's what we do for our customers. Let me talk a little bit about why we're excited about the large and growing market that we reside in. I'll spend a little bit of time talking through each part of that market. Our overall market is we estimate to be $24 billion.
That breaks down in core data, backup, and recovery, which is about $12 billion, and then data security and cloud security, another $12 billion. Let's take the core backup and recovery section. Of that $12 billion, $9 billion is on-premise. That's a market that actually isn't growing very much, but there's a lot of take share happening. 30% of the market is still owned by legacy players that don't support a hybrid environment. While the market isn't growing, it's incredibly important from an overall cyber resiliency for our ability to take share. And we're doing that, and we've proven it. The remaining part of that data protection market is $3 billion in the cloud. 80% of new data will be stored in the cloud going forward. 80% of data actually right now is also not stored, not protected by a third-party backup. OK? It's a white space.
It's estimated to grow to at least $4 billion by FY2027. There is growth here in this overall. The overall total data protection market of $12 billion is growing high single digits. Now let's turn to the data security and cloud security piece. We estimate that to be about $12 billion. We are in the early innings of attacking this TAM. We've launched new products over the last 18 to 24 months, things like ThreatScan, SecurityIQ, some of our most recent acquisitions. This is white space. This is space where it will continue to grow high teens. Overall, the market, if you include the data protection plus the data security and cloud security, is estimated to grow 12% for the foreseeable future. Not only is this a large market, but it's growing, and we believe that we are well positioned to continue to take share.
It's underlying the reasons for our growth right now. Let me hit on a few highlights from our most recent quarter. First of all, I would say to you, overall, the way we think about our growth business is in particular the subscription revenue number. That grew 45% year over year. For those of you not familiar with the story, we also launched our SaaS platform five years ago. We began monetizing that in late 2020. We've grown that from $0 to $281 million in five years, 68% growth year over year this past year, signifying how we are capturing that cloud market that I talked to you about. Our SaaS net dollar retention, another metric we're incredibly proud of, sits at 127%. That's made up of 70% upsell, meaning data growth, customers protecting more data, and 30% cross-sell.
You may have heard me share a couple at our earnings call that in FY26, a key strategic priority for us will be our cross-sell motion. Only about 7,000 of the SaaS customers, 70% of them only use one of our SaaS products. We have close to 15 offerings. We are in the early innings of exercising that cross-sell motion, and we are incredibly excited about it. Lastly, we have done this all by being profitable, 20% plus margin over the last couple of years, 21%, 21.5% this past year. We believe we have continued to show that not only are we a growth company, we are doing it all profitably. I will close with a few things. One, we believe we are in a large and growing market, and we are absolutely positioned to take share.
Two, the secular demand trends that I talked about in the beginning, rise of ransomware, complexity of AI, rise of regulation, they're all supporting this growth. We are meeting the moment through investments in innovation, right? We have continuously been a leader in innovation, 1,000 plus, 1,100 plus patents. We are differentiated because we support really well in the on-prem, but as well in particular in the cloud. We can be the hybrid player of choice. Lastly, we have done it all very profitably, right? We have proven that this model is repeatable, sustainable, and scalable. With that, I will open up with the questions. Thanks.
OK. Thanks, Jen.
Yep.
Yeah, that was pretty efficient. So good job. I wanted to start out just on the competitive landscape because there's a lot of players in the backup market and the cyber resilience market. I think you talked a little bit about your differentiation. You have now you have two private companies, Veeam and Cohesity, that let's say are potentially public companies over the next couple of years. Rubrik just went public. There's a lot of other players. Like we actually had AvePoint present this morning, which is more kind of cloud, Microsoft, Microsoft Cloud backup. But how do you help investors sort of parse through the competitive landscape and understand, sort of grasp really what makes Commvault special?
Sure. I would agree with you. It's certainly a dynamic landscape right now. As I look at overall the market, I would say that I would go back to my point around 30% of on-prem share right now is owned by the legacy players, and they're donating share at this point. As we think about some of the newer players, right, each one of those has a specific spot in terms of where they play. For Commvault, though, I think what we do really, really well is focus on both cloud but hybrid enterprises that really, truly need both the beauty of the on-prem and the cloud market, right? Most enterprises out there are hybrid, right? They will put new data into the cloud, but they can't abandon their on-premise solutions, right? To be truly cyber resilient, you have to have that single pane of glass.
I think to the point of why we win, a lot of that is around scalability, full depth and breadth, covering all that full space at a strong TCO.
Great. On the cyber resilience story and I guess that convergence of security and backup, are you still mainly selling into kind of backup administrators, or is that changing in terms of who the customer is? Are you starting to sell more into actual security budgets and security teams?
Yeah. If I go back to November of 2023, that was when we came out at our first shift event and shared the cyber resiliency. That's when we started to see a flip towards more CISOs in the conversation. At this point, we see it being a joint conversation between CIOs and CISOs. I would go back to the premise. It's not just about backing your data up anymore. Those times are gone, right? We used to think about backup as a protection against hurricanes and floods and things like that. It's a different world we live in now. You can't just think about backup without thinking about, hey, how do I actually rebuild? How do I actually recover? That's where the CISO comes in.
I would also say that some of the products that I talked about, data security, Clean Room, cyber range recovery, those areas, that's where the CISO is really saying, OK, what can you do to ensure that when I'm attacked, hopefully I've done everything on my part to make sure that doesn't happen, but ultimately we all know that that's the case as people are just getting attacked despite all the best advantages, right, and goals. Ultimately, it's a combined conversation, and we see that kind of across the globe at this point.
Gotcha. OK. When you talk about some of the legacy players, where are their deficiencies and what is the thing that is driving your share and opportunity?
I mean, I think it goes back to a lot of those legacy players are just focused on the on-premise side of things. It's not just about, it's not enough to be focused on the on-prem, because that's where you have those things. You need a single point solution in the cloud, right? That defeats the time to recovery. That slows things down. I go back to, to be truly cyber resilient, you have to understand what is your minimum viable company and how quickly can I recover and rebuild that. If you have to go to multiple different places, which if you use a legacy player, you have to bring in someone who supports your cloud environment, a different person, a different company rather. That will slow the time to recovery down.
In addition to that, those legacy players do not provide the more cyber resilient features, Clean Room to be able to test, even more data security pieces. You do not really have a cyber resilience. You just have your data's backed up.
OK. So like air gapping and all that kind of stuff.
Yeah, exactly.
Right.
ThreatScan, SecurityIQ. We've been doing air gap for a while.
Yeah, I was going to say, you guys have been talking about that for.
For a long time, yeah.
A long time. OK, good. By the way, I don't know if you know, I've been covering Commvault since 2010. Just kind of.
It's a long time.
Just kind of crazy, yeah. I've seen the evolution of the company, and maybe we could talk about that next, especially on the go-to-market side.
Yeah.
We've seen sort of the perception change at Commvault. What do you think has driven? I mean, I know you're relatively new, but from your experience and from your conversations, what do you think has driven the perception shift, especially in the channel, where I would say like five years ago, maybe five, six years ago, Commvault was viewed as more of a legacy. They were actually viewed more in that kind of.
Absolutely.
On-prem legacy bucket,
Right.
Now you're in the conversation with all of the kind of the latest and greatest players. What do you think has driven that shift?
First and foremost, companies want to partner with people who are good executors. I think over the last two years, our execution has drastically improved. That is due to some of the organizational changes that we have made in terms of focusing sales teams on land and expand versus renewal. We have enabled and held the bar much higher around productivity. I talked about an FY2025 double-digit increase of our sales force from a productivity perspective. There is execution happening. There is also investment in the channel, partner enablement, right? We have spent a lot of time re-enabling partners who have been with us for a long time around what do we do now, trying to abandon that legacy perspective, right? Our platform pretty greatly. It takes investment to bring partners along on that journey, right? I think we are getting there.
I wouldn't say we're all the way there. I would say we've made big improvements. I would say in FY2026, we're still making investments around partner enablement and education to really, truly make sure that Commvault is positioned in the company that we believe we are with a security and cyber resilience focus.
Yeah, I think the other thing that I have observed is the pricing and packaging changes that you guys have made over the last five years.
Yeah.
Again, before your time, but like.
Sure.
That was a big point of feedback. People would say like Commvault's just like hard to do business with. There's too many SKUs. Like it's just too complicated.
I would say to you that that is an ever-evolving thing that we're working on, because on the on-premise side of the subscription, we do have bundles from everywhere, from operational to autonomous to cyber, right? If you look at our SaaS platform, I think we have incremental opportunity there as well in terms of because we now have 15 plus offerings on the SaaS platform that you could easily see a bundle of some sort at some point. I would say to you, the packaging absolutely made a big investment. As we think about making sure that customers are truly cyber resilient and purchasing that cyber autonomous bundle versus just the operational backup has been instrumental.
Where do you see the kind of the lowest hanging fruit for you guys on the go-to-market?
I would call it lowest hanging fruit at this point. I would say to you, I think the next opportunity for us is to continue to stretch into the cross-sell motion that I shared. We are in the early innings of that. Things like making sure the sales team is incentivized on selling more than one product, selling the products that we know will truly drive resilience for our customers, and ensuring that there's a portion of our team really focused on that cross-sell only motion.
OK. Yeah, I mean, like the one question that comes up on some of the security features that you and others have introduced is kind of like, wait, aren't you the backup guy? Like should I be buying security from you, or should we be buying security from more of a pure play security vendor? How do you overcome that?
I think it's about knowing that if you truly want to be resilient, there are different layers of security. We're not trying to replace the perimeter security. This is about making sure that it's a second layer of defense that from a data protection perspective and recovery, that if you have to fail back to a backup copy of your data, I would hate for you to have failed back to a copy of data that's been infected. That would be challenging. It defeats the entire purpose. You have to have security embedded and ensure that what you are bringing back, what you're relying on, is truly clean or you're back for square one.
Yeah. OK. I'm going to open it up in a second for the audience. I wanted to ask just about the backup modernization cycle that we're seeing right now, just to play devil's advocate a bit.
Sure.
Maybe we're like in the fifth or sixth inning of that modernization cycle. Once all of the legacy guys start to kind of bleed out and you guys and others take share from them, how do you sustain the growth, I guess, beyond when maybe that cycle starts to wind down? Is that something you guys think about?
Absolutely. I think it's about if you go back to the TAM I talked about, I look at that TAM in three sections, right? There's the on-premise piece where whether it bleeds out over three years, five years, two years, right? We know that there's a determined time that that donation of share will continue. Let's say it's between two to three years, right? Ultimately that serves the foundation of the growth for the next two to three, some of the growth for the next two to three years. You look at the cloud piece, that's growing 15%. We know from cloud data. In terms of supporting incremental cloud growth, the market itself is growing 15%. Our SaaS grew 68%, right? Our ability to take incremental share faster than the growing market because there's a lot of white space in there, right?
Then you turn your focus to the data security and cloud security side of things. This past quarter, we shared that 25% of our net new ARR in the quarter was cyber offerings. We were already showing that we can capture some of that market. It's early days, right? Ultimately, if I think about the long-term durability of the growth, I look at each one of these markets and how they're growing and how we're outpacing each one of them. Also, that supports the underlying growth for several years, I would say.
I mean, if the backup, the core backup market continues to grow high single digits, that's going to be very helpful because I don't know the historical numbers there, but I think it's definitely accelerated over the last few years.
It has accelerated, yes.
Yeah.
Yep.
Yeah. What do you think is the right?
No one's abandoning their on-prem right now, even though it's very saturated, but it's still growing 1%-2% because people are still putting more data on on-prem.
Yeah. Yeah. Data grows.
Data grows.
What do you think?
Whether we like it or not.
What do you think is the right growth rate, top line growth rate for the business over the next few years? I see Malik, just like his ears just perked up.
Don't worry. He's already nervous. I'm going to guide without saying it. Don't worry. I won't.
No, but like just give people a sense, like a ballpark, like where do you think the right growth rate?
Yeah, without sharing. I mean, and I would say before I answer that question, I think people are asking, what does the long-term model of this business look like, both top and bottom line? And we hear that, and we are going to find the right time to share that over time. I would say to you, it's not I just walked you through the overall market that we play in is growing 12%-13%, inclusive of the puts and the takes, right? I don't think it's unreasonable to assume that we can sustain low to mid-teen growth for the next couple of years at least.
OK. I want to talk about leverage because you guys have been in this sort of 21% range for a while. When do you expect to see more leverage in the business?
First, I would say we're in that 20 range on purpose, right? That was a very, we looked at in FY2025, we made purposeful investments to accelerate our growth. We did exactly what we said we were going to do. The market continues to grow. When I looked at the data and the team said, you know, when we are in a decision, we win a lot of the time. We also know there are decisions that are happening that we're not even getting invited to. We're not even in those decisions. If we believe those decisions are going to happen for the next couple of years, we should invest behind that to capture those, right? I think that's what you're seeing in 2026, not at the same exact rate of 2025, but we're still investing.
If I zoom out, I don't think it is unreasonable to assume that this business could be mid-20s EBIT margin over the medium to long term. Right now, we really value our ability to capture the market because we know that when we capture customers, it's relatively sticky, right? It's a trade-off of probably two points for growth, one point for margin. It's not that I'm looking the other way on margin in any way, shape, or form. The other thing I would say to you is we've grown our SaaS platform, right? That carries a very different margin profile than the on-prem and the subscription term license. We've still managed to keep gross margins in the low 80s, right? We're very focused on optimizing, right?
I think we also know where the levers are in the business that over time we can build back into. We are really focused on making sure that we can capture the growth. We are overall really proud of the performance so far.
As you should be. Like my last question before I open it up is just how long have you been in the seat now, CFO?
Since August, so a little less than a year.
A little less than a year, OK. In your opinion, what is the most underappreciated aspect of the Commvault story?
Yeah, so I would say hands down that we are a growth company. If you look at our FY2025 results, our ARR grew 21%. That's inclusive of a perpetual piece of that that's declining about 10% year over year. Our subscription ARR, which makes up about 84% of total ARR, grew 31% last year. We're poised to, the guidance is 24% this year. Ultimately, I think that that is the best place to look at the growth of the company. Ultimately, we are very much well positioned to take share and continue to be a sustainable growth company.
OK. Anyone have any questions for Jen? We're also going to do a breakout upstairs for those that are shy. We do have a question over here from this gentleman.
Hey, Jen, I have a compound question.
OK.
Do you view Commvault as operating after the zero-day event or before with anomaly detection? Can you comment on your seed and SecOps integration?
Repeat the question.
Yeah, can you just repeat that question? What's the first part of it? I just can't hear you very well.
Do you view this after the zero-day event or?
Oh, after the zero. Do we play before or after the zero-day event? Yes.
Or is there overlap?
I would say there's overlap, absolutely. The fact of the matter is to ensure that customers can truly recover, right, and rebuild, it's important that the ThreatScan, those things are in place ahead of time. Absolutely, customers turn to us post the zero-day to get us back up and running, absolutely.
You're seeing SecOps integration?
Quite strong, actually, at this point in terms of actually who do we integrate with, et cetera.
Who are some of the partners that you guys have announced on the security side?
CrowdStrike, Palo Alto, two to come.
Other questions? All right, I guess I'll keep going. What do you say is the biggest investment focus for the business this year?
Sure. In FY26, we're going to continue to invest on the go-to-market side of things, whether that be increased sales capacity, because we know there's some territories that we're under-penetrated in, incremental investments through our partnership channel, back to some of the points around how do we show up with partners and how do they ensure that we're kind of there selling the security first side of things. Then brand. If you asked us a couple of years ago, I think a lot of people wouldn't even know who Commvault was, quite honestly. Our unaided brand awareness still has ways to go in terms of ensuring that when customers are looking for a solution like ours, our name comes to the top, right? We're being very pointed in that and ensuring that the ROI is strong.
I would say most of the investments sit in the go-to-market side of things to ensure that we can continue to keep up with the growth and capture the market.
OK, gotcha. What are your thoughts on kind of capital allocation, M&A? I know you guys have done a fair amount of M&A. What's your approach? You got a pretty good balance sheet, so.
Yep. I would say if Sanjay, our CEO, was sitting here, he would say over 30% has been under all of his terms. He would not classify himself as an M&A shop, per se. However, our capital allocation philosophy hinges on three pillars: M&A, share buybacks, and organic investment back into the business. Where we sit, the last two acquisitions we've done have very much been about expanding the depth and the breadth of our portfolio, Clumio and Cloud Rewind. From there, we know that there will be expected consolidation continued in the industry. Specifically on the point solutions, there's been a lot of point solutions that have come about over the last, let's call it, five or seven years that can absolutely potentially be a tuck-in for us over time.
We continue to keep our ear to the ground, just understanding what's out there, right? I will tell you, we're also very much focused on ensuring that the acquisitions that we've acquired bear fruit, and they're strong progress so far.
Any other questions? OK, the last question I'll ask you is, is there anything else we haven't covered that you want to leave the audience with?
I think I would just go back to, and I won't repeat what I said around the growth, but I do think that there is still a perception around us really playing in the on-premise and the legacy side of things. I would say we are absolutely a cloud-first company. Our SaaS platform is best in class. The growth is coming from. I would say, as we think about the long-term durability of the business, our ability to go after that cloud environment is pivotal, and we feel incredibly confident about it.
There's a lag between the perception and the channel and the investment community?
Yes, I would say that. Not everywhere, but in some places.
All right.
Awesome.
I think we'll wrap it up there. Thank you all for being here. We're going to go upstairs for the breakout. Where are we going, guys? Breakout?
We're going to Richardson.
Richardson for the breakout. OK, thanks everyone.