Hi, everybody. Thank you so much for being with us today. We are really excited to share with you our strategy and product session. I'm Suzanne DuLong. I lead the Investor Relations efforts at F5, and we are going to get started today. I'm going to take care of a few housekeeping items before we launch today's program. First, of course, there are the forward-looking statements. Our discussion today will contain forward-looking statements, which include words such as believe, anticipate, expect, and target. These forward-looking statements involve uncertainties and risks that may cause our actual results to differ materially from those expressed or implied by these statements. We have summarized factors that may affect our results in our SEC filings. We will also be referencing some non-GAAP numbers today for our full GAAP- to- non-GAAP reconciliations.
Please see the appendix of this slide, which will be posted to our IR portion of our website following the conclusion of today's live event. Our agenda today, we've got some great speakers for you. We're going to start out with Tom Fountain. He's our Executive Vice President of Global Services and our Chief Strategy Officer. He's going to talk about our customers' hybrid, multi-cloud, and AI challenges. We're then going to go to Arul Elumalai and Kara Sprague. Arul leads our BIG-IP efforts. He's the SVP and General Manager there. Kara is our Chief Product Officer. They're going to walk you through our portfolio transformation and the opportunity we see ahead. We'll then take a short break, about 10 minutes. Zeus Kerravala will join us from, he's an industry analyst from ZK Research.
We'll then wrap up with Frank for the financial recap, and François will join us on stage for Q&A. So with that, I will hand it over to Tom.
Excellent. Thank you, Suzanne. My name is Tom Fountain, and I'm EVP of Global Services and Chief Strategy Officer at F5. Thank you for joining today's strategy and product session. We want you to leave this session with seven key takeaways. First, our digital world is in crisis. The current multi-cloud Ball of Fire is untenable. Second, AI is an accelerant that will make the crisis exponentially worse. Third, to capitalize on this new reality, F5 invested early and transformed its portfolio. Fourth, F5's market opportunity is much larger and growing than it was five years ago. Five, F5's competitive position is stronger and more differentiated than ever before. Six, F5 is successfully executing land and expand motions across our portfolio. And seven, F5 is positioned for sustainable revenue growth and committed to double-digit earnings growth.
Before we speak to F5 strategy, I'll start by framing the context, for our customers' reality today. Apps power many of the most valuable brands of our time. Nearly half of the S&P 500 are either application-led or digital technology is a key source of differentiation in their business. Even for the others, digital technology is a key enabler of business processes. Applications are virtually everywhere in our lives today. They're how we bank, they're how we see a doctor, how we work remotely, how we get to dinner, or how we decide to have dinner sent to us. No matter where you look, apps run today's world. It's not surprising, then, that the number of applications is exploding. IDC and F5 estimate that there are 1 billion application instances in the world today.
Over the course of the next four years, that number's going to grow greater than 20% annually to 2.3 billion app instances. Along with this incredible growth in the number of applications will come incredible growth in application programming interfaces, or APIs. These APIs connect our application components together. While a typical application today might have only one or two sets of API interfaces in building the app, we expect this number to also grow substantially over the next several years. Managing this portfolio of apps and APIs is absolutely critical. Starting in the late 1990s, organizations spent over a decade collecting all of the applications from under people's desks and from branch offices and brought them to the data center. Building a traditional data center was challenging by standards of the day, but comparatively, a very simple model and approach: users connected to apps sitting in data centers.
As infrastructure as a service and software as a service rose in prominence, the prediction was that we would move all of these applications from the traditional data center into the cloud. Hybrid cloud was but a transitory state. It was simply a temporary place while we moved everything to the cloud in one form or another. The cloud promised a multitude of benefits, a highly automated environment, better suited to the business agility that was required, operational savings from automation and not having to invest for peak demand, better availability of services, and improved security. Yet almost everything about this prediction has proven wrong. Today's reality is far from the single location that was promised. Organizations often find themselves spread across multiple environments. F5's State of Application Strategy, forthcoming customer research, reports that 88% of all organizations operate across more than one of these environment types.
In fact, the average organization operates across 4.5 different types of environments. Most organizations have hundreds of applications, and this page illustrates the distribution of those workloads across all of these different types of environments. Of course, most organizations don't just have one of each of these types of environments. They might have multiple availability zones, or they might have multiple data centers or colo facilities for geographic distribution. It's not difficult, then, to see how the distribution of apps creates complexity. Graph theory tells us that something as simple as the number of connections grows quadratically as the number of environments increases. It's easy to see how these connections become overwhelming quite quickly. The problem, though, is actually even more acute: public cloud democratized access to infrastructure. Public cloud also helped to accelerate the emergence of modern application development.
In modern application development, we've taken these large monolithic applications and decomposed them into much, much smaller components of work. With that, then, we changed the architecture, and we moved from a three-tier architecture to a microservices architecture with small containerized components working in combination through APIs. Not only, then, are the apps distributed, but these app components are distributed. And each one of these app components has their own set of APIs and their own set of data. We at F5 have given this problem a name, and we call it the Ball of Fire . This Ball of Fire keeps getting worse. Mind you, an IT organization doesn't have just one Ball of Fire to worry about. They obviously must be worried and concerned about their ball of fire, but with partnerships, they now need to connect with many other parties' balls of fire.
What, of course, happens when you acquire a business? Suddenly, one Ball of Fire tries to consume another Ball of Fire . The result is an incredibly fragile and complex environment. Attackers, of course, exploit this complexity. While the defender must protect every asset every time, the attacker must find but a single point of entry. It's no wonder we read about security breaches almost daily. When it seems this Ball of Fire , though, couldn't possibly get any worse, enter the dawn of a new era: AI. We expect every new application will now be an AI-powered application. This will further drive each of the factors I've described already: more apps, even more APIs, greater distribution of apps and app components, and new and greater cyber threats.
To understand a bit about why this is the case, we don't need to look any further than the architectural diagram of a very simple AI application. AI applications are distinguished by two specific characteristics. First, AI applications are all modern applications. And as with all modern applications, they're componentized. But even more so than a normal modern application, these applications use APIs to access many AI models and many AI services. Our upcoming State of Application Strategy research concludes that API security is the single topmost issue customers face when rolling out AI-powered apps. The second major architectural shift that distinguishes AI apps is that they require many data sources: data for AI training, data for the app, data for AI inference. Data is central to AI. And since this data is inherently distributed, our multi-cloud connectivity problem just keeps getting worse.
AI-powered apps make the Ball of Fire even more complex and susceptible to attack. Adoption of AI-powered apps will follow a well-honed series of phases. For many organizations, last year was the first phase. It was characterized by experimentation with AI and starting to create models. The second phase, coming this year, will shift to building the infrastructure for these new models and for the applications. In the third phase, we'll begin to see broad enterprise deployment and the start of meaningful traffic volumes. The consequences of this Ball of Fire are very real: manual tasks, duplication of efforts across many silos, inconsistent security controls. Of course, each one of these environments requires its own technology stack and puts even more pressure on an already scarce talent supply. Of course, there's very real costs associated with cloud deployments.
But greater than any of these is really the consequence that it has on the speed of IT and the resulting impact it has on the speed and agility of business. A few years ago, the prediction was that we were in an inevitable journey to move every app from the data center to the public cloud. Yet for the vast majority of organizations, that's not their reality. Our digital world is in crisis. This current multi-cloud Ball of Fire is simply untenable. We at F5 saw this coming. Let me hand it to Arul to share the transformation of F5's portfolio to address this crisis.
Thank you, Tom. My name is Arul Elumalai. I am the Senior Vice President and General Manager for BIG-IP. As Tom said, the world changed. We saw that changing in front of our eyes because we were in that connection that was happening between the end user and the evolving Ball of Fire . That is what triggered the transformation of our portfolio to go solve this exact problem, and we are ready to do that now. Back in the day, when you accessed email, you were probably on your computer or what is called a terminal, and there was a server sitting in the data center delivering that messaging experience to you. It was a simple connectivity between one data center and one client called a client- service architecture. That required a set of services, and F5 was already there providing many of these services.
In fact, we even created the category called ADC. But what happened was when e-commerce emerged and the digital transformation started, we saw this journey. When you take your phone out today and do some online shopping, your picture, along with your account information, is being pulled from a central server sitting in an enterprise data center. That's where the master record is. At the same time, your shopping patterns and the queue that you're creating as you shop is sitting in a shopping cart application that is in a public cloud. That's the right place for the shopping cart app because analytics are churning on that application, giving the recommendations out to you.
And finally, there's an app that shows the same-day delivery status is being driven out of an edge location, probably close to your home, even showing the real-time status of how the truck with your merchandise is coming to your place. So what has happened? This digital experience has gone from one path to one location, becoming three different paths to three different locations. And what are the implications? The services that were required for that one data path, which I would call the lifeline of a digital experience, now have to be replicated for multiple data paths and locations. And they have to be kept synchronized. And some digital experiences have hundreds of experiences, not just three: applications that I talked about before.
If that shopping cart experience or the same-day delivery status experience that is coming to your mobile phone was a modern application being written using microservices architecture, there's a whole new level of complexity. You need even more services. So what happens is, to bring a single digital experience like online shopping, you need a full array of services that will connect applications across multiple locations. I want to pause here a little bit on what we have created. What you see here is the lifeline of a digital experience. That is the line through which traffic flows from the app to the user, from one business to another. If one of them breaks, that experience is not delivered. If one of them slows down, the entire experience is sluggish and users start leaving you.
And if one of them is compromised, it compromises the entire system across all locations. I'll give you one simple example. Taylor Swift announced the Eras Tour. 3.5 million people, Swifties, as I'm told, registered. And the presales opened up, and 1 million were invited to go and participate in the presale event. The server got 4 billion requests. 4 billion, 4 times the peak that the server has ever seen. The site crashed multiple times. Presales could not be done. The real sale of the general availability did not happen at all. The tour was canceled. Why? That one little thing called anti-bot that you see there did not do the job.
I have a story for every little thing out there: a financial organization losing its assets, users entering from one application in one particular site and thereby using it as an attack vector to go into another site. Each of those is controlled by those single things that are there across the string of services. It doesn't matter which industry, which sector, which region. Anybody who has a digital agenda is thinking about this. Anybody who's got users and businesses connecting to them via a digital channel are going and deploying these solutions. As a result, IT organizations are spending a bunch of time tying together and stitching together these different services. They're constantly tweaking and configuring them as the world around them changes.
And every time, every time there is a single change in one of them, that has to be replicated across all these data paths and all these locations. If you are an IT administrator, that is 35% of the time spent for you and your entire team. And even if you double the effort for you to get it right every time, it's a matter of chance. And that is what we saw happening as this digital evolution, took place and e-commerce led to application connectivity across different environments. So what did we do? As we saw this, we saw a need. In the layer of application and API, if we take that end to end, there was a need to offer a comprehensive set of services. So that irrespective of what the application is, it could be that traditional email application or the modern, shopping cart application.
These applications are sitting in multiple locations. How do we bring them all together over a comprehensive set of services? We have evolved our portfolio to do that. Firstly, BIG-IP, our flagship franchise. We have modernized BIG-IP and fundamentally re-architected it for the multi-cloud era, bringing cloud-like benefits to deployable solutions. We all witnessed the growth of cloud. It was one of the fastest adoptions in enterprise IT. Why did we adopt cloud? Why did customers flock to move their applications to the cloud? It could scale up and down on demand. That was TCO reduction. Its automation was one of the easiest. You got full-stack automation, and it came with multi-tenancy, where you can isolate applications, share the resources, and get the best workload running in the right place. But not all applications are moving to the cloud.
So what we are doing is taking the benefits of the cloud and bringing it to the on-prem solutions across hardware and across software. Our BIG-IP stack now that is in the market comes with built-in multi-tenancy by default. We have automation to do full-stack orchestration, and that is based on our API set that is already in the market. We had 36,000 downloads of that last year alone. And finally, when it comes to the whole idea of observability, we give a full view of observability of applications, of the tenant, as well as the hardware. And that is BIG-IP. We have spent hundreds of millions of dollars for the last few years re-architecting it for the modern era. These products are making their way into the market right now.
For example, when it comes to adopting these solutions, a service provider who wanted to do typical capacity expansion in their non-standard core broader hardware, but in their 5G transition, where they wanted a software form factor because they had to orchestrate and automate it because they were virtualizing and containerizing their solution, they picked our new software form factor. This fundamental re-architecture helped us get that opportunity. Beyond capacity addition and beyond refreshes, this is also opening up new use cases. Many of our customers using competitive solutions are also consolidating on us. So that way, in BIG-IP, when it comes to traditional applications, we have brought in operational simplicity. We have brought in the automation of the cloud, and that is securing our base and even strengthening our base when it comes to traditional applications. Well, that was a story.
In 2019, we saw the rapid adoption of modern apps, microservices-based apps. Much of the net new development was happening with this architecture, and we acquired NGINX. NGINX was a two-way win for us. Firstly, NGINX literally inserted us in the path between the user and the modern apps. That made NGINX a de facto application delivery solution for microservices-based and cloud-native applications, which is where net new applications were coming into the fold. At the same time, we also bolstered NGINX with the F5 application security capabilities. As a result, NGINX became the de facto solution to secure and deliver modern applications. This powerful combination across BIG-IP and NGINX gave us a way to secure and deliver modern applications and traditional applications in multi-cloud environments. We did not stop there. To bolster the security portfolio further, we acquired Shape. We acquired Volterra and Threat Stack.
These three acquisitions expanded our security capabilities in the application security area. But more importantly, it gave us a way to deliver these solutions as SaaS and managed services. So in addition to securing applications, we could now secure APIs. In addition to protecting the applications against humans, it also gave us the ability to protect against bot attacks. And that, when combined with the F5 application security stack that had web application firewall, DDoS, and access when it comes to user access from remote locations, we went and built the most comprehensive security stack. And this stack, the breadth that it offers in terms of application and API security, is unique to F5. In addition to that, this also gave us a view into how we extend into the edge.
Thereby, these acquisitions became the foundation of what we are bringing together as F5 Distributed Cloud, a SaaS and managed services offering. It's not just these inorganic options. We went and integrated even more of services and lighted up F5 Distributed Cloud. Today, we are also entering into the world of multi-cloud connectivity, where you have to connect applications across the different environments. With this portfolio, I could say that based on what we have today, we can secure and deliver any API and, and application in any location. We have made that possible. But at the same time, our bar is not to make it possible. Our bar is to make it ridiculously easy for our customers to go deliver these services and deliver the applications that are behind them. The whole idea is to change the paradigm.
Why does it take 14 weeks to bring a new application into the environment? How do we change the paradigm so that it can be done in an hour? When a configuration has to be changed to fix a security vulnerability, why does it take multiple days to go and propagate it across the different environments? Why can't we do it in minutes? Therefore, now, we are integrating across BIG-IP, NGINX, and Distributed Cloud to build the industry's first distributed application security and delivery platform. This is a game-changer. Why? Tom showed the Ball of Fire With this kind of a platform, you don't have to worry about where applications are sitting and what application architectures are being used. You deploy the application, and all the services are provisioned.
You don't even have to think about the interconnectivity of applications that is happening in the Ball of Fir e because the whole thing is abstracted. And when you go and set a policy in one location, this platform propagates it into all the locations where it is relevant. And it is not just around building this platform. We are bringing the full power of the AI assets that we have. F5 has had a history with AI. We have had learning models. We do behavior analysis. We have scoring algorithms. We use that in many of our security products when it comes to application security. The acquisitions that we had added to that. Shape brought in AI capabilities exclusive to bot. When we got Volterra, it had AI out of the box for API discovery. And finally, when we got Threat Stack, it brought in AI related to threat detection.
We are pulling that all together in order to power this platform. And when it comes to experience, there is a modern SaaS-based Distributed Cloud Console through which all our customers will get a single pane of glass to experience these services and synchronize these settings. It could be BIG-IP customers, NGINX customers, or Distributed Cloud customers. The experience of a single pane of glass is being powered with a Distributed Cloud Console. And that is the evolution that we took. So as of today, with what we have in our product portfolio today across BIG-IP, NGINX, and Distributed Cloud, we can say that we can secure, deliver, and optimize legacy applications, modern applications, and API in data centers, colocation, public cloud, and edge, and make them available as deployable solutions and SaaS. That opens up a new opportunity for us that is much larger than ever.
So our addressable opportunity as a result of this portfolio evolution and expansion is not increasing by a few basis points or by a fraction. It's by an order of magnitude. In our earlier days, we started with hardware-based solutions. We solved the problem of that era in the data center, primarily with our hardware solutions. The market opportunity was roughly $2 billion. And then when we did the software transformation, we got entry into the public cloud, and our software solutions grew along with the growth in public cloud. That expanded our market opportunity to $5 billion. And then when NGINX was acquired, that inserted us in the path for modern application security and modern application delivery. That made our market opportunity $11 billion. And now, with Distributed Cloud, we can do SaaS-based delivery.
We have a presence in the edge, and we have a much broader portfolio that includes Multi-Cloud Networking . That makes our addressable opportunity $16 billion. You would notice that this is a much larger market. But there's a point beyond that. It is growing at a pace that is of the order of 17% over the next few years. And if I have to dissect it in a slightly different way between the addressable market for our deployable apps and our SaaS apps, our deployable products, namely BIG-IP and NGINX, that market opportunity that is $11 billion today is growing to $16 billion. That's a 10% CAGR. On the other hand, if you look at the SaaS portfolio, Distributed Cloud that unlocks for us, that addressable opportunity is less than a third, and that's going to be more than a half. That is a 26% CAGR.
So that's the opportunity that we are looking ahead of us as we look into 2028. How is our portfolio well-positioned and differentiated to go capture this opportunity, and how are we executing against that? I'll pass it on to our Chief Product Officer, Kara Sprague, to break it down for us.
Thank you, Arul. So what does this mean? So what does this mean? You heard Arul say before that F5 is the only solution provider that can now secure, deliver, and optimize any app, any API, anywhere. And I want to talk about what gives us the confidence when we say this. And I'm going to do that by going through a number of different competitive sets that we play against and talk about what F5's differentiation is. So let's start with the traditional ADC and security players. These are players, you know, that F5 has competed with for many years, in the case of Citrix and A10, as well as players that are in the software ADC space like VMware Avi. And what we see from those players is their foothold and their strength continues to be as a deployable product in an on-prem or colocation environment.
That's why we've lit that up in the Ball of Fire . With F5's portfolio today, we are truly differentiated from these players. For one, we have a true hybrid multi-cloud offering versus what you see here with a very limited reach. So we extend into all of these other locations: the public cloud, the SaaS environments, the edge, whereas they do not. There's another big important differentiation against at least the couple here that have gone through change of control, which is F5 has been investing and innovating. You heard Arul talk about the $ hundreds of millions we've invested into BIG-IP innovation alone, let alone what's going on with NGINX and Distributed Cloud, versus these other players have had very limited innovation over the last few years. Certainly, going forward with their change of control, the innovation will become even lower.
Then the last difference here is that F5 is offering deployment and consumption model flexibility to our customers. What does that mean? That means that we will continue to offer our customers hardware-based solutions. We continue to offer them packaged software. We now have SaaS and managed services. And when I say consumption, it means that we will continue to offer our customers perpetual subscription and utility-based offerings, whereas these other players, and especially those who had gone under the recent change of control, have changed their customer playbook and are now very much constraining their customer choices. And that's very much to F5's benefit. So that's the traditional ADC and security players. The next group I'll talk about is the hyperscalers. So these are the large, public cloud players. We have offered. We highlight three of them in our Ball of Fire .
But here, I'm lighting up only one because the hyperscalers don't really extend into the other hyperscalers' environment. So technically, if you're going all in with a hyperscaler, you're very constrained to that hyperscaler-specific environment and the limited reach that they might have into other places. And so the F5 advantages against these other players when we're talking about hybrid multi-cloud challenges is, again, F5 is truly hybrid and multi-cloud, whereas these other hyperscalers have very much implemented security and networking capabilities that are specific to their own cloud. And when you talk to customers about their hybrid and multi-cloud challenges, you heard Tom highlight the operational silos. This is an example of what creates the operational silo is because the security and application delivery paradigm in one hyperscaler is different from the next. A second piece that makes F5 differentiated versus these is the environment-agnostic.
We are truly infrastructure-agnostic, whereas these other players do not have the same reach that we do into SaaS and into the edge. And then finally, F5 brings our heritage, which is our strength with on-premise deployments. And again, the public cloud players, while they have made some attempts to reach into customers' environments, and they do have some select offerings that do that, for the large part, when you talk to a customer and ask them what's running in their on-prem environment, it has nothing to do with what's running in the public cloud. The next competitive set that I'm going to talk about are the edge and CDN players. Again, I hope you know this might be getting redundant.
But what you can see here is that the edge and CDN players, they have lit up their own edge and CDN environment, but they do not have any reach into the public clouds. They don't have any reach into the SaaS players. They don't have any reach into on-prem environments either. And so, for example, if you're a customer that wants to start taking advantage of these application security and delivery services from an edge and CDN player, in a lot of cases, you actually end up hairpinning your traffic from your on-prem out to them and then back, which is highly inefficient. So what are the advantages of F5? Again, we are hybrid multi-cloud, whereas these other players have very, very limited reach to their own infrastructure.
Secondly is what I just talked about, which is we have much more opportunity for efficient routing with customers because of the flexibility of where we can be deployed versus the inefficient traffic routing that you see happen with them. The next competitive set are the Multi-Cloud Networking players. Here, what you have is, you know, you have a Cisco who's kind of like the big giant here and a handful of private companies. F5 has a number of advantages consistently across those players. Firstly, and I know this is quite nuanced on the page, but we have a focus at F5 on both the networking infrastructure, so the infrastructure across these distributed environments, but more importantly, connecting the applications that sit on top of that infrastructure. The other players do not reach up into that application layer.
And so that's what we mean when we talk about OSI layers 3-7 for F5 versus these networking players are only covering the OSI layers three and four. And then the second big differentiation from the Multi-Cloud Networking players is F5's emphasis on security. Arul talked about our best-in-class application security stack. These other players simply do not have it. They have nothing close. The next group I'm going to talk about are the multi-cloud app platform providers. And here, really, the one to highlight is VMware, now Broadcom. And the F5 advantages against these players is, again, the fact that we are truly hybrid and multi-cloud versus these other players that lack the Multi-Cloud Networking capabilities. So they might be offering customers an opportunity to have a consistent application environment, but they don't have the networking layer as well.
And F5 also, again, there's another distinction here in terms of our best-in-class security. The security offerings from the multi-cloud app platform providers are not there when you start talking about application security. So another competitive set there. And so I just went through a number of them. But I hope folks get the point now around why we feel very confident when we say that F5 is the only solution provider that secures, delivers, and optimizes any app, any API, anywhere. And that is a differentiated message and a differentiated capability from all of these other players that I just went through. So that's today. Now, I'm going to talk to you about where we are going and how our differentiation is only going to continue to get bigger. We are building the industry's first distributed application security and delivery platform.
Again, I'm going to use the Ball of Fire to talk through what that means. First, I'm going to start with our security capabilities. A key capability of this platform is an ability for a security team to basically secure all of the apps and APIs they have no matter where they are with a security policy that is consistent. Check. That is what we are providing. It will be a bit nuanced here, but you'll see the security elements disappear out of the Ball of Fire . The next thing that we are working on is offering connectivity for every user and application. We get that through our secure Multi-Cloud Networking capability that we already have today in the F5 Distributed Cloud Services offering. What does that mean against the Ball of Fire ? It means the hairball is gone.
The next thing, F5 now has the capabilities between BIG-IP and NGINX and Distributed Cloud to address all of customers' applications, all of their application architectures: the traditional, the modern, the AI-driven applications, all of them. And so what does that mean? A single platform can do this for customers regardless of where those applications are deployed. Boom. More simplification. And then the last area that we're working on as part of this platform, or at least the last piece that I will highlight, is what we're doing around the data and analytics, these green indications inside of the Ball of Fire . We are providing a platform with F5's AI Data Fabric that now gathers the telemetry and insights from all of the F5 product families to give customers a central place for visibility, analytics, and control. More simplification.
And as Arul shared, all of this will be accessible via the F5 Distributed Cloud Console so that users have a single pane of glass for all of this capability. So that's what we mean when we are talking about building the industry's first distributed app security and delivery platform. Well, what does this mean? And I want to echo back to what Tom shared in the overall context in terms of the major issues that customers have around the Ball of Fire . He talked about manual tasks. He talked about inconsistent security controls and operational silos, lack of available talent, and cloud costs, and inefficient traffic routing. With this platform that we are talking about, this distributed application security and delivery platform, you go to having automation of all of these manual elements. You have security policy that is consistent and operational policy that is consistent.
You don't need silos anymore because you have consistent settings across all of the different environments in which you're running. You have optimized talent alignment. In the old world, you had to have specific security skills for the AWSs, for the Azures, for the GCPs, for your on-prem environment. With the F5 platform, you only need security talent that is capable of one thing. And that's securing with F5's application security stack. And then finally, in this new model with this platform, it offers an opportunity for cloud savings and much, much more efficient traffic routing. That is what we mean when we talk about delivering for our customers ridiculously easy application security and delivery. All right. So I'm all right. So I'm next going to talk about where we're going with this from an AI perspective. We announced three things this week.
I'll just hit on those very briefly and talk about how they play into this platform. The first big announcement that we had this week is that F5 is going big on API security. You heard from Tom that the AI security challenge is API security. With F5's recent acquisition of a company called Wib, we have the most comprehensive set of API security capabilities in the market. We have the most comprehensive AI-ready API security solution. Why do I say that? Well, with the combination of Wib, F5 now has an API security solution that spans both build time and run time. We do API code scanning. We do API code testing and analysis. We do traffic analysis. We do protection and enforcement all in one platform and one solution. No other vendor can do that.
Another announcement that we made this week was around the AI Data Fabric. I talked about this a bit earlier before. What is this? Well, it's a capability for customers to stream all of their telemetry from their BIG-IP assets, from their NGINX assets, from their Distributed Cloud Services all into a single data lake so that that data can be used to enhance the services that the customers are consuming from F5 in terms of app security and delivery. That means improvements in the efficacy of their WAF, improvements in the efficacy of their anti-bot solutions, improvement in the efficacy of their API security solutions. That is what we're building with the AI Data Fabric. The third announcement we made was around an AI Assistant. This is an AI Assistant that we're making accessible via the F5 Distributed Cloud Console.
The idea for this AI Assistant is to provide customers with a natural language interface so that they can interrogate their app delivery and security data and also get recommendations about how to best manage their environment. So it will answer questions such as, can you tell me across all of my apps and APIs which ones are not covered by a WAF or an API security solution? That's really, really valuable information that most companies cannot answer today across their portfolio. Or can you please provide recommendations on how do I reduce the number of WAF signatures that I need because this thing is sucking up too much of my CPU? It will help them figure out how to consolidate and rationalize the different signatures and rules that they're applying in any of their security solutions for a much more optimized offering.
Or, hey, can you give me a recommendation about this new threat that I'm seeing? Do I need to do something to cover my apps and APIs because of it? It will provide an answer assessing their existing apps and APIs and saying whether that threat actually applies to them. That is where we are going with AI. The next thing I want to talk about is what kind of progress are we seeing within our customer base as we talk about this portfolio convergence and having customers enjoy and get value out of multiple solutions across F5's portfolio. So I'm going to talk about the land and expand motions that we are executing and what is the impact that we are seeing. I'll start with NGINX.
In just the last three years, we have basically doubled the number of customers that are both a customer of BIG-IP and NGINX. And what we see today is half of all NGINX customers are also BIG-IP customers. So we've seen great success in cross-selling NGINX into our BIG-IP base. Distributed Cloud. Again, over the same time period, what we see is that we have more than doubled the number of customers that are purchasing F5 SaaS and managed services that are also BIG-IP customers. And in fact, 63% of all of our SaaS and managed services customers are also BIG-IP customers today. So another very, very positive signal about cross-selling leverage and capability that we have. But let's blow this out and look across our entire portfolio.
How many of our customers at F5 actually are consuming multiple product families regardless of what the product families are? Let's start with just the top 1,000. If you look at the top 1,000 customers, what you see from F5 is incredible success having those top 1,000 customers adopting multiple product families from our portfolio. We've reached 44% in 2023. So big success in the top 1,000. OK, well, F5 has a lot more than 1,000 customers, right? Yes. We have almost around 20,000. This is nuanced. Then the graph looks the same size. But what we're actually seeing is if you look across the broad base of F5 customers, we have made great traction, but we're only at 7% penetrated in terms of our customer base that has adopted multiple of our product families. What does that tell me?
That there's tremendous upside and growth to go from that. So I hope it's clear from the stats that we've just shared that we're seeing great success already in the land and expand motions in terms of cross-selling from our BIG-IP base into NGINX, into Distributed Cloud, and in terms of looking at the traction across our customer set of having customers really buy into and get value out of this combined portfolio. So with that, I am going to call us to a break. We have 10 minutes, I believe. 10 minutes.
Kara, we're actually leaving out. We're running ahead of schedule. I know. Never happens. We are going to take a little bit of break. We will resume the schedule at 2:00 P.M. Pacific or 5:00 P.M. Eastern.
Excellent.
With the next part of our program, I am really happy to welcome to the stage Zeus Kerravala, who is going to give us an expert perspective as a third-party analyst.
All right. Thanks. All right. Thanks for the intro, Suzanne. And certainly glad to be here. By the way, do I have a little remote? Oh, I need that. Thanks. I thought it was like mind control, some kind of AI thing. So yeah. Just a quick intro on myself. I'm a long-time industry analyst. I've been running my own firm over 12 years. Before that, I was actually the chief research officer at Yankee Group for about 10 years. And before that, I was actually in corporate IT. I held a couple of CIO positions. I was in a VAR for a while. And from an analyst perspective, my coverage area is fairly broad, although I tend to focus only on trends and technologies that are highly disruptive to the status quo, right? So right now, obviously, it's a lot of everything's AI, obviously.
But then I do look at things like Private 5G and the impact of hybrid work and the whole impact that in fact, one of the trends I'll talk about is the shift in cloud that's happening right now. But it is a vastly changing industry right now. It's a lot more complicated than it used to be. And one of the interesting things for me as an analyst is the absolutes at which the industry seems to always talk about things. Like everything's moving to the cloud, right? And everything's going to be mobile or whatever. And you think back historically, that's never happened. We've never had a technology come in and swoop in and get rid of some legacy technology overnight. And in fact, I think it was just a couple of years ago that AT&T finally retired its X.25 network, right?
So these technologies do live on a long time. And because of that, the job for the IT pro has grown increasingly more complicated. Now, I think one of the things that's somewhat misunderstood too is the definition of cloud is changing, right? We've been talking about cloud in the analyst community for the better part of three decades, right? And if you think about the first phase of cloud, it wasn't even really cloud. It was just hosted applications. It just took the infrastructure off-prem. And that lasted for a long time, right? And then we moved to this model of centralized public clouds, right? And so for a while, we'd use one public cloud provider. But this was really the era of multiple clouds. And there's a big distinction between that and multi-cloud.
The way I describe it is multiple clouds are simply multiple centralized compute models that are managed and run independently. The application environments are completely different. But you can just think of it as multiple silos of cloud. Now, the big change in the industry and this has been happening for the last few years and has kind of grown in complexity as edge has grown is the shift to hybrid multi-cloud. It's also known as Distributed Cloud , Supercloud. I do a lot of work with Silicon ANGLE Media. And that's what they call it. But it's this concept that my application environment now is going to span by the way, can you start the timer so I know when I'm done? Because I tend to talk a long time. So it's an environment that spans public clouds, private clouds, edge locations.
That in fact, even with edge, when I looked at the F5 Ball of Fire , right? If you were to take edge out of that, it's still kind of this complicated mess, but not nearly as complicated as when you introduce edge. Once you introduce edge because everyone's got telcos have an edge, there's enterprise edge, there's IoT edge, things like that. It does get significantly more complicated. In fact, I would argue exponentially more complicated. And I think that's the transition we're going through right now is to this world of hybrid multi-clouds where companies are able to leverage the type of cloud resource they want, where they want. A big part of this driver is from a customer experience perspective, being able to move data to where you want it and so you're closer to the user.
Now, from a definitional perspective, I talk about most of this, but it is comprised of different types of cloud infrastructure. I think AI pushes this even further because instead of moving the AI to the data to AI, you want to bring the data as close to the user and as close to the compute infrastructure as you can. I think it does enable smarter, better analytics because now you have one set of data versus these disparate ones. And I think a lot of this what's interesting too with this is a lot of it's microservices, API, container-based, right? So the service has become a lot more ephemeral in nature. When you think of a decade ago when everything was largely virtual machine-based, these workloads you'd spin up would live in perpetuity, right?
Now you might spin up an edge service that runs for 20, 30 minutes and then gets deprecated. It doesn't mean you don't need a lot of the supporting service and security around it, right? It just means it's a lot more complicated to deliver. From an app complexity standpoint, that goes way up, right? So if you think of when apps are built, right? You've got all the supporting infrastructure around it, much of which F5 supports. You needed that in the data center, right? Then you needed it in the cloud. Now you need it at these edge locations that, like I said, can be ephemeral in nature. So you need to spin it up quickly, deprecate it. But then you need some kind of common management plane to make sure that the policies you push out are consistent across those, right?
So not only is the app development environment more complicated, so becomes the job of securing it and delivering the necessary services to make sure it runs optimally. Now, a lot of this is a forecast I've done recently looking at just how cloud spend is shifting over the next until 2029. You can see last year, edge was a very small part of it. It's grown to 17% of total cloud spend out in 2029. The legacy on-prem application, it's about a third today. That'll continue to shrink down. It's not going to zero though, right? That's the key, right? There's a lot of prognosticators and people I've collaborated with over the years that tend to think that that number is going to go to zero. It's certainly not, right?
So a lot of the edge growth is going to be stolen, I think, from private cloud and public cloud. But it is a form of that itself. There's no bigger proof point for that other than the fact that the public cloud providers all now have their own edge plays and private cloud plays, right? I remember when Amazon announced their private cloud stack at re:Invent, Andy Jassy was still the CEO of AWS then. I asked him in the analyst Q&A, they've been the poster child for everything in the public cloud for years. Why all of a sudden this pivot? He goes, because our customers wanted it, right? So if their customers want it, they're going to give it to them.
And so he recognized the fact that there is that level of complexity that they have to figure out how to manage within their own environment. But they're certainly not going to go manage that within the Azure environment or the GCP environment, right? And so that's where a company like F5 can actually have a role in trying to normalize that. Now, along with that evolution, the application delivery controller, which I think is a term that is well understood, although I think needs changing because it's more than just application delivery today. There's a lot of security in there. But it too has also evolved, right? So traditionally, we've had the hardware appliance, which is optimized for performance, which is deployed in your traditional data centers. It's done a great job over the years.
The role of this box historically was to be what I've characterized as the Rosetta Stone between applications and networking and now increasingly more security. So something's got to play that role. And it's funny, over the years, networking vendors have continually tried to buy their way into the space. Cisco tried it 3, 4 times. You remember Juniper bought Redline. Riverbed bought a company. And it's not just apps and it's not just networking. It's a combination of both, which is why I think the barrier to entry in this space has been so high historically. Then the virtual ADC came out and that became more optimized for agility. So if I move in a workload from one place to another, I need to remove all that supporting infrastructure with it like an ADC.
And so it allowed me to be able to take those services and move them as I move the server. But again, that was really deployed in a traditional data center, a hosting center, even public clouds to some degree. Then we moved to this containerized ADC and then API-level ADCs. And that really helped support the cloud-native environments. And even within the containerized ADC though, it's important to understand there's a difference between an ADC that's been containerized where each individual service can be spun up as a container versus a lot of the early days where people tried to take the entire ADC stack, push it into a container, but you really didn't get the speed that containers brought, right? And then of course, within today we're talking API level, which is really more for those distributed environments.
They become programmable and they become part of the coding environment. Now, last year I ran a survey looking at form factor and feature request in ADCs, right? And so if you look here, obviously the traditional on-prem legacy ADC is very widely deployed, 87% of customers. But you can see there's all the other form factors all the way down to containerized are seen fraction as well. I think this is simply a proof point that the different form factors are needed in different places. And then on the right side is the features people are looking for. The number one feature and this I was a little surprised. I thought automation would be a little higher on the stack, but it was a choose three type of answer. I think everybody needs better automation.
I think historically, not picking on F5 or peers like you, doing a lot of the tasks of spinning up virtual instances, adding virtual IPs and things like that was pretty administrator heavy. It's gotten a lot better over the last few years, but the more automation in IT, the better. Analytics, I think everyone's looking for better analytics. This concept of observability across the full stack has become a lot more widely accepted across IT. You have to have the ability to centrally manage. And then fourth though was security capabilities. And I think this is a part of F5's strategy that hasn't really been replicated by a lot of their competitors. Security is a part of this tool set now. And I think as that's one of the changes in the industry. Historically, this product category was a technology sold primarily in network administrators.
Even the security capabilities like WAF were tools that network administrators used. But more and more, it is SecOps that's looking at these tools. So eventually one day we'll have SecOps and NetOps come together and DevOps maybe. Certainly, the large enterprises have been adverse to it, but it does show the breadth of form factors as well as features continues to grow. This is necessary to support people's digital initiatives. Now, from an F5 perspective. F5 perspective, it's an interesting position the companies find itself in because in a way, you know François , I heard you speaking on stage, you're kind of a market of one, right? While there's a lot of point product vendors that compete with you at these different locations and for different services, F5's really the only one that's remained independent and has had the opportunity to go build a platform like this, right?
So if you think of the world of F5, so there's a few fundamental beliefs you have to have. If you believe hybrid multi-cloud's going to be the way forward, then you also need to believe that application development gets more complicated. And then the third requirement is that belief is that you do need to have that single service fabric, if you want to call it that, that delivers app services and security across that multi-cloud, right? F5's really the only company that can deliver that today. And part of it, I don't know, it's a good strategy, good luck. I mean, a lot of the competition, like I said, that was competing with you years ago have gone away. And part of that is just mismanagement by the acquiring companies.
I mean, Cisco is a company that, my God, took four shots at this with different companies and eventually threw in the towel and that they couldn't do it. And again, it's not something you need more than network knowledge to play in this space. And so I do think over the years F5's had a bunch of competitors pop up, but through, like I said, good luck or good execution, they've gone away. But I think what that gives them is the ability to address all the apps and services across the Distributed Cloud environment.
One of the things to think about from an investor standpoint is if you believe that AI is going to be the driving factor for competitive differentiation moving forward, then the moat that F5's created for itself actually widens because if administrators are going to use AI to do things like discover vulnerabilities and to be able to create new iRules or to understand where their app infrastructure perhaps needs an upgrade or where the security's weak or things like that, then that becomes not just AI prowess, but also data, right? So data is the underlying competitive edge that companies will have when it comes to AI because there's lots and lots of models to use and companies can pick and choose.
But the ability to take all that data, aggregate and create a single set of data is something that the breadth that F5's offerings have today gives them that I think is very unique in the industry. And I'm not sure how it would be replicated today. And so to me, AI is the most transformative technology that I've seen in my life as an analyst. And I think the feature and innovation acceleration gets faster and faster, the better the data that you have. And in data sciences, it's an expression that people say good data leads to good insights, right? And so the risk for IT pros that try and do this through some kind of point product approach is silos of data leads to fragmented insights.
Fragmented insights, I would argue, are worse than no insights because it's going to lead you to make decisions that perhaps are wrong because it didn't have a full understanding of that entire application surface area. I think from that perspective, this concept of the ADC platform actually is in line with the way the industry's heading. Now, one of the other questions I get from buyers is why can't I just use the cloud provider tools? AWS has got great tools. Azure's got great tools. But they're not ever going to address hybrid multi-cloud. They could, but it's not in their DNA for Microsoft to go want to support to go to support Amazon or support Google, right? Or vice versa. And even they would admit that they're going to provide a core set of tools for their customers to work in their environment.
If you want something more advanced, then you go to a company like F5, which is why you're available in the AWS marketplace, right? Because they're going to create really kind of a very basic offering and then anything more advanced. And that's across their entire portfolio, right? From contact center to storage, whatever. They provide a basic set of capabilities and then you can go up a tier and use some of their third-party partners. Because frankly, from their perspective, what do they care? You're spinning the meter, right? And so from their perspective, they're making money either way. So it's not really in their best interest, I think, to go try and take the business from a lot of their partners. But it does give customers a consistent operating model, which is not something we've ever had in corporate IT.
I think AI allows us to do this a lot simpler. I think the strong security portfolio works to their advantage. Like I said, there is just a lack of viable competitors today. I think part of that is just the way this industry's evolved over time. Lots and lots of companies have tried to jump in the space and make a part of a portfolio where it was really kind of a square peg and a round hole. So anyways, that's the end of my presentation. Here's my contact info. If there is anybody that wants to get a hold of me, you can email me. You can go through the IR team or just find me on social media. So thanks.
Thank you so much. I appreciate it.
Only if you like it. So look, Zeus, thank you so much. Really, really appreciate you sharing your insights on the changing dynamics of our core markets. We truly appreciate your attendance. I'm Frank Pelzer. I'm the CFO. It's always hard to be the last person up here and give you the financials when you've had so much excitement with everything else that's already happened before me. But I'm going to do my best and try. So Tom started today by telling you that the Ball of Fire , which illustrates the new reality for our customers' application infrastructure, is untenable. And AI is only adding accelerant to that fire because it exponentially expands the number of attack surfaces from apps and APIs that need protecting.
Kara and Arul explained how F5 has transformed its product portfolio through product development, acquisitions, and acquisition integration so that we are offering the only solution that combats the sprawl by delivering, securing, and optimizing any app, any API, anywhere. Now I would like to share with you the three core financial pillars that will drive our long-term success. First, we believe that the market opportunity and the product portfolio that we have built that Tom, Arul, and Kara discussed will allow us to sustainably drive mid-single-digit revenue growth for the foreseeable future. We also believe that we can gain operating leverage by growing our cost of goods sold and our operating expenses less than the revenue. Finally, we will continue to return cash to shareholders by using at least 50% of our free cash flow for share repurchases.
The combination of these three core financial pillars will drive double-digit non-GAAP EPS growth on a compound annual growth basis. Our financial North Star. Now, let's start with that first pillar, mid-single-digit revenue growth. We've talked about that in several ways. We've talked about we did 4% in FY23. We are going to be flat to slightly down in FY24, but we are going to grow mid-single digits in FY25 and beyond. Now, that's a combination of a couple of things. First, our product revenue is actually going to grow more than that. And we have signaled to you in the past that we do expect our services revenue growth to start to decline down to low single-digit growth. However, I can't underestimate or I can't stress enough the importance of our services to our customers and to the financial health of our company.
Over the past couple of years, we have grown that service revenue by 4% on a compounded annual growth basis. And you can see on the left-hand side of this chart that over 95% of that service revenue is recurring. Our global service revenue growth reflects the cumulative impact of consistently high attach rates, industry-leading renewal rates, and the expansion of new services. We had a particularly strong 7% growth from FY22 to FY23, reflecting the value that customers see of our services revenue in the renewal rates, as well as the price increases that we introduced in FY22. What's equally impressive is, through rigorous operating discipline, even with investments in new capabilities such as customer success, we have delivered strong services gross profit of close to $1.3 billion in FY23. At the same time, we have grown and maintained exceptionally strong gross margins of approximately 87%.
Now, this strong gross profit provides the investment engine needed for building our Distributed App Security and Delivery Platform, enhance our NGINX services, and introduce the next generation of BIG-IP. Now, I want to zoom down on four key financial operating metrics that we track to demonstrate the strength of our service business. If you start over on the left-hand side, well, for each of these charts, you're looking at FY21 compared to FY23. You'll see on the left-hand side of the charts that the initial attach rates for our services are consistently very high at 98%. When we take a look at our seven-year trailing renewal rates, we are at an industry-leading 76%, and that's up 2% from FY21. This reflects the value that customers place on our services, as well as demonstrates what we've been talking about is the recent sweating of our assets.
The duration, the third chart, reflects very much the same. In this, we're looking at the average age of our install base under maintenance, and it's now 51 months. That's up 4 months from 47 a couple of years ago. Again, this measure affirms the value customers see in our service, and the longer duration reflects what we believe is that temporary sweating of assets. And finally, we wanted to highlight the expansion that we see in our services revenue, particularly with our top 250 customers. You can see here that the compounded annual growth from 2021 to 2023 has actually almost doubled the rate at 7% of all of our services growth of 4%. So our largest customers like us a lot, and they are willing to spend dollars on these services. They are very important to them.
Now, all of this factors into the FY24 and FY25 outlooks that we shared with you in October. Let's start at the top line. In FY23, as I mentioned, we delivered 4% growth, and we expect FY24 to be flat to slightly down. We've guided FY25 revenue growth to return to mid-single digits. I remind you that normalized for the $180 million of backlog headwind in FY24, we would be growing revenue in mid-single digits. When I take a look at the Non-GAAP gross margins and operating margins, we will continue to increase those from FY23 levels. In FY24, we are reaching 33%-34% as we have guided, largely due to the component cost decreases in relation to what we had in FY23, as well as the reduction in force lapping period from April of 2023 to now.
When I take a look at FY25, gross margins will largely still see some effects of component price decreases, but gross margins will also increase because the mix of the revenue that we will get from our product revenue is probably more weighted towards software, which has a higher gross margin associated with it. We are also investing right now in IT initiatives that are going to improve our processes across the whole organization. We are piloting the use of AI technologies to drive efficiency specifically in our services, in our product development, and our sales and marketing areas. Going down one level to tax, as I've mentioned before, we do have a bit of a headwind in FY24 for our effective tax rate in comparison to FY23.
Taking into account that headwind, we did raise our outlook a couple of weeks ago from 5%-7% growth to 6%-8% growth of non-GAAP EPS. But if you normalize for tax rates, we actually will deliver over 10% growth on a tax-neutral basis. In FY25 and beyond, we expect to sustain double-digit non-GAAP EPS growth on a compounded annual growth basis. And finally, we will continue to use our free cash flow to return capital to our shareholders via share repurchase. In fact, over the last 3 years, we have returned 83% of free cash flow, delivering on our commitment of $500 million in FY21 and 2022, and over-delivering on our commitment of 50% of free cash flow at 58%. We started FY2024 well ahead of that 50% commitment by using close to 100% of our free cash flow for share repurchase.
As of the end of January, we still have over $770 million of share repurchase remaining under our authorized program. I will now turn the stage over to François, who is going to summarize and recap our key takeaways, as well as start the Q&A session.
Thank you, Frank. Well, thank you, Frank. My thanks to all of our presenters who will join me shortly for our Q&A. I just wanted to recap a few of the points that you heard today. First, you heard that the evolution of app distribution for large enterprises has really, truly created a crisis. It isn't just incremental. It is really untenable. We call it the Ball of Fire , but we're seeing across our customers this challenge grow more and more complex by the day. You've heard that AI will accelerate this phenomenon because AI workloads will be more distributed across more locations that will need to be protected, and AI workloads will also make heavy use of APIs. So that will accelerate the phenomenon we're seeing in the Ball of Fire . We've invested in our portfolio to be ready for this opportunity.
If you recall, 5 or 6 years ago, we had already started discussing and talking about hybrid and multi-cloud as what we perceive to be the future. That's what led us to make the acquisitions and the organic investments that we've made in the portfolio and the integrations we've done over the last couple of years. As a result of all of that, we see a market opportunity for F5 that is growing, that is, of course, much larger than where we were primarily when we were primarily an ADC hardware company. We think that our market opportunity is not only going to grow but accelerate over time. We now have a competitive position.
I think Zeus touched on that a little bit when he said, "We are a market of one." We are in a competitive position that we believe is very strong, both in our traditional ADC and application security market, but also in our ability to solve holistically for the Ball of Fire , which we don't see any other player really attacking in a holistic way today. The result of that is we're seeing acceleration in our expansion and cross-selling into a number of our customers, and that's giving us confidence for sustainable revenue growth over time. So those are the key messages from today. We're now going to move to our Q&A, and I'm going to invite Tom, Kara, and Frank back on stage. I will also invite Chad Whalen, who is our global head of sales, to join us on stage. Thank you.
Take a seat, and we will start taking questions. I think Suzanne will be routing questions to us.
First of all, thank you, everybody. We are going to go to Q&A. For those of you joining us on the webcast, you can ask questions through the Q&A tab on the portal where you've been viewing the webcast, and we'll read them here in the room. So please go ahead and use that. And also, for those of you in the room, we do have a couple mics, so please make sure to wait for the microphone so that those on the webcast can hear your question. Thank you.
There is a question in the room with Mina here. Okay.
Great. Meta Marshall, Morgan Stanley. I guess it's very impressive, the penetration of multiple products within the top 1,000 customers. Do you think that that's because those guys have the most complex environments or are trying to tackle them heads-on? Or why do you think that the penetration rate is so much higher with your large customers than it is as you go into the rest of the customer base?
I will start with that, Mina. First of all, generally, F5 target customers are large enterprises across all verticals. So they're typically companies that have hundreds of millions of dollars of revenue or above $1 billion and above dollars of revenue or above $1 billion and above. Within our largest customers, the chart we showed with the top 1,000 customers where we now see a penetration of 44% for customers that have more than 2 products, they typically have environments that are more complex. They typically have both traditional and modern applications, or they are modernizing traditional applications. That's what's causing them to deploy the BIG-IP that they already have and NGINX, or in some cases, they've started with BIG-IP, but they have some environments that were not protected and wanted a SaaS solution.
We're seeing that in our largest customers because they have environments that are more complex. However, there's also a go-to-market. So where our go-to-market resources are also more concentrated are on these top 1,000 customers. And so I think with time, you will see that we will be able to have a stronger penetration in the other customers as we educate our partners on the Ball of Fire and as they are able to also execute on these land and expand motions that we have started to execute on our top 1,000 customers. So there's just the number of resources that we can put in front of customers to execute these motions is somewhat constrained. And so with time, we'll be able to expand that beyond that. I think that's the other factor why you see more penetration there today than the other customers.
Maybe just as a follow-up to that, is that all about refining the partner and channel education programs, or are there kind of either prepackaged—not prepackaged solutions—but almost a recipe card for how that they can kind of sell or an easier sale that they can make to that segment of the market?
And so it is, and I'll take a first stab in, Chad, if you want to add to that, so it is, first and foremost, expanding the education across our channel partners, extending value proposition to all geographies, all segments, and enabling more of our partners in the field to be able to do that. Over the last, for example, just over the last three months, we have trained over 1,000 partners at F5 on Distributed Cloud to really accelerate the motion. That's an important part of what we have to do. The other part is creating the right product synergies that enable this cross-sale.
So if you look at a lot of the penetration that you see that we have achieved here has been primarily, I'm going to say, through commercial synergies, meaning we have created licensing programs that make it easy when you have one of our products to buy another one of our products, and you don't have to go through an entire new procurement exercise with all the friction that is associated with that. That has helped this penetration. But in the future, Kara mentioned that from a single pane of glass console, you will be able to experience your BIG-IP, say, on-prem solution or NGINX, and your SaaS solutions. And so when we do that and we make it easy, we remove friction in the product experience, that will also accelerate the cross-sale penetration into the customer base.
That's very comprehensive.
That's comprehensive?
Yeah. I would just add kind of the partner receptivity to this has really accelerated. François mentioned the amount of trained engineers that we've got done. We'll eclipse 1,500 by the end of this quarter, which is fantastic. The amount of new activity and what we call new PIO, which is partner-initiated opportunities, is coming in the better part of 40%-50% of the activity that we're seeing in the field. So we're expecting that to be a high-volume motion for us as we move forward.
Question from Ray.
Thanks. Ray McDonough from Guggenheim. So maybe for Kara, you mentioned that there's now one console in Distributed Cloud that can manage BIG-IP, NGINX, and other assets. And I'm assuming that's part of why you're retiring the Silverline console now. But how recent is that change, and how much work is left to be done to bring together all of the functionality and the capabilities into Distributed Cloud, or at least to be managed by that Distributed Cloud console?
Yep. There's still quite a bit of work. We do have a Distributed Cloud Console today. That is the console through which customers are consuming Distributed Cloud services. If you have captured any of the other sessions here at AppWorld, you'll see that the NGINX team showed how they're bringing together their NGINX One offering, unifying the management of all NGINX data planes within the Distributed Cloud Console. That's the first step. And you will start seeing evidence of BIG-IP now consolidating more of the BIG-IP capabilities and observability into the Distributed Cloud Console. But that is still work to be done.
Thanks. So maybe just a quick follow-up on the web platform. I think you guys highlighted and did a good job highlighting the unique capabilities inside that platform. But when you look across the environment, there's a lot of competitors talking about API security in general, right? So who do you think specifically addresses the API lifecycle closest to what you're trying to accomplish here? Is it the observability vendors? Is it some of the acquisitions we've seen from endpoint security providers? Is it Akamai and CDN peers? Who would you think most closely kind of provides that lifecycle for API management and security?
The closest that has the closest in having coverage is a startup, one startup specifically. When you start mapping, and we do have a map of the capabilities of the various players in API security, you're exactly right. There's a lot of, I would call them, specialists. So they're very specialist API security players. That's all that they do. And so they're able to go out there, and that's all that they talk about. And then there's some companies, and you mentioned Akamai, Cloudflare, who, as part of their Web App and API Protection suite, will say that they have API security in there. And regardless of if you're looking at those point solutions versus more of the platform players, the F5 API security solution with the combination of web is more comprehensive than any of those players.
And again, the four things that we look at for comprehensiveness for API security are: does it do kind of build-time API security, which is the code scanning, the code testing, and analysis? And does it do the runtime protection, which includes the traffic analysis and discovery? And does it do the actual protection and enforcement? Many of the other vendors, especially the point solutions, have to actually partner with a company like F5 that sits in the line of traffic to end up doing the enforcement. And with F5's solution, you do it all in one thing.
Great. Thanks.
Just to add to what Kara said about platform versus point solution. So to be very clear, our belief system is that API security will be consumed as part of platforms. Point solutions' API security, we don't think, are the answer, or we don't think are the winners down the road. The problem is, today, you have had to choose between API security solutions that are point solutions but closest to being comprehensive or platform players that have just basic, good-enough API security solutions. So the disruption that we're bringing to this is bringing API security as part of a platform but the most comprehensive API security solution in the market. Now, why that's important today? Because we're seeing all these apps being distributed.
It's going to be even more important in the near future because when you think about AI workloads, they are going to make very, very heavy use of APIs because they have to access data that is in different places. They have to access services from other workloads and different models. And so we think probably the most critical building block of security for AI workloads is going to be securing APIs. And that's why we have accelerated our investments in API security, both organically and through acquisitions as part of our platform.
Maybe a follow-up question. You talked about it briefly, but you have a combination of network buyers, security buyers, kind of DevOps folks. Just where are you finding the most traction, and where can you kind of find the right inroads to make sure you're talking to the right person or have the most success finding the right person within the organization?
Yeah. That's a great question. Obviously, we're servicing multiple personas, and we have a lot of gravity with the ones that we've done for a long time, which is kind of network center and security center. But since the acquisition of NGINX, we've been in the platform teams. We've been in the DevSecOps teams. We've been in the SRE teams. So we've had access to these types of individuals for quite some time. And what we find is that when we get into these discussions, especially with the large part of the market, which is what we covered earlier with Kara, they're actually bringing in their cross-functional partners because the problem set is so complex, they need the help. In fact, in many of these large entities, when we go in, we're meeting with sometimes six different functional groups at the same time for these very reasons.
So that's one of the major reasons, Meta, that we're able to actually get to the right buyers that own that opportunity is really even from the folks that we have gravity with on the network side, as an example. François, do you mean?
Nope. It's great. Thank you, Chad. Yep. Suzanne?
François, we do have a couple coming in on the web. The first one is, if F5's total available market is growing at a 17% CAGR, why wouldn't the top-line growth be in double digits?
That's a great question. Okay. So I think we ought to. I'm going to answer this in two blocks. So first of all, when we've talked about our growth rate, we've only talked about FY24 and FY25. And you could say that's relatively short-term. And that is based on what we see: current activity, current pipeline. Of course, we look at the growth rate in the market, but we look even more at our bottoms-up forecast and what we're able to see. When we look now, let's talk about our market growth rate. And we haven't given guidance for our growth rate beyond FY25. But of course, the market growth rates that we have given extend well beyond 2025. They go into 2028. So two factors there. While we see when you take the market, it's deployable and SaaS, right?
Deployable growing at, we say, 10% CAGR, SaaS growing at a 26% CAGR. The reality is you know that SaaS today is roughly 7% of our total revenues. So we are, of course, way more heavily exposed to deployable that has the lower growth rate. And even within the deployable space, we have a heavy weight on ADCs that have a growth rate that is less than the 10%. It's closer to the low of mid-single digits. So our growth rate in the near term is, of course, heavily marked towards where we have the biggest weight. But we do believe that over time, as more and more of our exposure and position shifts to these faster-growing areas, there's an opportunity for us, of course, to accelerate our growth rate down the road.
At a minimum, it gives us confidence that we can sustain, and that's the point, I think, Frank made very well, that our mid-single-digit growth is a very sustainable growth rate. That was one of two.
There are a couple. We'll do one more here, and then we can see if there's any more in the room. So diving a little bit deeper into that, there's a request to wonder whether or not we could give perhaps a little more color on the high single-digit product growth that we're expecting, specifically color on how to think about it in terms of systems and software.
Yeah. Do you want me to start on that one?
Okay. Call a friend.
So again, what we have talked about is FY24 and FY25. We've talked about FY24 in our software as being modest growth from what we did in FY23 but growing to double digits in FY25. And that growth is really driven by the renewal cycle that we see in our term subscription agreements. And we have a lot of visibility on that. We really love what we've seen in terms of that growth. I do believe, even beyond FY25, that we will continue to see that software growth be the core driver of where we are going to sustain higher than mid-single-digit revenue growth on the total base. Even mid-single-digit revenue growth on our base is more revenue than a lot of, I would say, midsize companies do in a year. And so it's impressive growth, but it will be accelerated by the software side of the business.
Thanks. Maybe Frank and I can appreciate if you don't want to turn this into a financial disclosure, but maybe you can help us understand you just talked about the renewal cycle on your term business, right? And obviously, you're early on in terms of those cohorts that are starting to renew. And I think it was maybe a quarter or two ago, you mentioned there was a net expansion rate of about 120%. Can you help us think through the components of the term business, whether that's coming from BIG-IP, software attach, or NGINX? And how sustainable do you think that 120% net retention rate is going out to fiscal 2025 and 2026?
No, I appreciate the question, Ray. Look, I tried to emphasize that it's not perfect data for us because we have to convert term into a ratable framework, and that's not really what our systems are equipped to do. So the rate I see is actually more than 120%, but I felt comfortable saying 120%. There is a portion of that, though, that is those early terms where we probably did not necessarily get it right in terms of sizing. I think Chad's team is doing a much better job in sizing it right out of the gate. I also think that we've seen as part of this is NGINX, part of its BIG-IP.
The NGINX side of the equation, we have seen some customers that probably started in low six figures and have turned into eight-figure-type opportunities for us because it was attached to the right application that just saw massive atmospheric growth. And so those opportunities don't happen across every single contract, but we do see that happening within that customer base. On the BIG-IP side, with the things that we've talked about, of BIG-IP Next and the next generation of BIG-IP, I see even more opportunity to expand that. And so I am really excited by entering the third term or the end term of these and just having that waterfall effect of those term agreements build upon each other and more and more of that revenue coming from the renewals as opposed to new business that give us just that much more visibility.
That makes sense. And just maybe a quick follow-up. I completely understand SaaS managed services, 7% of revenue. But obviously, you have I think it's $65 million or so that some of it that's going away, some of it that you hope to transition to Distributed Cloud. But when we strip out the potential churn, can you talk about what you're seeing on the gross renewal side of the SaaS business itself?
So we have not split that out in terms of disclosures. I'm not ready to do that now. We are tracking that metric internally, but again, it's relatively early in some of these cycles. We are happy with the renewals, the gross the GRR that we're seeing across most of the base. There are still some products where we'd like to see some improvements in those areas, but more to come.
Thank you.
Yep.
Maybe piggybacking on that and a question I asked earlier, just you've had a lot of success with these term agreements of at least getting people to try out multiple products. And I guess Cisco has had a lot of success bringing kind of ELAs and term agreements further down market. Just how have you guys thought about that? And is that one of the ways to kind of increase the penetration down market? And what are some of the hurdles to kind of introducing that further down market?
You want to go?
Oh, go ahead. Yeah.
It's a fantastic framework for us. It continues to have immense kind of customer traction across the board. Obviously, we started this from the top of the market because that's where we have a lot of gravity. But we've been very successful at taking it down market, and we'll continue to do so. From a motion or a go-to-market motion, it's one of the strongest motions that we have across the global organization. It's widely accepted in every theater across the globe, which is fantastic. Obviously, we started first-tier and had a lot more gravity in North America. But every single theater is participating and participating in volumes. And so our volumes, in terms of the numbers that we're doing, continue to go up quarter-over-quarter, year-over-year, measurably.
Clearly, the size and capability of these constructs are going to change as you go down market, right? So rather than eight-figure deals or seven-figure deals, some of them are smaller. And we're finding that right mix to bring the value to the customers. What I would tell you, though, is that even when we go down market, the customers are finding tremendous value. And they're getting that realized value out of these instruments, and we're continuing to get expansion into other opportunities. Some of the new platforms that you heard about with Distributed Cloud , we're just getting going in this motion. So I have a high degree of confidence that we're going to be very successful at attaching into the contracts that we already have and then establishing new contracts with that framework in place.
And a couple of thank yous, Chad. A couple are just building on the point Chad made to bring to life that it is very early days still in this cross-sell motion. So Distributed Cloud , for example, we shared on the earnings call in October that we had over 500 customers. None of these customers were won with Distributed Cloud being part of our Flexible Consumption Programs. That was only introduced in the last three months, where now anybody that has a flexible consumption program with F5 can attach Distributed Cloud into that consumption program. So the friction in cross-selling into that—we've just removed a big chunk of it, but only in the last couple of months. That's point one about the evolution of the cross-selling vehicles.
Point two is when we share with you that we have 7% of our total customers that have more than one product, that have two product families at F5. The thing that's interesting is if you want to think about expansion, yes, we can talk about it going to more customers and eventually going down. Eventually going down market, that's going to be one of the motions. Even within the 7%, the vast majority of them, they had a product from F5, and then they did in the last, say, 12-24 months, their first implementation with a second product, which has very low penetration. There are a number of customers who are here at AppWorld who have taken Distributed Cloud in the last 12-18 months.
They'll tell you, "Yes, we now have Distributed Cloud fronting 20 applications because we wanted to get used to it. But we've got the next 500 applications to roll onto this thing now that we have familiarity with it." So even within those customers that have two product families, we think there will be substantial expansion of usage of the second product family they've just taken on.
Can I add one additional thing? Which is, first of all, I talked about the expansion and coverage of the number of apps with Distributed Cloud , but equally, it's an extensible platform. And so we're expanding the number of services. So the two that we're focused on right now, we have two big use cases: Web App and API Protection , which includes a suite of four functions within it, which is web app firewall, distributed denial of service protection, anti-bot, and API security. There's a lot of customers we have of the Web App and API Protection that just have one of those four things today. And so that's one of the two use cases. We have a second use case around Multi-Cloud Networking . And again, there's two sub-offers within Multi-Cloud Networking and an opportunity to cross-sell there.
And then on top of that, we have a growing array of other capabilities, including now a generally available CDN offering as well as a DNS offering as well as an AppS tack offering for managing distributed apps. And so we're going to continue adding more services.
I have a good follow-up from the web on this thread. What is the greatest limiter or governor for F5 Distributed Cloud Services adoption?
That's a great question. Okay. So I would say I'm going to start, but I may have some additions from the panel. I would say probably the first one is awareness in the market. And we are at AppWorld with hundreds of our customers and partners here this week addressing this awareness issue. But I think a lot of the market, when thinking about F5, including some legacy customers of F5, think of F5 as hardware and software. But if they really want to have a SaaS solution, we're not necessarily the first partner that comes to mind. That's the first thing that we need to address. So I would say awareness is probably the biggest governor. And probably the second one is the number of trained resources in the field, whether they are F5 or our partners.
And by that, I mean technical consultants, technical sales folks who are able to engage in an opportunity very quickly and share out differentiation, demo the product. I think that's a second governor. And we're addressing that through a lot of training. The third one is probably scalability and presence. We have several dozen POPs today around the world, but there are a number of geographies where we don't have points of presence. We have sales teams screaming for us to put these points of presence in place very quickly. And I would say how rapidly we scale the platform is a governor. And then fourth is probably, as Kara touched on, the number of services on the platform. And I think as we grow the number of services, there'll be more use cases to get customers.
Probably, I would add a fifth one, which is the roadmap that Kara talked about, which is pretty soon, we are going to be able to have BIG-IP, existing BIG-IP. So we have 20,000 customers, as Kara said today. We're going to be able to have any BIG-IP or NGINX customer being able to experience BIG-IP and NGINX through the Distributed Cloud Console. When that happens, it's going to give them visibility to all these SaaS services without us doing anything, really, to all these SaaS services. And I think that will be potentially an accelerator of both awareness but also usage and buying Distributed Cloud. So I came up with five. I don't know if they're in the right order, but those are kind of the things that we are working on that we think will accelerate the growth.
Questions in the room?
Maybe just one more. François, it's been maybe, what, two or three years before you made a real large acquisition. I mean, you've done a couple of tuck-in acquisitions to add services and things of that nature. Is there anything within your portfolio at this point of solutions that you think you're missing where you really could accelerate either adoption or your go-to-market strategy with a larger purchase?
Well, what you've seen us do over the last so when we bought Volterra, this was a very substantial bet for us because we bought a company that had virtually no revenue. But we did it because we knew that we needed a SaaS platform to address the Ball of Fire . And when we looked at a number of companies in the space, we really, truly wanted an architecture that was entirely defined in software so that our Ball of Fire platform could address any workload, not just workloads that would run in our points of presence, but workload that would be in public clouds, on-premises, in private clouds, at the edge, and any edge, meaning not just the edge of a point of presence of an edge player, but the edge of a manufacturing floor or a critical care unit or a moving vehicle.
The universal, incredibly powerful capabilities of this architecture caused us to say, "We're willing to put $500 million into a company that has no revenue because on that architecture, we can bring a lot of F5 intellectual property and bring a large bouquet of services. And that architecture is going to serve us for the next 20 years." Now, what you've seen us do since that acquisition is we haven't made other major acquisitions, but where we have seen opportunities to accelerate some service offering on that existing platform, we have done so. Kara mentioned earlier the acquisition of Wib, which is API security, which is immediately going to be integrated into Distributed Cloud as an API security offer. We acquired a CDN company because a number of customers with security want caching, a company called Lilac, we acquired a while back.
Today, Arul and Kara mentioned our data fabric, which is going to ingest telemetry and insights from all these services and leverage AI to really make it way easier for customers to manage their applications. That data fabric came from Threat Stack. It was a core part of why we bought Threat Stack because the DNA was there to do that. So we have done these tuck-in acquisitions, and I would expect that there would be other opportunities to integrate small companies into our growing platform. Now, that's not to say that we may never do acquisitions of the size that we've done before. The space moves quickly. There may be areas in security where we feel we have to buy. We will always do build versus buy analysis. We've been very disciplined at that. We've done a lot of building over the last few years.
I think we've got more building to do. But I never rule out that there may be things where we want a bigger jump, a bigger leap forward that needs to be inorganic.
Excellent. Thank you.
You mentioned partners earlier. How has your partner strategy evolved as the portfolio has evolved?
Well, that's a great question. This has been actually in flight since the NGINX acquisition, right? And so we've done a real concerted effort across the globe to make sure that we're bringing in partners with the right capability sets to take us to market into the right opportunities. And what we've seen over the last number of years is kind of a change of that dynamic, right? And so you've seen the large, high-scale partners throughout each of the globes really acquire technology capabilities so that they can be full-suite offers. So that's number one. Number two is that it's an enablement aspect. And so we've done a very tightly integrated set of offers that is kind of build-buy nurture with our partners in all of the new offers, which is critical to keep them involved in the customers as they go through the buying cycle.
That is something that we've done. So we have purposely rationalized out our partners. We've moved from a business that is largely 5, 6 years ago, a transactional business to a continuous selling motion, right? In that selling motion, you have to have partners that are with you in this continuous selling motion. We've evolved our partner network to do that.
Maybe expand on the role we see for partners as we move into SaaS and managed services.
Yeah. We are a partner-first organization and will continue to be a partner-first organization. In fact, here at AppWorld, we have hundreds of our partners that have flown in from all over the world as well as the ones that are in North America. And the attendance that we already have for taking this on the road is already quite high from our partners and our customer community. And so our go-to-market, they are the route. They're going to continue to be the route. And we're designing our offers to be complementary with that route. And so you will see more of that with our partners that are. See more of that with our partners that are engaging very, very deeply in their own training and onboarding so that they can have a continuous loop of value to the end customers and stay in the engagement along the way.
That is part and parcel to F5. That's our route. We will continue to embrace that even with the SaaS-based offers.
You said it earlier, Chad, but I think it's worth repeating that when we look at the hundreds of customers that are already on Distributed Cloud, over half of them are opportunities that were initiated by our partners in the field. We are actually quite happy with the way that our partners are embracing the new value proposition. We've put the right incentives in place for them to be rewarded with these new models. We think that's going to accelerate with more integrations going between BIG-IP, NGINX, and Distributed Cloud.
I've got one more from the web. Given your commitment to return cash to investors, have you considered instituting a dividend as opposed to sticking with share repurchases?
Would you like me to start?
Yes, please.
We have talked about it at the board level, but still believe that with the current laws that are in place, cash is the most tax-efficient way of returning capital through share repurchases. Having double taxation on the dividend is not necessarily the most efficient way of returning capital to our shareholders. That's why it's been a primary focus of ours. That's why we continue to look at share repurchase as opposed to dividends.
Questions from the room?
I do have one more just for Frank. And again, I don't want to turn this into something you don't want to disclose or more financial focus. But your commitment to double-digit EPS growth is obviously everyone appreciates that. But when we start thinking about the cash flow side of things and free cash flow, you talked about the term renewal-based compounding and becoming a lot larger. Are there any guardrails to think about how your free cash flow margins can scale from here and where a steady state would be? I mean, is it appropriate to look back in time and say, "That's where we should benchmark our free cash flow margins," say, in fiscal 2026, 2027, 2028? Any kind of guardrails you would put around that?
Yeah. We have not guided to free cash flow. And so I'm a little hesitant to sort of get into a longer-term outlook, Ray, on what that means. It is a critical focus of ours. We do have dynamics with the terms where revenue is upfront and cash comes in in the back. And so that's just going to be a natural course on how the model evolves. Eventually, that will level itself out, as you said, as more and more gets to a normalized state in that regard. Also, it will get more normalized when the SaaS component of the revenue base grows to be a much more significant contributor than the 7% it is today. And so I do think we're maybe in that time frame where you're starting to see a normalization rate.
But we will have some fluctuations until then, just given the dynamics of term and when revenue comes in versus cash collections.
Thank you.
Yep.
I have one more from the web. You've quantified the growth you've seen in Distributed Cloud in the customer base. Can you add some qualitative color to what you're hearing from customers?
Yes, of course. Do you want to chat?
Go ahead and start.
Okay. All right. What are we hearing from customers? So number one is the vast majority of customers who have started using Distributed Cloud today use it for security. And Kara mentioned that actually, a good proportion of them only have one or two services of a much larger security bundle. What we're hearing from them, probably the most resounding feedback is ease of use, is you have made it way easier for us to create and deploy policies, to secure applications. We've had a lot of customers who were under attack, and within hours, the attack was stopped. Their applications were fronted with Distributed Cloud, the fact that it streamlined their operations and have more time to do other things. So making things easier was the goal.
And the feedback from customer is you have done that, which is what also gives us the confidence that once they start using a service and they see how easy it is to use the platform, they are going to use the next service and the next service. And perhaps that's the other thing we're seeing from the early customers is when we're starting to see them vote with their wallet in their use of it. So we've seen early customers, meaning those who started with Distributed Cloud in fiscal 2022 and maybe signed up for a one-year term. And we've had a number of them who, six or nine months into the term, come, and it's a substantial expansion because they want to put more application in front of Distributed Cloud, or they want to expand the services that are in front of it.
I would say ease of use and security efficacy are today the two probably big points of feedback from customers.
Yeah. And I would say the ease of use has really been a fantastic pivot to the expansion. In fact, as early as we are in the process, the customers that are growing the services is a significant portion. It's double digits that every single quarter are expanding the services. And it's because they're becoming familiar with what's available and how easy it is to use. So if they start out with just a web application-type firewall use case, they'll extend it into API. They might extend into DNS. And that's what we've seen is because of ease of use.
Well, thank you all for joining us here in San Jose or dialing from a number of other places and spending the last couple of hours with you. We hope we've given you more insights into our strategy, the evolution of our product portfolio, what's driving that evolution, what we're seeing in the market with the challenges that large enterprises are facing, and continue to build on our confidence and hopefully sharing with you our confidence that our double-digit earnings growth journey and mid-single-digit double revenue growth is durable and will be fueled by all of these developments in the market and in our portfolio. With that, thank you very much. We will close the webcast.