Thanks for joining us for F5's Analysts and Investor Meeting. I'm Suzanne DuLong, F5's Vice President of Investor Relations. We're really glad you've chosen to spend part of your day with us today. We have a packed agenda for you, featuring leaders from our portfolio and go-to-market teams. We also have a customer spotlight, and we'll wrap up with a Q&A session. Today's presentations will be available in the archive on the IR section of f5.com following the conclusion of today's event. Our discussions today will include forward-looking statements. These include words such as believe, anticipate, expect, and target. These forward-looking statements involve uncertainties and risks, which could cause our actual results to differ materially from those discussed or implied today. Please see this slide for the details or view our SEC filings. We will also use non-GAAP metrics during our discussion today.
Please see the appendix of the presentation for complete GAAP to non-GAAP reconciliation. Finally, we have no duty to update any information presented today. Again, thanks for joining us. Now, it's my pleasure to introduce our CEO and President, François Locoh-Donou.
Good morning or good afternoon, everyone. Thank you for being with us today. I am so excited to be able to address you as part of our 2020 Analysts and Investor Day. When we were in this forum two years ago, I laid out a vision for the transformation of F5. That vision was anchored in the belief that the world of application was about to undergo a massive revolution and that F5's strong industry position and our highly talented team would put us in a position to lead in this new era. Two years ago, I shared with you our strategy to transform F5 into the leader in multi-cloud application services, what we knew would be a criteria to compete effectively in this new era, and I am pleased to report that we have already achieved that important strategic objective.
Today, F5 delivers value to our customers across public cloud, on-prem environments, containers, private cloud environments, and anything in between, and our reach, our role, and our relevance has never been higher, and so, with that enhanced competitive position in both traditional and modern applications, we have unmatched insight into what our customers need next, and we can move decisively to pioneer the future of applications, and so, building on that strategic vision, I'm really excited today to share with you the next phase in our transformation journey, which is Adaptive Applications. Our customers today need to deliver these amazing digital experiences to their end users. That has become table stakes, but the underlying infrastructure that they have is complex, it's vulnerable, it's fragile, and so, that structure is simply untenable.
Now, applications are the lifeblood and DNA of F5, and as a result, we have been able to anticipate this shift and make the right investments to position us to be the ideal partner to solve this critical customer challenge. Adaptive Applications are going to create enormous value for our customers in the years ahead, as well as a significant growth opportunity for F5 in what we expect to be a $28 billion addressable market by 2023. Now, at the onset of this journey, I pledged to you complete transparency on our performance. And in the spirit of that transparency, I want to go back to the objectives we set at our March 2018 Analysts and Investor Day. And I'm pleased to report that we have overachieved in the areas of total revenue growth, software growth, software mix, and subscription mix.
This outperformance reflects an accelerating transition to a software-driven model, and the financial benefits of this strategy are going to be significant, but specifically, better quality top-line growth, driving sustainable double-digit earnings per share growth. Through this strategy, and specifically in the last couple of years, we made the choice to make deliberate investments organically, as well as two mission-critical acquisitions. In the short term, these investments put near-term pressure on our operating margins, but these investments have already started driving material returns in our business, and as a result, you're going to see our operating margins expand back up. I want to say a word about our systems business. Our systems business did decline faster than we originally anticipated, largely driven by the same forces that have propelled our software business to new heights.
And ultimately, with F5 exceeding in software mix and software growth, you're going to see our top line accelerate as the hardware declines moderate. Now, let me turn to the proof points of our strategy that point to we have reached an inflection point in our business. First, software transformation. Our software transformation is ahead of schedule. We have completely transformed our BIG-IP software franchise. And when you combine that with a successful integration of NGINX and Shape, we are already seeing improvements in the organic performance of our software. Second, we have also transformed our security business, and we are now the second largest application security business in the world.
We have totally transformed our organic security business, and with the addition of Shape, we have doubled our addressable market, and we're now the only company in the security space that can both protect application traffic and how an application is used. Third, when you look at a high mix of subscription software and you combine that with a stable and profitable services franchise, we have built a high-quality base of recurring revenues that will fuel future earnings and earnings growth. And lastly, our business is at an inflection point. We are on track to deliver sustainable double-digit EPS growth in our original 2018 timeframe. Ultimately, we measure the success of this transformation in terms of earnings and earnings growth. And this year, we are introducing the Rule of 40 as a benchmark to guide this transformation.
As more and more of our business becomes software, we feel that the Rule of 40 is the right guiding principles to balance or manage the interplay between growth and operating margins in a disciplined way, and when you combine that operating discipline with a very robust capital return program, we are set to deliver very strong shareholder returns starting in our Horizon 2, so as you can tell, I am very proud of what we have achieved over the last couple of years. It is clear from all the signals that we have reached an inflection point, and I believe the best is yet to come for F5 and our investors, and with that, let's get into the story. There are a few things I want you to take away from my presentation today.
I'm first going to share with you what our customers need to do in terms of engaging their users with these amazing digital experiences and why Adaptive Applications are so critical to their business. I'll then explain how F5 has transformed and positioned itself to lead in this new era with a unique combination of security, delivery, and analytics assets. And lastly, I will share with you the progress we have made on our transformation into a software and software subscription business and the data points pointing to an acceleration in the growth of our top line. And when you combine the way we've positioned the company, the addressable market we face, and the data points we're getting around the success of this transformation, we're not only positioned for, but absolutely committed to delivering sustainable double-digit EPS growth through our Horizon 2 and well beyond that.
Let's start and look at the type of experiences that we expect as consumers today. There are a few born-in-the-cloud large technology companies that have truly redefined the bar for application experience for consumers. Think about how you research your next purchase or how you access your financial and healthcare information today, or whether you are willing to wait very long when an application is slow. We, as consumers today, expect our digital experiences to be real-time, to be personalized, to be globally available, to be always on, to be intelligent, and most importantly, to be secure. And achieving that for a few large tech companies with all the resources is feasible, but for nearly every other enterprise, it's nearly impossible. And so, let's look at the complexity that sits behind the experiences that we have on our mobile devices.
And I'll start with, from the right of this diagram, looking at the digital experience that an end user has on their device. The front end of that experience is now commonly delivered from a public cloud. That experience typically will use services that are cached at the edge, such as ads or videos or photos. But the rich data that populates this experience, such as your transaction history or inventory levels or pricing, are typically in an app, like a CRM app or an ERP or a line of business application that is sitting on-prem. And so, you can see that experience traverses multiple environments.
Now, I want to zoom in on the financial services industry, for example, one of the big verticals for F5 and one of the quintessential digital experiences that all banks really want to offer is mortgage loan processing, but offering that on a digital basis. So, if you look at a mortgage loan processing application as an example, the front end that personalizes that experience is typically a modern architecture that's delivered from a public cloud. There are API calls that are made to the edge environment to surface a customer's credit score, and yet another set of API calls that are made back to a mainframe on-premises that will surface the customer's debt ratio. And all of that has to come together in a composite, elegant experience at the device.
Now, along the data path of that application, in each one of these locations where some elements of the application are, there are application technologies that are required to secure and deliver the app. These are the types of technologies that F5 leads in: application security and application delivery. Things in application security, it's things like web application firewall, anti-fraud, anti-bot technology, or denial of service technology. In application delivery, things like load balancers, ingress controllers, or API gateways. It's important to note, though, that the required application security and delivery technologies for traditional and modern applications are different and have evolved differently over time, and as a result, when you look at our customers, F5's customers, looking to build an end-to-end digital experience for their employees or their customers, they are using a different set of application security and delivery technologies across the different environments of this digital experience.
And that inconsistency creates significant technical and operational debt. Let me get into some of the examples of that. Firstly, those technologies are typically managed by different teams, and the handoffs between these teams are largely manual. And so, troubleshooting these digital experiences requires a lot of human intervention. And importantly, when you're trying to scale an application, because the modern digital experience increasingly has to be more dynamic. And if you're trying to make a lot of changes to an application in a day, and you're trying to do that across a large amount of services that make up that application, it's impossible to do that with an environment that is largely manual and requires a lot of human intervention. And so, these digital experiences today, because they are stitched together manually, are not scalable and are not dynamic.
Second issue is that the attack surface for these digital experiences has increased greatly as the applications become more distributed. And yet, at the same time, attackers are more focused on attacking applications because that's where all the value is created. And so, the sophistication of application attacks has increased greatly. And when you combine these two effects, there is a looming crisis on application security that makes these digital experiences extremely vulnerable. Lastly, you would want to have, for an application owner, end-to-end visibility into the performance of an application or the experience that users are having on that application. But unfortunately, a lot of the telemetry, the data that is in the application path, is trapped in each of those silos, and therefore, application owners do not have end-to-end visibility or insights into what's happening in the application in real time.
And all of these are challenges that our customers are facing today. And so, you'll look at the digital experience they have to deliver is table stakes, but what lies beneath is complex, it's vulnerable, and it's fragile. And so, our vision for Adaptive Applications is really visioning a world where our customers, not just a few large tech companies, but all enterprises around the world are able to deliver these amazing digital experiences. And what it takes is really applications and application portfolio that will adapt to their environmental changes on their own and in real time. We envision applications that automate redundant processes for greater efficiencies and eliminate a lot of the manual handoffs and the human intervention to be able to dynamically scale or change aspects or attributes of an application.
We envision applications that are securing all points of vulnerability along the chain and making changes to their security postures as the types of attacks change over time, and they're able to do that on their own by leveraging the right signals in the application data path. We envision an application that is able to expand and contract to respond to user needs, either geographically or user needs at a point in time, and is able to do that dynamically, and lastly, we envision applications where application owners have a lot of insights around the performance of the applications and therefore are able to modify an application based on these insights to increase the value that an enterprise gets from its applications or simply remove friction from the user experience. All of these aspects make up what we see as Adaptive Applications in the future.
Now, we have looked into the requirements for building Adaptive Applications, and we have identified four key requirements that will enable Adaptive Applications over time. The first is simplifying traditional app delivery for multi-cloud. Traditional applications are notoriously expensive to refactor and complex to migrate to public clouds, even though Adaptive Applications require that these traditional applications be able to live in software-first environments, whether it's private cloud with more automation or even public cloud. Doing that has been historically very complex, and simplifying that will accelerate the move to more dynamic and Adaptive Applications. Second is enabling modern app delivery at scale. Modern applications are more flexible, they're more dynamic, they are typically highly distributed, and the issue is deploying and delivering these applications at scales today requires very sophisticated skills and people who can use very sophisticated tools.
Making that available to more people by simplifying these tools or the use of these technologies will enable modern applications to be delivered at large scale and, again, accelerate the path to Adaptive Applications. We also have to secure every application anywhere, regardless of whether an application is in a public cloud or private cloud or on-prem, having the right security posture and adapting that security posture dynamically to deal with changes from attackers. And lastly, we want to unlock the value of application insights such that application owners can dynamically improve the experience that users have of their applications. And all of those requirements will be delivered and enabled by multi-cloud application security and delivery technologies.
So, we've looked at what's required to enable Adaptive Applications, and now I want to talk about F5 and how we have positioned F5 to lead with the assets that we have assembled as part of our portfolio. Now, before going into the next phase, I do want to spend a little bit of time in the past, but specifically to share with you that our core purpose has always been about solving our customers' most important application challenges. And as we evolve as a company, our core purpose will remain the same. So, if you go back to the late 1990s when F5 came to market, our customers were really the dot-coms, and their biggest application challenge was scaling their websites.
And so, we pioneered a technology called load balancing that allowed the dot-com to load balance these servers that were serving these web pages, and indeed, we solved their biggest application challenge. In the early 2000s, the dot-coms went away. F5 made a strong pivot to the large enterprise and service provider market, and their biggest challenge at the time was they had mission-critical applications that were starting to face the web, and they needed to scale and secure these mission-critical applications. F5 evolved and responded, and we solved their biggest application challenge by pioneering application delivery controllers that had the programmability components and the security components that were appropriate for addressing our customers' challenges at the time. And today, our customers' most important application challenges are evolving again, and it's about scaling, securing, and AI optimizing traditional and modern applications, effectively enabling these amazing digital experiences.
F5, as a result, is evolving to become a multi-cloud application security and delivery company. So, let's get into how we have managed that evolution. Two years ago, at our analysts and investors meeting, I shared with you that we intended to expand our reach into modern applications, but also expand our role beyond application delivery and into security and analytics. And over the last couple of years, we have done exactly that. So, if you look at where we were three years ago, we were primarily in application delivery for traditional applications. Now, we have done a lot of transformation in our BIG-IP franchise to enable and simplify the app delivery for traditional applications in multi-cloud environments.
That involved doing a lot of work on orchestration and automation and API-first environment, making our technology easy to consume in private cloud, making it easy to consume in public cloud, building all the subscription and commercial models that allowed our customers to consume our software with a lot less friction, and in doing so, we have simplified app delivery for multi-cloud environments and will continue to do so, but we have also extended our reach, both with organic developments and with the acquisition and successful integration of NGINX. We have positioned F5 to enable modern app delivery at scale, and we are now effective and relevant in modern application environments, specifically container-native application environments, whether they be in private cloud or public clouds. We have also extended our role specifically in security.
With the addition of Shape, we have doubled our addressable market in security, and we are the only company today that can protect the data and logic of an application as well as keeping an application secure and keeping an application online, and we have further extended our role, and we are in the early innings of that extension, leveraging the analytics and AI engine from Shape, feeding all of the telemetry that F5 gets as part of being in the data path of millions of applications and leveraging that telemetry and these analytics capabilities to provide insights to application owners that allow them to get more value from their applications or enhance the experience of their applications.
And so, when you look at what we've done over the last three years, we have now positioned F5 into a Total Addressable Market that is $28 billion, and specifically in front of a fast-growing market in modern applications, in security, and in application insights. Now, everything I've talked about really relates to the transformation in our portfolio and our technology strategy. But bringing Adaptive Applications to life is also about expanding our reach to new buyers and having the right conversations inside of the large enterprises that trust F5 on a daily basis. And so, we have completely recast our go-to-market approach to capitalize on this opportunity. And specifically, we have taken five important steps to recast our go-to-market approach. We have expanded our reach, of course, with security buyers, and we had already started doing that five years ago, but it has accelerated both organically and with Shape.
We have accelerated our pivot to software and subscription with the right incentives in our sales teams and the right commercial models that allow our customers to move to these OpEx models. We have done deep integrations with our public cloud partners on the technology front, but also in go-to-market activities and increasingly in joint product innovation. Where appropriate, we have enhanced our vertical specialization in areas like financial services or technology or the service provider space. And lastly, we are increasingly leveraging AI and data-driven models to target our offers and increase the productivity of our sellers. And so, you'll hear more about these five steps later on today. But when you look at what we've done in our go-to-market, we have now an opportunity to reach new buyers increasingly efficiently.
Now, the benefits of all this work are already visible in the acquisitions that we've made and the momentum we are seeing with both NGINX and Shape, so if we look at NGINX, we made that acquisition only 16 months ago, but we have already doubled the revenue. We have significantly increased the average deal size and grown the number of paid subscription customers, but I want to pause there because we also made some very deliberate decisions in the integration of NGINX. At the time we made the acquisition, we could have immediately focused on delivering cost synergies and cutting in the product investments, and we deliberately made the decision to not do that, but rather invest rapidly in product integration and product innovation so that our customers could see benefits from the combination of the two organizations much faster.
As a result, we have delivered new propositions to our customers, such as security on top of NGINX, more app visibility and management, and the NGINX Controller that allows modern applications to be deployed at scale in a simpler way. These innovations are accelerating the monetization of the platform. The great news about the decisions we made is we've already made all these early investments, and now we're seeing an acceleration of the top line, and we do not have to grow our OpEx linearly with the top line, and we're seeing significant operating leverage to come from NGINX. Now, the same is true, and we took exactly the same approach with Shape. Of course, the work we did on the go-to-market created growth in our ARR.
We saw 44% ARR growth only in the first eight months after the acquisition, increase in deal size, addition of new customers, but we also took the same approach about doubling down on innovation velocity. As a result, Shape has already launched two new products, but equally importantly, we've already delivered to our customers fast integration between the Shape portfolio and BIG-IP and Silverline from F5. The result of that is it is easier for F5 customers to see the value of Shape and consume the value of Shape with a lot less friction than if they were not part of F5, and that accelerates the top line for Shape even faster, and having made these investments early on, we're seeing the same operating leverage happen with Shape, with fast growth on the revenue, not commensurate with growth in OpEx.
So, those are early momentum on NGINX and Shape, and we made absolutely the right decisions to drive these investments early and now get the operating leverage. With that, I want to talk about the data points about the pace of transformation in our business and how these data points point to top line acceleration. When I look at the total transformation of F5, there are really three indicators that I look at and encourage you to look at, indicators of our long-term success. One is, of course, our software transformation, transforming the majority of our product revenue to come from software. Second is not just transforming to software, but becoming a software subscription business, and our target is for more than 80% of our software business to be subscription in time. Third, and equally importantly, is operating discipline.
As more and more of our business becomes software, we are using the Rule of 40 as our guiding principle to manage the interplay between growth and operating margins, and those are the three indicators that are going to deliver double-digit EPS growth over time. so, let's look at our software transformation. We have transformed our business at unprecedented pace over the last three years. More than 35% of our product revenue is now software, having grown at a rate of 44% over the last three years. but equally importantly, we have also transformed our software business to become a subscription business. and so, more than 70% today of our software business is actually subscription.
Now, I want to point out that those two aspects of our transformation, moving to software and moving to subscription, are really driven by the types of consumption models that our customers want as they start to move more and more of the traditional applications in multi-cloud, as they adopt more and more modern application architectures, and as they adopt more and more of security for their applications from F5. So, this business model transformation is absolutely a reflection of our execution of this vision of Adaptive Applications on the portfolio. Let me share with you more data points about this transformation.
We today have several thousand customers that are consuming F5 in the public cloud, and our public cloud business this year was greater than $100 million, having grown even faster than our software, and we expect our public cloud business to continue to do so as more and more of our customers adopt these multi-cloud environments, both for traditional and modern applications. Security is an absolutely critical element of this transformation. I shared earlier that we had become the second largest player in application security today, and we are a player at scale. More than $750 million of our revenues today are security.
Now, that includes standalone product security revenue, security product revenue that are attached to an ADC sale, so these are security bundles that are sold along with ADC, and then the service revenue that is attached to all these product sales is the third component of that business that has continued to grow faster than F5, so application security, absolutely core to our focus, and now a very significant portion and growing of our business. The third area I want to address is operating discipline. Now, I want to share with you there's a lot to digest on this chart, and so I really want to focus on the left-hand side of this chart, really looking at what's happened over the last three years, and I said we made some deliberate investments. We made deliberate investments to the tune of $230 million annualized to transform our business to software.
And that was a combination of accelerating organic software transformation, things I've talked about, orchestration, automation, virtual ADCs, moving to subscriptions and utility, and expanding our security portfolio, but also accelerating these inorganic investments with the acquisition and integration of NGINX and Shape. Now, we knew upfront that we needed to make these investments, which is why we started very early on some cost reduction initiatives to offset a portion of those investments. And we offset about $100 million of these investments with cost reduction initiatives that I will come to in a second. When you look at the balance of these investments versus the cost savings, we had a net negative impact on our operating income of about $130 million, which is why our operating margins have gone from 36% a couple of years ago to about 30% in our last fiscal year.
Now, if you turn to the right-hand side of this chart, and the great news about us having made these deliberate choices about making these investments early is we now find ourselves in a position where we do not need to make a lot of incremental investments, and yet the savings from the cost reduction initiatives that we started two years ago continue to grow, and as a result, we expect to gain operating leverage over the next few years and return our operating margins to the mid-30s over the horizon, so if I spend a little more time on the cost reduction initiatives, I said they have delivered over $100 million in annualized savings over the last three years, and we expect an additional $150 million over the next few years.
I will not get into all of these cost savings, but I will share with you that we have driven cost savings initiatives in every single area of spend at F5. Perhaps the biggest and most visible example of that is how we have rebalanced our resources around the globe. Three years ago, less than 5% of our resources were in low-cost locations. If you look at R&D and IT specifically, we have more than 30% of our resources today that are in low-cost locations, and we have looked at that across functions. In addition, we are also starting a set of new cost savings initiatives that will help us achieve the additional $150 million, including leveraging AI and automation to improve the productivity of our go-to-market effort and the productivity of our sellers.
And of course, probably like other companies, re-looking at our facilities cost in a post-COVID world and finding more savings there in our operations. So, you look at those three indicators and this operating discipline, and it drives our guidance for Horizon 2. And the bottom line of our guidance for Horizon 2 is that we are going to deliver double-digit EPS growth throughout Horizon 2. We also intend to reach the rule of 40 inside of Horizon 2, and that's driven by a couple of components. So, if you look at our top line growth, it's accelerating from 3%-5% in the FY 2018-FY 2020 to 6%-7% in FY 2021, FY 2022. So, where is that acceleration coming from?
It's coming from continued very strong growth in software, 35%-40%, and we have a lot of confidence in that growth because we have now built a broad base of subscription business, and we are starting to see this flywheel turn with a lot of momentum around renewals and True Forwards and expansions in a software subscription business, so we see strong growth in our software business. We also see the systems growth, or decline rather, which was in the double digits in the second half of 2019 and the first half of 2020. We have seen that growth moderate, and we expect to see it to continue to moderate in large part because an increasing portion of our hardware business is in fact security.
And when you combine those two factors with a very stable services business that we expect to continue to be in the low single-digit growth, we have a lot of confidence in our ability to deliver this acceleration on the top line. Now, you combine that with the operating discipline I mentioned and the operating leverage we expect to see from growth, including and combined with the cost reduction initiatives, we intend to expand our operating margins going to 32%-34% in FY22. So, when you summarize the three key indicators of software transformation, software subscription, and this operating discipline leveraging the Rule of 40 in our model, we are absolutely committed to delivering double-digit non-GAAP EPS growth throughout our Horizon 2. So, we've covered Adaptive Applications.
I've shared with you that all businesses now will need to deliver these amazing applications that engage their end users, and we call them Adaptive Applications. I've shared with you the work that F5 has done to position ourselves to lead in this new era, having assembled best-in-class assets in application security, delivery, and analytics, and I've shared with you some data points around the transformation of our business, the pace at which we are transforming, and the clear data points we have, giving us a lot of confidence in our top line growth acceleration, and when you combine these factors, we are not only positioned, but we are absolutely committed to delivering sustainable double-digit EPS growth, both in Horizon 2 and well beyond that. Now, before I turn over to the next part of the agenda, I want to talk about two other aspects of the strength of F5.
And the first one is our culture. Our culture is truly a core strength of the company that has made our past success and will make our future success. We cherish a few core behaviors, like helping each other thrive. We have a very collaborative culture at F5. We are very focused on our customers, and we call that obsessing over our customer needs. We are owners. We work every day to make F5 more agile, and we also work every single day to create a more diverse and inclusive F5. Those are behaviors that F5 employees have embraced and cherished and live every single day, and we live them in the context, all in the context of doing the right thing for each other, for our customers, and for our shareholders.
Now, this culture that we value so much at F5 was truly tested in 2020 because of the very difficult macro environment and, of course, the global health crisis. And I could not be more proud of how the F5 team stepped up, first for our customers, enabling tens of thousands of people around the globe to work remotely, but also focusing on our customers on the front line, our nonprofit partners, our healthcare customers, and our customers in education, and putting everything aside to make them successful. And then I'm also extremely proud of how F5ers have helped each other through this very difficult period. And our culture will be a very strong asset for us to continue to grow and prosper as a company. I also want to talk about our team.
One of the things that gives me extreme confidence in our future success is the exceptional quality of the F5 leadership team. Now, this is, of course, a team that has the right skills and domain expertise in terms of modern applications and traditional applications and security and fraud and go-to-market techniques and digital transformation. But it isn't just about their skills and experience. This is a team that is absolutely passionate about this transformation, that is committed to delivering on this promise to our customers, that is energized and energizing F5ers to deliver on this transformation. And so you will see some members of the team, but not all today, and I want to introduce our agenda with these members of the team in action.
The first four presentations that you will see today, Kara, Gus, Sumit, and Shuman, will really talk about the four requirements of Adaptive Applications and what F5 is doing specifically in these areas of traditional apps, modern apps, security, and application insights. Chad Whalen, Mika Yamamoto, and Tom Fountain will take you through the changes we have made to our go-to-market to reach new buyers more effectively, to transform our business into software, and how we're leveraging Customer Success as a new muscle at F5 to accelerate our software subscription business. Lastly, our CFO, Frank Pelzer, will share more details about our financials as well as our framework for capital allocation going forward. With that, I am now going to turn it over to Chad Whalen, our Executive VP of Worldwide Sales, who has the pleasure to welcome Mike Hughes from Target. Thank you so much.
Thank you, François. I'm pleased to have Mike Hughes join us today, who's been an industry executive in IT and infrastructure for many years, to come in and have a conversation not about what he's currently doing necessarily in his current capacity, but what he's seeing in industry trends that are with us. So, Mike, do you want to join me to the stage here?
I appreciate it. Thank you.
Yeah. Well, before we get started, why don't you tell us a little bit about what you're currently doing and a little bit on your journey? Sure. So, it's been an interesting about 20-ish years.
I don't want to date myself, make myself feel a little bit too old here, but about 20 years now that I've been working in the IT industry across a variety of disciplines, anything from infrastructure, currently for the last about nine years in the security space, just kind of a broad area and overview. I'm presently with Target Corporation today. I run a swath of the security engineering group for them, which is a fairly large portion of the organization dedicated to a number of solutions to serve Target's guests as well as our users.
Oh, fantastic, well, thank you for affording us this time. We're looking forward to getting some of your insights, so can you talk to me a little bit about what's going on from a transformation?
Many of our companies are going through that, and I'd like to get a handle from you on what the scale and what that journey really looks like from a technology leadership perspective.
Yeah. You know, it's been an incredibly interesting year, so you think about, we all had a normal journey planned for 2020. Obviously, the COVID thing is foremost on everybody's mind, so when we think about what's changed across the industry in scale, for us, the pandemic has had some winners and losers across the industry, and it's met some really interesting scale challenges for Target. We've talked a lot about the fact that our user base or our loyalty base has grown by over 10 million members in the last quarter. Our online sales are up close to 200%. Drive-thru pickup is up almost 700%. These are digital scale challenges that nobody anticipated coming into 2020.
Oh, without a doubt. Can you tell me a little bit about how you're dealing with the capacity planning for that? I mean, the notion of seasonality is no longer with us. Has that posed new challenges for you?
You know, it's been really interesting. We like to talk about the scale that we do business at. Now, obviously, anybody could read our earnings and see what we're talking about in those places. But we have now moved to a period wherein which those peak mountains that we used to have over the course of the year, those have really turned into the new norm, that new plateau. So, the challenges that we used to face were we'd say, "Okay, November, December, massive onslaught of sales," that's now become a lot of the new norm across the digital platforms because people are buying their groceries online, they're buying their durable goods online, their makeup, and things of that nature.
Oh, fantastic. Becoming an online business, I'm sure you've seen this in your time in IT. You know, can you talk to us a little bit about what's different over the last 10 years, going from kind of the physical premises now specifically into public cloud and what you see that as kind of directionally what you guys are doing moving forward?
You know, it's been really interesting. I've had the opportunity to work for a lot of iconic brands throughout my career. And one of the things that's been incredibly interesting is to see how people have approached public cloud, have approached scale, and things of those nature. That's really been the last 10 years, right? So, you have these companies that in some instances are, "I moved my thing to the cloud, and therefore I'm in the public cloud now," right? I just picked it up and I set it down and I moved it. But you're also seeing companies that are becoming and evolving towards tech companies. I would say that's where we are at Target today. We consider ourselves to be a technology company at the same time as a retailer, where we're not just moving our workloads, we're moving them in elastic and scalable ways.
So, we're taking advantage of the things that the public cloud platforms offer us, both from a scale perspective, but also from a cost and footprint reduction perspective when that scale isn't needed. So, that's been a lot of the last 10 years. And I think people, the winners are starting to be differentiated by people that can look at the problem in the notion of digital scale, which is a lot different from the notion of how we scaled when we were in physical data centers.
Oh, that's a great point. You know, public cloud is a strategic tenet for us at F5. And so getting your insight on really using it for that elastic capabilities and bursting capabilities makes a lot of sense. Can you give me an idea of what the scale of what you deal with and kind of a pseudo-peak type moment?
Yeah. So, you know, as we look through the holiday periods and as we would normally traditionally scale up, we would be looking at the hundreds of thousands of transactions per hour type of volume. And that's the type of scale that we would like to see across our platforms, not for the sole reason that we're going to consistently run at those volumes for 45 days, but we're going to burst into those volumes. We're going to have periods where we really grow and where we really scale into those volumes. So, when we think about it in that context, that's a lot of what we're talking about.
Okay. Fantastic. You know, you guys have had lots of partnerships with technology vendors, not unlike ourselves. Is there anything that you would recommend to us to maintain kind of our ability to work with you as you're developing your partnerships when you're venturing into these new arenas with public cloud or the like?
Yeah. It's been interesting. So, obviously, F5 is an iconic brand in the tech space. Consumer-wise, most people aren't going to be there, but if you're doing technology, people certainly know who F5 is. It's been really interesting personally watching the last probably four years right now because I knew what F5 was five years ago or four years ago. I certainly knew the capabilities of the BIG-IP stacks and those types of things. But then I started to collide with F5 acquiring things that I had bought as best of breed, right?
So, one of my prior companies, we were using Silverline as a DDoS protection service and a forward proxy service for us. F5 comes in and acquires it. It's like, "Okay, well, they were best of breed here and I had a best of breed here. Now they've acquired that." And that was kind of an interesting thing. And then more recently, there was the NGINX acquisition, which certainly exists in most of our platforms and has for a number of years. And then your most recent one was Shape Security, which I was lucky enough to be their launch customer about five years ago. So, I keep saying these best of breed solutions being acquired by F5.
What's really intriguing for us as we look at partnerships, you know, really in Target as we try to figure out how to do these things at scale and do the technology. We look for engineering organizations that can partner with our engineering organization where we can share that next-level understanding of the technology and where the industry is going. And as we do that, F5 has slowly, through these best of breed acquisitions, become a go-to partner, which has been really interesting.
Well, Mike, that's a fantastic insight for us. And that's part of what we're doing is we're continuing to expand our portfolio. You mentioned these deep technology engagements, which to us is critical. I mean, the closer we are to you to understanding what your requirements are today and what you're designing to, the better it is that we can have the technology roadmap to help you get where you need to go. You know, acquisitions has been a core tenet, but obviously F5 has been around for some time and has tremendous assets in the space of our BIG-IP franchise. When you look across a company like F5 and the different things that we're doing from managed security services with Silverline that you mentioned to Shape Security and now NGINX, is there any insights that you would give us in terms of coming in from a portfolio or consultative point of view across an organization such as yours?
Yeah. So, you know, kind of going back to what I talked a little bit about early on on how people look at going to the cloud, right? I either picked up a thing and I moved it and checked the box, I'm in the cloud now, right? Or you're coming to an organization that's really engineering and building for the cloud. I think that's one of the things that F5 has done a great job in the partnership and as we've moved forward is it's about engineering for the solutions and about buying the components that are valuable, right? So, as these acquisitions have occurred, completely abstract to us, right? We owned all of this technology prior to F5's doing these acquisitions. As you've acquired these things, they actually create an interlocking picture.
So, when we look at public cloud and we look across the industry, it's a really interesting thing in that your systems are now running as code, right? You're no longer buying something and integrating it together. You're no longer doing a singular purchase and buying something from an IBM-esque type operation, right? You're buying multiple systems and bringing them together. And the F5 technologies that have come together through these acquisitions have built a picture around that cloud elasticity and those cloud scaling problems, right? So, be it either through the ability to load balance, core tenet of F5, right? And that is certainly how you do that in the cloud to be able to protect cloud infrastructure like what's happening with the Silverline, or through, say, significant scale challenges for bot attacks, like with what Shape Security is doing. It's all designed to work at that cloud scale.
NGINX just happens to be the underlying web platform that we were all using prior to that to do web services to begin with, right? So, they all tie together seamlessly.
Oh, that's fantastic. And that's, you know, from our perspective, it's about our broadened portfolio from traditional apps to new modern apps in what we call a multi-cloud deployment scenario where security happens to be the tenet that you have to really have that consideration for. And that was just a fantastic answer. So, kind of wrapping things up, Mike, is there any other guidance that you would give to us and my team, right, from an F5 perspective on how to best engage with you moving forward? Yeah.
So, you know, as a company that really prides ourselves on our tech prowess and what we're doing in the industry, you know, we are generally we will build it before we will buy it, right? That's kind of one of our core tenets within our IT and security organizations. I think what has been really successful and what will continue the success is to continue to bring point solutions that solve scale problems that companies can't solve on their own and bring them with an engineering mindset, right? That's what your large companies are looking for. That's what your Fortune 300s are looking for. We need somebody that can engineer problems because we're not all snowflakes, but we are unique, right? And we need to design for those problems and we need to be a little unique in how we deal with them.
And so that's what I would say. I would say come forward with the engineering arm. You know, we've all heard, I get in security, there's a couple thousand new security vendors a year. I don't need a sales pitch. That isn't going to help. But if you bring us an engineering solution and you bring us engineering leadership that can help us walk through problems and challenges together, we succeed.
Fantastic. Well, Mike, this has been very insightful for me. Thank you for sharing all of your insights. I appreciate it. Thanks for the time today. Super. Have a great day.
Thanks, Chad. Hi, my name is Kara Sprague, and I'm the Executive Vice President and General Manager for BIG-IP at F5. And I'm going to talk to you today about how we're simplifying traditional app delivery for multi-cloud environments.
I'm going to share three points with you today, but let me get to the punchline first. The punchline is that we will continue to drive aggregate revenue growth in traditional apps, and to get there, there's three points I'm going to make. First, that traditional apps remain the dominant application architecture for most organizations. Second, the transition that we're seeing from systems into software for traditional apps is accretive to F5, and finally, BIG-IP's world-class application security, along with other characteristics, make it a leading solution across on-prem and public cloud, so starting with the first point, traditional apps remain the dominant architecture for most organizations. Let me describe a bit what's going on in today's application landscape because we see this as a tale of two apps. On the one hand, we have traditional apps, which are defined as monolithic client-server or three-tier applications.
Those include things like maybe your bank mortgage loan processing app, a payments processing engine, electronics, I'm sorry, hospital electronic health records, or Gen1 SaaS platforms, retail inventory management, and service provider 3G and 4G core networks. Those are all architected in a traditional sense. Now, in contrast, you have modern applications. Modern applications are distributed. They're cloud or container native. And examples of those include things like infrastructure as a service platforms. The leading cloud infrastructure as a service platforms are architected as a modern app, as are the Gen2 SaaS platforms. You can also think about content and media distribution platforms, consumer engagement front ends that are used by many organizations, as well as service provider 5G core networks look like modern applications.
It's important to recognize that at a technical basis and at an architectural level, there are these two different types of apps out there. The dynamics behind these different apps are very different. Again, with traditional apps, we're seeing a small number of apps, a relatively small number of apps, so 70 million in 2020, and it's growing moderately, 10% year over year to 90 million in 2023. Now, contrast that with what we're seeing in modern applications. Today, we estimate there's about 670 million modern app instances if you count what are the app instances used by enterprises, both in their own environments as well as in public cloud, as well as service providers. That's growing almost 40% year over year to 1.7 billion in 2023. There's a lot bigger number of those, and they're growing faster.
I'm going to talk today and really focus on traditional apps, and then when Gus comes to talk to us about NGINX and the other capabilities that F5 is delivering in the modern app space, he'll really focus on the second bucket, so in traditional applications, it's important to recognize that nearly every organization today manages traditional apps in addition to a growing mix of modern applications. One stat I'll throw at you is that 97% of respondents to F5's latest State of Application Services Report, so it's thousands of organizations represented across all industries and all geographies. 97% of those are still managing traditional apps. We also found that 76% of those respondents are managing a mix of traditional and modern apps. Now, this makes sense because many organizations are still very early in their adoption of distributed and container-native technologies. Some are still experimenting.
Others actually have proofs of concept out there, and then others might be moving a few applications into production, but in general, what we're seeing is that historically, many organizations have relied on their traditional apps as the fundamental foundation of their IT, and so, traditional apps remain a critical part of an organization's application portfolio. This is because they are generally running the most mission-critical capabilities. Think about it as this way. Organizations, when they started enabling much of their processes using applications and using IT, they chose their biggest, most important processes to automate or enable, and those got architected in a monolithic client-server or three-tier way, and those are the traditional apps, and then that fact makes it also true that it's difficult and expensive to change or refactor those apps now. In many cases, they're doing a really important function, and they're doing it relatively well.
And so, the priority for most organizations when they think about this bucket of traditional apps that they have is operational efficiency. It's how can they continue to keep that application running, keep it available, but reduce the total cost of ownership. Now, some companies, and actually many companies, are really looking at how we can migrate some of those applications to public cloud. And for the reasons I just described, many of them are thinking about doing that in a lift and shift mode, meaning they don't really change anything in the underlying application. And many are also looking at elements that they can modernize, meaning carving off maybe small portions of the app to be container native while leaving large portions of it still running in a traditional architecture. So, we've just described what's going on in the overall traditional app landscape.
Now, I'm going to talk about how this transition from systems to software for traditional apps is accretive to F5. App delivery for traditional apps is transitioning, and we're seeing that transition happen from on-prem systems, so physical hardware boxes that sit in a customer's data center, into software or virtual appliances, and that can be either on-prem software that, again, still sits in their data center, or it can be cloud-hosted software that sits in a public cloud. We're also seeing a model where some of these on-prem systems transition into Software as a Service or ADC as a service, but I won't spend too long talking about that because that's a small fraction of the transitions. Because when a customer wants to do that, generally it requires that they also refactor the application.
I'm going to spend most of my time talking about this move from on-prem systems into on-prem software and cloud-hosted software because that is the vast majority of transitions and does not require customers to refactor any applications. This transition from systems to on-prem or cloud-hosted software for traditional apps is accretive for F5. We get there by looking at the two dimensions of value. We're looking at price and we're looking at quantity. Let's look first at the on-prem systems to on-prem software transition. On the one hand, you have price. When a customer moves from an F5 BIG-IP hardware box to an F5 BIG-IP Virtual Edition, what we see in terms of price is we get roughly 83% the price in software that we do in hardware.
Now, that said, software has a better gross margin than hardware, and so the two are roughly gross margin equivalent, which is why we label price as roughly the same. Now, when we look at the units and the quantity, what happens when a customer moves from their on-prem hardware systems into on-prem software? What happens is they're not moving all of their applications at once. Oftentimes, we have many applications that are hosted on a single instance of BIG-IP hardware. And those applications might move at different times from the hardware into the software or the virtual edition. And so, what that means is that the customer is maintaining their investment in the on-prem systems at the same time that they are investing in a new entitlement for the on-prem software, which is why we say that the quantity is better.
Now, let's look at the other transition from on-prem systems into cloud-hosted software. On a price basis, this is actually an improvement for F5, and we say that because we see higher attach of our security and advanced capabilities into software that is deployed in public cloud, and so, in general, the unit price ends up going up, and then on a unit volume basis or a quantity basis, we also see an improvement there because customers not only see that dynamic of not moving all their apps at once, and so they're maintaining both the on-prem physical systems and the software entitlement, but they might have multiple software entitlements in order for them to run that application in multiple public clouds, and so there we say it's better both in terms of price and better in terms of quantity.
These dynamics that I just talked about are reflected in analysts' outlook for this market. What we see is that analysts are forecasting low single-digit growth in ADC systems and software on an aggregate basis. And so what you see is from 2020 to 2023 is moderate growth, 4%, but underneath the covers, it's a dramatic transition from systems-dominated market into software-dominated market. I'll add also, I mentioned before some of the growth that's going on in ADC as a service. So I'll share here some of the SaaS numbers. There is an exciting ADC as a service or SaaS market that is growing, and Gus is going to address that more when he talks about what we're doing in modern apps.
So the final point that I want to share is BIG-IP's world-class application security, along with other capabilities, makes it a leading solution across on-prem and public cloud. F5 BIG-IP wins in traditional apps, both in an on-prem and a public cloud world, for four big reasons. First reason is around its low total cost of ownership. I've said before, it does not require the app to be refactored. So if a customer is moving or migrating an app from their on-prem environment into public cloud, they don't have to change anything, and they can move that app faster, which generally gives them a higher return on value. A second reason for low TCO is that we offer skill reuse. Customers can use the same capability and expertise that they've built up over time in their on-prem environment in managing their app delivery capabilities in the public cloud.
And so we offer an overall low total cost of ownership. A second big reason that F5 BIG-IP wins is around our world-class application security capabilities. BIG-IP includes capabilities such as web application firewall, API security, distributed denial of service protection. We also include some amount of basic bot mitigation. We also have SSLO or our SSL Orchestrator, in addition to other security offerings, including identity and access management. And so we have a whole array of best-in-class application security capabilities that can be consolidated onto a single BIG-IP instance. And many customers enjoy using that and taking advantage of that because, again, that lowers their total cost of ownership and can also actually improve performance in their network because they're consolidating multiple devices into one. Another reason BIG-IP wins in traditional apps is because of its programmability and configurability.
And yes, here I'm talking about our iRules and also about the sophisticated number of knobs that customers can configure within BIG-IP. This is something that customers really, really enjoy. They've found that is incredibly impactful for them in terms of helping to bandage over issues that they run into with their applications and not having to ask their app development team to reopen an application to fix an issue that happens in the network. And so iRules are very vastly adopted and used for a wide array of very creative purposes. So BIG-IP remains one of the most programmable and configurable offerings that you can use in your network. And then the fourth reason is about multi-cloud deployment.
So BIG-IP can be deployed in all of the leading public clouds, including Azure, AWS, GCP, IBM, Oracle, Oracle, and we can manage deployments of applications across all of those environments using our manageability and automation. So let me share a couple of customer examples to really hit home why customers choose BIG-IP. This one is a media company, and they rely on F5 BIG-IP to scale applications across their on-prem and their cloud environment. What they're doing here is they're migrating some marketing applications that need to be able to support massive seasonality. And so they want the elasticity of public cloud, but they also want the low cost of maintaining a baseline amount of it in their on-prem environment. And so BIG-IP was chosen in this use case because of its consistency across on-prem and public cloud, and also because of its programmability.
In the consistency thing, the customer really enjoyed the fact that they could reuse their expertise that they had honed in their on-prem environment and apply that into their public cloud deployments. In terms of programmability, they really enjoyed the fact that they could use iRules consistently across the two environments, and it gave them much greater power and flexibility beyond what they saw with the native public cloud solutions. This was a big deal for F5 because it was a multi-cloud software deal, and it was consumed as a term subscription. Multi-cloud, it covered both a refresh of on-prem hardware as well as new software deployment in public cloud. The term subscription-based relationship future-proofed the customer investments because they're able to easily transition their entitlements from the hardware into additional software if they need to.
Let me spend a couple of minutes talking about our role in service provider because this is a big vertical for F5 BIG-IP. Now, F5 BIG-IP is deployed today for service provider 4G core networks as well as in their internal data centers and for their internal IT applications. And so you see that many of the top service providers use F5 BIG-IP for both of those use cases. What we're seeing as we move into 5G is an expanding role for F5 BIG-IP. This is because we offer seamless migration from hardware to virtual to containers and cloud. It's because we're the only service proxy in the market that spans both 4G and 5G core networks and offers support for critical service provider protocols. And it's also because we bring our best-of-suite approach here for cloud-native 5G functions, including security.
And as a customer example of that, Rakuten, we've shared publicly, is building their new 4G and 5G core network using F5 BIG-IP. So we've heard Rakuten's CTO talk about what they're trying to do is innovate at the speed of software and scale at the speed of cloud. And they chose BIG-IP to accomplish that. So BIG-IP offers the best-of-suite functions, a lower TCO, as well as deployment flexibility for Rakuten. In terms of the best-of-suite functions, when they aggregated all of their Gi- LAN functions into BIG-IP, they achieved a 60% TCO saving compared to the alternatives that they looked at. The software capability offers them flexibility because they can move between virtual and container-native deployment models across both their 4G and 5G, as well as flexibility in the subscription-based commercial model that we offered.
This was a big deal for F5 because, again, it was another multi-cloud software deal consumed as a term subscription, so it's a strategic win with a global innovator. Rakuten has been a tremendous partner for us and a reference, and it's opening the doors for many similar opportunities, and it's also been a great case study for us in terms of expanding to additional use cases, so we first closed the deal, I think it was Q3 of FY 2019, and subsequently, we've already had multiple million-plus term subscription deals that reflect how strategic our footprint is here and also increasing and long-term investment in BIG-IP from Rakuten, so in summary, I've shared with you that traditional apps remain the dominant application architecture for most organizations. This transition from systems into software for traditional apps is, in fact, a positive for F5.
And finally, BIG-IP's world-class application security, as well as other capabilities, make it the leading solution across both on-prem and public cloud. And what this all nets out to is the important thing, which is that we will continue to drive aggregate revenue growth in traditional apps. Thank you. I'm now going to introduce Gus Robertson. Over to you, Gus.
Thanks so much, Kara, and welcome everybody to AIM. My name is Gus Robertson. I was the CEO of NGINX prior to the acquisition by F5, and now I'm the SVP and GM of the NGINX product group. And I want to spend today with you spending some time talking about how we're enabling application delivery at scale for modern applications. What I want to share with you today is three key areas in which I think we're going to be successful.
Firstly, is we're chasing after a very large and fast-growing addressable market in modern applications. It's significantly more than just the application delivery controller market. Secondly, is that the business that we have at NGINX is very complementary and actually augments the current F5 business around BIG-IP servicing traditional apps. And then finally, because of NGINX's open-source footprint and our strategic approach to simplifying very complex modern applications, we believe we're very well positioned to go win this market opportunity. Let's get into it and have a look at how we're the market size and how we're addressing this market opportunity. First, I just wanted to share with you how modern applications came about. It all started with the large web-scale companies. They wanted to deliver amazing digital experiences over the internet and the public internet.
At the same time, we saw the pervasiveness of smartphones taking hold and broadband being used and Wi-Fi and 4G at the time and now 5G. And through all of these things happening in a perfect storm, these applications became part of our lives and the way that we interact every single day. And as a result of these consumer experiences from companies like Netflix and Facebook and Airbnb and Instagram and LivingSocial and all these other sites back in 2010 timeframe, every single enterprise now needs to be able to deliver experiences that look and feel the same. We call them Netflix-like or Facebook-like experiences. But they don't necessarily have the technical talent of these large web-scale companies. And so they need off-the-shelf tooling to be able to deliver these experiences. And that's where NGINX comes into play.
And as a result of this, we're seeing an absolute explosion in modern applications. While we're seeing still moderate growth in traditional apps, you can see that the growth is primarily around modern applications. And that's the market that together F5 and NGINX were going after here. Modern application delivery is more than application delivery controller. And as you can see here, it absolutely includes additional market areas such as API, API Gateway, and API Management because now you need to be able to authenticate and route traffic using API traffic. It also includes Software as a Service because many companies now are wanting to deploy their applications on the cloud and not wanting to have to manage these software tools themselves but have them hosted and provided as a service. It also includes new application architectures.
Fundamentally, at the heart of these new applications is a new architecture called microservices, and also you can use the terminology service mesh, which is a type of microservice architecture, and with this comes a whole lot of new tooling, so if you look at these markets together in aggregate, there's $3.5 billion of market opportunity today, and if you look at where that grows to 2023, it's growing to $7.6 billion of total market opportunity, and that's a CAGR of 29%, so very significant in size and very fast-growing. Secondly, I wanted to share with you that the business that NGINX is going after for modern applications is absolutely complementary to the F5 business, traditional F5 business, so what changed that caused these modern applications to become so prevalent in the enterprise?
Well, now because of these large web-scale companies and because of smaller startups nipping at their heels, large enterprises are under threat. And consumers are demanding the same experience that they get from their bank that they get from Netflix. They want to be able to take a photo of a check and deposit it. They don't want to have to go into a bank and do it manually. So as a result, enterprises are trying to catch up. They're trying to deliver new modern experiences. And they're having to bring new features and capabilities out every week, every day, and sometimes every hour. And this has caused absolutely a rapid frequency in terms of how we're developing and deploying software. So that change had a domino effect into other areas.
So the frequent changes then meant that we need to be able to deploy these changes on very fast runtime environments. And that's where containers came up as an alternative to virtualization. Containers can be brought up in milliseconds rather than minutes. And to be able to deliver these experiences at scale, we wanted to have unlimited compute resource. And that's where the cloud came in. So now we've got new infrastructure to support this new development model of rapid changes. And to do all this, we have to do it with machines, with scripting, with automation, not having humans in the middle slowing it down. And all of this resulted in a very different architecture. The architecture that we've had for the last several decades has looked like this: single monolith applications where all the features and capabilities were built into the single code base.
And new changes would come out maybe every six months or at most every three or four months because it had to be bundled together and everything had to work together in order for it to be deployed. And BIG-IP was used in front of these applications to help them scale into the many people that are using them, such as particularly the focus area in this timeframe was mostly in employees. Because if you think of that bank analogy, the application that was being used was by the teller to input the check information, not by the consumer putting it into their mobile phone. And so as a result of this application architecture, you had tens of apps, and you had tens of development teams, and you may be deployed in single digits a year.
And the governance of the tooling that you had to use was dictated to you by the company. And these were delivered across private networks, typically WAN and LAN. And you've deployed these to mostly employees, of which you maybe had thousands of. But for customer experiences, those customer experiences were websites that were mostly electronic brochureware. They weren't deep immersive digital experiences. And this is what changed. And as a result, we've seen some fundamental differences.
So if you look at what applications look like today, the architecture has changed from a single monolith into many discrete services within an application, each service being able to deliver a certain feature or capability and be able to scale independently of the rest of the application and updated independently of the rest of the application, which has enabled this web-based experience across the public internet and has been able to scale applications depending on how many users are using the application at any one time, so now we're seeing thousands of these services and apps within the enterprise and hundreds of development teams working on many discrete services or applications, and the changes per year are in the thousands, and the tooling that's being used is not being top-down governed, but actually developer-led.
The developers are bringing the tools that they learned at college that they feel comfortable with, that they can get the job done fastest with. And so as a result, we're seeing a lot of different tools being used in the enterprise. BIG-IP, of course, has transformed with this from hardware to software and more capabilities to be able to deliver across a new network, which is not private, but very public, the public internet, which brings with it its own stability issues and security issues now that you're on a public network. And we're now absolutely focused on customer apps. And digital transformation is all about driving revenue and customer engagement through these immersive digital experiences. So now it's no longer thousands of employees, but it's potentially millions of customers that are using your application. And they're wanting rich digital experiences.
They're wanting to be able to log in, see their data, see photos, see videos, see reviews, see recommendations. They want a complete experience. And for you to keep that customer, you have to deliver it. Because if you don't, a smaller startup will, or a larger web-scale company might. So you have to evolve and compete with this digital world. And so we're focusing very much these applications towards customer and customer needs. And as a result, we're also seeing that the device has changed. It's no longer just a laptop, but you're now having to service mobile devices, smartphones. And smartphones communicate many of these mobile apps via API calls. And API traffic is becoming as much of a problem for many enterprises as is normal HTTP traffic because API calls are not just being used by mobile apps.
They're being used for machine-to-machine traffic internally and to open up services to be able to be monetized externally, so API traffic is as important for many of our customers as normal HTTP traffic, and what we've also seen is through this change of these applications being broken up that the application delivery components that were usually sitting within that monolith have been abstracted out into a per-app tool chain that sits in front of these applications, things like load balancing, API Gateway functionality, ingress into a Kubernetes environment, sidecar proxy to be able to route traffic within that service mesh environment in Kubernetes, a WAF to be able to secure that application.
All of those discrete functions need to still be delivered on a per-service and per-app basis in addition to the role that BIG-IP is playing in front of all of the applications, protecting all the traffic coming into the enterprise and routing all that traffic across many of these discrete applications, so we're seeing that traditional apps are absolutely not going away. In fact, many of these new modern experiences are being built around traditional applications because the data still resides in some of these legacy apps, and breaking those applications into modern componentry is too expensive and often too difficult, and in a lot of ways, these applications are still very tightly coupled into the BIG-IP technology, so we're seeing that modern digital experiences are being built around these traditional apps, and so the NGINX business absolutely augments the traditional BIG-IP business.
And if I bring back the slide that François shared with you earlier around the complexity of location of these applications, you can see how this further exacerbates the problem for our enterprise. They're having to run both traditional apps and modern apps on their own data center or their own private cloud. They're having to deploy and manage apps in the public cloud. And in addition, we're seeing modern apps being built on the edge. And so together with the NGINX business and the BIG-IP business, we can solve for app delivery across both the traditional apps and the modern apps for the enterprise. Also, I want to share with you that through our open-source footprint, we're very strategically positioned to go win this modern application market. If you look at modern applications, the benefits are absolutely clear.
You get these immersive consumer experiences or customer experiences, and you get the business agility to be able to run fast and bring new features to market quickly so that you're not having some startup steal your business, but the challenges are also really clear. There's orders of magnitude more complexity, and because of this many, many more moving parts, it's very difficult to get visibility because every tool has its own control plane, its own vendor that's trying to provide more value around this individual tool, and when something goes wrong, you see a cascading effect of things going throughout the entire application, so where was the original cause of the problem? Root cause has become one of the biggest issues in this modern application environment, and these are the issues that we're trying to solve for at NGINX.
Because if you just look at the Cloud Native Computing Foundation , right, and this further shows you the problem, there's over 1,400 projects and products that developers can choose from that they can bring into the enterprise to go and help them build these modern application experiences, but think about that from an IT ops perspective, trying to manage these, govern them, make sure they're up to date, making sure there's no security vulnerabilities. It's a massive problem, so this is how we at NGINX help our enterprise customers with modern applications. Firstly, at the data plane level, we have a very lightweight footprint for our data plane. It's 200,000 lines of code or less. It's two megabytes of footprint, and it takes on multiple personalities. It can be a load balancer. It can be an API Gateway. As I said, it can be an ingress into Kubernetes.
It can be a sidecar in Kubernetes. It can also be a WAF. And so we've extended the open-source capability to all these additional personas that you can get if you buy our commercial offering. And through that, you can reduce the amount of complexity and tools that you need to deliver and bring modern applications to your customers. In addition to our data plane, we've brought a control plane that manages all of these personalities or use cases across the modern application as a platform. So you can deploy and manage these instances. You can get visibility of how traffic is being routed and where problems occur. And you can bring self-service capability to your developers so that central IT can still see the applications, see the traffic, and put governance and policies in place, but your developers can run as fast as they can write the code.
And that's incredibly important in this very agile and competitive environment. In addition to this, as I mentioned, developers are bringing their own tooling. And because NGINX is open-source, and we've been open-sourced since 2004, we've become the default web server on the planet. We service over 400 million websites and web applications around the world through our open-source technology. And we run over 70% of the busiest and most used and important websites in the world. So we've become the industry standard from an open-source perspective. So we're already in almost every enterprise on the planet today. But now, as I said, enterprises are facing these difficulties of complexity, of tool sprawl, visibility, and how we can help them solve that.
Well, as I mentioned, our commercial offering at the data plane level with NGINX Plus extends NGINX open-source from being just a web server and reverse proxy into all those other personalities and use cases I mentioned, reducing the amount of tools you need to use and bringing greater consistency across your application environment. Secondly, we've introduced NGINX Controller, a very sophisticated control plane that sits above all those personalities, bringing manageability and deployability across your application, visibility so you can see what's going on and where the problems occur, and self-service portal access for your developers to run fast. And through the work that we've done within F5 with the security team, we've been able to port the amazing security capabilities that have been built for BIG-IP with Advanced WAF onto our lightweight modern data plane to be able to be deployed for modern application environments.
So bringing security into modern apps further to the left, further to the development environment, so you can have true security end-to-end, which in this world is so important because we just see how any data breach gets put on the news, gets put in social media, and impacts the reputation of your company. So security is absolutely critical to these modern applications. And since becoming a part of F5, we're seeing great momentum. We're seeing that our average deal size has grown 57%. We've seen that the amount of subscribers, customers that we have has grown 23% within the enterprise. And through additional investment we've received in engineering capabilities, we're able to bring new products and additional products to market like NGINX Controller and NGINX App Protect, the security offering that we've worked on together with the F5 security team.
So if you look at the large addressable market opportunity we're going after here with modern applications and the fact that it's more than just application delivery control, but API, security, service mesh, and Software as a Service, if you look at the fact that NGINX is very complementary to the BIG-IP business in terms of building modern applications around and next to traditional apps, and the fact that we're open-source and have so much dominance in the open-source world, and through our simplicity of approach, we're able to help commercialize that open-source and save customers money and bring great value, we think we're incredibly well-positioned to go after modern applications and win this platform for F5 and for NGINX. I want to thank you all for your time and like to introduce my colleague, Sumit, to tell you more about our security offerings. Thank you.
Hi, I'm Sumit. I'm the Vice President of the Analytics Product Group here at F5. I'm also one of the co-founders of Shape Security. We couldn't be more excited about our opportunity to become a global leader in application security. There are three things that I want you to take away from today's presentation. The first one is that our strength in application security overlaps with the hottest security segment for the next decade in all of online security. The second is that our acquisition of Shape Security brings the most powerful application security in the industry to our immense installation base. And lastly, we're already a top 10 global application security based on fiscal year 2020 revenue. So let's dive in. Every decade has a hot security segment that delivers better returns than every other. In the early 2000s, the hot segment was network security.
In the mid-2010s era, the hot segment was endpoint security, growing from $3 billion to more than $10 billion. But now, in the 2020s, the hottest segment by far is application security, projected to grow from a little over $10 billion to well into the $30 billion range by the end of 2030. Let's dig a little deeper into that. Why is this target addressable market so huge? It's simple. It's because the applications are where all the value is. It's no longer the case that the perimeter is where criminals go to extract value out of enterprises. It's less the case that they go to the endpoint to extract value. Those things still needed to be safeguarded and secured, of course. But the majority of the value is moving into the application. Criminals know this. Enterprises know this. And that's why this TAM is so huge.
And if we dig a little deeper into that TAM, F5-specific subcomponent of that TAM is $8 billion in 2020, growing over the next three years to $15 billion by 2023. So you might be wondering, why is application security growing to such a degree? Let's look at two concepts: incidents and breaches. When we look at what drives enterprise spending in cybersecurity, it's these two things. Now, let's distinguish them. Incidents are things that happen that are dangerous and alarming, but that don't directly cause material harm in that moment. Incidents cause security teams to plan in an orderly fashion for future spending. So you can think of that as budgeted on-cycle spending. Breaches are things that are dangerous that actually cause you massive amounts of direct harm right then and there. Breaches drive unplanned off-cycle spending.
Let's analyze incidents and breaches based on some industry research that we've looked at and look at what really causes these things. so we took a look at 23,000-plus security incidents (these are those things that are dangerous and alarming but didn't cause harm) in 2019, and we ranked them by their cause. If you focus on the top, what you'll find is that more than 90% of the time, the causes of these incidents were application security. so the overwhelming majority of the time, the things that are top of mind for cybersecurity teams that drive their budgeted on-cycle planned spending are related to application security. Now, let's look at breaches. These are those things that cause actual direct harm. so we took a look at 3,000 of those. and again, if you look at the things that are on the top of the list, they're related to application security.
50% of the time, the causes of breaches that create tens of millions, hundreds of millions of dollars of direct financial harm to large enterprises were related to application security. And so what we see is that application security-related issues are the drivers of the most frequent incidents, those are the things that cause planned and budgeted spending, and of the most damaging breaches, which cause unplanned off-cycle spending. So let's map F5's portfolio against these top causes of incidents and breaches. Whether you look at the Advanced WAF, Silverline, Shape Security, the AI Fraud Engine capability, all of our capabilities in our portfolio are lined up to deal with the most frequent incidents and the most damaging breaches. Let me give you a different perspective on our portfolio. If you think about the things that application owners care about, it's actually pretty simple. They care about staying online with their applications.
They care about staying secure with their applications, and they care about protecting the data and the logic behind their applications, and so what you see, again, is that our products neatly line up against these major categories of things that matter to application owners. I'm going to give you one more view of our portfolio. We have the broadest and deepest portfolio. We took a look at some of our peers that are either CDN or edge-based, that are based in the public cloud, or who are independent software vendors themselves, and we compared the capabilities we have to the capabilities they have. We have the greatest number of things fully deployed, generally available, and mature that application owners care about relative to all of our peers.
Things like the ability to be multi-cloud and multi-CDN, things like the ability to absorb huge amounts of volumetric denial of service attacks, and things like the ability to deal with the most sophisticated fraud and abuse targeted attacks. Our portfolio is comprehensive against all of the things that matter to application security-related issues. Now, our acquisition of Shape rounds out our portfolio. It brings the most powerful capabilities in the industry to our huge installation base. I'm going to go back to that slide that I just showed you a moment ago. We already had strength in keeping applications online and keeping them secure. And what this acquisition of Shape brings to us is the ability to protect the data and the logic, we call those fraud and abuse issues, against the most sophisticated attacks in the world. So let's look at what that does to our portfolio.
It takes our portfolio, which was already very strong in protecting traditional and modern applications in an on-premises environment where we live in the data center and have a limited amount of visibility to the data, and takes us into the cloud. We're now able to serve traditional and modern apps no matter where they live and how they're constructed and route that traffic through the capabilities that we now have. It also adds a big data back-end analytic capability, which means that not only are we in the application data path of all of the information flowing through the application, we can process it in real time, make judgments about what we should do differently, and deliver differentiated actions to our customers, all in the context of a real-time security capability.
These two fundamental capabilities, as well as Shape's expertise in driving against fraud and abuse cases, are turbocharging and enhancing the entire rest of our portfolio. So we think of this as our newly enhanced portfolio. So what does our enhanced portfolio allow us to do? It allows us to sell more deeply within our installation base. Today, there are about 10,000, round numbers, active customers who have purchased at least one security offering from F5. There are another 8,000 who have not bought a single security offering. So our enhanced portfolio allows us to much more aggressively penetrate the 8,000 of our existing customers who haven't yet bought one of our security offerings. It also allows us to go broadly within those customers.
Going back to that 10,000-plus that have bought a security offering, we estimate that we have roughly 20% share of wallet in the area of application security. There's another 80-plus% that's untapped in areas that are relevant to our portfolio that our enhanced portfolio allows us to go address. So we can go more broadly to the customers we haven't yet given a security offering to, and we can go more deeply in the ones that have already done so by selling against more of the budget. The evidence of all of this is already coming true. In the last three months, we've seen the enhanced portfolio dramatically improve not only the number of wins, but the nature of wins, and let me take you through several of those.
Not one, but multiple state government websites that deal with things like unemployment claims were massively defrauded as people stayed at home due to COVID and indeed needed to file those claims. We were already inserted into several of those websites via our Silverline managed security capability, but we were able to bring our Shape capability to bear to deal with the very sophisticated fraud and abuse cases that arose because of the last three months' change in behavior. Moving into the middle, there's a massive top three global social media site that we already served from a load balancing and traffic routing point of view that we've now newly penetrated from a security point of view because of our enhanced portfolio. And lastly, there's a large banking platform provider in the U.S. that has thousands and thousands of mid-sized banks on its platform.
We were able to significantly expand our footprint and cover a great many more use cases within that platform because of our enhanced portfolio, so we couldn't be more enthusiastic and confident about what our enhanced portfolio allows us to do with our customers in the market. I want to move to the final section. We had over $750 million of actual security revenue in FY20, which makes us a category leader even looking at last year. Let's decompose that revenue for you. $275 million of that revenue comes from standalone security product revenue sold directly to our customers. Another $125 million comes from advanced ADC and other security offerings that are attached or part of our other bundles, and $350 million comes from security services associated with those first two categories, leading to $750 million in total revenue.
When we think about what fraction security makes as a total part of our portfolio, it's very favorable. Security is already more than a quarter of our total product revenue portfolio and is growing very rapidly. When we look at 2017 to 2020, we've had a 31% growth in product revenue. It's more than doubled since fiscal year 2017. That puts us in a very favorable position. When we analyze the application security-related revenue of a cohort of our peers and near peers, you see that our $750 million puts us very close to the top. So we're well on our way to becoming a global security powerhouse in the area of application security. I want to go back now to the three key takeaways. Our strength in application security puts us in the sweet spot of the hottest application security segment of the entire next decade.
Our acquisition of Shape turbocharges our entire portfolio and brings us to enhanced capabilities not only in the Shape products, but in the rest of our products. And lastly, we're already well on our way to being an application security powerhouse globally relative to our peers. Thank you very much. So you've heard about how we're delivering and securing traditional and modern apps. Now we'd like to talk to you about how we're unlocking the value of App Insights through data and artificial intelligence. This is an area in which we expect significant growth. And this is because of the fact that there are a number of key advantages that we have in the ability to leverage data and deliver greater app functionality through it. There are three main takeaways that we'd like you to get from this section.
The first is that we have a unique vantage point from which to leverage data. The second is that we're building on capabilities that we acquired in the form of Shape's data and AI systems. The third is that we already have products and services in market, and we're going to be launching more. To begin, let's talk about our unique vantage point into data. Now, there are three key elements in creating a great digital experience. Of course, you have to build the app itself, but you also have to deliver and secure that app effectively. But even doing those two things is not sufficient to be able to create a truly great digital experience. You have to operate that app and constantly understand how it's being interacted with.
You need to analyze the data which is flowing through it and optimize the app in order to be able to respond to what your end users want and create a truly great digital experience. Now, we know that there is a tremendous amount of data to analyze within applications. Every day, there is a huge amount of data which is created across the entire internet. What you might not be aware of is how much of this data is actually flowing through F5 components in the form of BIG-IP software and hardware instances, NGINX instances, and Shape infrastructure. Taken together, this amount of data is comparable to some of the largest data companies on the internet, and it allows us to touch nearly every user on the internet.
What we want to be able to do is create new capabilities that go much further than we've gone traditionally in order to be able to unlock the power of the data which is flowing through these components. Today, we analyze this data in a variety of different ways. In the context of BIG-IP and NGINX, for instance, we analyze the transactions and look for signs of security attacks, and application firewall components, our aWAF product, and other types of security and infrastructure rules like our iRules allow us to be able to act on the data which is going through those components.
In the context of Shape, we take this further, and we actually take telemetry and data from the components themselves into the cloud to be able to perform even more intensive types of data analysis to be able to deliver value in the context of fraud and abuse detection. Now, not only is the amount of data and the opportunity represented here immense, but the nature of the data that we're able to see is also unique. Because of the fact that web and mobile app interactions are essentially decomposed into individual transactions, and all of those transactions go through our data planes, what we're able to do is see infrastructure topology and configuration. We're able to understand the performance of that application. We're able to observe the way that cybercriminals direct attacks against those applications, and we're able to see the way that real users interact with those apps.
Finally, we're able to understand this behavior across multiple cloud environments, across hybrid environments, and of course, in data center environments. This gives us not only a very broad view of application and user behavior across the internet, but a very deep view as well, which is unique. Now, how do we truly unlock the power of this data? Well, it's through artificial intelligence, and the way that we do this is four simple steps. First, we leverage the power of this data by having visibility into it, by having our components in the data path and building functionality that allows us to be able to perform new types of analysis. The second is by using the data to train machine learning models that give us insights into the previous data that we analyzed in terms of application behavior.
The third is by having insights into future transactions based on the machine learning models that we've trained, and finally, we want to be able to automate actions on the basis of those predictions in order to make the applications function better than they have before. When you view our development plans over time, what you can see here is that we've gone from a business that delivers incredible functionality in the data path to bringing more and more of this data into components that allow us to perform this analysis and do so increasingly in the cloud, where we're able to make predictions, train machine learning models, and then deliver new types of services.
We do this today in the context of cybersecurity, fraud, and abuse with Shape products and services, but we want to be able to use this same data and telemetry to enable digital experience management, app performance management, and AIO ps, and analytics-enabled business services. And taken together, this represents an incredible market opportunity for us to deliver new types of application functionality. Now, as we do this, we know the importance of privacy in 2020 and beyond. When companies are engaged in GDPR and CCPA compliance and they're getting requests from their end users to invest in privacy-enabling technologies, we know that they need a platform that they're able to trust.
And that's why we're investing in multi-layered privacy controls that enable us to minimize data, aggregate it, anonymize it, and encrypt it in ways that allow our customers to be able to trust our platform more than any other platform out there. As we do this, we're not starting from scratch. We're extending capabilities that we acquired in the context of Shape's data and AI systems. And the reason that we're able to do this is because Shape had to solve a much larger class of problems than merely bot detection and fraud and abuse detection. In fact, when you think of fraud and abuse detection, it's a subset of general user analytics.
In order to be able to identify very sophisticated fraudsters, what you need to be able to do is analyze every single transaction which is going through an app and understand it better than any other analytic system out there. That's the only way that you're going to pick up on the very minute signs that indicate that a transaction is coming from a sophisticated fraudster as opposed to a real user, but that same set of technologies allows us to be able to understand all of the users that are interacting with that app much better than any other system that was previously designed, and the only way to be able to do this at scale is through artificial intelligence.
This represents an incredible opportunity for us to take a platform which solves a very wide class of problems and create new products and services on top of it and bring our Adaptive Applications' vision to life. So what does it mean to bring that vision to life? Well, if we compare it to self-driving cars, we want to go from a world where the operation of an application is a very manual process of turning steering wheels and pushing pedals into a world where the application essentially drives itself. And it not only drives itself from the point of view of the operation of the infrastructure, it drives itself from the point of view of delivering a constantly optimized digital experience for the application's end users.
This is something that we're already doing today in the context of Shape's technologies, where we're enabling customers to go from very low levels of cybersecurity automation, where they're engaged in a number of manual processes, to a process where nearly all of the transactions which they are protecting in their application are dealt with in a fully automated fashion. This has allowed us to bring a number of products and services to market already, and this is going to continue not only in the context of cybersecurity, but in a broader context as well. In the context of cybersecurity, we've become a market leader with Shape Enterprise Defense, which enables AI-based fraud and abuse protection at a higher level than has ever been possible before, taking applications which have more than 90% login fraud to nearly 0%.
And we've extended these capabilities in the context of the Shape AI Fraud Engine, a new product that allows us to be able to stop fraud anywhere in an application. But now we're going beyond cybersecurity. We have capabilities like NGINX Controller and Beacon that allow us to be able to use the data going through applications to be able to enable infrastructure changes and resolve issues not in hours, but in minutes. And we're using the data flowing through applications today to conduct new types of pilots that allow us to be able to optimize the behavior of an app using this interaction data. And some of these pilots have already demonstrated brand new types of effects, like a 2% lift in top-line revenue.
We know that customers of ours across the industry are aware of the importance and value of data, and they themselves are investing in the use of artificial intelligence to be able to leverage this power to improve their applications and their businesses. They're doing this across the board already, and they're planning on growing their AI efforts over time. Whenever we see companies across the entire industry engaging in the exact same set of activities, this cries out for a new approach, a services-based approach that delivers the same functionalities to them at a higher level. To borrow a phrase from Amazon, what we want to do is alleviate the undifferentiated heavy lifting involved in creating great digital experiences. And there is a tremendous opportunity for us to be able to do this.
When you look at even the most sophisticated internet services today, they exhibit levels of downtime that would be completely unacceptable for other applications like modern efficient electrical grids. App downtime alone costs as much as $2.5 billion annually across just the Fortune 1000. When we expand this to the entire industry and we also take into account the performance degradation and suboptimal customer experiences that come from applications not being as adaptive as they could be, we're able to see that there are billions of dollars in lost revenue here. And the Adaptive Applications vision is one which is worth millions of dollars every single year to any typical large enterprise. In conclusion, we have an unparalleled vantage point from which to leverage data. We're extending the capabilities that we acquired from Shape to be able to get to market as quickly as possible with these new generalized capabilities.
We already have a number of products and services in market that demonstrate our ability to execute on this effectively, and we're going to be launching more. As we do this, we expect to be able to open up brand new AI-driven markets, and we're going to see initial results from this in Horizon 2. Thank you.
Welcome. My name is Chad Whalen. I'm the Executive Vice President of Worldwide Sales. I'll be partnering today with Mika, our Executive Vice President, Chief Marketing and Customer Experience Officer, as we review reaching new buyers and growing customer value. There are three tenets to our overall presentation.
I will cover the first two, and Mika will cover off the last one, starting with our go-to-market execution and offers and how they have and will continue to accelerate our software growth, our public cloud partnerships as a strong route to market, offering differentiated solutions and offers, and extending our application expansion. Mika will cover off our digital revenue engine, the incremental revenue, and how we're reaching new buyers in an efficient way. With the takeaways, we will accelerate growth among new buyers with greater speed and resource efficiency. Let me start off with the first one, our go-to-market execution and the offers we have. Before we get into the presentation, let me ground us in some things that have taken place from a historical standpoint. Software transformations in the past have returned mixed results.
Let's take a look at some of the others that have endeavored in this journey and how far they have made it in their software transformation in terms of their overall product compositions. Starting at the bottom of the chart is HP. They were at it for 11 years and only got to 5% of their business in a software composition after spending billions of dollars in acquisitions. Next up is Dell. They were at it for a shorter period of time, eight years, were able to get all the way up to 21% of software composition and, again, spent billions in the acquisition to try to accelerate this pivot. Both ended up giving up before they became majority software businesses, and the question is, why? It was not the lack of money, strategic intent, or technology.
It was simply that they were never able to get the sales team and the GTM aligned to prioritize selling software. After many years with marginal success with their investors and the management team, they became fatigued. They lost interest, and they never got to the end state. Cisco is a bit of a different story. They're at 37% over 13 years, and all have also spent billions of dollars in their acquisition strategy. Their transformation is still underway in motion to this day. So what have we done? What are the deliberate steps that we took to recast our go-to-market motion to capitalize on new markets and maximize our growth? Well, firstly, we want to leverage our security portfolio to expand our reach to new buyers and new applications. With the explosion of new applications, security is top of mind for all of our customers.
Secondly, accelerating the pivot to software and our subscription offerings was all about tying ourselves to our customers' digital transformation and maximizing that opportunity with them as they're going through this motion of recasting their IT infrastructure, and then lastly is deepening our public cloud partnerships to bring a unified set of offerings for multi-cloud deployments for use case expansion. Mika will cover off the next two throughout her presentation, getting to new buyers with expanded portfolio. Security, a core tenet of our value proposition for our customers. As customers are increasingly adopting a multi-cloud strategy, securing those applications is mission-critical. We have the solution breadth that gives them the flexibility that they require. As a result, we've secured over 1,000 new security customers in the last 12 months in fiscal 20, with more than 50% of our FY 20 customers purchasing our security offerings. Software.
We are instrumental in supporting our customers on their digital transformation journeys. Between traditional and modern apps, we are pivoting the offering and flexibility that customers need. In fact, as we closed FY 2020, we had more software transactions than hardware. Over the last three years, we have grown revenue 44% predominantly with use case expansion, and in that same time period, we've had explosive growth in our subscription revenue. More than half of our customers in fiscal year 2020 purchased software offerings from F5. Public cloud, what are we doing with these partnerships from a differentiated go-to-market as well as use case expansion? Our customers continue their digital transformation journeys. They require a unified, ubiquitous experience between on-premises and cloud-based solutions. As such, we jointly collaborate to deliver these deeply integrated solutions with our public cloud partners.
This collaboration spans engineered and programmatic migration solutions and build-with offerings and go-to-market programs that give us uniqueness in the market. The premise behind this collaboration between us, whether it be GCP, AWS, and/or Azure, is to improve the customer experience. And this has been a core tenet of all of the offerings that we've put and the success that we've had with this business thus far. When you look at the result of actually what we've done of this joint collaboration, our public cloud business has been one of the fastest-growing software segments in the company, with a 78% three-year CAGR bookings growth. This last year, we did over $100 million in business in public cloud, excuse me. And new customer acquisition is up in every single geography.
We put a deliberate approach on public cloud as a strategic tenet of our go-to-market motion, and it has returned time and again, and we're expecting this momentum to continue for us as we move forward. This slide demonstrates success that we've had with two customer stories. The left-hand side of the slide is about our security posture. The right-hand side is around what we're doing in public cloud software. On the left-hand side is a significant government customer. And what you will see is, in the span of time over the last two years, there was significant expansion between an on-premises solution, between the first deployment that they have with security, to a massive expansion within security. On the other side of the chart is a very large multinational Software as a Service company.
What you'll see here is the deployment of our solutions across the public cloud is exploding over the last two years, utilizing our software both on-prem and in all geographic locations in a public cloud environment. Now, let me bring it back to the transformation chart that we started earlier in my presentation and layer in some of the performance that we've had. In only three short years, we've substantially changed the composition of our business, with 35% now coming from software. This is a result of a deliberate focus on executing software selling motions. We have the formation. We have the process and momentum to deliver continued acceleration in our software transformation. Now, I'd like to welcome Mika to review her section. Thank you.
Thank you, Chad. I'm Mika Yamamoto, F5's Chief Marketing and Customer Experience Officer. A focus we have moving forward is reaching new customers efficiently. Research shows that most B2B buyers are already 57% of the way through the buying process before they first meet with a seller. It is essential to target and reach customers digitally in a smarter way. The first three areas that Chad discussed will continue to serve as areas for growth with us. To reach new market segments and deliver strong growth, we are recasting our go-to-market approach. We will place an increased emphasis on specializing by vertical and focusing on data-driven, targeted outreach that leverages AI-powered predictive modeling to enable focus for our go-to-market efforts. As you heard from Gus, Sumit, and Shuman, we have untapped potential within the modern application, security, and insights markets.
This expanded portfolio allows us to extend our traditional reach among NetOps and SecOps professionals, where we will continue to simplify the traditional application delivery. We're placing emphasis on expanding into DevOps, AppDev, and DevSecOps communities to enable modern app delivery at scale with NGINX and Service Mesh. Focusing on CISOs to secure every app anywhere delivers outstanding opportunities for growth with Shape. Enabling CIOs to unlock meaningful business value for their organizations is key to developing strategic partnerships with our customers. Consider the 18,000 F5 customers Sumit highlighted as core expansion candidates with our rich security offerings. Among them, there are 10,000 security customers with whom we only have a 20% share of security wallet. We will telegraph our value to new buyers within these accounts.
For example, targeting CISOs who seek guidance from trusted thought leaders and peers in their pursuit of empowering the business to move fast but safely. F5 meets these needs by sharing our expertise and data insights to help make all security teams successful and by delivering security solutions that are adaptive to the threat landscape, powered by automation and AI, and simply securing remote access to applications. We take a vertical pivot among financial services, federal government, and service providers to deliver growth. For example, emphasizing the enablement of open banking initiatives among leading financial institutions. We support open banking with API security and API management technologies, as well as the new NGINX Service Mesh. With our integrated digital go-to-market approach, we are able to drive a focused path to sustained growth. As we've discussed, our portfolio opens a remarkable number of opportunities to expand F5 values within organizations.
If we picture, for example, the universe of financial services institutions on the planet, some are better fits than others for F5. Rather than treating this entire universe of customers the same, we are using data to focus on where we can deliver the most meaningful value with our portfolio. We are looking at common buyer characteristics from past deals where customers bought a broad range of products from our portfolio and where there were deal sizes that were fairly large, minimized churn, and high customer satisfaction to build and refine our ideal customer profiles. To build these profiles, we also look at what they currently own, their expansion potential, their revenues, their vertical, the number of locations and types of applications that they're placing in the market.
For example, an ideal profile for Shape-recognized are B2C companies with customers that are likely to make a purchase across multiple devices, like airline tickets, or B2C companies with customers who are likely to make repeat purchases through the year with the same device, cosmetics, for example. Here, we have a great promise to focus on airlines and retailers. These ideal customer profiles enable us to build our propensity models to put against a universe of potential customers to help us narrow in on cohorts of customers for focus. Those that have similar leads are more likely to see value with what we have to offer. But even those that are more likely to buy aren't all in the market to invest at any given moment. So we use third-party data to be able to monitor purchase intent behavior to determine how we engage our customers.
Being pushy with the sales approach when not buying is off-putting, but not providing enough information when a customer is actively seeking to invest makes us irrelevant. We look at what companies are downloading, their job descriptions, specific wording, and LinkedIn accounts of targeted customers to determine the best way to engage. We stay in front of them so they consider us when they have a need. Once they do show signs that they're ready to invest, for example, attending a competitor's webinar, visiting competitors' websites, or continuously visiting ours, we enable a personalized digital outreach approach and use scoring models to determine timing of when to place a customer on a priority call list for a seller.
When we hand these customers over to our sellers to call, we provide the background of all of their interactions with us in the past so that there's an understanding of interest for the best way to address our customer needs and have the most positive impact on their buying decisions. We recently did this with a top three athletic shoe manufacturer with Shape, and we were able to call and move to a proof of concept phase with them within weeks. This approach drives focus for our sellers to focus on customers most likely to buy, and we project to yield a 30% improvement in conversion rates and up to three times increase in overall key deal sizes over time. Here's an example of the value of expanding our reach to new buying centers within an existing customer. This is a very large investment management firm.
They were a historic NetOps customer and not a very large account for F5 despite their size. They were using BIG-IP for their on-premises B2B trading platform, and our historical customer just didn't see much value in the cloud. We expanded our relationship with a leader in the organization who was driving their efforts to shift their platform to the cloud. This led to a significant expansion for a BIG-IP and a net new expansion with NGINX. What you see on the right is a custom website developed to further extend our relationships within this account. We have identified specific individuals we are targeting with LinkedIn ads, for example, to drive them to this page.
Last fiscal year, this targeted approach among three financial services companies in the U.S. resulted in 70 net new senior-level relationships within our existing accounts that we're now building upon for growth in FY 2021 and beyond. Here's an example of moving into a more strategic position at a top 10 U.S. bank and one of competitive takeout. In 2019, this account spent about $1 million on Avi. This was prior to the announcement of NGINX acquisition by F5. They purchased Avi for its small footprint and ability to grow as needed within the environment. We developed our relationships with the NetOps and DevOps professionals as they worked on their software architecture for the bank. Now, with the acquisition of NGINX, we demonstrated to the bank that we had a more complete solution that could secure their environment and scale with them.
This created a far more compelling value proposition for the bank on what F5 could deliver end to end, and the Avi investment was no longer needed. What followed is the individuals that we were working with in NetOps and DevOps determined that it would be valuable for us to engage with their CISO. So this connection was only possible because of the completeness of our solution. Upon establishing the connection with our CISO, they were able to drive a project that would modernize their web security, and they ended up investing in VEs, AWAF, AFM, DNS, and SSLO. Because of the relationship with the CISO and CIO, we were able to secure NGINX with App Protect, API Gateway, Ingress, and Service Mesh into their 2021 budget. And now, we are meeting many of their strategic security needs.
This initial connection with the CISO has further developed to include an enterprise-wide approach to their security and application delivery. We're quickly moving into an adaptive application discussion with them. And now, we have a quarterly connection with the CISO and are working towards a cohesive adaptive apps approach to deliver further value for the customer and growth for F5. The innovation roadmap for our expanded portfolio, coupled with our focused go-to-market approach, will deliver ongoing momentum to realize 50% software revenue mix for F5 in terms of product revenue by the end of FY 2022. This is faster and farther than many comparable hardware companies who attempted the same transition. Our expanded portfolio provides us plenty of opportunity to deliver growth. We will accelerate this growth and therefore our transformation as a software vendor by leveraging data to engage new buyers with greater speed and resource efficiency. Thank you.
And now, I'd love to introduce Tom.
Thank you, Mika. Hello. I'm Tom Fountain. I'm pleased to share with you a few of the exciting aspects to our services business. I'd like you to walk away from this presentation with three key takeaways. First, we believe services is a fundamental component of our Adaptive Applications vision. Our services portfolio complements and reinforces our product strategy. And increasingly, we are using services as a tool to accelerate product sales. Second, our services offerings have long been recognized by customers as a unique differentiator for F5. These offerings deepen our customer intimacy and ensure customers realize the benefits our technology promises. As we grow our software subscriptions, the importance and value of services increases. And third, our service lines provide a durable source of revenue and margin. The operational results of our business have remained consistently strong, and we are continually optimizing our business to grow profitably.
Together, F5 Services is a robust and profitable source of revenue and margin and will remain so for the foreseeable future. Let me begin by sharing how we are extending our services capabilities to address the requirements of our Adaptive Applications vision. As an overview, we offer a comprehensive services portfolio. We serve a wide range of customer segments from smaller organizations to the most demanding enterprises and governments in the world. We take pride in consistently earning top marks for customer satisfaction and appreciate that customers view our services as a differentiator for F5. Our world-class offerings feature three primary service lines. Support services provide around-the-clock access to product and solution experts who support over 280,000 individual support obligations and respond to more than 130,000 customer cases a year.
These engineering professionals assist customers not only at the moment of greatest need, but they provide a range of premium services for ongoing and continuous access to dedicated support professionals commensurate with the mission-critical workloads F5 technology serves, offer global logistics to ensure customers have the product on the timetable and in the location required, and through F5's Security Incident Response Team , aid customers with planning their security defenses and, most importantly, responding to a crisis. With the rapid growth of our software subscription offerings, we've aggressively built a new Customer Success capability to ensure customers realize the business value they seek from our offerings. Finally, Professional Services execute 1,700-plus customer engagements a year and deliver more than 19,000 student days of training annually. We are applying each of these three service lines to support our Adaptive Applications vision.
As an example, let me expand on our use of Professional Services to further accelerate both service and product sales. While many think of Professional Services in the context of product implementation, we are increasingly applying our Professional Services capabilities on the front end of the sales cycle. We draw upon our deep domain expertise in applications to advise customers on the evolution of their application estate, recommend how solutions better embrace modern app dev practices, and co-design with customers' environment to satisfy those requirements. Elevating our role as a trusted advisor positions us for future product and services sales. F5 Services is widely recognized as a differentiator. Customers who have purchased our solutions value our deep expertise in application security and delivery. One of the most frequent questions from investors is the effect a more software-driven business has on services.
With several years of operating experience, we've seen a clear and consistent pattern emerge among customers who purchase our long-term software subscriptions. These customers frequently maintain or slightly slow their hardware purchases but rapidly expand their software usage such that their total product spend with F5 is similar or greater than it was previously. As a result, we therefore also sell more services, particularly recurring services, both through the layering of new support contracts and from expanding the range of services our customers purchase. I selected three case studies to illustrate this point. The first is a top European financial services firm which has continued to invest in data center hardware while rapidly buying both perpetual and long-term software subscriptions. The second is a North American retailer who is rapidly transitioning from hardware to software, yet their spend with F5 is fairly constant.
And the third is a large global software provider who slowed but did not stop their hardware purchases while rapidly expanding their use of F5's long-term software subscriptions. In each case, product bookings grew or was approximately flat, and recurring services bookings grew significantly. We see this pattern frequently and is evidenced in aggregate across our long-term software subscription customers. Our software product growth has further elevated the importance of a robust Customer Success capability focused on enabling customers to get the most from their F5 software subscriptions. Our Customer Success team frequently engages with customers well ahead of purchases and understands their business objectives. Once the customer completes their purchase, the Customer Success team then helps the customer accelerate their onboarding, encourages adoption and expansion, promotes other F5 products and services, and helps manage any at-risk renewals.
Looking back to 2017, a typical long-term subscription customer was expected to take 22 months to fully deploy the software instances associated with their initial license purchase. As a direct result of Customer Success and our actions to accelerate customers' use of our technology, we've improved that by an impressive 15 months. This not only improves the customer experience but unlocks new expansion opportunities. Last year, these same customers grew their long-term booking subscriptions with F5 by 14% annually. Finally, I'll speak to why our services business is a durable source of revenue and margin for F5. The graph on the left shows services revenue for the past three years, highlighting strong growth of 5% in FY 2019 and FY 2020 and a 5% CAGR over the period.
We achieved strong services growth through consistently high attach rates on initial sales in excess of 96%, industry-leading renewal rates, and expansion with new service offerings. In fact, more than 90% of services revenue is recurring in nature. Through rigorous operational discipline, even with investments in new capabilities such as Customer Success, we've delivered strong services gross profit in excess of $1.1 billion annually, expanded our gross margin from 86% to 87%, and grew gross profit by 5% CAGR over the period. Our more detailed operational results further demonstrate that services remains a durable business even through the rapid growth of software. At a high level, I decompose our recurring services revenue into three primary drivers. First, we've delivered consistent five-year attach rates for services across both hardware and software.
Though not shown in the graph, between FY 2018 and FY 2020, we saw our overall trailing five-year attach rate improve by two percentage points. Second, I look to our base of contracted obligations, which has grown 4% CAGR through strong renewals and new offerings. And finally, we've maintained a consistent contract lifespan of nearly six years. Much like our customers who are digitally transforming their businesses, we too are digitally transforming F5's service business. Digitizing more of our operations results in improved customer experience, lower cost to serve, and finally, margin expansion. As I noted in my opening, one, we are extending our services capabilities to address Adaptive Applications by complementing and reinforcing product sales with services. Two, services is a unique differentiator for F5, and we are continuing that tradition even as we grow our software business.
And three, our service lines provide a durable source of revenue and margin for the foreseeable future.
Thanks so much, Tom. Good afternoon, everyone. My name is Frank Pelzer, and I am the CFO of F5. It is a pleasure to follow all the great presentations today and share how the incredible efforts throughout the company are leading to accelerating revenue growth and sustainable financial success. Our team sees a massive market opportunity ahead of us, and we feel F5 is uniquely positioned to both win in our space and deliver value. There are three things I would like you to understand from my session. We are transforming our business at an unprecedented pace, driving top-line growth acceleration. Our transformation is well ahead of our expectations. We are at an inflection point where our past investments are positioned to yield operating leverage.
We expect to grow revenue faster than non-GAAP operating expenses, and finally, we are fully committed to a balanced approach to capital deployment, including returning capital to our shareholders. As François said previously, we are at an inflection point in the business where the strategic investments we have made over the last three years are going to drive sustainable double-digit earnings growth. Let me share with you some of the key performance indicators of our transformation. Our team has spoken quite a bit today about the current inflection point for F5. On this slide, I outline one way where we are starting to see our transformation manifest in our results. The benefits of our investments are beginning to materialize in our top-line revenue growth and in our product revenue growth.
Please note that we are delivering this acceleration while we are experiencing the traditional J-curve that occurs during the transition to subscription-based revenue. While we have been growing our subscription business simultaneously with the transition, that curve has been present underneath our results. We are now starting to see that growth really take off, and we expect this acceleration will continue. We also expect the subscription and recurring portions of our revenue, including renewals and True Forwards on our term subscriptions, to start to drive momentum going forward. The transition and inflection are especially apparent looking at our product revenue growth. I will note that in both of these charts, we are providing an illustrative view of our expectations in Horizon 2 based on the outlook François discussed earlier.
One of the most important takeaways from our 2018 analyst and investor meeting was that we were embarking on an evolution that would transform F5 into a more software-led company. We are delivering on that objective, and in fact, our software transformation is occurring at a faster pace than even we expected. Since 2018, we have taken software from 13% of non-GAAP product revenue to 35% in FY 2020. Importantly, our software revenue growth has come at a compounded annual growth rate of 44% over the last three years. This business is a significant driver of our growth, and we are quickly approaching the point where software will comprise the majority of our product revenue. Let us drill a bit deeper into our software subscription growth. Subscription-based consumption models are a very powerful driver accelerating on our top-line growth.
They are also improving the overall quality of our revenue and earnings. As part of our transformation, we adopted flexible consumption models that have enabled our customers to consume our solutions the way they choose. Historically, we sold software only on a perpetual license basis. Now, we offer annual subscriptions, term license subscriptions, utility-based consumption, and as-a-service offerings. This was no small undertaking and required retooling our back office processes and improving our sales team software and subscription fluency. As we mentioned in our Q4 earnings call, we have a renewals flywheel that is starting to turn with momentum and True Forward revenue opportunities on a sizable portion of our long-term subscription contracts. And you can see the results. Subscriptions have grown from just 20% of software revenue in FY 2017 to 71% in FY 2020, growing at 120% compounded annual growth rate.
The graph on the left shows the ramp of subscriptions as well as the fact that our perpetual software revenue has remained steady even as customers have embraced these new consumption models. As in our earlier view of total revenue and product revenue growth, we have included an illustrative view of what our software revenue in FY 21 could look like based on our guidance. Going forward, our software growth will continue to diversify thanks to this broader and growing base of subscription and SaaS revenue. As a result of subscription growth, we are growing our total recurring revenue base. In FY 20, 65% of our revenue was recurring. This includes the combination of revenue from recurring sources, including subscriptions, term agreements, utility purchases, and service maintenance revenue. The compounded annual growth rate on this business from FY 17 to FY 20 was 12%. Let me say that again.
Two-thirds of our revenue, $1.5 billion in recurring revenue, is growing double digits. As both François and Sumit discussed, you should no longer think of F5 as just the number one ADC company. Our application services portfolio is much broader, including leading application security capabilities. We have a top two position in the dynamic high-growth application security category. Our standalone non-GAAP security-related revenue has grown at a 31% compounded annual growth rate over the last three years. As of FY 2020, our standalone security offerings represented 27% of total product revenue. All of these KPIs highlight that we are transforming our business at an unprecedented pace. The F5 of today is a software company. We have close to a $450 million software product run rate business.
We are a leading security player with more than $750 million in total security-related revenue in FY 20, including attached security and related services revenue. With the portfolio we have built, we have a strong competitive position in the combined $28 billion 2023 market opportunity. In addition to driving substantial business transformation, we are at a pivot point where our investments are yielding operating leverage. We wanted to share our outlook on two time horizons: Horizon 2, which is our fiscal years 2021 and 2022, and longer-term targets, which you can think of as around 2025. Please note my comments here are on a non-GAAP basis. In Horizon 2, we expect software growth with a 35%-40% compounded annual growth rate, resulting in software comprising more than 50% of product revenue. We expect systems will decline in the high to mid-single digits on an annualized basis.
We expect low single-digit services growth as an increasing mix of our revenue comes from subscriptions, which have a higher weighting to product revenue. Considering these factors, we expect total revenue growth with a 6%-7% compounded annual growth rate over Horizon 2. Let us discuss margins. We expect a gross margin of approximately 85% in Horizon 2. We expect to see operating margin improvement during the course of Horizon 2 as a result of top-line growth and the benefits from the ongoing cost reduction initiatives François described earlier. For FY 2021, we expect operating margin between 31% and 32%. For FY 2022, we expect operating margin between 32% and 34%. As a result, we expect to drive double-digit EPS growth in Horizon 2.
We also expect to achieve our goal of the Rule of 40, where top-line growth and operating margin add to at least 40 during Horizon 2. Over the longer term, even as the law of large numbers starts to kick in on software growth, we see it continuing to grow more than 20%. We expect software will become more than 75% of product revenue. We expect we will continue to see high- to mid-single-digit decline in our annualized systems revenue. We expect low single-digit growth to flat services revenue due to the mix shift of our revenue from perpetual to subscriptions. The combination of these top-line components will yield total revenue growth in the range of 8%-9%. Shifting the margins, we would expect to see some benefits of our software transition and the scale of the Shape business, driving gross margins to the mid- to upper 80s.
We expect to maintain the Rule of 40 over the long term, with operating margins in the mid-30s contributing to double-digit non-GAAP EPS growth. We are also taking a balanced approach to capital deployment. As we have said throughout the day, F5 is at an exciting inflection point in our business. We have been in investment mode as we have been transforming F5 to be more software-driven. The success of our transformation and the resilience of our business in these uncertain times has put us in the position to accelerate the return of capital to shareholders. In FY 2021, we are committed to an accelerated share repurchase program of $500 million. Further, during FY 2022, we are committed to another $500 million in share repurchases. And beginning in FY 2023, we intend to return 50% of free cash flow to shareholders via share repurchases.
I want to take a second and really underscore this point. This transformation has exceeded our expectations, but these efforts, then coupled with a global pandemic, have created a bit of an uneven capital return program. With the confidence behind our momentum, as you have heard today, we are absolutely focused on delivering on these commitments. As we continue to execute on our transformation, we also expect to pursue targeted M&A to accelerate our Adaptive Applications vision and top-line momentum. A key tenet of our approach to acquisitions is to create operating leverage through F5 scale and infrastructure. We are mindful of maintaining our momentum here, and we would not consider any M&A that would negatively impact our Horizon 2 non-GAAP operating margin and EPS guidance. In summary, we are committed to sustainable double-digit EPS growth, and we are well positioned to achieve this objective in Horizon 2.
As I mentioned on our third quarter FY 2020 earnings call, we believe we hit the trough in operating margins and expect revenue to grow faster than non-GAAP operating expenses. The momentum we are delivering through our transformation plan will continue to accelerate this operating leverage over the longer term. We are committed to a balanced approach of returning cash generated from the business through share repurchases and future M&A. We believe there continues to be substantial value creation opportunity for our shareholders as we execute on the plan that we have shared with you today. When comparing ourselves to other high-growth application security and services companies, we are achieving scale at impressive revenue growth rates, in many cases faster than our peers, while maintaining top 10 percentile non-GAAP operating margins compared to the technology industry as a whole. We are going to move to the Q&A session shortly.
If you have not already submitted your questions in the Q&A window on your video player, now would be a great time to do so. Before we begin the Q&A session, however, I will turn the floor back to François for some closing thoughts. François?
Well, before we go to Q&A, I wanted to thank you again for spending time with us today. I want to leave you with four key reasons to invest in F5. First, we are positioned in front of a massive market opportunity, an addressable market of $28 billion, and within that market, we are the only multi-cloud player with the assets in security, delivery, and analytics. Second, we are at a company that has a software transformation that has reached an inflection point.
We are approaching more than 50% of our product revenue being software, and we have already transitioned the vast majority of our software business to be a subscription business. Third, we're about to deliver significant operating leverage, growing our revenue faster than our operating expenses because we made very deliberate investments in the past that are paying off in terms of operating leverage. And we're also positioned to deliver a very robust capital return program based on the resiliency of our business and the confidence we have in our generation of cash flows. And fourth, we have a team of exceptional quality that is passionate and determined and energized about this transformation and ready to deliver. And so F5 is really an attractive opportunity to invest in a company that's ready to deliver sustainable double-digit non-GAAP EPS growth starting now and for the years ahead.
With that, we'll go to Q&A. Thank you. Very good, so welcome to our Q&A session, which I will moderate here with Frank, and executives and presenters are available to answer questions as well, so we'll start with our first question, our first question today, and so your solution set has grown significantly. Who do you consider your primary competitors today? I'm going to take this question and ask Kara Sprague to answer the question, Kara.
Great, well, we're increasingly competing on a best-of-suite basis, and what I mean by that is that customers are seeking technology and solution providers that can address a broad range of needs in application delivery and security, providers that enable both traditional and modern applications, and also providers that span the core, edge, and client in order to support their multi-cloud, hybrid, and edge considerations.
And there's many players with technologies that address slivers of these customer needs. For example, the edge players with their application delivery and security technologies that don't reach into the cloud or the data center, or point players in security. There's very few players, however, that are well positioned to address the core customer pain points that François introduced in his opening, which is really fundamentally about the fragmentation of these application delivery and security technologies. And that's the operational and technical debt, the challenges of integrating and scaling the point solutions, the vulnerability to the increasing threat surface area and sophisticated attacks, and the lack of visibility. And so in summary, as our portfolio has grown, we are continuing to compete on a point basis with a growing variety of competitors.
For example, the traditional ADC vendors, the public cloud native and open-source players in modern apps, point providers in security, but with our best-in-class capabilities in most segments, we're well positioned to win many of those battles, and more importantly, we're very well positioned to win the war with our distinctive vision for Adaptive Applications and our best-of-suite capability, which is comprised of the assets we've built and acquired. Back to you, François.
Thank you, Kara. Excellent, and I would just add that even though we do look at competitors over time, what drives our actions is more the vision we have for Adaptive Applications and what we see in the transformation needs of our customers. And so our next question is: Frank outlined some of your M&A parameters. What are the holes in your portfolio that still need to be filled?
Okay, so I'll take that one. And look, we have assembled, as you probably saw today, the broadest set of application services for application security and application delivery. And our primary, our first priorities is to continue to invest organically in that portfolio. There are a ton of exciting things that we're doing in AI, in security, in modern applications, and even in traditional application delivery in multi-cloud that will continue to further this vision for Adaptive Applications. And that is our focus. Now, if we do pursue additional M&A, I want to reiterate the parameters that Frank gave. We would not contemplate anything that would negatively impact either our operating margin targets or EPS targets in Horizon 2 or negatively impact our ability to deliver on the capital return program that we've just committed to.
Okay, I'm going to a third question here. The targets are impressive, but given the crazy COVID numbers we are seeing, what are the underlying assumptions with regard to the macro environment? And I think, Frank, perhaps you can take that one.
Sure. Absolutely, François. So as we talked a little bit about in our earnings call three weeks ago, when we took a look at our Horizon 2 model that we were building and some of the specifics that we gave around FY 2021, we were not assuming really a material change in the macro environment that we are seeing today. We certainly have seen the spike in COVID cases, and we hope that that is quickly reduced by all the activities that have happened. But I think the only thing that would really take us off track is a global depression that is really not assisted with the same level of government aid that we saw in the March and April timeframe. But if it's the status quo that we've been living through for the last nine months, we feel good about the targets that we laid out today.
Thank you, Frank. And our next question is around our go-to-market. And the question is, are you selling to new customers or new persona, or are you primarily expanding within your installed base? And I'm going to ask Chad Whalen, our EVP of Worldwide Sales, to take a first crack at this question. Chad?
Yeah, super. Thank you, François. We're doing both. We're selling to new customers and expanding our customer base. However, we also are advantaged by having a significant position of incumbency. We have the better part of 18,000 customers that are existing customers within our customer suite today. And so we've been able to expand those relationships to new buying personas within those customers as well. In the time of COVID, incumbency has proven to be a very significant differentiator for us and one that we've gained a lot of leverage on. So short answer to that, François, is both leveraging new buyers and existing customers and also securing new customers with new applications.
Excellent, Chad. And I want to remind, we have over 18,000 customers at F5 that are buying our solutions. So there's a large opportunity to grow our business within our existing customer base and, of course, going into new buyers as the portfolio develops. All right, the next question are, what are the main drivers or data points that give you confidence that the rate of hardware revenue decline will slow?
So I'll take that question. So what we've seen over time is persistent demand for hardware, both in a number of geographies and in a number of use cases. So a number of geographies, especially internationally, we're seeing actually hardware demand grow in a number of emerging markets. But we're also seeing a number of use cases across the globe, including the U.S., that drive demand for hardware. And that's the case in security in particular. And as more and more of the mix of our hardware business has become security, we're seeing the hardware decline moderate because our hardware security business is actually not declining. So that's why we see the confidence in the moderation of the rates of declining hardware.
You saw that in the second half of 2019 and 2020, we were in the double digit. In our last quarter, we were in the high single digit, and we expect that trend to continue and moderate even further in our Horizon 2. Okay, so the next question is, why announce a large share buyback now? You had recently been committed to rebuilding the balance sheet and M&A. What changed? Frank, do you want to start with that one?
Absolutely, François. Thank you. So as I talked about a short while ago in my presentation, we have seen great success in the resiliency in the business and the ability for us to continue to generate a significant amount of cash through this COVID time.
And so we have been really, really excited about rebuilding the balance sheet to where we have gotten to, which is fairly close to where we were when we actually did our first acquisition of NGINX. And so with $1.3 billion of cash, $900 million net of debt on our balance sheet, we feel like it's the right time and we've got the right balance between our share return as well as any opportunities in the future for M&A. And this is the right time for us to drive an accelerated share repurchase of $500 million for this year, another $500 million in FY 2022, and ongoing 50% of our free cash flow from FY 2023 and beyond.
Thank you, Frank. And we've got our next question here, which is, what progress have you made with your strategy to monetize NGINX in a more scalable fashion? Gus Robertson, I'm going to ask you to answer that question.
Thanks, François. Appreciate it. Yeah, we're making very good progress with the integration with NGINX. And I'll give you maybe three ways of looking at that. Firstly, around sales alignment, the two data points that I shared around 57% increase in deal size and 23% growth in customer base, I think shows that we're getting very solid integration with the F5 sales organization. Secondly, the additional engineering resource that we were afforded as part of the acquisition has enabled us to bring NGINX Controller to market in January of 2020 and to go after both the ADC use case and the API management use case with Controller, which has been a substantial product release.
And then finally, through the integration and collaboration efforts with F5 security, we've been able to bring App Protect to market, which brings security closer to the developers and closer to the code. So in all three of those areas, I think they exemplify the progress that we've made with the integration of NGINX. Back to you, François.
Thank you so much, Gus. And you pointed to that, but I do want to reiterate it because it's an important deliberate choice that we made at the time of the integration that we decided to continue to double down and invest in the NGINX platform and increase the engineering resources on the NGINX platform so that we could bring these new solutions to market.
And so if you look at the solution sets that are now monetizable from the NGINX platform into our customer base, it's much greater than it was 18 months ago. And that will accelerate the revenue growth that we're seeing with NGINX. All right, our next question is, you referenced cost efficiencies in your sales and marketing, but it has been growing significantly faster than revenue. Do you expect that trend to reverse in the next few years? So I'll take that question. And the simple answer is yes, we do. We do expect that trend to reverse. As I shared in my presentation, we made some deliberate investments in the go-to-market for Shape and NGINX in the early days of us coming together. But we are seeing operating leverage from that, and not just in sales and marketing, but across the board.
We're seeing revenue expand rapidly, and we don't have to grow the OpEx linearly with the expansion in revenue, and so we definitely expect our sales and marketing expense to grow less fast than our overall revenue, and in fact, we expect overall OpEx to grow less fast than our overall revenue and for us to gain the leverage that we've talked about. The next question is this: we appreciate the disclosure on the software today. Why not take a more aggressive position with a sales organization and move to software-only quotas? Chad, do you want to answer that one?
Sure, sure. Thank you, François. We have taken a very aggressive position with our sellers in this transformation over the last number of years as we've readied ourselves to change the composition of selling software. Today, it is a significant component of the overall selling requirement within their compensation plan. As you know, we have a very vast portfolio, and we have to make sure that we have balance in that portfolio. We believe the compensation plan that we have today is incenting the behavior and driving the outcome that obviously we're seeing and talking about today. So that's how we're addressing the software-only comp plan.
And Chad, one of the big changes Chad has made in the organization is incenting our sales team to sell subscriptions. And you've seen from Frank's presentation how successful this has been with our software subscription growing 120% CAGR over the last three years. And those were part of the early investments we made in our transformation to software that I mentioned during my presentation, part of the annualized $230 million of investments that we made. Some of that was to retool our incentives and our systems to make sure that we would aggressively move to a subscription model. And that has been very successful, and we continue to incent that in our compensation plans today. So the next question is, who will you compete with in the application insights market? And I'm going to ask Tom Fountain to address that question.
Sure, François, happy to. And thank you for the question. I think the starting point here is recognizing that we don't compete exclusively in the App Insights space. I think what we've managed to do is assemble the elements to compete in a much more comprehensive set of solutions for customers that are looking to understand how their applications are behaving. We have a unique position in the flow of traffic that allows us to learn information about those applications.
And because of where we sit, we're also then able to affect change on those applications. That gives us the ability then to really realize this Adaptive Applications vision that we've set out to achieve. It allows applications to be protected. It allows applications to scale up or scale down as appropriate. And the intent here is really to use sort of this richness of telemetry information to solve a very wide range of customer challenges around how applications behave in their environment. François, I'll hand it back to you.
Thank you, Tom. Excellent. We've got a next question on our competitive position here around cloud-native enterprises. The question is, I understand the multi-cloud value proposition, but who do you compete with for cloud-native enterprises, and do you win head-to-head? And I'm going to ask perhaps Gus and/or Kara to take that question.
Yeah, absolutely. Thanks, François. So much of NGINX Open Source and our commercial product, NGINX Plus, is run on the cloud. And many of our customers are architecting applications on the cloud. In some cases, they leverage the cloud-native capabilities in addition to NGINX because they want to have more fine-grained control over the application, and NGINX Plus delivers that capability. So we see most of our customers actually leveraging a combination of both cloud-native as an entry point into the architecture in the cloud while using NGINX more for distributed traffic within the application. So they work quite well together and are quite complementary. That being said, we do go head-to-head on occasion. And it comes down to whether the customer is looking more for leveraging the cloud-native capabilities or wanting more of that fine-grained control that we offer in N GINX Plus.
Thank you, Gus. All right, the next question is on visibility into a software subscription. You talked about high visibility into revenue and revenue growth from the increase in subscription mix of revenues. Given the predictability offered by subscriptions, how should we think about the reason that a dividend does or does not make sense as part of the broader capital allocation plan? And Frank is going to ask you to respond to that.
Sure, thanks so much, François. We're not opposed to a dividend. We just think that for us, there is a much more efficient way of returning capital to shareholders, which is the share repurchases that we outlined in my presentation. And so that's why we're returning the level of capital that we are both this year and next, and then the ongoing 50% of free cash flow through share repurchases and not dividend, because we feel like it's a much more tax-efficient way for all of our shareholders to participate in that capital return.
Thank you, Frank. We're going back in the next question to Shape and NGINX. It seems you are done with most of the integrations of Shape and NGINX. What areas of investments are needed to help support the software growth?
Well, the first thing, in terms of dollars, if you refer back to my presentation, you'll see that what we foresee over the next several years is that the investments that are required above our run rate are actually relatively small overall in terms of driving the growth, the guidance that we've given on our growth in Horizon 2 and beyond. But if you look specifically inside of that envelope around where in which areas do we intend to continue to invest? As I mentioned before, in the NGINX platform, we will continue to mature and enhance the sets of services that are monetizable, things like API Gateway, the maturity of our NGINX Controller to cover a number of use cases, new areas like service mesh that are going to be increasingly important inside of Kubernetes clusters. So all of these are areas of potential growth and investment.
We will also invest in making more and more of these propositions available as a service, as opposed to packaged software subscription, and in the case of Shape, we see significant opportunity in developing the analytics products that both Shuman and Sumit have talked about that actually help our customers get more value from their applications, not just secure the applications, but enhance the revenue that they're getting from their applications, and so these are vectors of investments that will support our software growth, but at the same time, we have made substantial investments in the BIG-IP franchise that will support our software growth and will continue to invest into that franchise to support the software and subscription growth,
so the next question is about, I think, more disclosures in our guidance. Will you be guiding to, or at least reporting software and security going forward? François, do you want to?
Sure, François. Yeah, so we intend to continue to report our software revenue on an ongoing quarterly basis, split out the subscription piece that continues to be growing incredibly nicely, as well as our recurring revenue. For the security revenue, we plan on reporting on an annual basis the standalone security revenue and the growth rates associated with that.
Thank you, Frank. The next question relates to public cloud providers, and the question is, can you provide an update on your AWS relationship and your relationships with other cloud providers? Chad, do you want to start with that one?
Sure, thank you, François. As I mentioned in my presentation, public cloud has been a strategic tenet of our software transformation and our go-to-market, mainly because it's a core tenet in multi-cloud deployment scenarios, which is a core underpinning of what we do.
As it relates to AWS, we have a very strong relationship with AWS. And in fact, just earlier this fall, we announced our first Build With offer with AWS with EAP. And so you'll see that we've done deep work on the integration side, as well as very strategic go-to-market programs like with the SCA, which is a very strategic program with them. And it's not just AWS. We do the same thing with Azure, and we're having a relationship with GCP as well. Those are really the three public clouds that we spent an incredible amount of time on: the deep integrations of our technologies, unified go-to-markets, and then increasingly on Build With offers. François, back to you.
Excellent. Thank you, Chad. And I think the next question, Chad, is coming to you and/or Mika as well. Given the growing complexity of the multi-cloud architectures with multiple point vendors plus next-generation CDNs and public cloud offering, how has your go-to-market approach changed to capture share in some of the newer opportunities? Go ahead, Mika.
We've focused a lot more on targeting customers digitally, and so the capture of our customers and engagement of our customers, especially in the time of COVID when we have gone to the virtual environment everywhere, the digital engagement of our customers has been paramount, and we've leveraged, as I said in my presentation, data to determine which customers we're going to focus on in that way.
Thank you, Mika, and the next question is related to competition with CDN players. As applications become points in the cloud and domain-to-domain traffic protection becomes critical, do you increasingly compete from a cloud? And if so, does that put you up against Cloudflare and Fastly and Akamai? Kara, do you want to start with this question?
Yeah, I'll start with that. We're increasingly seeing applications not become points, but rather, as François shared in his opening, applications are this composition across a number of different pieces of logic that can sit anywhere from a data center to a public cloud to an edge. We are seeing some competition with the edge players because they do offer some of their own native application services or application delivery and security services. However, we believe that in the future, the edge is not going to be based on static content, for example, what you see with CDNs today, but much more about being an intelligent edge.
And so we're expecting that customers are going to opt to build on top of an edge that's provided more by the likes of the Amazons, the Googles, or Microsofts, and something that integrates really well with their core rather than building on a new platform from a third party. And so in that context, we will be providing solutions and technologies that span all of these different environments from the core to the edge to the client because that's what customers are looking for their multi-cloud, hybrid cloud, and edge needs.
Perfect. Thank you, Kara. The next question relates to guidance. Is your guidance based on what you have in-house today, or do you need to buy something to achieve your Horizon 2 or long-term outlooks? I think there's a short answer to that question: our guidance is entirely based on the portfolio that we have in-house today.
Let's see. I'm waiting for the next question to come through here. Wow. And I think François, that one is probably for you or I. Is your focus on capital returns a capitulation that you will remain a single-digit top-line grower? I can start, François, if you want. Absolutely, go. So the answer is absolutely not. You saw from our guidance that we see our top-line accelerating, the 6%-7% in Horizon 2, and we have long-term targets of high single-digit growth. And the capital return program that we have announced today, we have very strong cash flows, as Frank shared. We feel we are at an inflection point where we are seeing our operating margins expand, our top-line growth accelerate, and we've seen the resiliency in our business through the COVID period. So we feel very confident about our capital return programs.
And over the long term, even with 50% of our free cash flows in capital returns, we still have flexibility, if we chose so, to do so to pursue strategic M&A. But we feel very good about the organic growth with the portfolio of assets that we have today. So we don't see ourselves as a mid-single-digit grower, as per the question. We see ourselves as accelerating our top-line growth with our portfolio. All right, so the next question is around application insights. And it says, what investments, organic or inorganic, do you need to still make to win in the application insights market? And Tom, I'm going to ask you if you can start with the answer to that question.
Sure. So I think the starting point for us around realizing the Adaptive Applications vision was really the Shape acquisition.
I think there were many elements that were attractive to us about the Shape business. Certainly, it solves a very compelling set of customer challenges around anti-bot and anti-fraud. But I think one of the pieces that we came to appreciate very quickly was that they have an analytics platform that can be applied to a number of other opportunities in the market. And as Shuman sort of described, the work that's now underway organically is to leverage the Shape technologies to solve a number of these other challenges. And I would point to offerings such as Beacon that we've launched over the last year as a great example of using the telemetry and the place we sit in the network together with some of these analytics capabilities in order to create new value and new offerings for customers.
Perfect, Tom. Thank you. And I'm now going to move to what will be our last question. If the recent top-line strength proves to be a false start or otherwise temporary, how will you maintain EPS growth? Frank, do you want to take that one?
Sure. Absolutely. So look, we've got three levers for our EPS growth, and our focus is to achieve and sustain double-digit EPS growth from this point forward. The first is the top-line revenue growth, and we do expect to achieve those targets. If we don't achieve those targets, then we'll get there through a combination of the two other levers, which is expanding our operating margins and using the capital that we've got on our balance sheet through share repurchases. And so that's our commitment to you, and that's what we intend to do.
Thank you, Frank. That's very clear. Now, I want to thank again our audience for being with us today. We're really excited about what's ahead for F5, and we hope you've enjoyed the sessions and the presentations today. Thank you so much for joining.