Good morning and good afternoon, everyone. I'm Peter Salkowski, Fortinet's Vice President of Investor Relations. I'd like to welcome everyone to Fortinet's 2022 Analyst and Investor Day. Before we begin, a few housekeeping items. For those of you attending virtually, if you wanna ask a question, you have two options. You can type a question into the video application that you're using right now to see this, and we will read them. Alternatively, if that doesn't work for you can email me. My email address should be on the screen, so I don't have to read it. For those of you who are in the room, please wait for a microphone to ask a question. Aaron and I will walk around and provide that so we can get the questions onto the webcast.
This is a live video presentation that will be available for replay on the Investor Events section of our website. The Analyst Day slide presentations, as well as the transcript, will be posted on the Investor Day website as well later today. Now for today's agenda. Our presenters today are John Maddison, Chief Marketing Officer and Executive Vice President of Product and Solutions, and Keith Jensen, our Chief Financial Officer. John will start off by doing a deep dive into Fortinet's core platform and platform extension products. While John has a ton of great information to share, he'd like to make the presentation interactive. As John's speaking, he's going to ask the audience if you have any questions, and so feel free to do so. If you have one in the room, please raise your hand.
If you have one, online, type it into the application. We're gonna give John a little bit of time, probably an hour, maybe a little bit longer, as he tends to have a lot of information to share, and I think it's really good stuff. So we'll go with that. After that, Keith will be following John, doing a financial overview of our consistent financial performance for the last several years, and then update our medium-term model. Keith's presentation will be followed by a Q&A session where Keith will be joined by Ken, Patrice, and again, John. Before we begin, the all-important safe harbor slide.
I'd like to remind everyone, during today's Analyst Day, that we will be making forward-looking statements and that these forward-looking statements are subject to risks and uncertainties which could cause actual results to differ materially from those projected. Please refer to our SEC filings, and particularly the risk factors in our most recent 10-K and form 10-Q, for more information. All forward-looking statements reflect our opinion only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. With that, I will turn it over to John. One thing about the room, if you do get up and walk around, please be careful. People have things plugged into things on the floor, and they may trip you. Thank you. Alright, John.
Thank you, Peter. Now, as Peter said, please don't be shy about asking questions as we go along. So what I thought I'd do is just go through our product portfolio by platform, core platform and platform extension, and then dig into a bit of detail about what products are in those solution sets and then what's our vision within that strategy set. I thought I'd start off, though, by just I know we saw a lot of TAMs today by just looking at two pieces of the TAM. We talked about this $200 billion by, was it 2025 or 2026 somewhere in there? One part of that was the network security, and that's about, right now, $80 billion.
When you look at this marketplace, it's very conservative and there's not a huge amount of vendors. You can probably name, I don't know, the top 10, and that would be it, I think, after that for networking. It's somewhat, I wouldn't say commoditized, but what it's been focused on over the last 20 years is just getting faster. We've just got faster switches and faster access points, and Wi-Fi 7 is in there in two years' time. A lot of it, all these vendors can work together. An Ethernet switch works with another Ethernet switch, and so it's easy to interchange vendors in that environment.
I would say the biggest innovation that's come in this marketplace in the last three or four years is SD-WAN, where it's started to look at being a bit smarter. As Ken says, a lot of networking gear has no clue about the application. It has no clue about the content. It has no clue about the user, where the user is, and everything else. As SD-WAN came along and said, "Well, let me start guiding or routing based on application versus some static or dynamic IP address." You can see what happened pretty quickly over the last three or four years, it's just eaten into that router marketplace. In fact, the traditional enterprise router marketplace is shrinking, and it's all going into that SD-WAN marketplace there.
I do think the biggest piece of innovation coming, which a lot of these vendors have tried in the last two years, you've heard about software-defined networks and those sort of things, but I think the AIOps, which gets you to that point where it's operationally more efficient, is the next innovation center inside here. The other piece is start to embed more security in the networking devices so that my ports can apply micro-segmentation, so that my ports can apply security, so my access points can apply security. We think SD-WAN's just kind of the start of making networking smarter, more secure, and I think as we go forward and can have the graph of the ratio of networking versus network security, you can see network security becoming a larger portion, almost 30% now.
We just think that will continue going forward. Yes, maybe you can look at this marketplace and say it's somewhat commodity and slow moving in some ways, but we think there's a lot of opportunity to disrupt this marketplace through putting security into networking gear. There's not any ASICs inside this control. It's very slow. Was there a question there? No. Yeah. There we go. Then the other marketplace is cybersecurity, and you can see how fragmented it is. Even within those fragmented segments, there's sometimes hundreds of vendors doing different things. There's no standards to interoperate. There's no standard to share policy. There's no standards to interoperate.
If you look at the marketplace, there's different tools at endpoint and all over the kind of infrastructure, a bit faster-growing in certain segments, but certain segments are becoming very static. This marketplace, we feel, is ripe for consolidation, and it's a bit different from convergence, is consolidation of multiple vendors. Consolidation to us is not saying there's three products here, we get rid of three products. It is, there's three vendors here, let's go to one vendor for those three things. That's what we've talked about in the keynotes around, the mesh and platform fabric, and being able to kind of build that capability. Just about every customer I speak to, or every CISO, has that goal to get to automation. Okay, I think Keith has this. Keith will cover this slide as well.
I think it's we used to talk about things in this FortiGate and non-FortiGate world. We didn't modify it, but we just now talk about it in terms of what we call our core platform, which is FortiOS, as you heard today, which includes hardware and some virtual machine, but really FortiOS is the core there. Our platform extension. When we extend that FortiOS so that it can talk to networking devices like switches and Wi-Fi, when it can implement a zero-trust network architecture, which requires endpoint and policy engines and ZTNA and proxy enforcement capabilities, when it can talk to the cloud capabilities. I talked a bit about a new announcement there coming in a couple of months' time around cloud native.
Of course, when it can provide all that intelligence back into the SOC and the security operations. Going forward, we'll talk about it as platform, core platform, and platform extension. Let us kick off the first component of the core platform, which of course is network security. The TAM here for 2025 is about $20 billion. It includes, of course, the biggest part of that is network firewall. I call it network firewall, that includes stateful firewall and next-gen firewall. It also includes a kind of shrinking IPS marketplace. I think in the next three years, that'll all be assumed by the next-gen firewall. It includes secure web gateway, which is getting some different names as we go forward, as some of that makes its way into the cloud.
It includes network performance monitoring, which is a smaller marketplace. This is the key network security marketplaces. From our perspective, what we're really focused on now and going forward is making sure that we can deploy our FortiOS, which is the core of network security, the core platform, at any edge. These edges are formed around the WAN edge, around the LAN edge, especially OT edge, 5G edge, cloud edge, data center edge, it goes on, the edge is everywhere. Our key capability is being able to deploy that networking functionality, so the WAN edge is SD-WAN. You need best-of-breed SD-WAN functionality deployed there. Being able to apply security in any places.
Being able to apply that security at the WAN edge, LAN edge, or cloud edge, and maybe you apply different security in different places, and then being able to manage all of that from a single console. One of the hardest things when you're trying to build a platform, and the networking vendors have found this out, is if it's okay writing big checks for a lot of different companies, then building a single policy console across all those disparate acquisitions is impossible. It's absolutely impossible. Having a single console that can provide policy for your WAN edge, LAN edge, cloud edge, 5G edge, can only be done organically. That's why it's taken us a bit of time. We're still not there. It's still a journey for us in some ways, but we have a much better shot at doing it.
As we go forward, we'll start adding in some of that AIOps, so that we can measure that experience, digital experience from devices and users all the way through the LAN, into the WAN, into the cloud, measure that and feed that back in to our AIOps engine, and then provide initially, we're providing some information of what the performance is and maybe there's a problem here and there, long-term providing some ability to self-correct issues that are happening. We believe that you can't just do that if you're just in the cloud or you're just on-premise at endpoints or you're just in the network. You have to be able to see everything end-to-end, and you have to be able to provide control in the network, at the endpoint, in the LAN, in the cloud, et cetera, to change that experience.
'Cause if it's outside of your realm, your domain, you can't do anything about it. If you have all those pieces, then you can do something about it, but first of all, you need to know. Our goal, our vision as we roll forward in network security, as we said today, is to be able to deploy our FortiOS as an appliance, as a VM, as a container, delivered by us as a cloud, but long-term manage that from a single console and be able to provide the AIOps across everything, because the operational capability and the digital experience is going to be really important to the CIO as you go forward. This is the portfolio. Each one of these, we call them pillars inside Fortinet. We have a portfolio slide. Inside here is obviously our FortiGate and our FortiOS.
We also have our FortiProxy and FortiSASE Web Gateway, also our digital experience monitoring, and of course, our FortiGuard powered security. This is pretty impressive numbers for this marketplace. You know, Keith talked about the number of customers we add per quarter, per year. Over 565,000 customers, 5,000-7,000 per quarter. We're getting towards 40% of the marketplace. We think as the supply chain issues persist, we can get more market penetration beyond that. One of the key things going forward are those security services, and we definitely think there's an opportunity there to add more service components to each of those edges. We continue to add new capabilities. I think the inline sandboxing is one of the new ones we've introduced recently.
Definitely a lot of customers wanna make sure they've got the most appropriate FortiGuard or security stack that they can apply to each of those edges. Of course, our services are recurring revenues applied to that footprint. All right. Let me stop there to see if I've got a question.
Hamza Fodderwala from Morgan Stanley. Thank you so much for your time. I wanted to go back to an earlier slide where you talked a lot about consolidation. I feel like, you know, a lot of us have been hearing about security consolidation for a number of years. I'm just curious, what do you think has changed in the last couple of years, particularly post-COVID, where enterprises are finally starting to address some of the technical debt that they have from having all these various point solutions?
Yeah. Good question. I do think sometimes. You know, I speak to quite a few customers each week. Sometimes we get carried away with the huge customers who are still probably gonna be a bit of a siloed environment. There's some financial companies who still have 100 security vendors. That's just the way they're gonna be. There are this huge amount of enterprises and commercial and mid-market customers who just can't cope with 30, 40 different security vendors. They can't. They have got a plan in place. They're putting plans in place to consolidate, and it's a bit of a trade-off between a point solution. That's why our functionality can have the Magic Quadrants for WAN and for network firewall and for wireless LAN.
It's important for us to not only have that platform functionality, but also be almost best of breed as a product as well. If your functionality is too far off, the customer won't accept it. There's too much of a trade-off between the platform and the functionality. Your functionality needs to be good enough, maybe 80/20 rule, to get that platform benefits. I think what's happened, especially for us over the years, is some of those products that weren't core are starting to get to a point where they've got good enough functionality, and then it's an easy choice for customers after that. I want a platform, for sure. If we just focus in on the very large customers, I still think they've got a way to go before they decide on platform.
I mean, I'll see some pieces like IPS systems, for example, they still got separate IPS systems sitting in their data centers. That will change one day, but seems like it should have changed a while ago. Oh.
Thank you. Michael Turits, KeyBanc. Great to see you again. You talked a minute ago about visibility and control across cloud and on-prem, and we just saw a great demo at the end of the keynote of an interface that I don't know if it was the FortiCloud or what the interface was or SOC as a service, but clearly, you're moving this direction that they were calling service mesh, security service mesh architecture, and it sounds a lot like what people are doing in XDR. What specifically is the roadmap for building out the data, whether it's in a data lake or some other fashion, and then exerting that visibility and control over it?
Yeah. You know, what Robert was showing was FortiOS and our FortiManager. That has the ability to see everything like the fabric. On our fabric topology map, you can see all the firewalls, you can see all the endpoints, you can see SD-WAN, you can now see zero trust 'cause it's sitting inside there. That's that capability. I will say, though, that I think I had a slide that showed you, we probably have two or three consoles today for some of that functionality. Like, you know, some of the SASE stuff can be managed in FortiSASE, but we also have built a cloudified FortiSASE portal as well. That is probably.
As I said before, that is the hardest thing to do. When you're building a platform across networking and cybersecurity across LAN and WAN and cloud and everything else, you've gotta get all that functionality in that single console. Right now it's our FortiManager. We have a console that does some of the SaaS stuff. We also have a console that does some of the zero trust. I think we're gonna speak a bit further out here. As we go forward, you'll see some of those things that come together, either as FortiManager or as some sort of cloud portal as well. But that's always the hardest thing to do is to get the consoles in sync with the functionality and the products.
You pick. Hang on. Who you gonna pick? You're making me come all the way over here.
Oh, I don't know. Am I deciding who the answer
Yeah.
Oh, sorry.
I thought you were.
That's all right. It's appropriate. Brian Essex from Goldman Sachs. I appreciate it, and thank you for doing this. Follow-up on the visibility and control point. You know, when you're talking to enterprise, I guess when you're talking to clients, where are you seeing that come up the most? Is that primarily large enterprise clients, and is that a determining factor in terms of them choosing more of a secure networking solution as opposed to secure web gateway solution with regard to the amount of visibility and control? What are they looking for when they're comparing, you know, like, you know, your platform as opposed to like a secure gateway solution?
Yeah. I think they're still a bit broken. If I go back to the beginning of this, there was networking and network security and zero trust access, and they're still broken into those, what I call buying centers to a certain degree. Even SD-WAN, where everyone's said that secure SD-WAN is compulsory really considering you're opening up your network, there's still a networking team making those decisions. Then the CISO will come along and say, "Well, we need to add security components here, either it's on the SD-WAN device or it's in the cloud." There's still a bit of siloed thinking going on, even within networking, definitely between networking and security. Everyone I speak to, and I speak to quite a few customers each week, absolutely believe they can't carry on.
Who's working?
Just keep adding more and more different vendors and different companies. There needs to be some consolidation, some convergence. As I said, the larger customers are gonna have a harder time getting there, given some of these organizations of 50,000 people in IT, it's just hard to make the move. Definitely, the enterprises and commercials are starting to say, "Well, I'll take this vendor to do maybe three things, not just the one thing." It's easy for me. A really good example for us is SD-WAN, where they say, "Well, I'm coming up for the renewal of my Wi-Fi in my retail branch and my switching.
I could go and get a different vendor, I could stay with the same vendor, or I could add Fortinet. As the view you saw from Robert today, I can see all my switching, I can see all my APs, my SD-WAN, all my security in one view and manage it that way. That was just one use case. There was the work from anywhere as a use case, the cloud will be a use case going forward, the zero trust edge will be a use case. I think customers will look at use cases and decide, let's see if I can get to a platform approach within those use cases.
On that note, John, I'm gonna let you decide whether or not you wanna keep going for a little bit, or this audience will keep us on Q&A for the next hour and a half. Your call.
That's okay. We have another question.
Okay. All right.
That was my last slide, I think, wasn't it?
Oh, yeah. Yeah, you're on 13. I won't tell you how long it is 'cause I know.
Fatima Boolani from Citi. Thanks so much, John. Actually just on this slide, I think with the benefit of hindsight, if you look at the middle shipment chart, you know, notwithstanding the fact that you joined Fortinet in 2012, and that's when your shipments started going up, but maybe-
Everything got better after 2012, to be honest. Every single thing.
With the benefit of hindsight, what are maybe the three things that have transpired between now and then to have your shipment volumes really materially hit escape velocity? As a related question, that flies directly in the face of what we would consider to be opposite of cloud adoption, right? 'Cause your principal form factor is a hardware appliance. How do you explain that dichotomy with your shipment volumes going up into the right that way?
Yeah. We've had that question. We've got that question for the last five years and we're still doing pretty well. You know, as I kept saying that yes, there's gonna be some movement of applications from the data center into the cloud, and that means maybe you need less of some core firewalling or some IPS devices there. But there's other markets which have come and taken off. SD-WAN's a really good example.
We have to.
Where it's
Break so they can switch.
Replacing all the routers around the world in branches and also in campus environments. We've also seen the need to do OT security, and hopefully you've gone and seen our demo of our OT security when we need to put firewalls and that, those sort of capabilities inside the OT environment. Yeah, there's been a bit of shift in business, but we always thought and we knew that there's other markets which are expanding and opening up. It's, yeah, some has gone to the cloud and definitely we've got a thriving virtual firewall business. I think that will turn to cloud native eventually. And then definitely some of the secure web gateway business has moved into cloud delivered, and we definitely wanna be part of that going forward.
I jus`t think markets kinda move and the security always follows where the application is eventually. One more question here.
Second.
I'll let you. You're closest. You wave.
Thank you. Shaul Eyal with Cowen. John, looking at this 565,000 firewall customers and adding about 20-28 ,000 new customers a year. Can you maybe talk to us about maybe the blend of the customers? How are you thinking about it? Small customers, mid customers, large customers, and maybe what is it that you've been seeing over the course of the past few years?
Yeah. Well, I think Keith had the slide on the breakdown. It's pretty equal between SMB, enterprise, large enterprise, and service provider. They're about 25% each probably between those. Of course, the volumes are different between those sort of customers. There could be a large enterprise that's got 10,000 sites, or it could be a large customer that's building out data centers. The mix of the product changes, obviously with the size of the customer, but it's pretty equal between those customers. We've always been a company that's served both SMB, commercial, enterprise, and service provider. If you look at our product sets, they have to scale across those things.
Just a follow-up on that.
Sorry.
Thanks. Just to follow up on that. Is the mix in that part, you know, the network firewall customers different to the mix, the overall mix that you talked about in that slide? I mean, 'cause maybe you can imagine that a very small new business is purely operating on the cloud, and therefore their needs are different.
Yeah, it's a good question. Probably, but it also depends on the product. We know we have a broad set of products. Some are more mature, leading in Gartner Magic Quadrant, some are incubation, have just come out. You know, an enterprise customer is not gonna probably take an incubation product. If you've got somebody who just wants to have cloud, and that's it, then definitely our cloud portfolio. But even a cloud-only customer still has a campus, still has a branch office, still has a network.
I, you know, I think as I move to the next section, I think what's important to us is that, you know, a lot of people are talking, and this is the first component of the platform extension, and I do hear some vendors talking about the, you know, the network's kind of irrelevant, don't worry about the network. It's just, we've just got our cloud here and just, you know, find a good connection and an agent, and we're away. Don't worry about anything else. I, we think nothing could be further from the truth. That unless you can have that digital experience and measure that network and make sure that network's up full-time, and make sure that you can provide that connectivity to devices as well as users, you just can't ignore the network. It's so important going forward.
You know, the part of our extension is the network security. This marketplace, as I talked about it before, is pretty mature. 25%, it's still a $66 billion marketplace. In fact, in 2021, some of the core components of it, switching and access points, started growing again, if you noticed. This also includes unified communications, which these days is not just phone systems, it's Zoom and all those sort of things. The core components are definitely wireless switching, and the highest growth is SD-WAN.
You know, what we're trying to do here is from an SD-WAN perspective, and I think I had this slide up there earlier, is that we've really focused on the left-hand side so far, building that SD-WAN component and making sure that SD-WAN based on our SOC4 chip, and as Ken suggested today, we'll continue evolving those chips out. That was our first SD-WAN chip. We've done really well in building that out for the SD-WAN functionality, as well as we go forward, customers are starting to add some security on there, as well as zero trust going forward. As I also mentioned, a lot of our customers are saying, "Well, why not, why don't I have an SD-Branch?" Which includes 5G and switching and almost campus as well. On the right-hand side is what we've been working on.
You saw a couple of acquisitions over the last 12-18 months, which gives us that capability in the cloud as well. This is FortiOS on the left-hand side, sits in our appliance, on the right-hand side, sits in the cloud. Capabilities there, we think we focused on the secure web gateway, CASB, and zero trust. We do think that marketplace is more focused on remote access initially and maybe thin edge from 5G, but we do believe those two things need to work together. There's an intersection between those, and I think Robert talked a bit about that you need this single console and the ability to manage between your SD-WAN network, and if you wanna call it SASE network. I don't like that terminology, but, that's the important thing going forward.
Again, some vendors think it can just be a cloud, and that's all there is. We definitely think you need both that on-premise capability and networking to provide a digital experience as well as a cloud component. On the pure networking side, so that's SD-WAN, on the pure networking side, and I don't think this is well understood by a lot of people, is our goal is not to be a networking vendor and provide fast switches and fast APs. Our goal is to provide secure networking equipment where we can apply security to any switch port. If you go into one of our management console today, a FortiGate console, you can see all the switches inside there. You can configure the ports to have security. You can configure micro-segmentation across those ports.
The same on the AP side. Our goal over the last, you know, since we started the switching and wireless business, is to keep building that security capability inside there at greater speeds and greater capability, and then again, evolve that to what we think the next generation capabilities are around AIOps. Yes, we have a, you know, a networking business, but in our minds, it's a secure networking business, not just a pure networking business. It's not that often that someone comes to us and said, "Oh, I just want your switch." They want a secure switch. I'll come to your question in a sec. Here's the capabilities of our, like, enterprise networking portfolio, which includes access points, switches, NAC.
You know, I talked a bit about the Linksys homework, our FortiVoice, our SD-WAN, and our 5G, which round off the complete portfolio. Question?
Over here.
Hey, John. I'm Darren Aftahi with PRIMECAP. I wanted to kind of follow up on this topic, but also related to what Fatima was asking, right? Because when we look across this space, you know, you look at the people who are networking vendors, who are leading vendors in this space, and they're growing, you know, maybe single digits, right? And you guys have had a very consistent trajectory of growth, and honestly, you know, some of your best numbers since you IPO'd have been in the last few quarters, right? And product is leading the way there with a lot of hardware sales and things. I'd love to just get a little bit more color on kind of what you think is really motivating that.
You know, when you have people who maybe already have, you know, networking gear because they need it, are they adding in security in places where it didn't exist before, branch offices or things like that? Are they, you know, adding your devices in place of some of the networking because they get all these additional capabilities on top of it? What, you know, what other things are motivating those customers, that's driving that kind of growth for you guys when, you know, a traditional networking vendor is not seeing that kind of, you know, new hardware adoption?
Yeah. There's a few factors. There's also. If you look at the network firewall marketplace, I think long term, there's probably only two vendors in that marketplace. I've seen some of the traditional networking vendors fall so far behind, and some of their platforms are 10-15 years old. At some point, the customer goes, "Enough is enough. I've got to upgrade." I see some kind of taking market share from traditional marketplaces. We've seen a lot of SD-WAN implementations where they wanna put security on there. As I said before, I'm starting to see a lot of OT environments because the problem with OT is, during the pandemic, they had to open up for remote access. I've spoken to several manufacturing customers where they got infected through their supply chain.
One manufacturing customer had 3,000 suppliers that come straight into the network and update their machinery, and they got infected twice through those vendors. That's a big new marketplace as well. Yes, as I said before, there's some traditional marketplaces, like some maybe core data center that's moved, but there's so much more new opportunity. I do think that, you know, having that built-in security at high performance puts us at such an advantage over a traditional networking vendor or a security vendor. Most of the ninety-nine percent of security vendors are software. They don't make any of their own hardware. Even those that claim they've got ASICs inside there don't have their own ASICs inside there. They're just off-the-shelf stuff. I think that's where we're winning in both the networking and network security marketplaces.
Okay. One quick comment for those of you that know that the video wasn't working, it should be working now. For those of you who just got in and missed my presentation, there will be a replay. We'll have the first 30 minutes of this as part of the replay. I apologize for you not being able to get in. It will be.
That was my best piece, Peter, though.
No, you're gonna. Well, you're still gonna be in the replay, your first 17 slides, and we got another 17 to go. Your first 17 will be in the replay. I apologize for those people virtually who couldn't get in. Also, as a reminder, which I think we made a statement at the beginning of the call, if you have questions, John is doing a more interactive presentation online. If you have questions online, you should be able to type your question into the app, and we'll ask it here on the microphones. Or you can email me directly, which many of you already have. I know you have my email address.
Andy Nowinski with Wells Fargo. Just wanna follow up on the questions on the networking vendors. If you look at one of the prior slides and one that was presented this morning, you know, it showed obviously Fortinet shipping a lot more units than the other vendors. But Cisco seemed to flatline through 2021. Check Point obviously lost, had a decline in units. But why do you think if everyone talks about taking share from Cisco and, you know, the networking vendors not doing well, why do you think Cisco's firewall units have basically flatlined and not, it doesn't appear to have lost share?
Yeah. I can't talk to Cisco specifically. You know, I do think that we've really focused on that price performance, most recently on the supply chain and delivery. I think some of the market stats, you know, either from IDC and Gartner, sometimes they're not always accurate per quarter. Eventually numbers don't lie, and that catches up over the year. We're very confident about taking market share from our competitors, and that will show eventually inside the analyst reports. Because if you're a big company, I've got lots of buckets of money I can move around in different places. We can't do that. We show where our network security money is, and I think that's very evident in the market share, and then we'll continue to gain.
It sounds like you're taking share from Cisco, both networking and firewalls, but the data doesn't show it yet.
I don't wanna pick on Cisco 'cause they're a big company, and they've been a good company for a long time, so I don't wanna really pick on competitors. I think we're taking market share from quite a few different networking and network security vendors out there.
Thanks.
One more. Do you wanna keep going or do you wanna go back to your thing? I know Saket had a question. I saw his hand up earlier. One more?
Thanks, John. Saket from Barclays. John, I wanna marry together a few of the questions that were asked and just kinda ask this maybe rather bluntly. Can a firewall replace a switch or a router? I mean, when we think about just the convergence of security and networking, you know, is the FortiGate firewall actually taking share from that separate TAM? Right, that's the first part of the question. The second part of the question is, how does Fortinet remake that market, right, economically? I mean, do you charge more for something like that because it's got more security in it? Do you charge less for it, just to disrupt the market? Maybe just those two things.
All right, just two things. Two questions, okay.
1.5. I mean, you know.
All right. Sorry.
1.75, I mean, so.
The first part of your question is, you know, FortiGate isn't a switch, okay, but the FortiGate is a switch controller.
Mm-hmm.
Okay? It can control the switch. It can define the policies for the switch. It can define what ports do, access control. The brains, as it were, of the switch is in the FortiGate. That's why I call this an extension, platform extension, because I've got a FortiGate here, and I've a need to add some access points. You can see some access point here. It's a physical access point I need to add. Or a switch in our IT closet there. It's a physical switch I need to add. That access point and that switch is controlled by the FortiGate software. It defines a policy for it. That's what we call an extension. You're adding capability to it. Now, of course, I've forgotten your second question.
The economics. I mean, do you?
Yeah. Well, it's addition. Sometimes when we've got an SD-WAN deal, and they say, "Well, we wanna make it SD-Branch," I've gotta add switches, I've gotta add access points, I maybe add 5G connectivity. It's 2, 3, 4x. That's why you're seeing some of those numbers just dramatically increase. Okay. Let me scoot along here. We've done, as you know, extremely well in SD-WAN. We think it's a very important marketplace. We think it's the foundation going forward, and so you've seen our market share numbers, you've seen our growth. What we're starting to see is customers start to add some security to the SD-WAN network. Initially it was a networking decision, buying center.
We're starting to see quite an increase in people say, "Well, I just need to put at least maybe some base security in my SD-WAN. Maybe not the full stack, but I need some base security inside there." We're starting to see a service attach, because if you think about networking companies, their service attach only is service and support, which is a much lower number. Our goal going forward is to not only provide service and support, but provide security capabilities to networking as well. Again, switching access points in SD-WAN. All right. Zero Trust, which we absolutely think is a really important concept. Zero Trust marketplace is just dominated by identity and access management. NAC's quite small, and OT security is growing really fast inside there.
OT security, now you could put in different places 'cause a bit of it's endpoint, a bit of it's network, a bit of it's policy, a bit of it's identity, but we put it inside here. This is the IIoT security, and then what we call traditional VPN and ZTNA. ZTNA right now is probably a small marketplace, probably $0.5 billion, but growing at 30%-40%. What is our strategy there, and Michael talked to this on stage, is in his mind is one of the more exciting products as we're going forward, is to merge this ZTNA and traditional, what used to be called endpoint protection, now people refer to as EDR, together. The reason we're gonna do that is that there's a lot of information that can be exchanged that's very valuable.
If you think about a ZTNA solution, it needs an agent. You actually, if you can't get an agent on there, you need NAC, which a lot of people forget about. It needs a policy engine to decide what that user can do and what they can access. It needs an enforcement point. That enforcement point, in our opinion, needs to be in as many places as possible, close to the application. Not in a cloud somewhere that's not close to the application. If that application is on-premises, that's where your ZTNA enforcement point needs to be. If it's in the data center, it needs to be there. If it's in the cloud, it needs to be there.
Having that ZTNA architecture in place, then if we can start to say, for example, EDR, if you decide this endpoint is or has a virus or is compromised, I can immediately tell that ZTNA policy engine, "Change the policy for that user." Either don't allow access anywhere or allow internet access. The interchange of policy between components is so important going forward. We truly believe that bringing together EDR as well as ZTNA is the best long-term solution to protect endpoints. Yes, we can sprinkle in some NAC here and there to maybe for OT security, but making sure EDR, the endpoint. 'Cause you speak to a lot of CISOs that go, "I'm just tired of having nine to 10 agents on my endpoints. It's just too much.
I need to get it down. Now today, let's be honest, we have an EDR agent, and we have a ZTNA agent. Rather like the management consoles, our goal is to make sure those agents come together long term. That can't be done in six months. That takes a few years to do. We believe the convergence of these two is very important. By the way, we have a pretty sophisticated authentication multi-factor token offering that we connect inside there. I'll give you an example. This is the ZTNA portfolio. Obviously, it consists of our client, our proxy that can sit in the cloud, in the data center on premise. It consists of our token, our FortiTrust, which is the new licensing system, our authenticator, and FortiSASE.
We started this journey internally in IT inside Fortinet almost 18 months ago. One of the first applications we did was actually obviously the most valuable piece of data and the most valuable people accessing that. What's that? Our source code. We made sure all our developers were on ZTNA. The source code obviously sits in our data center, so when they access the data center, that firewall inside there has inbuilt ZTNA enforcement that only allows those people protected by ZTNA clients to access that source code. Because ZTNA, in our opinion, isn't something you just switch on with all the complexity of policies or the application movements. It's something we've been doing over the last 12-18 months because each person is different and each application is different, and the way you deploy that policy can be very different.
I think this is a marketplace. ZTNA, as I say, is small today. Every customer I speak to wants to get to ZTNA architecture at some point. They just find it very complex given all the different pieces in place right now. We've already added almost 1,500 ZTNA customers in the last 12 months. All right, any questions on the ZTNA stuff? Nope. All clear.
One second, John, before you go ahead. A reminder for those people who are on virtually, the entire Investor Day slides will be posted on the investor relations website. Great timing for the windows to go. On the investor relations website after the presentations are done today. You will get to see all of John's great slides in the beginning, as well as his entire replay of the event will be available later today on the website. The 30 minutes that you weren't able to see will be part of the replay. Lastly, if you do wanna ask questions during John's presentation, you can type them into the app that you have and we will read them from there. All yours, John. Oh, we have a question up front.
Thanks, Peter. By the way, that's our green building in action there.
Yeah.
The sun, as the sun goes round there, the blinds go up and down.
It wasn't my mental telepathy, is what you're saying?
Everything's green.
How you doing? Adam Borg from Stifel. Thanks so much for taking the question. Just on FortiSASE, right, maybe talk a little bit more about your own strategy there, building out some POPs internally, relying on service providers and how that should evolve over time. Great. Thanks.
Yeah. Yeah, good question. You know, our long-term approach, when I say long-term, is, you know, two, three, four, five years, is that we truly believe our service provider partners are in the best position to provide some of that capability. They have the network, they have the points of presence, they have the local access. Our goal is to, first of all, build our own FortiSASE, as we call it, and provide a global footprint, mainly focused on remote access initially, as well as thin edge, but that's able to connect into our SD-WAN network. We need to be able to build it and make sure it's working and functional, and we've been doing that over the last 12-18 months.
We have many service providers lined up who wanna take that functionality at some point, and we'll transfer it across. Because they've suddenly woke up and realized that they've OEM'd a lot of other cloud vendors right now, and now they compete with them. They kinda knew that, I think, years ago, and they maybe couldn't do anything about it. Now they definitely wanna do something about it. We'll build our own capabilities out, but we're also long-term, we'll transfer that technology to service providers to allow them to compete as well. It's part of us being, you know, very partner-friendly, but, you know, maybe three or four years ago, we started to do that, but if you haven't built it yourself, it's hard to transfer something you haven't built.
We decided, you know, almost when we did the acquisition of OPAQ and some other capabilities, is to build it out, and that's in progress right now. It's progressing very well. We added ZTNA to it in Q1, which is a fantastic new feature for remote users, and we'll keep building that out. To be honest, it's a very different development model as cloud and SaaS vendors are. You know, we have weekly releases for software 'cause that's what you do in a SaaS environment. That's why, you know, I asked Michael the question about the development and developers. We have different development teams who have different skill sets because a SaaS implementation is very, very different. The way you build it, the way you operate it, the way you control it from a four or five-year development around an ASIC.
Extremely different. Does that answer the question?
Yes.
Thanks.
Thank you. Roger Boyd with UBS. Just going back to the question on AIOps and considering that kind of partner-friendly SASE, zero trust product, how do you think about who owns the data and can provide that value from looking at data and driving insights from that?
When you say the data, you mean the data not the customer's data or the data from the network and the applications and the security?
Just collecting, like, telemetry data.
Okay.
I think earlier you were talking about 100 billion telemetry events a day or something.
Oh, okay. Yeah. There's two pieces there. The first one is that all our customers have the option to. They opt in to providing data on our FortiGuard services, and that gets sent back into us into our POPs around the world, and then we apply machine learning. It could be that I've got a file in a sandbox, for example, or I've got a hit on an IPS, or I've got an AV file. They provide all that telemetry back into our into our core data centers, and then we attach machine learning to each one 'cause each threat vector is different. I've got a file that's very different from a URL, that's very different from a vulnerability. Each of those threat vectors is very different from a malicious piece of email.
We take each threat vector in, we apply machine learning. Machine learning today is very much focused on good or bad. For example, a file, we'll pass it through two billion good files and four or five billion bad files, and we get a pretty accurate view if that's bad or good. The key long term is taking all those threat vectors and then applying AI to detect some sort of campaign in the wild. That's the end goal for everybody. If I can detect a campaign in the wild, and I know where it's gonna attack you and how it's gonna spread and where it's gonna go and who it's gonna go after, that is the key. Because you're gonna tell a customer, "By the way, this person is gonna try and get in through here.
If they get in, they're gonna go over here and they're gonna do XYZ and they're gonna try and get this information, or they're gonna try and lock your manufacturing plant down." I think that still evades most companies, especially companies who haven't got all the threat vectors. You need all the threat vectors because, you know, a life cycle goes across all of those. I still think it's a bit way off, even for us, given the amount of compute and data you need to apply there. That's our goal in getting all that data. You need all the data. You need it from the endpoint, you need it from the network, you need it from email, applications everywhere.
Right now we're applying a lot of machine learning, but our goal is to provide AI against that eventually, to hopefully be able to detect campaigns in the wild. Okay. Question.
I just had one quick question about ZTNA. So it sounds like you're using that proxy predominantly for remote users today. Do you foresee, or are you already seeing that use case being extended to branch offices? How do you think about that potentially cannibalizing what's already a really strong.
Well.
Branch firewall business?
It's not a good diagram, to be honest, but the SASE is for remote users today. ZTNA is for everyone on the network and off the network. You know, we have controlled access to some of the product management systems in our data center. I have some product marketing systems in AWS. When I'm off network, my ZTNA policy provides enforcement off the network and the same enforcement on the network. If I'm on the network here and my FortiClient isn't talking to our policy engine, I can't access that either. ZTNA, Gartner term called universal ZTNA, which is ZTNA on the network, off the network for applications in the cloud, in the data center and on premise. That's the end goal.
SASE. On the other hand, SASE right now, we've really focused on remote users. Eventually, that connects into 5G. Eventually that'll be universal. ZTNA is absolutely universal across on network, off network, and applications in every location. That's really important. That make sense?
Yeah. What about just the cannibalization between, like, maybe you have appliances at the branch office already. All of a sudden, maybe you're using more of a cloud-enabled SASE model. Does that cause any, you know, friction over time between what's already a strong appliance business?
No. I mean, you still need SD-WAN, so that isn't going away. You still need to have an efficient connectivity. We still have SD-WAN there. In the future, how much security to put on an SD-WAN device versus our own SASE cloud may change, but we'll always have a presence there. It's the same, you know, look at it this way. You know, five, 10 years ago, our firewalls provided firewalling, maybe some IPS. Today, they provide SD-WAN, SSL inspection. We just added a new application, ZTNA proxy. All our firewalls now can do ZTNA proxy, which is another application sitting on the firewall. I've heard some people talk, "Well, firewalls can't do ZTNA." The firewall is part of a ZTNA. It's not going to do all the ZTNA, it's the proxy enforcement.
You've got policy, and then you've got the endpoint. As I say, our network internally, all our firewalls, both virtual and in the cloud and our SASE, have a ZTNA enabled to provide that enforcement.
Hey, John. It's Taz Koujalgi from Guggenheim. I have a question on ZTNA and how you reconcile that with VPN, because one of the things that we've heard from many vendors and many industry analysts is that ZTNA is kind of anti-VP-
I'm sorry?
ZTNA and VPN.
Yeah.
Now your approach to remote access is based on getting on the VPN remotely from a remote location. How do you reconcile the zero trust concept with the fact that most of your, I guess, remote access technologies still based on VPN and networking, right?
No, I think Robert's demo was pretty good showing that. He actually showed a VPN agent going into a data center, traditional VPN technology. By the way, a lot of the zero trust could be done today through firewall technology in the data center, but people didn't get around to it. They just said, "Oh, just go wherever you want when you get there." That's one of the issues of VPNs. We upgrade that client to a ZTNA client. We upgrade the firewall to ZTNA proxy enforcement. ZTNA is there straight away. Now, some of the applications have moved into cloud and SASE, so we're gonna need more ZTNA enforcement in the cloud and over here. You're not going always to that firewall in the data center.
You can go to the virtual firewall in AWS or Azure, or you can go to our SASE firewall. We just expanded it, but it's very easy upgrade for us. It's just an upgrade of the client and the firewall. Does that make sense?
That's a common question that we do get, is sort of the VPN going away, being replaced by the proxy capabilities for connecting to branches and things like that.
Right. Remember, VPN technology was pretty straightforward. You had a client, and you had a data center concentrator, where all the policy was. Everyone had the same policy. You just switch to VPN on, you had the IP address, and you went to that concentrator in the data center. Going forward, when you upgrade that to ZTNA, you also need to add a policy engine as well, 'cause that policy engine needs to decide which applications you can access and where you can access them, even how you can access them long term. As I said in, you know, my presentation, in the Gartner mesh, three, four years from now, if we can provide context to that as well, that's the key.
'Cause no way does anybody outside of your company know the context of what you're doing, why you're doing it, when you're doing it, where you're doing it. When you provide that contextual engine to the ZTNA policy engine, the transmission and the interface and the transport is the same technology in a way. It's encryption, encrypted tunnels going to the data center or the cloud or to the SaaS. To us, it's a very simple upgrade of our existing VPN technology, and that's why you saw those 1,500 customers already upgraded to ZTNA.
Just to follow up on that, is that the specific point or not the issue that other VPN vendors also? Like other VPN vendors, can they also, I guess, upgrade their software to make it more zero trust?
It's always hard to tell. I mean, PowerPoint's very powerful. It looks good. I don't really know if they've done it or not. You know, for us, it's at least a three-year development. For us, it's, you know, the policy engine and also making sure that works inside our OS. Now, those traditional vendors who had a VPN, let's say I've got a networking vendor who had a VPN, that's not their firewall, it's something completely different. It was a completely different device doing VPN concentration. It was dedicated to doing that. In fact, we replaced a lot of these VPN concentrators because our performance was so huge on IPsec that we once replaced a rack of gear with a 1U box. That was a big difference. Going forward, that's not just the only thing you need.
You need that policy engine to decide where customers can go and your employees can go. I don't know the answer to that question, to be honest, but I think it's hard to do. All right.
Sorry.
Okay.
Hey there. Patrick Colville from Deutsche Bank. The message today has been, you know, all about platform. Platform, platform. Fortinet's clearly seeing a lot of success in platform and with the platform message. I think one of the things that would help us is how do you conceptualize security platforms today in 2022 versus the security platforms we saw 10 years ago with, like, Symantec, McAfee, and Cisco? You know, what's changed between now and then, and why and I guess how is this platform message gonna be, you know, durable?
Yeah. Well, I think,
I have one comment to add to that. The three companies you listed, how do they put their platforms together?
Yeah. If you go back, and Ken knows this well, so you go back to 2000. You know, if you go back then, I mean, I worked for an endpoint vendor before I worked for Fortinet cause, back between 2000 and 2010, the endpoint vendors were the big cybersecurity vendors. You mentioned McAfee, Trend Micro, all these companies, they were the big. But network was much smaller than the endpoint marketplace. So you had an endpoint platform, and they tried to bring more endpoint functions and try and expand a bit, but they never really got beyond the endpoint.
Between 2010 and today, I suppose, you know, the networking vendors came along and said, "You need a networking platform." There's us, and there's some people down the road there apparently that do networking, network security. You know, network security overtook endpoint as being a larger marketplace. That's somewhat swung back to endpoint recently. Endpoint's actually overtaken network security again. The key for a platform long-term is not just endpoint, not just network, not just cloud, it's all three of those working together. That's the key message for us. It's not just network, endpoint, platform. It's all of those things together as a combined platform with a single policy engine across everything. That's the key. That's the difference, I think. All right.
Just a quick time check, John. We got about 15 minutes for you, and Keith is just waiting to go.
He is. Keeps saying, "Hurry up." All right. Cloud, you know, cloud is very, very fragmented. This is gonna be a very interesting marketplace going forward. No one really knows the size of the cloud security marketplace. I've seen guesses all over the place. Always, $500 billion. Oh no, it's only $20 billion. No one really knows, and so I don't think there's a good estimate of how big it is. These are some of the major marketplaces which are considered cloud. You know, you've got CASB, which in fact if you look at Gartner, their cloud market is based on just CASB, that's it. You know, you've got email security, you've got WAF, which is gonna be very important going forward to secure API traffic.
API traffic now has overtaken HTML traffic inside these environments, and that's gonna be a major attack vector going forward. For us, this is our portfolio right now. We have our WAF, which is really growing very fast inside the cloud to protect applications from botnets or attacks on applications and API in the future. We actually have a substantial email security-
Where is it at?
Protecting some remaining on-premise email. Most of the email's gone to the cloud now. We also have a cloud workload protection through an acquisition, our FortiDevSec, our CASB solution, some smaller products around ADC. We have a reasonable size cloud portfolio, but as I mentioned in the keynote earlier today, we definitely think going forward, you're gonna need to be very conscious of the cloud-native capabilities and make sure that's part of your solution. Because in the end, the platform vendors wield a lot of power. My analogy is you go back to when I was at my endpoint company, it was a long time ago, there was a certain company called Microsoft who decided they wanted to get into the game. Now, Microsoft own consumer endpoint with Defender.
In the end, they got so much power, so you can't ignore them and say, "Oh, we're gonna compete head-to-head." You've gotta be able to take advantage of some of the capabilities they're gonna build, and they've already built some security capabilities. The one thing they won't be able to do is to apply that same capability across other clouds. This multi-cloud, hybrid cloud is with every customer I speak to, it's got multiple clouds. Even if they've signed a $1 billion deal or a $1 million deal to take cloud from a certain vendor, they're always gonna have multi-cloud. I think this cloud world, first we're building our own products, building capabilities to take advantage of cloud native and bring that together, and that's the product we'll announce, probably in a couple of months.
Again, some really good numbers here in terms of cloud, in terms of our growth across all the different product areas. Yes, we do talk a lot about hardware and ASICS and everything else. We do have a thriving cloud business, and we do invest in the cloud business. All right. I think we're gonna finish up on the fourth part, which was the security operations. This portfolio or this TAM is pretty large. Obviously, endpoint inside there, that makes it very large. But you also have some of the new technologies around SOAR, network detection and response, and also threat intelligence. Our portfolio is pretty substantial. In fact, if you looked at the slide that Ken had on acquisitions, maybe half of those were security operation acquisitions.
The SIEM, the SOAR, most recently is our enterprise attack surface monitoring tool. We're just about to announce that's FortiRecon, by the way, that tool there. That was the acquisition of Vallon. What we're seeing is, if you look at the, you know, the attack life cycle, we started to implement some more capabilities in the front end that can see what's going on. It's very unknown. It's stuff like deception or bots or things that look for a lot of behavioral type capabilities. Now, what you can't do with all of those products is block. You're not 100% sure, you can't be blocking across that. What we hope to do is build those tools out, and then we transfer them into what we call our protect.
The latest change to this was sandboxing, which previously has just been detection. Yeah, I found this file, it's bad, it's already gone. We just added inline sandboxing protection. Once you get more certain about that capability, you can add protection in there versus just detection. You know, and again, Ken had his slide about the number of detection vendors, protection vendors. It gets harder and harder as you need to do that at high speed, and you need to be really sure you detected something bad because you don't wanna cause false positive inside the network. That's a disaster. Of course, we have our SOC capability, which ranges from our SIEM, our analyzer, analytics, new SOC as a service, incident response.
This is a very broad portfolio that's really focused on the SOC and the CISO from a security operations perspective. I think that could be it.
Jonathan, just a question that came in online.
Okay.
I'm not exactly sure if it fits right in 'cause I've been jumping around here. The question is, can you give some more concrete examples of how you can coexist with the cloud-native platform vendors and maybe how you delineate their role versus yours?
Yeah, a good example is our WAF rule set. I think what the platform vendors are very good at doing is taking some basic function and making it ready and available. All the cloud vendors have a WAF, a web application firewall, AWS, Azure, GCP, Alibaba. What we did inside AWS was if you'd already have a AWS WAF, you can opt in Marketplace and click on Advanced WAF rule set from Fortinet. That gives you updates about botnets, about attacks, vulnerabilities, and that service is doing extremely well. For the customer, they've kinda taken a basic cloud native functionality, but they've added on functionality from us that makes it better and more sophisticated. The same will happen when they introduce, you know, they've already introduced basic firewalling.
They haven't got the capabilities to add that next-gen firewall on top of that. The other capability long term will be not only am I providing functionality on top of that cloud native functionality, but I'm also sucking information in from the cloud native capabilities. Like all the cloud vendors have got vulnerability scanners. Why build your own vulnerability scanner? Just take the information from them and bring it in. It's a combination of working on top or with, and then alongside the cloud native capabilities, but you need to do it across all the clouds. You can't just focus on one cloud. All right. I think I might stop there actually.
Thank you.
Yes. I'm gonna. I think I might stop. There's our management systems, and I think I talked a bit about which we think is really exciting technology is the AIOps and the Monitor. Monitor was an acquisition in Chicago of Panopta, which is digital experience monitoring. We feel like long term, the network operations teams will want this functionality to be able to provide so their CIO knows what the digital experience is. Once you have that in place, you start working on AIOps. AIOps is not one of those things you just, again, you're gonna switch on, it just looks after the network, and you go home, and that's it. It's gonna be a roadmap and an evolution of functionality across both endpoint network and the cloud. Okay. I got to slide 36. That's pretty good.
Some really good questions, though. Any other questions for me?
Yeah, we've got a couple minutes. We can take a couple more questions, and then we're gonna turn it over to Keith.
Well, Keith always needs some extra time 'cause he's-
He talks slow.
Talks slow. Yeah.
No, I have a surprise for you, John, so.
Hey, John. Fatima again. Excuse me. In the same way we've seen the convergence of networking proper with security proper, do you anticipate that we, in the next couple of years as these previously independent disciplines as they fused, we're gonna start to see the NOC and the SOC actually become one singular entity? Why or why not?
Yeah, we heard about that for a long time. In fact, we acquired a SIEM company. What was the company again? It was on that slide. Anyway, but they were one of their.
I think it was AccelOps.
Yes, AccelOps. I knew that. I was just testing you.
Bingo.
Someone's paying attention. So they actually one of their key features was a NOC and a SOC combined together. I also see a lot of customers, I mean, large enterprises for sure, it's just very separate. I think this convergence and consolidations are two different concepts. Convergence is, I'll take two products, and I'll make it into one. Consolidation is, I've got three vendors, and I'll make it one vendor. That's kinda different. I think network and security is converging. I think security operations is consolidating. They're slightly different concepts. One's a platform approach, and one's an OS approach.
Thank you.
Hey, John. It's Greg Moskowitz from Mizuho. Good to see you.
You too.
Question going back to secure switches and access points, 'cause some have the viewpoint that, and you sort of alluded to this, that it's a very commoditized area, really not much opportunity to differentiate. Now, you talked about naturally the integration with your broader portfolio, including FortiGuard, and a lot of the intelligence that your switches have. I guess I'm also curious, since we're talking about some recent M&A, one we haven't talked about is Alaxala, from last year, and I'm curious, naturally that has given you more of an inroads into Japan. I'm wondering if there's any IP from the Alaxala acquisition that you can actually apply, thereby potentially further strengthening your switching and access point presence in the marketplace.
Good question. I hadn't covered that piece. Today, the intelligence is in our FortiOS operating system and FortiGate. Yes, we have communication links to the switches and APs so that we can tell it to provide more security, but the intelligence is not in the switches. The piece that we've built is the ability for the switches to communicate that intelligence. Alaxala, I mean, has built switches in the traditional way. I think our area which we were kinda missing from a coverage perspective was the data center. If you look at switching, there's two distinct markets. There's the campus and the data center. Very different marketplaces. We didn't really play in the data center per se.
I think Alaxala's gonna give us the capability to play in the data center long term, but it also probably means a more integrated architecture. I'll just leave it at that as we go forward because, given the performance criteria of a data center, you probably need things more integrated together versus my AP talking to a FortiGate somewhere else, and that's okay because the speeds are in tens of gigabits versus terabits. Yes, that's definitely part of the strategy long term.
I've one follow-up question from online, which the good news is people are online and can see it now. Slide 29-
Just now?
What's that?
Just now?
No, they've been on for half hour, 40 minutes. Slide 29 apparently had some good stats. It said 32% growth in FortiWeb and 52% growth in cloud and virtual. The question is really just ballpark, you know, how are those businesses in terms of Fortinet and kinda round numbers? I wouldn't necessarily give numbers 'cause we don't give to that level. You know, part of our-
I can see Keith over here.
Yes, I know. We'll let Keith answer.
He's getting a little shotgun arm.
You know, kinda get into like.
I think what we're doing right now is we're saying here's our new kind of structure of what used to be FortiGate and non-FortiGate, and we split that into core and extension. The extension is networking, zero trust access, security operations, and cloud. That's as far as we're going right now.
Okay.
We'll give you some stats of growth for the components inside there. Long term, we hope, but we'll be ready, we might break those out to show you some of the components inside there, but not at this point. Is that a good answer, Keith?
That's super.
Thanks.
Hey, John. It's Taz again. You've had a lot of success in the last few years converging networking and security, and that made sense because you're the only guys who had both networking and security while Palo Alto and Check Point were mostly security and firewall vendors.
Right.
When you think about the classic network vendors like Juniper and Cisco, they've always had security and networking under the same umbrella, but they never had the convergence that you've had in the last couple of years. They've never seen the success of integrating security and networking like you guys did. Is that more of a product thing that they missed, or was the market not there yet? Why did you guys have the success in combining or converging those two areas while Juniper and Cisco were not able to?
Because it's hard to do if you're not innovating. Because go and buy it. I mean, I'll give you SD-WAN as an example. We could have gone and bought it. Well, we wouldn't have bought it because there was ridiculous valuation, so let's stop there. We could have built it on a separate box. It would have been much easier for us to do, much faster, maybe some code. Here's a separate box. Even the largest networking vendor in the world couldn't build it internally. They went and bought something from somewhere else. They go, "Well, can we try and make that work with our firewalls?" No. It's completely different code, completely different management system. When you go and acquire a mature product, I almost feel sorry for them.
Well, not really, but it's really hard to take mature products that have got roadmaps and customers and everything else and bring them together as a converged solution. You can't do it. Yes, you can make it look that way by a console talking to each other. If you go back even further, you know, IPS and next-gen firewall. Let me go and buy an IPS system instead of a firewall system. Let's see if I can bolt a firewall on top of an IPS system. No, it's really hard to do. It's really hard to do not only in terms of functionality, but high performance. You know, some of our latest firewalls are running, you know, 400 Gbps per port. You can't do that when you've bolted some virtual machines together. It's impossible.
I just think the strategy is incorrect and that one of the issues is that internal innovation has died, so you're not building it internally. You're going and buying pieces all over the place, and then the innovation is trying to make it work together, and I think that's really hard to do. Really hard to do.
On that note, I knew he could do it. I knew he could fill 1 hour and 15 minutes. That wasn't gonna be a problem with the Q&A. John, thank you very much for your presentation. You'll be back later for the Q&A in about
Oh, I will.
15-20 minutes.
Thanks.
Thank you very much.
Okay.
Very much appreciated. Come on, move forward. I told you there were more slides. These will be posted, but I'm just gonna fast-forward to. Nope, not there. Well, I thought you were gonna move it. Can you take me to slide two? Okay. Because I have a surprise for those of you all in the room. First of all, just a reminder for those people that are online that got in late, there will be a replay of the entire Investor Day presentation, so John Maddison's 1 hour and 15 minutes and soon to be the rest of the presentation will be webcast, will be replayed, will be available. We will also post a transcript later today, as well as all of the slides. But more importantly, as I wait for my slide to show up.
Peter, you can say a few words about Safe Harbor.
I can, and I'm going to. I know it's a surprise, but for those of you, because since we didn't have the video playing in the beginning, we're gonna redo the Safe Harbor slide as soon as they can get it up there. There it is. Before I turn the call back over to Keith, I'd like to remind everyone that during today's Analyst Day or during this part of the Analyst Day, we will be making forward-looking statements, and those forward-looking statements are subject to risks and uncertainties, which could cause actual results to differ materially from those projected. Please refer to our SEC filings, in particular risk factors in our most recent 10-K and 10-Q for more information.
All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. With that, we're gonna turn it over to Keith, as hopefully they can throw it up. Jamie, hopefully, you can throw Keith's presentation up. That one. Just the agenda item for everybody that knows, certainly the people who are online that didn't hear it. After Keith's presentation, we will bring up Ken Xie, my founder, CEO, Chairman, Patrice, our Head of Sales, John Maddison will come back, and of course, Keith will be here as well. John, just wait, Keith. They gotta throw it up there to the beginning here.
Never stop hitting the button. It's not gonna show.
Yeah, button's not gonna do any good. I think they just threw it up there to put it up.
Okay.
This will give you all time to read it in its entirety. You want me to read it out loud like a poetry reading? Wouldn't that be fun? Information, statements, and projections contained in this presentation. How fast can I read it? Slides concerning Fortinet's business outlook, second quarter, and full year guidance, 2015 financial targets and future thereto. Now just Keith. I know. I do the Safe Harbor statement on the earnings call as fast as I can, but anyway. You're welcome. I think we're on about slide 39 or so for Keith.
The last thing I would offer is that what we have not yet been exposed to is that the windows will actually open and close automatically based upon temperature variance. Typically happens about the most important part of the presentation, you know. The mid-year guidance will be.
Fortunately, these windows don't open in this room particularly, but that is true in some other parts of the building.
Okay.
They're all yours.
Let's see. Thank you again for everybody for joining us. Appreciate you being here earlier this morning as well. I'll take about 15 minutes here, and then we'll pivot back to Q&A. Take a look at the agenda. I'll begin by highlighting our investment thesis, discuss several of our industry and company specific growth drivers, review our financial performance over the past several years, and then offer some observations about the supply chain. I'll wrap up by highlighting the cash flow generation, capital allocation strategy, and then I'll conclude by updating our medium-term financial guidance. Immediately after that, Ken, John, Patrice will join me as well as Peter, and we'll have some more conversation. As you know, cybersecurity is a very large and fast-growing market, with growth being driven by long-term secular tailwinds.
Our business is driven by our ASIC and operating system advantage that combine to form our platform strategy and provide customers a lower total cost of operating.
Operations and a sizable performance advantage. The highly diversified nature of our business, our business model across customer sizes, industry verticals, and geographies has enabled strong and consistent financial performance over the past several years. Doesn't work with the clicker?
Yeah.
All right. Our financial strategy as a publicly traded company has been balanced growth and profitability, including last week's 2022 guidance. Fortinet is expected to achieve the rule of 40 in eight of 10 years and 11 of the last 14 years as a public company. In 2021, we hit the rule of 55, and last week's guidance indicates we should hit it again this year. In some ways, the rule of 40 has become easier for Fortinet to as it scaled and expanded from its early days as a single product company to the cybersecurity platform company that it is today, with product and service offerings that extend well beyond the firewall. At the core of the platform are the high-performance ASIC-powered FortiGates, serving a number of different use cases from data centers to branches and from SD-WAN to OT.
From this core, the platform extends to products in seven different Gartner Magic Quadrants and a full product suite that appears in over 20 Gartner research categories. Our suite of platform extension products has grown to be over 30% of our business. Based on Gartner projections, as we talked about this morning, we estimate the cybersecurity market that we play in will grow at 10% annually over the next four years. It'll approach $200 billion by 2026. Keep in mind these TAM estimates are products only. They exclude the over 60% of our business-related services, FortiCare and FortiGuard. Our continued focus on organic innovation will continue. Means we will continue to add capabilities to our core platform and platform extension, including zero trust security, cloud security, and fabric operations or security operations.
Our solutions include a complete range of form factors and delivery methods, including physical and virtual appliances, cloud, SaaS, and perpetual software, as well as hosted and non-hosted solutions. Together, they provide security solutions enabling broad integrated protection for hybrid environments in the expanding digital attack surface. Next year, we're gonna put a monitor in the back, so I don't have to do this each time I say, "Adjust the slides." Thank you very much. All right. Fortinet's almost all organic billings growth accelerated from 19% in 2020 to the mid-30% last year, closing 2021 with billings of over $4 billion. Contributing to the 2021 growth, cloud billings grew approximately 40% to $325 million. Last week, we guided 2022 billings to be over $5.5 billion, representing full year growth of 32%.
Over the past four years, product and service growth has remained balanced at say 29%-28% respectively, and services continue to account for nearly 70% of total billings. Our revenue is highly diversified across customer sizes, geographies, and industry verticals. The diversification you see on these charts largely contributes to the consistent performance over the past several years. Illustrating our customer segment diversity over the past five years, again, no single customer has represented more than 2% of our billings in any quarter over that five-year period. The geographic diversification you hear is very interesting. Over the last 12 months, we've generated almost half of our billings across more than 100 smaller companies, with no single country representing more than 3% of our business.
It's all about geographic diversity, which provides us the ability to mitigate the impact of country-specific events impacting local economies, including the rotation of the pandemic, economic downturns, and even conflict in Ukraine. Looking at the industry mix, we see the top five are very consistent quarter over quarter over quarter at about 60%-65% of our business, while we've certainly seen very strong growth in each of these larger industries. What's interesting again is the mix from the other industries, which has increased to 39%. That's up about four points year-over-year. We've seen extremely strong growth here, especially in industries that historically may have invested or been more constrained with their IT and security budgets. We think that ransomware is changing that. Ransomware is much more industry agnostic.
Over the past year, we have seen significant security investments coming from customers in manufacturing, utilities, services, and similar industries. The diversity you see across the slide drives the need for a broad solution set, as our customers are not easily pigeonholed into one size or one type of solution, or buying only one form factor or one size of a security offering. I'll pivot now to review some of our growth drivers that have contributed to our strong performance and that we expect will help to drive our market share gains going forward. As I said earlier, it all starts with adding new customers. Last year, we added over 23,000 new customers. That's 5,000 more than the year before. As we earn the trust of our partners and customers, solving use cases, consolidating more technologies on platforms, solving more of their business challenges, the partnership expands.
The bar graph on the right shows that in 2021, we increased the number of $1 million deals by over 60%, and the dollar value year-over-year increased by 70%. The question was asked earlier, at the same time, we saw the large enterprise mix shift increase by three points year-over-year to 37%. In the SD-WAN, Fortinet is at the epicenter and showing dramatic growth. SD-WAN has shown to be the driver for both the networking and security markets and for Fortinet. We offer a unique product that combines security and SD-WAN functionality in a single appliance. Fortinet is the only SD-WAN vendor in the leadership quadrant for both SD-WAN and enterprise firewalls with the exact same product, the FortiGate.
With these advantages, our SD-WAN bookings increased to 15% total bookings in 2021, and again, from almost zero in 2018. I n OT, we have something I would say newer and newer on the scene, younger. It's driven less by the ROI type model that you see in SD-WAN and more by the current threat environment. It's now at scale at 78% bookings growth. It follows the earlier comments about ransomware and some of the other industries that we see are investing more in security, you know, manufacturing and services. Fortinet's almost organic, all organic revenue shows a three-year average growth of about 26%, and in 2021 accelerated to 29%. Last year, we guided additional acceleration with 2022 revenue of 31%.
With the proliferation of work and study from anywhere, together with the worsening of the threat environment, security investments and spending accelerated as companies reconfigured their network architectures and infrastructures, along with the security capabilities to accommodate an increasingly hybrid workforce. Partially driven by the accelerated security spending, product revenue increased from 16% in 2020 to over 35% in 2021. Over the two-year period ending in 2021, our higher margin service revenue grew at a two-year CAGR of 23%. For 2022, we are forecasting an acceleration of service revenue growth to 28% as services continue to represent the clear majority of our total revenue. I think you've seen these before. These four graphs illustrate the consistency of Fortinet's operational metrics.
Despite the COVID shutdowns, supply chain disruptions, conflict in Ukraine, demand for exceeding supply, whether you're looking at discount rates, average contract term, renewal rates, or the predictability of our service revenue, each of these has consistently tracked within narrow bands over the last three years. As we pivot to the supply chain, I'll offer some commentary about the supply chain, how we're working through it, information about backlog and the financial impact. Some of you may have seen this chart earlier today. During our earnings call, we summarized some of the actions we've taken to mitigate the risk, including redesigning products and reprioritizing how we allocate the limited supply of components to finished goods, qualifying additional suppliers, shifting from ocean freight to air freight, and significantly increasing our inventory purchase commitments.
That's that bar chart on the left that shows the increased level of commitment we've made to our suppliers from $300 million to $1.4 billion. The increase reflects longer lead times as well as a read-through on how we view the opportunities for growth over a longer period of time. The chart in the middle provides the backlog trend. It also offers a metric that provides sizing context. Specifically, we're seeing the net additions to backlog hovers around 9% of total orders each of the last two quarters. Below that, you can see the mix in the trend in backlog. The last chart highlights the impact of one aspect of the current supply chain challenges. Expedite fees does not include labor, other component costs, et cetera, or freight.
We've agreed to pay expedite fees to our suppliers to facilitate inventory deliveries in certain cases. As you know, we have a price or performance advantage, and like our competitors, have taken certain pricing actions to offset a portion of these higher costs. The key message here, as we balance profitability and market share gains, is that we have passed through some, but not all, of the higher supplier costs. While product margins reflect the majority of our pricing actions to date, the tailwind to service revenue will become more noticeable as we progress through 2022 and thereafter. In 2022, we expect a 75% gross margin to be a headwind to our 25% operating margin, but to be mitigated by the service revenue tailwind and continued leveraging of our operating expenses at these higher top-line growth rates.
At the same time, the 25% operating margin guide still provides room for increasing our top-line capacity through continued investments in sales and marketing products and other areas. In the end, sales and marketing accounted for just over 50% of our head count for the year, at the end of the year. When it comes to cash flow, for the last 20 years since our IPO, free cash flow remains our most important source of capital. In 2021, we generated $1.2 billion of free cash flow at a 36% free cash flow margin. To put our strong free cash flow conversion into context, we've again benchmarked the free cash flow against the S&P 500 constituents. Our top ten outstanding as a percentage of total S&P of all S&P companies really is a testament to our business model. There we go.
Our ability to maintain margins and the efficient working capital management. This capital allocation strategy is key to financing our R&D investments in small tuck-in acquisitions. Over the past five years, our innovation investment has totaled $1.4 million in R&D, engineers and salaries, and $200 million in tuck-in acquisitions. Our free cash flow generation has not been the result of letting up in our innovation investments. We have over 2,300 engineers, with software engineers accounting for approximately two-thirds of the total. Again, working on the operating system, working on the cloud and other software products. As we work to transition to a more efficient balance sheet in 2021, we issued investment-grade bonds totaling $1 billion with an average annual interest rate of 1.6%.
During 2021, we repurchased 2.6 million shares of our stock for a total cost of $743 million. As for our capital allocation, we have a clear hierarchy for uses of cash and our free cash flow in order, debt reduction if necessary, reinvesting in the company through R&D, CapEx investments and other organic initiatives, investing in inorganic alternatives, i.e., M&A, with a focus on smaller scale acquisitions and minimal execution risk, and returning excess capital to our shareholders. Here's a recap of our second quarter in 2022 guidance as we provided it on May 4th. In order to achieve service revenue growth of 28% in 2022 for the full year, we expect quarterly service revenue growth to begin to accelerate in the Q2 , reaching 30% in the second half of this year. Just a couple of additional modeling points.
As a reminder, the analyst day slides will be posted on our investor relations website later today. Now I'd like to share our medium-term targets. I'm happy to say that the personal objective that Patrice said earlier today of $10 billion in 2025 is consistent with the rest of the company. All right. Over the next three years, we expect continued growth. Looking out at 2025, we expect billings to be at least $10 billion and total revenue of at least $8 billion. At the midpoint of the 2022 guidance that we provided last week, these projections equate to three year CAGRs for both billings and revenue of approximately 22% through 2025. As for margins, we expect our non-GAAP operating margin to average 25% for the period from 2022 to 2025.
We expect adjusted free cash flow at the margin to be in the mid-to-high 30% range in 2025. Okay. All right. With that, I think it's time to bring Ken, Patrice, John back, Peter for Q&A.
Okay. With that, thank you very much, Keith. Very much appreciated. I think everybody, you know, as always, a very good presentation. Please be careful as you're walking up with power cords on the floor. It's a little bit of a treacherous journey from the back of the room to the front of the room.
This appears to be a bring your own chair event.
Yes, it is. I'm sorry. I don't have people. I wonder if we can turn that thing off.
Yeah. Figure it out.
See if I can.
You're good, man.
Nope, we only need four of you. We don't need five. I'm not sitting there. Okay. With that, if I could ask the video guys to turn the projector off, so we don't need the light. Can you get them on the camera without it? You're good? All right. I like the camera guy. All right, let's begin this Q&A. Any hands? How about Patrick here? I feel like I could have gone Brian.
Patrick Colville from Deutsche Bank. I mean, congrats on these very impressive forecasts. I guess the first one is on the operating margin. 25% or greater than 25% as an average over three years. I guess can you just help us understand the components of that? You know, if I think about this year, gross margins may have been a little bit light because of the supply chain stuff, but OpEx has been very disciplined. I guess how should we kind of conceptualize the next couple of years and the kind of subcomponents of the operating margin guide? Thank you.
Yeah, I think I assume that's a question for me, not John.
Okay.
Um, but I, I think.
Yes.
Yes. No, I think, you know, you've seen us guide again this year to we widen the range a little bit, I think 24%-26% in light of what's going on out there in the supply chain. I think we've seen clearly with the model it is capable of producing increasing operating margins. As we look forward over the next several years, and we anticipate that, you know, the supply chain environment and other factors may not be as challenging as it is today, we did pull that back a little bit from what we think the model is capable of, just to reflect what we are seeing today and because we do not know when the supply chain challenges as such will end.
Maybe address the averaging over three years or four years.
It is an average, as you kind of alluded to. Pardon. We're not necessarily committing to 25% as a floor each and every year, but we are saying 25% over that period of time.
Just to remind everyone, if you go back to our 2019 guidance, it wasn't over a three-year period, but we did a similar thing. We said we'd average 25% over that period back then. Similar to what we did back then.
Good afternoon. Thank you. Brian Essex from Goldman Sachs. You know, maybe for Keith. As we think about some of those longer term projections, obviously one of the ways that Ken's been able to differentiate the company is maintaining the hardware focus and the value that ASICs performance. How should we think about the contribution of product, service, maintenance as we kind of look out to that 2025 timeframe and the mix that you anticipate from a contribution standpoint?
Yeah. I think that we've seen some very rich product mixes, particularly over the last, comparatively speaking, over the last two quarters. I would say the model over a longer period of time does not contemplate that same level of richness, if you will. I think previously, we've kind of been in a two-third, one-third model between product and services, and we expect over time it's gonna revert to norm. You may have heard the reference to, you know, software accelerating, and also an inference that the pricing actions that we've taken in November of last year, August of last year, and February of this year, but those pricing actions again appear in the product revenue line immediately, or comparatively speaking. In services, it takes over time.
We knew we were not gonna get a lot of lift from the services, even though the pricing, the billings went up at the second half of last year and the first half of this year, but it takes a while for that to pull into the service revenue line. You see that acceleration that we talk about this year, part of that comes from, you know, that you're gonna see the impact of the price increases starting to appear in the income statement. Not unlike what you saw with us when we started adding 25x7 support from our 8 x 25. Pardon me, 25.
4 by 7.
Yeah. All-day support. You know, that was a bit of a journey, you know. We saw the uptake, and it was continual, and we saw that our customers were switching over. In the same way, you'll see that here, not only as the new customers are working off a new price list, but our renewal pricing is also based upon the then current pricing. We should start to see, again, like we did with 24 x7 , a bit of a tail to this, to these pricing actions.
Got it. Maybe one quick point of reconciliation or just to give you an opportunity to address it, 'cause I have had some questions. Investors kind of wanted to put a bow on the difference between the product revenue growth and the service revenue growth. How much of that is delayed revenue recognition or pricing impact versus customers pre-buying or purchasing equipment not yet installing yet?
Yeah. I think if we're looking at a Q4 to Q1 comparison, if you will, and I think it was 27% growth versus 24% growth, you know, there's a number of factors that go into there, and I'll give some sizing to a few of those. One of those is we actually recognize revenue on a daily basis for services. Here's the thing, two fewer days in the first quarter than there are in the fourth quarter, so that's about 2% of revenue right there.
I think we've talked in other places that, you know, that impact on service revenue in the quarter, you know, from the attach rate, if you will, not the attach rate, but the registration lag, you know, was probably in the mid-seven figures, maybe to the low-seven figures in terms of a dollar amount. If you looked at, this gets kinda complicated if I try to do the math out loud. Of the pricing impact on services versus product and how much of an impact it was, I would probably size that pricing difference at around. Well, the pricing swag, I guess, is probably close to $10 million.
One way to think about it, if we have an average 27-month contract term, and one month is. You know, one quarter is three months, so one-ninth of a service contract is actually being recognized in a quarter over that 27-month period. On top of that, only the new service contracts that are signed or the renewals that occurred would even be at the new price, while the other service contracts are gonna be at the existing prices that were pulling them off the deferred into the income statement. To Keith's point, the 24 x7 versus 8 x 5 move that we did a couple of years ago, that's still happening. That's still trickling into the income statement. But it's, you know, we talked about it back then.
You can look, go back and look at the comments we made in terms of what the mix shift was over time, and we, I think we talked about it for two years. It takes a while for that to happen.
Your thing.
Thanks. Saket from Barclays. Keith, maybe for you, just looking at the long-term targets from a different angle, how do you think about the what are the new names? The core versus platform extension mix, right? Sort of the two-thirds, one-third that we have now. What do you sort of envision that mix looking like down the road from a high level? And then within the platform extension, do you sort of see the splits of, you know, switches and access points versus cloud versus all the other stuff sort of changing meaningfully as well?
Yeah. I'm not gonna put a specific number about it, but I do expect that the platform extension will continue to become a larger percentage of the mix of the business. Inside that, John and I have had this conversation. He violated the cardinal rule by giving numbers for specific products, which we said we were never gonna do.
I didn't.
I do think the you know, we're optimistic there'll be something to talk about in those areas in the future. We've talked in the past, and if you kinda look at that extension, the grouping of products in there, about a third of that is software, about a third of that are these access points and switches, and about a third are other products that we offer inside there. That's been fairly consistent. Keep in mind, Alaxala, if you were to add Alaxala's switches to that part of the business, you'd get a little more of a lift on the switches and access points.
Hi. Irvin Liu from Evercore ISI. Thank you for the presentations today, and I'll leave my question as a jump ball for anyone to answer. From a product innovation perspective, it sounds like you've been gaining traction in SASE as you made several mentions during your keynote today and even featured it as part of your product demo. Correct me if I'm wrong here, though, this is a bit of a contrast versus recent months where SASE mentions were somewhat sparse.
I don't recall the term used during your last two earnings calls. Can you talk about any recent developments here, in your SASE offering or if there are any milestones worth calling out?
I can.
Sure.
I think nothing's changed dramatically. I think at this conference, we just wanted to make sure we cover as much as we could. We can't cover everything, and so we wanted to make sure that the FortiOS everywhere message got across. That message is that we can deploy FortiOS as an appliance, as a VM, as a container, and as a SASE delivered. We just wanted to make sure that message went. It's nothing to do with any changes. We still wanna build out our SASE. We still wanna build out all of those products and those businesses.
Question for Patrice, Shaul from Cowen. As we think about this, midterm targets that you've provided, in the context of your channel partners, the VARs, should we be expecting any change, maybe also in the context of supply chain comments that Keith alluded to, anyone that you have been investing in, whether it's in the U.S. or in Europe, or we should think about your partners, your VARs, your channel picture largely intact for the next several years?
Yeah, I think let's say the impact and on the evolution on the supply chain, and especially for the partner, we try to provide the best let's say visibility that we can. It's always a bit difficult, but. We have been able to serve let's say slightly better than most of our competitor in this space. I think here we're gaining a bit of better traction from the very large SI size worldwide 'cause the opening door this year is to be able to deliver and match from customer requirements. I've said on one hand that's helped to create a bit I'll say a bit more strategic and long-term engagement with those partner.
We also been able to let's say align a bit our sales strategy with the especially for the enterprise segment as we have this direct touch engagement to really make sure we are going a bit more strategically with the partner we want. Before it was more like a bit of a broad whatever the choice of our rep. Right now it's much more strategic focus on the key partner in the U.S. and Europe. The discussion we're having now right now with those very large SI or service provider are becoming much more strategic and at a much larger scale and more projects. It's opening door. I'd say it's more confident. It was a bit more tactical before, it's becoming more strategic today.
Sure.
Hi. Thank you. Tal Liani with BofA. Obviously very, very small guidance on the CAGR and $10 billion and the $8 billion. This coming year, 2023, we will be getting something of a boost, not huge, but something of a boost from the runoff of backlog. How can you help us parse how much of that growth that we're seeing on a long-term basis and in 2023 will be from that backlog, granted you don't know how fast it'll run off. How can you help us parse it today, and how will you guide us through that as we try to think about what the really sustainable organic growth of the business is post this backlog build?
I think there's simply too much uncertainty around the backlog and when it's actually gonna turn around into the financial statements. I think when we look at, you know, our longer term guidance setting process, it's more about starting with, first of all, can I generate enough sales capacity to make those numbers, right? Am I gonna be able to give Patrice and John enough dollars, if you will, while maintaining 25% operating margin on average that he can have his sales team maintain their productivity and John can build the pipeline. I think that's the first step that we look at. The next step that we look at is what's the TAM? How big is our market? We know that we've gained market share, I don't know how many years in a row now, for many, many years.
How much of a market share gain do I have to assume out of that almost $200 billion of TAM that's coming? How much do I have to get to make that number? Now, the distinction in terms of what may happen with backlog, either the ins and the outs of it, I think we set that aside largely as we look at it for a longer term, modeling purposes in terms of whether it's gonna be a headwind or a tailwind. I think we kind of really assume as we get into those outer years, it's more of a neutral proposition. If it accelerates, that would be fantastic.
Thanks for taking the questions. Ken, my first question is for you. When I think about the success you've had with the secure SD-WAN strategy as basically a net new FortiGate use case in the last four years, can you talk to us about the evolution of your relationship with service providers? 'Cause as we understand it's an ROI game for SD-WAN, and one of the areas where a lot of customers see ROI is from reducing their MPLS spend. I've always found it interesting because your relationship with service providers has been very unique. Just wondering how you see that relationship evolving where you're basically sure cannibalizing some of their business.
It's SD-WAN, a little bit different than some other 5G even IoT. Lot of our SD-WAN deal driven by the enterprise, and because they see the cost saving, they can offer more reliable, redundant, flexible service. Some bigger service provider, I have to say they are a little bit hesitant in the beginning because they get so much money on MPLS service. That's where some smaller service provider tend to be a little bit more aggressive, so they try to use SD-WAN to gain market share. I feel 5G is a little bit similar since so we do see a lot of 5G requests, especially connect a lot of device, even certain vertical like manufacturer or this healthcare, all these things.
I do believe long term, the service provider they because they have infrastructure, whether later the 5G or some other, you know, the other IoT, OT space, they do play quite some important role, even some kind of a SASE. If we working with service providers, still one of the key areas, they're still one of the top three. They tend to be the number one if you look back 10 years ago. The carrier service provider almost come across as 30% of our business. Now they're probably number two, number three. I do believe they probably will have a. I think put it this way, once the economy stabilize a little bit, service provider, they probably can add more value.
Once the economy growing so fast in the last couple years, some vendor tend to losing money against the market share, than the service provider sitting back a little bit. We feel the service provider, carrier probably will keeping coming back in the next few years, especially a lot of new infrastructure being deployed and also, security like operation goes to a service also will be huge potential.
I appreciate that. Thank you. Patrice, just a very quick one for you. Keith has promised us 25% or more operating margin. What does that mean?
On average.
On average. What does that mean for the build-out of your sales capacity? As you look out over the next three years, is the growth in the business going to come from adding incremental levels of sales capacity or driving more productivity? I'm just mindful of the talent environment. How are you sort of thinking about that in the context of the guidance that was just laid out?
I think it will be a combined result. We definitely look for acquiring new white space or new logo, and that's where we're investing in capacity. We have this, especially for the enterprise segment. As you know, we are very organized within the sales organization by segment from SMB, mid, and enterprise. The enterprise require much more attention, for we have this kind of a pay and growth strategy where we reducing number of comp by rep. We are quite high today compared to our peers. We're expanding in fact to, of course, giving less account and each rep has to develop, in fact, the value proposition or broad portfolio in fact allow us to start, you know, adding some use cases of the fabric.
It can be data center, and then maybe next will be branch refresh or cloud, and then as we consolidate this platform. The idea is that we one, it will be of course much more revenue per account that we develop, so better protected per rep. We'll need of course to continue to invest in capacity to have this better coverage. At some point, we will reach the right ratio. We have this aspect which of course expand and the new logo of course because we mix a bit of existing account and of course a new white space account for the rep.
We'll be acquiring and we hope that we can continue to gain market share because especially on this enterprise, I would say even in the U.S., we still have a huge room for gaining here compared to Europe or Asia, where we have already nice but still of course a high potential. If we just convert the ratio, I think we'll have a significant impact in growing in the U.S. We should see a combined, I would say, contribution.
Yeah. I had a question on SD-WAN and OT. How much headroom do you think these high growth rates have to continue? I think maybe you started to answer that, Ken, a little bit with this service provider comment you made. I'm just wondering, you know, these are extraordinarily high growth rates. How much longer can they go on that way?
Sorry. You wanna talk about SD-WAN and you go. Yeah. I think SD-WAN still, in fact, I would say at the early stage. Service part is a good example. They're quite slow to move. There was of course a bit of holding due to the revenue strain that was coming from MPLS, so there was clearly not trying to go ahead. They're being forced by the market adoption and also more independent, I would say, system integrator that was able to provide expertise to deploy, in fact, SD-WAN and secure SD-WAN. Now we see, and it takes, of course, much more time. Like 12 months, we enable all the logistics, the connectivity with their system, ERP and ADC to be able to launch the machine.
We do see that the sales part is coming much stronger in terms of volume and contribution. The market is. I think there's a very significant refresh, I think, for the next five years on this SD-WAN. OT, it's a bit of similar, I would say, situation. Maybe difficult to assume from, you know, how much has really adopted security right now, this infrastructure, maybe five or maybe less than 10%, I think. Still huge, in fact, white space here for protecting those critical infrastructure. People are rushing, so it's. I think that's also potentially a longer. I won't say road. We're also developing. You see on the roadmap a lot of additional feature on, you know, this detection for OT.
It will be more on OT, but also to expand as we already feature set. Those two drivers, I think, should sustain for the next three, four years without any problem.
Yeah. I think the SD-WAN use case, and I'll ask John to jump in here in a second. I mean, early on, it was all about the ROI that came from the MPLS avoidance, if you will, and it was a no-brainer. I think maybe there's other SD-WAN use case that are coming on the scene now.
Yeah, when you look at the SD-WAN marketplace's had 30% growth last two years, which surprised a lot of people with this work from home and say, "Oh, we're not doing anything else to the branches." Still had 30% growth. That will slow down a bit, and so the total marketplace will slow down a bit. I think there's, as I said before, there's opportunity to add additional services. One of them is our security services. The other one is the cloud on-ramp, which I think is gonna be very important going forward. We see that, you know, building out SD, which is pure SD-WAN, is still a growing marketplace, but we can keep it growing at a high percentage to add more services on it as we go forward.
Rather than, again, just treating it as a piece of networking gear, add service on top.
A couple of quick clarifications too, by the way. The 30% John's talking about is the market, not Fortinet, right? Our CAGR for the last three years was 85%. Secondly, I think Keith earlier during his presentation talked about services and product. And I think he switched them when he gave the percentages. Two-thirds of our business is services, one-third of our business is product. Keep that in mind as you kinda think about the model. Thirdly, the executive briefing rooms are across the hall. After we're done in here, if you wanna walk through there and take a tour and see the OT lab and the SD-WAN lab and the other teaching labs and the executive briefing capabilities, we certainly can make that happen. Although I gotta check with what meetings are going on there.
We don't want to disrupt them.
Great. Adam Borg from Stifel. Thanks again for the question. Just maybe so for Ken or Keith, you talked obviously about the M&A strategy really being more tuck-in in nature. Just given, you know, your extensive cash balance, the valuations that potentially will continue to come in on the private side in coming months, how any change to the M&A cadence to think about going forward? Thanks again.
Every week we evaluate a few opportunities. So far, we still see the more attractive come from the smaller company, some startup. I think the market multiple come down a little bit, but as well as also, we need to consider integration, like, keep insisting 98% the integration will be done before acquisition. Also, before the acquisition, we also tend to partner first, make sure how things can work together if there's a chance of acquisition, all these things. That's why so far I don't think we are changing the strategy right now.
Yeah, I think I would agree and add to that we get a weekly report from the biz dev team about the deals we're looking at. Historically, valuation concerns appears very, very frequently in that weekly report, meaning that their valuation expectations are higher than we're ready to go for. Look, as dramatic as the market, the public market has moved over the last month or two, oftentimes when you see a correction like this, you know, we're told, expect it to take six months for the private companies to really adjust their expectations. I have no reason to think that's not true, but boy, this has been a very quick movement in the market, and so maybe we're gonna get some valuations moving through to the private sector a little faster than we've seen in the past.
I guess what I'm really saying by all that is that valuation has always been a filter for us and it will continue to be. Maybe more things will move through the filter from there in the second half of the year in light of current market events.
Hey, guys. The last one over here. Thank you for the time again. Keith, I wanted to come back to the operating margin question. I mean, you guys have been around that kinda 25%, you know, operating margin level for the past couple of years. You commented you think, you know, maybe the model can actually support somewhat higher than that. I've just wondered like, kinda what are the key levers that if you were to actually be able to achieve some margin expansion, even though that's not, you know, in the forecast, what where would that come from?
' Cause it feels like y ou guys are already very efficient, certainly with G&A and realistically with R&D as well. It feels like you kind of maybe have a couple of points of maybe mix effects to work with in the gross margin, but otherwise it's just sales and marketing. How would that play out if you were to be able to find some additional margin opportunity in the business over the next few years?
Well, first of all, I wanna acknowledge the shout-out about the G&A being very, very efficient.
Uh-huh.
For everybody's benefit. Those are. Second part of the question? I'm sorry. Yeah, look, I think, you know, we try and be prudent about it. If I get upside or where I'll get upside, Patrice talked about it. I don't like to assume increases in productivity in the longer term model. We do get it now because of the price increase, but if I normalize for that, I think the model is still assuming the same. So if I get increased productivity, you know, it will come there. Lower discounting can move things around the edges a little bit. The pipeline growth, thank you, John, has been really strong. So it's really, you know, he generates the pipeline, he converts it as long as the close rates, you know, are.
I assume they're gonna be at normal rates. The other place would be. I kind of feel I'm uncomfortable making any real assumptions about when the backlog starts appearing in the income statement. It is just. There's just too much uncertainty. It seems that every time we get together, we're always talking about, well, maybe it's a little bit better now in terms of supply chain, but it's gonna go for another six months. We get together again in three months, and we say the same thing. I think it would be very imprudent to pick a point in time where that's gonna start coming in, but I do think it's gonna start coming in.
I do believe that, you know, services, you know, we look internally, spend a lot of time looking at billings because it's a current indicator, as opposed to GAAP revenue, which is more of a lagging indicator. I think that, you know, we'll start to see it internally on some of our billings numbers will come up above those numbers would be the thing that we would expect, and then we get the conversion into revenue.
Yeah. Also, from my experience, we see the margin tend to be more short-term, easy to manage compared to the growth. Sometimes you need to invest, it'll be long-term, whether by the gen or by the sales. You probably will see a result maybe six months or nine months, 12 months after that. Margin, if we slow down the hiring or if we probably do some on the pricing side or discount side, the margin can be improved much quicker, within months compared to the top-line growth. Sometimes you need to see a result after a few quarters, even years.
Excellent. With that, we have made it to the top of the hour, so we're gonna wrap it up at this point. Appreciate, obviously, to the management team for all their time and their Q&A. If we give them a round of applause, I'd appreciate that. On that, you're free to go. Are you. At this point, we do have lunch.