Excellent. Thank you, everyone, for joining us. My name's Keith Weiss. I run the U.S. Software Equity Research franchise here at Morgan Stanley, and very pleased to have with us from Fortinet both Chairman, CEO, and Founder Ken Xie, as well as CFO Keith Jensen. So, gentlemen, thank you so much for joining us at the TMT conference. Maybe to start out with, Ken, I'd love to get an update from you on the platform story at Fortinet. From sort of the earliest days of Fortinet, we've been talking about the convergence of networking and security. Now that purview has opened up a lot, we're talking about SASE, we're talking about security operations, and a lot more consolidation of that security footprint. How has the Fortinet story evolved to encompass that kind of broader purview?
Yeah, it's a great question. Actually, I just feel I still play the same trick I played 25 years ago, because if you look at network security, it's very different than endpoint and modular, because network security is in the middle of the wire, trying to stop the bad traffic, and then so that's where most companies only have one device instead of multiple devices, so you see most point solutions in the network security space all disappeared in the last 10, 20 years. At the same time, every year there's a new function needed to add on the network security box there, so that's where you need to have a single box, single OS, try to handle as much function as possible. At the same time, the network speed also keeps going up, so how to solve this issue, so all kinds of tricks.
It's really 25 years ago when we created Fortinet. We do believe long term the network security will gradually take over the traditional networking. Because network security gives you the visibility on the application, the content, all these device users behind, compared to networking just connecting all this traffic together. So that's where we started the company. We tried to have a single OS handle as much function as possible, integrate all together, and at the same time using ASIC to accelerate all this function. So you can see from our early days, there's only three, four functions from like a firewall, VPN, antivirus, and then intrusion prevention. Now you have all the other like all the SASE function, all the SD-WAN function, all the CASB, all these DLP. So you see we have about 30 functions now running the same OS.
And half of these 30 functions, about 14, 15, using ASIC to accelerate. But still in the same OS, and then still keeping develop ASIC to accelerate more function and increase more speed and lower the power consumption. And so that's the same trick keeping playing. That's where you can see the market takeoff like 5, 10 years ago, SD-WAN, because we have SD-WAN in the same OS as a firewall. So most of the firewall customers, I think right now we say maybe almost 70% firewall customers starting using our SD-WAN solution. So we become from leader in the firewall into leader in the SD-WAN. Now about two years ago, we also launched our own SASE, which is in the same OS, and also similar SASE function also using ASIC to accelerate.
So that's also we see. I think right now probably around about 10% SD-WAN or firewall users convert to SASE. But you do see the convert rate very, very high. I mean, customers are very, very interested in using our SASE function if they already have firewall SD-WAN customer there. So that's where you see the SASE runtime very, very quick. And actually over 97% of current SASE customers come from the existing firewall SD-WAN customer. So that's making the customer adopt this SASE much quicker, sooner, and more easier compared to whether some other try to do the new SASE deployment. So it's kind of the same trick. Keep adding new function, and then same kind of accelerate the existing function using ASIC and enable kind of more computing power to help in OS.
Got it. I want to dig into that answer in a couple of dimensions. Like one, in terms of the market's willingness to adopt these more consolidated solutions to look more at a platform type of acquisition strategy. Security has traditionally been very best of breed focused, and a lot of customers have bought what they perceive as the best sort of product for each sort of channel, each potential vector. Do you see any shift in that buying pattern, that customers are more willing to buy a consolidated solution and try to consolidate the number of vendors that they're working with for security?
Yeah, I agree. Traditionally, especially big enterprise, they usually have the best of breed, always a kind of point solution because they have different security expertise to cover different areas, but now with all this convergence and also not just on the cybersecurity, but also with networking, the SOC and NOC starting also merged together, we do see the consolidation starting happening, not just enterprise, and some other SMB or work from home has a similar sense there, so that's where we see the trend we're keeping going. That's also especially in the network security because endpoint sometimes you can have multiple endpoint software in the same PC, whatever. But network security, the cost of multiple boxes is definitely too high, and also the cost of multiple solutions, if they're not integrated together, also kind of high.
Whether we can leverage all these different AI or kind of machine learning can help in lower all this kind of manage multiple functional. Once it's integrated in the same OS, you can see also can work together much better. So we do see the trend keeping going both in enterprise and also in the SMB since starting more consolidating together and try to manage together.
Right. And on the other side of the equation, the market seems to kind of be coming to Fortinet in terms of you guys have always had this kind of platform ingrained within your solutions. The FortiOS is common across kind of the solution portfolio. You leverage common chipsets, whether it's the content processor or the security processor within multiple solutions. How does that enable Fortinet to outperform, if you will, in terms of that consolidation? What is it about your architecture that enables you to, well, expand into these adjacent categories?
Yeah, I think the ASIC is really we feel it's the one differentiates us from most other players because they do give us a lot of computing power. So you can enable more function in the same OS and also working together. But on the other side, ASIC definitely takes a long time investment, big investment to make it happen there. So that's why so far we don't see any other vendor to develop the ASIC in this networking security area. So we do see this as a huge advantage for us. And now we already have about 55% market share globally on the unit shipment. So the economy of scale also starting working better because the ASIC chip, the trick is really if you have more quantity, the per chip cost can get lower. Because each time each new chip, you have a big initial investment.
And then also unit cost depends on how many units you can ship in. So that's where we're starting to see the economy-wise working out better and better now. So we're making very profitable business and even take a long-term investment. On the other side, security definitely we see also more and more computing power is also needed, not just in our plants, but also we're starting to see in the cloud, in the infrastructure side. You also need more secure computing power. Right now, secure computing power only accounts for about 1%-2% of the cloud computing.
But we do see this growth very, very fast. It's kind of exponential. And so once the more computing power needed in the cloud in all this big different environment, we also see the benefit of using ASIC, just like how the GPUs and other AI is also needed. We feel it's still a lot of potential going forward.
Got it. I want to touch base on the demand environment more broadly. One of the remarkable aspects of Fortinet is how globally diversified your business is. I think it's over 70% of your revenues come from outside of the U.S. and a broad diversity of countries that you sell into. There's also a broad diversity of sort of macro conditions out there. How are you guys feeling about the spending environment and the degree to which security demand can sustain sort of well even in a more mixed macro environment?
Yeah, I think we've gotten that question in different ways over the last several years. Usually it's about the SMB starts off. And for us, the SMB, maybe it's the sheer volume of the SMB. And we add 7,000 new logos in a quarter. And it's held up extremely well through the ups and downs of the economy over the last several years. The other place we get it is Europe. A lot of questions about Europe. And those are fair questions. But the European business for us continues to be very, very strong. We are number one in the market in Europe in terms of market share. And I think that provides a tailwind to our sales.
And it also means that you're largely selling into, often selling into an install base in the enterprise where some of the products and services that Ken talked about a moment ago in terms of the expansion of what's in the operating system continue to go deeper and deeper into that wallet. Yeah, I think the first two months of the quarter, we kind of looked at that and where we want to be, I think, with that. I think we're starting to see the early signs of some possible disruption in the market, if you will, in terms of the stock market in reaction to tariffs. So we'll get a little more information as we go on that.
Got it. The other disruption people are worried about is DOGE. But if I recall correctly, I think it's low single-digit % of your business in the U.S. federal. So not a lot of exposure there.
Yeah, I think you're correct. It runs in a given quarter 1%-3% of our business. And there's kind of two sides to it in terms of and you've heard others comment on this. Will there be somebody there to sell to and to purchase? And the other side of it is if they're bringing back the workforce en masse, there's an expectation that there's probably going to be a fair amount of upgrading of the cybersecurity systems inside of those organizations in order to support that workforce as it returns to work. We'll see how that plays out.
Got it. Got it. When it comes to Fortinet in particular, I think one of the things investors are excited about is a product refresh coming up within your firewall base. I think you've talked about an unusually large kind of percentage of that base seeing end of life over the next year or so. Can you talk to us about the magnitude of that opportunity? And is that just a product revenue? Is that just a firewall opportunity? Or does that give you sort of more potential to go in and sell the broader solution? Is that an opportunity for SASE attached, if you will, on a go-forward basis?
Yeah. And I think, relating to your last comment, we're calling it the upgrade cycle. And it really, and we'll come back to it, but that really is the opportunity to sell the full suite of products that we have into our install base of SASE and SecOps solutions. And Ken will talk about that, I think, a little bit more. We presented a slide at the Analyst Day. We have an unusually large volume of units that are going end of support in 2026. It's roughly 10 times more than our average in the prior 10 years. And then it's followed in 2027 with another cohort that's about half that size. It's just unusual to see the grouping of that.
I think it has some things to do with some decisions that we made five years ago or four years ago when we announced end of support related to new chips and some other supply chain considerations. So it's really creating the opportunity. What we don't want it to be is a simple unit swap. I don't want to see somebody just upgrading from unit to unit. These units that are out there installed, they're probably something on the order of 7 to 10 years old. They're operating on a different ASIC. They may not have the ability to support the operating system that we have today. And with this, the expanded operating system and the newer ASICs, it creates the opportunity now for that consolidation that you and Ken have been talking about.
Yeah, the customer on average has the box on hand almost 10 years. And that's reached end of the service. And then we do see the opportunity compared to 10 years ago when they bought a box. First, the speed and then the function has a huge difference. Probably average about 10-20 times better speed. And then on the function, probably also two, three times more function than they previously have. And also the customer starting to deploy the network security differently than 10 years ago. So before it's more like secure whatever the infrastructure border, all these kind of things.
Now they have to expand into supporting work from home. They have to do internal data center kind of East-West traffic security there, internal segmentation. So we do see this as like a we call upgrade opportunity. W e do see the customer we so far work with always kind of come back with much bigger planned infrastructure to upgrade than previously just replacing the old box.
Got it. And then Keith, any help you can give us in terms of helping to sort of model investor expectations on how this is going to flow through your product revenues when we think about 2025 versus 2026, just to make sure that we stay appropriately conservative, if you will?
Yeah, I'm more comfortable talking about units than dollars in this particular context. But I think that the guidance that we've given to people, things to consider, one is that we know of that cohort that we talked about for 2026, which is call it 650,000 units. One, 15% of those units are not pinging home anymore. And so they're probably end of life someplace and doing something else perhaps. But also we look at our customer base and our customer types and what our expectations are about when they're likely to start on this upgrade journey.
When you look at a larger enterprise that has a more sophisticated IT organization and a more sophisticated purchasing organization and security organization, than say an SMB, and there are larger upgrade cycles, we believe, and we saw some indications of this in the fourth quarter, that those larger enterprises will purchase and go through the upgrade cycle in a more methodical basis. It's simply too many units to take down all at once, and so while we got some tailwind, we think from the fourth quarter on some of our larger firewalls, we would expect those larger enterprises to continue that purchasing pattern as we get closer and closer to the end of service date. If you look at the SMBs, it's quite possible that they're more likely to wait till Sunday night to do their homework, shall we say.
They may wait until closer and closer to the end of service date before they actually go through that change. And that cohort or that sub-cohort could be more of a 26 event. You probably have another group of customers that are someplace in between with the service providers, which oftentimes are selling to the SMBs. But again, they're more sophisticated in their buying behaviors, their security considerations. And they're more apt to start that planning and purchasing process earlier than the SMBs.
Got it. So as we go through this refresh opportunity, is there a particular playbook from Fortinet in terms of go-to-market to improve sort of the services attached on the refresh to make this more than just a box refresh? And if so, have you seen any early indications of how effective that's going to be on this refresh cycle?
Yeah, Ken talked about some of the numbers earlier. Well, first of all, keep in mind our first sale is almost always a firewall. I mean, that's who we are. The expansion sale, 90%-95% of my first sale is going to be a firewall. The expansion sale and the SASE group or the SecOps group, again, 90% of those are going to be to my install base. Ken talked about the penetration rate. He used the example of our larger enterprises. We're 70% of our larger enterprises that have firewalls are also using our SD-WAN technology. And of that cohort, that 70%, with the SASE solution really being brought to market about 15 months ago, that penetration rate is already about 10%. That's a very fast move on that cohort. So we're seeing success on it.
Do I have examples of larger enterprises that got ahead of us a little bit and started buying before I had a chance to go talk to them about SASE? Yeah, there's some of those. But we're really working hard to make sure that the sales understand the expectation that it's not a simple unit swap. What we really want to do is offer more of a platform play for those customers.
Got it. Got it. You guys recently revamped the business model and the go-to-market strategy to capture more SASE and security operations deals. Can you talk more about the revamped strategy and why is now the time to sort of undergo that transformation?
We do see, because of this work from home and also some additional function like a DLP, CASB build is needed in an enterprise. There are more interests in not just traditional network security, but also some other SASE function. So that's where we see probably the advantage we have really is first, we are the only company that have all the SASE SD-WAN in the same operation system. So that's where when customers which already have the firewall, which we have a majority market share, they can very easily turn on the SD-WAN and SASE. That's very different than other SASE companies that have to do all the different kind of Pool concept installation of these things. So the switching costs are much lower.
The second, also for SASE, we do have a SASE because in the same OS we also can deploy whether we call the local or the private SASE or sovereign SASE. So they can deploy locally with their own data center. So we have a lot of bigger customer enterprises, especially financial services customers. They want to have their own kind of SASE infrastructure. So they don't feel comfortable having the data go outside to be processed and sent back. So they would rather control the data themselves. So that's where the private or sovereign SASE got more and more important. We see a lot of new cases. And then the third one, we also starting to invest in our own we call the secure cloud infrastructure more than 10 years ago. So globally, we own about 4 million sq ft building and data center office all these things together.
So none of our other SASE players has this infrastructure. Because when we own all this infrastructure, the cost is about like one fifth or one tenth of the cloud provider can offer. And also probably half or one third compared to colo company can offer. So that's what you can see for SASE, we have a very, very price competitive solution there. And same time our margin also among the highest margin among the SASE players. So that all give us kind of advantage.
T he single OS, the sovereign SASE or private SASE for customers themselves to deploy or own kind of infrastructure with a cost advantage with also not just the data center, but also with technology like a FortiStack or this kind of software to manage all this together. So that's what we do believe will be we are the number one in the firewall SD-WAN. We do believe we'll be the number one in the SASE player because of all this differentiation we have.
Got it. And where are we in that build? I think you guys have talked about over 150 points of presence in terms of building out the cloud infrastructure for SASE solutions. How big does that have to get? How much further do you have to sort of expand that network on a go-forward basis?
We kind of using this 70-30 rule, so we try to see 70% traffic still goes through kind of own infrastructure, then the 30% probably still goes to cloud provider, colo company. Because for us also, there's some remote location or certain areas probably not quite for us to make sense to invest in a data center ourselves, so we still want to partner with a cloud provider, partner with also colo company because the SASE growing so quick. Usually you build a data center, you probably take two to three years, and also a lot of location probably not make economic sense to build ourselves. Whether data center, you do need like 100 racks or all this kind of make it work in like probably every $10-$20 million investment to get all this up and running.
Probably that's working with a partner still the best solution for all this like 30%-40% of market share.
Got it. So is that where like the partnership with Google Cloud comes into play?
Yes, Google Cloud, yeah.
Sort of things.
It's a merger like a co-lo company and other cloud providers thing.
Got it. Got it. I want to talk about the security operation side of the equation. You have a portfolio that now goes into FortiXDR, FortiSIEM, FortiEDR. And I think it was about 11% of billings in Q4. Why is this a natural extension for Fortinet? The move into SASE makes sense. It's leveraging kind of the same network and the same equipment. Why is it as natural of an upsell for Fortinet to sell the security operation side of the equation?
That's kind of because, like I said, there's so many different part of infrastructure. Probably difficult to integrate the same OS. Like email security, very difficult to integrate with whatever the FortiGate or whatever network security and same thing in the web and all these other endpoint, the same sort of other things. So that's where for the enterprise, the biggest cost is still the management cost. So how to make it working together, we usually call it a fabric. Make sure different part of infrastructure security can working together. So that's where it's kind of important. We call it the SecOps, how to help him lower the SecOps cost. So because we do apply a lot of AI technology in this SecOps area.
One thing you probably notice is really so we not only the number one patent over like probably like 1,500 patents in this cybersecurity, but AI patents as well. It's almost 500 AI patents in the last 20-some years. So we do spend a lot of time applying all this AI innovation into this secure operation. And that's make us the biggest AI patent company among the cybersecurity space there. And that's give us huge, huge potential going forward.
Got it. I mean, can you give us some examples of sort of how Fortinet is embedding AI, how that's improving sort of the solution? Are there any sort of use cases or sort of particular functionalities that you're seeing making a big difference for your customers?
Yeah, we have almost like the FortiAI already apply almost 10 different products from FortiManager, FortiAnalyzer, FortiSOAR, all these other things. You can see using AI, they can automate a lot of process instead of try to see a human try to dig out what's happening now, like a security break-in and how this relate to the previous data and all these different other part of infrastructure tool. So that's what FortiAI, we demonstrate in the last two years, every year in this user conference, how AI can help you solve secure operation issue, the intelligent issue, the customer supporting issue. One other potential big area also will be eventually we also feel network security can also apply to home user consumer, which is not happening right now because supporting costs way too high.
And the only way is really using AI to solve that, right? So if your AI can solve like 97-plus% of supporting, and then that's what the network security can expand into the consumer space, which that's also the reason we acquired Linksys and then potentially can try to solve that issue there.
Got it. Got it. So I think from an investor perspective, I think a lot of us focus on the ability of AI to help solve the security analyst problem with people, like the fact that there's not enough security analysts. And that sounds like part of the equation. The part of the equation of the customer support, the complexity for the home user to be able to actually do networking and do network security well, I think that's gone under the radar, but that could be like how do you think about sizing that market opportunity on the consumer side?
Consumer is a huge, not just people starting working from home, but a lot of home device connect online also need some kind of security protection. Because a lot of these OT, IoT device, most of the time the only way to secure is really using network security because they are very difficult to load any agent on the device itself. So you have to depend on network security to secure it. So we do see it's a huge opportunity actually, not just work from home consumer, but also a lot of like operational tech area. We see that's the fast growing area for us. Like whether the ruggedized device, all this kind of utility manufacturer, all this smart city, all these things, we see huge and connected car, that's another example. It's a huge growing for us right now.
Got it. And you guys talked about OT security sales approaching $1 billion in 2024. It's been a big part of the Fortinet growth story for a while. I think one of the things that's made operational or OT security difficult is the heterogeneity of what needs to be protected out there, especially when you go into manufacturing environments or factory floors and the likes. How does Fortinet deal with that? How does Fortinet take what is a very complex environment and find an appropriate route to market or an efficient route to market for OT security?
The OT security kind of different than the traditional network security is really they do need to invest in a lot of different technology, like whether the ruggedized environment or kind of an operating system more related to the real-time OT operating system. You understand the protocol they have, but also they have a long sales cycle. Much longer, usually the OT technology probably take one to two years on the sales cycle to get in there. But also the tail end also much longer. They usually need a device to be there for 10, 20 years. So that's where we need to make sure it's very stable, long-term ruggedized device, but also can stay there for a long, long time in the rough environment. So that's for long sales cycle, but eventually tail also much longer.
Got it. Got it. Got it. I want to shift gears and talk a little bit about sort of the FY25 guidance. Maybe to start out with, how do you guys think about balancing growth priorities between the traditional network security business? You have a refresh that you're taking care of, but also making sure that there's the right amount of focus on some of those high growth areas and the new emergent opportunities like SASE. How do you guys think about managing that balance?
Yeah, I think the business model itself creates a lot of cash flow and creates a lot of margins. And with that, it gives us the opportunity to reinvest in the business. Excuse me. And the decision points really become back to how much of that gets reinvested back into the operating system, the ASIC, if you will, but also how much gets invested into SASE and SecOps. And as we look further out, what the consumer opportunity might be. I think that we feel very comfortable in terms of the opportunity to continue to balance growth and profitability. It is, when you look at the revenue part of the business or the industry, still a fragmented industry. And with that, there continues to be the opportunity to take market share, particularly in the network security. And we don't want to miss that.
But at the same time, I think we've successfully demonstrated the ability to continue to make investments in both network security as well as SASE and SecOps and maintain the margin and supporting growth.
Got it. So as we think about the dynamics of a sort of a big product refresh coming on a go-forward basis, but still big opportunities when it comes to some of the newer growth subscriptions like SASE and SecOps, how should we think about the cadence of growth on the subscription and service side of the equation versus product revenues?
Yeah, I think the part of the business, we kind of get a similar question about contract term and duration because you get a little bit of a difference every time you sell a SASE solution. The size of the network security, the firewall, the switches, the access points, it's still running about 65% of the business. And it's a very significant portion of the business. SASE and SecOps making up the remainder of it. It's going to take a little bit of time for both the contract duration to shift from what we've shown historically at 27-28 months and that mix shift to come through the business.
We expect not the contract duration to be something you will see because of the size differential. And what we're seeing from our SASE and SecOps solution customers is that they are buying oftentimes more than one year contracts. So you're kind of looking at that same dynamic between the two.
Got it. And if we think about demand drivers, I'm thinking back to kind of when we had all the SaaS transitions. We started using a lot more kind of external applications. It was a good tailwind for overall network security, a lot more network traffic going on. It feels like we're coming into a build-out cycle around generative AI, a lot of new applications people want to build out utilizing that. Could that provide similar tailwinds to Fortinet in terms of more surface area to protect, more network traffic that has to go through the boxes?
Yeah, whether the General AI or some other AI like MOE or certain AI model, we do see there's a lot of opportunity can apply into this cybersecurity area. Because like I said, the AI definitely helping lower a lot of management costs and also can respond much quicker. And then they also open up the new opportunity like consumer market dependent AI to handle some supporting. And then there's a lot of AI applied to OT, LT robot area. That's also need kind of some kind of security to protect the data there.
And even protect the AI data center itself, we started to see some takeoff in that business there because people worry about what's the data you want to fit in the model, what output they may give you, whether it will be some kind of a data leakage prevention thing there. We do see a lot of new opportunity come with AI.
Got it. Got it. And then to touch on the margin side of the equation, Fortinet has always been a very efficient company. How much operating leverage is there left in the business? And how should we think about the balance? You started talking about this a little bit before in terms of what can flow through to the bottom line for investors versus what you guys are going to take to kind of reinvest in the growth opportunities on a go-forward basis?
So we do upgrade from the Rule of 40 a few years ago to Rule of 45 last November. And that's the commitment we have to the investor. And we're hoping we're keeping improving going forward. But I think right now we try to balance among the growth and the margin. So that's why we try to see the Rule of 45 will be the model we can hold on.
Got it. And I think within that Rule of 45 that we're modeling, we're very excited about it. I think we're very comfortable with the amounts that we have available to invest in growth. And that focus will continue.
Got it. Got it. And maybe just one last question to kind of wrap up the conversation. You guys have at the most recent analyst day, you guys talked about a three to five year CAGR of 12% plus on a go-forward basis. Can you give investors a framework of the equation, if you will, of how we should think about what drives that growth on a go-forward basis or your confidence in the durability of that growth on a go-forward basis for Fortinet?
Yeah, fair question. I think we look at the three pillars of our business that we've talked about. And we do one of the inputs to that would be what organizations like Gartner and such are showing for market growth over that period of time, whether it's in firewalls or switches or access points or SASE solutions, SASE, SecOps, et cetera. And we do some weighting around that given our relative mix of business and where we might end up. I think we're also certainly very aware that we've shown consistently the ability to take market share.
So whatever a third party may offer in terms of market growth dynamics, we have an internal expectation that we're going to outgrow those numbers because of the market share. And we also make sure that we have things like the sales capacity and the sales productivity that will support that number. I think that put us in a very comfortable position in terms of what we provided at the Analyst Day in terms of mid-range targets.
Got it. Unfortunately, that takes us to solid six seconds left there, but that takes us to the end of our allotted time frame. So Ken, Keith, thank you so much for joining us. Appreciate that time.