Companies, and I wanted to get your perspective.
Yeah, I would say cybersecurity is a very resilient market. The threat actors are not going away, and so far we do not see any impact on our business from the volatility that you hear about and the expectations that GDP might go down. We are very confident that we are not going to be impacted, and so far we do not see signs.
Yeah. Ken, when you discuss with your customers, when you discuss kind of spending plans with the customers, how do they react to the uncertainty because of tariffs, etc.? Is there any hesitation? The reason why I'm asking it is because there are two parts of your business. You have the growth, SaaS and OPSEC and others, and then there is also the more "legacy" that customers can sweat out or customers can upgrade, delay upgrades. How do they react to the uncertainty overall?
I think if you look at the cybersecurity space, there's some change in our environment, where the working environment of more devices connect online now. That all drives the additional growth, plus now the AI is the other driver. We do not see this spending slow down. Even in the current environment, a lot of the uncertainty, but cybersecurity is probably more resilient compared to other IT spending. Even like there is up and down in different markets this year, cybersecurity markets are still pretty stable, whether on the stock market or some other things there. I do believe the convergence will continue going forward, and also the format may change a little bit because the next 10 years probably need more secure, a lot of devices compared to the last 20, 30 years, more secure people, whether the laptop or phone, all these are connected there.
A lot of OT, OT security need to keep on growing, which Fortinet is the leader, probably the only leader actually based on the Westland report. On the other side, some change in whether SaaS, ZTNA will also transition the current firewall into the next generation. Traditional firewall is more about the NAT, that's a firewall VPN, that's my previous company, NetScreen. And then when we started Fortinet, there's other, we call the UTM on NetScreen firewall. Now in the same Forti OS, you see all the SaaS functions built in, all the DLP, all the CASB, all the WAF, all the functions are built in the same OS as a firewall SD-WAN. I feel this network technology, network security technology will continue to evolve, especially when we secure this IoT, OT environment. It's very different than secure the people, laptop, mobile phone.
You have a pretty standard operating system, but OT, IoT, most devices have a different operating system, have very limited computing power. Most of the time, the only way to secure it is really by network security. It is very different than the traditional endpoint security market, has a pretty standard operating system. This is all different operating systems, and that is where there will be 10 times more devices connecting online in the next 10 years compared to people connecting. That is where I feel there is a lot of driver for the network security growth. Network security continues to be one of the biggest markets in cybersecurity, so we do see keep growth double digit.
Tal, I think you mentioned tariffs, right? I think there's a lot of anxiety around tariffs because we still promote our hardware, which is extremely important to accelerate security. For us, I think it's important to understand that first of all, our products are predominantly exempt, maybe some cables coming from somewhere. Our market is not only the US, our market is very global. That's another area where internationally we are not impacted by US tariffs. I think we continue to say to our customers, to our partners, I don't want to say don't worry, but let's be transparent. The tariffs right now should not have an impact on your pricing, on your products, and we will inform you if something changes.
Got it. I'll get back to it. I wanted to ask Ken about platformization. I'll ask it from a different angle, not the way that Palo Alto describes platformization. Bank of America says publicly that we have over 300 vendors for security. On the other hand, when I look at the offerings today, I don't know if there is room in the market for another box, another point solution. It could be a service, it doesn't matter. We see companies offering wider and wider sets of solutions. Where is Fortinet in this journey to expand the portfolio horizontally and go into adjacent markets and offer, I'll call it end-to-end solution, but you know what I mean, a platform for security?
I think that's where if you look at the platform, it's all dependent on where you deploy the platform. The network security tends to be more based on in the middle of the network, right, to stop the bad traffic or whatever. There's an endpoint more deployed in your laptop or mobile phone. There's some also deployed in the cloud, like WAFs or some other things there. That's where if you look at the network security, that's why I do believe a lot of things, probably IoT, you do need a network security like IoT, OT security. Most devices have to be used network security to secure. Network security, because it's more based on some appliance or some screening of traffic in the middle network there, you do need to handle more and more functions.
If you look at the Forti OS, we started probably like four, five functions 25 years ago, traditional firewall, VPN, the antivirus, intrusion prevention. Now we have about 30 functions now, including all the networking functions, all the switching, routing, all the SD-WAN, and plus all the security functions there. I do believe we'll continue to add more functions and then integrate in the same OS, and then using ASIC to accelerate all these functions. Right now, ASIC can accelerate half of these 30 functions. That is improvements performed by 10X average. That is the progress. That is also the reason in the network security space, you see pretty much no standalone or single point solution provider anymore, whether FireEye or some other one are starting to disappear.
If they only offer like sandbox single function there, you have a very difficult time to compete with a platform when they add a new function with existing function, integrate together, then starting to disappear. The same thing even like SD-WAN space, like five, 10 years ago, a lot of SD-WAN player. Fortinet is the only one we develop internally, integrate with the firewall, with our network security, not with the SaaS. That is where in a few years we become the number one in SD-WAN because it is well integrated with other functions. Very easy from networking to the firewall, from firewall to the SD-WAN. That is where over 70%, actually 73% of enterprise customers, which is use of firewall, also use our SD-WAN now.
That's where when the function can integrate into the platform, especially network security, the single function device has a very short life, only for a few years, because once the platform player catches up, the customer is always willing to use the platform side, which costs lower and is more easy to manage and works together better with other functions. That's in the network security. I think in the endpoint, in the cloud, it's a little bit different story because you do can load multiple agents on your laptop. You maybe can run multiple applications in the cloud also, but on the network security, mostly it has a single box. The more functions they can process, the better.
Do you think there is synergy between SaaS and firewall? The reason why I ask it is because Zscaler is saying the opposite. They say SaaS is a separate market. Actually, they want to replace firewall.
Which is not the case. If you look at, we only launched our own SaaS like 18 months ago. If you look at the Gartner Magic Quadrant, I think released last week, we become the fast growing SaaS in the top three, top four player. That is where in the earlier release, I keep on saying in a few years we'll be the number one SaaS player. I feel we have three key differentiation compared to Zscaler or any other SaaS player in the market. First, we have the technology integrate all the SaaS functions, including SD-WAN in a single OS. None of them in the single OS, they have to come from different box, democratization, SD-WAN, different CASB or different kind of DLP.
We are the only one can integrate in the same OS, which gives the customer you can deploy in the cloud or deploy on-premise using hardware, the same OS. The second one, since we have the biggest customer base in enterprise, we have over 800,000 customer base, bigger than any other SaaS player. That is where it is very quick for current firewall network security customer to migrate into SaaS. That is the reason in the last only 18 months, we have become the fast growing and probably the top three players. We have over a $1 billion unified SaaS market right now and continue to grow faster than any other SaaS player.
Then the third one, also we started investing in this, we call the because SaaS eventually, you not only compete on the function, but also compete on the cost of the infrastructure because SaaS has to leverage cloud or infrastructure process or the traffic. That's where whoever owns some infrastructure has a cost advantage because if you're using cloud provider compared to your own infrastructure, cloud provider charge probably like 5-10 times more expensive than the only infrastructure. Even the colo, the only infrastructure probably only one third cost compared to the colo. That's where in the last few years, we probably invest billions of dollars into the infrastructure. We have a global facility over five million sq ft and a lot of data center, all this one, which we have our own engineer running it, has a much cost advantage.
That's where the three key differentiation, the own the technology into a single OS, the bigger customer base, very easy to migrate to SaaS, and then our own infrastructure, which none of the other SaaS players has these three advantages. That's why we feel we continue to grow probably the fast in the SaaS market and will be the number one in a few years.
So there are two deployment models for your SaaS. One is to use your own infrastructure and the other one is to use public cloud. I know you said once that if a customer uses your own infrastructure, your price could be one third of the price of Zscaler, for example. What happens to the pricing advantage if the customer uses in areas where you do not have infrastructure or they have to use public cloud? What is your advantage then in that case?
There's also a third case. It's really we're working with a service provider carrier. We offer, we call the sovereign SaaS or private SaaS, leverage their infrastructure. We provide the product, the technology, right? That's a sad mod. But It's rarely customer's choice, right? Sometimes they already are cloud users, right? They can use whatever the cloud they consume. We do give them flexibility. You can use in the cloud, you can use in their own service provider or their own, a lot of like a bank or financial service, they also try to use their own data center. That makes the data stay within their data center, process within their data center. That's what we call the private SaaS. Then there's a lot of sovereign SaaS. We are much more international than most other SaaS players.
We see a lot of sovereign SaaS requirement. The third mode is really use your own infrastructure, which we have advantage on the cost and also on the talent on the engineer side to supporting costs. We have a lot of other technology beyond just a SaaS, like secure storage, like secure content, like all these Fortinet stack, replace a lot of virtual machine, all this kind of technology. We will be more secure, more cost efficient for our own infrastructure. That's where we kind of let customers select.
Yep. Christiane, you made some comments in the last conference call about conservatism, sales conservatism during Q1 on the Q1 call. Can you walk us through some of the conversations you had with your sales team, with the market about the outlook? Can you also remind us the changes you've made in order to improve the pipeline hygiene and provide better outlook?
Let's start with conservatism, right? We came out of a, I think, month at the end of April where a lot of news came up, right? Around tariffs and so on and what is the impact on companies? What is the impact on our customers? How do interest rates develop? How does the US dollar develop? There was a little bit more uncertainty despite the fact that I mentioned cybersecurity is resilient. We had a good April, a good month one. Because we are a highly diversified company with a lot of business coming from smaller entities, a significant portion of our pipeline develops throughout the quarter. We have good visibility into large enterprise deals. We know the size, we know whether it's an existing customer or whether it's a new customer. We can apply our kind of risk-adjusted models to the pipeline.
For the lower end of the market, we rely on in-quarter pipeline. That is harder for us as well as for the sales teams to assess in times of uncertainty. That is where some of what we may call conservatism came in. In addition, we have scrubbed the pipeline, of course, more so, and we are putting more diligence on the management of the pipeline. There may not always be run rate markers anymore in the pipeline until they know that it is confirmed it is coming, right? It is a combination of factors that made us pause a little bit too and say, okay, let us continue to execute well and see what Q2 brings.
As far as the environment, we're now in June, as far as the environment versus what you saw in April, are you in a better position, worse position, or how did the environment change?
I think understanding a little bit more that there's going to be, I think, constant news, right, and trying to calm down the news and just allow us to work with our partners, give them confidence that the tariffs are not impacting them, give them and also the US dollar, of course, with the deterioration may actually benefit us long term, not from a cost perspective, but from a sales perspective because we price in US dollars internationally. That can actually help us. I think we see good confidence globally that the markets are stable.
Yeah. And you're a new CFO for the company. You're not new to the company, but new CFO. Can you talk to us about your guidance philosophy? How do you view when you provide guidance? What are the things you're looking at and how do you set the guidance?
Guidance setting is not a CFO job alone, right? It's not just mathematical models. It comes from a bottom-up pipeline perspective. It comes from factoring in multiple aspects, whether it's sales capacity, whether it's the economy, it's the sales commit, it's the composition of the pipeline, and everything else. That gives us kind of the overarching number for billings. Then, of course, we look at deferred revenue for service revenue. We look at the pipeline composition to determine how much is hardware. I know a lot of you are asking always, what's the refresh cycle doing, right? Of course, we look at what's the renewal pipeline versus what's the new business and refresh pipeline to determine what is our hardware revenue. That's shaping.
Got it. I'll come back to something you said, but I want to ask Ken about data security, AI security, because when we talk to companies, like we're not practitioners in the sense that I look at the market from the outside, but when I hear a lot of startups and a lot of public companies talk about something, I know it's a trend. I always see things a little bit in delay, but at least I can figure out there's a trend. The trend over the last few quarters or the last few months was that companies talk about data security, more about data security and AI security. We heard it from you look at the strategic direction of Zscaler and just the discussion I had now with Nikesh from Palo and what they announced with security, AI security.
First, what is your view on the space? And then how is Fortinet playing in these markets?
Yeah, we are a more long-term player in the space. So we started investing in AI probably 15 years ago. You can look at the number of patents we have. It's over 500, more than any other company in the space. But we are also a little bit different than some other companies. They tend to announce something and they are not there yet. We tend to say something which we already delivered. That's where it's very different. For AI, we have probably three main buckets. The one we usually call, probably the biggest one right now, we call the AI assist. There's probably over a dozen products. We do charge 20-25% more when they enable the AI. It's like a FortiM anager, FortiAnalyzer, Forti SIEM, Forti SOAR, all these helping the secure operation.
That's where we started to see some good revenue coming from. They will call the Forti AI- Assist. They do have, we call the Forti AI- Protect. That's also come from the intelligence there, come from all these other like how to secure the AI infrastructure, secure the data, what's the go into the model, what's come out. That's also working quite well. Also internally, we also use a lot of AI to do the development, to handle the customer supporting. There's like a 30-40% supporting already can handle the use AI to handle. That's where we are in the AI space for quite a while. We probably, once we see the big achievement result, then we probably promote more instead of some other company always talk about since probably not there yet.
We will only release or see something when the product all released.
Yeah. There are two types of when you talk about AI, there is the utilizing AI to improve security or alternatively the security of AI. When you deploy AI modules, how do you, so can you distinguish between the two and talk about where you are? I think you spoke at the beginning, you spoke about using AI, utilizing AI in order to improve security.
Yes. I think that's where we have quite some improvement on both sides, whether using security to secure the AI or kind of use AI internally. We do have a customer more concerned about how AI eventually may cause some security issue. That's what we keep on working with them, not just some customer, but also not just some AI company, but also some service provider, some customer which have the data feed into the AI. Internally, we also use a lot of AI ourselves. That's where it's kind of both.
Got it. Christiana, I'm going to go back to something you said, and I want to understand. When you provided Q2 guidance, it was a tad weaker than expected. Then when we spoke about conservatism, right? Is there a delay? Before that, in the quarters before that, we spoke a lot about the refresh cycle of firewalls and end of service and replacement of end of service. Is there a delay in customers' deployment of new firewalls ahead of end of service because of the environment? Do you see any correlation between some economic uncertainty and the timing in which firewall upgrade is happening?
So far, I would say we haven't seen a delay. In Q1, we had good Fortinet growth, right? 15%, which was higher than the overall product revenue growth. In Q4 last year, we saw good growth in the mid-range segment. There are always different segments that are growing faster. What gives me confidence is that when we analyze the customers that had end of support devices and who purchased in Q1, they all purchased more than their end of support devices, right? We are able to expand and sell more devices, more services, which is what we actually want and what we promised we would do last year when we announced we have a pretty big cohort.
Yeah. You have a big—so I asked you this question before. I'm going to ask it again because it's important. When you show the chart, there was a big cohort for 2026 end of service, and there was not much smaller from a number of products for 2027. Does it mean that we're going to have two years of big kind of upgrades, or is there a difference between the 2026 cohort and the 2027 cohort?
Yeah, there's a pretty big difference in the two cohorts. The 2026 cohort is composed of about, value-wise, one third of large firewalls, one third of mid-size firewalls, and one third of small firewalls. The 2027 cohort is the low end of the low end, right? It's pretty much one model that drives all the units up. And so value-wise, it's not as important. What we do have and what we expect, and this is why also our targets were set this way, is that we expect from the growth during COVID that in 2027, 2028, we will have a natural, not necessarily forced upgrade cycle that customers will go to the next generation because they've deployed the firewalls they purchased between 2021 and 2024 for four or five years, which is a natural upgrade cycle.
2026 is really a forced one where the technology is so old that it's not going to be supported by us anymore.
Got it. I want to go back to SASE, Ken, and ask about SASE because it's such a big opportunity. There used to be two players in the market, and now we see Cisco, a firewall company, going into SASE. We see Check Point buying Perimeter 81. We see yourself. What do you think is going to, first of all, do you think this market is commoditizing? Do you think that this market pricing will go down? I mean, you're at the good side of the market because you are a price disruptor. Do you think overall the pricing will go down, commoditization, or do you think that the market could still be this unique kind of high-end, etc.? Also, sorry, it's a long question, but Microsoft.
Microsoft is in the market, and their pricing, if you just look at what they say that they charge for Entra, is extremely disruptive. Just talk to us about overall the pricing environment and the market environment.
Yeah, that's where I put in the three categories. There's a dedicated SASE player, like Zscaler, Netskope, all these things. There's come from the cloud provider or service provider, which is whether Microsoft, even Google started getting in. I think some of the telecom service provider, we're also working with them, maybe will offer similar things soon. Then there's a traditional firewall company trying to evolve in the firewall into SASE without a SASE function integrated firewall. That's Fortinet, Palo Alto also. That's where when there's more competition, I feel there will be a price pressure. Also, we'll see who can offer some easy migration. That's also kind of important. That's where for us, that's where the focus always on customer, how to easily migrate from the traditional firewall into this SASE or these other things in the same OS.
Then also we started investing in infrastructure. Like five to ten years ago, we spent $1 billion in infrastructure. We feel we'll be benefiting in the next few years. You'll see the huge benefit. That is where compared to some other player in the space, I do believe that is also the strategy in the early days when we do the SASE. I always try to enable the service provider, including cloud provider, to SASE. I have to say they moved kind of slower compared to the SASE player. We do not want to miss the market. We also want to play ourselves. That is where we changed the strategy 18 months ago. You can see we grew very fast, the fast growing SASE top player. That is where we feel will be more competition because there is a customer need.
They do need to have supporting work from home, this kind of ZTNA environment. On the other side, SD-WAN is the most important part of SASE since we are already the number one in SD-WAN and also number one in the firewall, which is in the same OS as SASE. We do feel customer migration, we have the easiest solution to customer, which also can enable a lot of other service providers using our hardware advantage and the ASIC advantage. That is where we feel we position quite well in the SASE space to compete, which a lot of other SASE players do not have any of this advantage. That is where we are pretty confident. That is what I keep on saying will be the number one SASE player.
Great. We only have one minute left. Sorry. I know I already have questions, but is there any question from the audience? I only managed to ask. I have four pages. I managed to cover one page of questions. I know there are probably some other questions from the audience. No? Ken, I'll ask you. I'll use the last minute just to ask you about OT. Last year, you said, or recently you said you're approaching a billion dollars in OT. Can you talk about the opportunity? Can you talk about what is positioning you better than others in this space?
Yeah, the OT area we invest for over 10 years. Not only the platform, you do need to have some recognized solution, but also understand the OT environment, what's the traffic pattern, the protocol, what's the device, how to identify the device, how to secure all this traffic. That's where we're doing that for more than 10 years. We have probably a billion dollar, over a billion dollar in OT security now. That's also I believe OT will be one of the fast-growing network security market going forward because OT, to secure this OT, IoT device, some other technology in the cybersecurity will be very difficult to apply, like all the endpoint solutions, some other traditional, even the cloud-based solution because OT is really a lot of data, a lot of devices on deploy on edge.
You do need to have some physical, some edge solution to process in real time. That is where I feel we have an advantage. That is where, because like I keep on saying, the next 10 years will be 10 times more devices connect online than people connect online. That is where this 10 times more devices will create a lot of security issues and will be a big concern for most users and even people ourselves. We can see how many appliances and phones connect online now and how we can have to work remotely. Eventually all the robots, all the connected cars, all will have some security issues. That is where I feel will be a huge market opportunity. Also, it will be a pretty complicated market. It is very different than the traditional laptop or mobile phone security. It is OS very standard.
This one is a different OS, different device, different traffic pattern, different platform. It will be a pretty complicated area, but you do need a long-term investment to play.
Got it. Great. Thank you. We ran out of time. Thank you. Thank you, Ken. That was great. Thank you.
Thank you.
Next time, I'm going to ask you the other three pages.