Vertical right now. I wanted to ask you the question on where has Okta earned the right to win by asking you what you think the company's core competencies are.
Sure.
Through that lens, what do you think is Okta's most central core competency or barrier to entry, and how do you then leverage that into deciding where you're going to participate in the broad identity?
I think the identity itself is a, it's a fairly broad functional space of problems to solve, but at its core, it starts with knowing who people are and knowing who machines are and knowing who agents are in their world. We can talk about that. When someone takes an action, one of those things takes an action, being able to authenticate it is who it says it is, or it is who he or she says they are. That authentication is kind of the beginning of the conversation. What we've seen over the past, Okta's now 17 years into this journey, is our customers have really pulled us into more and more advanced use cases. There's been three waves for us that we've had to manage through. Wave one was the shift to cloud.
If you go back to when we were started in 2009, 2010, the industry was going through a transformation where customers were going from managing all their systems in their on-prem data centers into managing a hybrid world that's both on-prem and cloud-based. As they're bringing in web-based services, one of the first fundamental challenges they needed to solve was that functional challenge of how do I authenticate users in a directory in both on-prem and in a hybrid world? Okta came in with identity as a service and providing core access management to solve that fundamental problem. We've been very successful in that space. As that market matured, that then pulled us into additional areas like multi-factor authentication and then adaptive multi-factor authentication. What we saw along the way is Okta's really good at making the complex simple.
It's really good at making products that are easy to administer and that are relatively straightforward to configure. Relative to legacy providers, can be managed in a way that customers have confidence that it's deployed accurately and that it's deployed the way that they intended and that it is being managed the way that they intended. An Okta deployment is typically, it's mostly a perfect administer and less fragile than a lot of legacy vendors. That brought us a lot of credibility with our customers. It caused them to ask us to help them solve additional use cases. Start with access management. Great. You can look at all the metrics you want about Okta's leadership in this space. You look at things like, like I mentioned, multi-factor and adaptive multi-factor. Customers asked us for a way to automate the provisioning and deprovisioning of accounts. We created a product called Lifecycle Management.
That allowed for onboarding and offboarding. When somebody's hired, you create a user record for them. When they're terminated or they leave, you delete that user record. We then expanded that. That worked great. Customers needed us to help them solve more generic business rules. We brought our Workflows product to market that lets you expand upon that. As the years progressed, people kept pulling us into adjacent use cases. One of the big ones for us right now, we talk about very publicly, is identity governance. Lifecycle Management is step one, provisioning, deprovisioning, Workflows makes that more general. Identity governance starts to, customers have a need to deploy business rules and logic and approvals and auditability in a way that allows them to report that they're managing their systems properly. We've recently entered the governance space.
We're very pleased with the performance of our Okta Identity Governance, our product in this space. We announced in Q4 a couple of quarters back that it had crossed $100 million in ARR for us. We're really pleased with that. This most recent quarter, we announced that new products in total and anchored on governance continue to be a very healthy contributor to our bookings. Beyond governance, we look at privileged access. Now, how do we take machine accounts and highly privileged accounts and manage them in a way that is vaulted and rotated and stored through privileged access? Those areas have been what's together. To your question about how do we differentiate, the way that we differentiate is in conversations with CIOs, in conversations with CISOs, they have all these use cases that they need to solve.
Historically, they've had to attack all these use cases by going off to a bunch of different point solutions and a bunch of different vendors. One of the things Okta's done really, really well is we've earned the trust of our customers. They trust our technology. They trust that when there's an issue, we help them resolve the issue. They trust that we're transparent. Our customers have asked us to help solve more of their identity use cases. What we see right now is a very strong interest for CIOs and CISOs in this wave of vendor consolidation as everyone's trying to simplify. They want one identity partner. They want one identity partner that can address all those use cases. What we provide is what we describe as the identity security fabric.
It's the combination of all of these technologies, the ones I'll mention, plus our Auth0 product for developers, and our security products on top of this. We provide things like posture management and threat protection, which is our ITDR product. All of these are woven together in what we call this identity security fabric. A core differentiator for us right now, what customers look for is they believe Okta is their one-stop partner as a neutral identity provider that can support all their identity use cases.
Yeah, maybe let's stay on the idea of credibility and solving adjacencies. Sometimes we hear industry concern and industry feedback that Okta is a great business enablement tool, but they're not really a security company. Maybe help us refute that directly. Have you made progress with some of the security relationships? How do you think about balancing across business enablement and security in a central agenda?
Yeah, that's been an evolution. I mentioned the first wave for Okta, that our first wave of growth back when we were founded 17 years ago was about the move to cloud. The second wave for us was a recognition and an acknowledgment and a mobilization within the industry that identity is security. What started as a technical problem, how to allow people to move to the cloud, has really become, it's turned into also a very significant security challenge for people to manage. Depending upon what study you look at today, somewhere between 80% and 86% of security incidents start with some form of compromised credential, 80% to 86%. If you can't secure identity, you can't be secure. What we've seen in the past several years and really pronounced in the past two years, our audience has shifted.
Whereas historically it was predominantly CIOs and developers, it is now very heavily weighted towards Chief Information Security Officers who are recognizing the importance of securing identity at the beginning of their security architecture. We've convened a forum of CISOs, the Okta CISO Forum, where we have 60 of our top CISOs from our top customers that we meet with twice a year and monthly virtually and physically twice a year to talk through trends in identity security and to understand the threat actors that they're challenged with. We've also launched this year a thought leadership platform, Okta Threat Intelligence, where we publish what we see. Now we manage today over 45 billion authentication events every month. In that volume of data that we have, we see threat actor activity before any individual customer is going to see it.
Our threat intelligence thought leadership platform allows us to share that with CISOs. You asked about credibility and trust and what we build. We're very consciously investing in building our relationships with and the value that we provide to the security audience based on our unique position and what we can do. We're very pleased with that. We don't see that abating. In fact, in the world of agentic, as agents are coming in, the security challenges associated with identity get even more pronounced. We're very confident this is a continued way for us to invest in.
I do want to spend more time on agentic, but before we do that, Okta, one of the more interesting product cycles that you're doing with Privileged Access Management is bringing Privileged Access Management to the mid-market. We're hearing now from Palo Alto and CyberArk on their plans to democratize Privileged Access Management as well. Maybe just compare and contrast the two approaches. Privileged Access Management has historically been a really tough technology to do simply and cheaply. How are you progressing with that and how does your approach compare to Palo Alto CyberArk?
I think that we're newer into the privileged access space. That product is newer than our governance product that I talked about previously. I personally see a very similar path for our privileged access product as we continue to invest in that. We just announced with our Q2 earnings, we've acquired a company called Axiom. Axiom is an expert in this space. We acquired it for two reasons. One, they have technology that adds some important capabilities to our existing privileged access product, in particular connection to Kubernetes and connection to databases. That technology will make our product able to solve more use cases for customers and makes it more of a viable product in mid-market and in the enterprise. In addition, we acquired a number of really, really talented technologists that have been focused in this space exclusively for many, many years. That will accelerate our privileged access product.
To your question, the path that we're on with this, most SaaS companies, when they start, they start with smaller customers first. When we started with single sign-on 17 years ago, our first customers were small companies that didn't have an identity provider and didn't have single sign-on. The typical curve, which Okta has followed, is as your product becomes more capable, as you innovate over time, and as your customers are successful, that success compounds and you earn your way up market. For Okta, our fastest growing cohort has been in large customers for many, many quarters now. We announced in our Q2, customers spending more than $100,000 with us account for 80% of our ACV. We have almost 500 customers spending more than $1 million a year with us.
We've brought our products up market in a way where that's where we're seeing the greatest economic opportunity and the greatest return. Obviously, it's a very core focus area for us and will continue. With every incremental product we bring to market and governance and privileged access are in this market, there's a similar path. Our first launch of governance more than two years ago initially was not well suited for Fortune 500 companies. It solved some basic use cases. It initially didn't have separation of duties, which is very important for large companies that have auditability requirements. It saw basic provisioning and deprovisioning and smaller companies would buy it and deploy it and had great success with it. We mentioned it's grown to over $100 million in ARR. We crossed 1,000 customers in our first 18 months.
I think it took SailPoint like 20 years to get to, or 18 years to get to the same number of customers. We feel good about the trajectory and the relevance and we're earning the right to compete more up market. In Q1, we had two major functional releases, which make us more ready for up market. To your question on privileged access, we see the same curve. Our early privileged access customers, we're not, privileged access today is not a land product for Okta. We don't go compete head-to-head with CyberArk for a privileged access opportunity. They're 20 years in this space and on their capabilities and the depth of their product. We're not there in what we offer. What we do offer today is for companies that are Okta customers where they're using us as their identity partner to solve use cases.
If they have needs with privileged access, we have an offering that can help them with that. We're seeing some accounts where people are bringing in privileged access alongside a legacy privileged access provider. We're seeing some where they don't yet have a legacy provider where they're getting started with us. I'm really, really confident over time as our product gets more and more capable, we'll be more directly competitive in the privileged access space than we are today.
I think two things that investors have been debating pretty actively are both the timing of when agentic is going to start to matter for the identity space. Could you comment a little bit on just the maturity of those conversations right now? The second piece is when you look across the different pillars of identity with IAM, IGA, PAM, where do you see the most opportunity you'd say from an agentic standpoint?
From agentic, yeah, everyone's trying to figure this out right now. All of you are as well. All technologists are trying to figure it out as well. From an Okta standpoint, we're really excited by what agentic means for the world, both for what it means for our ability to innovate and our ability to be more productive, our ability to solve big problems faster. From a securing identity perspective, Okta secures identity, we need to secure agentic identity. What we see happening right now, and we've talked about this publicly, is agents in general right now are in development and they're in prototype. Companies are excited by what the agents can do. As people move those agents from development and prototype into production systems, they're realizing that managing the identity of that agent is fundamentally important.
It's complicated because the way that agents are typically provisioned now is by a user giving it access. For our reviewer, if you're using Google Gemini in your Google account, when you turn on Gemini, we'll ask you, do you give it access to your email? You have to decide, yes, no, give access to my email. Does it get access to your calendar? Yes, give it access to my calendar. Does it get access to my financial system? Yes. My travel system? Yes. You go through all this manual process of provisioning. Now there's an agent somewhere that you don't control that's going to have updates and code and capabilities added that has perpetual access to all the things that you've given it access to. As companies start to realize the exposure with that, managing agentic identity is a core challenge that people need to manage.
For Okta, the way that we see helping this problem, it's first from a product standpoint. Our products are already ready to support agentic identity. We have a Universal Directory product that manages the identities that we secure. Some of those are human identities. Some are service accounts or non-human identities. It can also include agentic identities. Our directory product is ready for that. Our governance product, as I mentioned, one of the features of our governance product is business logic for when you provision and deprovision. Rather than an agent having perpetual standing access to all of your things, you can use Okta Identity Governance with that identity to just-in-time provision it. When you need your agent to take action, turn it on. When you're done with that action, you can turn it off again. The identity governance can really help contain that.
From a functionality standpoint, what is your agent authorized to do? It's one thing to know your agent is who it says it is, and it's not being impersonated by a threat actor or a nation state. That's important. That's what we call authentication. Once you've authenticated, you then have the challenge of what is it authorized to do. I was a user in Google and can log into my Google Workspace. When I click on a document, it checks to make sure I'm authorized to look at that particular document. The same distinction applies for agents. We need to authorize them. When it tries to take a specific action, it needs to be authorized to make sure it can do that.
Our Auth0 platform for developers developing agents allows them to develop with fine-grained authorization so that developers can ensure these agents have access only to what they're supposed to. Authentication and authorization are even more important. We're launching a product at Okta in a couple of weeks called Auth0 for AI Agents, which is designed specifically to make that use case easier for developers to get right. The stuff I mentioned, there's two things. The second conversation, which is important to this, is not so much a product conversation as an industry standardization conversation. Right now, we have actually just this month, we have announced that we're advocating for a new standard with the Open Standards Committee called a cross-app access. What cross-app access will do, it's a protocol.
What it will do is it will allow an agent to share its identity with an IDP so that the agent can be managed just like a human identity or a non-human identity. If you're a developer and you build, you implement your agents to support cross-app access, that agent's identity can be put in a directory. It can be managed through authentication. It can be managed through authorization. We have a number of ISVs that have signed up to support and implement the protocol. I had the opportunity to interview the CEO of Ryder a couple of weeks back. Their framework for development and agents is very excited about what cross-app access will do.
Ultimately, as more and more companies, more and more developers develop agents to support cross-app access and more and more IDPs, including Okta, support it from a management standpoint, what we do is we allow the industry to manage agents. Until we get that standard in place and implemented and supported, it's going to be an unmanaged landscape for a while. We're taking a thought leadership position to help make that manageable for our customers.
I think one thing that people agree on is the way that employees interface with technology is probably going to look different 10 years from now. There are a bunch of questions out there on what actually that looks like and if the user interface will even exist in 10 years. Given the lack of visibility into kind of what that looks like, how do you kind of prepare Okta for any scenario?
I think from a user interface perspective, it's hard to know what our UI is going to be in 10 years. Are we all wearing Meta glasses? Are we all like, we don't know. What I would say, the way Okta views UI evolution is that the core challenges of making sure a person or an entity or an agent is who it purports to be doesn't change. The core issue of verifying that that agent, that person, that machine is authorized to do the thing that it's doing doesn't change. Whatever user interface we put on top of this, the core business logic, the core technical problem, the core security problem still remains.
It's Okta's business to make sure we help people manage that, that we give them technology that works, that has fast time to deploy, a quick return on investment, and that helps them solve more and more of their adjacent use cases over time. That's our brand promise to our customers.
Okta is kind of in a unique position where you have a lot of visibility into the app ecosystem and also a lot of visibility into kind of the newer entrants in this space, I would say. What's your kind of take on this death of SaaS narrative and what's Okta's view?
You know, it's a prominent narrative right now. What is the, in the era of vibe coding, can someone tell their computer to write Salesforce and then turn off their Salesforce? There will be evolution, and there will be enterprise SaaS companies whose business is impacted by the things that people can do with AI and AI development and not only vibe coding, but coding in general with AI-assisted agents. It's hard to know exactly where it will play out and who are going to be the most impacted at one point in time. It's fair to say for the foreseeable future, enterprise SaaS is really important. The world runs on enterprise SaaS. I don't fundamentally see any change overnight where any of these big technologies are significantly impacted.
All of them are thinking about how this evolution is going to impact their opportunity and how they, if not pivot, how do they tweak their roadmap and their prioritization to ensure that they're embracing a world where we're surrounded by people that are AI-empowered, both developers and business users. It will change what we do. I heard a comment recently, someone talked about how people go from doing the work to seeing AI as AI is doing the work. I think that shift in thought work between agents and humans, I think it's going to be exciting for us all to watch. I don't see the death of SaaS to your question.
It leads nicely to a secondary question on how you think about the pricing model. Because if you think about classic Okta workers, seat count based mostly tied to white-collar workers. I guess the question is, in the event that you see pressure, excuse me, on white-collar seat count over the medium term, how do you think about evolving your pricing model? Are you already evolving your pricing model? How do you monetize the agents such that you end up in a net positive place as opposed to a net negative?
Yeah, that's a great question. It's early to know that exactly. How do I personally feel about that? I think it is certainly a possibility that Okta historically, because we grew up, as I mentioned, managing human identities and specifically solving getting human identities into the cloud and then securing those identities, I talked about that. It's reasonable to wonder in a world where maybe there are fewer white-collar workers, what downward pressure does that place on Okta? We're not seeing that, but it's reasonable to, and that's a more macroeconomic conversation of how does the global workforce across all industries evolve and what might that do from Okta's human identity business? I think the reality for us is that's something that we have to be mindful of and look out for. We're not feeling it yet.
It's important to understand as well, our business is not just human identity anymore. For many, many years, we've supported machine identities through advanced server access and privileged access. We monitor through Identity Security Posture Management. Machine identities and service accounts and other token identities we've been managing for years and years. Depending upon what industry report you look at, there's ratios that typically there's somewhere from 30 to 60 times as many machine identities as there are human identities. If there's downward pressure on human, what does that mean for machine identities? You can look at whatever number you want for agents. Agents are an order of magnitude more complicated. You'll see people are going to have thousands of agents per person or dozens or hundreds, pick your numbers.
For us, as we look at how do we evolve our business, we need to look at all those trends and see what's real. We don't worry. In our minds, the evolution of AI and the importance of securing agentic identity and the potential for AI to take on more provides way more upside than exposure is how we're thinking about it.
Maybe not a forward-looking question then. When you look at your profile today or your customer's profiles today between human identity and things like machine identity, how do you price the machine identity part? Are there any value creation data points you can share on how that price is?
Users are in one of two buckets. It is either a named license with an annual subscription or it is a monthly active user. Those are our user buckets. Our machine buckets are typically by resource unit, such as how many CPUs or how many boxes. That has been effective for us to date. It will certainly need to evolve in a world where it is not just machines but also agents. We have not announced agentic pricing yet. Stay tuned for that. We have some exciting announcements coming up at Oktane.
Yeah, fantastic. Let's talk a little bit about the go-to-market changes that you made in Q1 of this year. As you alluded to in the last 20 or 30 minutes, there has been this evolution towards multi-product and up-market as well. Maybe give us the point-in-time update on how the realignment in Q1 is playing out relative to your expectations. How do you feel about things like productivity ramps for QBRs, percentage of QBRs achieving attainment, those kinds of metrics? Any color you can share?
Yeah, I think beyond what we talked about in our Q1 and Q2 earnings is we feel after Q1, we said we felt we were on track. After Q2, we said we had a strong quarter and we feel highly confident in the path that we're on. That's very true, as you would hope, because we said it publicly to all of you. This is not our first time specializing. It's our third major wave of specialization. What's underneath this, this year, for those of you that haven't been closely following, we made a significant change in our go-to-market organization. It was to be more outside in and to focus on our buyer personas. Last year, 100% of our sales force was what we call generalists. Every salesperson sold every product to every audience.
It required, if you were an account executive at Okta, it required you to understand how to sell to a developer who's building an app with Auth0 and the portfolio of products under the Auth0 platform. If you were selling to a CIO, you needed to be able to sell the entire spectrum of Okta products. You needed to know what a CIO needed and cared about and what they were talking about and what their priorities were. I mentioned earlier, our conversations have really evolved. We spend a high percentage of our time now with Chief Information Security Officers who have a whole security conversation. We were asking our salespeople to understand security, to understand IT, to understand developers, and then to understand a really broad mix of products across two platforms and all of that. What we realized is we were asking too much of an individual salesperson.
We realized that we were highly confident we would be more productive from a sales standpoint if we focused on our buyer personas and our platform. Now the majority of our salespeople this year, reflected February 1, are either selling to IT and security, a corporate sale, or they're selling to developers, a developer sale, an engineering sale. They're selling either the Okta platform with our traditional identity security fabric, as I described, or they're selling the Auth0 platform to developers. That model for us has allowed our buyers to focus, to build deeper relationships, or sorry, our sellers to focus on their buyers, to develop deeper relationships, to earn more credibility and trust, the question you asked earlier. It's helping them build pipeline in their territories in ways that we haven't.
One of our data points we shared from Q2 is we generated a record dollar amount of pipeline in Q2 for the company. In 17 years, we've never generated more pipe. This is two quarters into us getting more focus in our go-to-market organization. We have XDR, our folks who triage inbound leads and outbound prospect for leads. That group is now focused on either the IT security buyer or the developer buyer, our salespeople, our pre-sales engineers, and our technical account managers. All of our go-to-market teams are better in tune to the needs of the audience. One output from that in Q2 was a record amount of pipeline that we generated. We're highly confident in the path that we're on. We also shared that our year, every year, is back-end loaded. We were on track in Q1. We had a solid Q2.
We have a record pipe into Q2 carrying us into the second half of the year. We're confident. We have a lot of work to do. Q3 is an important quarter for us. Q4 is an important quarter for us. We're heads down executing.
Maybe just benchmark this record pipeline comment because companies that grow generally every year, you see two records on pipeline. Is there something to read into the fact that you're seeing record pipeline in Q2, meaning you would normally see record pipeline later in the year? I guess this is a long way of asking. We don't have Brett on stage to talk about cRPO.
Sure.
As someone who's so focused on operations and go-to-market, how do you think about the scenarios for re-acceleration as we go to the backlog?
Yeah, I think that's a great question. I think for, which is not to imply the previous questions weren't also great. The way that I think about the relevance and the importance of that milestone for us in Q2, it's related to your prior question about specialization, how is specialization going? What we've seen with specialization is it takes time to really, there's a cost of change when you make a change. That starts to pay off with productivity gains over time. This is our third wave. Our first wave of specialization many years ago was we created a public sector go-to-market team that focuses on public sector customers and learning the needs of the public sector and the way that they contract and their specific technical needs and security needs. That team is, we talk about it publicly, it's a high-performing team for us.
Last quarter in Q2, we announced that half of our five of our top 10 deals were in the public sector. We announced that our largest deal in the quarter was a public sector deal. That specialization really works, but it took time for it to be performing at the way that it's performing right now. Last February, almost two years ago, we announced a specialization on Hunter Farmer.
Where we took a team, we had brought so much new product to market that we saw our bookings had shifted away from the logo acquisition to cross-sell and upsell because we had more to sell to our customers. Almost two years ago in February, we created a Hunter Farmer model for our small business team in North America where we had a team of AEs who were only compensated on new logo acquisition, and we had a team that were compensated only on cross-sell and upsell. That change took time. That group had a very strong Q2. We talked about that, and we're highly confident that that's 18 months in. When we look for this next current round of specialization of separating go-to-market into the two buyer personas and the two platforms, we look for leading indicators that tell us that it's working.
For us, being only in our second quarter and seeing pipeline get even farther than it's ever been before is a really encouraging indicator that the path that we're on is a productive path. That's how those ideas tie together.
Yes, great context. Questions from the audience? I can ask one on the go-to-market theme. A couple of months ago, you guys rolled out suites for workforce identity. Could you talk a bit about feedback from your go-to-market team, feedback from customers, and anything you're noticing from changing in your deal cycles or anything like that as a result?
Yeah, suites, we launched suites. You can think of them as bundles for the identity security fabric with the intent of making it easier for people to buy. Rather than know specifically the nuances of every product and every license, they can buy the suite and then they can grow into the suite over time. That was the intent and the rationale behind the launch. It's early. Feedback from customers has been very positive. It makes it easier for them to just buy and go and plan. Feedback from sellers has been similar as well. We also have some anecdotal feedback from sellers that are topping on the average sale price. It's really, really early. We haven't announced any specifics about that yet.
Yeah, I'll go with one last one. We've got a lot of discussion from companies on what they're seeing internally from AI productivity benefits. What are you guys seeing internally? What are you most excited about from like an operational plan?
It's like everyone's asking themselves this question. You've got prognosticators out there saying that they don't need employees anymore. We have some good early success in our support organization. We're really pleased. We're turning around cases faster with higher CSAT. We're really pleased with battles and opportunity. Our marketing organization is heavily leveraging AI tools for a lot of our creative work and our campaign work. That's been very effective. We're piloting right now on our XDR for lead prospecting, how it can help us be more productive there. Functionally, I manage our IT organization. We have a cross-functional team that is helping advocate for applications of AI in each of our functions, G&A and legal. We're seeing opportunities everywhere. We haven't published specific quantitative productivity metrics across those businesses yet. We'll get to the point where we do.
Thank you.
Yeah.
Fantastic. Eric, thank you for your time.
Thank you.
Thanks for joining me and thanking Okta.
Thanks, David. Appreciate it. It's great to see you.