Just for a few logistics, I plan to host a fireside chat with Monty and David here, but at any time, if the audience has a question, feel free to send it through the Q&A function or via email. You can reach me at mcikos@needhamco.com. I'll do my best to tackle the questions and subject matter while we have Monty and David here. With that, Monty and David, thank you very much for joining us. We really do appreciate it.
No, welcome. Thank you.
Just to start, maybe for Monty, for folks that may not have had the opportunity to engage with you before, can you just do a quick overview of your role at the firm? And then also just double questions here for anyone who's either new to the story or revisiting the story. Just a quick overview of who and what Okta is, as far as customer value prop.
Sure. No, I appreciate it. So, so thanks again for having us over here. Looking forward to the conversation. Monty Gray, I've been with Okta for about seven years now. My role in, in responsible for corporate development covers a broad spectrum of things, anything from company strategy to M&A, technology partnerships, you know, getting involved in some cross-functional initiatives that we might have that don't sit within a given silo. So it's, it's a, it's a good role where I get to see things that are, you know, a couple horizons out and things are happening immediately today. So it's, it's pretty fun, fun from that perspective. To answer your question, like, what does Okta do in our, our customer value proposition?
The best way to think about us is we are the, you know, the largest independent neutral identity vendor in the space today in the market. And what that, what does that mean? Right. And we'll get into it, I'm sure, with some of these conversations. It's really about enabling organizations to adopt the technologies that they want to adopt. And that's part of our, that's our tagline as a company, to safely adopt any, to enable a company to safely adopt any technology, and then also to securely do that as well. So security is a big part of what we do. And I'm sure we'll have plenty of time to get into what that means.
Okay. Excellent. Big picture question first. And I, I know the identity market has, has been around for a while now, but historically been viewed through different lenses, segments, if you will, whether it's IAM, IGA, PAM. The cybersecurity industry loves acronyms. But there's always been a view that these swim lanes are or should converge, which seems to be playing out here over the last 12-18 months. And so with where we are today and the convergence of what have historically been viewed as separate swim lanes, like the question that we often receive from investors is just the why now? Like, why has this moment come to fruition today versus where we were three, five years ago, et cetera?
Yeah. And I think there's the best way to, to approach that question, I think, is to understand a little bit of the history of identity, right? The first, the first iteration of identity would be thinking of identity as an enablement function. You know, enable, you're enabling the adoption of a certain piece of technology within the enterprise. And that, you go back 10, 15 years, that was really what was happening. You know, you want to deploy Workday to the cloud, you want to deploy Salesforce to the cloud or some other system of record to the cloud. You, you quickly realize I need an identity system to help me provision that, put users into that system, and to, to not only do it for that system, but other systems I'm, I'm doing. So there was a big enablement phase that was happening within, within the industry.
Then that quickly matured into a security phase, which is, okay, great. I have all my users who have access to all the systems that I've now deployed within the organization, including, you know, my email system, for example. How do I actually start to secure those? And then you start to get into the other acronyms, right? Whether it's IGA, which is governance, right? How do I provide governance, meaning, establishing the right entitlements, doing the right reporting to make sure people, right, that people have access to what they're supposed to have access to? The lifecycle management, meaning an employee joins a company through their different roles and responsibilities till they leave a company, do they have the right access through that whole lifecycle? That's what governance really encompasses.
And then privileged access management is, as the name implies, can I lock down those resources, resources meaning systems or applications that are of high value? So it could be an administrative function within a given area, or it could be a critical piece of your infrastructure. And can the user have the right access at the right moment in time to actually do what they're supposed to do in those systems in an appropriate manner? So a lot of complexity came with that, right? In that first phase.
What we're seeing now is like, with a lot more security awareness coupled with adoption to the cloud, people are saying, okay, this is great, but we would love to actually have this be a little bit simpler and have one system doing this versus multiple systems where you can actually have some gaps, have some leakage in terms of policies and access. The main driver for that, candidly, is probably just adopting the cloud and having a cloud identity system be prevalent and be adopted within the organization. That enables companies to actually say, okay, great, I have a cloud identity system. I now want a cloud privileged access management system, cloud PAM system, and a cloud governance system. We're now seeing that convergence actually happen in real time. That's what we've been investing in over the past couple of years.
Excellent. So that sets the table. Then you obviously have these offerings on the market today. How would you describe recent traction for your privileged access or Okta governance offerings? Where are we in terms of product maturity or even how the ecosystem, whether it's your own sellers or partners going out and rallying around these products to then go sell on behalf of you to your customer base?
Yeah. So as we mentioned in our call, and we've stated publicly, you've heard the comments from Todd and Brett. We've done extremely well with our governance. You know, there's a sequence in here, right? The first was identity management, which was single sign-on, multi-factor authentication, getting the directory into the cloud. Governance was the next one that came on top of the next use case for us, the next product, which we call IGA, identity governance and administration. So our IGA product has done exceptionally well through the market for a couple of years. It's been a material part of our new product contribution as a company. We're very pleased with that. That's been a really good cross-sell opportunity for us into our installed base of 20,000 customers. Right behind that would be privileged access.
Privileged access is probably, you know, in terms of maturity, in terms of nuance and deployment, it's behind the governance one, but we're very excited about how those two are now, you know, have gone from development to actually being, having meaningful contribution to our business going forward.
Right. This is more like a procedural line of questioning here, but I was just trying to think through the sales organization itself. Can you walk through how it's structurally built to cross-sell these newer offerings that you guys have to the customer base, and then secondarily, like when a customer gives you guys the green light and says, hey, we're on board, we're going to adopt, what is required for that deployment, on the customer's part from like a readiness standpoint?
Yeah. So from a customer standpoint, it's really about, you know, the complexity lies in their environments. Is it a hybrid environment? Meaning, is it cloud-based? Is it on-prem? And if you take a step back, what resources are being covered, right? When I talk about resources, I'm referring to the applications in the organization, applications, infrastructure, as well as, you know, databases, for example, right? So there's a whole spectrum of resources. So there's a complexity of the customer's environment. That's one consideration. The second consideration would be just their readiness from understanding, you know, think of all the change management aspects that come along with it, which is, do they have a good grasp on the policies, entitlements, what they would like that to look like against their infrastructure?
That's where, you know, our partners can help. That's where we, you know, there's really just kind of this maturity and readiness that we look at from our customers when they're looking to deploy. We've seen customers, you know, because if we're cloud, so the onus is less on the technology deployment itself. It's more on the change management and more on understanding what they want from the business output standpoint. Because of that, we're seeing, you know, deployments today that are in the cloud happen measured in weeks and months versus, you know, quarters, even years before when it's more of like a heavy on-prem deployment. We're seeing time to value happen much quicker.
But it's really about, is the customer, have they gone through that maturity cycle of understanding what they want to do when it comes to a best practice within their given environment?
Excellent. Just to cycle, I know I'm just asking too many questions.
No, this is great.
But for the sales force org, can you talk about how they're structured to then go out? Like, is it Mike Cikos to sell on the entire portfolio? Like, can you talk through how we're getting that cross-sell?
Yeah, we have, and we specialized our sales force. This is something we've evolved our sales force over the past couple of years, depending on, you know, reacting to the complexity of our portfolio, reacting to the buying mechanics of our customers. And, you know, there's certain specialization that happens in verticals, for example, public sector. That's one. Another would be within certain segments, we have, you know, traditional hunter-farmer model where it's like new business acquisition versus understanding what they have and then cross-selling across that specific to, you know, governance and privileged on top of identity access management. Governance is a natural cross-sell. What we've observed, it's a natural cross-sell. So the same seller can actually do both, look at the identity suite and then also cross-sell governance on top of that.
There's a natural extension of it. Privilege can be a little bit more nuanced depending on the environment. At that point, you're probably talking a little bit about resource coverage, meaning Kubernetes cluster, database, something else. And so we do have some specialists that actually support with that as well.
With that, and sorry, just on that latter point, when thinking about the PAM offering or the privileged access offering, is that tapping into a different persona necessarily or no? Just to be clear on that one.
[crosstalk] It sounds like it's a. This is what I mean by that. Because you can find some customers have matured and centralized their identity department. In that case, it's the same customer, right? If they're more sophisticated and we like these customers who've gone through this maturation of different departments deploying different identity systems and then maturing into saying, hey, I have to rationalize the system. We're starting to see ourselves, even ourselves as like customer zero, you know, as Okta as a company, we have one organization that covers all different identity use cases for us. We're seeing our largest customers actually do that. And that's a great ability. That's a great way for us to have a single conversation with them, elevate the value proposition. And they get the single control plane narrative that happens there.
Some other customers that might be localized, privilege might be localized to a DevOps department, for example, right? Where they might have the keys, the privileged access keys to a piece of cloud infrastructure that they're working on. Okay. And that's a different department you might sell and target to, but they're still heavily influenced by the centralized identity department within the organization. In that case, it becomes a classic, you know, who, who, who owns the budget, who's the champion, who's the user, and we're able to navigate those complexities as well.
Excellent. Okay. One thing I didn't want to leave on the table there, but if we shift gears for a second in the interest of talking about the breadth of the offering you have, first, congratulations on the week-early news earlier this week regarding the $1 billion authorization repurchase program. I think the company did a good job of expressing, hey, in no way does this take away from our ability to invest in future growth, whether that's organic or inorganic. Maybe on that element of tuck-in M&A, as you sit here today, can you just talk about where the portfolio is? Are there areas that look like they need incremental investment or where you'd like to see further maturation of the offerings? And does any, just given industry dynamics, does large scale M&A in any capacity make sense from where we sit?
Yeah. So I think the best way to frame the M&A conversation is to articulate what the product approach is, right? And the best way to do that is our approach today is to look at how do we cover as many users as possible within the organization. Let's start there. How many users? The users historically, identity has been the knowledge worker, you know, addressing a governed app, a governed SaaS application within the enterprise. That was kind of like a Cloud Identity 1.0. Today we're looking at the different types of users. Users could be contingent labor. It could be a knowledge worker. It could be a retail, a deskless worker that could be in retail or a factory or somewhere else, right?
So the user part of it is we're getting broader into what users. Another one, which we haven't really touched upon, which I'm sure we'll get to, is agents. Agents are a different user type within the organization. So agents are another user type. Okay, great. So we have the spectrum of users that we're looking to address with an identity system. Okay. So what are they doing? Now we have them accessing different resources. You heard me talk about resources before. Resources historically were a SaaS application, a governed SaaS application. Now that's spread to cloud infrastructure, even on-prem systems to a certain extent for access. Then you get into databases, Kubernetes, et cetera, et cetera, et cetera. So the resource is getting broader and broader. The user types are getting broader and broader.
Once we actually have all that connectivity within a platform, we have the different use cases. The initial use case was one of access. You know, access would be single sign-on. You had multi-factor authentication, which was a security use case on top of it. You had lifecycle management. You, we talked about governance, so IGA, identity governance, and you have privileged access management, so we had these different use cases that kind of hung off that single platform addressing, you know, all users, all resource types, different, different use cases across it. When I think about tuck-in acquisitions, especially the ones, Axiom's the most recent one that we announced publicly, that one would be an example of, hey, let's get more resource coverage and let's get some different capabilities to go with the resource coverage, so we got database resource coverage with Axiom.
We were able to get some more Just-in-Time functionality to support the use case for privileged access in that as well, and so we, to answer your question with that picture, see ourselves like being very deliberate about we have a roadmap across more resource coverage. We have a roadmap for more use case coverage. If there's a way that M&A will accelerate that, we'll pursue that, right? And that's kind of been our approach so far. As far as large scale M&A, I think it's something we're always looking at. It's something we're aware of, but we don't feel like we have to do that right now. I think, going back to the buyback comment, that gives us a lot of flexibility with our capital structure.
It gives us, you know, and I think it demonstrates a lot of confidence in where we think the stock can go as well. So those are all the different inputs we're looking at. We spend a lot of time, you know, looking at the roadmap. We spend a lot of time looking at the market and who's out there. And if there's a good fit, you know, we'll pursue it.
Excellent. And just on Axiom, since you had mentioned it as well, smaller, it's a tuck in, right? It's not heavily influencing your revenue by any means. But I just wanted to see, could we get a quick update as far as how the integration has gone thus far? Is that in the rearview mirror at this point or is there still more to do?
No, the integration, so the integration small team. We're in the technology integration portion of that right now, and we expect to actually have something in early H1 out to market with that as part of our PAM offering.
Excellent. Excellent. It's funny. I know before we started, I, I said I was going to bother David, but you've been thrown out there agentic. And I think that's the meat of the conversation for Okta that a lot of people are tuned in for. Let's start with like, again, just zoom out for a second. When we were talking about these identity swim lanes converging before we even get into agentic, but you had cited cloud and the move to cloud. And one of the things that I know Okta prides itself on is its cloud neutrality. So we could talk about cloud neutrality, how that is a competitive advantage in your eyes versus other competitors out there. And then we could start to weave that into the agentic conversation.
Sure. I think it's been a core tenet of, you know, Okta was founded on the core tenet of being neutral and independent from any application silo. You know, throughout the past 10 to 15 years, we've seen different maturations of that narrative where historically there were application silos where there's a large, you know, pick an application company, SAP, Oracle, even Salesforce to some extent. They have their own identity embedded into their respective silos. As soon as you support best of breed, that breaks down. Then you started to see the large cloud hypervisor platforms, AWS, Google, Azure, and their respective offerings. So that also brought a need for some more neutrality across all that. So the environment's got more complex is kind of the headline narrative there. And I think that's proven true for us.
I think our businesses demonstrate that's proven true where being neutral has benefited us in terms of that adoption curve I mentioned earlier from identity. The adoption curve was one that we rode in terms of best of breed supporting it. And just to give you, you know, a data point or anecdote for that, our largest integration is Office 365. So that shows customers that are adopting Office 365 for the productivity work, for the productivity suite are still looking at us to actually help support that plus other cloud offerings within the organization. So that's kind of an interesting point. That's been out there for a while. When it comes to agentic AI, we see that as being an accelerant to a lot of these trends, right?
Agentic AI is something where to do it effectively, the same things are happening, the same trends are happening. You have agents that are within the application stack. You have agents that are now orchestrating across multiple stacks. You have agents that are going to be independent of a given stack. And with that principle, it's the same thing that happened, you know, a decade ago with identity with users and the best of breed happening. Agents are now jumping onto the same environments and trying to actually provide the right value to their customers and use cases are covering. You need to have a neutral and independent identity vendor positioned to support the agents so they can actually, you know, deliver on the promise they have of providing that value beyond just like a given application stack. So we see that playing out over again.
We've seen this before. We feel we're well positioned for the adoption and securing agents. These are at a core principle very similar to what we've seen before.
Excellent. Yeah, it's extremely topical. I think there was a Palo Alto report I was reading in the last maybe a couple of weeks that cited non-human identities, i.e., agents or however you want to interpret that versus human identities is now somewhere around 82 to 1, based on the number of surveyed organizations. And so when you hear that number, there's a bit of like a shock. And I'm trying to get a sense, especially as these agents increasingly feel like we're at the precipice of going into production environments.
Yeah.
What is the awareness level among CISOs? Like, is this still on the come up and there needs to be some evangelism on your part or are we like in, hey, hit the panic button, we need to lock this down ASAP?
Yeah. I would say awareness is high today, right? And it's not. The surprising or interesting thing is the awareness part of it is not localized to a given segment or vertical. Historically you would think whenever a new technology trend happens, oh, it's the tech vertical that's adopting them first. We're seeing this across the board. And it's hard to pinpoint like one. I think the common thread would just be whoever's mature and sophisticated in their business processes are looking to gain adoption of agents. I mentioned the curves earlier. I mentioned there is this, you know, enablement curve that identity supported. Then there's a security curve that happened. We're seeing those two curves converge pretty quickly when it comes to agents, right?
I think there's a lot of CISO awareness and anxiety around how do they adopt these things securely. That's been informed by the prior curve of like users doing identity, identity in the cloud and then having to do security use cases around those identities. I think CISOs are looking at that and saying, okay, we went through that adoption curve. Now with agents, they're having to realize that, okay, this can actually happen at a scale. You mentioned 82 to 1. Let's just use that ratio, 82 to 1 scale. So the problem statements of all the basic principles of deploying, access, privilege, governance, all those things still stand, are still there, but at a much rapid and pace.
And so we're definitely seeing the heightened awareness and there's some anxiety around like the conversations we're having with customers coming to us is help me secure these agents so I can adopt these within the enterprise. And they want to get in front of it. They don't want to have the shadow agents kind of running around the systems. 'Cause what happens in that, in that case is you have what I mean by shadow agent would be an agent that's not governed by an identity system. You then basically, what's happening there, you're basically giving an agent an overprivileged account. You're basically giving a super user account to a given system and saying, go do some work. That's a huge gap, the security gap that exists in the organization versus, hey, let's work with the identity system.
So the right access, the right policies, the right entitlements, the right reporting is all in place. So an agent can go access a system and do it in a way that's compliant and secure by default. So we've spent a lot of time in those conversations. They're coming to us. They're much more informed conversations coming to us versus us having to evangelize. So it's a very interesting, it's super interesting time right now.
Yeah. Excellent. Excellent. And one other thing that I wanted to come to as well, like I know that you guys have had active engagements. You're probably actively building up that Rolodex of customer testimonials. Would it be possible for you to kind of walk through a specific customer as far as what that rollout looks like? Because I imagine it almost feels, and I don't want to say anything bad about like more traditional human identities, right? But it feels like with how nascent agentic AI is, you, people would be almost inherently turning to you for guidance as far as what is next from an R&D standpoint. And you almost need to invest ahead of the curve and then bring customers along to make sure that they understand how to lock this down. Does that make sense?
Yeah. So an example would be we have a financial services firm came to us and said, we'd love to use agents to talk to our customers, but we want to make sure those agents, you know, they're fronting the customers so the customers can actually talk to an agent, but the agent's going to have the customer information and want to be able to, and that's obviously sensitive information in a governed environment. Can they then access the right systems within the financial services firm in the right compliant manner so they can actually do response back to the customer?
It's a very simple kind of workflow, but if you think about how an agent, customer facing agent can scale, that's one where they're looking at saying, how can you help us do this in a compliant manner where we just don't have an overprivileged agent looking at data they should not be looking at, but rather something specific for a given customer. So, as I mentioned earlier today, or I just mentioned, all the basic primitives still apply. How does this, what does this user or this customer supposed to have access to? You know, my agent, you know, talking to the customer, what access am I supposed to have to show? Can I report upon that?
You know, this is in a governed environment and can I report upon that in a regulated environment so that I actually know that that's actually true? You need to actually have an identity system in the middle to actually have that work. And so we actually, before that was a person taking the call or a person taking the, you know, the email or the request and then doing it on behalf and like that was fine. But now once you start to automate that process, you want to make sure that's still covered by identity system. So that's just one example of many. It's a very simple example.
But those are the type of things that we're seeing customers come to us and say, "we want," and again, this is a non-tech company in a regulated environment that's looking to adopt this technology so they can be better and more effective at their business with their customers, right? And they're looking at us to help them do that.
Excellent, and just on the most recent earnings call as well. I know Todd had cited something like north of a hundred existing customers have already reached out to you guys on this point specifically with Okta for AI Agents, north of $200 million in ARR. These are substantial customers as far as the contribution to you guys. Can you just walk through? I know that you have a couple of different revenue generating products out there today on the agentic AI front, but have we solved for monetization at this point? Just because when we're starting to talk about these kinds of ratios and that scale, one, the scale in itself, I think presents headwinds to the maybe newer entrants trying to crack the code.
But secondly, what are customers willing to stomach just because you think about the volume of agents that might be coming online?
Yeah. So, so I think it's important to realize like our position. We haven't really spoken about Auth0 that much and Auth0 is part of this story for us right now, right? Auth0 is another part of our business, which is where, let me just start with a description of Auth0, then I'll get to kind of the agent aspect of it. Auth0 is a part of our business where if you want to build an application and you need identity for that application, Auth0 has a developer motion, a set of developer tools and SDKs. So you can build identity into your application. They also, Auth0 also sits on the B2C side of it. So if you're a brand or a large institution that has a customer facing part of your business, Auth0 can power that experience.
So the users in that case would be your customers, you know, interacting with your brand. That's kind of the Auth0 business in a nutshell. Specific to agents, we actually have, think of us as having kind of two offerings, two different buckets. One bucket would be on the build side. So if you're building an agent, whether it's an agent as a, which is your business, like a SaaS company, or if you're an agent within an internal company, you want to build an agent to do customer success, for example, use that example. We have Auth0 for AI, agentic AI, right? That's one bucket. The other would be what we've described earlier in this conversation on the Okta side. So Okta for AI Agents, that's how do you manage the agents within your enterprise, within your organization.
And what we're seeing is an interesting dynamic play out where some companies are adopting both because they want to build agents themselves internally, like their internal IT departments or internal developers are building agents to solve internal use cases they have. And then they also want to manage those with Okta. So we sit on both sides of that equation. And there's a lot of benefit of building with Auth0 because you get a lot of adoption of some standards that we've been pushing out there in the market that just work natively with Auth0, with the Okta side of it. So if you build with Auth0, it's going to work natively with Okta. And there's a really nice tight story that fits there.
Our agent product offerings, those are two things that we're monetizing now very early. We just announced those. They sit on both sides, the build side of it and the manage side of it within the organization.
Maybe just the last question on the agentic AI identity market that is fast growing here. But are, when you guys are speaking with your existing customers, are you bumping up against different companies versus who you've historically competed with or who are some of the more, the noisier competitors when you're bringing this to your customer base?
I think you bump into for agents specifically.
Yes, sir.
Yeah. I think for agents, you run up against existing competitors. You also run into, I mentioned earlier, like that if the agent is stuck to a specific application silo.
Yeah.
It's like, well, why do I have to manage that if it's within an application silo? And as soon as you, this is the exact same conversation that we would have with identity prior, which is like, well, I have my identity within this application. Why do I need an independent identity? And that conversation quickly falls down as soon as you say, well, that agent is going to access something that's outside of it. It's like, okay, now I get it, right? But if you have an agent that's just doing something very specific to a given application, that's, you know, that's probably like a very narrow use case. But as soon as you want to get something more sophisticated, that's where the independent neutrality aspect of Okta really, really shines in and having our positioning that's out there neutral really shines.
That's probably the one area where people are looking at. I would say there's, it's early, but there's a lot of noise around like what's the right way to provide observability around an agent? Is that something that's the network at the endpoint? These are all, these are like the classic traditional cybersecurity control point conversations that take place. So if a CISO steps in and says, I have agents that are being adopted within my organization, you naturally fall into the security kind of paradigms of different control points. Is it identity control point? Is it endpoint control point? Is it network control point? Is it cloud infrastructure control point? And the answer is probably yes to all the above.
But we believe identity really kind of plays a centralized view from, you know, access to governance to privilege around all of it for, for the agent. So it's, it's a lot of the similar conversations before. And there are some, there's some nuance. You get into some protocols and standards. You hear things like MCP, Model Context Protocol, which has been out there, which is a new technology that kind of starts to show up. And so people start to ask, well, how do I, you know, how do I secure my MCP server? Because MCP server is a way for you to extract data and value, you know, with an agent from the system. And then we have to quickly tell a story about like, hey, you know, we've been participating in the standards with MCP out there.
The identity part of MCP is a standard that we have offerings to support that, and we've been on the standards councils for that, and so there's a little nuance for that. Those are probably some of the newer things that are happening out there that we're seeing in customers, but again, the primitives and the principles are very similar to what we've seen before with people.
Awesome. Awesome. Apologies for the wait to the clients that have submitted questions. We are, we are getting there, I promise. I want to be true to form and just bother David for a second.
Yeah, please.
Over to the financials. Thanks, Monty. We might cycle back to you. We'll see. But let's see on the most recent quarter, revenues as an example, grew north of 12, grew 12% year on year. RPO was up 17%. cRPO up 13%. And so one of the things we've been fielding from folks is what specifically drove that divergence in the various growth rates. How should investors be thinking about RPO, or cRPO for that matter, as leading indicators from where we are today?
Yeah, absolutely. So the first thing is keeping in mind that 98% of our revenue is recurring. So revenue for us is largely a backward-looking metric, while RPO and cRPO are forward-looking. So ultimately we continue to guide, you know, you and our investors, to cRPO because that's the best metric we can provide to give you a window into what our future subscription revenue will look like. On RPO and cRPO specifically, you know, as we become more enterprise-weighted over time, the average duration of our contracts is slowly expanding. So the average duration of our contracts historically is about two and a half years. That's a little bit longer for enterprise. It's a little closer to three, you know, that's balanced out by the fact that public sector is about one year.
And so, you know, what you'll see is that the divergence is caused by this extension in duration. And by the way, we're also incentivizing our sales team to go for longer duration deals as well. So that's kind of the primary factor that's driving what you're seeing there.
Just on that last point around the incentives for longer duration deals, I just want to make sure I'm clear there because I would argue that part of that is just influenced by the success you guys have seen in upmarket with your 100,000+ ACV customers. So that push for longer duration deals, is that—we were just thinking about this earlier with another company, but is that—call it a tool, if you will, by the sales reps to drive lock in additional portfolio expansion while maybe allowing for enhanced price discipline? Like I don't need to go discount as much if I can extend this out and get you to take on more of the portfolio. We can find a happy medium, if you will. Does that make sense?
Yeah, it makes sense. And I think you're thinking about it in the right way. You know, right now, the way that Okta's contracts are structured is that, you know, if a client, if a client is underutilizing what they're provisioned, there isn't a way to kind of, you know, ratchet down the contract in the middle. They would need to come back to the table upon renewal, but they can always, you know, expand their usage in the middle of a contract here. And so by having these kind of longer duration contracts, you've seen all this new product we've put out over the last couple of years. It gives our reps, you know, our customer success reps, our account managers, and our sellers, you know, more opportunity to kind of connect with our clients, introduce new products, upsell. It enhances the cross-sell motion as well.
So those are kind of the what's underlying the decision.
Great. And as for the client question that came in was around net retention. And we're talking about these contract durations, so it folds in nicely. But it's the idea that hey, coming out of COVID, we have seen downsell pressure. Where are we in terms of, I guess, navigating those downsells coming out of COVID, versus the potential offset to the positive inflection points, whether it's new product or agentic AI taking off?
Yeah. So, you know, firstly I'll say, underpinning our net retention number is a healthy gross retention number that's been stable, you know, for a number of years now. Retention, you can think of it really, it's a combination of seats and monthly active users and product, right? So while companies have been more conservative with their expansion of seats and MAUs, we've had a lot of success upselling and cross-selling our existing customers on this large portfolio of new products, you know, headlined by governance, PAM, security, password management, threat protection, device access, fine-grained authorization, right? The lineup, the list goes on and on. We continue to innovate here and, you know, we already talked about some of the new AI products that we introduced recently, so that should also be a big help.
And then also on that note, the go-to-market specialization effort is, you know, something we recently instituted at the beginning of FY26, and that's been producing positive results for us as well. Enough for us to have actually been encouraged to increase sales capacity beginning, you know, incrementally beginning back in Q2, that continued in Q3, and to the extent we see, continue to see positive benefits from that, we'll slowly methodically keep that process going. To go back to like kind of where we are in terms of the whole COVID cohort, we've completely lapped those headwinds. So again, that was, you know, from about three years ago in that zero interest rate environment. As you mentioned, our average contract duration is about two and a half to three years. So we've now fully lapped that impact.
Those customers have come back up for renewal and, you know, done whatever right sizing is necessary. At the same time, you know, the buying environment now is not quite as robust as it was back then. And so this inflection in GRR isn't necessarily going to be a V-shape, but it's going to be, you know, what we've been seeing, which is a slow stabilization and then, you know, a tick up.
Okay. And for the net retention, that just to take that one step further, we've been fairly stable in recent quarters around that 106 level. And so levers to think about for improving that metric. I know that we have a number of products for the cross-sell opportunity or even continuing to do same store sales. If someone's already a core Okta user, they can just add more seats, right? But is there anything that you guys are doing to influence that behavior via, let's say, packaging, pricing, any levers that you have there that you can use?
Yeah. So Okta, you know, we've been pretty consistent on pricing for a long time and, you know, we're a value-based tool. We think we offer quite a bit of value here. One of the things we have introduced recently that I, you know, I think hits on your point here is something that we're calling workforce product suites. So that's kind of a, you know, what's the right word, like a bundling essentially of different tools at different levels for companies based where they, for them based on where they are in their identity journey. So kind of you can think of it as a good, better, best. And that's been, you know, great both internally, it's made it easier for our sellers to actually sell the product. It's, you know, simplified the selling process and made it easier for customers to understand.
But just beyond that, it's actually exposed our customer to a wider variety of tools that they may not otherwise have had exposure to. Maybe they, you know, didn't think they need PAM. They come on with this, you know, early bundle and they say, hey, we're actually getting a lot of use of it out of this. And then it leads to an upsell down the road. So that's, that's one way we're doing that.
Great. And I know you had commented on the go-to-market specialization earlier, and the fruits of that initiative. I think a lot of investors and, in our view, rightfully have interpreted the recent acceleration in headcount growth in the most recent quarter as a bullish signal. Can you help us understand first where the majority of those new hires are going? And then secondly, with the success of the Okta versus Auth0 segmentation, are there, is there additional tinkering to the sales org going into this coming year from where we sit today?
Yeah, I'll start with the latter question. So, the way that we're thinking about the structure of the sales team is really we're trying to avoid a situation that we saw four years ago when we kind of looped in the Auth0 acquisition in which we had, you know, a lot of sellers. They weren't necessarily hitting their number. What we would rather have right now is too many folks going to President's Club than not hitting their number. And so, you know, we're starting with this base of, you know, sales reps, which by the way, we mentioned on our most recent call, productivity is extremely strong. The AE tenure is at multi-year highs. AE attrition is near multi-year lows. So those two things in conjunction with each other tell you that, you know, there's a lot of internal buy-in on what we're doing around these go-to-market changes.
Reps are, you know, sticking around. And so, yeah, I think, you know, all of these kind of things in conjunction with each other are, I think, helping lend credence to some of those bullish signals.
Excellent. Excellent. And with that, I know we're at time, so we'll leave it there. But David, Monty, thank you very much for the conversation here. Looking forward to it.
Thank you.
Thank you.
Excellent. Bye guys.