Good morning. Welcome to our first analyst day as a public company. I'm gonna cover some housekeeping items today. You have your agenda in front of you. Very straightforward. We have two Q&A sessions interspersed throughout the day after each main section, so queue up your questions for each of those sessions. We do have a break right in the mid-morning at about 10:15 A.M., and we'll end the day at 12:30 P.M. We have the entire management team here today, and we're really looking forward to telling our story. Let me first cover some housekeeping items. We have any forward-looking statements that we have today will be covered by our safe harbor statement. With that, I'm gonna cover Mark McLaughlin. I'm gonna introduce Mark McLaughlin, our President, CEO, and Chairman. Thank you.
Oh, great. Okay. Can't have a meeting without a clicker. Morning, everybody. Thanks for coming. I'm Mark McLaughlin, President and CEO of Palo Alto Networks. Really happy to have everybody here with us today and appreciate you taking the time to learn a little bit more about Palo Alto and for us to get a little more involved in discussing our story. With me today to help tell that story, I have the entire executive management team from Palo Alto. I just want to do a couple quick introductions. You may know some folks already, but we have Nir Zuk up here in front, our CTO and founder, Rajiv Batra, our co-founder, who runs our engineering. We also have Steffan Tomlinson, you know, our CFO.
We've got Rene Bonvanie, our Chief Marketing Officer, who is in the back running master ceremonies back there. We also have Mark Anderson, who runs worldwide field operations, which is a combination of our sales plus customer support team. Lee Klarich, front here, is runs product management for us, and you'll hear about our products from him today. Chad Kinzelberg up front is running our corporate development, business development, and strategy. Allison Hopkins runs HR for us. Last but not least, Brett Eldridge runs customer support and customer engineering for us. Got everybody here. Encourage you to take the time on the breaks to talk to folks if you have any questions. Our main job here is to answer questions you have.
As we thought about the day and what we wanted to try to accomplish here, with you, our goals were really up here, which is we wanted to give you a sense of the market we serve. We've talked about that a number of times with you folks, but just being pretty specific about the market that we're in, the opportunity we think we have in that market and where we are in an opportunity. You know, we're winning in this market. We just wanted to discuss in fairly detailed manner why we're winning, why we think we can continue to win the market. We'll get a view from Mark on how we're doing, and then, most importantly, like I said, answer your questions.
To get all this done today from an agenda perspective, we're gonna talk through the following, the following things. There's a lot of things that are happening from a market dynamic perspective that favor a company like Palo Alto Networks, and some of those are based on strategic technical trends and implications from those trends. We'll walk through some of those with you. We'll talk about how do we address those implications from a product perspective, which Lee will discuss for us. We're gonna talk about how we serve the market, which Rene will get into a bit with us and how we're doing in the market. We'll get a view from the field from Mark Anderson about what's happening on the street when we're out there, selling and competing.
Chad's gonna give us a brief tutorial on how we're leveraging strategic partnerships in order to continue our growth. At the end of the day, we're all about results, so you'll hear from Stefan from some of the numbers perspective. One of the things that I wanted to try to do is just to kick things off was to sort of set the stage for Palo Alto Networks. You know, we're doing fairly well as a company, and in a lot of conversations as to why that's the case, we are very focused on the technology, which is true. We have a highly differentiated technology, and there's a lot of focus on that.
You will hear from us today quite a bit about how the Palo Alto technology is different from what the competition has because that's a really important point. A couple other things, though, that I don't think we discussed as much in the past that try to put Palo Alto in context are a bit higher level, which is, you know, we believe we've got the right technology, and like I said, we'll define that and you'll hear about that later on. We also think that there's a lot going on in the market that means that importantly, to be a winner in this market, you need to be in the right place, not with just the right technology, but in the right place.
By that, I mean the right place in the network because there are technical trends that are going on in network security that favor folks who are in the right place, and by that I mean the firewall level. The other thing is, it's sort of the right time. You can have a company with great technology, be in the right place, but it also really helps if in the really big picture, you know, the things that are happening in the world favor, you know, what you're, what you're doing for your customers, and we think that's the case. I'm just gonna walk through these fairly rapidly, but to give some context around Palo Alto Networks and starting from the top to bottom, which is the right time.
As everybody knows today, security is, and cybersecurity is absolutely paramount. You can't pick up the paper, you can't turn on the browser, right, without seeing literally on a daily basis now, somebody being breached, you know, somebody with a problem, and it's very, very public. Just this morning, I woke up, you know, fired up the laptop and saw 2 or 3 South Korean media companies, you know, were hacked by North Korea last night. You know, it's all over the front page, and that's a real problem, you know, for those companies.
Literally every day, you know, we're seeing something like this. These breaches have major business implications that range from stolen personal information, stolen passwords, intellectual property getting ripped off, to things that are even more, you know, even more serious than that. The People on the wrong side of this, meaning the companies, the entities that are being hacked and breached, are very concerned about this, and rightfully so.
It's now a matter of major importance for all organizations, but, you know, particularly enterprises all around the world, where the idea of security and cybersecurity has become a boardroom issue. Lots of reports out there saying it's the number one, two, or three issue discussed in every boardroom on a quarterly basis, with a lot of enterprises are actually forming standing committees now at the board level that are security-related to understand how does that company protect themselves against all the stuff that's happening? How are we doing? Because the implications are becoming more and more important if they are unable to do that.
On top of that, it's now a matter of officially, you know, a matter of national security because of all the potential threats for enterprise in America, which is the backbone, you know, of the economy, and in addition to that, for the government as well. Just as recently as 2 or 3 weeks ago, President Obama issued an executive order laying down a number of things that were progress in the direction of public-private partnership and how do we take care of this issue. More likely than not, the precursor for congressional legislation that will occur in the next, you know, 12 months, probably 18 months, to try to define from a legal perspective on what companies have to do in working with the government and vice versa.
From a time perspective, when you have a situation like this where there's a lot of problems, a lot of attention, you know, a lot of focus, if you're a security provider, a network security provider, it's the right time, right? This stuff is not going away. It's getting worse, and you can see that almost daily on a weekly basis as it kind of continue to heat up. We think us plus other players are in a position from a right time perspective that the world is more and more needing, you know, what we provide as a company. And when you've got a big problem like that and that much focus on it, you have to kind of ask yourself, "What's the problem?" Right?
You know, everybody's agreed that this is a big deal, and there's lots of resources to throw at this. What's the problem and how do you fix this? Why is it getting worse and not getting better? One of the major technical things that is happening in the world today around this is really around the threats. The kinds of threats that are out there, the ability for the bad guys to morph those threats, create new ones, change them rapidly, that is accelerating at a pace that is alarming. Really alarming if it's your job to stop it, right? That's not slowing down. That's getting faster. You can kind of see this playing out, too, with all those headlines before about the breaches. They're not all the same.
They're different, and new ones are popping up all the time. Old ones, meaning ones that the company may have seen before, can very quickly morph. Even though you thought you defended against it over here, they change it slightly, and it comes in over here. That's just because the level of sophistication is going up dramatically as well in the threat environment from either state sponsorship, lots of money involved, but it's very, very serious.
Threats are moving very quickly, evolving very rapidly, to the point where again, if it's your job in the enterprise to stop this stuff, I've heard a lot of people say, you know, they can't throw their hands up, but almost want to throw their hands up, saying, "How do I just keep up with this, you know, let alone trying to be in front of this?" That's a big picture thing that's been changing for quite some time.
We think will change into the future, meaning the rapidity of these threats and the ability to morph them very quickly is a real challenge, you know, when it comes to how do you stay in front of these things or at least not fall too far behind of these things from a technical perspective on how do you defend. There's an implication that I'll discuss in a second. Before that, in addition to the fact that the threats are there, changing rapidly, morphing very rapidly, you have another problem, which is the age of the application, right? Some of you have seen this slide before, but really what we're saying here is that with all these threats, they can exist, but until they're on your network, it's not really a problem, right?
How are they getting there? Well, one of the ways that they've been getting there, the biggest way they've been getting there is from an application perspective. In the last, you know, 7, 8, 10 years, we've seen a lot of macro trends playing out on the technical front that are really important for companies, for productivity, all sorts of reasons. Things like SaaS and cloud, the acceptance of social networking as people use that more and more. You have mobility, which leads to bring your own device. All these major macro trends are playing out right in front of us. It's taking years, but they're very real, and they're here to stay. They're not gonna get small. They're gonna get bigger.
The one thing that all these things have in common is that they are causing an explosion in applications, and that makes a lot of sense, right? If you're an enterprise, you know, for enterprises very rarely anymore are writing their own proprietary application for anything. Why would you know, why would you do that? It's expensive. You got to do it, you got to maintain it, you got to have staff for that. Some third party's out there who's willing to take care of you know, for that on, whether it's very serious from a CRM perspective or something else. More and more often, you're relying on third parties to provide applications for your enterprise.
In addition to that, there's just a lot of applications that may have nothing to do with your business, but they're finding their way onto your network. If you took a poll, you know, 10 years or 12 years ago, the number of that third-party applications on your network would have been measured in dozens. If you took that poll 2 years ago, on average, it was 1,200. If you took that poll last year, average number of applications that are on enterprise network is 1,600. It's growing at that kind of rate. You're getting more and more of these applications on your network, whether you want them or whether you don't want them.
The combination of the fact that the threats are increasing, the rapidity of the threats are increasing, their ability to morph are increasing, and at the same time, you have this explosion of applications coming onto your network, is a dangerous combination because this is how they get in. They're riding the applications into the network, and the combination of those things makes security a real challenge for folks. Just to make matters worse, this won't last forever, hopefully, right? We've all been living in an environment for the last few years, and it seems that we will for quite some time here, of just budget realities, right?
At the same time that you have all these big-picture challenges going on, you're also faced with the fact that there's not all the money in the world to solve it. It's not security at any cost. It just can't be that way anymore. If you're in charge of solving these problems, you're being told, "This is super-duper important from the board down, and by the way, you have to do more with less." Go figure that out. Right? That is the world in which our buyers live in today. We've got this, your really big-picture stuff that's been evolving for 10 years and probably gonna continue to evolve in the direction I just said. In addition to that, they've got to do more with less. What does that mean from a buying pattern behavior?
For a very long time, customers, the enterprise customers, have purchased network security products with three things in mind: security, performance, and value, and sometimes they'll just say that's cost, right? Of those three, obviously, the most important for enterprises is security, meaning if you're not secure, who cares what it costs, right? Particularly with these kind of challenges. The implication of the things I talk about the big trends going on in the threat side of things and the explosion of applications, has fundamentally changed point number 1, what does it mean to be secure?
What it means to be secure now, this is what the world is recognizing, our customer base is recognizing in a fairly rapid manner, is it means I need to be able to safely use those applications on my network, and I need to be able to, if nothing else, respond in fairly short order to the threats and the morphing of the threats that are occurring out there. That's a different definition of security than, you know, than five, six, eight years ago, and the acceptance of that is gaining ground very, very quickly. In addition to that, I have to do that, and I have to do that at a performance level that doesn't cost me my network, right?
If you have a secure network and it's so slow that nobody can really use it, you didn't really accomplish anything. You can't give up performance in getting that kind of security. In addition to that, I have to get a great value in all this, right? Because I don't have all the money in the world, all the things you're gonna do for me, whatever it means on security and performance, I need that to be of really good value and ideally an increasingly good value over time because I'm under a lot of pressure. These are the conversations and how they go when you're talking to our buying universe. The most important of these is, like I said, point number 1, which has just fundamentally changed.
What that has, what that has led to for us is a few technical architectural changes that have been going on for some time and that will continue to go on into the future, and this one I call the right place, right? What I mean by this is the right place in the network itself. The right place to handle the security challenges, if you have the right technology, is to be the firewall. The reason for that is pretty simple. The firewall is the only security device in an enterprise network that sees all the traffic coming in and all the traffic going out. Because of that, it makes a hell of a lot of sense to try to either defend yourself or be proactive in nature at the firewall level.
That's the right place to try to take care of these issues. What has happened over time in our industry, as all these threats have come up and evolved very quickly, is the kludge network, right? As new threats evolve or new categories of threats have evolved over the last decade, our industry has responded with best-of-breed providers doing things that, frankly, the firewall vendors should have done, the main firewall vendors. They didn't over time, it gave birth to whole industries and whole sets of technology like IPS and web filtering and AV and malware now, right?
They're all these things that should have been handled at the firewall, weren't, so it allowed or created a need for all these disparate technologies to come into existence, and it forced customers to say, "If I'm gonna deal with those problems, here's how I have to deal with it. I have to go buy, you know, a best-of-breed point solution, either in a device or software, and put it into my network." More often than not, when you walk into an enterprise, the enterprise network looks like this, which is I got a firewall, and I got stuff stacked up all around it, right? The reason for that is that I've got these threats. They're evolving quickly. I'm trying to solve them, and somebody comes up with something, so I get it. You know, I put it into the network.
The problem with this is because of the underlying technology of all this stuff, stateful inspection technology, it fails the fundamental point of being able to safely enable applications. We'll discuss that in more detail today, it fails the fundamental point of security, the first buying need, which is how do I safely enable the applications? In addition to that, now it's more and more failing the main point of security, which is because those threats are showing up much faster, evolving much faster, morphing much faster, putting multiple pieces of technology together is fundamentally insecure. You have no piece of technology itself inherently understands the problem in the first place with these applications, and then you string them all together.
Every one of those handoffs is a security issue for you in your network, just because they're not all natively talking together. We can see this now. What, what we're hearing from enterprises, you're probably hearing this as well, is they don't like that anymore, right? They don't like that not because of cost. I mean, that's the one we hear a lot is saying people wanna integrate the technology because it's expensive to work with the vendors. That's all true. That's all true, but that is not the primary point. The primary point is that the professionals, the security professionals whose job it is to defend the networks, they get it.
They're saying, "We need native capabilities, ideally, in a platform, the least number of platforms, but native capabilities that understand these applications from the ground up, from the start, in order to protect ourselves. Just as importantly, ideally, they'd be in a platform where it all occurs in the platform because every time we have to string together a technology, we have two problems. The first is every one of those handoffs is by definition a weak point in our network from a security perspective. The second thing is all these threats keep coming faster and faster, and we have to wait for somebody, you know, to come up with this best-of-breed box and then go get it, right, and put it in a network that can make all that work." This just doesn't work anymore for those two reasons, and that's what we're seeing.
You know, this is evolutionary in nature, right? These are things that are playing out over a decade at a time, it's really heating up now. I mean, this is becoming much more in the forefront for folks about the demand on what it takes in order to keep your enterprise safe. Because of that, the network is going here. This is the much more likely network architecture from a security perspective in the future, which is, if I can get rid of all these disparate pieces of technology, I can get a platform that natively understands all these applications and understands how to handle those threats, that platform is flexible enough that I can add continued protection as these threats emerge and evolve, that's the one I'm gonna want. Again, not because of cost.
That's a, that's an added benefit. It's just more secure. That is a major technical implication playing out in the market, and that's why I said that, in addition to having the right technology, meaning you can safely enable the applications with a flexible platform, being at the right place, which is the firewall, is really important because that's where this is gonna happen. Again, simply because it's the only device in the network, sees all the traffic in, all the traffic out. If you're not a firewall, in this market, one of the main implications of that is that your device, if it fails, when it fails, it doesn't bring your network down. If you're the firewall and you fail, the network is down.
There's a huge difference between the capabilities of firewalls and non-firewall devices, and that is the difference, and that's why they're so frankly, that's why there's so few firewall vendors because it's not just about technology, it's about your capability to be an inline high speed, all those things are required from an enterprise perspective. In addition to that, you have to have the right technology, right? What we mean by the right technology is a platform that is flexible enough to be able to add to it on a fairly rapid basis, to take into account the threats, macro trends we're talking about, that also, and importantly, is the one that can safely enable the use of these applications. It's a fairly simple definition, but it's really, really hard to do. That's where we think we are.
We think we have the right technology in the right place in a network for these architectural implications, which is things moving to the firewall at the right time, where this problem is paramount and becoming more and more important and evident for folks. There's a big desire out there in order to figure out how do you handle these, kind of problems. That has led to major market disruptions that will continue for quite some time, with or without us, frankly, right? Major market disruptions. We're serving the enterprise network security market, which is a very large market, $10 billion a year plus, and growing, as you can see, by some estimates, into $13 billion in a few years' time. It's broken into some fairly discrete technical functionality here, as you can see.
It's not a gazillion things. It's just a few things that are in there. What's happening, the reason I'm showing you this slide, what's happening in this, in this TAM is money's moving around fairly rapidly, and I think that's picking up from an acceleration standpoint because of all the stuff that I just went through. The money's moving, not just greenfield opportunities, but the existing money is moving around, and it's moving in favor of the disruptors, as it always will. As a result of that, there will be winners and there will be losers in this market just inside that big TAM I just showed you. The winners are gonna be folks who have the following things.
The first is you have a next-generation platform that's purpose-built for the problem you're trying to solve. The flexible platform, which is capable of safely enabling all the applications on your network. The losers will continue with legacy architectures and try to not purpose-build it. They'll try to work with their legacy architectures. That platform, the next-gen platform, has to have application enablement, understanding, and threat prevention at its core. You'll see that here. We'll show you in a little while exactly what we mean by that. The losers here will take bolt-on approach. They'll continue to take disparate pieces of best-of-breed technology, continually try to slap it together in order to approximate the definition of security, safe enabling of applications, as opposed to just doing it right from the core of the technology. The winners' platforms will be flexible.
What that means is that in light of all those threats that are coming faster, morphing faster, the platform will be flexible enough to take them into account so that you continually add to the platform as those threats evolve and be able to handle those, as opposed to have to wait for a fundamental rebuild of the platform itself or, like I said in the previous point, bolting on technology to take care of this. The winners will have demonstrated enterprise capabilities as a firewall. Not as an auxiliary, what we call firewall helper.
That's very important because, as I said, the technical trend is this stuff's moving to the firewall simply because it's the only device that can see all the traffic at line speed and try to take care of these problems for you, where the auxiliary helpers are just solving one little problem, maybe important, but trying to solve one problem, but they are not in line, and it takes a hell of a lot, like I said, to be a firewall provider and be in line. Demonstrated firewall capabilities at enterprise class levels and speed are critical important for the winners. You can see this playing out. This is the market recognition, at least from Gartner. This is their Magic Quadrant. These are the firewall players. There's actually a lot more players in here.
We took off the other ones, only because they all end up in the bottom left-hand corner. I'm just trying to show the major firewall players here, right? I'm not trying to muck up the slide. This is what's happened from 2010 to 2013. As you can see, the major firewall players, you know, moving around here. Like I said, everybody else in the bottom left corner there, so don't worry about that. What these axes are on this on from a Gartner perspective is the X-axis is your visionary capabilities, right?
What they mean by that are the companies that are visionary enough to understand the things that I was just talking about, the big picture change in strategic imperatives, the big picture change in architectural implications because of those imperatives from a threat landscape, they understand it, and they're able to address that. That's the visionary aspect. The further you are out that way, the better, you know, from a visionary perspective. The other axis here is your ability to execute, which is you may be the smartest guys in the world about that, but in order to serve an enterprise, be in line speeds, customer support, RMA a box in Nigeria in 24 hours, all those things that you have to do to serve global enterprises, that's the other axis.
The higher you are on this is the better. As you can see from that sort of morphing, you know, in the last 3 years' time, at least, Palo Alto has been doing better and better and better here because we're proving, you know, we're right on the vision part of this, and we're always continuing to prove our execution capabilities. That's also just playing out, right, from financially in the market. This is just last quarter to give some sense of the relative, you know, absolute and relative performance of Palo Alto in the market. This is the market recognizing everything I said and buying our technology because it's true. It works the way that we said it works, and it helps solve those problems for folks. What's the difference between Palo Alto and everybody else?
At a really high level, the differences are the fact that we started out by trying to solve the problem, which is how do you safely enable all these applications, as opposed to being reactive to the problem and saying, "How do I do that with my existing legacy technology?" We started out with the understanding that great security is native and not bolt-on, and that means that because those threats are evolving so quickly, if you're bolting on technology for every one of those or waiting for the next best-of-breed solution, you have a problem just from an architectural standpoint about what security is gonna mean for you from those various handoffs and the weak points in your network. We start off with macro trends in mind. You know, we obviously, we don't know everything, right?
We can't see everything into the future. When we design the platform and continue to design things in the platform, we have a lot of big picture things in mind, like mobility, malware, virtualization, SDN, all the things that people are talking about today. You know, we baked into the product in a lot of different ways and continue to evolve it with those things in mind.
One thing I should note is that we're not always the first mover, right, in a lot of these different areas, and that's by design because the first mover, you know, may have first-mover advantage, but as far as having great security at the end of the day, that's what we've been able to prove again and again and again, is what's the right way to solve these problems that will have longevity over time? We've been able to do that. We started with a business model that scales because of this, which is we can answer any enterprise network security need in that entire $10 billion TAM.
No matter what you think your problem is, you know, as an enterprise, we have a solution that's flexible enough that we can address that specific point, and more importantly, it can address all of your needs. The recognition of that over time, once we get into the account, allows us to expand inside the account, and our platform is flexible enough that we can keep adding services to take care of all the rapidity of these threats we've been talking about, and we can continue to extend our value proposition. You can see that from our business model, which is, which is scalable and one that we can operate with ever-increasing ever-increasing leverage. That leads us to where are we.
We think we're in early innings in a big market where big disruptions are occurring and will continue to play out for quite a long time. These things are not playing out in 6 months or 1 year. They're playing out in 5 and 10 years' time behind us, and that's accelerating in front of us is how they play out. We've got a really large and growing market opportunity. Because of that threat landscape I talked about and everything that's happening there, strategic imperatives are changing for enterprises. You know, 5 years ago, this was not discussed in the boardroom. Now it's discussed in every boardroom, and that's gonna continue over time. The strategic imperatives top-down in organizations are demanding answers to this problem.
That has led to the industry and the professionals buying this technology to want and demand major technical changes in the network, and the implications of that are things are moving to the firewall because it simply makes sense to do that, so you need to be in that position, and we are, which has led to the gaps between those who can and can't, meaning you're a demonstrated enterprise firewall player with a flexible platform that can safely enable applications. If you can do that, the gap between those who can do that and those who can't is wide right now, and it's getting wider pretty fast just because it's really hard to catch up to that if you don't have it already. That results in those who can benefiting disproportionately from a market perspective.
You can kind of see that, you know, not only from things like the Gartner, but also our results in the market, is the disruptors will get a good portion of that TAM because you're effectively answering and efficiently answering the problem that these networks have. We are Palo Alto Networks. Our vision is to be the leading independent global enterprise network security provider. We think we've got a great start in that. We think we've got a long way to go on that, and we're very appreciative of you taking the time today to hear us try to prove that out to you. You'll hear that from a lot of our team today. Thanks again for your time. Look forward to talking to you a little later on.
When we did the evaluation, I[Break]
Good morning, everyone. I'm Nir. I'm the founder and CTO of Palo Alto Networks. I want to talk a little bit today about what makes us different from a technology perspective and why is our technology enabling us to be so successful. To do that, first, I want to go back seven years and show you what we've seen back then is the opportunity in front of us, and then show you how we implemented it. Okay? Seven years ago, we saw two major trends in the network security industry. The first one was the World War I style trench wars between the business, represented by the CIO, and the security group. Where the business kept wanting to use the Internet for much more than they were using it, and the security group keeps saying no to everything. The business wanted to use Webex.
I know many of you work for financial services companies that don't even allow Webex. The business wanted to use things like Facebook and other social media, the security group said no. The business wanted to use things like Dropbox and Box and Google Drive and others, the security group said no. The business maybe wanted to start using online office applications like Google Docs and Zoho and now Office 365, the security group said no. This war between the business and the security group didn't make sense because the role of IT guys is to enable the business, not to stop the business from doing its business.
The fundamental issue that the security group had, and the reason that they kept saying no, was the fact that the entire focus of all the technology that's being used or was used by the security group, was focused on protecting web and email. What I mean by that is that you all use email. Today when you receive email, if you work for a company that is not Palo Alto enabled, when you receive the email, the email goes through a lot of checks. The checks that the email goes through include, for example, making sure you don't re-receive an executable attachment, right? If I send you an executable attachment, your IT department is probably going to cut it off.
It includes scanning the email for bad things, for viruses and for spyware and for botnets and for Trojans and for all kind of malware. It includes scanning the email for exploits of vulnerabilities, such that if there is a PDF attachment that's going to try to exploit a vulnerability in Adobe Acrobat and take over your computer, your machine, then it won't make it in. Also on the way out, email gets scanned for a lot of things. It gets scanned for the same things I just described on the way in, as well as for data leakage, making sure that you don't accidentally send out information that you're not supposed to send out. The problem of securing email is well known, and it's been like that for many, many, many years.
The problem of web browsing is similar and has been known for the same amount of time. When you browse the Internet, same thing. Your IT department makes sure that you don't receive any content that's going to harm you or your machine. And when you send something out, they make sure that you don't send out anything confidential. They also make sure you don't go to sites that you're not supposed to visit, either for security reasons or for productivity/liability reasons, okay? The problem of security for email and for web browsing has been well understood for many, many years, and that's really what the security group has been focused on solving all these years.
What we saw 7 years ago is that if you want to use anything else beyond web browsing and email, then things like external SharePoint or Webex or Dropbox/Box.net/Google Drive or online email like Gmail or any other online email, online office applications, instant messenger applications, any kind of an application beyond web browsing and email, as an enterprise, you have 3 options. The first option is to block the application, which is pretty common, especially in the financial services industry. The second option you had is to stick the head in the ground and allow the application to go through, knowing that the same threats and the same bad things and good things that you control email for are going to come in and go out with that application. The same executable that you block over email will come in over Dropbox, okay.
The same malware that you block in email will come in via SharePoint. The same data that you stop from leaking over email would be leaking out over instant messenger or whatever application you decide to allow. This is the second option, many of your employers also do that. I mean, they took a conscious decision saying, "We'll keep spending a lot of money protecting email, and we'll ignore the fact that this new application that we let you use is going to carry the same risks that we are protecting email against." The third option you have is to use Palo Alto Networks today. There's no fourth option. These are the only three options that you have, okay? We'll show you in a demo later what we mean by that.
What Palo Alto Networks does and what the problem that we saw back then was, is the need to safely enable applications. What it means to safely enable application is to make the application as safe to use as email, providing the enterprise the same controls over the application, for example, no executables, and the same security, meaning scanning the application traffic for all the bad things that you scan email for and for the same data leakage that you scan email for. We'll show you in a live demo how we are different than our competitors. How we safely enable applications, how we can take any application and make it as safe to use as email, while our competitors are focused on blocking the application, okay? That's the first thing that we saw then.
The second trend that we saw seven years ago when we started Palo Alto Networks is something that Mark described, which is the Whac-A-Mole approach to network security. Meaning that every time there is a new security problem, a new solution emerges, a new sub-market of the network security market is being created. You have a problem with exploits? No problem. We'll create an IPS or IDS, and then IPS market. You have a problem with content? No problem. We'll build a proxy market for you. You have a problem with filtering? No problem. We'll build a web filtering industry for you. You have a problem now with APTs? No problem. There are 10 companies that will be happy to sell you yet another box to solve your APT problem.
Back then we saw, and today we still see that that approach is not scalable. Enterprises can't continue paying for so many devices on their network. They can't deploy and manage so many devices on the network. More importantly, as you'll see a little bit later, and as Mark described, it's not the right solution. From a security perspective, you cannot continue doing it. You are not going to be secure if you continue the Whac-A-Mole approach.
As Mark described, we believe that the core of network security has to be the firewall because the firewall is the only device, even after almost 20 years since the launch of the stateful inspection firewall, the firewall is the only device that is everywhere on the network, from the small branch office to the largest data center, from the edge of the network to the core of the network. It's the only device that is installed everywhere. Other devices are either not everywhere, or they don't see the traffic, all the traffic all the time. They see very small portion of the traffic, for example, a specific port or a specific application. The only device that's positioned to block bad things is the device that is everywhere and sees all the traffic all the time, and that's the firewall.
The firewall has always been and will always be at the core of network security, okay? Now, the firewall can't do everything by itself. The traditional approach was, let's add more and more and more devices behind the firewall. The newer approach that we're seeing to this, and that we saw 7 years ago, is pairing the firewall with some centralized detection. A data center that is either hosted by the vendor, in our case, Palo Alto Networks, or hosted by the customer or by a service provider that's processing some of the information going through the firewall that the firewall cannot process, and then sending back information to the firewall for enforcement, okay? Again, the firewall is the only device that is positioned to enforce things, and therefore the firewall has to be the key part in this map. Now, we've been doing this for a long time.
Our URL filtering solution from when we released it many years ago works like this. We've been sending, or our firewalls in the field have been sending URLs to the cloud for categorization, and the cloud would send back the result. Recently, we added more functionality to this around malware, around APTs, where we send files to the cloud for analysis and then receive back signatures to block the bad things. We call that WildFire, okay? Now, to achieve those things, those two things, number one, safely enabling applications, and number two, building a platform that can deal with all network security threats and excuse me, and stop the Whac-A-Mole approach to network security, we had to do two main things.
The first thing we had to do is to create what's called App-ID, which is sitting at the core of our device, such that when we receive traffic, we know which application it is, and we analyze the application, such that the rest of the device, everything else the device does, is based on the application, okay? Everything we do, and no matter what functionality we add, as we add more and more functionality, it immediately applies to all applications because the concept of identifying and understanding the application is at the core of the product. That's the first thing we had to do. We'll show you later in a live demonstration how that's different than adding a blade on top of a stateful inspection firewall to identify and trying to block applications. It's a very big difference.
The fact that we do it at the core of the product, and by that, make the entire product application-based, makes the whole difference between us or a big part of the difference between us and our competitors. You'll see it in a live demo and the implications of that in a live demo later. The second core technology that we developed was the single-pass architecture, which essentially allows us to load the box with many different kind of signatures or other things to detect stuff. The engine is running all the time, and the engine is capable of looking for different things at the same time without losing speed. For example, in the first version that we released of our product, we didn't have DLP. We had the engine, but we didn't have DLP, Data Leakage Prevention.
In one of the following releases, we released DLP, loaded the single-pass architecture with DLP information, and by that, started detecting the leakage of information without degrading performance, okay? We started doing it without degrading performance. As we added more and more functions like APT, modern malware, and so on, we load that engine with that functionality and keep looking at the same speed for all those bad things without degrading performance. This is very different than our competitors, which with their UTMs or similar or blade-based products, add more and more software and yet another engine to detect things, and by that, they slow down every time you turn on a new thing.
Which means that they can't really do it, which is why all these other companies are thriving, selling devices to sit behind the firewall. Okay. We stopped it. Again, the way we stopped it is by building an engine that is flexible enough and is also future-proof enough, such that whenever new threats emerge, we can add detection for this threat and then load the engine with ways to block those threats without degrading performance and, of course, while doing it for all applications. What I want to do right now is to give you one example of how we did that. Okay. I want to show you how we solved the problem recently with WildFire of APTs. We did it in a way that shows that our platform can solve problems without degrading in performance and doing it in a market-leading way. Okay.
We'll use APTs as an example. Before I describe how we stop APTs, I'll describe to you how APTs actually work and how you're being attacked. The way you're being attacked, or the way our customers are being attacked, and the way the world is being attacked is relatively simple. Okay? The goal of the attacker, the first step in the attack, the goal of the attacker is to get an end user in the target's victim to open a document. It can be an executable, a PDF document, an Office document. Open a document. Let's say PDF in this example. Okay? My goal, if I'm the attacker, is to get one of your employees to open a document. What you do for that is spear phishing. It's actually easier than this.
You don't have to take a stick and, you know, try to hit a fish with that. It's much easier. What you do is, first step would be, for example, to go to LinkedIn and figure out who are your employees. Get a list of employees of the target. Then the second step is use social media and other tools to figure out not just who the employees are, but who their friends are, what interests them, and then craft a special message for them that appears to be coming from one of their friends. Can come in via Facebook, it can come in via instant messenger, it can come in via email, via any other application, and talk about something that interests your employee.
From your perspective, one of your employees or some of your employees will be receiving a message from one of their friends talking about something that interests them. It's just a PDF. I mean, everybody here knows to open executables, but PDFs, you cannot do your work without opening PDFs. They're going to click on it and open it. That's going to lead us to the second step of the attack, in which the PDF document is going to exploit an unknown vulnerability in something like Adobe Acrobat Reader, and then a small piece of code that we call an exploit or a dropper is going to run on the machine. It can't do much. All it can do is execute the next step of the attack, which is go out to the Internet and download the backdoor program, install it on the local machine.
The next step is for the backdoor program to establish a back channel or command and control channel back to the bad guy. Now that the bad guy and the backdoor program sitting on your network behind the firewall are in full communication, the bad guy can do whatever they want on the network. This is the way APTs work. Okay? How do you detect them, and how do you stop them? How do you detect APTs? How do you stop APTs? The first step is, of course, getting hold of the malware. If you want to block malware, you need to first find the malware, and there are two ways of doing it.
There is the traditional way of detecting malware, in which AV vendors like Symantec and McAfee and all the others have been using for the last 20 years, which is using things like honeypots or using your consumer base to find something that is spreading quickly through the Internet. And we do that, too. We are part of that network, and we collect between 50,000 and 100,000 samples of malware every day into our office in that way. Between 50,000 and 100,000, closer to 100,000 nowadays. Okay? The firewall companies like Cisco and Juniper and Check Point, they don't do that. They outsource their malware work to a third party. In the case of Cisco, that will be Trend Micro. Okay? They count on Trend Micro to collect the malware, generate the signatures, and send them to their customers.
They don't do it themselves. They don't deal with malware. The same is true, again, for Juniper and Check Point as well. IPS companies like Sourcefire do it. I'll show you later why they need to collect malware. Modern malware companies or APT companies like FireEye, they don't do that. They collect malware in a different way. There is also a set of companies represented here by Damballa. What they do is they look at outbound traffic, especially at DNS traffic and which servers you're trying to connect to, and try to detect the presence of malware on the network like that. They don't do that either. I'll show you later what they do. The second approach for detecting malware is using sandboxes. It's a 20 years approach, 20 years old approach as well, just never been commercially successful until recently.
The way that works is you take objects coming into the network, executables, PDF documents, Office documents, and so on. You run them in a controlled environment, and you see what they do to the machine that they run on. For example, if you open a PDF document and the next thing that happens is a connection opens out to Russia and downloads an executable, then guess what? It's probably not a good PDF document. It's very easy to see whether an executable or a document are good or bad, and if they're bad, then you have a malware in your hands. Okay. We do that through our WildFire service. Firewall companies, they don't do it. Okay. IPS companies, they don't do that either. APT companies, that's their bread and butter. They do it. Companies like FireEye do that.
The outbound guys like Damballa, they don't do that. They do other things, which I'll show you later. Now that you've collected the malware, what do you do with it? The question is, what do you do with the malware? Maybe a step back. We do it, FireEye does it. We do it in a little bit different way than FireEye does it, in two ways. First, as you know, we do it in the cloud. More importantly, we do it across all applications. The idea of applications is core to our product, when we added our modern malware or APT solution, it immediately applies to all applications.
We don't care if the bad document or the executable or whatever it is, if the APT comes in via email, via web browsing, via an encrypted session, via Dropbox or SharePoint or Office 365 or instant messenger file transfer or a Webex file transfer. We don't care how it comes in. Once we add the functionality, it immediately applies to all applications because that's the way we built our platform. We built a platform in such a way that everything we do immediately applies to all applications. If you compare it to FireEye or all the other APT companies, they only work for web and email, not even encrypted web, because they didn't build a platform that at the core understands applications. This is the power or one of the powers of our platform. It's the fact that everything we do immediately applies to all applications, okay?
Such that our customers can safely enable the use of these applications. If you buy our APT subscription, it immediately applies to any application that you want your users to use. Once you have the malware in your hand, what do you do with it? The first thing you do with it, of course, is you generate anti-malware signatures, such that if the malware tries to get back again on the network via any application, you can stop it. We do that. The firewall companies, they not do it. All their malware work is outsourced to either Kaspersky or Trend Micro or others, depending on who the firewall vendor is. They don't generate malware signatures. They don't even know what malware is. They don't have malware in their hands. The IPS companies, even though they have the malware, they don't do that.
The reason they don't do it is because IPSs are not in the business of blocking malware. Why? It was a different mole that had to be whacked at a different period of time. They don't deal with malware. They only deal with exploits and with other things related to malware, which I'll show you in a second, but they don't deal with trying to stop the malware from getting in. The APT guys, they don't do it, okay? I'll talk about it a little bit more in a second. Of course, those that look at outbound traffic, they're not in the business of trying to stop the malware from getting in, so they don't generate anti-malware signatures either. Going back to the APT guys, they don't really block malware, and there are 2 reasons why they don't block malware.
The first reason is because they don't really have anti-malware technology. They have URL filtering technology, and what they can do is they can block the place in the internet from where the malware works, okay? It's not the best approach. We believe that hackers tend to put their malware in more than one place on the internet. They keep changing it. More importantly, and more strategically, the APT guys, like any other firewall helper, is not in a position to stop malware because they are not everywhere in the network. If you want to stop malware in your data center, you need a 10 or 20 or even faster gigabit per second firewall or device to sit in the data center and block malware. They don't have it.
If you want to block malware in a small branch office, you need a small, you know, branch office device that costs and operates like a branch office device. The only device that can do that is the firewall. The only device that can run in a small branch office and runs at multi-tens of gigabits per second in a data center, and of course, anywhere in between, is the firewall. The firewall helper guys, like the APT guys, aren't in a position to do that. They are not deployed in the network in a position to be able to block malware. The next thing you need to do with the malware is generate command and control signatures, such that if the malware is already on the network and it's trying to communicate back with the bad guy over a command and control or a back channel, you stop that.
That's traditionally been the role of the IPS. We do that. When we run the malware in our sandboxes, we record the traffic that it's generating, and then we generate a signature for that, such that if it's already on the network, we block it. The firewall companies don't do that. Even though Cisco and Juniper and Check Point all have IPSs, not very market-leading, but IPSs, they don't do that. Why? Because they don't have the malware. They outsource all their malware work to other companies. They don't have the malware, so they cannot run the malware, look at what the malware is doing, and then program their IPSs to block the malware. They just don't do it. The IPS companies do it. That's their bread and butter, of course. APT companies don't do that. Why? Because they're not the IPS.
If FireEye or someone like FireEye wants to do that, they will need to become the IPS. They will have to go and replace not just the firewall, but also the IPS to be in a position to do that. They aren't doing it because they're not an IPS. They're not in a position to do it. They can detect the malware, not block the malware from communicating with the bad guys. We have the outbound guy that take a different approach to detecting the malware already being on the network. The reason they do that is because it turns out that it's much more efficient and much more effective to try to detect the malware already being on the network rather than trying to detect it coming in. I'm not saying you should not try to detect it coming in.
I'm just saying that it's much harder and it's easier to miss the malware on the way in than it is to miss it on the way out, okay? We see more and more value in doing both and more and more value in detecting the malware trying to get out, not just with the IPS, but using other tricks exercised by a company like Damballa, which I'm not going to get into. In general, they have to do with the fact that the malware has to do a lot of DNS, domain resolution tricks, in order to figure out where the bad guy is, because the bad guys have to keep moving around. They cannot stay in the same place all the time, and the malware has to track them.
Detecting those tricks that the malware is using is a very efficient way of detecting the malware presence on the network and even stopping it from being able to communicate with the outside. We do it. You can see no one else besides the companies that dedicate themselves to that because that's another mole that had to be whacked do that. Then the last thing that you want to do is to create URL filtering filters to block well-known malware sites, okay? You can see we do it, some of the APT guys do it, the others don't do that because they don't have the malware, so they don't know where the malware came from. If you put everything into a big picture, into a big matrix, you'll see that different companies focus on different things.
You see that there is a group of companies, the IPS companies, that focus on detecting the back channel, focusing on detecting the malware already on the network, trying to communicate with the bad guy. There are a set of companies like Damballa that focus on detecting the malware on the network using different tricks. There are APT companies that focus on trying to detect unknown threats, zero-day threats, getting on the network and then maybe trying to block the sites that they came from. There are companies like the firewall companies that really don't do anything when it comes to security, just money, and there's Palo Alto Networks, okay? The reason we can do it is because of the things I said in before.
It's because what we do, we do for all applications, and because we have a platform that is flexible enough that allows us to do that, okay? Can our competitors do it? Maybe. If they all come together, this is how it's going to look, right? You're going to have an APT vendor like FireEye finding the APTs. They're not in a position to stop it, so they'll have to send it to a firewall vendor, in this case, let's say Check Point. They'll have to send it to Check Point. Check Point is not an malware company, so they'll have to take the malware and send it to Kaspersky. In parallel, they'll have to run the malware, see the traffic that is generating to program their IPS.
Kaspersky will be generating an anti-malware signature and sending it to the Check Point customer, to the blade, to the AV blade. In parallel, Damballa will need to receive the malware and see what kind of DNS traffic it's generating and send something to the firewall or you can just do this, okay? You can have one device responsible for all the network aspect and a cloud that's responsible for the detection. This is what we're selling today. We call it WildFire, and we believe that it's much more scalable than the approach that our competitors are taking. We do it, by the way, not just for WildFire. We also do it for PAN-DB, for URL filtering. This is the way we approach URL filtering.
This is our approach to WildFire, and this is going to be our future approach for any other threat that's going to come up. Yes, with the next threat, you're going to see a few mushrooms popping up trying to solve that threat. As we've said several times, they're not in position to do it. They cannot see all the applications, and they are not everywhere on the network. They're not in a position to block it, and we are. We have an extensible platform, a platform that allows us, like in the case of APT, just an example of APT, but like in the case of APT, we can add more and more functionality for detecting bad things on the network, again, mostly in the cloud, and then preventing them on our device.
When we do that, we usually do it as part of our subscription services. Thank you very much.[Break]
Good morning. My name is Lee Klarich, Head of Product Management at Palo Alto Networks. Today, I have the pleasure of being here and being able to talk about product. It's what I do. Today, in particular, I'd like to focus on our unique approach to the network security market. To lead this off, I'm gonna show you for the 2nd and not even the last time, this chart. I'm gonna use it to in a whole different way. Really, it's just a setup for what is the network security market composed of, and what are the traditional approaches to that, and how does that differ from our approach?
When you look at this, you see, you know, from a network security perspective, firewalls, web gateways, IPSs, VPNs. The traditional approach to these, and Mark has covered this, and Nir's covered this to some extent as well, have a couple of really sort of serious fundamental flaws. First, all of these were invented in sort of a pre-2000 application user landscape, and I'll go into this in a little more detail. Basically what this means, and you think about it, you know, firewalls were invented when there was basically web and email. The same is really true of web gateways. It was when web browsing was, you know, just people going to cnn.com and things like that.
The IPSs were invented when the way hackers worked was they tried to attack the server. IPSs were formed when that was the threat landscape. VPN was formed when you just needed to find a way to connect a user to their webmail. That was the environment when these technologies were invented. Second, the approach that the traditional vendors take to all of this is they look at this as opportunities to have different products doing different things. The firewall is the firewall. The web gateway is a different product. It does something else. The IPS is yet another product. It does something else. The VPN is yet another product. It does something else. The siloed approach that treats each of these as like a completely separate thing simply doesn't work. What do we do? We fundamentally look at this differently.
First and foremost, we start with a whole different understanding of what the application and user environment looks like. Applications have changed radically from pre-2000 till today. Not just the number of applications, as Mark talked about, but the technologies they use and how they work has phenomenally changed. It's amazing. Second, we look at this as a single network security market and problem to solve. We don't look at it as 4 distinct different things. This allows us to solve much more complex problems than you can do if you approach these in a siloed way. Let me now sort of describe this in a more graphical way to really show how this is different. This is the pre-2000 landscape. This is what things looked like when the world was simple. Users worked in the office. Mostly, they had desktops.
They didn't even have laptops pre-2000, for the most part. Certainly, there wasn't anything called mobile at the time. The applications they used were basically web and email, and when it wasn't web and email, it was an application that IT deployed in the data center. It was, you know, the application's simple, the attackers were just kids basically having fun. Often, when I talk about this with network security people, I tell the joke, I guess it's sort of geek humor, but I'll say, you know, we long for the day of the ILOVEYOU virus. You knew when you had it, and you knew when you didn't. I don't know if you remember the ILOVEYOU virus. Like 1999, it hit.
Everyone was scared because it brought down email for a day, then the next day, everybody had it cleaned up, and things were back to normal, right? I mean, that was the threat landscape in 1999. Like, that was the thing you worried about. Compared to today, that was great. At the time, it felt bad, in hindsight, that was great. This was the simple world. Drew a little box around it, contained it. That's how traditional products were designed for these traditional markets. The world is not simple. Users are no longer contained to the physical network. Users are everywhere, with laptops and mobile, everything. Those users are using whatever application they feel like, for the most part. When they're off the network, they use anything for sure.
When they're on the network, they also use anything they want because application vendors have realized how to encrypt applications, how to hide them, how to port hop, how to tunnel inside of other apps. Users can use applications on the network, off the network, whatever they feel like doing. For the applications that IT deploys, they might not even be deployed on the network anyway. As data centers get virtualized into private clouds, private clouds morphing into public clouds and hybrid clouds and community clouds, even the IT-deployed applications might be anywhere. To make all of this worse, the hacker understands this. If you're thinking about trying to access data, applications, things, you know, on someone else's network, they understand this landscape. They understand the applications that users use. They understand how to get to those users.
They understand how applications encrypt and tunnel and port hop and find their way in and out of networks. If you're a malware writer, you simply leverage that. You don't even have to write it yourself. You leverage what everybody else has already figured out. You see this play out publicly. Servers are, you know, by a sophisticated hacker, servers are not attacked directly. They're attacked by first finding users, attacking the user, which is much simpler, and then using the user to access the ultimate data on the server that you're trying to get to. The whole attack vector has changed. How do we approach this if the traditional mechanisms don't work? You have to start by fixing the core problem on the network. We do this with a next-gen firewall.
We do it in the firewall for all the reasons that Nir talked about and Mark talked about of needing to be in the right place with the right technology, you know, App-ID, User-ID, continuity, the management capabilities. Everything that we do starts by you first protect the physical network of the enterprise. As users, though, have moved off of that physical network, we then had to extend this technology to be able to handle users no matter where they are. Physically on the network is easy because they have to go through your security infrastructure to get to whatever they want to get to.
When they're off the network, what we do is with a product called GlobalProtect, we actually logically keep the users on the network so that we can apply the same security capabilities for those users no matter where they are. This, by the way, would traditionally be viewed as VPN, for us, it's way beyond that traditional just give them, you know, encrypted access to email. It's all about how to keep the user on the network all the time, connected to the closest gateway. Third, we have to extend this technology into the data center as these data centers are evolving toward private cloud, public cloud, leveraging virtualization, eventually SDN-like concepts. We do that through, first and foremost, flexible platforms. VM-Series launched recently. It's a software form factor of our next-gen firewalls that is designed specifically for deployment into cloud environments.
Extending that through context awareness of the virtual environment, understanding VMs as they move around, get spun up, turned down, move even to other data centers, keeping that context from a security perspective, no matter where the virtual machines are, tying into the automated workflows. You'll see as we talk about some of the trends from a cloud perspective later, why that is so important. Then partnering with key vendors, and Chad will talk about this later, VMware, Citrix, and others that are really helping to define these software-defined data center environments. Then lastly, from a, from a threat perspective, there's a lot of things we've done from an IPS perspective, anti-malware perspective, and most recently, WildFire, detecting the unknown threat.
Doing this in a very sophisticated way, leveraging the existing technologies, the existing single-pass architecture, also leveraging cloud for compute and scale and timeliness of updates. Most recently with the subscription service for WildFire, where we can actually take new malware that we find from anywhere in the world and turn it into signatures that are then available to all of our customers in 30 minutes. Power of the cloud, right. Plus the power of a next-generation firewall being in line in the network. Soon, we'll even be able to extend the cloud-based capabilities into local scanning capabilities to provide even more flexibility in the solution and giving customers choice as to where files are scanned, their network versus our cloud infrastructure, et cetera. That's how we look at this, as a network security problem, not disparate technologies, not disparate products.
When you combine all that together, you get to the product line. This is how we take the technology and the things that we do, productize, and offer to customers. It all starts with the platform, of course. Wide range from small branch office boxes all the way up to big devices designed to sit in front of high-speed data center environments and core enterprise networks. Most recently augmented with the PA-3000 Series, new mid-range platform, and the VM-Series. As I mentioned before, designed for private cloud, public cloud kind of environments. You'll see from us that this will continue to evolve. This never sits still. We'll have bigger boxes, we'll have smaller boxes, so we'll be able to continue to take the technology that we have and extend it further and further.
One of the things that is so great about this product offering is the ability to then augment these platforms with subscription services. Threat prevention, URL filtering being the first services we offered back when the product first launched 5 and a half, 6 years ago. More recently with GlobalProtect and WildFire coming into play. Being able to do that, add those new services without fundamentally changing the hardware platforms they run on, but rather just through software updates, being able to enable whole new capabilities on those existing platforms. The flexibility of being able to adapt to new market requirements through the simple addition of a new subscription service is wonderful. I'm speaking from a product perspective. Stefan will talk about it from a financial perspective. The ability to do that is obviously wonderful as well.
That is the power of the platform, the single-pass architecture that we've come up with. The use cases, of course, firewall, web gateway, IPS, VPN, managed all of that through a single management platform. Panorama, most recently, the M100 hardware platform for management, you know, scalability, flexibility, integrated management, visit, log views, viewing, reporting, all of that packaged up in a single platform. Of course, PAN-OS being the underlying operating system that really drives all of this. That's what the product line looks like. Single line of hardware, services on top of that, wrapped with a single management platform. Two things that are very clearly top of mind for many of you, I'll go into just a little more detail on.
The first would be APTs. We've talked about WildFire, Nir's talked about it, I've talked about it. There's just a couple more points that I think are really important relative to APTs, WildFire in particular. Number one, we talk about this all the time, but it's really, really important. Prevention matters. If you just detect, then you'll see malware, and then you'll see it again and again and again and again and again. Companies, when that happens, they have people running all over the place trying to re-image machines to clean them up after they got infected. This is a chart of data that shows even if you wait 24 hours before you have a signature to prevent it, 50 samples will turn into over 8,000 instances of potential malware infection on the network.
Versus if you can prevent that within the first hour, you can reduce that by almost 10x. Prevention is a huge time saver, data saver, threat saver if you can compress the time from first detection to prevention, okay? We can back this up by simply saying we have over 1,300 customers today using WildFire. This is a phenomenal number given that WildFire just launched about 15 months ago. On a typical month, we now see over 500,000 unique files that we scan. Of those, we find over 26,000 new pieces of malware a month, and of that, 13,000 are net new, meaning we are the first company to find that malware.
I'll show it here in the chart, but what we found even is that 13,000 pieces of malware, even 7 days after we find it, roughly 40% is still unique to us, meaning we're still the only vendor that knows that that malware exists. We're not just the first to find it, but many of these malware are so evasive that the traditional mechanisms just never catch up. 500 pieces of malware a day that falls in that category. The second big topic that comes up all the time is virtualization SDN. What does it mean? Is it good? Is it bad? From a virtualization perspective, what we have today, what you see on your left, virtualization, flexible form factor, the VM-Series and the hardware platforms both are relevant in virtualized data centers.
Context for dynamic VMs and dynamic motion within these data centers, and tie-ins to automation through APIs and things like that. That is the solution today for private cloud, public cloud environments. As virtualization morphs toward SDN, software-defined networking or software-defined data centers, those same principles we have today extend perfectly into an SDN world. Flexible form factor extends into a world of SDN, where software trumps everything else. Dynamic objects that we have for tracking dynamic motion of VMs morphs toward all decisions being made on context. Nothing is static anymore. An automated workflow integration morphs into integrating into the orchestration, and that is probably the most important point because in a software-defined network, everything is orchestrated, the network, security, everything. All the things that we have now blend perfectly as virtualization moves toward SDN, okay?
Now, I'd like to finish by answering a few questions proactively, things that we hear all the time, because quite frankly, it's a big market, there's lots of vendors, and there's lots of things that get said that aren't necessarily substantiated. There's 3 in particular I wanna touch on today. The first is management doesn't scale. They don't mean the management team, they mean the management platform of our product. You hear this all the time. The reality is it's not true. Our management platform scales to 1,000+ devices. We have software form factor of Panorama, very flexible. More recently, that extended to the M-100, which is a hardware-based form factor of our management platform, and that can extend into a distributed model where central management is separated from distributed log collectors, geographically dispersed 1,000 devices.
We can scale a number of devices, we can scale in the amount of data to collect and report on all in an integrated way where all of the things that we do are under a single policy. Second, hear it all the time, switching is hard. Honestly, switching can be hard, which is why over the last several years, we've put a lot of effort into trying to make this as easy as possible. Some of this is training, some of this is education, some of this is professional services. One of the things in particular we're proud of is we've built a very sophisticated policy migration tool that allows us to migrate existing configs to our configuration form. Not only do we migrate the config, but we can also fix problems with the configuration.
We do config migrations where, you know, we'll decrease the number of rules 10x, 100x in some cases. We reduce duplicate objects. We fix things that are broken in their current configs as we do the migration. We make this as easy as we can. The last thing, continue to hear, performance drops as you add additional capabilities. Nir talked about this, Mark talked about this. It's simply not true. Let's take a platform that we have that can do 10 gigs of App-ID firewalling threat prevention. If you enable QoS, it still does 10 gigs. If you enable URL filtering, it still does 10 gigs. If you enable WildFire, the most recent service, it still does 10 gigs. We've proven this out again and again. The platform scale, the single-pass architecture works.
What I'd like to leave you with is fundamentally designed from the ground up products with today's application and user environment in mind. Seamlessly integrating the technologies and functionality that we have to solve today's complex challenges in an integrated way. Single-pass architecture, scaling, and flexible enough to incorporate new technologies as they're needed to adapt to the changing threat landscape and ongoing product execution that will continue to evolve both the next-generation firewall core capabilities, as well as adapting to the new landscapes of mobility, SDN, and other types of things like that. Okay? Now we're gonna show you a little bit of this.[Break]
Good morning. I'm Rene. I am responsible for marketing in Palo Alto Networks. We thought that Well, Nir and I thought that it would be very insightful for you to see how our product actually functions in the field, see how it compares to other products. To do that, we thought it was a good idea to do that not through slides, even with all the customer testimonials, but to actually show it side by side. I know that's not what you see very often in analyst days. We keep hearing over and over again that certain vendors claim certain things. We wanted to kinda set the record straight on that because we believe that what we build is fairly unique. Therefore, why not show the product?
To do that, right, we looked at three things, right, that you may have been told? When you speak with vendors in this industry, they may tell you, "Oh, well, we do what Palo Alto Networks does," typically in that order, right, typically referring to us. The good thing is that that kinda looks like a benchmark. The bad thing is, we wanna actually take them to task on that. Do they actually do what Palo Alto Networks does? The second claim that is made and that you will often hear in the market is, "Oh, we have better performance than Palo Alto Networks. Our boxes are faster," and so forth. Again, we wanna make sure that you understand what is being said there and how that compares.
Thirdly, what you will hear is, "Oh, by the way, we're much cheaper." Specifically, no one uses the word cheap, but they say, "We're more cost-effective than Palo Alto Networks." It may be in a different order, depending on who makes those claims, but at the end of the day, these are the 3 things that we typically hear, right? Let's take that to task in this demo. To do that, why would you believe the marketing guy, right? It's my job to say these things are not true, but let me actually introduce you to a few folks who know this much, much better. Of course, this is Nir. Nir, 19 years ago, was there when certain technologies were invented by him. Other folks here, on my right is Frankie.
Frankie joined us from Fortinet, so he knows a few things about this industry. Jerish on the left, right, who joins us from Juniper. In the back, right, is Matt. Matt has a long history with, also with Check Point. I bring these engineers with me because, right, you should believe engineers, not marketing guys in general, except for me, of course. What we also brought is a couple of friends, and these friends are actually involved in our side-by-side, right, demonstration. We brought some members of the Palo Alto Networks family. They are in the back, humming away in the back there. If you turn around, you can see Matt there, right?
If you wanna see these things, 'cause you may have never seen a Palo Alto Networks box, or you may have never seen a Check Point box or two, we also brought some Check Points. Right. What you're gonna see here is real products. These are no videos. These are no slides. This is the real product as it works. In fact, what we brought, right, we brought the PA-3050, the model that we launched in November, right, which is a 4 gig firewall, right, 2 gigs firewall with everything on, right? To compare and contrast it, we brought a very similar sized box, in fact, physically the exact same 1 unit box, but more importantly, a box that when you turn IPS on, is in the realm of performance of a Palo Alto Networks box.
Of course, it's marketed as an 11 gig firewall, right? When you actually turn on the IPS, it does a gig and a half, right, which is very typical for Check Point gear, right? Here you have two boxes. Forget about the price for two seconds. Forget about all of this. This is very equivalent technology. With that And, they're humming in the back, if you wanna see them during the break, right? More than happy to demonstrate them. What are we going to show you? Right. Let's start, Nir, with the most simple thing, right, that you guys 19 years ago tried to do, which is manage web and email.
Yes.
Right. Since you all work on Wall Street or are associated with it, I thought the easiest thing to do was to have 2 completely default firewalls, who by definition don't allow anything, right? 'Cause why would you have a firewall if you put it there and everything still goes through, right? A default firewall doesn't allow anything in, right? Let's only enable web browsing, right? The problem that Check Point said they were gonna solve, right, 19 years ago. How are we gonna do that, Nir? What kind of things do we need to do to do that? Let's switch to the 2 screens. What you're gonna see here is Check Point. Frankie represents Check Point, and let's go to that. On the left, you see Palo Alto Networks, right?
What are we looking at here on the Palo Alto Networks side?
This is our policy editor. This is actually our GUI. The GUI connects directly to the PA-3050 that's there in the back. here on the Check Point side, you see SmartCenter, which is running off a dedicated management appliance of Check Point that then controls the
Right. Check Point actually.
4810.
Yeah. Check Point actually is 2 boxes.
They're two boxes.
The management appliance and the 4810.
Yeah. You could have connected directly to the box to manage it.
Yes.
You'll see later why we didn't do that.
Yes.
Here you see the Palo Alto policy editor.
Yep.
Here you see one of Check Point 12 policy editors. Specifically, this is the application and URL filtering blade.
Okay
policy editor.
Let's start with Palo Alto Networks then. Let's start with what can we expect from this policy? Cause this policy allows us to web browse, right?
Yeah, of course.
Explain what we're looking at here?
There is only 1 rule enabled in this policy right now. The other 3 are not. It allows all the necessities for web browsing, which is DNS, SSL, and of course, web browsing.
Web browsing. If, with this policy enabled, right, I should expect to be able to go to MSN or something. Jairus, can you show, right, that we can actually get to the website? Yeah. If we go to MSN or CNN.
CNN is also good.
CNN. Okay.
Okay.
There we go.
MSN.
Then MSN, right? Can we go to MSN, for example? 'Cause this is expected, right? We enabled, right, web browsing, and there we go. What about Google? Google is a website.
Depending what. Google Search is a website.
Okay. Can we go to Google?
Let's go to Google.
Yeah.
Google Search is a website, and that's why we can go to it. It's a web browsing.
Okay.
Uh, but-
What doesn't be a Google property that is?
For example, we can try to go into mail.google.com or docs.google, try mail dot Yeah, gmail.com is fine.
Okay.
You see that it's blocked. 'Cause Gmail is a web-based application.
Right.
It's identified as such.
Yeah.
Since we only enabled web browsing.
Okay
Of course, Gmail is blocked.
Right. mail is a clear app, but what about things like Facebook or Twitter?
We can try them.
Yeah.
Facebook is an application.
Yep, Facebook isn't a website, it's a web application.
It's blocked.
Okay.
Twitter is an application.
Yep, yep.
We can try to go to Twitter here.
Yeah. Okay.
It's blocked.
Okay, this is exactly what you would expect.
Yes.
Right.
That's what the policy says.
Now-
that's what the Palo Alto device does.
Okay. Now, Check Point says that they do what we do.
They say. It's easy to say that.
Okay.
Yeah.
Can we go, can we switch?
Yeah, of course.
Yeah.
Here we have a similar policy. This is the application blade policy, the app blade policy.
Right.
You can see there's one rule enabled, and it's the same rule. It allows web browsing, DNS, and SSL.
Right.
We can ask Frankie to also switch to the firewall tab over there, and you'll see that we had to do the same thing in the firewall tab because Check Point has a separate inspection policy.
Right.
On top of it, there is an application blade policy. The firewall policy, the separate inspection policy also allows DNS, HTTP, HTTPS, and SSL version 3. Go back, Frankie, go back to the application.
Yeah.
As we've seen here we allow the web browsing application, not the web browsing port. Back there it was the port.
Yeah.
We allow the DNS application, and we allow the SSL application, and the other rules right now are disabled. It should allow those three.
Okay
everything else.
I would say this is not exactly how Palo Alto Networks does it.
No
right, 'cause there's already 2 policies instead of 1.
Correct. You already see that it's a little bit different.
It's a little bit different, but let's give them the benefit of the doubt.
Yes.
Right? They have more policies, which is not the same, but does it work?
We can try it.
Okay. Frankie, can you-
CNN.
Does the 3D Security actually work?
If you have a 3D printer.
Okay. Well, we can go to CNN, right?
CNN works.
Yeah.
Okay, MSN.
Can we go to MSN? Yeah.
Google.
Google. Yeah.
Gmail.
Gmail. Hold on.
Okay
Wait. What is this happening here?
So-
Why, this is not what Palo Alto Networks does.
No. I guess it's because we didn't have a rule to block applications. You expect a firewall to block things by default.
Correct.
Apparently, the Check Point application blade doesn't block things by default.
Even though it has lots and lots of applications in the application database, it doesn't know that Gmail.
Gmail is different than web browsing.
Wow.
So that's what-
What about Facebook and Twitter?
You can try Facebook.
They always talk about Facebook being the easy application. Can we go to Facebook? Uh-oh.
John. Yeah, Frankie, you need new friends there.
Yeah. Yes, your friends are freaky and-
Twitter.
Twitter. Yeah, of course it works. This is not what Palo Alto Networks does, is it now?
No.
No. Now, more policies, by default, they actually do not control these applications whatsoever, even though they claim that they can control.
Correct.
I heard a rumor that there is a policy in Check Point, right, that can block all known applications.
Correct. They are saying that they can do that.
But-
we can actually ask Frankie to go back to the policy.
give
You can see here at the bottom.
Yeah
There is a rule that says source any, destination any recognized.
Yeah
I think that's what you're referring to.
Yeah, any recognized application.
Block.
Yeah.
what we're going to ask Frankie now is.
Hold. Two seconds. This would imply that we have to set yet another policy to block any known application.
Yeah. You expect firewalls to block things that are not explicitly-
Right
permitted by default.
Right.
They don't.
No.
Fine. Okay. It's a little bit different than Palo Alto Networks. Let's add a rule to actually block all the things that are not web browsing.
This is a lot of management overhead now.
It is.
Right? This superior management platform that they say they have, right, actually, I'm already three policies in.
Yes.
Right?
Again, saying things is easy.
Yes. Okay.
Um-
So can we-
Actually doing them is not that easy.
Can we implement this rule?
Yeah.
I want to see if it actually works.
What we're going to do right now, just wait for a second. Frankie just pushed the push policy button, which is now going to take the policy, compile it to some internal format, and push it from the management platform to the actual Check Point firewall.
Okay.
We're going to hit Okay.
Yeah.
With this superior management system, we only have to wait about a minute and a half.
Okay
to make this little change.
A minute and a half? What are we gonna do in a minute and a half?
Um-
Can I make you some coffee?
That would be great.
How would you like your espresso and your.
Let's see how many shots you can get while Check Point pushes the policy. I heard they're coming up with an espresso blade. You'll see in a second why. They really, really need that.
You want a single or a double?
Let's see how many you can get.
Okay, let's do a double first.
You know, luckily this is why we brought a separate management appliance because if it was on the device itself, it would have taken 10 minutes, not a minute and a half.
Right.
You can see it's working. It's verifying.
It's working, yeah.
Verifying. We made a little change. Lot of verification.
Yeah.
By the way, if we asked Jairus to do it, and we're going to ask him to do that, it would have taken about 10, 15 seconds to do the same thing on the Palo Alto device. Managing the device directly, not through a Panorama appliance, not through the M-100.
Right
which is faster. Still verifying. Yeah.
Good.
How many have we made so far?
This is your double.
Thank you.
This is the double, yeah.
Thank you.
I'm gonna make myself a single. I am a single guy. Let me do a single here.
I mean, in reality, what happens here right now. When I was at Check Point, it wasn't that slow. What happened is that It's not me. I think what's happening here right now is that because Check Point has so many different blades, and each blade is developed by a different group inside Check Point, sometimes it's developed by a different vendor, right? The OEM is from different vendors. Each of them now has to go and compile sequentially and be pushed to the device because there are so many different policies, so many different engines, so many different functionality that is completely separated.
We're done.
3 shots? 4 shots?
I made three shots and actually drank mine.
Okay.
Wonderful. Now for the question.
Now let's try it again.
is does it work? Like, 'cause we've waited for a minute and a half, right, to push 3 policies. Frankie, can you go back to.
Go to CNN.com.
Go to cnn.com. Okay, that still works, so nothing broke, right? What about?
Go back to Facebook.
Go back to Facebook. Okay, it didn't work.
Of course it still works.
It didn't work.
Yeah.
What is going on here? 'Cause now we've given them everything that they asked for, right?
Almost.
Almost.
Yeah. If you go back to the policy. The issue is that this is not a real firewall. This is really a URL filter. As you can see, they integrated both together, and this is not the way URL filters work. In reality, Check Point can block Facebook. To block Facebook, what you'd have to do is to go and add the rule above the rule that allows web browsing and say, "Block Facebook." You cannot do it by saying, "Block anything other than web browsing." You actually have to go and specify all the applications that you want to block, and Check Point supports about 100,000 applications.
Yeah.
You need to go and add about 100,000 rules.
Okay.
You can make a lot of espresso while you do that. Then push it. Even worse than that, when they recognize a new application and come out with it.
Yes
you have to remember to wake up early in the morning.
Yep
add more rules to do that.
Wow. Okay.
Check Point doesn't quite do what Palo Alto Networks does.
No.
They certainly can't even block applications.
The management overhead here is tremendous. Like, the operational implications of this is you have to set many, many, many, many rules.
Look, it's not even complicated. It's just impossible.
It's impossible.
You can't expect customers to go and set 100,000 rules.
Okay
to block to allow just web browsing.
Let's go to the next scenario. We can put the slides back up just to quickly show. We've shown you the scenario. Now, that wasn't even safely enabling these applications. That was just to make them work. That's not my slides. May I have my slides back? Okay. Yeah. The scenario that we want to enable here is a more complicated scenario. We have 3 groups in the company. A group, a marketing group that wants to do Photoshop files over SharePoint, a group of bankers, i.e. people like you, who want to do PDF over Box, and then a group of IT folks that want to exchange zip files over FTP. These are now very specific policies that allow these users to safely enable those applications.
Rene, this is a real world scenario.
This is a real world scenario.
A couple of you asked yourself, "Okay, why allow the IT department to send zips over FTP and not over Box?
Yes.
That's because Box stores all the files at Box, and maybe you don't want to enable zip inside Box because.
Like, 'cause it could be source code in there or something like that.
Yeah. You want zip to be able to be exchanged via an application like FTP that doesn't store things online.
Correct.
You want PDFs to be shared over Box, which stores things online.
Okay.
It's a valid scenario. It's a scenario that we see all the time, and it's one of the reasons why customers buy our product.
Okay, let's go back to the demo and see how the two products enable this. Oh, it's very small there. Okay, well, we'll do with what we have.
We'll live with that.
Yep, we can live with this. We're now. Where are we now?
Can you just cancel for a second, Jairus? We're back to the Palo Alto policy. There is one policy, as you can see. We just enabled 3 rules. The first rule there allows marketing to use SharePoint. The second rule says, allow bankers to use Box. The 3rd one says, allow IT to use FTP. Still not enough. We have to go in now and enable the specific file types that we want him to use. I am going to ask Jairus to click there and add to file blocking something that will block Excuse me, that will allow only Photoshop PSD files. This is of course just a policy that we predefined. It does not come with the product. You can, as a customer, you can go and create these kind of little policies and attach them to the rule.
We're going to ask also to add here allow PDF, and then on the last one, we're going to add ZIP. That will really achieve what you showed on your slide. Now, we have 3 different groups inside the company.
Yep
that are allowed to use 3 different applications. Each can use a different application to transfer 1 kind of a file.
Perfect.
This is how you achieve it. The next step is to push the policy. We're not going to do it right now, and it works.
Yep. with that in mind, right, a single policy for these combinations of users, applications, and content, right? That's what you would expect.
Yes.
Let's see if Check Point does what Palo Alto Networks does. Let's go here and explain to me, like, what we're doing here.
What Frankie did here is enable 3 new policies that allow specific groups to use specific applications. That was done in the application blade.
Right
in the app blade. As you've seen before, we didn't even have to do that. These applications were enabled already even though we asked to block them, but let's give them the benefit of the doubt. We enabled those 3 applications. Now, the next step is to go and control file types.
Hold on. In a single policy in the App-ID, you can actually not specify the content type at all?
No, because the app blade is only about enabling or disabling applications, and here we enabled those three applications with specific users, but the app blade is not the element in Check Point's product that controls file transfers.
This is a wholesale allow or a wholesale block.
Correct
of the application.
Correct.
Okay. That's not quite what Palo Alto Networks does, is it now?
No, it's not.
Okay. Where would you do the file types?
File type is available in the DLP blade, data loss prevention blade. Frankie's going to go there now. Here you can see that you can define something like graphic design file, source marketing group.
Yeah
or just detect, don't prevent. This rule will allow the marketing group to transfer graphic files, but it will happen across all applications.
You cannot specify the application here?
No, you cannot. This goes back to the architectural difference between Palo Alto Networks and our competitors. Whereas Palo Alto Networks, the fact that we identified the application at the core of the product makes it available for the rest of the product.
Got it.
With Check Point and with others, the core of the product is stateful inspection. It doesn't identify the application, okay? There is a blade identifying the application.
Yeah.
There is a blade identifying the file type.
Okay.
They don't talk to each other.
That's amazing.
The right architecture is to push the concept of applications to the core of the product.
Right.
Maybe all the blades will be able to do that, but that requires you to completely rewrite the core of the product, which is completely new hardware, completely new software. It's much easier to say that you do what Palo Alto Networks does.
Right
Do this.
There's one more scenario that I want to go through. If we can go back to the slide once more and show there's one more element. The safe enablement also has to do with the level of tolerance that you give to certain users.
Correct
groups using those applications.
Maybe just to summarize what we saw here.
Yeah.
Rene, what we saw here is that with Check Point, you can block PDFs or allow PDFs, but you do it for everyone across all applications.
Yes.
You do it's not for everyone, but across all applications.
Yep.
If you allow PDFs via Box, you also allow PDF via email, and you also allow PDF via other applications, which you might think are dangerous for PDFs.
Yes.
More specifically, if you allow ZIP via FTP, you also allow ZIP via Dropbox, which means that now ZIP files are going to be stored by the, in the cloud.
Right
against your policy.
Right.
Okay?
very much against that policy.
To fix that, Check Point would have to go and completely rewrite the core of the product, which really means rewrite their product.
That they can set a policy that specifies both user application and content.
Such that the application will, the concept of application will be available to blades other than the application blade.
Got it. Okay. One more scenario, if you can go back to the slides very quickly, because there is a way to look at the tolerance that we have. What if I want to be more strict with the bankers, as we should be, right, in policy, and a little bit more loose with the IT guys? In other words, the IT guys can do a few more things because they know what they're doing, right? The bankers, right, may not necessarily know what they're doing, and it makes them more vulnerable.
It's not just about knowing what they're doing.
Okay.
It's not just about knowing what they're doing.
Yeah.
That's one thing, but it's also about risk management.
Yeah.
There is always a balance between security and connectivity.
Of course. Yeah.
The more things you try to block, the more you're going to err. I mean, sometimes you'll err, and with the bankers.
Yeah
You will err, and sometimes you'll be blocking good things.
Okay.
It could be that the security requirements of the banking environment is much higher than the security requirement of the IT department, that you're willing to risk blocking some good things.
Yes
so that you can block more of the bad things. Whereas with IT, you don't want to take that risk.
Okay.
You don't have to take that.
Fair enough.
that risk.
I understand. If we go back to-
It is a very common scenario. All our customers do this.
It is, yes. All our customers, yes. Can we go back to the demonstration?
Of course.
I want to see how this works. Let's look at this in Palo Alto Networks first. Right, we're back in the policy.
The same policy.
Yep, same policy.
What we're going to ask Jairus right now is to go into one of the rules and add a vulnerability protection profile called.
Strict
strict. Yeah.
Yeah.
This is for the bankers.
Yeah.
We just added the strict. What strict is something that you can define. I mean, we're not going to show you the definition here, but you can go in as the customer and define what does it mean to be strict. You can define what kind of attacks you want to block, what kind of attacks you want to just know about, what kind of attacks you want to ignore. You define what strict is.
Right.
We are going to ask Jairus to do the same thing for the banker's rule.
Yeah.
We're going to choose a profile called loose.
Loose.
Again, the customer gets to define what loose is. It is not predefined.
Okay. We didn't change tabs or screens or blades.
No
Anything. It's just in the core of the firewall.
Correct.
Okay. Where would I do this in Check Point?
First, in Check Point, you'll have to go into multiple blades because Check Point doesn't have a threat prevention blade. They have an IPS blade.
Okay.
We're going to ask Frankie here to go into the IPS blade.
His name is Frankie.
Hey, Frankie, sorry. I don't know why I keep calling you Frankie. Sorry, Frankie. We're going to ask Frankie to go into the I did it last night, too. Into the IP Sorry for that. Into the IPS blade. You can see here that you can choose which protection profile you want to apply.
Yes.
You apply to the entire gateway.
That's another Palo Alto itself.
It's not user-based, and it's not application-based.
It's.
Everybody across all applications.
in on that firewall. Across everything.
Yeah. It's, again, it's the same problem that we discussed before. The fact that the core of the product only knows ports and protocols and IP addresses-
Right
means that that information is not available to the individual blades.
Understood.
The application blades understand application.
Yep.
The DLP blades understands files.
Yep.
The IPS blade understands threats but doesn't understand applications, files, or users.
There are more blades, right?
There are more blades because to do threat protection with Check Point, you have to go into, like, 50 different blades. Well, I'm exaggerating, but you have to go into the anti-bot and antivirus blades and do the same thing.
Anti-spam
anti-spyware.
Yeah.
I mean, you have to go into I don't think we have license here for all the blades, but you have to go into other blades as well and configure the same thing.
Right
It's going to apply system-wide, again, because the core of the product.
Yeah
doesn't understand applications and users.
Got it.
The individual blades don't understand application and users.
What would Check Point have to do to really do what Palo Alto Networks does?
Sell Palo. I don't know. They'll probably, so I mean, realistically, what they have to do is to go and rebuild the product. They have to go and rebuild the core of the product.
Okay.
They have to rebuild the hardware because if you move the concept of applications to the core of the product.
Yes
they now, you have to run the application ID engine all the time, and their hardware cannot support that.
Right.
They have to build new hardware, completely new software-
Yeah
and rebuild all the blades. The issue with that is that some of these blades are theirs.
Yeah.
Some of their blades are OEM.
Yep.
They'll have to go and build a single-pass architecture, which means everything has to come home.
Understood
and be built-
Yeah
from scratch in a single-pass architecture.
Okay. If you can go back to slides, because there's one point you made about the operational efficiency here, and which also, to me, translates into margin or room for error. If we can get the slides back on. This is kind of what you told me, right? There are multiple policies that you have to set, and we took 5 here, right? 5 blades where you need to set policy. Then depending on the blade, right, you can either, like, look at it from an IP address perspective or a user perspective-
Correct
Port protocol or app or content.
Correct. Most blades understand IP and protocol.
Some, not app.
Not all. No, no, IP and protocol.
Yep, yep.
Um, some blade-
Yeah
only one blade understands application, which is the app blade.
Yeah
It doesn't understand anything else.
Yeah, yeah.
You have the content blades, which is the IPS blade, the antivirus blade, and so on.
Yes
that understand, IPs, but they don't understand users.
Yeah
and don't understand, protocols. it's
To operationalize this is extremely hard.
It's not hard. It's impossible.
It's impossible.
I mean, you cannot do what Palo Alto Networks does in the sense that the concept of users and applications are not available for you in all the blades. Even if they were.
Yeah
which is, I think, what you're trying to say.
Yeah
you would still have to go and set at least 5 different policies.
Yeah
Make sure they're all synchronized.
Which is not a given either.
Which is not a given either.
Right.
Make triple espresso every time you push a policy.
This is what it looks like for Palo Alto Networks?
In Palo Alto Networks, as you've seen, there's one policy. All the information is available in that policy, and that policy controls all the aspects of the product. Everything that we can do, you can do based on.
Right
based on app, based on content, and of course, if you really want to, based on IP and ports and protocols.
Nir, at least they're fast, right?
Depending what you try to do with them.
Okay.
They fall fast. The very error that I make.
'Cause I look at this, and it's like, wow, they have some pretty fast boxes.
Yeah, you can see there how fast their boxes are, and but you can see what happens when you turn on things over there.
Nir, my eyes are not quite that good. Which box are we looking at here?
Check Point just announced the 21700. It's their latest platform.
Oh, this one. Yeah.
We can try to zoom into there.
Yeah. I'm 51 years old. I'm sorry I cannot even see it there.
Yeah, let's try to zoom more into this.
Yes.
This is the latest platform that they announced, and this is data sheet information. This is not NSF tested information or anything like that. We know what happens when they are tested with NSF for performance. You can see there are so many numbers on it.
Hold on, Nir. Why would they have lab performance and production performance?
Because lab performance look good.
Okay. That's the 110 Gb number, right?
Yeah. Check Point is selling this as a 110 gigabit firewall. What they mean by lab performance is that if all your traffic is large UDP packets.
Yeah
with a very small set of policies.
Which is what nobody uses.
Nobody uses.
Okay.
This is, by the way, not tested. I mean, this is Check Point.
This is Check Point's labs.
Yeah.
NSS Labs.
Not NSS yet.
Not even NSS Labs.
No, no.
No?
It's too new. It wasn't tested.
Okay.
So a hundred and ten gigabits per second.
Okay.
The other thing they tell you is that in production performance, whatever that means, firewall performance goes down to 25 Gbps, and IPS performance is 4.1 Gbps.
4.1. That 110 just became 4.1.
Correct. You lost more than 90%.
That's IPS.
That's IPS.
What happens when you turn on all these other blades?
Check Point doesn't say that here. On their data sheet, they don't show the other blades.
Right
Used to be on the support site, will tell you is that if, for example, you want to turn on the anti-malware.
Yeah
antivirus blade, performance will go down another 90%. To put it another way, if you go to their configurator-
and you ask to configure a 5 gig, for example.
Yeah
or even a 4 GB anti-malware device
Yep
they don't have a platform for that. They'll tell you, "Our highest end platform doesn't support that.
This is very common for all stateful inspection firewall vendors, isn't it?
Correct. It's not just Check Point. It's all the other stateful inspection vendors.
Yeah.
Fortinet.
Yeah
Juniper, Cisco.
Yeah.
They're all like that.
In fact, if you want to see this, because we don't have the data here. Jonathan Ho, where are you sitting? Jonathan Ho has a brochure with him from Fortinet. He can show you what that 110 gigs becomes in Fortinet and how fast it degrades to next to nothing, right, when you turn these things on. Jonathan is going to be my lovely assistant here, showing the Fortinet numbers. What would you buy from Palo Alto Networks to get about 4.1 IPS?
To get 5 gig IPS, you would buy the PA-5050.
Okay, I can actually.
You can see there.
No, I can't.
Over there.
Yeah.
Over there.
Okay. Can you tell me.
Over there.
Okay.
That.
Okay. That's a 50/50. 5 Gb firewall, App-ID, IPS, what happens when you turn more things on?
When you turn more things on, it stays at 5 gigabit.
Right. Remember, we don't actually turn things on, do we, now?
We don't turn things on. What we do is we sell you a license.
Right
that unlocks-
Right
further functionality. That functionality runs all the time.
Yeah.
The single engine runs all the time, and the license key that you get or that you subscribe to.
Yes
Remember, it's a subscription service, will unlock functionality that will allow you.
Because I keep on hearing.
Use that engine for more things.
Right. I keep on hearing people say, "When you turn things on." Well, there's no such thing as turning on because it's already there.
It's already there. You just get a license, or you ask for us to show you the information.
Right. When you do firewall plus FID plus IPS plus QoS plus antivirus plus URL plus WildFire plus whatever comes out of your mind.
Plus Whatever is next.
Right
you will run at 5 Gbps.
Okay.
NSS verified. I mean, not on this platform, on another platform, but.
Absolutely, yeah.
NSS verified.
Absolutely.
The performance doesn't degrade.
That's on the PA-5020. That's absolutely true. Nir, at least they're cheap, right?
In the way they market their product, they're cheap, yes.
What would that box cost?
From us or from them?
From them. Let's do it the same way.
This is Check Point's online, configurator.
Yeah.
We configured the 21700.
Yeah
to do IPS and other things as well.
Yeah.
I mean, mostly IPS.
$159 thousand.
Yeah, that's the first year cost.
That's the first year cost. With Palo Alto Networks?
$84,000.
Okay.
First year cost. You get much more because you get also the other things that are included in the threat prevention subscription.
Right
that Check Point doesn't provide for free.
Now, again, if you wanna run more, if you wanna enable more of those services, subscribe to them.
Yeah, if you want to enable WildFire.
Yeah
1 hour or 30-minute signatures.
Yeah
you pay another 20% a year off the base price.
Of the base price. Yeah, of the $70,000.
This or of the $70,000 or so.
Right.
You pay another $14,000 a year.
Right.
You just enabled APT.
Yeah, great.
signatures, and performance, of course, does not degrade. Another $14,000 a year, you get URL filtering.
Right.
Performance doesn't degrade.
Doesn't degrade. Fantastic. Good. Well, Nir, thank you so much for the demonstration. Thank you, Frankie. Thank you, Jerish. Thank you, Matt. In conclusion, I think, hopefully, we have shown you that in this case, Check Point does not do what Palo Alto Networks does, right? Despite the claims, right, marketing is easy, right? Product is actually hard. When you see it live, right, it doesn't do what Palo Alto Networks does, right? The argument that it performs better, you saw the management claim. You saw the efficiency of the management platform, right? You saw also the comparison between lab results and real-life results. It's not the same. Finally, the argument that it's also more cost-effective than Palo Alto Networks doesn't hold, right? It's not true that like for like, right, these are the same things.
They may get there through excessive discounting and try to do that. Remember, that's not why people buy network security. They buy it first and foremost for security. The security you saw, right, in this demonstration at Check Point was not at all what Palo Alto Networks delivers. With that, thank you very much. We're going to have a quick break, right? Coffee and snacks are served outside. Before we do that, hold on. Hold on. Right. Before we do that, right, I wanna have a few questions from the audience, so I'll bring both Nir back up and Lee. Right. If you have a question, put up your hand, wait for the microphone, because otherwise the folks on the, on the webcast cannot hear you. Keith Weiss over there can have the first question. Yep.
Excellent. Thank you guys, and thank you for the time this morning. I was wondering, Nir, if you could talk to us a little bit more about the virtualized offering. You've had some of your competitors come out with virtualized offering in the past. Can you talk to us about what you're doing differently, first of all, and then second of all, how you see sort of industry penetration going? Are we at the time when people are starting to deploy these virtualized solutions into their environments?
You want to go after the first half or?
Yeah, I think so, first of all, the core difference is that our virtual firewall is a next-gen firewall. Previous attempts to do this have all started by trying to put stateful inspection into software into the data center, which is probably the most useless thing to do because in the data center, almost all the applications run on just one or two ports anyway. You need to be able to identify the applications. Everything that we talk about applies in the data center. The first difference is the VM-Series is a next-gen firewall. It doesn't leverage stateful inspection. The second thing is, in these virtualized data centers, things are moving from static to dynamic. When you had physical servers with an application, you knew what the IP address was. It didn't change.
You wanted to deploy a new one, it takes weeks to get a new server in with a new IP address, you could have static network security policies. In a virtualized data center, everything's dynamic. One of the capabilities we launched in addition to the VM-Series was the dynamic object capability, where we can actually track movement of VMs dynamically through APIs that integrate into the orchestration layer. VM gets spun up, IP address gets mapped dynamically, policy doesn't change. VM moves, gets a new IP address, we track it. VM gets torn down because you don't need the scale anymore, we remove the IP address. All of that is dynamic as opposed to static, right?
Just to extend on that, the customer problem that this solves is the fact that in the virtualized data center with our competitors, whenever let's say that you need more computing power for database. You flip a button, and you add 10 more database servers. With our competitors, you still have to wait for Saturday night for a window where you're allowed to make firewall changes. It took you a second to add 10 more instances of database, but you have to wait a week for all the approvals to change the firewall policy to actually allow access to those 10 instances.
Right.
Whereas with us, because of our partnership with VMware and because of our ability to integrate into the orchestration system, when you flip the button in the orchestration system, wherever that is, we know about it immediately, and we immediately allow access to those 10 new database servers. Or if you shut down 10 database servers, we immediately block access to those 10 database servers, and that without having to push a new policy and to get all the approvals that involve that, okay? That's the customer benefit.
Wonderful.
Just like that.
Joel, did you have a question?
Yes.
Because I see Maria next to you.
Just to follow up on at the RSA Conference, obviously it was a lot about advanced threat protection. You did a nice job about talking about the offering here. Two interrelated questions. One is, are you saying that with WildFire running on a next-generation firewall that you are as good, if not better, than what FireEye is offering and getting $300,000 for per, you know, instance that they're offering? Interrelated to that is obviously you had a lot of buzz at the booth around WildFire, and I wanted to see if you had any, you know, if there was an uptake since that time on the subscription services since then.
The technology side. If you compare us to FireEye, here are the things that we do that FireEye doesn't do. Some of them are tactical, and some of them are even more important than that, are architectural. What we do, we do across all applications. FireEye can only protect non-encrypted web and email, meaning if the threat comes in via SSL or via an application like SharePoint or Dropbox or Webex or anything else, they don't see it, which is a big issue. That means that their customers have to shut down all applications and only use the internet for non-encrypted web. No more amazon.com for you and no more online shopping or online help for you and email. That's the first difference.
The second difference in us and FireEye is more architectural, and that's on the prevention side. That's the fact that FireEye can't really prevent the threat from coming in. They can detect them. They can tell you about it. To prevent the threat from coming in or detecting them already on the network trying to get out, you have to be everywhere on the network, as I explained in my presentation, okay? You have to be in the small branch office running at a few megabits per second. You have to be in the data center running at tens of gigabits per second. You have to be in between, at the internet edge, at the core of the network, and so on, and they are just not there. More than that, you need to be the IPS for that.
You need to be the anti-malware for that, anti-malware device. You need to be the application device for that, they aren't. Architecturally, if they don't become the next-generation firewall of choice, for the customer, long term, I just don't see them being deployed in the network. They're going to go the same way that the IPS vendors went and the proxy vendors went and the content filtering vendors went. Again, there is a problem to be solved right now. It's being solved. Long term, architecturally, this belongs in the firewall.
Okay. There's another question.
There was also a question about.
We'll answer the sizing and customer acceleration questions in the next QA, Joel, just so you know, because these are not the guys qualified to talk about that, as you know. Okay. There's a question in the, in the middle there. Just wait for the mic, please. Oh, you stole the mic.
Good morning. It's Aaron Schwartz from Jefferies. You guys talked quite a bit about the advantage of not bolting on different technologies and really natively integrating, I guess, a lot of different functionality. Can you talk about how you think about an acquisition strategy longer term, and maybe if you do go down that road, how you would integrate differently than other companies?
I can. Yeah. I think from a technology perspective, not from an M&A perspective. No, of course. From a technology perspective, as I said, we believe that the firewall is the place to enforce things, and the single-pass architecture is the one that's going to actually execute the enforcement. Even when we acquire a technology company, it's probably going to be someone that can detect more things that we cannot detect today. The way you integrate something like that is the actual detection happens in the cloud, so you place their technology in the cloud, and the actual enforcement happens in the single-pass architecture. The integration will be, put their software in the cloud, detect more bad things going through the network, generate signatures based on that, and push them to the single-pass architecture. Okay?
That's how we scale, that's how we integrate different technologies. Frankly, I mean, this is the way we integrated WildFire and other things into our product, okay? I mean, WildFire was not an acquisition. We developed it in-house, but that's the way it worked. We had a group of engineers developing the cloud-based technology and then creating signatures and pushing them to the already existing firewall, which is single-pass architecture. Yeah.
Alan Weinfeld, Rear Front Research. Thanks for coming to New York today. I kind of had a two for one. You claimed that Sourcefire couldn't stop malware. They actually spent about 40 times earnings on a special acquisition that was supposed to have a honeypot that would be their management talked about all the other malware players that this would be freeware, I guess, in 2012, and it would catch fire in 2013. Fires are simple also. I would just like your opinion on if you know about that solution and what's the difference between yours and theirs.
The other thing is at the RSA Conference, you actually were giving out a review from NSS Labs, talking about the 2013 network firewall security value map. Actually, Fortinet FortiGate 800C is the appliance that is the highest enterprise management security effectiveness and TCO per protected Mbps. I'm surprised you haven't mentioned them and just talked about Check Point, which I think, you know, we all realize Check Point has a very low valuation for a reason, and you guys have a very high valuation for the reason you showed on the other side.
I'll take that last question first. You didn't get it from us. I can guarantee you.
I did.
No, no, you did not. You got that from Fortinet or from Check Point, 'cause I don't give out NSS materials. Very importantly, what you see there is classic stateful inspection throughput. This is not throughput with lots of things actually enabled, right, to do the inspection. I will always tell you, if you want a very fast, very cheap traditional firewall, right? Fortinet, right, is the probably the best firewall to get there, right, from the cost perspective. It has ASICs. It has ASICs. It does all that. That's optimized for that. That's not what we do, right? We tend to think of performance with all of these things actively inspecting all the traffic for all the applications, for all the users. That's not what you see on that SVM. That's a very different thing.
That's actually not something that NSS actually tests. That's why, like, we refer to the numbers.
They just make this stuff up?
No, no, no, no. They're not making it up. They're testing for a very specific use case of traditional firewalling, right, with no other inspections than classic firewalling. That's what I'm saying. NSS doesn't make this up. Absolutely not. No. Back to the question about Sourcefire. Sorry. Pardon because that was another question there. Yeah. Without getting into too many details, the product that you're talking about is a desktop product that they give away for free. It's nothing to do with network security. And specifically, Sourcefire is an IPS company. Sourcefire is not an anti-malware company. Customers don't buy anti-malware gateways from Sourcefire. They buy them from Blue Coat, okay? From companies similar to Blue Coat. That's why Sourcefire is not in the business of blocking malware.
That's the point I was trying to make in my presentation.
Sourcefire says they're a next-generation firewall.
Again, I think we showed on the stage here that it's very easy to say things. It's a bit more difficult to do them. Specifically with Sourcefire, we have never, ever seen them in a single firewall deal. We compete them against them as an IPS. We have never seen them as a firewall in a firewall deal. I think it's important to note that building a firewall is not something you wake up one day and just have. Firewalls take a long time and a lot of technology to develop. The inline capabilities, the reliability, the performance, the HA, the networking. There's so many things that go into being an inline device. It takes years, honestly, to get there if you do it well. Yeah.
One more question.
One more question. Greg Dunham. Yeah. That's the last question before we go.
Blake? Yeah.
Switching gears a little bit. You mentioned WildFire, you know, the opportunity in service providers, you know, virtualization. There's a number of different areas where you're putting development dollars. How do you actually allocate in terms of, you know, when you strategize, these are the areas we need to be in and kind of from a philosophical standpoint, what's the best way to approach kind of the opportunity and the threat landscape?
I don't know. It's not if you're asking, like, how do we, you know, do we say, 10% needs to go here and 5% needs to go here? We don't really approach it that way. I think that would be sort of a more traditional approach of new problem, new product. Because the approach is so integrated, we work really closely with customers. I'm always meeting with them. We take their feedback, we understand the problems they're dealing with, and then we take that back and we just work with the engineering team to develop good solutions for it. Often leveraging the existing infrastructure we have in the product, including things like single-pass architecture and things like that, to enable these new capabilities.
We don't really think about it in terms of carving out percentages of resources and applying it that way.
Yeah, I mean, specifically because we can leverage existing technology, for example, if you wanted to build a standalone APT company today, you will need to build actual device. You will need to build an operating system for the device. You'll need to build a management system for the device. You'll need to build reporting and all these other things that we already have. The number of engineers that actually worked on WildFire to get WildFire to be a product was probably a handful, okay? They did it over a year. It's not like we needed a complete set as our APT competitors, because a lot of the technology was already there. They built it, and now they moved on to the next project. Okay, good. At this point, let's break for 10 minutes.
Coffee and snacks are being served outside and be back here in about 10. Okay, thank you very much.
If I please may have your attention. Take your seats. We're going to move on to the go-to-market part of the presentations as well as the results part. I've already introduced myself. The part that I'm going to speak about in this section is our view on market dynamics, what is going on in the market, how does the market view Palo Alto Networks, but also how do we view the market, and the evolution of that, and also take a look at our go-to-market strategy.
There were quite some questions during the break about that. I want to start there, and then Mark Anderson will continue that conversation, because I think it's a good thing that you get the view, right, from both the person who generates the demand as well as the person who then closes that demand and turns that into revenue for the company. There are many ways to look at the market. We chose to look at the addressable market in, I would say, a rather consistent way. Ever since we started to publicly talk to the market about what we believe the opportunity is for Palo Alto Networks, what elements we believe our technology can address, right? We have shown you this picture. You've seen it a few times today. I want to dissect it and look at some of the dynamics.
Introduce you to some of the players that we see and our take on who those players are, what the dynamics are, and then give you our opinion about what we believe, right? The game is and why we believe that we are different in this market. IDC and others, but I refer to IDC here, has sized this market very consistently. There are many ways to look at this, but if you at the bottom, and it's a somewhat traditional way of looking at the market, look at it. There are firewalls. Sometimes they come out as UTMs, but firewalls. There are web gateways, there are threat prevention systems, and there's VPN technology. That is a $10 billion market, growing very nicely over the next few years to $13 billion plus. There's a lot of movement happening inside that market.
A big player here, a very big player, doesn't have 40% market share. There is no such player in this market that has overwhelming market share. In fact, when you look at these markets, the core players are actually somewhat different, right? The strongest player in firewall is not a player, right? A very strong player in things like web gateway. The dynamics, right, would suggest, that this market, even though people are spending money on this, maybe piecemeal today, will start to shift. Let's dive in and look at each of these slices in a little bit more detail. The first slice is in fact the biggest slice, and that is the UTM slice or firewall slice in this market. That slice, right, is characterized by a, first of all, a refresh cycle that is 3-5 years.
These companies, right, That's not the product refresh cycle of these companies, right? Quite the opposite. It is the refresh cycle that enterprises have on these technologies. These technologies are very wired into the infrastructure, right? Especially firewalls. There are 2 very distinct players in this market. There is a large group of traditional legacy stateful inspection-based firewall companies that are based on 19-year-old stateful inspection, right. In order of their size, right, that's Cisco, Check Point, Juniper, and Fortinet in that market. Then there is 1 player, Palo Alto Networks, with a very different core architecture. As we've shown, those architectures are not identical, right. Whether you look at Ciscos or Check Points or Fortinets, right, a UTM, right, example, right, versus a next-generation firewall example, it's not the same.
There are many, many things that those legacy stateful inspection-based technologies cannot do, right, in the firewall. Even if you attach blades for application control, even if you attach blades for other types of functionality, it still doesn't do what Palo Alto Networks does. It took a fundamental re-architecture of the core of the firewall to get to where we are. Shares, right, are shifting rapidly, right. We are the big grower in this market, right. All the others are not. In web gateway, you see a very different landscape, right. Web gateways are characterized by technologies that traditionally were based on proxy-type, right, solutions. Websense, Blue Coat, and to some extent, even Cisco. These companies, right, are in a position today where because of their legacy architecture, right, more times they are being replaced by modern technologies, right.
In the modern category, right, there's Palo Alto Networks and companies like Zscaler. Zscaler does it in the cloud. They have a different approach to solving this problem, right. As you can see, only one vendor, right, is here, right, that was on the previous slide as well, apart from Palo Alto Networks, which is Cisco, right. When we go head to head, right, against a Websense or Blue Coat in these deals, we can win. In fact, we oftentimes win, right. We replace those Blue Coats. We replace those Check Points. We replace those Ciscos for this function, right. It's almost never, if ever, that we see Juniper or Check Point in these kinds of deals. This big chunk of market, right, is not where we would see Check Point, right, or Juniper or Fortinet for that matter. That is already very different.
You go to the next slice in the market, IPS and IDS, right? You have modern vendors, and I would include clearly Sourcefire and FireEye in this market, right? You have legacy vendors, IBM, McAfee, TippingPoint, right? All of whom have been, right, part of acquisition strategies and have lost focus on this market, right. You don't see Check Point in this market as a standalone IPS vendor. When there are IPS projects, right, we run into Sourcefire, right? Not FireEye, but I put FireEye there because I think what will happen, right, in the next few years is that the non-existing APT market, right, because there is no such thing, right.
This market will kind of embrace the APT functionality, and what was known as the traditional IDS, IPS market will evolve to a market that is very threat prevention-centric and will include, right, whatever money gets made, whatever people spend on APT, right? The majority. There may be some other monies being found, right, fundamentally, this market, right, will collapse, right, into this. I don't think there will ever be a completely separate layer because that would suggest, right, that the best way to solve this problem is done outside of the firewall, which we don't believe is true. Not even Sourcefire believes it is true because that's where they're moving, right. They know that they have an interesting solution, but they're in the wrong spot, right. They have to move the firewall to make it operational.
Again, what is very unique is that when there is a pure IPS opportunity, right, we're now the only vendor, right, that can bid on both firewall opportunities, gateway opportunities, and IPS opportunities. There's a sliver that will continue to exist, right, for VPN-ish technologies. When we introduced GlobalProtect, that isn't necessarily a classic kind of VPN. Again, from a modern perspective, there are companies here who are good at this, right, who continue to sell ways to securely get into the corporate network, and that includes Cisco, Juniper, and F5, right. The legacy vendors here are guys like Microsoft and SafeNet, right. The consistent theme throughout all of this is that we believe that we can bid and win, right, very consistently on all of these four slices in the market.
That shows when you look at the relative performance year-over-year of what I call the Big Six, right? The Big Six include Palo Alto Networks, Cisco, Juniper, Check Point, Fortinet, and Sourcefire, right. You can see that Sourcefire and Fortinet have shown very decent performance, right? Very different characteristics, right? Oftentimes, very different markets, right? I would say that very rarely do we run into Fortinet. I always joke that if one of us shows up in the same deal, 90% of the time, one of us is in the wrong deal. Because the use case for Fortinet, right, in the enterprise is typically a very, very big box that does stateful inspection, and we don't sell that only.
It is in an extreme distributed model where in the branch they need a $200 box with ears for Wi-Fi, which we don't have either, right. That would be the situation. Believe us, when we are in that situation, we're in the wrong spot. That's not a use case for us to fulfill yet. You look at the relative performance, and what you see is that other than a pure specialist, Sourcefire, who is the last man standing, so to speak, in that, in that IPS segment, right, the growth isn't there, right. In fact, when you do it on a dollar basis, the last quarter was a very interesting quarter, right? Combined, right, 5 other vendors here, right, made less additional dollars in the last quarter than we did, right, in that same quarter.
You can see the money moving, right. The market shares are shifting. By the argument that I sometimes hear that others are gaining market share, the numbers don't show that, right. If you look at the big guys, right, they're barely growing at market rate, if even that. That would suggest that somebody, right, somebody who shows consistent 50-plus% growth rate is taking market share. The dynamics have changed substantially, right, in the last quarters. The dynamics are also very important, right? Mark showed you a condensed picture of the NQ. The full picture is here. You can see that there are a whole bunch of vendors there, right, that have firewalls but aren't necessarily seeing the traction, right, and the big guys, right, have all moved to the left.
They have a terrible time keeping up with the technology rate of change that we're introducing the market. I wanted to give you a little bit more insight into what is behind this graphic, because the graphic itself is only one dimension. I have to explain something before. There were some questions about, well, there's other opinions in the market. Well, we made the point in the demonstration to talk about what happens in the lab and what happens at customers, right? A lab report is what it is, right? In a lab report, you look at what we sometimes call synthetic data, right? The best they can do, right, with synthetic transactions or synthetic users or synthetic applications or synthetic threats. Then there is what customers actually say about how the product works. Someone like NSS, right, is on the lab side, right?
Someone like Gartner talks to thousands of customers and forms an opinion about whether it actually works. Right? People vote with their money, and you can see that in growth, and people, right, vote their confidence to companies like Gartner, who talk to, they don't talk to us about this process whatsoever, right? They tell us what they are doing. We actually don't have a vote in any of this. We don't go in there and tweak and optimize and change and turn knobs. This is an opinion that they form by speaking to thousands of customers. What do they hear? Well, first on the market. The market, right, looks at quality of features, right? They actually don't think that the quantity is important. That shouldn't be confused with what features do you have. It is how you factor out your features.
In the case of Check Point, as we showed, Check Point, the way Check Point factors out its features is its many blades. 20-plus blades. We say, "Well, they have 20 blades, you only have 4." That's not how you should think about it at all. Because threat prevention or URL filtering, or even the core firewall does so much more. You should really look at the quality of those features, how they work in your environment, rather than whether you have 20 or 27 or 35 blades. That's not at all how you should think about this. The other part is that it still is early days in the move from traditional firewalls to next-generation firewalls.
That is, by the way, less of a technology argument, but as you heard Motorola say, this is more an argument of how do you put that in with the oversight that you need, right? Lee showed that the technical migration actually is not so much the challenge. Right? That's not what's hard. What typically people have to do as well is make sure that the policies that they implement are the right policies, that it is okay with the compliance teams and with the legal teams and with the audit teams. Now, while you're safely enabling these applications, the impact of that has to be understood. What you see, though, is that the install base will rise rapidly to 35%, but more importantly, new purchases will rapidly move, right, in the next 2 years to be next-generation firewalls.
Lastly, they're not gonna buy them from traditional vendors that they bought their switches and routers from. They're gonna buy them from very few specialists, right? Which tells you that the money will disproportionately shift to those who have a true next-generation firewall and no longer come from the leveraged vendors, right, which you would include companies like Cisco. On us, there were some interesting observations as well, right? We moved the needle. Everybody says that they do what we do, right? Because we do what we do. Right? They cause them to react, right? To be honest, in the last 5 years, I don't think anybody has announced ahead of us, has done anything in their firewall or in their product ahead of us. Very different.
We do it because the design at the core was different. That allows us to displace traditional competitors. This argument is made over and over again. Are you just helping another competitor, or are you displacing competitors? Gartner believes, by talking to customers, that we displace. The customers you've seen today displace, we'll come back to that in a second. Finally, right, what we do is different. It's not just a little bit better, it is very much different from what others do. Okay, how do we move this to the market? Our model has been very consistent for the last 5 years. Right? We go through 2-tier distribution.
We build a channel to move the product, right, to the end customers, to augment our ability to reach those end customers and to properly service those end customers after they've done the purchase. We always start with going directly to the end customer as far as the storytelling is concerned. When we tell the story, the end users, get it from us. We tell that story, we do it in many, many ways, but we raise the demand, for that product. In parallel, we build the channel organization, so they can do this. We enable, so we recruit, enable, and then optimize the channel partners involved, both distribution partners as well as resellers.
Both of these add value to what we do in terms of services, in terms of presence, in terms of all kinds of skills that we don't necessarily want to put in front of the customer. We believe that our partners are better suited and more trusted to do that, right? Mark. Clearly, our market, our resellers will also go to those customers, and we do that in a co-op model, where we jointly execute on the demand. When we sell, right, the predominant way, of course, the only way that we sell is through that channel. In other words, 100% out of our business flows this way. It comes, right, generates the demand, it flows back from us through the channel. Right? No stocking, no funny deals. Right?
It is all clean as a clock, where the customer, right, picks the value-added reseller, the value reseller picks the distributor, right, and we transact. Right? We have channel account managers to work with these distribution partners, and of course, we augment our own high-touch sales force, right, with the sales force of our channel partners. Right? We don't take those deals directly. It's not because we have people in the field that we then get greedy and pick deals off of the table. No. Every one of those deals 100% flows back through the channel. This model has been implemented globally. We've run it for many years, and what it gives us is visibility, right, into pipeline development, right? Very importantly, it gives us great predictability, right, of our business.
The way it works, right, the way we transact in this model with deal registration and automation, that gives us very good insight into where we stand on demand, where we stand on recruitment, and so forth. I specifically highlighted here our strategy with VARs and resellers. That was the model that got us to where we are. More and more, our customers also tell us that they truly wanna engage, right, through service providers and systems integrators. After me, Mark will come up and talk a little bit more about those relationships. They're somewhat different. They're not necessarily the pure security VARs that you know so well. We also believe that the market dynamics are such that our customers, especially the larger ones, wanna be serviced by people, right, in the category of service providers and systems integrators.
This model has worked well for us, right? It's a model, again, of quality, not quantity, right? Our 900-ish channel partners, right, that growth hasn't been excessive because we believe that the best way to make our customers successful is by having high-quality resellers and distributors in place. All of them augment what we do. They don't just push boxes or sell through. These are people who are involved on a daily basis with our customers. We provide benefits, right, based on their commitment and based on their performance, right? In terms of deal registration, margin, multi-year protection, and so forth, right? We're very demanding in terms of accreditation, certification, and so forth. Unlike, right, partner or partner ecosystems of thousands and thousands and thousands of resellers, right, we don't believe that it's the right thing to do for the enterprise customers that we serve.
We believe that they benefit from specialists and from people who are committed to services. Okay. Now, I wanna end my section 2, 'cause after all, I am the marketing guy. Oh.
A little technical glitch or just that.
Okay. Yep. It is kind of the fact or fiction part of every presentation. Fact or fiction, that always comes down to whether something that is being claimed is true or not. The first fact is you can't keep growing your customer count like that. Like, where does all these people? Can you sustain it, right? Have you done it? How have you done that? Well, first of all, clearly, we have done it, right? We have consistently grown our end customer count, right, to a very, very advanced level. 1,000 plus in the last 5 quarters each, right? That helps us with one part of our strategy, the land strategy, right, that Mark referred to.
Landing 1,000+ customers allows something equally or even more valuable to the customer, which is then to expand and extend that footprint in those 10,000 customers, right, by repeat buying of our technologies for different parts of the network or for different security functions. While we're very proud of this, right, you shouldn't just look at it this way. Clearly, because of our expansion, because of the attraction in the market, more and more so have we been able to attract these customers. We're still in early days in some of the markets that we operate, right? China and India and Russia. Where there are, by the way, very big companies, very large enterprises in desperate need of good network security. There's also a question of, well, You've picked the low-hanging fruit, right?
All the easy ones, right? The guys who were very disappointed with old technologies, those are the guys that you displaced. That would suggest, right, that two things. It would, first of all, suggest that what we do is a one-off, right? The customer buys one thing, and then they're done buying from us. It also would suggest that we've done so with small customers, right? Not necessarily the big enterprises on the planet. Let's look at that claim as well. What it takes to become a top 25 customer, right, has grown substantially in the last 5 quarters, right?
You look at the movement of this bar from only a very short time ago to now, and you can see that that bar has moved up substantially from less than $1.6 million to more than $2.8 million, right? That number, right, when we were on the IPO roadshow, which is only seven, eight months ago, right, was in that one point, so almost $2 million range, right? Even in that short period of time, you can see how much that has grown. That certainly wouldn't suggest, right, that people, right, are selling us low-hanging fruit, that we're picking low-hanging fruit, right? This means, this points to an infrastructure type of transactions with these companies. We also, at the time of the roadshow, right, started to share with you the repeat buying behavior of these large customers, right?
What you can see is that this actually has evolved, right. Only at the time of the IPO, again, 7, 8 months ago, right, was that number 3x, right. Sorry, that number there was 8x of the top 25. That was 8x. It is now 11.4x, right. They bought 11.4x what they started out with. They keep on expanding and extending, right, their purchases with us. That's not low-hanging fruit. That means, right, becoming more and more part of the infrastructure. Similarly, across all customers, right, the number that was 3 at the time of the IPO roadshow is now 4.6. Grows substantially. This is repeat buying across all of our customers. Even for the average customer, this metric has gone up substantially, right.
You keep on seeing them buying and buying and buying, right, in each subsequent quarter. Of course, then, well, yeah, but big companies don't use you, right? Now, I'm gonna say something that you shouldn't take personal, Mark Anderson, right? Without a lot of effort, 'cause Mark only joined us right about eight, nine months ago. Without a lot of effort, right, we actually have already seen tremendous growth in the world's largest customers. Mark will explain to you how much of an emphasis that is in his organization, right? Today, right, we service 500 of those Global 2000 customers, right? Very, very good growth year-over-year, right? Which means that, A, there is lots of headroom left, right, in that market with focus that Mark is putting in place, right?
That is both on the count but also the penetration in those existing 500. You look at what we've actually sold to those guys in the last few years, right, we may be 10%, 15% penetrated in their networks, right, which would suggest that we have both an opportunity to get more Global 2000s, but also more from those customers. Okay. There is a claim that we're only succeeding in a few verticals. I sometimes hear this on earnings calls where, yeah, we see them in 1 or 2 verticals, but never in all of them. I wanna reiterate that our model is such that we have a very wide distribution, both on the customer side as well as on the vertical side, right?
No single customer accounts for more than 10% of our revenues, the end customers, and no industry accounts for more than 15% of our revenues, even in any given quarter, right? Even in what is traditionally a Fed quarter, right, or a Japan quarter or whatever it is, right, it's never more than 15%, which tells you that, first of all, we're diversified, and when you look at the industries we service, it's very, very broad. The last two I wanna cover are the ones that really go to my heart because this is what I always hear from you guys and from everybody else. You're not deployed at the firewall. Somehow you made all this money and all these customers not being deployed at the firewall.
I don't know of anybody else who has done that in the past, but supposedly, we are the first that gets all this money without being deployed as a firewall. Only 7, 8 months ago, we gave you a statistic where we said that we believe that at that point, about 50% of our customers had deployed us as primary firewall, and about 50%, right, percent of the new deals that we were involved in were for primary firewall. These numbers that we will update you once a year in an event like this, right, we'll update you today on what we believe they are, right, based on our analysis out of our deals, our customers, and so forth.
More than 75% of new customers in FY 2013, the last 6 months of selling, right, 75%, right, have chosen us as the primary firewall. These are deals in which we replace an existing traditional firewall in the primary position, in the data center, in the perimeter, in the extended enterprise, which then yields a number of more than 60% of all our customers, right, who have now put us, right, in place as a primary firewall. There's a claim that, well, yeah, that may be true, but we never lose against you. You never win in competitive deals, right? You get this from somebody else, not us, right? Which also isn't necessarily supported by the data, looking at the growth numbers of others, but it's another important data point.
I've always said that we do very well when we get the opportunity to get the product tested, right? The way we want to update a number to you is that when we do a technical evaluation of our product, right, our win rates are best in class. We win more than 85% of deals, right, after we've done a technical evaluation. Our box was on the network. We've delivered the application visibility and risk report, right, and the customer, right, knows that what our technology does versus what other technologies do. With that, I'd like to thank you very much. Mark, please come up. Thank you. Give me 2 seconds to set the slides. Yep.
Good morning, folks. Thank you so much for taking your time to listen to us this morning. My name is Mark Anderson. I manage the worldwide field operations team here at Palo Alto Networks. You know, I've seen a lot of faces here before in my previous lives, and some of you have asked me, you know, why did I leave a good company like F5 to join Palo Alto Networks here nine months ago. And for me, I think it was really simple and basic. First of all, I love the size that we are right now. When I joined F5 back in 2004, we were a little smaller, but we grew really quickly over the next eight years, and I really loved that ride.
It's a really fun ride, especially like F5 had and like we have today, when you have disruptive technology leadership. It's fun to win. Second thing is the market here, it's massive. We've heard $10 billion, $13 billion by 2016. It's a huge market. We have less than 5% market share, and we're competing against some good companies that have 20% or more market share, three of them, in fact. When you have that disruptive technology leadership, it's good to go up against companies and take share from them. That's also very much fun. Really the third thing is the team that I get to work with. I get the privilege of meeting Nir before I joined, and how can you not be inspired by a badass, cool CTO like Nir?
Mark McLaughlin, an amazing CEO and leader, and really the entire leadership team is really humbling to work with. I'm really psyched to be here, and I'm excited to talk to you today about, first of all, what I've seen in the first nine months since being here. You know, the things that we're doing to exploit and take advantage of that technology leadership in the market by growing our focus, growing our footprint. Finally, you're gonna hear some real examples about customers. I'm not gonna talk about fiction. What we do in the field every day is fact. We're with customers, and we're doing deals that put money on pieces of paper that you guys like to evaluate on us, and I love to talk about that because I love to meet with customers.
First, let me talk a little bit more about the land, expand, and extend strategy that you've heard about. You know, for us, landing means we put an enabled, trained sales team, subject matter experts, this high-touch sales team that we have that we're growing, we put them in front of a customer, partnered up with a partner, a security VAR, MSSP or a systems integrator, and we tell our story, the story that you heard Nir and Lee and Mark tell this morning. It's a very compelling story about differentiation, about how we do things differently. We show up, as you just heard Rene talk about, we put our network in a proof of concept mode. We connect it offline on a tap port into their network, we blow their minds.
We come back a week later with an application visibility report, and we show them what's going on in their network today, things that they said weren't happening. We're not enabling Facebook. We're blocking BitTorrent. 25% of our network traffic is not video, like YouTube and other nefarious video applications. It really blows their mind, and that's a really fun thing to do. As you heard Rene just say, when we do that, we win 85% of the time. That's non-trivial. That's technology leadership, and that's fun to win like that. Of course, we expand. We typically get in an initial deal, and we win in one corner of the network. They wanna prove out all the great things that they've heard about Palo Alto Networks from their friends in security. We expand that into other areas.
You know, there's 4 major use cases, but there's dozens or hundreds of different places in an enterprise network that we can sell these use cases. We expand into those, we continue to leverage our relevance and our performance and execution in that customer. Of course, we extend by selling more features. Maybe we got in as an IPS, as we have with one of our largest customers, that's a big, a real big tier 1 bank here in New York, that we only have about 15% market share, and it's just IPS today. We've got a lot of room to extend there. We can sell them WildFire. We can sell them URL filtering in our innovative business model that sells these as a subscription, not just as features. We're winning 85% of the time.
Well, what the heck is happening to the competition? Well, they're facing the traditional innovator's dilemma. Of course, they can't change. They can't wind down their current cash generation machine by selling extensions to compete against us. They have to continue to try to surround themselves with the firewall helpers that you've learned about today. That gives us the opportunity to go in and talk about massive differentiation. Our competitors are resulting to some things that, you know, if I were in their position, I'd probably do the same thing. They're dropping their drawers on price. They're trying to find places where we don't play. You know, we've got some good competitors, some good companies like Check Point, Cisco, Juniper, and others. Cisco's always gonna get 20% market share because they're Cisco.
When we show up and compete against them, we win based on technology leadership and scalability. We do it against all of them at a pretty alarming rate. What are we doing? Obviously beating our competition is not the challenge. We're doing it every day. It's showing up. What are we doing to get more at-bats, if you will, to get up to more places? We're not just that annoying little competitor that you read about in the trade rags. We're scratching the surface last quarter of a half a billion dollar run rate in billings. That's pretty significant. I think, as I think you'll hear Stefan say, we're growing ourselves more than the rest of the market is combined. That's a fun market to be in.
It's fun to be in sales from that perspective. What are we doing to build out the team, build out the footprint? Let me talk a little bit about the team that existed back in 2010. It was a great team, but it was a small team. It's subject matter expert reps, SEs scattered around the world, really just covering just a few of the NFL cities in the U.S., nothing in LATAM, nobody in India, nobody in China, a few people down in Australia, and then a few of the major cities in EMEA with a small but highly skilled team. If you just take a look here, 3 years later, we've really fleshed out the footprint by attracting world-class people that are experts at selling security that wanna come to a place like Palo Alto Networks.
They wanna come here to win with technology disruption because it's fun. You can see we've really invested aggressively, not just in EMEA by going east and west. All across APAC, I visited Singapore a few weeks ago. We headquarter out of Singapore. We've got a really good team there. New leader for APAC that's doing a terrific job. He's building out the team up and down across the entire theater. We have a very good team in Japan as well. The gentleman that runs EMEA for us is continuing to expand in the major cities. We're still really just scratching the surface as we build out our footprint. Now let me give you a few examples of that. Before 2013, we just had 2 sales teams in Chicago. Now there's 5.
We had 1 person in India. I think there's more than 1 billion people in India, today we have 3 teams there, and we're investing aggressively. We'll announce the beginning of next month, a new leader that's gonna really provide us some aggressive scale there. We're also aggressively investing in China. It's a part of the world that we didn't have focus in before, it's a large country. We need teams in all of the key geographic areas. There's some verticals there that we're allowed to sell into, banking, telco, and they spend a lot of money. We had 4 teams in California, where our headquarters is, and today there's 3 different districts that have people in California selling into service providers, large enterprise and commercial enterprise.
Now London, one of the most populous cities in the world, certainly in EMEA, we've got six teams there today that are selling to large and commercial customers. We really didn't have, as Rene Bonvanie may have mentioned earlier, we really didn't have a lot of sales resources focused on the channel. That was all placed back in marketing. Today, we're building out a channel account organization that's focused on enabling these partners and helping us get into new partners and get into, you know, larger leverage opportunities. Before 2013, we had two major account managers doing a really good job, but two is a small number. Right now, we have 32, and I'll talk a lot more about that in a few slides. You know, we're not doing anything that's rocket science here.
We're salespeople. We gotta keep it very simple, keep our knuckles from dragging off, keep our knuckles off the ground. We're following a proven model to productivity, and it's a model that I learned back in the 1990s at Cisco, and certainly that I leveraged at F5 throughout the last 8 years. For me, it always starts with the center of the universe, as much as I hate to say this to Account Managers because they tend to have large egos. It starts with the Account Manager. That person is the center of the universe. They're the CEO of their territory. Whether it's a list of accounts, as a Major Account Manager or a Global Account Manager, or whether it's a Regional Sales Manager that covers a geography, they need resources to be productive. We give them resources.
We give them an SE, a dedicated SE for every account manager in the world, at least 1. There's 1 sales rep here in New York that has 2, but that's a different story. The SE team we have here is amazing. It is a technical sale. We have to show technology differentiation. This SE team, I would put them up against any SE team in the world. I inherited a great 1, 9 months ago, and we're really building aggressively into this team. We need to. Customers love our SEs. For every account manager, there's half of an inside salesperson. We have inside salespeople in Europe, across Europe, excuse me, in Asia Pac, and a large team here in the U.S., in Plano and in Santa Clara. The inside sales focus does a lot of things.
They take the leads that are cranked out by Rene's marketing machine and process them into qualified opportunities and really act as the tip of the arrow when it comes to going to the customer, talking with partners. Play a really valuable role. They actually reduce our overall cost of sale a little bit, but they actually improve our productivity for that account manager in a dramatic way. Of course, we're building out this channel team I'll talk about in a few slides. The channel team that's gonna help make our channel partners smarter and more able to sell our technology and tell the story that we're talking about today.
Of course, around all of this, we have to have the sales operations team that provides us with the infrastructure, the tools, the enablement to make all of us productive, not just inside the company, but outside the company, to partners, distributors that are gonna be selling and representing and supporting our technology. We have an amazing sales operations team that we're aggressively building out because we need to provide, we need to provide tools not only for people to manage their accounts and build sales plans and get better and smarter, but also to managers to look at analytics about ability to forecast so that we can forecast accurately. You know, really trying to build a discipline in this team now that we're a publicly traded company of kind of a commit culture, I like to call it.
Every Monday morning, an account manager sits down with their first-level manager all around the world and commits their business for that week. Here's my commit for the week. Here's what happened last week relative to my commit for last week. I'm gonna validate my commit for the month. I'm gonna validate or update my commit for the quarter. It happens every week. There's laser-like focus in on this, and this allows us to manage our investments. If we see our linearity go a little better, we crank up our investments. If we see it slow down, we take a pause and have a look. Thankfully, it's only been the former.
Finally, we have a global customer service organization, you're going to hear from Brett in a few minutes, that really supports all of us, our partners, our customers, our distributors in a world-class way and in an incredibly impressive way, and you'll get a lot more details on that. Let me talk a little bit about the focus that we're applying to global and major accounts. I mentioned geographically focused regional sales managers. They still exist here today. They've got a geography, a patch of dirt that they manage, that doesn't include the list of major accounts. There's still tons of large opportunities. Couple of weeks ago, we did a half a million dollar deal at a community college in Toronto. That was in a regional sales manager territory.
Starting August 1st, we bifurcated the sales organization to add the title of major account manager and global account manager. They typically have, you know, anywhere from 6 to 25 accounts around the world. By the end of this year, there'll be 40 major account managers around the world, primarily in EMEA and in the Americas. We'll be rolling this out, excuse me, and Japan. We'll be rolling this out in APAC probably by the end of this year and the beginning of next year. It really helps us drive focus to these major accounts because we're competing against companies that are much larger than us. We're competing for wallet share against giant companies like IBM and HP, and we really need to have a discipline and a focus. We actually created that discipline and focus ourselves.
We got together early on when I joined with folks from marketing, from sales operations, from product management, and created a strategy to go after major accounts and build sales plans that engage resources. Resources like the ones I mentioned earlier, but resources like executives, like Lee, like Nir, when it's appropriate, to go into customers and tell the story and blow them away with our technology differentiation. We're really very focused on executing here. We think, based on my experience, there's tremendous amount of leverage to get out of these major accounts that we're already seeing and certainly in the future. The other thing I talked about is investing in channels. You know, I'm really proud of the development that we've done so far.
Before 2013, it was again, primarily in the marketing organization, focusing on enablement, certification, and investing market development funds. There was a minimal investment in sales resources. I think we had 2 CAMs in the U.S. I think we had 2 CAMs in EMEA and maybe 1 in Australia. Starting August 1st, we hired somebody to run the Americas, a leader, really great background from Cisco and IronPort. We hired a person in EMEA, again, really good background, and they're getting busy hiring people. We're gonna go from, you know, less than 10 to 25 today, and we'll continue to invest in that in the future because building scale with our partners by teaching them how to sell our solutions is a great leverage opportunity for us.
We're also surgically recruiting additional VARs, systems integrators, and MSSPs, and I'll talk a little bit about that more right now. you know, let's think about what a managed service provider or a systems integrator does for us, you know, and for their customers. They provide outsourced services for people that don't wanna own their own infrastructure. They might provide just, you know, 10 years ago, they might have just provided circuits. Today, they're providing just clean circuits that have security solutions added to them. They're the trusted advisor. They're typically large companies like Verizon or AT&T, and they have great relationships that span many years, and in many cases, millions of dollars a month. The program facilitates, you know, solutions like monitoring, managing, either remotely or on-premise, and other value-added services that these customers are paying premium dollars for.
It also feels a little more comfortable for some, especially larger customers, to ease in some of the next generation firewall features and ease out some of the legacy, you know, stateful inspection firewall technology that they use. This is a ripe market for us to go after. Between Chad Kinzelberg, our head of business development and his team and our channels team, we're very, you know, laser-like focused on going after these partners. I'll talk about that in a little more. You know, Rene talked about this. We've got our direct touch, subject matter expert sales team selling through distribution partners, in many cases, value-added distribution partners that provide tier 1, tier 2 support. Traditionally, in the past, they've sold to VARs.
I mean, great VARs like FishNet, Accuvant, you know, large, either regionals or super regionals that cover a geography, in some cases, with hundreds of reps. These companies have been great partners for us. They will continue to be great partners for us in the future. Based on my experience, they'll grow at or above the clip of rate that we're gonna be growing because customers need security expertise like this. As I mentioned, we're also spending a lot of time with service providers and systems integrators to give us the scale and leverage to go after that end customer in broader numbers. We have 11,000 something customers today. To continue to cover them, we can't invest in the expensive direct touch only model for sales.
We're really doing both and really trying to manage the investments wisely. Just a few names of the people that we partner with today. They're not mom-and-pop shops that you might have heard some of our competitors tell you about us. We're working with IBM, who is reselling and doing managed services today with their customers and our customers. Companies like AT&T and Verizon with their national and global footprints are providing managed services for us today. NTT Communications out of Japan, a huge customer, either both directly and through the managed service offerings that they provide. As Mark, I think, said first thing this morning, this is a vertical for us that represents multiple opportunities. The sell-to opportunities because they're huge enterprises with, in some cases, tens of thousands of employees.
The sell-through opportunity because they're large channels as well. We want them to be our channel, but also selling to in a managed service environment where we've leveraged the technology that Lee and Nir and Rajiv have developed that can be shared with multiple customers or dedicated to customers and managed in a way that no one can compete with us. There's lots of customers that wanna buy next-generation managed service solutions, and they can only buy it through these partners with Palo Alto Networks because our competitors are stuck in that innovator's dilemma world of, you know, old, bloated, stateful inspection firewall technology and the surrounding firewall helpers. I wanna talk a little bit more deeply about Integralis. For those of you that may not know who they are, they're a division of NTT, acquired a few years ago.
A great company with a global footprint. They're really becoming the security, the security SI for the NTT group of companies and the NTT global footprint, and they're a great partner. They've got a great sales team around the world. Simon Church, the CEO, I've done business with him previously. They make a great partner for us, and they're going all in in their investment with Palo Alto. They, you might know them as one of Check Point's largest resellers in EMEA, and they're able to do business with both Check Point and Palo Alto. I think what you'll see, the business that we've done with them today and the business that we'll do with them in the future will be substantial, and it's gonna help us and it's gonna hurt our competitors.
I want to talk about some real-life customer examples here as I close out. I'll sort of just go back to our go-to-market. Landing, as you hopefully now know, can mean our sales teams touch a customer and sell a solution, or it could also mean Integralis sells a managed service solution. Together with our partners, we go and look for expansion opportunities and extension opportunities. With that framework, let's talk about some real examples. First 1, large media company in the U.K. The use case was protecting online content management system as they started to roll out their services on iPads and iPhones and other devices other than televisions. Key differentiators for us, it was a long technology bake-off.
They invested $20,000 for a test system in one of their smaller markets for us a year ago. They worked with us for a year to test our capabilities because they wanted to see it in equipment that they owned, running in production environments that they owned, and we proved it to them. One of our legacy competitors wasn't very happy when we pulled out a $2.9 million opportunity for some of our largest devices across their entire network. It was a huge expand deal for us, and it was a great example of staying focused with a major account, with the kind of coverage model and a partner, a large systems integrator, that gave us the span of the relationship that made this deal happen in the end.
We also have opportunities over the next 2 years to continue to build out the footprint as their business scaling to iPads and iPhones continues to grow. A large global carrier based in Japan, a next-generation service offering with our mid-size PA-5000 Series and our largest PA-5000 Series in data centers today in Japan and the U.S., and in the future it's going to be across the data centers that they have all around the world. Differentiators here, they really embrace the technology and are actively promoting the next generation of features on our firewall network firewall technology to their customers as a managed service.
They have been a customer in some of their entities in Japan directly, using our equipment to safely enable applications, but we expanded with an $800,000 deal with our largest system here just recently in a really nice expansion opportunity. We believe there's millions of dollars to go after just in this use case alone. Of course, continuing to replace the legacy Check Point equipment that they have in their enterprise represents a great opportunity. We've built a team to go after this customer around the world, both from a marketing standpoint and from a sales standpoint, to cover them as a global account. A large financial services company in the United States.
This one I love because, you know, we did a quick land deal for $75,000 as they started to, again, play with our technology. In an example like Renee showed about how customers increase their long-term value spend with us over time, most recently in a new data center that they built out, they spent almost $900,000 with us, $840,000. This is a very conservative customer based in the Midwest that has, you know, long legacy relationships with companies like Cisco and others. In this case, again, we competed against Check Point. They dropped their prices. The customer still went with us because of the massive technology differentiation.
This is one-sixth of the opportunity that exists at this large company over the next two years, so lots of expansion opportunity here as well. A large re-retirement fund based in Australia. It's a brand-new customer for us, a land deal. It did take us a year to convince them, but it was a huge win. I don't wanna give you the impression that all of our sales campaigns take a long time. In many cases, in many of our especially commercial territories, 50% of the business that a sales rep will sell will be found and closed in the same quarter. In this case, this was a very conservative customer that we applied a multi-tier campaign to win.
In fact, the customer, visited our booth a couple of weeks ago at RSA, and brought the partner and a large systems integrator with them, to, you know, and had a meeting with me right in our booth while Nir was in the background screaming on stage about how great our technology is. The customer went to great details to say how impressed they were with our persistence and our technology differentiation. These guys have 2,000 remote offices. That's the next phase for us. A tremendous expansion opportunity. Large shipmaker here in the U.S., again, a brand-new customer that did a couple of months worth of testing and did a land deal for us for $1.3 million.
Real competition here from everybody, but at the end of the day, based on the customer's buying criteria, they couldn't compete with us on scale and on price. We have the opportunity in this huge account for becoming the primary firewall, which will represent millions of dollars of opportunity. In conclusion, I want you to know that we're responsibly maturing and aggressively investing into our go-to-market to get in front of more customers, get more at bats. Unlike anything I've ever seen before, and I think I've worked for some really good companies, we're attracting world-class talent at an amazing rate. I mean, I see LinkedIn requests and resumes come across my desk every day from people that, you know, I don't think we would've ever attracted even a year or two ago.
We're very, very focused on driving productivity in the field fast. We realize that getting an account manager and that ecosystem of resource around them to be productive and be productive fast is really important, so we're investing in enabling tools like a learning management system. We're investing in training methodologies that aren't just show up and throw up with PowerPoint like I'm doing right now. We're really focused on not only making our salespeople and sales resources more productive, but also our partners. They're also focused on being the very best next-generation partner. As I mentioned, it's a fun place to be. It's fun to leverage technology leadership, and it's really fun to win.
I think when you get the opportunities that we do with our customers, to be in line in security, devices around their networks, to be a single point of failure, you can't take that lightly. To do this, you've got to provide a total customer solution. One of the reasons that when Mark hired me, he combined the focus of sales and post-sales customer support was to really provide a unified face to the customer here at Worldwide Field Operations to really have a very elegant handoff between the pre and the post-sales environment. I'm gonna call Brett Eldridge up on stage, who's the VP of our global customer support organization. He's done a tremendous job building this organization from the ground up over the last 3, 4 years.
I think in the last year, we've almost doubled the size of the team to accommodate the demand from our customers. Please welcome Brett Eldridge.
Thanks, Mark. Thank you everybody for your time this morning. As Mark said, my name is Brett Eldridge. I run the global customer services team at Palo Alto Networks, I'm just gonna spend a few minutes giving you some insight into the strategy of our support organization and some customer stat scores and where we're going. First, this really ties into what Mark and the company is trying to do around expand and extend. We know for a fact that customers that are happy with, you know, the buying experience with Palo Alto and with support buy more product. They buy it faster. Our mission is to be the strategic differentiator for Palo Alto Networks by ensuring customer success, satisfaction, and loyalty. In order to do that, we really have three main strategies we adhere to.
The first is enterprise-grade services and support. What does that mean? That means that we have an organization that can successfully help our customers, our large enterprise customers, deploy the product and maintain it. World-class online experience. We've made significant investments to building our online systems, both for automation and for our customers to have access to key information. Third is global scalability. Obviously, we sell to customers that are all over the globe, multinational corporations, and we really need to be able to support them no matter where they are. There's something that's very unique about Palo Alto Networks, and I don't think you'll find this at any other vendor of our size. As Mark mentioned, we have a unified technical organization in the company. There's not siloed organizations between pre-sales and post-sales.
The end effect of that is that customers get a much better experience with our technical organization. Our SEs work very closely with our support engineers. We've got cross-training that goes on. Our professional services engineering get a smooth handoff from pre-sales. These teams really act as a unified team to our customers, and they're much happier with that approach. Speaking of customer satisfaction, I just wanted to give you a few statistics to give you an idea of how satisfied our customers are. We measure it in a few different ways. These are just 2 of them. This data's from the 1st half of our fiscal year.
On average, if you look across all of our customers, on average, they give us a score of 8.8 on a scale of 1 to 10. That's a really amazing result, especially when we're growing the company and our customers as fast as we are. The second statistic is 86% of our top customers, our largest customers, rate us an 8, 9, or 10. That really is a world-class result for a customer support organization, especially when you consider that we're selling to extremely large customers that are globally distributed. I also thought I'd give you just a couple quotes. I picked these 2 for specific reasons. The first one really shows you that the engineers we hire into the support organization are really talented engineers that have a broad base of skills in addition to Palo Alto Networks skills.
When a customer calls up and they get an engineer on the phone, which is usually less than a minute, that engineer can immediately start troubleshooting, and they have a knowledge of other products in their network. The second one shows the length to which we go to support our customers, and it really highlights why this approach is different. You know, we hear all the time that customers are really satisfied with our support because they are really good engineers. It's not a fact or fiction slide, but I can tell you that I've heard in the past that Palo Alto Networks, you know, support isn't scaled. It's completely fiction. I can guarantee it. We've got support in seven locations. Kinda the size of the dot gives you an idea of the scale of the organization there.
We currently obviously are 24 by 7 by 365 all around the globe, follow the sun. We don't plan on expanding into new physical locations. We will be building the organization and scaling it out to support all the new customers we're bringing on in these current locations. The last thing I wanted to cover is what are we doing in the organization to gain leverage? Obviously, everybody in this room wants to hear about that. There's three primary areas where we've been doing this, and we're gonna continue doing it. The first is customer self-service. As I said, key strategy is a world-class online experience, and that ties directly into this. This means that customers, any time of day, any time they want, can get easy access to a lot of content.
That content includes self-training videos, exams you can take online, knowledge-based discussions. We've built an amazing infrastructure for customers to do that, and the end result is they open fewer cases with us. The second area is automation. It's something that Palo Alto does in all different departments, and we take it to heart in support. Instead of hiring what most people do, which is a bank of people to answer the phone to triage a case, we build automation into that. Instead of having 30 people answering phones, when somebody calls up, we know who they are, and we know how to route their case and who to route it to. It happens automatically, which is why they get directly to an engineer. Again, the end result of all that automation is you save on people costs.
The last approach is obviously through partners. We work extremely closely with one partner and one partner only worldwide, and they help us build flexibility and scalability into the organization. At the same time, we get to reduce costs and ensure very high customer satisfaction scores. I just wanted to give you a little bit of insight into our customer support organization. You've heard me talk about our satisfied customers. You've heard Mark talk about our satisfied customers. I thought it would be great if you could hear from two of our actual customers.
Good morning, everyone. I'm Chad Kinzelberg, and I'm genuinely excited to share our technology partnership strategy with you. Our partnerships span a variety of categories and vary in nature. We have some basic technology integration partnerships. Usually, they're done to satisfy customer requests or overcome buying objections. Over the past year or so, we've really focused on cultivating strategic partnerships with a select number of vendors. These strategic partnerships hold the potential to broaden our appeal to a lot of customers, to extend our competitive advantage, and to broaden our distribution. If you think about strategic partnerships and tactical partnerships, we're trying to do all of these things to deliver better solutions for our customers. Our goals are to facilitate customer acquisition and increase customer satisfaction. Quite simply, we engage in these partnerships to drive revenue, not issue press releases.
I like to say, "POs trump PR," that mantra really governs over our day-to-day business development activities. When we look at where we sit in the ecosystem, our partnerships really fall into five different categories. Those five categories are networking, mobility, big data and security analytics, enterprise security, and virtualization and SDN. I'd like to briefly describe our initiatives in all five of these categories and also have some executives from our strategic partners comment on our collaboration. Let's start with networking. Firewalls are really at the intersection of networking and security. Networking vendors tend to have really strong relationships with their customers just because networking is so central to IT strategy. By partnering with the networking players, we really gain leverage into a lot of accounts. Citrix is a great example of that. There's tremendous synergy between Citrix and Palo Alto Networks.
We're focused on safely enabling applications, Citrix is focused on optimizing performance for those same applications. Together, we've delivered a new application-centric network architecture that better suits customer needs. Most importantly, Citrix has done a great job at penetrating large accounts. 99% of Fortune 500 companies are Citrix customers, so gaining their endorsement and integrating with their products carries a lot of weight with some of the largest customers in the world. Here's Sunil Potti of Citrix commenting on our partnership.
Hi, my name is Sunil Potti. I'm the General Manager and Vice President of the NetScaler business at Citrix. Citrix is the cloud computing company that enables mobile work styles by empowering people to work and collaborate from anywhere as if they were working right out of the office. With the advent of the mobile cloud era, we recognize the need to deliver comprehensive enterprise solutions that combine application delivery along with the secure and safe enablement of any application from any device. Citrix and Palo Alto Networks have come together to address these needs and have forged a long-term strategic partnership to deliver better solutions for enterprises that want secure, scalable and highly optimized access to mobile and cloud services. Palo Alto Networks provides the unique ability to safely enable applications while preventing all types of threats.
That differentiation made them our first choice to become our primary network security partner. Citrix and Palo Alto Networks share a common vision of how networks are evolving. Legacy networks have no awareness or understanding of application layer traffic. We're working together to provide a new application-centric architecture, a next-generation cloud network that safely enables applications with best-in-class performance and availability. Our multi-phase partnership brings together leadership and application delivery, desktop virtualization, enterprise mobility management, and network security solutions to solve real-world challenges for enterprises. We selected Palo Alto Networks as our primary network security partner because of their world-class technology, commitment customer-centric innovation, and overwhelmingly positive feedback from our customers. We're very pleased with the progress and even more optimistic about our collaboration in the future.
Service providers represent a significant portion of the overall network security market and are essential to our continued growth. In order to accelerate our penetration into carriers, we've forged a relationship with Ericsson. Ericsson is the world's largest supplier of equipment to service providers. They have their finger on the pulse of the carrier market, and what they've consistently heard from carriers is, as they contemplate building out their next generation of fixed and mobile networks, they need a more robust security solution. Ericsson wants a strong partner in network security, a partner that can handle the modern threat landscape, that can be deployed in a wide variety of use cases and is innovative. They've chosen to work with us to build out those solutions. Here's Trevor Adey of Ericsson talking about the carrier market and how we're going to work together.
Hi, my name is Trevor Adey. I'm vice-.
The next category is mobility, and clearly, mobility is a secular trend that's having a profound impact on our market. Smartphones and tablets are becoming ubiquitous in the enterprise, and we've established a range of partnerships to make it easy for enterprises to embrace this whole BYOD phenomena without compromising security. We've partnered with Aruba Networks, a leader in mobile enterprise and wireless solutions. Effectively, we've combined Aruba's wireless network products and our next-generation firewall to share user, device, and application information in order to establish and enforce security policies for mobile devices. One example of that is we've exposed some functionality via an API, and Aruba has written a plugin that extends User-ID so that when guest users or employees bringing their own mobile devices come onto the wireless network, they are governed by the appropriate security policy.
We also have some partnerships in the mobile ecosystem designed to augment our GlobalProtect product. As we described, GlobalProtect ensures that the same policy that you established for the traditional network is extended to mobile users, regardless of the location or device type. We've partnered with the leading mobile device management vendors, MDM vendors like MobileIron and Zenprise, in order to simplify the deployment of GlobalProtect and ensure ongoing compliance. These MDM platforms can be used to initially deploy the GlobalProtect client to configure security settings, and in the case that there's some type of a security violation, actually disable access or quarantine those devices. We have a range of partnerships in this mobile ecosystem that mean companies can let employees use mobile devices to access sensitive corporate applications and data, but without the security risks ordinarily associated with those devices.
Our next category is security analytics and big data. Our customers use a whole range of products in order to monitor and analyze their security information, and we effectively integrate with all of them. If you look at the SIEM market, whether it's Q1 Labs from IBM, ArcSight from HP, Symantec, they all use our rich data around applications and users in their security information management solutions. We're also doing some really innovative and useful work with Splunk, the leader in big data. Together, we're developing this next-generation security analytics platform that really leverages the unique strengths of both companies. Ordinarily, when we talk about natively identifying applications and users and content, it's done in the context of setting security policy. That same functionality and those same constructs are really useful if you wanna do any type of security analysis or forensics investigation.
If you want to identify the root cause of a breach or respond to a security incident or generate context-rich, insightful reports that capture your security posture, you are much better off starting with the rich data that we have around applications and users as opposed to relying on IP or port or protocol information that are supplied by competitive firewalls. It's yet another example of where our proprietary technology and App-ID and User-ID extend our sustainable competitive advantage. The interesting thing here is, by working with Splunk, we're able to do things to satisfy customers that we wouldn't be able to do alone. Splunk really recognizes this competitive advantage that we have and the rich data and has developed a killer app. Nobody has been a bigger advocate of this solution than Splunk CEO Godfrey Sullivan.
Hi, everyone.
The next category is enterprise security, and you'll notice that our partner ecosystem here is a lot different from our competitors. Because we have a next-generation firewall, we address the entire spectrum of network security needs, so you won't see us partnering with IPS vendors and web filtering vendors. Our firewall competitors, on the other hand, have to partner with those companies to make up for the inadequacies of a stateful inspection firewall. We don't have to do that. We address the entire spectrum. What we do is focus on the adjacent categories and think more broadly about what are the problems that CSOs are trying to solve, and we partner with companies in endpoint security configuration, risk management, authentication, access control, things of that nature.
For example, we partnered with RSA, in order to safely enable access to sensitive corporate applications and data, coupling what we do on the network security side with RSA's market-leading two-factor authentication solution. We also have a set of partnerships to complement WildFire. With WildFire, we have a best-in-class network-oriented approach to thwart APTs. We're supplementing that by partnering with companies with endpoint products and incident response services. At the RSA Conference a few weeks ago, we announced integrations with Mandiant and Bit9 to provide a holistic approach to APTs. If you look at the network detection and prevention capabilities that we have, we're coupling that with the ability to actually resolve incidents at the endpoint. The way that that works is when we identify malware in WildFire, there are certain indicators of compromise associated with that malware.
We'll send those indicators of compromise down to the Mandiant and Bit9 consoles, where all of the endpoints in the enterprise can be pulled. That just accelerates the whole remediation process. Again, a very broad range of partnerships here to complement what we've done. The last category is virtualization and SDN. In the case of SDN, we're very much at the embryonic stage in terms of enterprise adoption. I think it's a little premature to comment on exactly how it will impact our business. Lee described the way that our efforts on SDN kind of dovetail from our virtualization efforts. We're complementing that by partnering with some of the emerging leaders in the SDN space, companies like Arista Networks and Big Switch Networks.
For example, we have an automated networking solution in which security policy can be attached to virtual network segments in Big Switch using their open SDN protocol. In the case of virtualization, we're seeing massive adoption right now. This is the single biggest trend in the data center in the last decade, and it has a very profound effect on the way people think about network security, and it's causing a lot of disruption. That disruption is wonderful for us because it means more at-bats. Last November, we introduced the VM-Series to address the security needs of private clouds, public clouds, and just virtualized data centers. Not only was this product very innovative and flexible, but it's also the first step in a very important relationship with VMware. As you know, VMware is driving this whole virtualization revolution.
They pioneered the concept, and they've really driven the acceptance of these private clouds and what they're talking about as the software-defined data center. However, they realized that one of the impediments to virtualizing mission-critical applications is security. They've chosen to partner with us to develop a well-conceived, tightly integrated solution that will remove this security barrier. We're very optimistic about the long-term implications of this strategic partnership with VMware. If you listen to Hatem Naguib, Vice President of Networking and Security at VMware, I think you'll get a sense of their enthusiasm as well. As you can see, we have a vibrant ecosystem of technology partners. We're working with some of the leading and most innovative technology companies in the world. Our combined solutions result in better and more comprehensive products for our customers.
We'll continue to cultivate these relationships in order to accelerate our land, expand, and extend strategy. With that, I'll turn the floor over to Stefan to review our financial performance.
Thank you. Thanks, Chad.
I'm Steffan Tomlinson, the CFO, and today I'm gonna be covering our trends, some recent financial results, and then I'll wrap it up with our business model. To level set everyone, our Q2 2013 results, which we posted for our January quarter about a month ago, we had record revenues of $96 million, which grew 70% year-over-year. Our hybrid revenue model enabled us to grow our services revenue to $35 million or 36% of total revenues, which increases our visibility. Deferred revenue of $188 million grew 92% year-over-year, and we had very robust gross margins at 72.2% on a non-GAAP basis. Q2 also marked the fifth consecutive quarter of adding over 1,000 end customers.
We ended the quarter with a robust balance sheet with $368 million in cash equivalents, and investments. Our results demonstrate that we continue to grow faster than the competition, faster than the market, and we're gaining share. This quarter is just part of a trend, and you can see from both the annual and quarterly revenues we've been growing much faster than the market. That's due in part to not only our disruptive technology, but to our sales and go-to-market function that we have in our customer service organization. When everything's firing on all cylinders, you get this type of growth. Let's put a finer point on revenues. You can see revenue by theater for the last 5 quarters, and you can also see the corresponding year-over-year growth rates, which are really best in class.
For a moment, let's focus on sequential performance because that indicates momentum. You can see that in the Americas, we've had very consistent sequential growth. In EMEA, for the first three quarters of this chart, you can see that revenues have been flat. Part of that was due to macro issues, and part of that was also just due to us making more investments in the region. The last two quarters, however, have posted meaningful sequential growth, and that's due to the sales traction that we're getting, as well as some timing of large deals that have been working from a fairly long gestation period. Looking at APAC, you can see we've had, again, very nice sequential growth over the past five quarters. Q2 flattened out a little bit.
Mark mentioned this earlier, we consciously made a change in the APAC region to put a new leader in place at the beginning of Q2. We did this consciously because we're preparing to scale for long-term growth. With the investments we're making in our sales and go-to-market organization, we're just starting to see the benefits of building what I would call real diversity of revenues by theater. Another way that you can look at diversity of revenues is by vertical. On a lifetime to date bookings basis, we don't have 1 vertical that's over 11%, and that makes sense. Every enterprise needs network security. You can also see the customers on the right. This is a small sample of our 11,000 plus customers. Many of them are household names, AT&T, General Electric.
Some aren't household names, but nonetheless, they are very large in their industries. For example, Elavon. It's a large multinational corporation that focuses on payment processing services for over 1.2 million merchants. The reason why these customers are important to us is our land, expand, and extend strategy. We're nearly one of the only vendors out there that has the versatility to sell into any network need, enterprise network security need, whether or not that's next-generation firewall, threat prevention, filtering, WildFire, et cetera. To put a finer point on that, we like to look at our top 25 analysis. You've seen a number of different variations of this data. What you're looking at here is the trended line of the repeat purchasing metric, which really is the embodiment of what I would call our expand and extend strategy.
Once we land an account, this is representative of our top 25. In Q2, on a cumulative lifetime basis, our top 25 accounts have spent 11.4 times more in aggregate lifetime repeat purchases than their initial buy. Again, that's selling for a next-generation firewall or an IDS, IPS project, and now malware, APTs, URL filtering, et cetera. It's very compelling. Now one customer in our top 25 we acquired in 2009, and it was a Check Point displacement for a very small part of the network segment. Since 2009, and that initial purchase was $60,000, they've spent $6.5 million times more in repeat purchases as we get deployed throughout their broader network in not only the data center but the distributed perimeter firewall business.
We feel like we're about 30% penetrated. That indicates that there's a very long tail. What's providing the foundation for the land and expand business is our hybrid revenue model. For those of you who have followed the company, you've heard me talk about this before, but just to level set folks. We have 2 elements to our revenue model. We have products and services. Within the product category, we have our series of appliances, we have our VM-Series, we have our M-100 and our Panorama. From a revenue recognition standpoint, once all the criteria are met, we recognize that revenue up front. Now, the services revenue is bifurcated into 2 buckets. The first is subscriptions. We have 4. Each of them list for 20% of the appliance list price per annum.
Those subscriptions provide a SaaS-type revenue element, which is why we call our revenue model a hybrid revenue model. Within the last quarter, the number of subscriptions per appliance shipped was greater than 1.5. Historically, what we've told folks is, you know, we ship anywhere between 1 and 2, 1 to 2 subscriptions per appliance. The bottom end of that range is actually coming up. On the support side of the house, we have a number of very, very different programs that we offer, but as a proxy, support is about 16% of the appliance list price. The attach rate on support is very strong. You can't buy enterprise network security equipment without buying support. It provides you updates, upgrades, bug fixes, and the like. For both the subscription and support, these are either annual or multi-year contracts.
What we've seen is, over the past, you know, call it, you know, several quarters, we've had an uptick in multi-year deals. We'll take that business all day long. That provides us a very nice foothold into the account, now we're more structured and ensconced in the account. You can see how this model translates into our revenues. On the left-hand side, you can see the product versus services revenue split. You should train your eyes to the bottom row there, which is services as a percentage of total revenue. That continues to grow. As I've mentioned previously, last quarter is 36%. That provides incremental visibility as we go forward. To the extent that we're successful in selling multi-year deals and selling more subscriptions, like our new paid-for subscription of WildFire, that will translate into a growing deferred revenue stream.
Now let's turn to margins. Our gross margins have been operating at a very steady band. Last quarter, they were 72.2%, and that's represented by the green line. Underneath the total gross margin, we go back to products and services. Products are always gonna fluctuate a little bit, especially a company of our size and given where we are in the evolution curve. Anytime we come out with a new product, like the PA3000, there will be a higher initial cost to goods sold, but as volumes increase over time, gross margins will improve. Our services business is comprised of both subscriptions and support. Subscriptions have a very high gross margin profile. Think of it like software-type business. Our support is very people-intensive and systems-intensive. We've added over 5,000 new end customers in the last 5 quarters.
We've had to make the investments in order to scale. There are kind of countervailing forces there, but over time, we will get scale. The net result of that is we've been pretty steady in total gross margin, but there will be fluctuations amongst the contributors there. Now turning to operating margin, we've taken a very conscious approach to making investments in the business to really drive our innovation engine and our sales and go-to-market organization. Last November, we came out with five new products, which is, I would call, you know, industry-leading. We've been able to do all this and post the revenue growth in a very profitable manner, we're pleased with that.
We're not gonna be stretching to get to higher operating margins in the short term because we feel like we have the opportunity in place to really capture market share while doing it profitably. Which takes me to our balance sheet and other metrics. You can see the trending in cash and cash equivalents and investments trending up to $368 million. Other metrics that we track, cash flow from operations, free cash flow, very strong in fiscal Q2 2013. We have no debt on the balance sheet. Our DSOs are 58 days. We're gonna be monitoring that because as the profile of our business evolves with more services being sold, there could be some pressure on that, but you know, we'll keep you posted on that. Now turning to headcount.
At the end of the quarter, we had 949 heads worldwide. The vast majority are in sales and marketing, in our services organization, and R&D. We have what we call the minimum required investment in G&A and operations. We like to keep that lean. As far as future investments are concerned, you've heard today about our product roadmap, our innovation, our go-to-market. That's where we're gonna be making the investments. About two-thirds of our expenses are headcount and headcount related. Let's turn to our planning assumptions for approximately the next 12 months. We plan on hiring about 75 to 100 heads per quarter. The legal cost for our litigation with Juniper will ramp up over the next 12 months as we approach trial, which will be in February of 2014.
From a CapEx standpoint, we're calling what a normal range for a run rate is about $5 million-$10 million per quarter. We also entered into a new lease facility, you know, I guess it was a couple quarters ago now. We're gonna have incremental investment to our normal run rate of CapEx of approximately $10 million in FY 2014. Our tax rate on a non-GAAP basis is estimated to be approximately 39%. This will fluctuate. We haven't removed our valuation allowance yet, and also it's very sensitive. The rate's very sensitive to the pre-tax profit mix from an international and U.S. standpoint.
Additionally, on tax rate, we have a project underway where we're scheduled to go live with this in about 6 months, which is our IP cost-sharing project, which should decrease our longer term effective tax rate. Once we go live with that, we'll give more guidance on that going forward, but that should bring our effective tax rate down over time. That'd be more comparable with our peers. Finally, many folks asked, in fact, I was asked today, "What about seasonality in the business?" You know, seasonality, still kinda too soon to tell. Our growth rates mask seasonality. If we were to have just a preliminary indication on a go-forward basis of what seasonality could look like from a revenue standpoint, you know, an early indication would be Q4 and Q2 would be the stronger quarters.
Q4, well, because it's Q4, and we have natural business momentum built up throughout the year, and Q2, because the end of year calendar budget flush happens, and we, you know, participate in that. We expect growth in, you know, all of our quarters, but Q4 and Q2 being the strongest. This brings me to my wrap-up slide, which is our target non-GAAP operating model. Our gross margins are forecasted to be in the 70%-73% range. R&D, 13%-15%. Sales and marketing, 30%-33%. G&A, 5%-6%, leading to a total non-GAAP operating margin target of 22%-25%. When we went public back in July, we had mentioned that we thought we could achieve this in, you know, call it approximately 4 years.
As we sit here today, we've made some very good progress to date, and we think we're about three years away from achieving the target model. I will say that very much consistent with our investment philosophy, we want to ensure that we are adequately investing in the business in order to capture market share and do it in a profitable manner. We will be growing operating margins, or our plan is to grow operating margins in more of a slow and steady progression, and we'll see how the actual results play out. That concludes my section of the presentation. What I'd like to do is bring Mark McLaughlin and Mark Anderson up on stage, and we can open up the floor for Q&A.
Thanks, Stefan. Put me live. I'm sorry, just before we start the questions, just a couple things, just 'cause in case people have to leave. We said we had a number of goals when we started off today, and hopefully we accomplished a lot of that. One of the things we fundamentally believe as a company is that a lot of those trends that are playing out in security are great for security providers. It's a very helpful tailwind for us, and those will play out over a long number of years as we've seen them behind us, we see them in front of us as well.
The second thing and point we were trying to get across was the fundamental place you need to be in order to capitalize on the security trends in the network is the firewall, as the functionality that you'll need in order to protect yourself continues to move in the direction of the firewall. The third thing is obviously having the right technology as well, which we believe is a flexible platform you can continue to add to take care of those threats, and with the ultimate goal that you can safely enable the use of all applications.
Just a couple points around that is, one, you know, we were trying with the demo here to get across the point that there truly is a technical difference, because we hear a lot of marketing going on in the market. We really try to show it. It's hard to do that, as you can tell. Hopefully, the demo got some of that across. Firewalls are hard. It's policies, all sorts of stuff. Our goal there was to try to simplify it a bit and show you that. We also, obviously, we used Check Point in the demo, because they're fairly vocal about they can do it, Palo Alto does. That's just a proxy for every other stateful inspection provider in the market today is the same from a functionality perspective.
Not just trying to pick on those guys. It's just one that we could use Cisco there, we could use Jim, we could use anybody for tonight. It doesn't really matter on that. The other thing I wanted to get the point across back to the, the flexible platform and the right place in a network is we spent a little bit of time, we're overweighted on, APT and malware just because it's on, you know, it's a hot topic today. People are talking about it. We look at that as a great opportunity for us, but we're also just trying to show that with our platform that we've developed, it's, it's an example.
It's an example of yet another thing that we're able to put into that platform in a native way, and there'll be more of those in the future. I just want to put some context around all the stuff that we were trying to get done. Hopefully, you got the points across. With that, be happy to open up for some questions. How about we'll just start up front here and try to work around. Thanks.
Hi, thank you. Karl Keirstart at BMO Capital Markets. I've got a question for Mark Anderson, actually. You mentioned in your comments that one of your big initiatives is growing the number of major account teams. I think you said from 2 to 40. I guess at first blush, that sounds like a big change, and I'm wondering if you could add a little color into what the catalyst for that change is, maybe a little deeper on the process and whether a team approach like that involves any kind of comp changes for your reps.
Okay. Yeah, sure. I think it's pretty natural, a company of our size and scale, going through this evolution, and I wanna be really clear on 2 things. Firstly, the 40 is by the end of this year, not right now. I think I said 32 right now. Secondly, we did transition some existing RSMs, regional sales managers, into major accounts, especially ones that had already started to get some traction with major accounts. We just narrowed their focus down to a tighter list of accounts. I think it's also important, I try to communicate this within the company, you know, there are 2 really important functions. Whether you're an RSM, whether you're a MAM, they both have roughly the same comp plan.
They are both held to pretty closely the same expectation on productivity, although there can be spikes with major account managers where they might do a lot in one quarter and then a little less in the next quarter. They're both really important roles. Excuse me. They both require a different set of skills and a different set of enablement and training. We're, we're really focusing on that because our bigger customers are really asking us for that. They're asking us for more attention than just, you know, one account manager or two account managers in Chicago that do flybys on their 150 customers once a quarter or so.
Over here.
Thank you. Dan Cummins from B. Riley. Question for Mark and Nir, if he's still here. I had a question about, you talked about your capabilities that were pretty comprehensive with respect to network security. There wasn't a lot of talk about Data Leakage Prevention. I wonder if, Mark, you could talk about how much focus DLP is getting in big, complex deals, number one. It sounds to us as if it's very, very well prioritized and not necessarily a niche product or a niche market. It seems like Gartner's actually been talking about a product market that's approaching $1 billion.
What are your ambitions and capabilities around network DLP, particularly now with Fidelis being acquired, you know, out of the market, and what's your relationship to the host-based DLP players?
Sure. Let me give you a general on that. I can give Nir for more specifics. Can you or Lee, can you bring a mic over here for one of these guys? Yeah. As a general matter, from a DLP perspective, there's obviously a market there. It's important, and it's related to network security, although it's arguably more on the enterprise security side than the network security side. From a functionality standpoint for us, you heard us talk about DLP a bit. A big part of that for us is the ability to see, you know, what's leaving the network because we see all the traffic, we see all the applications, we know the users. That's a major portion of what we consider from a DLP perspective.
There's a lot of other things that happen in the DLP world that we don't do, some of which are endpoint, you know, and host sort of things that are possibilities for us in the future, but they're not at the network level. We're very focused right now from a network security perspective on the network-related things, and there's pieces that DLP the functionality that are valuable to our customers we do there. There's a whole separate market, you know, a whole different way to market, a whole different set of technologies out there that we haven't addressed at this point.
You answered it.
Okay, there we go. Yeah.
You answered it well. The only thing I'd add is I think when we look at it, DLP, just like a lot of things, is relatively complicated when you think of the entire problem. A lot of what we can do through application, User-ID, and things like that is simply reduce the scope of what's going on, controlling what applications are being used, controlling what kinds of content can be transferred in and out of organizations. That actually solves a big portion of the DLP problem, and it helps narrow it down for the specialists who do host and email DLP kinds of things to really focus in on the things that they can do to augment the parts that we're doing.
Did you guys already pick somebody? Okay. We'll just go over here then in the middle. Thanks.
Just 2 questions. I think the first one probably for Lee, Nir, or maybe Mark, given your legal background. It's been about 15 months since I think you were presented with the lawsuit out of Juniper and not expecting sort of detail on your defenses and so forth, but just wondering what progress, if any, you've been able to make around potentially engineering around the patents. Secondly, just I guess for Lee on APT, should we think about you talked about 1,300 customers for WildFire. I understand some of those are using the free product today. Should we think about your traction on the paid WildFire product as a proxy for your success in the APT market?
If so, could you give us any sense as to how many of those customers, the 1,300, are paid today?
Yeah, sure. On the Juniper side, you know, again, there's only so much you can say in litigation. Let me talk about where we are procedurally in all this, which is, like, kinda in the middle, process of going through discovery and expert witnesses is all occurring at this point, will occur for some time, up until the next real procedural item that's material, which is summary judgment motions Mark might hear and coming up in November of this year. Not a lot of, you know, no news, no news there.
On the question from an engineering standpoint on workarounds and stuff, you know, we can't talk about that directly, although you'd imagine that, you know, we would, like anybody, you know, in playing defense in a patent case, would explore, you know, all your defenses you could have and the mitigation strategies. I wouldn't be surprised if we were, you know, thinking about those things as well. On the question on the APT sale, I'll try to take this one, which is what we're talking about two different statistics here, but intentionally, well, talking more about one, which is how many customers are using WildFire today, and you heard Lee say over 1,300. That keeps going up. Not all of those are paid.
The other thing we talked about on the call was the number of paid users, which we haven't disclosed in there, is, well, going well and ahead of about where I thought our expectations were given the product's only been out for a short period of time, and you have to be on 5.0 to use it, right? So there's a couple hurdles to get over for us, which will, you know, which will happen in relatively short order through the course of the rest of this year as the customer base migrates to 5.0 to be able to use that. I think the question from a proxy standpoint is it's not exact.
The reason for that, the reason we continue to talk about the free ones plus paid ones is that even if the customers are not paying for it, there still provides great value for customers who will. This is a network effect. We encourage people to use it. That's why we seeded it for free, and we'll always keep the free version out there because if a customer is using the free version, they're not getting all the benefits of the paid version, but we're getting their malware samples into the system, which we can federate, for lack of a better term, out to everybody who is paying. It creates more value because we're seeing lots of malware across lots of verticals across the whole globe. We'll continue to encourage that kind of behavior.
Naturally, anybody who's using the free version is a great prospect, you know, for the paid version as well.
You know, that's our primary target, you know, as we brought that thing to market, is go back into that base, and we're doing pretty well there. Next question.
How about right there on the end, right there?
Hey, guys. Thanks. Michael Turits from Raymond James. 2 questions. One, in terms of verticals, you showed 7% of your bookings or billings coming from the service provider telco space. Fortinet, you know, is about at 28%. How much do you view this as an incremental market opportunity? If so, what's the product strategy for getting in? Then second question was just if you could quantify on the legal expense ramp.
Sure. I'll take the first part of that. Yeah. Fortinet's business there is fundamentally different than ours, which is 28% of their business is mostly the service providers using their technology in order to push service offerings to the SMB. before we've said, and we'll reiterate here, our target audience right now from a go-to-market perspective is not SMB, it's enterprise. There's two reasons for that. The first is that the enterprise network security market is over $10 billion a year. The SMB network security market is about a third or a fourth of that, you know, depending on whose research you look at. We're playing in a much bigger market. That we're not anywhere near, you know, penetrated in yet, right? For what we can do.
The second thing is that for the SMB market, there's different technology, there's different go-to-market, there's different support costs, there's different margin structures around that. Most importantly, that market is primarily driven by cost. Remember we said security, performance, you know, value. The enterprise market, primarily driven by premium security, and they'll pay for that. That market's primarily driven by what can I get, you know, from a security perspective for this cost. A great go-to-market avenue to touch that market is service providers, and that's what Fortinet has done there. We're working with service providers as well for service offerings. Ours are directed to the enterprise level, so all the ones you heard Chad talk about, that's those guys selling our technology into the high end of the market. We can go there. We can go down market.
If we did, we would go with the service providers because it's an obvious way to go get that done. We just choose not to at this time, mostly from a focus perspective of just keeping, you know, our eye on the ball and the brand as the premium brand, as opposed to kind of confuse the market with, you know, the best technology, but, you know, at the low end of the market. That's where we could go on this.
Part of the-
Yeah.
Part of that, you know, part of our focus on expanding into major accounts really includes service providers, as I mentioned, as customers, but also as partners. The focus that we have today is really significantly bigger than the focus that we had just a year ago in selling to service providers. I gave one example of a 6-figure deal to a service provider, but there's many of them that we've done, as the teams have really ramped up, not only just here in the U.S., but across the world. You know, just think just a year ago, we had salespeople that were calling on medium and large enterprises and service providers. It's a different go-to-market methodology. It's a different type of salesperson that you need to be successful there, and we're very mindful of that.
On the cost for the Juniper litigation, the ramp, for competitive reasons, we're not going to give a forecast for that. We are considering potentially disclosing that on a retrospective basis on our earnings calls, just so folks can understand what the costs are. We're considering that. Well, back here. Go to this side.
Thank you. Jayson Noland with Baird. Mark, to start with, hiring, are you getting, account managers and SEs from competitors? It sounds like they're experienced. How long, if so, does it take them to ramp? The second question on evals, an 85% win rate with technical evals or proof of concepts, that's very high. How do you manage, a sales force that could easily bring hundreds of these to you every quarter?
Yeah. Well, thanks for the question, Jayson. On the proof of concepts, you know, we're very focused on being very good at that and really just telling the story of how different our technology is and then proving it with the application visibility report that I talked about. You know, we have a large pool of eval equipment that we own and manage, but our partners, I believe, have an even larger pool, where they've purchased our technology, and they, along with our own subject matter experts, are going out and doing these evals. A big part of the enablement focus with them is to teach them how to do this in an effective way and teach them how to get more of that.
As far as hiring, we're seeing inbound requests from people at all of the tier 1 network and network security vendors. I'm not gonna name any specific names, but it's pretty consistent across the board. I think the salespeople are a pretty predictable bunch. A lot of us are really addicted to the opportunity to grow and to take a territory and take it from a little to a lot. I'm very focused on creating an environment that leverages a great culture, gives them a competitive comp plan that really competes with the tier 1 vendors that are out there and shows them a path if they want to be promoted.
Of course, when you're growing the team from very small to very large, there's lots of opportunities to be promoted to SE managers, SE directors, first-level managers, second-level managers. It's really part of a, you know, an overall culture-building picture. Productivity. You know, we actually don't talk about, you know, the times of productivity, but what we do talk about is we're very focused on trying to make it happen earlier.
How about we go in the back, lady back there.
You talked a lot about the platform approach that you're taking, and you showed statistics on, you know, primary firewall use cases. I'm curious, how has the customer buying pattern itself changed? Do they still come to you for a specific project or use case, like say, a firewall or an IPS deployment, or do you have more strategic conversations with them?
Both. It's very well ingrained in the customer mindset, just as you kind of think about the last decade to 15 years, about all these technologies we mentioned and the kludge aspect about how they think about their networks in the first place and from a defense perspective on how they purchased for a really long time. These things get done in refresh cycles. It's fairly consistent still, you know, that folks will say, "It's time to do the such and such refresh," you know, or this piece of technology, and that's your opportunity to kind of get in there.
What we have seen, though, is a rapid increase in the focus, probably from the boardrooms, as I mentioned, it's one of these top three items, down where the C-level folks who are in charge of the CISO, CIO, CTO are, they understand. I mean, not that you know, they're living it, so they're kind of telling us. It's not the other way around, you know. They understand that rapid change of threat. They understand that, you know, they can't really keep up. They understand the budget issues and all. So those are the folks who are strategically saying, you know, "Enough, you know.
We need to come up with a better way to do this." They're the ones challenging their teams then who may have been doing it a certain way for 10 years or 15 years to say, "We need a better way." That's very helpful for us, and we try to get as many of those conversations as we can because if we can, you know, tie into what they're thinking, then we just have a better chance of getting it back because then they go back to their staff and say, "What about these Palo Alto guys, right?" It takes that 1 comment to go get the AVR done and, you know, then we're off to the races. We're seeing it really at both sides. Yeah.
We just have time for one more question.
Okay. We're gonna be here. Nobody's going anywhere afterwards, so we'll happy to answer any other questions up front. How about we'll just go. It's hard to see. Right, right there, right, since you're standing right there. Thanks.
Yeah. I think Check Point would disagree. This is Shebly Seyrafi, by the way, FBN. With the degradation, the performance of 90% or so, 100 gig going to 4, which is less than your 5 gig for the PA-5050. What are your thoughts about even taking away that argument and improving, you know, the performance per box eventually? Separately for Stefan, you're targeting hitting your target operating model in 3 years. What if your growth is still very high, say 30%-40%? Other companies would defer hitting that target of, let's say, 22%-25% operating model, operating margin that is, further still if the growth is robust.
What are your thoughts about, you know, potentially hitting the margin target later than 3 years if the growth is still very strong?
Let me talk on the performance one, and I also failed to mention there, we brought 5 or 6 of our SEs with us today, which are, I think, outside. These folks are all from different competitors, some from Check Point, some from Cisco. I would encourage you, they're outside at the different areas to talk to them if you really wanna talk technical on, like, what's happening on the ground. It's just another source of information for you. Specifically on the performance, I'm positive that Check Point would disagree with what we said. That wouldn't shock me. I think there's 2 things to think about on that. The first is that the reality of just the testing, whether it's ours, theirs, their spec sheets, NSS, anybody, that's just what happens, right?
There's just kind of no way around that. The second thing is, you would have to disagree with your them with that, which is either say that's not right, or that doesn't matter, we got bigger and bigger boxes. I always try to think about these things, about where people are coming from on them, right? If we're right, and I think we are, that the more these blades or functionality you add, you get the decreased degradation, which technically I think we can prove, and you can go check it out yourself. You're them, then you must talk about performance. You have to do that, right?
You have to say, "I've got the bigger box, the bigger box, the bigger box," because as these threats change and the new functionality has to be introduced and it's kludged on with another engine, your performance will degrade every time the traffic passes through another engine. You must have a bigger box and then a bigger box and a bigger box because that's what's going to happen at the end. Here's how customers think about it. Customers don't say, "I'm looking for a 120 gig box." Customers say, "I'm looking for security, and I need 4 gigs." Remember I said security performance? My performance requirements as an enterprise, in order to run my enterprise, are 4 gigs of protected output or 5 or 10 or pick your number. That's how they think about it.
When they say that, then you backward plan off of that to say, "If I wanna get 5 gigs out the end of what I think their protection is, well, how do I do that?" With Palo Alto, you buy a 5-gig box. If you're Cisco, I'm not gonna pick on Check Point anymore, Juniper, it doesn't really matter. To get that 5 gigs, you've got to say, "I need to start 40, 100," you know, depending on who you're talking to because of the degradation. It's This is why those guys are super-duper focused on speaking about performance all the time of the bigger boxes because it's a necessity in order to actually get the output that we're talking about the end of the day. You're gonna hear more of that, not less of that.
I think related in that question was, you know, us and what would we do on the performance side. It really depends on where we're sitting in the network. We don't have to do more from a performance standpoint to deliver what customers are asking us to deliver today. We are getting more inbound requests from customers saying, "Gee, we'd like to see, you know, bigger bo-." A small set of customers saying, "We've got use cases in the data centers or something where we'd like to see even higher performances, not because the performance degrades. That's just our throughput requirements in that massive data center we have, so we wanna see the 100 gig next-gen firewall doing everything that it does.
Again, not because it degrades, but would be great if we got a 100-gig box of it. Those are things we take seriously. As Lee said, you would imagine in our family of appliances, all the way from the small to the large, that we would keep adding inside of there as customers tell us what those, you know, needs and requirements would be.
On the target model question, we have a flexible approach, but our current viewpoint is, given our growth characteristics, given our nice gross margin, we feel like we can achieve the target model in 3 years. At the next analyst day that we hold, we'll, you know, we'll take stock of where we are, but our current viewpoint is we're about 3 years away from achieving it. Hypothetically, if our growth rates, you know, were dramatically different than they are or where we think they're gonna be, of course we'll, you know, I think we'll take a flexible and nimble approach to the target model. As we sit here right now, we feel like it's achievable in about 3 years, and we feel good with that.
I think that's all we have time for. Again, the whole executive team is here. We'll stay around for as long as you guys like. We really appreciate you taking the time and your interest in Palo Alto. Thanks a lot for coming.
Thanks.