Good morning. Welcome to our 1st Analyst Day as a public company. I'm going to cover some housekeeping items today. You have your agenda in front of you, very straightforward. We have 2 Q and A sessions interspersed the day after each main section.
So queue up your questions for each of those sessions. We do have a break right in the mid morning at about 10:15 and we'll end the day at 12:30. We have the entire management team here today and we're really looking forward to telling story. But let me first cover some housekeeping items. We have any forward looking statements that we have today will be covered by our Safe Harbor statement.
And with that, I'm going to cover Mark McLaughlin. I'm going to introduce Mark McLaughlin, our President, CEO and Chairman. Thank you.
Great. Okay. Can't morning, everybody. Thanks for coming. I'm Mark McLaughlin, President and CEO of Palo Alto Networks.
Really happy to have everybody here with us today and appreciate you taking the time To learn a little bit more about Palo Alto and for us to get a little more involved in discussing our story. With me today to help tell that story, I have the entire executive management from Paladis. I just want to do a couple of quick introductions. You may know some folks already. But we have Nir Zuk up here in front, our CTO and Founder Rajeev Bantra, our cofounder who runs our engineering.
We also have Stefan Thomas, Indino, our CFO. We've got Rene Bommany, our Chief Marketing Officer, who is in the back running master ceremonies back there. We also have Mark Anderson, who runs Worldwide Field Operations, which is a combination of our sales plus customer support team. Lee Klarich, up front here, runs product management for us. You'll hear about our products from him today.
Chad Kinselberg upfront is running our corporate development strategy. Allison Hopkins runs HR for us. And last but not least, Brett Eldridge runs customer support and customer engineering for us. So got everybody here, encourage you to take the time and the breaks to talk to folks if you have any questions. Our main job here is to answer questions you have.
So as we thought about the day and what we wanted to try to accomplish here with you. Our goals are really up here, which is we wanted to give you a sense of the market we serve. We've talked about that a number of times with you folks, but just being pretty specific about the market that we're in, the opportunity we think we have in that market and where we are in an opportunity. We're winning in this market, which we wanted to discuss in fairly detailed manner why we're winning, why we think we can continue to win the market. We'll get a view from Mark on how we're doing.
And then most importantly, like I said, to answer your questions. To get all this done today from an agenda perspective, we're going to talk through the following things. There's a lot of things that are happening from a market dynamic perspective that favor a company like Palo Alto Networks. And some of those are based on strategic technical trends and implications from those trends. So we'll walk through some of those with you.
We'll talk about how do we address those implications from a product perspective, which Lee Lee will discuss for us. We're going to talk about how we serve the market, which Renee will get into a bit with us and how we're doing in the market. We'll get a view from the field from Mark Anderson about what's happening on the street when we're out there selling and competing. Chad's going to give us a brief tutorial on how we're leveraging strategic partnerships in order to continue our growth. And then at the end of the day, we're all about results.
So you'll hear from Stephan from some of the numbers perspective. So one of the things that I wanted to try to do is just to kick things off was to sort of set the stage for Palo Alto Networks. We're doing fairly well company. And in a lot of conversations as to why that's the case, we are very focused on the technology, which is true. We have a highly differentiated technology and there's a lot of focus on that.
So you will hear from us today quite a bit about how the Palo Alto technology is different from what the competition has because that's a really important point. A couple of other things that I don't think we discussed as much In the past, I tried to put Palo Alto in context, are a bit higher level, which is we believe we've got the right technology. Like I said, we'll define that and you'll hear about that later on. But we also think that there's a lot going on in the market that means that importantly, to be a winner in this market, you need to be in the right place, not with just the right technology, but in the right place. And by that, I mean the right place in the network Because there are technical trends that are going on in network security that favor folks who are in the right place, and by that I mean the firewall level.
And then the other thing is, is it's sort of the right time. So you can have a company with great technology, be in the right place, but it also really helps If in the really big picture, the things that are happening in the world favor what you're doing for your customers, We think that's the case. So I'm just going to walk through these fairly rapidly, but to give some context around Palo Alto Networks and starting from the top to bottom, which is The right time. So as everybody knows today, security is and cybersecurity is absolutely paramount. You can't can't pick up the paper, you can't turn on the browser, right, without seeing literally on a daily basis now somebody being breached, somebody with a problem And it's very, very public.
Just this morning, if you I woke up, fired up a laptop and saw 2 or 3 South Korean media companies were hacked by North Korea last night, and it's all over the front page. That's a real problem for these companies. But literally, Every day, we're seeing something like this. And these breaches have major business implications that range from stolen personal information, stolen passwords, intellectual property getting ripped off, to things that are even more serious than that. And the people on the wrong side of this, meaning the companies, the entities that are hacked and breached are very concerned about this and rightfully so.
And it's now a matter of major importance for all but particularly enterprises all around the world where the idea of security and cybersecurity has become a boardroom issue and lots of reports out there saying it's the number 1, 2 or 3 issue discussed in every boardroom On a quarterly basis with a lot of enterprises are actually forming standing committees now at the board level that are security related to understand how does that company protect themselves against all the stuff that's happening, how are we doing because the implications are becoming more and more important if they are unable to do that. And then on top of that, it's now a matter of Officially, a matter of national security because of all the potential threats for enterprises America, which is the backbone of the economy and in addition to that for the government as well. So just as recently as 2 or 3 weeks ago, President Obama issued an executive order laying down a number of things that were progress in the direction of public private And how do we take care of this issue? More likely than not the precursor for congressional legislation to occur in the next 12 months, probably 18 months to try to define from a legal perspective on what companies have to do in working with the government and vice versa.
So from a time perspective, when you have a situation like this where there's a lot of problems, A lot of attention, a lot of focus. If you're a security provider, a network security provider, it's the right time, right? This stuff is not going away. It's getting worse and you can see that almost daily and a weekly basis as it kind of continue to heats up. So We think us plus other players are in a position from a right time perspective that the world is more and more needing what we provide as a company.
And we've got a big problem like that and that much focus on it, you have to kind of ask yourself, so what's the problem, right? Everybody's agreed that this is a big deal and there's lots of resources to throw at this. What's the problem on how do you fix this? Why is it getting worse and not So one of the major technical things that is happening in the world today around this is really around the threats. So the kinds of threats that are out there, the ability for the bad guys to morph those threats, create new ones, change them rapidly, that is accelerating at a pace that is alarming.
And so really alarming if it's your job Stop it, right? And that's not slowing down. That's getting faster. And you can kind of see this playing out too with all those headlines before about the preachers. They're not all the They're different and new ones are popping up all the time.
And old ones, meaning ones that the company may have seen before, can very quickly morph even though you thought you defended against it over here, they change it slightly and it comes in over here. And that's just because the level of sophistication is going up dramatically as well in the threat environment from either state sponsorship, lots of money involved, but it's very, very serious. So threats are moving very quickly, evolving very rapidly to the point where, again, if it's your job in the enterprise to stop this stuff, I've heard a lot of people say, They can't throw their hands up, but almost want to throw their hands up saying, How do I just keep up with this? Let alone try to be in front of this. So that's a big picture thing that's been changing for quite some time.
We think we'll change into the future, meaning the rapidity of these threats and the ability to morph them very quickly is a real challenge when it comes to how do you stay in of these things or at least not fall too far behind of these things from a technical perspective on how do you defend. So I wonder if there's an implication that I'll discuss in a second. But For that, in addition to the fact that the threats are there, changing rapidly, morphing very rapidly, You have another problem, which is the age of the application, right? So, some of you have seen this slide before. But Really, what we're saying here is that with all these threats, they can exist.
But until they're on your network, it's not really a problem, right? So how are they getting there? Well, one of the ways that they've been getting there the biggest way they've been getting there is from an application perspective. So, in the last 7, 8, 10 years, we've seen a lot of macro trends playing out on the technical front that are really important for companies for productivity, all sorts of reasons, things like SaaS and cloud, as people use that more and more. You have mobility, which leads to bring your own device.
So all these major macro trends are playing out right in front of us. It's taking years, But they're very real and they're here to stay. They're not going to get small, they're going to get bigger. But the one thing that all these things have in common is that they are causing an explosion in applications. And that makes a lot of sense, right?
If you're an enterprise, enterprises very, very rarely anymore are writing their own proprietary application for anything. Why would you do that? It's expensive. You got to do it. You got to maintain it.
You got to have staff for that. Some third parties out there who's willing to take care of you for that on whether it's very serious from a CRM perspective or something else. But more and more often, you're relying on 3rd parties to provide applications for your enterprise. And then in addition There's just a lot of applications that may have nothing to do with your business, but they're finding their way onto your network. So if you took a poll 10 years or 12 years ago, the number of 3rd party applications on your network would have been measured in dozens.
If you took that poll 2 years ago, on average, it was 1200. And if you took that poll last year, The average number of applications that are on enterprise network is 1600 and it's growing at that kind of rate. So, it's getting you're getting more and more of these applications on your work whether you want them or whether you don't want them. So the combination of the fact that the threats are increasing, the rapidity of the threats are increasing, their ability to morph are increasing And at the same time, you have this explosion of applications coming onto your network is a dangerous combination because this is how they get in. They're writing the applications into the network.
And the combination of those things makes security a real challenge for folks. And just to make matters worse, this won't last forever, hopefully, right? But we've all been living in an environment for the last few years and it seems that we will for quite some time here of just budget realities, right? So at the same time that you have all these big picture challenges going on, you're also faced with the fact that there's not All the money in the world to solve it. It's not security at any cost.
It just can't be that way anymore. So if you're in charge of solving these problems, You're being told this is super duper important from the board down and by the way you have to do more with less. So go figure that out, right? And that is the world in which Our buyers live in today. So we have we've got this really big picture stuff that's been evolving for 10 years and going to continue and evolve in the direction I just said.
And in addition to that, they've got to do more with less. So what does that mean from a buying pattern behavior? For a very long time, customers, the enterprise customers have purchased network security products with 3 things in mind: Security, performance and value. And sometimes I'll just say that's cost, right? And of those 3, obviously, the most important for enterprises is security, meaning if you're not secure, who cares what it costs, right, when you have particularly with these kind of challenges.
The implication of things I talk about, about the big trends going on in the threat side of things and the explosion of applications has fundamentally changed, point number 1, what does it mean to be secure? And what it means to be secure now, and this is what the world is recognizing, our customer base is recognizing in a fairly rapid manner is it means I need to be able to safely use those on my network and I need to be able to, if nothing else, respond in fairly short order to the threats and the morphing of the threats that are occurring out there. That's a different definition of security than 5, 8 years ago. And the acceptance of that is gaining ground very, very quickly. Now in addition to that, I have to do that And I have to do that at a performance level that doesn't cost me my network, right?
If you have a secure network and it's so slow that nobody can really use it, you didn't really accomplish anything. So you can't give up performance in getting that kind of security. And in addition to that, I have to have good great value in all this, right? Because I don't have all the money in the world. So all the things you're going to do for me, whatever it means on security and performance, I need that to be a really good value and ideally an increasingly good value over time because I'm under a lot of pressure.
So these are the conversations and how they go when you're talking to our buying universe. But most important of these is like I said, point number 1, which is just fundamentally changed. And what that has led to for us is A few technical architectural changes that have been going on for some time and it will continue to go on into the future and this one I call the right place, right? And what I mean by this is the right place in the network itself. And the right place to handle these security challenges, if you have the right technology is to be the firewall.
And the reason for that is pretty simple. The firewall is the only security device in an enterprise network that sees all the traffic coming in and all the traffic going out. So because of that, it makes a hell of a lot of sense to try to either defend yourself or be proactive in nature at the firewall level. So that's the right place to try to take care of these issues. And what has happened over time in our industry is all these threats have come up and evolved very quickly is the Kluge network, right?
As new threats evolve or new categories of threats have evolved over the last decade, our industry has responded with Best of breed providers doing things that frankly the firewall vendors should have done. The main firewall vendors, they didn't over time. So it gave birth to whole industries and whole sets of technology like IPS and web filtering and AV and malware now, right? There are all these things that have been handled at the firewall weren't. So it allowed or created a need for all these disparate technologies to come into existence and it Force customers to say, if I'm going to deal with those problems, here's how I have to deal with it.
I have to go buy a best of breed point solution, either in the device or software, put it into my network. And more often than not, when you walk into an enterprise, the enterprise network looks like this, which has got a firewall and I got stuff stacked up all around it, All right. And the reason for that is that I've got these threats that are evolving quickly. I'm trying to solve them and somebody comes up with something. So I get it.
I put it into the network. The problem with this is because of the underlying technology of all this stuff, stateful inspection technology, It fails the fundamental point of being able to safely enable applications. We'll discuss that in more detail today. But it fails the fundamental point of security, the first buying is how do I safely enable the applications. And in addition to that, now it's more and more failing the main point of security, which is Because those threats are showing up much faster, evolving much faster, morphing much faster, putting multiple pieces of technology together is fundamentally insecure.
You have no piece of technology itself inherently understands the problem in the first place with its applications and then you string them all together. Every one of those handoffs is a security issue for you in your network just because they're not all natively talking together. And we can see this now. What we're hearing from enterprises, you're probably hearing this as well, is they don't like that anymore, right? And they don't like that Not because of cost.
I mean, that's the one we hear a lot is saying people want to integrate the technology because it's expensive to work with the vendors. That's all true. That's all true. But that is not the primary point. The primary point is that the professionals, the security professionals whose job it is to defend the networks.
They get it. They're saying we need native capabilities, ideally in the least number of platforms, but native capabilities that understand these applications from the ground up from the start in order to protect ourselves. And just as importantly, ideally, they'd be in a platform where it all occurs in the platform because every time we have to String together a technology, we have 2 problems. The first is every one of those handoffs is, by definition, a weak point in our network from a security perspective. And the second thing is all these threats keep coming faster and faster and we have to wait for somebody to come up with this best of breed box and then go get it, right?
Put it in the network to make all that work. This just doesn't work anymore for those two reasons. And that's what we're seeing. This is Evolutionary in nature, right? These are things that are playing out over a decade at a time, but it's really heating up I mean, this is becoming much, much more in the forefront for folks about the demand on what it takes in order to keep your enterprise safe.
And because of that, the network is going here. This is a much more likely network architecture from a security perspective in the future, which is if I can get rid of all these disparate pieces of technology, I can get a platform that natively understands all these applications and understands how to handle those threats and that platform is Flexible enough that I can add continued protection as these threats emerge and evolve. That's the one I'm going to want. Again, not because of cost. That's an added benefit.
It's just more secure. And that is a major technical implication playing out in the market. And that's why I said that in addition to having the right technology, meaning you can safely enable the applications with a flexible platform, being at the right place, which is the firewall, is really important because that's where this is going to happen. Again, simply because it's The only device in the network sees all the traffic in, all the traffic out. If you're not a firewall, in this market, One of the main implications of that is that your device, if it fails when it fails, it doesn't bring your network down.
If you're the firewall and you fail, the network is down. There's a huge difference between the capabilities of firewalls and non firewall devices. And that is the difference. Frankly, that's why there's so few firewall vendors because it's not just about technology, it's about your capabilities to be an in line high speed, all those things are required from an enterprise perspective. And then in addition to that, you have to have the right technology, right?
So What we mean by the right technology is a platform that is flexible enough to be able to add to it on a fairly rapid basis to take into account the threats, macro trends we're talking about, that also and importantly is the one that can safely enable the use of It's a fairly simple definition, but it's really, really hard to do. So and that's where we think we are. We think we have the right technology in the right place in the network for these architectural which is things moving to the firewall at the right time where this problem is paramount and becoming more and more important and evident for folks And there are big desire out there in order to figure out how do you handle these kind of problems. That has led to major market disruptions that will continue for quite some time with or without us, frankly, right? But major market disruptions.
We're serving the enterprise network security market, which is a very large market, dollars 10,000,000,000 a year plus and growing, as you can see by some estimates, $13,000,000,000 in a few years' time. It's broken into some fairly discrete technical functionality here, as you can see. So it's not a gazillion things. It's just a few things that are in there. But what's happening, the reason I'm showing you this slide is what's happening in this TAM is money is moving around fairly rapidly and I think that's picking up from an acceleration standpoint because of all the stuff that I just went through.
So the money is moving not just greenfield but the existing money is moving around, and it's moving in favor of the disruptors as it always will. And as a result of that, There will be winners and there will be losers in this market just inside that big TAM I just showed you. And the winners are going to be folks who have attributes of that have the following things. The first is you have a next generation platform that's purpose built for the problem you're trying to solve. The flexible platform which is capable of safely enabling all the applications on your network, the losers will continue with legacy architectures and try to not purpose build it.
They'll try to work with their legacy architectures. That platform, the next gen platform has to have application enablement and threat prevention at its core. And you'll see that here. We'll show you in a little while exactly what we mean by that. And the losers here We'll take a bold on approach.
We'll continue to take disparate pieces of best of breed technology, continually try to slap it together in order to approximate The definition of security is safe and able of applications as opposed to just doing it right from the core of the technology. The winners platforms will be flexible. What that means is that in light of all those threats that are coming faster, morphing faster, The platform will be flexible enough to take them into account so that you continually add to the platform as those threats evolve and be able to handle those as opposed to have to wait for a fundamental rebuild of the platform itself or, like I said in the previous point, bolting on technology to care of this. And the winners will have demonstrated enterprise capabilities as a firewall, not as an auxiliary, what we call, firewall helper. And that's very important because as I said, the technical trend is this stuff's moving to the firewall simply because it's the device that can see all the traffic at line speed and try to take care of these problems, where the auxiliary helpers are just solving one little problem, maybe important, but to solve one problem, but they are not in line and it takes a hell of a lot, like you said, to be a firewall provider and be in line.
So demonstrated Firewall capabilities at enterprise class levels and speed are critical important for the winners. And you can see this playing out. So This is the market recognition, at least from Gartner. This is their Magic Quadrant. These are the firewall players.
There's actually a lot more players here. We took off the other ones only so only because they all end up in the bottom left hand corner. Just trying to show the major firewall players here, right? So I'm not trying to mock up the But this is what's happened from 2010 to 2013. As you can see, the major firewall players moving around here.
Like I said, everybody else is in the bottom left corner there, so don't worry about that. But and what these axes are on this from a Gartner perspective is the x axis is your visionary capabilities, right? So what they mean by that are the companies that are visionary enough to actual implications because of those imperatives from a threat landscape. They understand it and they're able to address that. So that's the visionary aspect.
Further you are out that way, the better from a visionary perspective. And then the other axis here is your ability to execute, which is you may be the smartest guys in the world about that. But in order to serve an enterprise, be in line, line speeds, customer support, RMA a box in Nigeria in 20 All those things that you have to do to serve global enterprises, that's the other axis. And so the higher you are on this is the better. And as you can see from that sort of morphing, In the last 3 years' time at least, Palo Alto has been doing better and better and better here because we're proving we're right on the vision and we're always continuing to prove our execution capabilities.
It's also just playing out right from financially in the market. This is just last quarter. To give sense of the relative absolute relative performance of Palo Alto in the market. And this is the market recognizing everything I said and buying our technology because it's true. It works the way that we said it works, and it helps solve those problems for folks.
So what's the difference between Palo Alto and everybody else? At a really high level, The differences are the fact that we started out by trying to solve the problem, which is how do you safely enable all these applications We started out with the understanding that great security is native and not bolt on and that means that because those threats are evolving so quickly, If you're bolting on technology for every one of those or waiting for the next best of breed solution, you have a problem just from an architectural standpoint about what security is going to mean for you from those various handoffs and the weak points in your network. If we start off with macro trends in mind, Obviously, we don't know everything, right? We can't see everything into the future. But when we design the platform and continue to design things in the platform, We have a lot of big picture things in mind like mobility, malware, virtualization, SDN, all the things that people are talking about today, We baked into the product in a lot of different ways and continue to evolve it with those things in mind.
And one thing I should note is that we're not always the 1st mover, in a lot of these different areas. And that's by design because the 1st mover may have 1st mover advantage. But as far as having great security at the end of the day, that's what we've been able to prove again and again and again is how do you what's the right way to solve These problems that will have longevity over time, we've been able to do that. And we started with a business model that scales because of this, which is we can answer any enterprise network security need in that entire $10,000,000,000 TAM. No matter what you think your problem is, as an enterprise, We have a solution that's flexible enough that we can address that specific point and more importantly, it can address all of your needs and the recognition of that over time once we get into the account allows to expand inside the account.
And our platform is flexible enough that we can keep adding services to take care of all these rapidity of these threats we've been talking about, and we're going to continue to extend our value proposition. And you can see that from our business model, which is scalable and one that we can operate with ever increasing leverage. That leads us to where are we. We think we're in early innings in a big market where big disruptions are occurring and will continue to play out for quite a long time. These things are not playing out in 6 months or a year.
They're playing out in 5 10 years' time behind us, and that's accelerating in front of us is how they play out. We've got a really large and growing market opportunity. And because of that threat landscape I talked about and everything that's happening there, Strategic imperatives are changing for enterprises. 5 years ago, this was not discussed in the boardroom. Now it's discussed every boardroom and that's going to continue over time.
So the strategic imperatives top down in organizations are demanding answers to this problem. That has led to the industry and the professionals behind this technology to want and demand Major technical changes in the network and the implications of that are things are moving to the firewall because it simply makes sense to do that. So you need to be in that position, and we are, which just lead to the gaps between those who can and can't, meaning you're a demonstrated enterprise firewall player with a flexible platform that can safely enable applications. If you can do that, the gap between those who can do that and those who can't is wide right now and it's getting wider pretty fast just because it's really, really hard It's really hard to catch up to that if you don't have it already. And then that results in those who can benefiting disproportionately from a market perspective.
And you can kind of see that not only from things like the Gartner thing but also our results in the market is the disruptors will get a good, good portion of that TAM because you're effectively answering and efficiently answering the problem that these networks have. So we are Palatin Networks. Our vision is to be the leading independent global We think we've got a great start in that. We think we've got a long way to go on that. And we're very appreciative of you taking the time today to hear us try to prove that out to you.
And you'll hear that from a lot of our team today. So thanks again for your time. Look forward to talking to you a little later on.
Good morning, everyone. I'm Nir. I'm the Founder and CTO of Palo Alto Networks. And I want to talk a little bit today about what makes us different from a technology perspective And why is our technology enabling us to be so successful? And to do that, first, I want to go back 7 years and Show you what we've seen back then is the opportunity in front of us and then show you how we implemented it, okay?
So 7 years ago, We saw 2 major trends in the network security industry. The first one was the World War I style trench wars between the business represented by the CIO and the security group, where the business kept wanting to use the Internet for much more Then they were using it and the security group keeps saying no to everything. So the business wanted to use WebEx. I know many of you work for financial services companies that don't even allow WebEx. The business wanted to use things like Facebook and other social media and the security group said no.
And then the business wanted to use things like Dropbox and Box.net and Google Drive and others And the security group said no. And the business maybe wanted to start using online office applications like Google Docs and Zoho and now Office 365 and the security group said no. And this war between the business and the security group didn't make because the role of IT guys is to enable the business, not to stop the business from doing its business. And the fundamental issue that the security group had and the reason that they kept saying no was the fact that the entire focus of all the technology that's being used or were used, was used. But by the security group was focused on protecting web and email.
What I mean by that is that you all use email. And today when you receive email, if you work for a company that is not Palo Alto enabled. When you receive the e mail, the e mail goes through a lot of checks. The checks that the e mail goes through include, for making sure you don't receive an executable attachment, right. So if I send you an executable attachment, your IT department probably going to cut it off.
It includes scanning the e mail for batings, for viruses and for spyware and for botnets and for trojans and for all kinds of malware. It includes scanning the email for exploits of vulnerabilities, such that if there is a PDF attachment that's going to try to exploit a vulnerability in Adobe Acrobat take over your computer, your machine, then it won't make it in. And also on the way out, e mail gets scanned for a lot of things. It gets scanned for the same things I just described on the way in as well as for data leakage, making sure that you don't accidentally send out information that you're not supposed to send out. So the problem of securing e mail is well known and it's been like that for many, many, many years.
The problem of web browsing is similar and has been known for the same amount of time. When you browse the Internet, same thing. Your IT department makes sure that you don't receive any content that's going to harm you or your machine. And when you send something out, they make sure that you don't send out anything confidential. They also make sure you don't go to sites that you're not supposed to visit either for security reasons or for Productivityliability reasons, okay.
So the problem of security for email and for web browsing has been well understood for many, many years And that's really what the security group has been focused on solving all these years. And what we saw 7 years ago is that if you want to use anything else Beyond web browsing and email, then things like external SharePoint or WebEx or Dropbox box.net/googledriveoronlineemaillikegmail or any other online office applications, instant messenger applications, any kind of an application beyond web browsing and email, as an enterprise, you have 3 options. The first option is to block the application, which is pretty common, especially in the financial services industry. The second option you had is to stick the head in the ground and allow the application to go through knowing that the same threats and the same bad things and good things that you control email for are going to come in and go out with that application. The same executable that you block over email will come in over Dropbox, Okay.
The same malware that you block in email will come in via SharePoint. And the same data that you stop from leaking over email would be leaking out over instant messenger or whatever application you decide to allow. This is the second option and Many of your employers also do that. I mean, they took a conscious decision saying, we'll keep spending a lot of money protecting email and we'll ignore the fact that this new application that we let you use is going to carry the same risks that we are protecting e mail against. And then the 3rd option you have is to use Palo Alto Networks today.
There's no 4th option. These are the only three options that you have, okay? And we'll show you in a demo later what we mean by that. Now, What Palo Alto Networks does and what the problem that we saw back then was is the need to safely enable applications. And what it means to safely enable application It is to make the application as safe to use as e mail, providing the enterprise the same controls over the application, For example, no executables and the same security, meaning scanning the application traffic for all the bad things that you scan email for and for the same data leakage you scan e mail for.
And we'll show you in a demo later, in a live demo, how we are different than our competitors, how we safely enable applications, how we can take any application and make it as safe to use as e mail, while our competitors are focused on blocking the Okay. So that's the first thing that we saw then. The second trend that we saw 7 years ago when we started Palo Alto Networks is something that Mark described, which is the whack a mole approach to network security, Meaning that every time there is a new security problem, a new solution emerges, a new submarket of the network security market being created. You have a problem with exploits? No problem.
We'll create an IPS or IDS and then IPS market. You have a problem with content? No problem. We'll build a proxy market for you. You have a problem with filtering?
No problem. We'll build a web filtering industry for you. You have a problem now with APTs? No problem. There are Now with APTs, no problem.
There are 10 companies that will be happy to sell you yet another box to solve your APT problem. And back then and today, of course, we still see or back then we saw and today we still see that that approach is not scalable. Enterprises can't continue paying For so many devices on their network, they can deploy in many so many devices on the network. And more importantly, as you'll see a little bit later, and as Mark described, it's not the right solution. From a security perspective, you cannot continue doing it.
You're not going to be secure if you continue the WACC Amol approach. As Mark described, We believe that the core of network security has to be the firewall, because the firewall is the only device Even after almost 20 years since the launch of the Sted for inspection firewall, the firewall is the only device that is everywhere on the network, From the small branch office to the largest data center, from the edge of the network to the core of the network is the only device that is installed everywhere. Other devices are either not everywhere or they don't see the traffic, all the traffic all the time, they see very small portion of the traffic, for example, a specific port or a specific application. The only device that's positioned to block bad things is the device that is is everywhere and sees all the traffic all the time and that's the firewall. And the firewall has always been and will always be at the core of network security, Okay.
Now the firewall can't do everything by itself. The original approach was let's add more and more and more devices behind the firewall. The newer approach that we're seeing to this and that we saw 7 years ago is pairing the firewall with some centralized detection. A data center that is either hosted by the vendor, in our case, Palo Alto Networks or hosted by the customer or by a service provider That's processing some of the information going through the firewall that the firewall cannot process and then sending back information to the firewall for enforcement. Okay.
Again, the firewall is the only device that is positioned to enforce things and therefore the firewall has to be the key part in this map. Now, we've been doing this for a long time. Our URL filtering solution from when we released it many years ago works like this. We've been sending or our firewalls in the field have been sending URLs to the cloud for categorization and the cloud would send back the result. Recently, we added more functionality to this around malware, around APTs, where we send files to the cloud for analysis and then receive them back receive back signatures to block the bad things.
We call that wildfire, okay? Now, To achieve those things, those 2 things, number 1, safely enabling applications and number 2, building a platform that can deal with all network security threats and not and stop the whack a mole approach to network security, we had to do 2 main things. The first thing we have to do is to create what's called App ID, which is sitting at the core of our device, such that when we receive traffic, we know which application it is and we analyze the application such that the rest of the device, everything else the device does is based on the application, okay. So everything we do and no matter what functionality we add, as we add more and more functionality, it immediately applies to all applications because the concept of identifying and understanding the application is at the core of the product. So that's the first thing we have And we'll show you later in a live demonstration how that's different than adding a blade on top of a step forward inspection firewall to identify and trying to block applications.
It's a very big difference. The fact that we do it at the core of the product and by that make the tire product application based makes the whole difference between us or a big part of the difference between us and our competitors. And you'll see it in a live demo and the implications of that in a live demo later. The second core technology that we developed was the single pass architecture, which essentially allows us to load the books with many different kinds of signatures or other things to detect stuff. The engine is running all the time and the engine is capable of looking for different things at the same time without losing speed.
So, for example, In the first version that we released of our product, we didn't have DLP. We had the engine, but we didn't have DLP, data leakage prevention. In one of the following releases, we released DLP, loaded the single pass architecture with DLP information and by that started detecting the leakage of information without degrading performance. Okay. We unlocked that functionality on the engine by loading it with more and more things to detect and we started doing it without degrading performance.
And as we added more and more functions like APT, modern malware and so on, we load that engine without functionality and keep looking at the same speed for all those bad things without degrading performance. And this is very different in our competitors, which with their UTMs or similar or blade based products add more and more software and yet another engine and another engine and another engine and another engine to detect things and by that they slow down every time you turn on a new thing, which means that they can't really do it, which is why all these other companies are thriving, selling devices to sit behind the firewall, okay. We stopped it. And again, the way we stopped it is by building an engine that is flexible enough And it's also future proof enough such that whenever new threats emerge, we can add detection for these threats and then load the engine with ways to block those threats without degrading performance and of course while doing it for all applications. And What I want to do right now is to give you one example of how we did that, okay?
I want to show you how we solved the problem recently with wildfire of APTs and we did it in a way that shows that our platform can solve problems without degrading in performance and doing it in a market leading way, okay. So we'll use APTs as an example. And before I describe how we top APTs, I'll describe to you how APTs actually work and how you're being attacked. And the way you're being attacked or the way our customers are being attacked, way the world is being attacked is relatively simple, okay. The goal of the attacker, the first step in the attack, the goal of the attacker is to get an end user in the target's victim to open a document.
It can be an executable, a PDF document, an Office document, Open a document, let's say PDF in this example, okay. So my goal, if I'm the attacker, is to get one of your employees to open a document. And what you do for that is spear phishing. It's actually easier than this. You don't have to take a stick and try to hit a fish with that.
It's much easier. What you do is, 1st step would be, for example, to go to LinkedIn and figure out who are your employees, get a list of employees of the target. And then the second step is use social media and other tools to figure out not just who their employees are, but who their friends are, what interests them and then craft a special message for them that appears to be coming from one of their friends, can come in via Facebook, it can come in via instant messenger, it can come in via email, via any other application and talk about something that interests your employee. So from your perspective, one of your employees or some of your employees will be receiving a message from one of their friends talking about something that interests them. It's a PDF, I mean, everybody here knows not to open executable, but PDFs, you cannot do your work without opening PDFs.
They're going to click on it and open And that's going to lead us to the 2nd step of the attack, in which the PDF document is going to exploit an unknown vulnerability in something like Adobe Acrobat Reader And then a small piece of code that we call an exploit or a dropper is going to run on the machine, it can't do much. All it can do is execute the next step of the attack, is go out to the Internet and download the backdoor program, install it on the local machine. The next step is for the backdoor program to establish a back channel or command and control channel back to the bad guy and now that the bad guy and the backdoor program sitting on your network behind the firewall are in full communication, the bad guy can do whatever they want on the network. This is the way APTs work, okay? So, how do you detect them and how do you stop them?
Do you detect APTs? How do you stop APTs? So the first step is of course getting hold of the malware. If you want to block malware, you need to first find the malware. There are 2 ways of doing it.
There is the traditional way of detecting malware in which AV vendors like Symantec and McAfee and all the others have been using for the last 20 years, which is using things like honeypots or using your consumer base to find something that is spreading quickly to the Internet and we do that too. We are part of that network and we collect between 5,000,001 100,000 samples of malware every day into our office in that way, between 50,000 and 100,000 closer to 100,000 nowadays, okay? The firewall companies like Cisco and Juniper and Checkpoint, they don't do that. They outsource their malware work to a third party. In the case of Cisco, that will be Trend Micro.
Okay. They count on Trend Micro to collect the malware, generate the signatures and send them to their customers. They don't do it themselves. They don't deal with malware. And the same is true again for Juniper and Checkpoint as well.
IPS companies like Forcefire do it. I'll show you later why they need to collect malware. More than malware companies or APT companies like FireEye, they don't do that. They collect malware in a different way. And there is also a set of companies represented here by Damballa.
What they do is they look at outbound traffic, especially at DNS traffic and which servers they're trying to connect to and try to detect the presence of malware on the network like that. They don't do that either. I'll show you later what they do. The second approach for detecting malware is using sandboxes. It's a 20 years approach, 20 years old approach as well, just never been commercially successful until recently.
And the way that works is you take objects coming into the network, work, executables, PDF documents, Office documents and so on. You run them in a controlled environment and you see what they do to the machine that they run on. Example, if you open a PDF document and the next thing that happens is the connections opens out to Russia and downloads an executable, then guess what, it's probably not a good PDF document. It's very easy to see whether an executable or a document are good or bad. And if they're bad, then you have a malware in your hand, Okay.
We do that through our wildfire service. Firewall companies, they don't do it, okay. IPS companies, they don't do that either. APT companies, that's their bread and butter. They do it.
So companies like FireEye do that. And the outbound guys like Damballa, they don't do that. They do other things, which I'll show you later. So now that you've collected the malware, what do you do with it? The question is, what do you do with the malware?
So maybe a step back, We do it, FireEye does it. We do it in a little bit different way than FireEye does it in 2 ways. First, as you know, we do it in the cloud. But more importantly, we do it across all applications. Because the idea of applications is core to our product, When we added our modern malware or APT solution, it immediately applied to all applications.
We don't care if the bad document or the executable Whatever it is, if the APT comes in via e mail, via web browsing, via an encrypted session, via Dropbox or SharePoint or Office 3 65 or instant messenger file transfer or WebEx file transfer, we don't care how it comes in. Once we add the functionality, it immediately applies to all applications, because that's the way we build our platform. We build that platform in such a way that everything we do immediately applies to all applications. If you compare it to FireEye or all the other APT companies, they only work for web and email, not even encrypted because they didn't build a platform that at the core understands applications. This is the power or one of the powers of our platform.
It's the fact that everything we do immediately applies to all applications, okay, such that our customers can safely enable the use of these applications. If you buy our APT subscription, it immediately applies to any application that you want your users to use. Now, once you have the malware in your hand, what do you do with it? The first thing you do with it, of course, is you generate anti malware signatures, such that if the malware tries to get back again on the network via any application, You can stop it. We do that.
The firewall companies, they don't do it. All their malware work is outsourced to either aspersky or Trend Micro or others depending on who the firewall vendor is. They don't generate malware signatures. They don't even know what malware is. They don't have malware in their hands.
The IPS companies, even though they have the malware, they don't do that. And the reason they don't do it is because IPSs are not in the business of blocking malware. Why? Because it was a different mall that has to be whacked at a different period of time. They don't deal with malware.
They only deal with exploits and with other things related to malware, I'll show you in a second, but they don't deal with trying to stop the malware from getting in. The APT guys, they don't do it. Okay. I'll talk about a little bit more in a second. And of course, Those that look at outbound traffic, they're not in the business of trying to stop the malware from getting in.
So they don't generate anti malware signatures either. Now going back to the APT guys, they don't really block malware. And there are two reasons why they don't block malware. The first reason is because they don't really have anti malware technology. They have URL filtering technology and what they can do is they can block the place in the Internet from where the malware works, okay.
And it's not the best approach. We believe that hackers tend to put their malware in more than one place on the Internet. They keep changing it. But more importantly and more strategically, The APT guys like any other firewall helper is not in a position to stop malware because they are not everywhere in the network. If you want to stop malware in your data center, you need a 10 or 20 or even faster gigabit per second firewall to sit in or device to sit in the data center and block malware.
They don't have it. If you want to block malware in a small branch office, you need a small Branch office device that costs and operates like a branch office device. The only device that can do that is the file. The only device that can run-in a small branch office and runs at multi tens of gigabits per second in a data center and of course anywhere in between is the firewall. The firewall helper guys like the APT guys aren't in a position to do that.
They are not deployed in the network in a position to be able to block malware. The next thing you need to go with the malware is generate command and control signatures, such that if the malware is already on the network and it's trying to communicate back with the bad guy over command and control or a back channel, you stop that. That's traditionally been the role of the IPS. We do When we run the malware in our sandboxes, we record the traffic that it's generating and then we generate a signature for that such that if it's already on the network, we block it. The firewall companies don't do that.
Even though Cisco and Juniper and Checkpoint all have IPSs, not very market leading, but IPSs, they don't do that. Why? Because they don't have the malware. They outsource all their malware work to other companies. They don't have the malware, so they cannot the malware, look at what the malware is doing and then program their IPSs to block the malware.
They just don't do it. The IPS companies do it. That's Their bread and butter, of course. APT companies don't do that. Why?
Because they're not the IPS. If FireEye or someone like FireEye wants to do that, they will need to become the IPS. They will have to go and replace not just the firewall, but also the IPS to be in a position to do that. But they aren't doing it, because they're not in IPS. They're not in a position to do They can detect the malware, not block the malware from communicating with the bad guys.
And then we have the outbound guy that take a different approach to detecting the malware already being on the network. And the reason they do that is because it turns out that it's much more efficient and much more effective to try to detect the malware already being on the network rather than trying to detect it coming in. I'm not saying you should not try to detect it coming in. I'm just saying that it's much harder and it's easier to miss the malware on the way in than it is to miss it on the way Okay. And we see more and more value in doing both and more and more value in detecting the malware trying to get out, not just with the IPS, But using other tricks, tricks exercised by company like Zambala, which I'm not going to get into, but in general, they have to do with the fact that the malware has to do a lot of DNS, domain resolution tricks In order to figure out where the bad guys, because the bad guys have to keep moving around, they cannot stay in the same place all the time and the malware has to track them.
And detecting those tricks that the malware is using is a very efficient way of detecting the malware's presence on the network and even stopping it from being able to communicate with the outside. We do it. You can see no one else besides the companies that dedicate themselves to that because that's another mall that had to be whacked do that. And then the last thing that you want to do is to create URL filtering filters to block well known malware sites. Okay.
You can see we do it, some of the APT guys do it, the others don't do that because they don't have the malware. So they don't know where the malware came from. If you put everything into a big picture, into a big matrix, you'll see that different companies focus on different things. You see that there is a group of companies, the IPS companies focused on detecting the back channel, focusing on detecting the malware already on the network trying to communicate with the bad guy. There are a set of companies like Zambala that focus on detecting the malware on the network and then maybe trying to block the sites that they came from.
There are companies like the FIO companies that really don't do anything when it comes to security, just money, and There is Palo Alto Networks, okay. And the reason we can do it is because of the things I've said in before. It's because what we do, we do for all applications and because we have a platform that is flexible enough that allows us to do that, okay. Now, can our competitors do it? Maybe, if they all come together, This is how it's going to look, right.
You're going to have an APT vendor like FireEye finding the APTs. They're not in a position to stop it. So they'll have to send it to a firewall vendor, in this case, let's say, Checkpoint. They'll have to send it to Checkpoint. Now Checkpoint is not a malware company.
So they'll have to take the malware and send it to Kaspersky. In parallel, they'll have to run the malware, see the traffic that it's generating to program their IPS. Kaspersky will be generating an anti malware signature and sending it to the checkpoint to the blade, to the AV blade. In parallel, Zambala will need to receive the malware and see what kind of DNS traffic it's generating and send something to the firewall and or you can just do this. Okay.
You can have one device responsible for all the network aspect and the cloud that's responsible for the detection. This is what we're selling today. We call it wildfire. And we believe that it's much more scalable than the approach that our competitors are taking. We do it by the way, in order for wildfire, we also do it for pan DB for URL filtering.
This is the way we approach UIL filtering. This is our approach to wildfire and this is going to be our future approach for any other threat that's going to come up. And yes, with the next threat, you're going to see a few mushrooms popping up trying to solve that threat. But as we've said several times, they're not in position to do it. They cannot see all the applications and they're not everywhere on the network, they're not in a position to block And we are.
And we are we have an extensible platform, a platform that allows us like in the case of APT, just an example of APT, but like in the case of APT, We can add more and more functionality for detecting bad things on the network, again, mostly in the cloud, and then preventing them on our device. And when you do that when we do that, we usually do it as part of our subscription services.
Good morning. My name is Lee Klarich, Head of Product Management at Palo Alto Networks. And Today, I have the pleasure of being here and being able to talk about product. That's what I do. And Today, in particular, I'd like to focus on our unique approach to the network security market.
And so To lead this off, I'm going to show you for the second and not even the last time this chart, but
I can use it to in
a whole different way. Really, it's just a setup for what is the network security market composed of and What are the traditional approaches to that and how does that differ from our approach? And so when you look at this, You see, from a network security perspective, firewalls, web gateways, IPSs, VPNs. And the traditional approach to these, and Mark has covered this and Nir has covered this to some extent as well, have a couple of really sort of serious fundamental flaws. First, all of these were invented in sort of a pre-two thousand application user landscape.
And I'll go into this in a little more detail. But basically, what this means and you think about it, firewalls were invented when there was basically web and email. The same is really true with web gateways. It was when web browsing was just people going to cnn.com and things like that. The IPSs were invented when the way hackers worked was they tried to attack the server and so IPSs were formed when that was the threat landscape.
And VPN was formed when you just needed to find a way to connect a user to their webmail. And so that was the environment when these technologies were invented. 2nd, the approach that the traditional vendors take to all of this is they look at this as opportunities to have different products doing different things. The firewall is the firewall. The web gateway is a different product, it does something else.
The IPS is yet another product, it does something else. The VPN, yet another product that does something else. This siloed approach that treats each of these as like a completely separate thing simply doesn't work. And so what do we do? We fundamentally look at this differently.
1st and foremost, we start with a whole different understanding of what the application and user environment looks like. Applications have changed radically from pre-two thousand till today. Not just the number of applications, as Mark talked about, but the technologies they use and how they work has phenomenally changed. It's amazing. 2nd, we look at this as a single network security market and problem to solve.
We don't look at it as 4 distinct different things. And this allows us to solve much more complex problems than you can do if you approach these in a siloed way. So, let me now sort of describe this in a more graphical way to really show how this is different. So, This is the pre-two thousand landscape. This is what things looked like when the world was simple.
Users worked in the office, Mostly, they had desktops. They didn't even have laptops pre-two thousand for the most part. Certainly, there wasn't anything called mobile at the time. The applications they used were basically web and e mail and when it wasn't web and e mail, it was an application that IT deployed in the data center. It was the application is simple and the attackers were just kids basically having fun.
Often when I talk about this with network security people, I tell the joke, I guess, it's sort of geek humor, but I'll say, we long for the day of the I love you virus. You knew when you had it and you knew when you didn't. So I don't know if I know if you remember the other, it was like 1999, It hit. Everyone was scared because it brought down e mail for a day. And then next day, everybody had it cleaned up and things were back to normal, right?
I mean, That was the threat landscape in 1999. Like that was the thing you worried about. And compared to today, that was great. At the time, it felt bad, but in hindsight, that was great. And so this was the simple world, drew a little box around it, contained it, Users are no longer contained to the physical network.
Users are everywhere, with laptops and mobile, everything. Those users are using whatever application they feel like for the most part. When they're off the network, they use anything for sure. When they're on the network, they also use anything they want because application vendors have realized how to encrypt applications, how to hide them, how to port hop, how to tunnel inside of other apps. So users can use applications on the network, off the network, whatever they feel like doing.
And then for the applications that IT deploys, they might not even be deployed on the network anyway. As data centers get virtualized into private clouds, private clouds morphing into public clouds and hybrid clouds and community clouds, Even the IT deployed applications might be anywhere. And to make all of this worse, the hacker understands If you're thinking about trying to access data, applications, things on someone else's network, They understand this landscape. They understand the applications that users use. They understand how to get to those users.
They understand how applications encrypt and tunnel and port hop and find their way in and out of networks and so if you're a malware writer, you simply leverage that. You don't even have to write it yourself, you leverage what everybody else already figured out. And you see this play out publicly. Servers are By sophisticated hackers, servers are not attacked directly. They're attacked by first finding users, attacking the user, which is much simpler, and then using the user to access the ultimate data on the server that you're trying to get to.
And so the whole attack vector has changed. So how do we approach this if the traditional mechanisms don't work? You have to start by fixing the core problem on the network. We do this with an ex gen firewall. We do it in the firewall for all the reasons that Nir talked about and Mark talked about of needing to be in the right place with the right technology, app ID, user ID, continuity, The management capabilities, everything that we do starts by you first protect the physical network of the enterprise.
As users though have moved off of that physical network, We then had to extend this technology to be able to handle users no matter where they are. Physically on the network is easy because they have to go through your security infrastructure to get to whatever they want to get to. But when they're off the network, what we do is with a product called GlobalProtect, we'd actually logically keep the users on the network so that we can apply the same security capabilities for those users no matter where they are. This by the way would traditionally be viewed as VPN, But for us, it's way beyond that traditional just give them encrypted access to email. It's all about how to keep the user on the network all the time, connect to closest gateway.
3rd, we then have to extend this technology into the data center as these data centers are evolving toward private cloud, public cloud, leveraging virtualization, eventually SDN like concepts. We do that through, 1st and foremost, flexible platforms. VM Series launched recently. It's a software factor of our next gen firewalls that is designed specifically for deployment into cloud environments, extending that through context awareness of the virtual environment, understanding VMs as they move around, get spun up, turn down, move even to other data centers, keeping that context from a security perspective no matter where the virtual machines are tying into the automated workflows And you'll see as we talk about some of the trends on the cloud perspective later why that is so important. And then partnering with key vendors, and Chad will talk about this later, VMware, Citrix and others that are really helping to define these software defined data center environments.
And then lastly, from a threat perspective, there's a lot of things we've done from an IPS perspective, anti malware perspective, and most recently, Wildfire, detecting the unknown threat. And doing this in a very sophisticated way, leveraging the existing technologies, existing single pass architecture, but then also leveraging cloud for compute and scale and timeliness of updates, recently with the subscription service for Wildfire where we can actually take new malware that we find from anywhere in the world and turn it into signatures that are then available to all of our customers in 30 minutes. Power of the cloud, right, plus the power of a next gen firewall being in line in the network. And Soon, we'll even be able to extend the cloud based capabilities into local scanning capabilities to provide even more flexibility in the solution and giving customers choice as to where files are scanned, their network versus our cloud infrastructure, etcetera. So that's how we look at this, as a network security problem, not just for technologies, not just for products.
So when you combine all that together, you get to the product So this is how we take the technology and the things that we do productize and offer to customers. And it all starts with platform, of course, wide range from small branch office boxes all the way up to big devices designed to sit in high speed data center environments and core enterprise networks, most recently augmented with the PA 3000 series, new mid range platform and the VM Series, as I mentioned before, designed for private cloud, public cloud kind of environments. And you'll see from us that this will continue to evolve. This never sits still. We'll have bigger boxes, we'll have smaller boxes.
So we'll be able to continue to take the technology that we have and extend it further and further.
One of
the things that is so great about this product ability to then augment these platforms with subscription services. Threat prevention, UO Filtering being the first service We offered back when the product first launched 5.5, 6 years ago, more recently with GlobalProtect and wildfire coming into play. And being able to do that, add those new services without fundamentally changing the hardware platforms they run on, but rather just through software updates being able to enable whole new capabilities on those existing platforms. The flexibility of being able to adapt to new market requirements through the simple addition of a new subscription service is wonderful. I'm speaking from a product perspective.
Stefan will talk about it from a financial perspective. The ability to do that is obviously wonderful as well. But that is the power of the platform, the single pass architecture that we've come up with. And then the use cases, of course, firewall, web gateway, IPS, VPN, and then managed all of that through a single management platform, Panorama, most recently, the M100 hardware platform for management, scalability but flexibility, integrated management, log viewing, reporting and all of that packaged up in a single platform. And then, of course, PAN OS being the underlying operating system that really drives all of this.
And so that's what the product line looks like. Single line of hardware, services on top of that and then wrapped with a single management platform. 2 things that are very clearly top of mind for many of you, and so I'll go into just a little more detail on. The first would be APTs, and we've talked about wildfire, Nir has talked about it, I've talked about There's just a couple of more points that I think are really important relative to APT's wildfire in particular. Number 1, we talk about this all the time, but it's really, really important, prevention matters.
If you just detect, then you'll see malware and then you'll see it again and again and again and again and again. And companies, when that happens, they have people running all over the place trying to re image machines to clean them up after they got infected. This is a chart of data that shows even if you wait 24 hours before you have a signature to prevent it, 50 samples will turn into over 8,000 instances of potential malware infection on the network versus if you can prevent that within the first hour, you can reduce that by almost 10x. Prevention is a huge time saver, data saver, threat saver, if you can compress the time from first detection to prevention, okay? And We can back this up by simply saying we have over 1300 customers today using Wildfire.
This is a phenomenal number given that Wildfire just launched about 15 months ago. On a typical month, we now see over 500,000 unique files that we scan. Of those, We find over 26,000 new pieces of malware a month and of that, 13,000 are net new, meaning we are the 1st company to find that malware. And I'll show it here in the chart, but what we found even is That 13,000 pieces of malware, even 7 days after we find it, roughly 40% is still unique to us, meaning we're still the only vendor that knows that that malware exists. So we're not just the first to find it, but many just never catch up.
500 pieces of malware a day default in that category. The second big topic that comes up all the time is virtualization SDN. What does it mean? Is it good? Is it bad?
From a virtualization perspective, What we have today, what you see on your left, virtualization, Flexible form factor, the VM series and the hardware platforms, both are relevant in virtualized data centers context for dynamic VMs and dynamic motion within these data centers and tie in to automation through APIs and things like that. That is the solution today for private cloud, public cloud environments. As virtualization toward SDN, software defined networking or software defined data centers. Those same principles we have today extends perfectly into an SDN world. Flexible FormFactor extends into a world where of SDN where software trumps everything else.
Dynamic objects that we have for tracking dynamic motion of VMs morphs toward all decisions being made on context. Nothing is static anymore. And automated workflow integration morphs into integrating into the orchestration and that is probably the most important point because in a software defined network, everything is orchestrated, the network, Security, everything. And so all the things that we have now blend perfectly as virtualization moves toward SDN, Okay. Now I'd like to finish by answering a few questions proactively, things that we hear all the time because quite frankly, it's a big market.
There's lots of vendors and there's lots of things that get said that aren't necessarily substantiated. And so there's 3 in particular I want to touch on today. The first is management doesn't scale. They don't mean the management team. They mean the management platform of our product.
You hear us all the time. The reality is not true. Our management platform scales to 1,000 plus devices. We have Software form factor of Panorama, very flexible. More recently, that extended to the M100, which is a hardware based form factor of our management platform, And that can extend into a distributed model where central management is separated from distributed log collectors, geographically dispersed 1,000 devices.
We can scale a number of devices, we can scale in the amount of data to collect and report on, all in an integrated way where all of the things that we do are under a single policy. 2nd, hear it all the time, Switching is hard. Honestly, switching can be hard, which is why over the last several years, We've put a lot of effort into trying to make this as easy as possible. Some of this is training, some of this is education, some of this is professional services, One of the things in particular we're proud of is we've built a very sophisticated policy migration tool that allows us to migrate existing configs to our configuration form. And not only do we migrate the config, but we can also fix problems with the configuration.
We do config migrations where we'll decrease the number of rules 10x, 100x in some cases. We duplicate objects, we fix things that are broken in their current configs as we do the migration. So, we make this as easy as we can. And the last thing, continue to hear, performance drops as you add additional capabilities. Nir talked about this, Mark talked about this.
It's simply not true. Let's take a platform that we have that can do 10 gigs of app ID, firewalling, threat prevention. If you enable QoS, it still does 10 gigs. If you enable URL filtering, it still does 10 gigs. And if you enable Wildfire the most recent service, it still does 10 gigs.
We have proven this out again and again. The platform scale, the single pass architecture works. So, what I'd like to leave you with is fundamentally designed from the ground up products, with today's application and user environment in mind, seamlessly integrating the technologies and functionality that we have to solve today's complex challenges in an integrated way. Single path architecture, scaling and flexible enough to incorporate new technologies as they're needed to adapt to the changing threat landscape and ongoing product execution that will continue to evolve both the next gen firewall core capabilities as well as adapting to the new landscapes of mobility, SDN and other types of things like that. Okay?
And now we're going to show you a little bit of this.
Good morning. I'm Rene. I am responsible for marketing in Palo Alto Networks. And we thought that well, Nir and I thought that it would be very insightful for you to See how our product actually functions in the field, see how it compares to other products. And to do that, we thought it was a good idea to do that not through slides, even with all the customer testimonials, but to actually show it side by side.
I know that's not what you see very often in analyst days, but we keep hearing over and over again that certain vendors claim certain things and we wanted to kind of set the record straight on that because we believe that what we build is fairly unique And therefore, why not show the product? To do that, right, we looked at 3 things that You may have been told, right, when you speak with vendors in this industry, they may tell you, oh, well, we do what Palo Alto Networks does typically in that order, right, typically referring to us. Now the good thing is that that kind of looks like a benchmark. The bad thing is we want to actually take them to task on that. Do they actually do what Palo Alto Networks does?
The second claim that is made and that you will often hear in the market is, oh, we have better performance than Palo Alto Networks. Our boxes are faster and so forth. And again, we want to Make sure that you understand what is being said there and how that compares. And then thirdly, what you will hear is, oh, by the way, we're much cheaper. Well, typically they'll lose the years cheap, but they say we're more cost effective than Palo Alto Networks.
And it may be in a different order depending on who makes those claims, But at the end
of the day, these are the
three things that we typically hear, right? So let's take that to task in this demo. Now to do that, I actually because why would you believe the marketing guy? It's my job to say these things are not true, but let me actually introduce a few folks who know this much better. Of course, this is Nir.
Nir, 19 years ago, was there when certain technologies were invented by him. Other folks here on my right is Frankie. Frankie joined us from Fortinet. He knows a few things about this industry. Jarisch on the left, right, who joins us from Juniper.
And in the back, right, is Matt. Matt has a long history with also with Check Point. Bring these engineers with me because you should believe engineers, not marketing guys in general, except for me, of course. Now, what we also brought is a couple of friends and these friends are actually involved in our side by side demonstration. We brought some members of the Palo Alto Networks family.
They are in the back humming away in the back there. So if you turn around you can see Nat there. If you want to see these things, because you may have never seen a Palo Alto Networks box or you may have never seen a Checkpoint box or 2, we also brought some Checkpoints. So what you're going to see here is real product. These are no videos.
These are no slides. This is the real product that it works. In fact, what we brought, We brought the PA-three thousand and fifty, the model that we launched in November, which is a 4 gig firewall, 2 gigs firewall with everything on. And to compare and contrast it, we brought a very similar sized box, physically the exact same one unit box, but more importantly a box that when you turn PS on is in the realm of performance of Apollo's voice box.
Now of course it's marketed as
an 11 gig firewall, right, But when you actually turn on the IPS, it does a gig and a half, right, which is very typical for checkpoint gear, right? So here you have 2 boxes. Forget about the price for 2 seconds, forget about all of this, this is very equivalent technology. So With that and they're humming in the back if you want to see them during the break, more than happy to demonstrate them. So, what are we going to show you?
Let's start, Nir, with The most simple thing that you guys 19 years ago tried to do, which is manage web and e mail. Yes. Right. So, Since you all work on Wall Street or are associated with it, I thought the easiest thing to do was to have 2 completely default firewalls, who by definition don't allow anything, right? Because why would you have a firewall if you put it there and everything still goes through, So, a default firewall doesn't allow anything in, right?
And let's only enable web browsing, right? The problem that Check Point said they were going to solve 19 years ago. So, how are we going to
do that, Nir? What kind of things do
we need to do to do that? So, let's switch to the 2 screens. What you're going to see here is Check Point. So, Frankie represents Check Point and let's go to that. And on the left, you see Palo Alto Networks, So this is what are we looking at here
in the Palo Alto Networks side? So this is our policy editor. This is actually our GUI. The GUI connects directly to the PA-three thousand and fifty that's there in the back. And here on the Check Point side, you see Smart Center, which is running off a dedicated management appliance of Check Point that then controls The So Check Point actually is 2 boxes.
There are 2 boxes. Management appliance And the 48 Yes, you could have connected directly to the box to manage it. Yes. But you'll see later why we didn't do that. And so here you see the Palo Alto Policy Editor.
Here you see one of Check Point's dozen Policy Editor. Specifically, this is the application and URL filtering blade policy editor. Okay.
So let's start with Palo Alto Networks then. So let's start What can we expect from this policy? Because this policy allows us to web browse, right?
Corinne, what
we're still looking at here?
So there is only one rule enabled in this policy right now, the other 3 are not. And it allows all the necessities for web browsing, which is DNS, SSL and of course, web browsing. Web browsing. So if with this policy enabled, I should expect
to be able to go to MSN or something. So, Jeris, can you show, right, that we can actually get to the website? So if we go to MSN for CNN.
CNN is also good.
CNN? Okay. There we go. MSN. And then MSN, right?
Can we go to MSN, for example? Because this is expected, right? We enabled web browsing and there we go.
What about Google? So Google is a website? So depending what, Google search is a website. Okay. So can I go to Google?
Yes. Google Search is a website and that's why we can go to it. It's a web browser. So what wouldn't be a Google property that is So for example, we can try to go into mail. Google.com or docs.google.
Mail.com is fine. And you see that it's blocked. Because Gmail is a web based application and is identified as such and since We only enabled web browsing. Of course, Gmail is blocked. So, Mail is a clear app, but what about things like Facebook or Twitter?
We can try them. Facebook is an application. Yes. Facebook is on the website. It's the application.
So it's blocked. Okay. Twitter is an application. Yes. So We can try to go to Twitter here.
Okay. So this is exactly what you would expect? Yes. So That's
what the policy says. That's what the Palo Alto device does.
Okay. Now so Check Point says that they
do what we do. They say. It's easy to say that.
Okay. So can we go Can we switch? Yes, of course. Yes.
So here we have a similar policy. So this is the application blade policy, the up blade policy. And you can see there's one rule enabled and it's the same rule. It allows web browsing, DNS and SSL. We can ask Frankie to also switch to the firewall tab over there and you'll see that we have to do the same thing in the firewall because Check Point has a separate inspection policy and on top of it, there is an application blade policy.
So The firewall policy, the self inspection policy also allows DNS, HTTP, HTTPS and SSL Version 3 And then go back, frankly go back to the application. And as we've seen here, here we allow the web browsing application, not the web browsing port, back there it was the port, we allow the DNS application and we allow the SSL application And the other rules right now are disabled. So it should allow those 3 and block everything else.
So I would say So, this is not exactly how follow-up the network does it, because there's already 2 policies instead of 1. Correct.
You already see that it's a little bit different.
It's a little bit different. But let's give them the benefit of the doubt. Yes. So, they have more policies, which
is not the same, but does it work? We can try it. Okay. So, Frank, can you Does the
3 d security actually work? If you have a 3 d printer.
Well, we
can go to CNN, right. So CNN CNN works. Yes.
Okay. MSN. Can we go to MSN? Yes. Google.
Google. Yes. Gmail. Gmail. Hold on.
So what is just happening here?
So why can this this is not what Palo Alto Networks does? No. So I guess it's because we didn't have a rule to block the applications. You expect the firewall to block things by default? Correct.
Apparently, the Check Point Application blade doesn't block things by default. So even though it has Lots and lots of applications in the application database. It doesn't know that Gmail generally is different than web browsing. So, what about Facebook and Twitter? Because you can try I always talk about Facebook being the easy application.
So, can we go to Facebook? Yes, Frank, you need new friends there.
Yes, your friends are freaky and Twitter. Twitter.
Yes, of course it works.
So, this is not
what Polytechnic does, is it now? No. No.
So, more policies, by default, they actually do not control these applications whatsoever, even though they claim that they can control. Correct. But I heard a rumor that there is a policy in Check Point that can block all known applications. Correct.
They are saying that they can do that and but We can actually ask Frank to go back to the policy. So he can see here at the bottom, there is a rule that says source any destination any, Any recognized, I think that's what you're referring to. Yes, any recognized application. En bloc. Yes.
So what we're going to ask Johnny now 2 seconds, 2 seconds, 2 seconds. So this would imply that we had to set yet another policy to block any known application. Yes. You expect firewalls to block things that are not explicitly permitted by default? Right.
They don't? No. Fine. Okay. So it will be different than Palo Alto Networks.
Let's add a rule to actually block all the things that are not web browsers. So this is a lot
of management overhead now. So this superior management platform that they say they have, right, actually I'm already 3 policies in. Yes.
Right. Again, saying things is easy? Yes. Okay. Actually doing them is not that easy.
So can we implement this rule?
Yes. I want to see if it actually works. So what we're going to
do right now, just wait for a second. So Johnny just pushed the push policy button, which is now going to take the policy, compile it to some internal format and push it from the management platform to the actual checkpoint firewall. So we're going to hit okay. And with the superior management system, we only have to wait about a minute and a half To make this little change? 1,500,000 What are we going to do in 1,500,000?
Can I make you some coffee?
That will be great. Can you So how would you like your espresso and your Let's see how many shots
you can get while Checkpoint pushes the policy. I heard they're coming out with an espresso blade, you'll see in a second why. Do you want a single or a double? Let's see how many you can get. Okay.
Let's do a double for it. And luckily, we brought this is why we brought a separate management appliance, Because if it was on the device itself, it would have taken 10 minutes, not a minute and a half. You can see it's working, it's verifying. It's working.
It's working.
It's working. It's working. It's working. It's verifying. We made a little change, A lot of verification.
By the way, if we asked Jairus to do it, I'm not going to ask him to do that, it would have taken about 10, 15 seconds to do the same thing on the Palo Alto device, Managing the device directly, not through a Panorama appliance, not through the M100, which is faster. Still verifying. Yes. Good. How many have you made so far?
This is your double. Thank you. Yes. I'm going to make myself a single. I am a single guy.
Let me do a single here. So, I mean, in reality, what happens here right now when I was at Checkpoint, it wasn't that What happened is that as it's not me. So I think what's happening here right now is that because Check Point has so many different blades and each blade is developed by a different group inside Check Point. Sometimes it's developed by a different vendor, right? The OEM is from different vendors.
Each of them now has to go and compile sequentially and be pushed to the device, because there are so many different policies, so many different engines, so many different functionality That is completely separated. We're done. So, 3 shots, 4 shots? I made 3 shots and I actually drank mine.
Okay. Wonderful. Now let's try to think, does it work? Because we've waited for 1.5 minute to push 3 policies. So, Frankie, can you go back to Go
to CNN.com.
Go to CNN. Okay. That still works. So nothing broke, right? But what about
back to Facebook? Go back to Facebook.
Okay. So it didn't work. It still works. It didn't work. Yes.
So what is going on here? Because Now we've given them everything that
they asked for, right? Almost, almost, yes. So if you go back to the policy, So the issue is that this is not a real firewall. This is really a URL filter. As you can see, they integrated both together and this is not the way URL filters work.
So in reality Checkpoint can block Facebook, but to block Facebook what you'd have to do is to go and add the rule above the rule that allows web browsing and say block Facebook. You cannot do it by saying block anything other than web browsing. You actually have to go and specify All the applications that you want to block and Check Point supports about 100,000 applications. Yes. So you need to go and add about 100,000 rules.
Okay. You can make a lot of espresso while you do that. And then push it. And even worse than that, when they recognize a new application and come out with it, You have to remember to wake up early in the morning and add more rules
to do that. Okay. So Checkpoint doesn't quite do what follow-up networks does.
They certainly can't even block applications.
So, the management overhead here is tremendous,
right, because the operational implications of You have to set many, many, many, many rules. Look, it's not even complicated. It's just it's impossible. It's impossible. You can't expect customers to go and set 100,000 rules to block
So let's go to the next scenario. So we can put the slides back up just to quickly show. So we've shown you the scenario. Now, that wasn't even safely enabling these applications. That was just to make them work.
That's not my slides. May I have my slides back? Okay. Yes. So, the scenario that we want to enable here is a more complicated We have 3 groups in the company, a group, a marketing group that wants to do Photoshop files over SharePoint, a group of bankers, I.
E. People like you who want to do PDF over box and then a group of IT folks that want to exchange zip files over FTP. And these are now very specific policies that allow these users to safely enable those applications.
And Randy, this is a real world scenario. This is a real world scenario. For example, you asked yourself, okay, why allow the IT department to send zips over FTP and not Box. Yes. That's because Box stores all the files at Box and maybe you don't want to enable Zip inside Box.
Like if it could be stored
or source code in there or something like that. Yes.
So you want Zip to be able to be Change via an application like FTP that doesn't store things online. And you want PDFs to be shared over box, which stores things online. And It's a valid scenario. It's a scenario that we see all the time and it's one of the reasons why customers buy our product. Okay.
So let's go back to the demo and see How the 2 products enable this? Very small there. Okay. Well, we'll do with what we have. We can
live with that.
Yes, we can live with this. So we're now where are we now? Can you just cancel for a
second, Josh? So we're back to the Palo Alto policy. There's one policy as you can see. We just enabled 3 rules. The first rule there allows marketing to use SharePoint.
The second rule says allow bankers to use BoxNet. And the third one says allow IT to use FTP. That's still not enough. We have to go in now and enable the specific file types that we wanted to use. So I'm going to ask Cherish to click there and add to file blocking something that will block That will allow only Photoshop PSD files.
This is of course a predefined policy that we predefined. It doesn't come with the You can as a customer, you can go and create these kind of little policies and attach them to the rule. We're going to ask also to add here allow PDF and then on the last one, we're going to add Zip. So that will really achieve what you showed on your slide. Now we have 3 different groups inside the company that are allowed to use 3 different applications.
Each can use a different application to transfer one kind of a file. Perfect. This is how you achieve it. The next step is to push the policy. We're not going to do it right now and it
So, with that in mind, so a single policy for these combinations of users, applications and
Right. That's what you would expect. Yes. So let's see if Check Point does what Palo Alto Networks does. But let's go here and explain to me what we're doing here.
So what Johnny did here is enabled 3 new policies that allow specific groups to use specific applications. That was done in the application blade, in the application urothelial in the app blade. As you've seen before, we didn't even have to do that. These applications were enabled already, even though we have to block them, but Let's give them the benefit of the doubt. So we enabled those 3 applications.
Now the next step is to go and control file Hold on. So in a single policy in the AppLaid, you
can actually not specify the content type at all?
No, because the AppLaid is only about enabling or disabling applications and here we enabled those 3 applications with specific users, but the Up Blade is not the element in Check Point's product that controls file transfers. So this is a wholesale allow or a wholesale block of the application. Correct. Okay. But that's not quite what Palo Alto Networks does, is it now?
No, it's not. Okay. So where would you do the file type? So file type is available in the DLP blade, Data leak, Data Loss Prevention blade. So John is going to go there now.
And here you can see that you can define something like Graphic Design File, Source Marketing Group, detects or just detect don't prevent. So this rule will allow the marketing group to transfer graphic files, but it will happen across all applications. So you cannot specify the application? No, you cannot. And this goes back to the architectural difference between Palo Alto Networks and our competitors, where at Palo Alto Networks, the fact that we identified the application at the core of the product makes it available for the rest of the product.
With Check Point and with others, the core of the product is set for inspection. It doesn't identify the application. There is a blade identifying the application. There is a blade identifying the file type, but they don't talk
to each other. That's amazing.
The right architecture is to push the concept of applications to the core of the product and then maybe all the blades will be able to do that, but that requires you to completely rewrite the core of the product, which is completely new hardware, completely new software. It's much easier to say that you do what Palo Alto Networks does and
Now there's one more scenario that I want to go through. So if we can go back to the slide once more and show because there's one more element, because the safe enablement also has to do with the level of tolerance that you give to certain users or certain groups using those applications.
Maybe just to summarize what we saw here, Rene. What we saw here is that with Check Point, you can block PDFs or allow PDFs, but you do it for everyone across all Yes. Or you do it, it's not for everyone, but of course all applications. So if you allow PDFs via Box, also allow PDF via email and you also allow PDF via other applications, which you might think are dangerous for PDFs. Yes.
Or more specifically, if you allow zip via FTP, you also allow zip via Dropbox, which means that now zip files are going to be stored in the cloud against your policy. And to fix that, Checkpoint would have to go and completely rewrite the core of the product, which really means rewrite their So
that they can set a policy that specifies both user application and content.
That's what the application will the concept of application will be available to Blade other than the
application Okay. So one more scenario, if you can go back to the slides very quickly, because there is a way to look at the tolerance that we have. So, what if I want to give be more strict with the bankers as we should be in policy and a little bit more loose with the IT guys. In other words, the IT guys can do a few more things because they know what they're doing. They and the bankers I may not necessarily know what they're doing and it's
not just about knowing what they're doing. I mean, that's one thing, but it's also about risk management. There is always a balance between security and connectivity. The more things you try to block, the more you're going to I mean sometimes you'll and with the bankers if you block more, you will and sometimes you'll be blocking good things. Okay.
And it could be that the security requirements of the banking environment is much higher than the security requirement of the IT department that you are willing to risk blocking some good things, so that you can block more of the batting, whereas with IT, you don't want to take that risk. Okay. Or you don't have to take that risk.
Fair enough. I understand. Can we go
back
to the demonstration, because I want to see how this works. So let's look at this in Palo Alto Networks first.
So we're back in the policy. The same Policy. What we're going to ask Jerry's right now is to go into one of the rules and add a vulnerability protection profile called Strict, yes, this is for the bankers. So we just added a strict. What strict is, is something that you can define.
I mean, we're not going to show you the definition here, but you can go in as a customer and define what does it mean strict. You can define which attacks you want to what kind of attacks you want to block, what kind of attacks you want to just know about, what kind of attacks you want to ignore. You define what strict is. And then we're going to ask Jerry to do the same thing for the bankers rule and we're going to choose a profile called loose. And again, the customer gets to define what loose is.
It's not predefined. Okay. So we didn't change tabs or screens or blades or anything. It's just
in the core of the firewall. Correct.
Okay. So where would I do this in Check Point? So first in
Check Point, you'll have to go into multiple blades because Check Point doesn't have a threat prevention blade. They have an IPS blade. So we're going to ask Johnny here to go into the IPS blade. His name is Frankie. Hey, Frankie, sorry.
I Don't know why it's recording this morning. Sorry, Frankie. We're going to ask Frankie to go into the I did a last noise too. Sorry for that, for the IPX blade. And you can see here that you can choose which protection profile you want apply, but you apply to the entire gateway.
But that's not a parallel to the network. It's not user based and it's not application based. So it's everybody Everybody on the firewall. Because everything. Yes.
And it's again, it's the same problem that we discussed before. The fact that the core of the product only knows ports and protocols and IP addresses, it means that information is not available to the individual blades. Understood. So the application blades understand applications. The DLP blades understand files.
The IPS blades understand threat, but doesn't understand application files or users. There are
more blades, right? And there are
more blades because to do threat protection with Checkpoint, you have to go into like 60 different blades, while I'm exaggerating, but you have to go into the anti bot an antivirus blade and do the same thing. And then you have to go into the I think they have and configure the same thing. And in any case, it's going to apply system wide, again, because the core of the product doesn't understand applications and users. The individual blades don't understand application and user. So what would Checkpoint have to do to really do what Palo Alto Networks does?
Sell Palo, I don't know. They're probably so I mean, ReadyStix, what they have to do is to go and rebuild the product. They have to go and rebuild the core of the product. They have to rebuild the hardware because if you move the content of applications to the core of the product, they now you have to run the Application ID engine all the time and their hardware support that. So they have to build new hardware, completely new software and rebuild all the blades.
And the issue with that is that some of these blades are theirs, Some of their blades are OEM. They'll have to go and build a single path engine, which means everything has to come home and be built from scratch in a single path engine. Okay. So if we
can go back to slides, because there's one point you made about the operational efficiency here and which also to me translates into margin or room for error. So if we can get the slides back on. So this is kind of what you told me. There are multiple policies that you have to set and we took 5 here, right, so 5 blades where you need to set policy. And then depending on the blade, You can either look at it from an IP address perspective or a user perspective or protocol or app or content.
Correct. So most blades understand IP and protocol. Some not apps. No, no, IP and protocol. Yes.
Some Some blade only one blade understands application, which is the up blade, but it doesn't understand anything else. Yes, yes. You have the content blade, which the IPS blade, the antivirus blade and so on. Yes, that understands IPs, but they don't understand users and don't understand protocols.
And it's So this is to operationalize this is extremely hard.
It's not hard. It's impossible. It's impossible. You cannot do what Palo Alto Networks does in the sense that The concept of users and applications are not available for you in all the blades. And even if they were, which is I think what you're trying to say, you would still To go and set at least 5 different policies
and make sure they're all synchronized. Which is not a given either.
Which is not and make triple express every time you push a policy. So this is what it looks like for Palo Alto Networks? Yes. So in Palo Alto Networks, you've seen there is one policy, all the information is available in that policy and that policy controls all the aspects the product. So everything that we can do, you can do based on user, based on app, based on content and of course, if you really want to, based on IP and ports and protocols.
But near at least they're
fast, right? Depending what you try to do with them, okay? They fall fast. They're very aerodynamic. So, if I look at this and it's like, wow, they have some pretty fast boxes.
Yes, you can see there how their boxes are. But you can see what happens when you turn on things.
My eyes are not quite that good. So Which
box are we looking at here? So, Checkpoint just announced the 2700 is their latest platform. We can try to zoom into there.
Yes. I feel too many years old. I'm sorry, I cannot even see you there.
Yes. So let's try to zoom more into this. Yes. So this is the latest platform that they announced and this data sheet information. This is not NSS tested information or anything like that.
We know what happens when they are tested with NSS for performance. And you can see there are so many numbers on it. But hold on, why would they have a lab performance and production performance? Because lab performance Look good.
Okay. So that's the 110 gigabit number, right?
Yes. So Checkpoint is selling this as a 110 gigabit firewall. And what I mean by lab performance is that if all your traffic is large UDP packets with a very small set policy is this is what Which is what nobody uses. Nobody uses. Okay.
And this is by the way not tested, I mean this is Check Point Labs. This
is Check Point Labs.
Yes. Or NHS Labs. Not even HS Labs. Not even HS Labs. No, no.
It's too new, it wasn't this. Okay. So 110 gigabits per second.
Okay. And the other thing
I tell you is that in production performance, whatever that means, firewall performance goes down to 25 gigabits per second And IPS performance is 4.1 gigabit per second. 4.1. So that 110 just became 4.1. Correct. So you lost more than 90%.
And that's IPS. That's IPS. What happens when
you turn on all these other blades?
So Check Point doesn't say that here on their data sheet, they don't show the other what any third party chose and even their own configurator on their used to be on the support side will tell you is that if example, you want to turn on the antivirus blade, performance will go down another 90 percent or to put it another way, if you go to their configurator and you ask to configure a 5 gig for example, or Even a 4 gig anti malware device, they don't have a platform for that. They'll tell you our highest end platform doesn't support it.
So this is very common for all Stateful inspection firewall vendors, isn't it? Correct. It's not
a checkpoint. It's all the other Stateful inspection vendors, Fortinet, Juniper, Cisco, they're all like that.
So in fact, if you want to see this, because we don't have the data here, but Jonathan Ho, where are you sitting? Jonathan Ho has a brochure with him from Fortinet He can show you what that 110 gigs becomes in Fortinet and how fast that degrades to next to nothing, right, when you turn these things on. So Jonathan is going My lovely assistant here showing the Fortinet numbers.
What would you buy from Palo Alto Networks to get about 4.1 IPS? So to get 5 gig IPS, you would buy the PA-fifty 50. So this is okay. So I can As you can see there No, I can't. Over there.
Yes.
Over there. Okay. Over there. Okay.
That's a fifty-fifty. Now, 5 gigs, firewall, FID, IPS, what happens when you turn more things on? So when you turn more things on, it stays at gigabit. And remember,
we don't actually turn things on, do we now?
So we don't turn things on. What we do is we sell you a license, right, that unlocks further functionality. That functionality runs all the time. The single engine runs all the time and the license key that you get or that you subscribe to, yes, Verma So the different service will unlock functionality that will allow you to Because I keep on hearing people say when
you turn things on, There's no such thing as turning on because it's already there.
It's already there. You just get a license or you ask for us to show you the information. Right. So when you do 5 0 FID plus IPS plus QoS plus antivirus plus URL plus wildfire plus whatever. Whatever is next, but you will run at Okay.
But NSS verified. I mean, not on this platform and another platform, but NSS verified. On the fifty-twenty, that's absolutely
true. But at least they're cheap, right,
in the way they market their products. So what would that box cost? From us or from them? From them. So this is Check Point online configurator.
Yes. And we configured the 21700 to do IPS and other things as well. I mean, most of that $159,000 Yes. So that's the 1st year So it's
the 1st year cost. And so with Palo Alto Networks,
so $84,000 okay, 1st year cost and you get much more because you get also The other things that are included in the threat prevention subscription that Checkpoint doesn't provide for No,
and again, if you want to run more if you want to enable more So if you want
to enable wildfire 1 hour or 30 minute signatures, you pay another 20% a year off the base price. Detour of the $70,000 or so. If you pay another $14,000 a year and you just enabled APT signatures and performance of does not agree. Another 14,000 a year you'll get URL filtering and performance doesn't agree. Fantastic.
Good. Well, Nir, thank you
so much for the demonstration. Thank you, Frankie. Thank you, Jerish. Thank you, Mattke. So, in conclusion, I think hopefully, we have shown you that in this case, Check Point does not do what Palo Alto Networks does.
Despite the claims, marketing is easy, product is actually hard when you see it live, but it doesn't do what Polynomus The argument that it performs better, you saw the management claim, you saw the efficiency of the management platform, You saw also the comparison between lab results and real life results, it's not the same. And finally, the argument that, oh, it's also more cost effective than Palo Alto Networks doesn't hold. It's not true that like for like, These are same things. They may get there through excessive discounting and try to do that. But remember, that's not why people buy network security.
They buy it 1st and foremost for security. And the security you saw was not at all what Polymer's delivers. So with that, thank you very much. We're going to have a quick break, right? Coffee and snacks are served outside.
But before we do that, hold on, hold on, right? But before we do that, right, I want to have a few questions from the audience. So I'll bring both Nir back up and Lee.
And if you have a question, please stand, wait
for the microphone because otherwise the folks on the webcast cannot hear you. So, Keith
Excellent. Thank you guys and thank you for the time this morning. I was wondering, Nir, if you could talk to us a little bit more about the virtualized offering. You've had some of your competitors Virtualized offering in
the past. Can you talk to
us about what you're doing differently, first of all? And then second of all, how you see sort of industry penetration going? Are we at the time when people are starting to deploy these virtualized solutions into their environments?
You want to go on with the first half?
Yes, I think so first of all, the core difference is that Our virtual firewall is a next gen firewall. So previous attempts to do this have all started by trying to Put stateful inspection into software into the data center, which is probably the most useless thing to do because in the data center, almost all the applications run at just 1 or 2 ports anyway. And so you need to be able to identify the applications. Everything that we talk about applies in the data center. And so the first difference is The VM Series is a next gen firewall.
It doesn't leverage stateful inspection. The second thing is, in These virtualized data centers, things are moving from static to dynamic. So when you had physical servers with an application, you knew what the IP address was, it didn't change, you wanted to play a new one, it takes weeks to get a new server in with a new IP address and so you could have static network security policies. In a virtualized data center, everything's dynamic. And so, one of the capabilities we launched in addition to the VM series was the object capability where we can actually track movement of VMs dynamically through APIs that integrate into the orchestration layer.
And so VM gets spun up, IP address gets mapped dynamically, policy doesn't change. VM moves, gets a new IP address, we track it. VM gets torn down because you don't need the scaling more, We removed the IP address and all of that is dynamic as opposed to static, right?
So just to extend on that, the customer problem that this solves is the fact that in the virtualized data center with our competitors, whenever you say they say that you need more computing power database, right? So you add you flip a button and you add 10 more database servers. With our competitors, you still have to wait Saturday night for a window where you're allowed to make firewall changes. So it took you a second to add 10 more instances of database, but you have to wait a week for all the approvals to change the firewall policy to actually have access to those 10 instances. Whereas with us, Because of our partnership with VMware and because of our ability to integrate into the orchestration system, when you flip the baton in the orchestration system, Whatever that is, we know about it immediately and we immediately allow access to those 10 new database servers.
Or if you shut down 10 database servers, we immediately block access to those 10 database servers and that without having to push a new policy and to get all the approvals that in both that, okay? So that's the customer benefit. Wonderful. Joel, did you have a question? Can you
see Maria next to you? Just a follow-up At the RSA conference, obviously, it was a lot about advanced threat protection. You did a nice job about talking about the offering here. 2 interrelated questions. 1 is, Are you saying that with Wildfire running on the next generation firewall that you are as good, if not better than what FireEye is offering and getting $300,000 for instance that they're offering.
And related to that is, obviously, you had a lot of buzz at the booth around wildfire. And I wanted to see if you had any if there was an take since that time on the subscription services since then?
So on the technology side, So if you compare us to FireEye, here are the things that we do that FireEye doesn't do. And some of them are tactical and some of them are even more important than our architectural. So what we do, we do across all applications. FireEye can only protect non encrypted web and email, meaning if the Threat comes in via SSL or via an application like SharePoint or Dropbox or WebEx or anything else, they don't see it, which is a big issue. That means that their customers have to shut down all applications and only use the Internet for non encrypted web, no more amazon.com for you and no more online shopping or online help for you and email.
So that's the first difference. The second difference in us and FireEye is more architectural and that's the it's on the prevention side. That's the fact that FireEye can't really prevent the threat from coming in. They can detect them, They can tell you about it, but to prevent the threat from coming in or detecting the majority of the network trying to get out, you have to be Everywhere on the network as I explained in my presentation, okay. You have to be in the small branch office running at a few megabits per second.
You have to be in the data center running at tens of gigabits per second. You have to be in between the Ethernet edge, at the core of the network and so on and they are just not there. And more than that, you need to beat the IPS for that, you need to beat the anti malware for that anti malware device, you need to beat the application device for that and they aren't, okay. So I think that architecturally, if they don't become the next generation firewall of choice, they for the customer long term, I just don't see them being deployed in network and they're going to go the same way that the IPS vendors went and proxy vendors went and the content filtering vendors went. Again, there is a problem to be solved right now.
It's being solved, but long term architecturally, this belongs in the firewall. Okay. There's another question. There was also a question about
so we'll answer the sizing and customer acceleration questions in the next QA, Joel, just so you know, because these are not the guys qualified to talk about that, as you know. Okay. There's a question in the middle there. Just wait for the mic, You stole the mic.
Good morning. It's Aaron Schwartz from Jefferies. You guys talked quite a bit about the advantages not bolting on different technologies and really natively integrating, I guess, a lot of different functionality. Can you talk about how you think about an acquisition strategy longer term? And maybe if you do go down that road, how you would integrate differently than other companies?
I can yes, so I think from a technology perspective, not from an M and A perspective.
No, of course. From a technology perspective, as I said, we believe that the firewall is the place to enforce things and the single path engine is the one that's going to actually execute the enforcement. And if and when we acquire a technology company, it's probably going to be someone that can detect more things than that we cannot detect today. And the way you integrate something like that is the actual detection happens in the cloud. So you place their technology in the cloud and actual enforcement happens in the single pass engine.
The integration will be puts their software in the cloud, detect more bad things going through the network, generate signatures based on that and push them to the single pass engine. Okay. That's how we scale and that's how we integrate different technologies. And frankly, I mean, this is the way we integrated Wildfire and other things into our product, okay. I mean, Wildfire was not an acquisition.
We developed it in house, but that's the way it worked. We had a group of engineers developing the cloud based technology and then creating signatures and them to the already existing firewall, which is single path engine.
Alan Weinfeld, RiverFront I kind of had a 2 for 1. You claim that Sourcefire couldn't stop malware. They actually spent about 40 times earnings on a special acquisition that was supposed to have a honeypot that would be their management talked about All the other malware players that this would be freeware I guess in 2012 And it would catch fire in 2013. Fires are simple also. And I would just like your opinion on if you know about that solution and what's the difference between yours and theirs?
And then the other thing is at the RSA conference, you actually were giving out a Review from NSS Labs, talking about the 2013 Network Firewall Security Value Map and Actually Fortinet, FortiGate 800s is the Appliance that is the highest Enterprise Management Security Effectiveness and TCO per protected MBMS. And I'm surprised you haven't mentioned them and just talked about Checkpoint, which I think We all realize Check Point has a very low valuation for a reason and you guys have a very high valuation for The reason you show it on the other side.
So I'll take that last question first. You didn't get it from us. I can guarantee it. But no, you did not. You got that from Fortinet or from Checkpoint because I don't give out NSS materials.
Very importantly, what you see there is classic stateful inspection throughput. This is not throughput with lots and lots of things actually enabled to do the inspection. And I will always tell you, if you want a very, very fast, very cheap Traditional firewall, Fortinet is probably the best firewall to get there from the cost perspective. It has ASICs. It does all that that's optimized for that.
That's not
what we do, right? We tend to
think of performance with All of these things actively inspecting all the traffic for all the applications for all the users. That's not what you see on that SVM. That's a very different thing. That's actually not something that NSS actually tests. So that's why we refer to the numbers.
No, no, no, no, no. They're not making it up. They're testing for a very specific use case of traditional firewalling with no other inspections than classic firewalling. That's what I'm saying. NSS doesn't make this up, absolutely not.
But back
to the question about source fire, that was another question. Yes. So without getting into too many details, the product that you're talking about is a desktop product that they give away for free. It has nothing to do with network security. And specifically, Sourcefire is an IPS company.
Sourcefire is not an anti malware company. Customers don't buy anti malware gateways from Sourcefire. They buy them from Blue Coat, okay, or from companies similar to Blue Coat. And that's why Sourcefire is also in the business of malware. And that's the point I was trying to make in my presentation.
Again, I think we showed on the stage here that it's very easy say things, it's a bit more difficult to do them. And specifically with Sourcefire, we have never ever seen them in a single firewall deal. We compete against them as an IPS. We have never seen them as a firewall in a firewall deal.
I think it's important to note that Building a firewall is not something you wake up one day and just have. Firewalls take a long time, a lot of technology to develop. The in line abilities, the reliability, the performance, the the network and there's so many things that go into being an in line device. It takes years, honestly, to get there, If you do it well. Yes.
One more question.
One more question. I think it's Greg Dunham.
The last question before we go to break. Yes.
Switching gears a little bit. You mentioned Wildfire, the opportunity in service providers, virtualization. So there's a number of different areas where you're putting development dollars. How do you really allocate in terms of when you strategize, these are the areas we need to be in. And kind of from a philosophical standpoint, what's the best way to approach kind of the opportunity in the threat landscape?
I don't know.
It's not if you're asking Like how do we do we say, oh, 10% needs to go here and 5% needs to go here. We don't really approach it that way. I think that would be sort of a more traditional approach of New problem, new product. Because the approach is so integrated, we work really with customers, I'm always meeting with them. We take their feedback.
We understand the problems we're dealing with, and then we take that back and we just work with the engineering team to develop good solutions for it. Often leveraging the existing infrastructure we have in the product, including things like single pass architecture and things like that to enable these new capabilities. So we don't really think about it in terms of carving out percentages of resources and applying it that way.
Yes, specifically because we can leverage existing technology, for example, if you wanted to build a standalone APT company today, will need to build actual device, you will need to build an operating system for the device, you will need to build a management system for the device, you will need to build reporting all these other things that we already have. The number of engineers that actually worked on wildfire to get wildfire to be a product was probably handful. And they did it over a year. So it's not like we needed a complete set as our APT competitors because a lot of the technology was there, they built it and now they moved on To the next project. Okay.
Good. So at this point, let's break for 10 minutes. Coffee and snacks are being served outside and be here in about 10. Okay. Thank you very much.
If I please
may I have your attention? Take your seats. We're going to move on to the go to market part of the presentations as well as the results part. So I will introduce myself. The Part that I'm going to speak about in this section is our view on market dynamics, what is going on in the market, How does the market view Palo Alto Networks, but also how do we view the market and the evolution of that?
And also take a look at our go to market strategies. There were quite some questions during the break about that and I want to start there And then Mark Anderson will continue that conversation because I think it's a good thing that you get the view from both the person who generates the demand as well as the person who then closes that demand and turns that into revenue for the company. So There are many ways to look at the market. We chose to look at the addressable market in, I would say, a rather consistent way. Ever since we started to publicly talk to the market about what we believe the opportunity is for Palo Alto Networks, What elements we believe our technology can address, we have shown you this picture.
You've seen it a few times today. And I want to dissect it and look at some of the dynamics, also introduce you to some of the players that we see and our take on who those players are, what the dynamics are and then give you our opinion about what we believe, right, The game is and why we believe that we are different in this market. So IDC and others, but I refer to IDC here, has sized this market very consistently. Now there are many ways to look at this, but if you The bottom and it's a somewhat traditional way of looking at the market. Look at it, there are firewalls, sometimes they come out There's UTMs, but firewalls.
There are web gateways. There are threat prevention systems and there's VPN technology.
That is
a $10,000,000,000 market growing very nicely over the next few years to $13,000,000,000 plus. Now there's a lot of movement happening inside that market. A big player here, a very, very big player doesn't have 40% market share. There is no such player in this market that has overwhelming market share. In fact, when you look at these markets, the core players are actually somewhat different.
The strongest player in firewall is not a player, but a very strong player in things like Web Gateway. But the dynamics would suggest that this market, even though people are spending money on this, maybe piecemeal today, will start to shift. So, let's dive in and look at each of these slices in a little bit more detail. So, that first slice is, in fact, the biggest slice and that is the UTM slice or firewall slice in this market. That slice is characterized by a first of all, a refresh cycle that is 3 to 5 years.
These companies, right, that is 3 to 5 years. These companies have that's not the product refresh cycle of these companies, right, quite the opposite. It is the refresh cycle that enterprises have on these technologies. These technologies are very wired into the infrastructure, specialty firewalls. And there are 2 very distinct players in this market.
There is a large group of traditional legacy state inspection based firewall companies that are based on 19 year old stateful inspection, right? And in order of their size, That's Cisco, Check Point, Juniper and Fortinet in that market. And then there is 1 player, Palo Alto Networks, with a very different architecture. And as we've shown, those architectures are not identical, right? Whether you look at Ciscos or checkpoints or Fortnets, a UTM example versus A next generation firewall example, it's not the same.
There are many, many things that those legacy Safel inspection based technologies cannot do, but in the firewall. Even if you attach blades for application control, even if you attach blades for other types of functionality, it still doesn't do what Palo Alto Networks does. But it took a fundamental rearchitecture of the core of the firewall to get to where we are. So shares are shifting rapidly. We are the big grower in this market, all the others are not.
In web gateway, you see a very different landscape. Web gateways are characterized by technologies that traditionally be based on proxy type solutions. So, WebSense, Blue Coat, and to some extent even Cisco. These companies are in a position today where because of the legacy but more times they are being replaced by modern technologies. And in the modern category, There's Palo Alto Networks and companies like Zscaler.
Zscaler does it in the cloud. They have a different approach to solving this problem, right? But as you can see, only one vendor, right, is here That was on the previous slide as well, apart from Palo Alto Networks, which is Cisco. When we go head to head against a web sensor blue code in these deals, we can win. In fact, we oftentimes win, but we replace those blue codes.
We replace those checkpoints. We replaced those Ciscos for this function, right? It's almost never, if ever, that we see Juniper or Checkpoint in these kinds of deals. So this big chunk of market is not where we would see Checkpoint right, or Juniper or Fortinet for that matter, right. That is already very different.
You go to the next slide in the market, IPS and IDS, You have modern vendors, and I would include clearly SourceFire and FireEye in this market, And you have legacy vendors, IBM, Mega Free, Tipping Point, all of whom have been part of acquisition strategies and have focus on this market. You don't see Check Point in this market as a standalone IPS vendor. When there are IPS we run into source fire, not FireEye, but I put FireEye there because I think what will happen in the next few years is that the non existing APT market, because there is no such thing, But this market will kind of embrace the APT functionality and what was known as the traditional IDSIPS market will to a market that is very threat prevention centric and will include whatever money gets made, whatever people spend on APT, right, the majority. There may be some other monies being found, right, but fundamentally this market will collapse into this. So I don't think there will ever be a completely separate layer because I would suggest that The best way to solve this problem is done outside of the firewall, which we don't believe is true.
Not even Sourcefire believes it is true because that's where they're moving, right? They know that they have an interesting solution, but they're in the wrong spot. They have to move the firewall to make it operational.
Now again, what is very unique is that when
there is a pure IPS opportunity, right, we're now the only vendor that can bid on both firewall opportunities, gateway opportunities and IPS opportunities. There's a sliver that will continue to exist, right, for VPN ish technologies when we introduced GlobalProtect, that isn't necessarily a classic kind of VPN. But again, from a modern perspective, there are companies here who are good at this, right, who continue to sell ways to securely get into the corporate network and that includes Cisco, Juniper and F5. The legacy vendors here are guys like Microsoft and SafeNet. But the consistent themes at all of this is that we believe that we can bid and win very consistently on all of these four slices in the market.
And that shows when you look at the relative performance year over year of what I call the big six, right? And the big six include Palo Alto Networks, Cisco, Juniper, Checkpoint, Fortinet and SourceFire. You can see that SourceFire and have shown very decent performance, right, very different characteristics, right, oftentimes very different markets, right. I would say that very rarely do we run into Fortinet. I always joke that if one of us shows up in the same deal, 90% of the time, one of us is in the wrong deal because the use case for Fortinet in the enterprise is typically a very, very big box the stateful inspection and we don't sell that only or it is in an extreme distributed model where in the branch they need a $200 box with ears for Wi Fi, which we don't have either, right?
That would be the situation. But believe us, When we are in that situation, we're in the wrong spot. That's not a use case for us to fulfill yet. So you look at the relative performance And what you see is that other than a pure specialist Sourcefire, who is the last man standing, so to speak, in that IPS the growth isn't there. In fact, when you do it on a dollar basis, the last quarter was a very interesting quarter.
But this combined, right. The 5 other vendors here made less additional dollars in our last quarter than we did in that same quarter. So you can see the money moving, right? The market share is shifting. By the argument that I sometimes hear that Others are gaining market share.
The numbers don't show that, right? If you take it if you take it if you look at the big guys, They're barely growing at market rate, if even that. So that would suggest that somebody, Somebody who shows consistent 50 plus percent growth rate is taking market share. So the dynamics have changed substantially in the last quarters. The dynamics are also very important, right?
So, Marc showed you a condensed picture of the MQ. The full picture is here. You can see that there are a whole bunch of vendors there that have firewalls, but aren't necessarily seeing the traction, right? And the big guys that have all moved to the left, They have a terrible time keeping up with the technology rate of change that we introduced in the market. But I wanted to give you a little bit more insight into what is behind this graphic, because the graphic itself is only one dimension.
I have to explain something before. There were some questions about, well, there's Other opinions in the market. Well, we made the point in the demonstration to talk about what happens in the lab and what happens at customers. A lab report is what it is, but in a lab report, you look at what we sometimes call synthetic data, the best they can do with synthetic transactions or synthetic users or synthetic applications or synthetic threats. And then there is what customers actually say about how the product works.
So someone like NSS is on the lab side. Someone like Gartner talks to thousands of customers and forms an opinion about whether it actually works. So people vote with their money and you can see that in growth and people vote their confidence to companies like Gartner who talk to they don't talk to us about this process whatsoever, right? They tell us what they are doing, but we actually don't have a vote in of this. We don't go in there and tweak and optimize and change and turn knobs.
This is an opinion that they form by speaking to 1,000 customers. So what do they hear? Well, first on the market. The market looks at quality of features. They actually don't think that the quantity is important.
Now that doesn't shouldn't be confused with what features do you have. It is how you factor out your features, right? So, in the case of Check Point as we showed, the way Check Point factors out features is many, many, many bleeding blades, 20 plus blades, right? And we say, well, they have 20 blades, you only have 4, right? That's not how you should think about it at all, because threat prevention or URL filtering or even the core firewall does so much more.
And so you should really look at the quality of those features, how they work in your environment rather than whether you have 20 or 27 or 35 blades. That's not at all how you think about this. The other part is that it still is early days in the move from traditional firewalls to next generation firewalls. And that is, by the way, less of a technology argument. But as you heard Motorola say, this is more an argument of How do you put that in with the oversight that you need, right?
Lee showed that the technical migration actually is not so much the challenge, but that's not what's hard. What typically people have to do as well is make sure that the policies that they implement are the right policies, that it is okay with the compliance teams and with the legal teams and with the audit teams, because now While you're safely enabling these applications, the impact of that has to be understood. So what you see though is that The installed base will rise rapidly to 35%, but more importantly, new purchases will rapidly move in the next 2 years to be next generation firewalls. And then lastly, they're not going to buy them from traditional vendors that they bought their switches and routers from. Shift to those who have a true next generation firewall and no longer come from the leveraged vendors, right, which would include companies like On us, there were some interesting observations as well.
We moved the needle. Everybody says that they do what we do, because we do what we do. They cause them to react. To be honest, in the last 5 years, I don't think anybody has announced ahead of us, has done anything in their firewall or in their product ahead of us. So very different.
We do it because the design at the core was different and that allows us to displace traditional competitors. And this argument made over and over again. Are you just helping another competitor or are you displacing competitors? Gartner believes by talking to customers that we The customers you've seen today, this place and we'll come back to that in a second. And then finally, right, What we do is different.
It's not just a little bit better, it is very much different what others do. Okay. So how do we move this to the market? Our model has been very consistent for last 5 years, right? We go through 2 tier distribution.
We build a channel to move the product to the end customers to augment our ability to reach those end customers and to properly service those end customers after they've done the purchase. We always start with going directly to the end customer as far as the storytelling is concerned. When we tell the story, the end users Then in parallel, we build the channel organization, so they can do this. We enable so we recruit, enable and then optimize the channel partners involved, both distribution partners as well as resellers. Both of these add value to what we do in terms of services, in terms of presence, in terms of all kinds of scales that we don't necessarily want to put in front of the customer.
We believe that our partners are better suited and we're trusted to do that. Mark, clearly our resellers will also go to those customers and we do that in a co op model where we jointly execute on that demand. Then when we sell, The predominant way, of course, the only way that we sell is through that channel. In other words, 100% out of our business flows this way. It comes but generates the demand, it flows back from us through the channel, but no stocking, No funny deals, it is all clean as a clock where the customer picks the value added reseller, the value added reseller fix the distributor and we transact, right?
We have general account managers to work with these distribution partners and we have of course, we augment our own high touch sales force with the sales force of our channel partners. We don't take those deals direct. It's not because we have people in the field that we then get greedy and pick deals off of the table. No, every one of those deals, 100% flows back through the channel. This model has been implemented globally.
We run it for many years and what it gives us is visibility into a pipeline development. And very importantly, it gives us great predictability of our business, because the way it works, the way we transact in this model with deal registration and automation gives us very good insight into where we stand on demand, where we stand on recruitment and so forth. Now, I specifically highlighted here our strategy with VARs and resellers. That was the model that got us to where we are. But more and more our customers also tell us that they truly want to engage through service providers and systems integrators.
So After me, Mark will come up and talk a little bit more about those relationships. They're somewhat different. They're not necessarily the pure security VARs that you know so well, but we also believe that the market dynamics are such that our customers, especially the larger ones, want to be serviced by people in the category of your service providers and systems integrators. So, this model has worked well for It's a model again of quality, not quantity. Our 900 ish channel partners, That growth hasn't been excessive because we believe that the best way to make our customers successful is by having high quality resellers and distributors in place.
All of them augment what we do. They don't just push boxes or sell through. These are people who involved on a daily basis with our customers. And we provide benefits based on their commitment and based on their performance in terms of deal registration, margin, multi year protection and so forth, right? Now we're very demanding in terms of accreditation, certification and so forth.
So unlike partner ecosystems of 1,000 and 1,000 thousands of resellers, we don't believe that that is the right thing to do for the enterprise customers that we serve. We believe that they benefit from specialists and from people who are committed to services. Okay. Now, I want to end My section too, because after all I am the marketing guy. Okay.
Yes. So it is kind of the fact or fiction part of every presentation. Fact or fiction, it always comes down to whether something that is being claimed is true or not. So the first action is you can't keep growing your customer count like that. Like where do you tell these people?
What can you sustain it? Have you done it and how have you done that? Well, 1st of all, clearly, we have done it, right? We have consistently grown our end customer count to a very, very advanced level, 1,000 plus in the last 5 quarters each, But that helps us with one part of our strategy, the land strategy that Mark referred to. Landing a 1,000 plus customers allow something equally or even more valuable to the customer, which is then to expand and extend that footprint in those 10,000 by repeat buying of our technologies for different parts of the network or for different security functions.
So while we're very proud of this, you shouldn't Look at it this way. But clearly, because of our expansion, because of the attraction in the market, more and more so have we been able to attract these customers. And we're still in early days in some of the markets that we operate, right, like China and India and Russia. And so where there are, by the way, very big companies, very large enterprises in desperate need of good network security. There's also a question of, well, have you you've picked the low hanging fruit, right, all the easy ones, right, the guys who were very disappointed with old technologies, Those are the guys that you displaced.
Well, that would suggest that 2 things. It would first of all suggest that what we do is a one off. The customer buys one thing and then they're done buying from us. It also suggest that we've done so with small customers, right? Not necessarily the big enterprises on the planet.
So let's look at that claim as well. What it takes to become a top 25 customer has grown substantially in the last five quarters. You look At the movement of this bar from only a very short time ago to now, and you can see that, that bar has moved up substantially from less than $1,600,000 to more than $2,800,000 right? That number when we were on the IPO roadshow, which is only 7, 8 months ago, right, was in that $1,000,000 it's almost $2,000,000 range, right? Even in that short period of time, you can see how much that has grown.
That certainly wouldn't suggest that people are selling us low hanging fruit, that we're picking low hanging fruit, right? This means this points to an infrastructure type of transactions with these companies. We also, at the time of the roadshow, started to share with the repeat buying behavior of these large customers, right? And what you can see is that this actually has evolved, Only at the time of the IPO, again, 7, 8 months ago, was that number 3x. We're now at 4.
Sorry, that number there was 8x of the top 25. It was 8x. It is now 11.4x, right? So They bought 11.4x what they started out with. So they keep on expanding and extending their purchases with us.
So that's not low hanging fruit. That means becoming more and more part of the infrastructure. Similarly, across all customers, the number that 3 at the time of the IPO roadshow is now 4.6, grows substantially. This is repeat buying across all of our customers. So even for The average customer, this metric has gone up substantially.
You keep on seeing them buying and buying and buying in each subsequent And of course then, well, yes, the big companies don't use you, right? Now, I'm going to say something that you shouldn't take personal, Mark Anderson, but without a lot of effort, because Mark only joined us about 8, 9 months ago. Without a lot of effort, we actually have already seen tremendous growth in the world's largest customers. Mike will explain to you how much of an emphasis that is in his organization, right? But today, we service 500 of those Global 2,000 customers, right, very, very good growth year over year, right, which means that, a, there is lots of headroom in that market with focus that market is putting in place, that is both on the count, but also the penetration in those existing 500.
Because you look at what we've actually sold to those guys in the last few years, we may be 10%, 15% penetrated in their networks, which would suggest that we have both an opportunity to get more Global 2000s, but also more from those customers. Okay. Is a claim that we're only succeeding in a few verticals. I sometimes hear this on earnings calls where, yes, we see them in 1 or 2 verticals, but never in all of them. Well, I want to reiterate that our model is such that we have a very wide distribution both on the customer side as well as on the vertical side.
No single customer accounts for more than 10% of our revenues and customers and no industry accounts for more than 15% of our revenues, even in any given quarter. So even in what is traditionally a Fed quarter, right, or a Japan quarter or whatever it is, it's never more than 15%, which tells you that, first of all, we're diversified. And when you look at the industries we service, it's very, very broad. Now, the last 2 I want to cover are the ones that really go to my heart because this is what I always hear from you guys and from everybody else. You're not deployed into firewall.
So somehow you made All this money and all these customers not being deployed at the firewall. I don't know if anybody else who has done that in the past, but Supposedly, we are the first that gets all this money without being deployed as a firewall. So only 7, 8 months ago, we gave you a statistic where we said that we believe that at that point about 50% of our customers have deployed this as primary and about 50% of the new deals that we were involved in were for primary firewall. So these numbers that we We'll update you once a year in an event like this. We'll update you today on what we believe they are based on our analysis out of our deals, our customers and so forth.
So more than 75% of new customers in fiscal 'thirteen, so the last 6 months of selling, right, 75% have chosen us as the primary firewall. These are deals in which we replace an existing traditional firewall in the primary position, in the data center, in the perimeter, in the Xtamp Enterprise, which then yields a number of more than 60% of all our customers, right, who have now put us in place as a primary firewall. And then there is a claim that, well, yes, that may be true, but we never lose against you. You never win in competitive deals, right? So you get this from somebody else, not us, right, which also isn't necessarily supported by the data looking at the growth numbers of others, but it's another important data point.
So we said I've always said that we do very well When we get the opportunity to get the product tested, the way we want to update that number to you is that when we do a technical evaluation of our products, but our win rates are best in class. We win more than 85% of deals after we've done a technical evaluation. Our box was on the network. We've delivered the application visibility and risk report, and the customer knows what our technology does versus what other technologies do. So with that, I'd like to thank you very much.
And Marc, please come up. Thank you. Give me 2 seconds to take the slides. Yes.
Good morning, folks. Thank you so much for My name is Mark Anderson. I manage the worldwide field operations team here at Palo Alto Networks. And I've seen a lot of faces here before in my previous lives. And some of you have asked me why did I leave a good company like F5 to join Palo Alto Networks here 9 months ago.
And for me, I think it was really simple and basic. First of all, I love the size that we are right now. When I joined F5 back in 2004, we were a little smaller, but we grew really quickly over the next 8 years and I really love that ride. A really fun ride, especially like F5 had and like we have today when you have disruptive technology leadership. It's fun to win.
Second thing is the market here, it's massive. We've heard $10,000,000,000 $13,000,000,000 by 2016. It's a huge market. We have less than 5% market share and we're competing against some good companies that have 20% or more percent market share, 3 of them in fact. And when you have that disruptive technology leadership, it's good to go up against companies and take share from them.
That's also very much fun. And really the third thing Is the team that I get to work with, I get the privilege of meeting Nir before I joined and how can you not be inspired by a badass A cool CTO like Nir, Mark McLaughlin, an amazing CEO and leader and really the entire leadership team is really humbling to work with. So I'm really, really psyched to be here and I'm excited to talk to you today about, first of all, what I've seen in the 1st 9 months since being here, the things that we're doing to exploit and take advantage of that technology leadership in the market by growing our focus, growing our footprint. And then finally, you're going to hear some real examples about customers. I'm not going to talk about fiction.
What we do in the field every day is fact. We're with customers and we're doing deals that put money on the pieces of paper that you guys like to evaluate on us and I love to talk about that because I love So first, let me talk a little bit more about the land, expand and extend strategy that you've heard about. For us, landing means we put an enabled, trained sales team, subject matter experts, this high touch sales team that we have that were growing. We put them in front of a customer, partnered up with a partner, a security, VAR, MSSP or integrator and we tell our story. The story that you heard Nir and Lee and Mark tell this morning.
It's a very compelling story about differentiation, about how we do things differently. We show up and as you just heard Renee talk about, We put our network in a proof of concept mode. We connected offline on a TAP port into their network and we blow their minds. We come back a week later with an application visibility report and we show them what's going on in their network today, things that they said weren't happening. We're not enabling Facebook.
We're blocking BitTorrent. 25% of our network traffic is not video like YouTube and other nefarious video applications. It really blows their mind. And that's a really fun thing to do. And as you heard Renee just say, When we do that, we win 85% of the time.
That's nontrivial. That's technology leadership and that's fun to win like that. Then of course, we expand. We typically get in, in an initial deal and we win on In one corner of the network, they want to prove out all the great things that they've heard about Palo Alto Networks from their friends in security. We expand that into other areas.
There's 4 major use cases, but there's dozens or hundreds of different places in an enterprise network that we can sell these use cases. We expand into those and we continue to leverage our relevance and our performance and execution in that customer. Then, of course, we extend by selling more features. Maybe we got in as an IPS as we have with one of our largest customers that's a big a real big Tier 1 bank here in New York that we only have about 15% market share and it's just IPS today. So we've got a lot of room to extend there.
We can sell them wildfire. We can sell them URL filtering. In our innovative business model that sells these as a subscription, not just as features. So we're winning 85% of the time. Well, what the heck is to the competition, well, they're facing the traditional innovator's dilemma.
Of course, they can't change. They can't wind down their current cash generation machine by selling to compete against us, they have to continue to try to surround themselves with the firewall helpers that you've learned about today. And that gives us the opportunity to go in and talk about massive differentiation. Our competitors are resulting to some Things that if I were in their position, I'd probably do the same thing. They're dropping their drawers on price.
They're trying to find places where we don't play. And we've got some good competitors, some good companies like Check Point, Cisco, Juniper and others. Is always going to get 20% market share because they're Cisco. But when we show up and compete against them, we win based on technology leadership and scalability. And we do it against all of them at a pretty alarming rate.
So what are we doing? Obviously, beating our competition is not the challenge. We're doing it every day. It's showing up. So what are we doing to get more at bats, if you will, that get up to more places.
We're not just that annoying little competitor that you read about in the trade rags, we're scratching the surface last quarter of a $500,000,000 run rate in billings. That's pretty significant. And I think as I think you'll hear Stephane say, we're growing ourselves more than the rest of the market is combined.
That's a
fun market to be in. It's fun to be in sales from that perspective. So what are we doing to build out the team, build out the footprint? So let me talk a little bit about the team that existed back in 2010. It was a great team, but it was a small team.
It's subject matter expert reps, SCs scattered around the world, really just covering just a few of the NFL cities in the United States, nothing in LatAm, Nobody in India, nobody in China, a few people down in Australia and then a few of the major cities in EMEA with a small but highly skilled team. And if you just take a look here 3 years later, we've really fleshed out the footprint by attracting world class people that are experts at selling security that want to come to a place like Palo Alto Networks. They want to come here to win with technology disruption because it's fun. And you can see we've really invested aggressively not just in EMEA by going east and west, but all across APAC. I visited Singapore a few weeks ago And we headquarter out of Singapore.
We've got a really good team there, new leader for APAC that's doing a terrific job. He's building out And the gentleman that runs EMEA for us is continuing to expand in the major cities. But we're still really just scratching the surface as we build out our footprint. And let me give you a few examples of that. So before 2013, we just had 2 sales teams Chicago.
Now there's 5. We had one person in India. I think there more than a few more than 1,000,000,000 people in India, but we're but today, we have 3 teams there and we're investing aggressively. We'll announce At the beginning of next month, a new leader that's going to really provide us some aggressive scale there. We're also aggressively investing in China.
It's a part of the world that we didn't have of the world that we didn't have focus in before, but it's a large country. We need teams in all of the key geographic areas. There's some verticals there that we're allowed to sell into, banking, telco, and they spend a lot of money. We had 4 teams in California where our headquarters is. And today, there's 3 different districts that have people in California selling into service providers, large enterprise and commercial enterprise.
London, one of the most populous cities in the world, certainly in EMEA, we've got 6 teams there today that are selling to large and commercial product excuse me, commercial customers. And we really didn't have as Renee may have mentioned earlier, we really didn't have a lot of sales resources focused on the channel that was all placed back in marketing. Today, we're building out a channel account organization that's focused on enabling these
partners and helping us get
into new partners and and helping us get into new partners and get into larger leverage opportunities. And before 2013, we had 2 major account managers
Doing a
really good job, but 2 is a small number. Right now, we have 32 and I'll talk a lot more about that in
a few slides.
So we're not doing anything that's rocket science here. We're salespeople. We got to keep it very simple, keep our knuckles from dragging keep our knuckles off the ground. But we're following a proven model to productivity and it's a model that I learned back in the '90s at Cisco Certainly, that I leveraged at F5 throughout the last 8 years. And for me, it always starts with the center of the universe as much as I hate say this to account managers because they tend to have large egos, it starts with the account manager.
That person is the center of the universe. They're the CEO of their territory. Whether it's a list of accounts as a major account manager or a global account manager or whether it's a regional sales manager that covers the geography, They need resources to be productive. So we give them resources. We give them an SE, a dedicated SE for every account manager in the world, at least one.
There's one sales rep here in New York that has 2, but that's a different story. So the SC team we have here is amazing. It is a technical sale. We have to show technology differentiation. This SC team, I would put them up against any SC team in the world.
I inherited a great one 9 months ago and we're really building aggressively into this team. We need to. Customers love our SCs. For every account manager, there's half of an inside salesperson. We have inside salespeople in Europe across Europe, excuse me, in Asia Pac and a large team here in the U.
S. In Plano and in Santa Clara. The inside sales focus does a lot of things. They take The leads that are cranked out by Renee's marketing machine and process them into qualified opportunities and really act as the tip of the arrow when it comes to going to the customer, talking with partners, play a really valuable role. They actually reduce our overall cost of sale a little bit, but they actually improve productivity for that account manager in a dramatic way.
Then of course, we're building out this channels team. I'll talk about in a few slides, The channels team that's going to help make our channel partners smarter and more able to sell our technology and tell the story that we're talking about today. Of course, around all of this, we have to have the sales operations team that provides us with the tools, the enablement to make all of us productive, not just inside the company, but outside the company to partners, distributors that are going to be selling and representing and supporting our technology. We have an amazing sales operations team that we're aggressively building out because we need to provide tools not only for people to manage their accounts and build sales plans and get better and smarter, but also to managers to look at analytics about ability forecast, so that we can forecast accurately, really trying to build a discipline in this team now that we're a publicly traded company of kind of a commit culture, I like to call it. So every Monday morning, an account manager sits down with their 1st level manager all around the world and commits their business for that week.
Here's my commit for the week. Here's what happened last week relative to my commit for last week. I'm going to validate my commit for the month I'm going to validate or update my commit for the quarter. It happens every week. There's laser like focusing on this and this allows us To manage our investments, if we see our linearity go a little better, we crank up our investments.
If we see it slow down, we take a pause and have a look. Thankfully, it's only been the former. And then finally, we have our global customer service organization. You're going to hear from Brett in a few minutes that really supports all of us, our partners, our customers, our distributors in a world class way and in an incredibly impressive way and you'll get a lot more details on that. So let me talk a little bit about the focus that we're applying to global and major accounts.
I mentioned geographically focused regional sales managers. They still exist here today. They've got a geography, a patch of dirt that they manage That doesn't include the list of major accounts. There's still tons of large opportunities. Couple of weeks ago, we did a $500,000 deal at a community college in Toronto.
Now That was in a regional sales manager's territory. Starting August 1, we bifurcated the sales organization to add The title of major account manager and global account manager, they typically have anywhere from 6 to 25 accounts around the world. By the end of this year, There'll be 40 major account managers around the world, primarily in EMEA and the Americas. We'll be rolling this out excuse me, and Japan. We'll be rolling this out in APAC probably by the end of this year and the beginning of next year.
It really helps us drive focus to these major accounts Because we're competing against companies that are much larger than us, we're competing for wallet share against giant companies like IBM and HP, and we really need to have a discipline and a focus. And we actually created that discipline and focus ourselves. We got together early on when I joined with folks from marketing, from sales operations, from product management and created a strategy to go after major accounts and build sales plans that engage resources, resources like the ones I mentioned earlier, but resources like executives, like we, like near when it's appropriate to go into customers and tell the story and blow them away with our technology differentiation. So we're really very focused on executing here. We think, Based on my experience, there's tremendous amount of leverage to get out of these major accounts that we're already seeing and certainly in the future.
The other thing I talked about is investing in channels. I'm really proud of the development that we've done so far. For 2013, it was again primarily in the marketing organization focusing on enablement, Certification and Investing Market Development Funds. There was a minimal investment in sales resources. I think we had 2 CAMs in the U.
S. I think we had 2 cams in EMEA and maybe 1 in Australia. So starting August 1, we hired somebody to run the Americas, a leader, Really great background from Cisco and Ironport. We hired a person in EMEA. Again, really good background and they're getting busy hiring people.
We're going to go from less than 10 to 25 today and we'll continue to invest in that in the future because Building scale with our partners by teaching them how to sell our solutions is a great leverage opportunity for us. We're also surgically recruiting additional VARs, systems integrators and MSSBs and I'll talk a little bit about that more right now. So let's think about what a managed service provider or a systems integrator does for us And for their customers, they provide outsourced services for people that don't want to own their own infrastructure. So they might provide just 10 years ago, they might have just provided circuits. Today, they're providing just clean circuits that have security solutions added to They're the trusted advisors.
They're typically large companies like Verizon or AT and T. And they have great relationships span many years and in many cases 1,000,000 of dollars a month. And the program facilitates solutions like monitoring, managing either remotely or on premise and other value added services that these customers are paying premium dollars for. It also feels a little more comfortable some especially larger customers to ease in some of the next generation firewall features and ease out some of the legacy inspection firewall technology that they use. So this is a ripe market for us to go after.
And between Chad Kinkelberg, our Head of development and his team and our channel team were very laser like focused on going after these partners. And I'll talk about that in a little more. So, Renee talked about this. We've got our direct touch subject matter expert sales team selling through distribution partners, in many cases, value added distribution partners that provide Tier 1, Tier 2 support. And traditionally in the past, they've sold to VARs.
I mean, great VARs like Fishnet, Acuvant, large either regionals or super regionals that cover geography, in some cases with hundreds of reps. These companies have been great partners for us. They will to be great partners for us in the future. And based on my experience, they'll grow at or above the clip of rate that We're going to be growing because customers need security expertise like this. But as I mentioned, we're also spending a lot of time with service providers and systems integrators to give us the and leverage to go after that end customer in broader numbers.
We have 11,000 something customers today. To continue to cover them, we can't invest in the expensive direct touch only model for sales. So we're really doing both and really trying to manage the investments wisely. So just a few names of the people that we partner with today. They're not mom and pop shops that you might have heard some of our competitors tell you about us.
We're talking we're working with IBM, who is reselling and
doing managed services today with their
customers and our customers, companies like AT and is today with their customers and our customers. Companies like AT and T and Verizon with their national and global footprints are both directly and through the managed service offerings that they provide. So as Mark, I think, said first thing this morning, this is a vertical for us that represents multiple opportunities, the sell to opportunities because they're huge enterprises in some cases, tens of thousands of employees. And then the sell through opportunity because they're large channels as well. We want them to be our channel, but also selling to in a managed service environment where we've leveraged the technology that Lee and Nir and Rajiv have developed that can be shared with multiple customers or dedicated to customers that managed in a way that no one can compete with us.
And there's Lots of customers that want to buy next generation managed service solutions and they can only buy through these partners with Palo Alto Networks Because our competitors are stuck in that innovator's dilemma world of old, bloated, inspection firewall technology and the surrounding firewall helpers. I want to talk a little bit more deeply about Integrales. For those of you that They're really becoming the security SI for the NTT Group of Companies and the NTT Global Footprint and they're a great partner. They've got a great sales team around the world. Simon Church, the CEO, I've done business with him previously.
He's they make a great partner for us. And they're going all in in their investment with Palo Alto. They might know them as one of Check Point's largest resellers in EMEA and they're able to do business with both Checkpoint and Palo Alto. And I think what you'll see, the business that we've done with them today and the business that we'll do with them in the future will be substantial. And it's going to help us and it's going to hurt our competitors.
So I want to talk about some real life customer examples here as I close out. I'll sort of just go back to our go to market. Landing, as you hopefully now know, can mean our sales Teams touch a customer and sell the solution or it could also mean integralus, sells a managed service solution. And then together with our partners, we go and look for expansion opportunities and extension opportunities. So with that framework, Let's talk about some real examples.
First one, large media company in the U. K. The use case was protecting online content management system as they started to roll out their services on iPads and iPhones and other devices other than televisions. Key differentiators for us, it was a long technology bake off. They invested $20,000 for a test system in one of their smaller markets for a year ago.
And then they worked with us for a year to test our capabilities because they wanted to see it in equipment that they owned, running in production environments that they And we proved it to them. They were one of our legacy competitors wasn't very happy when we pulled out a $2,900,000 opportunity for some of our largest devices across their entire network. It was a huge expand deal for us and it was a great example of staying focused with a major account with the kind of coverage model and a partner, a large systems integrator that gave us the span of the relationship that made this deal happen in the end. We also have opportunities over the next 2 years to continue to build out the footprint as their This scaling to iPads and iPhones continues to grow. A large global carrier based in Japan, next generation service offering with our midsize 5000 series and our largest 5000 series in data centers today in Japan and the U.
S. And in the future, it's going to be across the data centers that they have all around the world, differentiators here, they really embrace the technology and are actively promoting the next generation features on our firewall network firewall technology to their customers as a managed service. They have been a customer in some of their entities in Japan directly using our equipment to safely enable applications, but we expanded with an $800,000 deal with our Largest system here just recently in a really nice expansion opportunity. We believe there's 1,000,000 of dollars to go after just in this use case alone. And of course, Continuing to replace the legacy Check Point equipment that they have in their enterprise represents a great opportunity.
So we've built a team to go after this customer around the world, both from a marketing standpoint and from a sales standpoint to cover them as a global account. A large financial services This one I love because we did a quick land deal for $75,000 as they started to again play with our technology. And in an example like Renee showed about how customers increase their long term value spend with us over time. Most recently, in a new data center that they built out, they spent almost $900,000 with us, 840 This is a very conservative customer based in the Midwest that has long legacy relationships with companies like Cisco and others. In this case, again, we competed against Check Point.
They dropped their prices. The customers still went with us because of the massive technology differentiation. And this is And this is one sixth of the opportunity that exists at this large company over the next 2 years. So lots of expansion opportunity here as well. A large retirement fund based in Australia is a brand new customer for us, a land deal.
It did take us a year to convince them, but it was a huge win. I don't want to give you the impression that all of our sales campaigns take long time. In many cases, in many of our especially commercial territories, 50% of the business that a sales will be found and closed in the same quarter. But in this case, this was a very conservative customer that we applied a multi tier campaign to win. And in fact, the customer visited our booth a couple of weeks ago at RSA and brought the partner, a large systems integrator with them and had a meeting with you right in our booth while Nir was in the background screaming on stage about how great our technology is.
And the customer These guys have 2,000 remote offices, that's the next phase for us. So a tremendous expansion opportunity. Large Shipmaker
here in the U.
S, again, a brand new customer that did a couple of months' worth of testing and did a land deal for us for $1,300,000 Real competition here from everybody. But at the end of the day, based on the customers' buying criteria, They couldn't compete with us on scale and on price. And we have the opportunity in this huge account for becoming the primary firewall, which will represent 1,000,000 of dollars of opportunity. So in conclusion, I want you to know that we're responsibly maturing and aggressively investing into our go to market to get in front of more customers, get more at bats. And Unlike anything I've ever seen before and I think I've worked for some really good companies, we're attracting world class talent at an amazing rate.
I mean, I see LinkedIn requests and resumes come across my desk every day from people that I don't think we would have ever retracted even a year or 2 ago. And we're very, very focused on driving productivity in the field fast. We realized that getting an account manager and that Ecosystem of resource around them to be productive and be productive fast is really important. So we're investing in enabling tools Like a learning management system, we're investing in training methodologies that aren't just show up and throw up with PowerPoint like I'm doing right now. But we're really focused on not only making our salespeople and sales resources more productive, but also our partners.
And they're also focused on being the very best next generation partner. So As I mentioned, it's a fun place to be. It's fun to leverage technology leadership and it's really fun to win. And I think When you get the opportunities that we do with our customers to be in line in security devices around their networks to be a single point of failure. You can't take that lightly to do this.
You've got to provide a total customer solution. One of the reasons that when Mark hired me, he combined the focus of sales and Post sales customer support was to really provide a unified face to the customer here at Worldwide Field Operations to really have a very elegant handoff between the pre and the post sales environment. And I'm going to call Brett Eldridge up on stage, who's the VP of our global customer support organization. It's a tremendous he's done a tremendous job building this organization from the ground up over the last 3, 4 years. And
As Mark said, my name is Brett Aldridge. I run the Global Customer Services team at Palo Alto Networks. And I'm just going to spend a few minutes giving you insight into the strategy of our support organization and some customer SAT scores and where we're going. So first, this really ties into what Mark and the company is trying to do around expand and extend. We know for a fact that customers that are happy with the buying experience with Palo Alto and with support buy more product and they buy it faster.
So our mission is to be the strategic differentiator for Palo Alto Networks by ensuring customer success, satisfaction and loyalty.
In order to
do that, we really have 3 main strategies we adhere to. The first is enterprise grade services and support. What does
that mean? That means that
we have an organization that can successfully Help our customers, our large enterprise customers deploy the product and maintain it. World class online experience, We've made significant investments to building our online systems, both for automation and for our customers to have access to key information. And then 3rd is global scalability. Obviously, we sell to customers that are all over the globe, multinational corporations And we really need to be able to support them no matter where they are. There's something that's very unique about Palo Alto networks and I don't think you'll find this at any other vendor of our size.
As Mark mentioned, we have a unified technical organization in the company. There's not siloed organizations between presales and post sales. And the end effect of that is that customers get a much better experience with our technical organization. Our SEs work very closely with our support engineers. We've got cross training that goes on.
Our professional services engineering get a smooth handoff from presales and these teams really act as a unified team to our and they're much happier with that approach. So speaking of customer satisfaction, I just wanted to give you a few statistics To give you an idea of how satisfied our customers are, we measure it in a few different ways. These are just 2 of them. This data is from the first half of our fiscal year. So on average, if you look across all of our customers, on average, they give us a score of 8.8 on a scale of 1 to 10.
That's a really amazing result, especially when we're growing the company and our customers as fast as we are. The second statistic is, 86% of our top customers, our largest customers rate us in 8%, 9% or 10%. And that really is a world class result for a customer support organization, especially when you consider that we're selling to extremely large customers that are globally distributed. I also thought I'd give you just a couple of quotes. I picked these 2 for specific reasons.
The first one really shows you that the engineers we hire into the support organization are really talented engineers that have a broad base of skills addition to Palo Alto Networks skills. So when a customer calls up and they get an engineer on the phone, which is usually less than a minute, That engineer can immediately start troubleshooting and they have a knowledge of other products in their network. And then the second one shows the length to which we go to support our customers and it really highlights why this approach is different. We hear all the time that customers are really satisfied with support because they are really good engineers.
It's not Fact or fiction slide, but
I can tell you that I've heard in the past that Palo Alto support isn't scaled, it's completely fiction. I can guarantee it. We've got port in 7 locations, kind of the size of the dot gives you an idea of the scale of the organization there. We currently obviously are 24x7x3 65, all around the globe, follow the sun. We don't plan on expanding into new physical locations.
However, we will be building the organization and scaling it out to support all the new customers we're bringing on in these current locations. The last thing I wanted to cover is what are we doing in the organization to gain leverage. Obviously, everybody in this room wants to hear about that. There's 3 primary areas where we've been doing this and we're going to continue doing it. The first is customer self-service.
As I said, key strategy is a world class online experience and that ties directly into this. This means that customers any time of day, any time they want can get easy access to a lot of content. That content includes self training videos, exams you can take online, knowledge based discussions, we've built an amazing infrastructure for customers to do that. And the end result is they open fewer cases with us. The second area is automation.
It's something that Palo Alto does in all different departments and we take it to heart in support. So instead of hiring what most people do, which is a bank of people to answer the phone to triage a case, we build automation into that. So instead of having 30 people answering phones, when somebody calls up, we know who they are and we know how to route their case and who to route it to. And it happens automatically, which is why they get directly to an engineer. And again, the end result of all that automation is you save on people costs.
And then the last approach is obviously through partners. We work extremely closely with 1 partner and 1 partner only worldwide and they help us build flexibility and scalability into the organization. And at the same time, we get to reduce costs and ensure very high customer satisfaction scores. So again, I just wanted to give you a little bit of insight into our
Good morning, everyone. I'm Chad Kimflberg, and I'm genuinely excited to share our technology partnership strategy with you. Our partnerships span a variety of categories and vary in nature. We have some basic technology integration partnerships. Usually, they're done to satisfy customer requests or overcome buying objections.
Over the past year or so, we've really focused on cultivating strategic partnerships with a select number of vendors. And these strategic partnerships hold the potential to broaden our appeal to a lot of customers, to extend our competitive advantage and to broaden our distribution. If you think about strategic partnerships and tactical partnerships, are trying to do all of these things to deliver better solutions for our customers. Our goals are to facilitate customer acquisition and increase customer satisfaction. Quite simply, we engage in these partnerships to drive revenue, not issue press releases.
I'd like to say POs trump PR and that mantra really governs over our day to day business development activities.
When we look at where we sit
in the ecosystem, our partnerships really fall into 5 different categories. And those 5 categories are networking, mobility, big data and security analytics, enterprise security and virtualization and SDN. I'd like to briefly describe our initiatives in all 5 of these categories and also have some executives from our strategic partners comment on our collaboration. So let's start with networking. Firewalls are really at the intersection of networking and security.
And networking vendors tend to have really strong relationships with their customers just because networking is so central to IT strategy. So by partnering with the networking players, we really gain leverage into a lot of accounts. Citrix is a great example of that. So there's tremendous synergy between Citrix and Palo Alto Networks. We're focused on safely enabling applications And Citrix is focused on optimizing performance for those same applications.
Together, We've delivered a new application centric network architecture that better suits customer needs. And most importantly, Citrix has done a great job at penetrating large accounts. 99% of Fortune 500 Companies are Citrix customers. So gaining their endorsement and integrating with their products carries a lot of weight with some of the largest customers in the world. Here's Suneel Pote of Citrix commenting on our partnership.
Hi, my name is Sunil Poddie. I'm the General Manager and Vice President of the NetScaler Business at Citrix. Citrix is a cloud computing company that enables mobile work styles empowering people to work and collaborate from anywhere as if they were working right out of the office. With the advent of the mobile cloud era, We recognize the need to deliver comprehensive enterprise solutions that combine application delivery along with the secure and safe enablement of any application from any device. Citrix and Palo Alto Networks have come together to address these needs and have forced a long term strategic partnership to deliver better solutions for enterprises that want secure, scalable and highly optimized access to mobile and cloud services.
Palo Alto Networks provides the unique ability to safely enable applications preventing all types of threats. That differentiation made them our first choice to become our primary network security partner. Citrix and Palo Alto Networks share a common vision of how networks are evolving. Legacy Networks have no awareness or understanding of application layer traffic. So We are working together to provide a new application centric architecture, a next generation cloud network that safely enables applications with best in class performance and availability.
Our multi phase partnership brings together leadership in application delivery, desktop virtualization, enterprise mobility management and network security solutions solve real world challenges for enterprises. We selected Palo Alto Networks as our primary network security partner because of their world class technology, commitment customer centric innovation and overwhelmingly positive feedback from our customers. We're very pleased with the progress and even more optimistic about our collaboration in the future.
Service providers represent a significant portion of the overall network security market and are essential to our continued growth. In order to accelerate our penetration into carriers, we've forged a relationship with Ericsson. Ericsson is the world's largest supplier of equipment service providers. They have their finger on the pulse of the carrier market. And what they've consistently heard from carriers is as they contemplate building out their next generation of fixed and mobile networks, they need a more robust security solution.
So Ericsson wants a strong partner in network security, a partner that can handle the modern threat landscape that can be deployed in a wide variety of use cases and is innovative. And they've chosen to work with us to build out those solutions. Here's Trevor Ady of Ericsson talking about the carrier market and how we're going to work together.
Hi, my name is Trevor Rady. I'm Vice
The next category is mobility. And clearly, mobility is a secular trend that's having a profound impact our market. Smartphones and tablets are becoming ubiquitous in the enterprise. And we've established a range of partnerships to make it easy for enterprises to embrace this whole BYOD phenomena without compromising security. We've partnered with Aruba Networks, a leader in mobile enterprise and wireless solutions.
Effectively, we've combined Aruba's wireless network products and our next generation firewall to share user, device and firewall to share user, device and application information in order to establish and force security policies for mobile devices. One example of that is we've exposed some functionality via an API And Aruba has written a plug in that extends user ID so that when guest users or employees bringing their own mobile devices come on to the wireless network, They are governed by the appropriate security policy. We also have some partnerships in the mobile ecosystem designed to augment our GlobalProtect product. As Lee described, GlobalProtect ensures that the same policy that you established for the traditional network is extended to mobile users regardless of the location or device type. And we've partnered with the leading mobile device management vendors, MDM vendors like MobileIron and Zenprise In order to simplify the deployment of GlobalProtect and ensure ongoing compliance, these MDM platforms can be used to initially deploy the GlobalProtect client to configure security settings.
And in the case that there's some type of a security violation, actually disable access or quarantine those devices. So we have a range of partnerships in this mobile ecosystem That means companies can let employees use mobile devices to access sensitive corporate applications and data, but without the security risks ordinarily associated with those devices. Our next category is Security Analytics and Big Data. And our customers use a whole range of products in order to monitor and analyze their security information. And we effectively integrate with all of them.
So if you look at the SIEM market, whether Q1 Labs from IBM, ArcSight from HP, Symantec, they all use our rich data around applications and users in their security information management solutions. We're also doing some really innovative and useful work with Splunk, the unique strengths of both companies. Ordinarily, when we talk about natively identifying applications and users and content, It's done in the context of setting security policy. But that same functionality and those same constructs are really useful if you want to do any type of security analysis or forensics investigation. So if you want to identify the root cause of a breach or respond to a security incident or generate context rich and applications and users as opposed to relying on IP or port or protocol information that are supplied competitive firewalls.
So it's yet another example of where our proprietary technology in App ID and User ID extend our sustainable competitive advantage. The interesting thing here is by working with Splunk, we're doing we're able to do things to satisfied customers that we wouldn't be able to do alone. And Splunk really recognizes this competitive advantage that we have and the rich data and developed a killer app. Nobody has been a bigger advocate of this solution than Splunk's CEO, Godfried Sullivan. The next category is enterprise security, and you'll notice that our partner ecosystem here is a lot different from our competitors.
Because we have a next generation firewall, we address the entire spectrum of network security needs. So you won't see us partnering with IPS vendors and web filtering vendors. Our firewall competitors, on the other hand, have to partner with those companies to make up for the inadequacies of a stateful inspection firewall. We don't have to do that. We address the entire So what we do is focus on the adjacent categories and think more broadly about what are the problems that CSOs are trying to solve.
And We partner with companies in endpoint security, security configuration, risk management, authentication, control, things of that nature. For example, we partnered with RSA, in order to safely enable access to sensitive corporate applications and data, coupling what we do on the network security side with RSA's Assay's market leading 2 factor authentication solution. We also have a set of partnerships to complement Wildfire. So with Wildfire, we have a best in class network oriented approach to Ford APTs. And we're supplementing that by partnering with companies with endpoint products and incident response services.
At the RSA conference a few weeks ago, we announced integrations with Mandiant and BIT9 to provide a holistic approach to APTs. If you look at the network detection and prevention capabilities that we have, we're coupling that with the ability to actually resolve incidents at the endpoint. And the way that, that works is when we identify malware In Wildfire, there are certain indicators of compromise associated with that malware. We'll send those indicators of compromise down to the Mandiant and Bit9 consoles, where all of the endpoints in the enterprise can be pulled. You can quickly identify which endpoints have been affected and that just accelerates the whole remediation process.
So again, a very broad range of partnerships here to complement what we've done. The last category is virtualization in SDN. In the case of SDN, we're very much at the embryonic stage in terms of enterprise adoption. So I think it's a little premature to comment on efforts. We're complementing that by partnering with some of the emerging leaders in the SDM space, companies like Arista Networks and Big Switch Networks.
So for example, we have an automated networking solution in which security policy can be patch to virtual network segments in Big Switch using their open SDN protocol. In the case of virtualization, We're seeing massive adoption right now. This is the single biggest trend in the data center in the last decade. And it has a very profound effect on the way people think about network security and it's causing a lot of disruption. And that disruption is wonderful for us because it means more at bat.
Last November, we introduced the VM Series to address the security needs of private clouds, public clouds and just virtualized data centers. And not only was this product very innovative and flexible, but it's also the first step in a very important relationship with VMware. As you know, VMware is driving this whole virtualization revolution. So they pioneered the concept and they've really driven the acceptance of these private clouds and what they're talking about as the software defined data center. However, They realize that one of the impediments to virtualizing mission critical applications is security.
And they've chosen to partner with us to develop a well conceived, tightly integrated solution that will remove this security barrier. We're very optimistic about the long term implications of this strategic partnership with VMware. And if you listen to Hadam Naguib, Vice President of Networking and Security at VMware, I think you'll get a sense
of their enthusiasm as well.
As you can see, we have a vibrant ecosystem of technology partners. We're working with some of the leading and most innovative technology companies in the world. Our combined solutions result in better and more comprehensive products for our customers. We'll continue to cultivate these relationships in order to accelerate our land, expand and extend strategy. So with that, I'll turn the floor over to Stefan to review our financial performance.
Thank you.
Thanks, Chad. So I'm Stefan Tomlinson, the CFO. And today, I'm going to be covering our trends, some recent financial results and then I'll wrap it up with our business model. So to level set everyone, our Q2 'thirteen which we posted for our January quarter about a month ago. We had record revenues of 96,000,000 which grew 70% year over year.
Our hybrid revenue model enabled us to grow our services revenue to 35,000,000 total revenues, which increases our visibility. Deferred revenue of $188,000,000 grew 92 year over year and we had very robust gross margins at 72.2% on a non GAAP basis. Q2 also marked the 5th consecutive quarter of adding over 1,000 end customers. And we ended the quarter with a robust balance sheet with $368,000,000 in cash, cash equivalents and investments. Our results demonstrate that we continue to grow faster than the competition, faster than the market and we're gaining share.
But this quarter is just part of a trend. And you can see from both the annual and quarterly revenues, We've been growing much faster than the market. And that's due in part to not only our disruptive technology, but to our sales and go to market function that we have in our customer service organization, when everything's firing on all cylinders, you get this type of growth. Now let's put a finer point on revenues. You can see revenue by theater for the last five quarters.
And you can also see the corresponding year rates, which are really best in class. But for a moment, let's focus on sequential performance because that indicates momentum. You can see that in the Americas, we've had very consistent sequential growth. In EMEA, For the 1st three quarters of this chart, you can see that revenues have been flat. And part of that was due to macro issues and part of that was also due to us making more investments in the region.
The last two quarters, however, have posted meaningful growth and that's due to the sales traction that we're getting as well as some timing of large deals that have been working from a fairly long gestation period. Now looking at APAC, you can see we've had again very nice sequential growth over the past 5 quarters. Q2 flattened out a little bit. And Mark mentioned this earlier, we consciously made a change in the APAC region to put a new leader in place at the beginning of Q2. And we did this consciously because we're preparing to scale for long term growth.
So we're doing these things in a position of strength. And with the investments we're making in our sales and go to market organization, We're just starting to see the benefits of building what I would call real diversity of revenues by theater. Another way that you can look at diversity of revenues is by vertical. On a lifetime to date bookings basis, we don't have one vertical that's over 11%. And that makes sense.
Every enterprise needs network security. Now you can also see customers on the right. This is a small sample of our 11,000 plus customers. Many of them are household names, AT and T, General Electric, some aren't household names, but nonetheless, they are very large in their industries. For example, Elavon.
It's a large multinational corporation that focuses on payment processing services for over 1,200,000 merchants. The reason why these customers are important to us is our land, expand and extend strategy. We're nearly one of the only vendors out there that has the versatility to sell into any network need, enterprise network security need, whether or not that's next generation firewall, threat prevention, filtering, wildfire, etcetera. So to put a finer point on that, we like to look at our top 25 analysis. And you've seen a number of different variations of this data.
What you're looking at here is the trended line of the repeat purchasing metric, which really is the embodiment of what I would call our expand and extend strategy. Once we land an account, and this is representative of our top 25. In Q2, on a cumulative lifetime basis, Our top 25 accounts have spent 11.4 times more in aggregate lifetime repeat purchases than their initial buy. And again, and that's selling for next generation firewall or an IDSIPS project and now malware, APTs, URL filtering, etcetera. So it's very compelling.
Now one customer in our top 25, we acquired in 2,009 And it was a checkpoint displacement for a very small part of the network segment. Since 2,009, in that initial purchase was $60,000 they've spent 6,500,000 times more in repeat purchases as we get deployed throughout their broader network in not only the data center but the distributed perimeter firewall business. And we feel like we're about 30% penetrated. So that indicates that there's a very long tail. What's providing the foundation for the land and expand business is our hybrid revenue model.
And for those of you who have followed the company, you've heard me talk about this before, but just to level set folks, We have two elements to our revenue model. We have products and services. Within the product category, we have our series of appliances, We have our VM Series, we have our M100 and our Panorama. And from a revenue recognition standpoint, once all the criteria are met, We recognize that revenue upfront. Now the services revenue is bifurcated into 2 buckets.
The first is subscriptions. We have 4. Each of them are list for 20% of the appliance list price per annum. Those subscriptions provide a SaaS type revenue element, which is why we call our revenue model a hybrid revenue model. Within the last quarter, the number of subscriptions per appliance shipped was greater than 1.5.
And historically, what we've told folks is we ship anywhere between 1 to 2 subscriptions per appliance. So the bottom end of that range is actually coming up. On the support side of the house, we have a number of very different programs that we offer. But as a proxy, support is about 16% of the appliance list price. And the attach rate on support is very strong.
You can't buy enterprise network security equipment without buying support. It provides you updates, upgrades, bug fixes and the like. Now for both the subscription and support, These are either annual or multiyear contracts. And what we've seen is over the past, call it, several quarters, We've had an uptick in multiyear deals. We'll take that business all day long.
That provides us a very nice foothold into the account. And now we're more structured and in spots on the account. And you can see how this model translates into our revenues. On the left hand side, you can see the product versus services revenue split. And you should train your eyes to the bottom row there, which is services as a percentage of total revenue.
That continues to grow. As I've mentioned previously, last quarter is 36%. That provides incremental visibility as we go forward. And to the extent that we're successful in selling multiyear deals and selling more subscriptions, like our new paid of wildfire, that will translate into a growing deferred revenue stream. Now let's turn to margins.
Our gross margins have been operating at a very steady band. Last quarter, they were 72.2%, and that's represented by the green line. Underneath the total gross margin, we go back to products and services. Products are always going to fluctuate a little bit, especially a company of our size and given where we are in the evolution curve. Anytime we come out with a new product like the PA-three thousand, There will be a higher initial cost of goods sold, but as volumes increase over time, gross margins will improve.
Our services business is comprised of both subscriptions and support. Subscriptions have a very high gross Systems Intensive. We've added over 5,000 new end customers in the last 5 quarters. So we've had to make the investments in order to scale. And there are kind of countervailing forces there, but over time, we will get scale.
So the net result of that is we've been pretty steady in total gross margin, but there will be fluctuations amongst the contributors there. Now turning to operating margin. We've taken a very conscious approach to making investments in the business to really drive our innovation engine and our sales and go to market organization. Last November, we came out with 5 new products, which is, I I would call industry leading. And we've been able to do all this and post the revenue growth in a very profitable manner, and we're pleased with that.
Not going to be stretching to get to higher operating margins in the short term because we feel like we have the opportunity in place to really capture market share while doing it profitably, which takes me to our balance sheet and other metrics. You can see the trending in cash and cash equivalents and investments trending up to 368,000,000 And then other metrics that we track, cash flow from operations, free cash flow, very strong in fiscal Q2 'thirteen. We have no debt on the balance sheet. Our DSOs are 58 days. We're going to be monitoring that because as the profile of our business evolves With more services being sold, there could be some pressure on that, but we'll keep you posted on that.
Turning to headcount. At the end of the quarter, we had 949 heads worldwide. The vast majority are in sales and marketing, in our services organization and R and D. We have What we call the minimum required investment in G and A and operations, we like to keep that lean. And As far as future investments are concerned, you've heard today about our product road map, our innovation, our go to market.
That's where we're going to be making the investments. And about twothree of our expenses are headcount and headcount related. So let's turn to our planning assumptions for approximately the next 12 months. We plan on hiring about 75 to 100 heads per quarter. The legal costs for our litigation with Uniper will ramp up over the next 12 months as
we approach trial, which will
be in February of 2014. From a CapEx standpoint, we're calling what a normal range for a run is about $5,000,000 to $10,000,000 per quarter. We also entered into a new lease I guess, it was a couple of quarters ago now. And we're going to have incremental investment to our normal run rate of CapEx of approximately $10,000,000 in FY 'fourteen. Our tax rate on a non GAAP basis is estimated to be approximately 39%.
This will fluctuate. We haven't removed our valuation allowance yet. And also, it's very sensitive. The rate is very sensitive to the pretax profit mix from an international in U. S.
Standpoint. Additionally, on tax rate, we have a project underway where we're scheduled to go live with this in about 6 months, which is our IP cost sharing project, which should decrease our longer term effective tax rate. Now once we go live with that, we'll give more guidance on that going forward, but that should bring our effective tax rate down over time. That'd be more comparable with our peers. And then finally, many folks asked, in fact, I was asked today, What about seasonality in the business?
Seasonality, still kind of too soon to tell. Our growth rates mask seasonality. But if we were to have just a preliminary indication on a go forward basis of what seasonality could look like from a revenue standpoint, An early indication would be Q4 and Q2 would be the stronger quarters. Q4, well, because it's Q4 and we have natural business momentum built up throughout the year. In Q2, because the end of year calendar budget flush happens and we participate in that.
So we expect growth in all of our quarters, but Q4 and Q2 being the strongest, which brings me to my wrap up slide, which is our target non GAAP operating model. Our gross margins are forecasted to be in the 70% to 73% range R and D 13% to 15% sales and marketing 30% to 33% G and A 5% to 6%, leading to a total non GAAP operating margin target of 22% to 25%. Now when we went public back in July, we had mentioned that we thought we could achieve this in, call it, approximately 4 years. As we sit here today, we've made some very good progress to date, and we think we're about 3 years away from achieving the target model. I will say that very much consistent with our investment philosophy, we want to ensure that we are adequately investing in the business in order to capture market share and do it in a profitable manner.
So we will be growing operating margins or our plan is to grow operating margins and more of a slow and steady progression, and we'll see how the actual results play out. So that concludes my section of the presentation. And what I'd like to do is bring Mark McLaughlin and Mark Anderson up on stage, And we can open up the floor for Q and A.
Thanks, Edmond.
I'll be
live. Before I'm sorry, just before I start the questions, just a couple of things, just because in case people have to leave. So we said we had a number of goals when we started off today and we Hopefully, we accomplished a lot of that. But one of the things we fundamentally believe as a company is that a lot of those trends that are playing out in security are great for security providers. So it's very helpful tailwind for us and those will play out over a long number of years as we've seen them behind us, we see them in front as well.
And the second thing point we're trying to get across was the fundamental place you need to be in order to capitalize on the security trends in the network is the firewall as the functionality that you'll need in order to protect yourself continues to move in the direction of the And then the third thing is obviously having the right technology as well, which we believe is a flexible platform. You can continue to add to take care of those threats. And with the ultimate call, they can safely enable the use of all applications. So just a couple of points around that is one, we were trying with the demo here to get across point that there truly is a technical difference because we hear a lot of marketing going on the market. We've really tried to show it.
It's hard to do that. As you can tell, hopefully the demo got some of that across. Firewalls are hard. It's policies, all sorts of stuff. So our goal there was just try to simplify it a bit and show you that.
Also obviously we use Checkpoint in the demo, just because they're fairly vocal about they can do it, Palo Alto does. But that's just a proxy for every other stateful inspection provider in the market today is the same from a functionality perspective. So I'm not just trying to pick on those guys. It's just the one that we could use Cisco there, we could use Jim, we could use anybody Fortinet, it doesn't really matter on that. And the other thing I want to get the point across back to the flexible platform in the right place in a network as we spend a little bit of time or overweighted on APT and malware just because it's a hot topic today, people are talking about it.
We look at that as a great opportunity for us, but we're also just trying to show that with our platform that we've developed, It's an example of yet another thing that we're able to put into that platform in a native way and there'll be more of those in the future. So I just want to put some context around all the that we were trying to get done, hopefully got the points across. And with that, we're happy to open up for some questions. We'll just start up front here and try to work with
it. Karl Kierstead at BMO Capital Markets. I've question for Mark Anderson. Actually, you mentioned in your comments that one of your big initiatives is growing the number of major account teams. I think you said from 2 to 40.
I guess at first blush that sounds like a big change. And I'm wondering if you could add a little color into what the catalyst for that change is, maybe a little deeper on the process and whether a team approach like that involves any kind of comp changes for your reps?
Okay. Yes, sure. So, I think it's pretty natural company of our size and scale going through this evolution. And I want to be really clear on 2 things. Firstly, the 40 is by the this year, not right now.
I think I said 32 right now. And secondly, we did transition some existing RSMs, regional sales managers into major accounts, especially ones that had already started to get some traction with major accounts. We just narrowed their focus down to a tighter list of accounts. And I think it's also important to try to communicate this within the company. There are 2 really important functions.
Whether you're an RSM, whether you're a MAM, they both have roughly the same comp plan. They are both held to pretty closely the same expectation on productivity, although there can be spikes with major account managers where they might do a lot in 1 quarter and then a little less in the next quarter. But they're both really important roles. And we're but they both require a different set of skills and a different set of enablement and training. And so we're really focusing on that because our bigger customers are really asking us for that.
They're asking us for more attention than just one account manager or 2 account managers in Chicago that do flybys on their 150 customers once quarter or so.
Thank
you. Dan Cummins from B. Riley. A question for Mark And Nir, if he's still here. I had a question about you talked about your capabilities that were pretty with respect to network security.
And there wasn't a lot of talk about data loss prevention. But I wonder if Mark you could talk about How much focus DLP is getting in big complex deals, number 1, it sounds to us as if it's very, very well prioritized and not necessarily a niche product or a niche market. It seems like Gartner has actually been talking about a product market that's approaching $1,000,000,000 What are your ambitions and capabilities around network DLP, particularly now with Fidelis being acquired out of the market? And what's your relationship to the host based DLP players?
Sure. Let me give you a general net. I can give for more specifics. Can you or Lee, can you bring a mic over here for one of these guys? Yes.
So As a general matter from a DLP perspective, there's obviously a market there that's important and it's related to network security, although it's arguably in more in the enterprise security side than in the network security side. So from a functionality standpoint for us, you heard us talk about DLP a bit. A big part of that for us is the ability to see what's leaving the network because we see all the traffic, we see all the applications, we know the users. So that's a major portion of what we consider from a DLP perspective. There's a lot of other things that happen in the DLP world that we don't do, some of which are endpoint those sort of things that are possibilities for us in the future, but they're not at the network level.
We're very focused right now from a network security on the network related things and there's pieces that functionality that are valuable to our customers we do there. There's a whole separate market, A whole different way to market, a whole different set of technologies out there that we haven't addressed at this point. You answered it well.
The only thing I'd add is, I think When we look at it, DLP, just like a lot of things, is relatively complicated when you think of the entire problem. A lot of what we can do through application notification, user ID and things like that is simply reduce the scope of what's going on, controlling what applications are being used controlling what kinds of content can be transferred in and out of organizations. That actually solves a big portion of the DLP problem and it helps narrow it down for The specialists who do host and email DLP kinds of things to really focus in on the things that they can do to augment the parts that we're doing.
Did you guys already pick somebody out? We'll discover here in the middle. Thanks.
Just two questions. I think the first one probably for Lee, Nir or maybe Mark given your legal background.
It's been about 15 months since
I think you were presented with the lawsuit out of Juniper and not expecting sort of detail on your and so forth. But just wondering what progress, if any, you've been able to make around potentially engineering around the patents? And then secondly, just I guess for Lee on APT, should we think about you talked about 1300 customers for wildfire. I understand some of Are using the free product today. Should we think about your traction on the paid wildfire product as a proxy for your success in the APT market?
And if so, could you give us any sense So how many
of those customers, the 1300 are paid today? Yes, sure. So on the Juniper side, again, there's only so much you say in litigation, but where we let me talk about where we are procedurally in all this, which is kind of in the middle process Going through discovery and expert witnesses is all occurring at this point will occur for some time, up until the next real procedural item that's material which is summary judgment Motion is Mark Mahiran coming up in November of this year. So not a lot of no news there. And the question from an engineering standpoint on workarounds and stuff.
We can't talk about that directly, although you'd imagine that we would like anybody playing defense in the patent case would explore All your defenses you could have in the mitigation strategy. So I wouldn't be surprised if we were thinking about those things as well. On the question on the APT side, I'll try to take this one, which is, what we're talking about 2 different statistics here, but intentionally, we're Talking about 1, which is how many customers are using wildfire today and you heard Lee say over 1300 that keeps going up. Not all of those are paid. The other thing we talked about on the call was the number of paid users which we haven't disclosed in there is well going well and ahead of where we thought our expectations were given the product has only been out for a short period of time and you have to be on patients were given the profits only been out for a short period of time and you have to be on 5.0 to use it, right.
So there's a couple hurdles to get over for us, Which will happen in relatively short order through the course of the rest of this year as the customer base migrates to 5.0 to be able to use that. So I think the question from a proxy point is it's not exact. And the reason for that and the reason we continue to talk about the free ones plus paid ones is that even if Even if the customers are not paying for it, it still provides great value for customers who will. So this is a network. So it's a network effect.
So we encourage people to use it. That's why we seeded it for free and we'll always keep the free version out there Because if a customer is using the free version, they're not getting all the benefits of the paid version, but we're getting their malware samples into the system, which we can federate for lack of a better term out to everybody who is paying and it creates more value because we're seeing lots of malware across lots of verticals across the whole globe. So we'll continue to encourage that kind of behavior. Naturally, anybody who's using the free version is a great prospect for the paid version as well. So we would that's our primary target as we brought that thing to market is to go back into that space and we're doing pretty well
Michael Turits from Raymond James. Two questions. 1, in terms of verticals, you showed 7% of your bookings or billings coming from the service provider telco space. Fortinet is about a 28%. So how much do you view this as an incremental market opportunity?
And if so what's the product strategy for getting in? And the second was just if you could quantify on the legal expense ramp.
Sure. So I'll take the first part of that. Yes, so Fortinet's business there It's fundamentally different ours, which is 28% of their business is mostly the service providers using their technology in order to push service offerings to the MB. So before we said and we'll reiterate here, our target audience right now from a go to market perspective is not SMB, it's enterprise. There's two reasons for that.
The The enterprise network security market is over $10,000,000,000 a year. The SMB network security market is a third or fourth of that depending on whose research you look at. So we're playing in a much bigger market. And the second and that we're not Anywhere near penetrated in yet, right, for what we can do. And the second thing is that for the SMB market, there's different technology, there's different go to market, There's different support costs, there's different margin structures around that.
But most importantly, that market is primarily driven by cost. And remember we said security performance value, the enterprise market primarily driven by premium security and will pay for that. That market is primarily driven by what can I get from a security perspective for this cost? A great go to market avenue to touch that market is service providers and that's what Fortinet has done there. We're working with service providers as well for service offerings.
Ours are directed to level, so all the ones you heard Chad talk about, that's those guys selling our technology into the high end of the market. We can go there. We can go down market. If we did, we would go with the service providers because it's an obvious way to go get that done. We just choose not to at this time, mostly from focused perspective of just keeping our eye on the ball and the brand is the premium brand as opposed to kind of confuse the market the best technology, but it's the low end of the market.
So that's how we're doing this. And if you want to take
that Yes.
Part of our focus on expanding into major accounts really includes service providers, as I mentioned, as customers but also as partners. So the focus that we have today is Really significantly bigger than the focus that we had just a year ago in selling to service providers. I gave one example of a 6 figure deal to a service provider, There's many of them that we've done as the teams have really ramped up, not only just here in the U. S, but across the world. And just think just a year ago, we had salespeople that were calling on medium and large enterprises and service providers.
And different go to market methodology. It's a different type of salesperson. You need to be successful there, and we're very mindful of that.
Yes. On The costs for the Juniper litigation, the ramp for competitive reasons, we're not going to give a forecast for that. But We are considering potentially disclosing that on a retrospective basis on our earnings calls just so folks can understand what the costs are. We're considering
that.
Jason Nolan with Baird, Mark, to start with hiring, are you getting account managers and SEs from It sounds like they're experienced and how long, if so, does it take them to ramp? And the second question on evals, 85% win rate with technical evals or proof of concepts, that's very high. So how do you manage a sales force that could easily bring 100 of these to you every quarter.
Yes. Well, thanks for the question, Jason. So on
the proof
of concepts, We're very focused on being very good at that and really just telling the story of how different our technology is and then proving it with the application visibility report that I talked about. So we have a large pool of eval equipment that we own and manage, but our partners, I believe have an even larger pool. But they've purchased our technology and they, along with our own subject matter experts, are going out and doing these evals. So a big part of the enablement focus with them is to teach them how to do this to weigh and teach them how to get more at bats. And as far as hiring, we're seeing inbound requests from people at all of the Tier 1 network and network security vendors.
I'm not going to name any specific names, but it's pretty consistent across the board. I think Salespeople are a pretty predictable bunch. A lot of us are really addicted to the opportunity to grow and to take a territory and take it from a little to a lot. And I'm very focused on creating an environment that leverages a great culture, gives them a competitive comp plan that really competes with the Tier 1 vendors that are out there and shows them the path if they want to be promoted. And of course, when you're growing the team from very small to very large, there's lots of opportunities to be promoted to SE managers, SE directors, 1st level managers, 2nd level managers.
It's really part of an overall culture building picture. Productivity, we actually don't talk about the time to productivity. But what we do talk about is we're very focused on trying to make it happen earlier.
How about we go in the back, lady Becker?
So you talked a lot The platform approach that you're taking and you showed statistics on primary firewall use cases. I'm curious how has the customer buying pattern itself Do they still come to you for a specific project or use case, like say a firewall or an IPS deployment? Or do you have more strategic conversations with them?
Both. So it's very well ingrained in the customer mindset just as you kind of think about the last to 15 years about all these technologies we mentioned and the Kluge aspect about how they think about the networks in the 1st place and from a defense perspective on how they purchase for a really long time. And these things get done at refresh cycles. So it's fairly consistent still that folks will say it's time to do the such such refresh or this piece of technology and that's your opportunity to kind of get in there. What we have seen though is a rapid increase in the focus probably from the boardrooms as I mentioned it's one of these top three items down where the C level folks who are in charge of the CISO, CIO, CTO They understand, I mean, not that they're living it, so they're kind of telling us it's not the other way around.
They understand That rapid change of threat, they understand that they can't really keep up, they understand the budget issues and all. So those are the folks who are strategically saying enough, We need to come up with a better way to do this and they're the ones challenging their teams then who may have been doing it a certain way for 10 years 15 years to say, we need a better way. Well, that's very helpful for us. And we try to get as many of those conversations as we can, Because if we can tie into what they're thinking, then we just have a better chance of getting it back because then they go back to their staff and say, what about these Palo Alto guys, right? And It takes that one comment to go get the AVR done and then we're off to the races.
So we're seeing it really at both sides.
And we just have time for one more question.
Okay. And then we're going to be here. Nobody's going anywhere afterwards. So we're happy to answer any other questions up How about we'll just go it's hard to see right there since you're standing right there. Thanks.
Yes. So I think Check Point would disagree. This With the degradation in the performance of 90% or so, 100 gig going to 4, which is less than your 5 gig for the PA-five thousand and fifty. What are your thoughts about even taking away that argument and improving the performance per box eventually? And separately for Stefan, you're targeting hitting your target operating model in 3 years.
What if your growth is still very high, say 30% to 40% and other companies would defer hitting that target of, let's say, 22% to 25% operating model operating margin that is, further still if the growth is robust. So what are your thoughts about potentially hitting the margin target later than 3 years if the growth is still very strong.
So let me Talk on the performance one and I also failed to mention that we brought 5 or 6 of our SEs with us today, which are I think outside, but these folks are all from different competitors, some from Check Point, San Francisco, but I would encourage you they're outside of the different areas to talk to them if you really want to talk technical on like what's happening on the ground. It's just another source of information for you. But, specifically on the performance, I'm positive that Check Point would disagree with what we said, it wouldn't shock me. But I think there's 2 things to think about in that. The first is, is that The reality of just the testing whether it's ours, theirs, their spec sheets, NSS, anybody, that's just what happens, right?
There's just kind of no way around that. And the second thing is, you would have to disagree with that, which is either say that's not right or that doesn't matter, we got bigger and bigger boxes. I always try to think about these things about where people are coming from on them, right. If we're right, I think we are that you the more these blades or functionality you add, get the decrease in degradation which technically I think we can prove and you can go check it out yourself. And then you must talk about performance.
You have to do that, right? You have to say, I've got the bigger box, the bigger box, the bigger box because there's the threat change and the new functionality has to be introduced and it's colluged on with another engine, your performance will degrade every time the traffic passes through another engine. So you must have a bigger box and then a bigger box and a bigger box because that's what's going to happen at the end. Here's how customers think about it. Customers don't say I'm looking for 120 gig box.
Customers say I'm looking for security and I need 4 gigs. Remember I said security Performance, my performance requirements as an enterprise in order to run my enterprise are 4 gigs of protected output or 5 or 10 or pick your number. That's how they think about it. When they say that, then you backward plan off of that to say, if I want to get 5 gigs out the end, what I think their protection is, Well, how do I do that? With Palo Alto, you buy a 5 gig box.
If you're Cisco, I'm not going to pick on check money, where it's Juniper, it doesn't To get that 5 gigs, you've got to say, I need to start 40, 100, depending on who you're talking because of the degradation. This is why those guys are super duper focused on speaking about performance all the time with the bigger boxes because it's a necessity in order to actually get the output that we're talking about at the end of the day. So You're going to hear more of that, not less of that. And then I think related in that question was us and what would we do on the performance side. It really depends on where we're sitting in the So we don't have to do more from a performance standpoint to deliver what customers are asking us to deliver today.
We are getting more in request from customers saying, gee, we'd like to see bigger box a small set of customers saying we've got use cases in data centers or something, we'd like to see even higher performances, not because the performance degrades, that's just our throughput in that massive data center we have. So we want to see the 100 gig next gen firewall doing everything that it does. Again, not because it degrades, but would it be great if we got 100 gig box net. So Those are things we take seriously. And as Lee said, you would imagine in our family of appliances all the way from the small to the large that we would keep adding inside of there as customers tell us what those No needs and requirements would be.
On the target model question, we have a flexible approach. But our current viewpoint is given our growth characteristics, given our nice gross margin, we feel like we can achieve the target model in 3 years. At the next Analyst Day that we hold, we'll take stock of where we are. But our current viewpoint is we're about 3 years away achieving it. Hypothetically, if our growth rates were dramatically different than They are or where we think they're going to be.
Of course, I think we'll take a flexible and nimble approach to the target model. But as we sit here right now, We feel like it's achievable in about 3 years and we feel good with that.
So I think that's all we have time for. Again, the whole executive team is here. We'll stay around As long as you guys like, we really, really appreciate you taking the time and your interest in Palo Alto. Thanks a lot for coming. Thanks.