All right. Can you hear me okay? Awesome. We'll get started. I'm Roger Boyd. I'm the cybersecurity analyst here. It's my pleasure to introduce Nikesh Arora, Chairman and CEO of Palo Alto Networks. Nikesh, thanks for being here. Before I get started, we're gonna have a 30-minute Q and A or fireside chat. If you wanna submit a question, you can use the app. There's a QR code on the tables that will allow you to submit. And I'll do my best to weave it in the conversation. But with that, thanks again for being here.
Thank you.
Awesome. Maybe just to start high level, coming off 1Q, there's a lot of topics to get into, but high level, how are you thinking about the macro demand backdrop today? And as we enter 2025, how are you thinking about cybersecurity as a budget priority?
Look, first of all, thank you for having me here. I think the biggest change we have seen so far in terms of any overall macro thesis is that AI continues to become a bigger and bigger topic across the place. So it seems to be that AI funding will continue, whether it is those in these large hyperscalers or perhaps enterprises trying to figure out. There's a lot of FOMO out there. Nobody wants to be left behind. So they don't want to find out that their competitor's got AI right, either if you're an AI provider or an app provider or perhaps an enterprise who didn't adopt it. So that's kind of like one interesting new data point. And the other interesting data point is, we're all cautious about what the new administration's gonna bring in terms of all the big changes we're seeing.
There seems definitely to be some degree of technology focus given Elon Musk has camped right by our incoming president, so you'd expect there'll be a difference in the rhythm or investment focus or perhaps the decluttering of regulation going towards technology, so generally, I feel more optimistic about technology spending today than I possibly spent about three months ago. Against that backdrop, you know, we've always maintained that the cybersecurity debt has not been paid yet, and if you look at the amount of time and effort spent by bad actors to create economic outcomes for themselves, whether it's against individual consumers or against enterprises, that doesn't seem to have abated, so bad activity's on. Investment's going to be positive, which means there's a little more room in budgets for enterprises, and then hopefully in that, against that backdrop, we particularly hope to take more market share over time.
Yeah, I feel good about it.
Good. I wanna touch on the regulatory backdrop. But before that, you mentioned AI. And we sat here last year and we talked about kind of the impacts of Gen AI and cybersecurity. And it felt like a lot of the concerns over what Gen AI could mean from an attacker perspective were pretty vastly outweighing the near-term potential benefit for defenders. And I think broadly as an industry, we're talking about operationalizing generative AI into 2025. But do you feel like from your business, what you're doing with some of your Copilot offerings, that next year we can start to level the playing field? Or do you think that the kind of unbalanced way that attackers leverage new technology persists? Does that make sense?
Yeah, it makes sense. I think, if you step back, I think we're all getting too caught up in the short-term impact of AI, and I think if you step back and look at what's happened in the last 12 months, 18 months, is that think about it. We're building a smarter and smarter brain, so if you look at all these new models, whether it's Claude 3 or ChatGPT or Gemini or their next model, Llama or their next model, you're seeing these models are getting smarter and smarter or better and better over time. I think the tipping point is gonna be inferencing is how do you reason? Can these models reason? Can they figure out answers to questions which they've not seen before? Today, they're pretty good at answering questions that they've seen before and getting better and better at it.
We're all training around them. Now, if they start inferencing stuff or figuring stuff out, perhaps like your, you know, it's just literally driving in. There's a Waymo with nobody in it, right? So now you've got a car which is driving itself. You know, 10 years ago, it sounded like science fiction. If you imagine yourself 10 years out and think about what the world could look like, from that perspective, we will give up a lot of autonomy to AI, just like the car with the driver. Now, step back. I think every company is gonna have to give up autonomy to some version of computing. If that happens, what is your control system? Where is your kill switch? How do you stop rogue actors from getting their hands on this stuff?
Just the way you need petabytes and petabytes of data to figure out whether the car should take the risk and drive across traffic and take the turn, you need petabytes and petabytes of data to understand how to block bad things from happening. I think if you look back and people say, "Well, why is it? Does Waymo have an edge or does Tesla have an edge?" They both have a lot of data. Waymo's collecting a lot of data. Tesla's collecting a lot of data. Let's, you know, transpose that to cybersecurity. Who has a lot of data? Incumbents.
I can't start a company today and say, "I'm gonna go collect 20 petabytes of data on cyber activity and go build an antidote to AI." I think from that perspective, if you think slightly longer term, AI will be relevant and prevalent in most enterprises in many, many, many incarnations in many, you know, shapes or forms. You know, I have, I got a 3D image made on my arteries using an AI product because it had analyzed 250,000 MRIs. Can't do it without that data. So if you believe that's gonna happen, then the question is, how do you control for that? And that control is gonna require AI applied to cybersecurity as well, which means advantage incumbents. Now, are bad actors gonna tactically in the short term try and impersonate you and me? Of course they are. They already are 'cause they see an economic opportunity.
But I think that's the wrong end of the spectrum. The bigger question is, are we gonna get out of this business of trying to solve small slivers of cybersecurity by funding 2,000 startups a year? The answer is yes.
Got it. Okay. Maybe just one more on the regulatory environment. I think you rightfully pointed out that the focus on automation potentially creates opportunities with you for the federal customers. How do you think about a more deregulatory environment broadly as a demand driver for cybersecurity? And I think you'd maybe agree that there's been an element of cybersecurity demand fueled by regulation. And I think that's probably faded a little bit as the attack environment's gotten worse. But do you see that as a potential headwind at all?
Look, there's two versions of regulation. One regulation towards all of us as companies, the other regulation as it relates to the federal government. Let's talk about the federal government for a second, right? 80% of the federal government cybersecurity budget is a services budget, not a product budget. What that means is they would rather hire people than buy products because it takes five years to certify or three to five years to certify a cybersecurity product. So the entire procedure is to get to say, "So by the time you're certified, you're five years old from a technological perspective." That sounds cool. It took them more than five years to agree to have a cloud provider in the federal government and not fully deployed.
So if you believe that, that any regulation is gonna make it easier to adopt technology in the government, how do you drive efficiency without automation, without technology? I don't know. So from that perspective, any regulation that makes the adoption of technology faster in the federal government is good for technology businesses. Let's leave that there. It's good for us. It's good for every technology company out there. If you take a look at how does regulation change or apply to companies out there, enterprises out there, I think there's too much how-to regulation out there. You should do this this way. You should deploy Zero Trust. You should be secure. I think the what needs to be more focused on, which is what's the outcome? If you get briefed, you better have your stuff together.
I think I'm hoping that regulation shifts towards outcomes as it relates to companies and say, "You have to stay secure. And the way to stay secure is to understand how quickly you redeem yourself, how quickly you fix yourself." Hopefully that'll be more where things go in the future.
Yeah. Got it. Okay. On platformizations, you ended Q1 with, I think, 1,100. You put this target out of getting to 2.5K-3.5K by fiscal 2030. Now that we're a couple quarters into this kind of push, how do you think about that sales motion? Is it becoming more repeatable? Have you been able to leverage the channel to the extent you wanted to? And how should we think about the trajectory of those platformizations as we get towards that target?
Sure. So I think it's important to abstract this for a second. So look, the cybersecurity industry has every company, every one of our customers has anywhere from 20-70 cybersecurity vendors protecting them, which is bizarre because that means our customers have to understand 70 products and be able to figure out real-time how stuff is happening in their enterprise across 70 products, which is technically, technically infeasible. It's just impossible. We barely understand our products well enough that some customer understands 70 products is just hard to imagine. But okay, they do, and if you look at every subsector of technology, some element of, and I'll call it platformization because platformization means that things have gotten integrated. The customers don't have to do the work. Whether you look at the biggest SaaS companies out there, why do they exist?
Whether it's a Salesforce, Workday, ServiceNow, Adobe, what do these things do? They take 10, 15, 20 solutions, make them work together so you don't have to buy 15 of them and make them work together yourself. At the most fundamental level, that's what we mean by platformization. Now, six and a half years ago when I started, we were one of those 20 vendors or 40 vendors. Today, I can consolidate 60%-70% of my customers' estate by saying, "You don't need 15, 20 extra vendors. I'll give you one solution that works together across this." Now, it's an early step. This is something we're gonna persevere and grind because the more we persevere and grind, we know two things are gonna happen. One, customers are not gonna go back.
Nobody's sitting in their company saying, "Let's replace our CRM system called Oracle or Microsoft Dynamics or Salesforce and say, 'Let's go back to the old time when you used to have 18 cool apps that we used to stitch together.'" Nobody's doing that. So if I can get customers to go from 40 to 15 vendors, from 70 to 25, and I have a reasonably large share of what remains, that's a good thing. And that sets us on a path, which means better profitability in the future, you know, better outcomes for the customer. So we've done that about 1,100 times. We couldn't have done it six years ago because we didn't have the portfolio. Today, we have the portfolio.
So we think if we can take that number and roughly triple it in the next five and a half years, that allows us to get to about $15 billion in ARR, which makes us a real company.
Gotcha. I wanna talk about the SIEM market and XSIAM. I think that's one of the bigger opportunities out there. If you look at all the vendors that are targeting next-gen SIEM, I think the commonality is some level of integrating SIEM more tightly with endpoint or in some cases cloud security. Just how important do you think that is? And just what's your high-level view on how the next-gen SIEM market kind of plays out from here?
Right. So the way you should think about cybersecurity is that in the past, everybody had a swim lane, and they swam in that lane, which is identity management, endpoint security, SOC management, network security, and we all stayed in our swim lanes and played in the swim lanes. So what happens is that every 10, 15 years, a big revolutionary change happens that swim lane gets disrupted and new set of vendors are born. Palo Alto was one of those vendors that was born when something called the next-generation firewall came out. Before that, people were buying all kinds of different stuff. So we started to play and win in that space. The Zscaler came about. They did SSE or ZIA at that point in time. So they started trying to play in the network security space.
The network security swim lane has evolved where we now command a large share in that space because of the evolution we've had to our company. But then there's the endpoint swim lane that got disrupted. And Symantec, McAfee, and the others took a backseat. And you saw the CrowdStrike and the SentinelOne and the Cylance, Carbon Black take up. We started playing that space too. I think that same inflection has now come to SIEM. In this inflection, the old guard of, you know, QRadar, ArcSight, Devo, Splunk, all these people are getting challenged by the new vendors. And I think this is a $20-$40 billion market in the next seven years that gets fundamentally disrupted.
We think we should be one of the top three players in this market in the next 24 months and sustain that lead, which allows us a bite at a larger pie over time. So that's kind of the overarching picture. To accelerate that, we made an acquisition, which we closed in August, which is we bought IBM's QRadar SIEM business or QRoC SIEM business, to be precise, which was their SaaS offering. And we're working with IBM to see how many of the on-prem customers can be migrated to Palo Alto. That allows us to cement our strategy to be one of the top three players in the next 24 months. And that helped us cross $1 billion in ARR in that space, which is the fastest $1 billion ARR of any new swim lane that has been created.
Yeah. I think, feel free to push back on this. But relative to some of the other vendors in this space, it feels like Palo's aiming for more of a soft transformation. I think it kind of goes back to everything you talked about so far. Maybe relative to other vendors in the space, it's a potentially heavier lift. Feel free to push back. But you've got about.
You already allowed me to push back three times. Go on.
You've already added about, I think, 150 XSIAM customers. You've got 500 or so QRoC customers and I think double that or additional 500 million that's on the on-prem install base. How do you think about kind of the S-curve adoption of XSIAM from here?
Is a heavier lift a bad thing or a good thing?
What's that?
Is a heavier lift a good thing or a bad thing?
I think it's potentially better longer term because you're aiming for more of a soft transformation where maybe some of the other vendors are pitching a kind of like-for-like Splunk replacement.
Yeah. Look, you know, when I worked at Google, Larry used to tell us that 10X is better than 10%. So if you aim for something big, you aim for 10, you get to 3 or 5, that's a better outcome than aiming for 10 and getting 7%. So I'm all in for the heavy lift.
Yeah.
The heavy lift allows us to go to the customer and say, "You get a real outcome." To the customer, we sold 150 of these in the last 20 months. We've deployed north of 60 of these. 50% of them have a median time to remediate a security incident under 10 minutes, which means for under 10 minutes, we find out at a customer that something bad is happening in their security infrastructure across any vendor, and we can help them fix it. That's a good outcome. The current standard in the United States is four days. So yeah, it's a heavy lift. It takes four months to get that from current four days to 10 minutes. Would you rather have 10 minutes or replace your four days with cheaper technology? Yeah. I'm all in.
And to be fair, I mean, of the 150, I think you've talked about 40 that are spending $1 million plus per year. So it's fairly.
Yeah. The good news is the replacement time. People already spend the money. We go and tell them, "We're already spending the money. We can get you a better outcome from four days to somewhere under an hour." And if you get there, this is net positive because we get you can't get to a minute, which is where we are, if you don't get to under an hour from four days.
Yeah.
And AI is gonna be at some point in time is real time, right? There's some products that work real time. You try and attack somebody, we can stop you real time. You try and go to a bad internet address which is gonna be spammy or has phishing attacks on it, we will stop it instantaneously. Can't wait four days to stop that stuff.
I think you debated on the earnings call whether the QRadar or Talon deal was one of the best acquisitions you've made as a company. But just to shift to SASE, with Talon, you've talked about pretty impressive adoption. How do you think about the use case for that within the SASE broader universe? And just how do you think about enterprise browser adoption? There's been some chatter about what happens with Google. Any impacts to how you're thinking about that space?
So again, if you step back and think about it, all of your devices, some of you are on iPads, Apple phones, all of you are trying to access some application in your company, hopefully not watching Instagram, but that's fine too. When you access the application in your company, you have to go through some sort of security protocols, right? When you go through a VPN client, there's a bunch of security protocols that's going to your firewall. You have Zscaler or Palo Alto, which are going to a SaaS application. We are running some security on your endpoint. Now, in many cases, it's hard to see what you're doing because some of the applications encrypt the data and don't let us in, which is fine. And it gets decrypted at the other end, giving you a secure tunnel.
Enterprise browser, which is like using your Safari or Chrome or what is Microsoft Internet Explorer browser. You can use those where we can see everything. As you get towards an AI world where you wanna watch what people are doing because they're gonna be putting company-specific information up in the cloud, visibility of that data is more important, and as the world gets to more and more cloud applications, you don't need fat pipes running back to your data center, so we have a different technological view of the world. If you look at all the consumers, 90% of what consumers do on their laptops is through a browser. Think about your significant others or your kids. 90% of what they're doing is in the browser. I have young kids. They're on the browser. They're doing Zoom on the browser. They're doing tech learning apps on the browser.
If you believe that's the consumer use case, 90% that use case will prevail in the enterprise as well in the next three to five years. If 90% of what you do is going to be in a browser, browser takes on an even very, very important role in how we secure everything that happens in a company. So that's our bet. We sold a million endpoints. We got 115 customers in the, you know, first six months after closing a deal. This is the beginning. Again, it's very important, at least from my perspective, for companies like us. Look, in Silicon Valley, tech companies die if you don't focus on product and technology changes. You look at the history of companies that have, you know, the graveyard of technology companies when companies lost focus on where technology was going, where the product was.
We don't intend that to happen to us. We don't want to be the first ever green cybersecurity company. From that perspective, we're constantly watching technological trends and making bets. Some of them are gonna work. Some of them are not gonna work, which is fine. It's our portfolio theory. Our bet is that browser is gonna be big in the world, which means that security through the browser is gonna become a very, very important topic. So we pivoted our SASE strategy saying, "Firewalls are important. VPNs are important, but browsers are very important." So we made an acquisition. We've, you know, taken their browser capability, connected all of our security capability, and we'll see.
Yeah. High level in SASE, we've talked about kind of the endpoint market and the SIEM market, maybe narrowing down to three or four big vendors. Do you think that plays out in the SASE space? And I think right now it's probably a story about three or four or five vendors, depending on who you ask, but you've got potentially seven or eight total that are looking to enter the space. And I think part of that speaks to where we are in the overall SASE adoption cycle. But how do you think about SASE as kind of a critical area being satisfied by a few vendors?
SASE, for those of you who are not fully initiated, is a market where we all provide access capabilities to your devices, to your companies. Every employee needs that access. Everybody's gonna have it. 70%-80% of the market is still legacy. It's still sitting on old technology, old techniques, and as the world goes more towards the cloud, whether it's SaaS applications or Google, Microsoft, AWS, public cloud and comes because AI will drive us there faster, hopefully, on the endpoint. As that happens, most companies will have SaaSification that'll happen. There are more SaaS projects out there than any other projects, but they just take longer because companies need to re-architect their network, and I think it's a big market. It takes time. Look, there'll always be 7-10 vendors. In the end, if you're not in the top two, it doesn't matter.
Maximum three, if you have a way of getting other stuff, so any vendor who's four, four and below. It's just like, you know, one of these days we'll get bought by somebody in the industry who likes to buy those companies and cut off their fourth market share position, as you've seen in certain categories.
Fair enough. In the past, you've talked about firewall being a single-digit growth area. It felt to me like on the last earnings call, you were maybe warming up to a view that hardware could better support your growth across the board over the next few years. Can you just put a little more context behind that?
Yeah.
I think a lot of investors are aware of one of your competitors talking about a firewall cycle.
Love it. I'm glad they have 25% coming up for renewal. We'd love to get a share of that.
But that notwithstanding, look, the firewall. I like that. Step back. I think you all believe that the traffic in the world is compounding every few years, right? The amount of internet traffic that we're sending back and forth is compounding. Just that Waymo out there is sending tons and tons of data through the internet somewhere. And if there's a million of those floating around the world, there's more data. Every train is sending data. Every lamppost is sending data. There's more data in the world, right? We all believe data is not slowing down. Any security that needs to be applied, you have to inspect every bit. Inspecting bits is an overhead. It's like taking off your shoes at the airport. It's overhead. It costs money. Somebody else just slows you down. Security works the same way in the internet.
So our job is to create low latency, do it as fast as we can without being painful to the process of inspection. That's inspection. That inspection is done by a firewall. Firewall comes in three varieties. They come in hardware. They come in software. And they come on your endpoint as SASE. That's the three products that universally work as a firewall. Hardware is still the fastest inspection at lowest cost. Software is next. SASE is more expensive because I gotta go to every laptop, put it on the laptop, and it's more expensive to deploy and maintain because of the spread of it. So if you believe that, there are still many use cases where hardware is the best way to solve the problem, and that's not slowing down.
Now, because a lot of the world is going to the cloud, you don't see it, but Google buys some hardware from vendors, and Amazon builds its own, and Microsoft is a bit of mix and match. So as you move to the cloud, the data centers are going, the hardware's moving from the data center to the cloud. Some people buy hardware. Some people don't. But the amount of inspection needed is not stopping. So there is gonna be a steady growth rate of the hardware business. I've always said for the last six and a half years, in the 0-10% range. Some years it's 0-3%. Some years it's 8-10%. The pandemic supply chain caused a bunch of fluctuations, but I see it coming back to normalcy. It's in the 5% range.
What the real value is when you deploy hardware, can you put more software on top of it? I think what's changing is we're adding more and more software capabilities because the hardware box is an amazing piece of compute and throughput sitting in the customer's infrastructure. Once we get there and we have 60,000 customers using it, we can do a whole bunch of stuff on top of it.
Gotcha. So I wanna talk about free cash flow, and I wanna ask you about billing just to preface.
Oh, what is that?
Anyways, if you look at last quarter, I mean, pretty impressive free cash flow results. The billings result was, I think, below where people had expected. Again, you're not guiding to it, but.
So you shouldn't expect something I don't pay attention to.
Yeah. Fair enough. Fair enough. Can you just talk about, as investors look to get comfortable with the free cash flow guide, what other levers you have to control free cash flow? And I think investors recognize the one million plus you have in short-term backlog and short-term finance receivables, but anything else you can provide around color around some of the operational and working capital benefits?
Yeah. I possibly, you know, a colleague of mine used to say, "Repetition does not spoil the prayer." So I will repeat. Billings is the worst metric to measure software companies on. And if you measure companies on billings, it means you need to understand the dynamics of our businesses. Because billings is fundamentally driven by what payment terms customers accept. Traditionally, customers are willing to pay you upfront for three years. Now, there's a model which is closer to one year. And depending on what proportion of your business is three years versus one year and where you land in the spectrum is what billings is for that quarter. If you can predict it, I got a job for you because it's a very hard number to predict if you don't understand payment terms you're taking every contract.
It creates a ton of friction in our businesses when we're trying to beat a billings number because we're trying to get more three-year deals because we're trying to get a better billings. The longer the tenure of the deal, the better the billings number, fundamentally. So it fights in the face of SaaS businesses who sell one-year deals. So looking at companies on billings is a bad idea. Even though I say that your first two paragraphs of your research last quarter were dedicated to billings, I don't know why, but one of these days I'll convince you. But the numbers to look at is how much business do we book? What is our remaining performance obligation? What is my deferred revenue? And what is my revenue for the year? My revenue for the year pays my bills.
My deferred revenue or RPO tells you how much business I've contracted. There's nothing to hide. So that's why we pivoted to that. That's where we wanna live. That's where we're gonna live and die by. Billings, I don't understand anymore.
Yeah. Got it. Okay.
On free cash flow, so the only thing going, "Oh my God, if you're doing more one-year deals, you're not collecting as much money upfront." 50% of our business comes as upfront business, below $1 million deals. They just come and give the check. The channel collects the check, gives it to us. The 50% free cash flow is not perturbed by any change in duration on my deals. Of the remaining business, half of my business is already gone to an annual payment terms. That's de-risked. I collect every year I bill, which means I have other collections I can have which are still not collected from past years. The remaining half of that is set at a normal decay over the next many years because when I joined Palo Alto, it used to be 5% of our business. Now it's 25% of our business in annual billings.
50% is stated constant. It's decayed 5%, 3%-4% a year. If it decays at that point, we maintain mid to high 30s in free cash flow. If it decays at that rate, we expect we'll be able to maintain that. That's not a bad place to live.
Yeah. Got it. I'll ask one question from the audience. The question is whether diversification of solutions is preferred in cybersecurity. And you spoke a little earlier about how it's physically not possible for companies to manage 50, 70, 100 different solutions. But any change you've perceived in the market around risk diversification following the CrowdStrike incident? Has that materialized at all?
No, I think it's a fallacy to believe that having 40 vendors allows you diversification. I think the benefit is of consolidating into single stacks where things will move fast. Like, imagine if you, you know, like, it's a crass example, but between the time you log into your laptop and by the time that, you know, connection hits your data center and hits AWS, you run through seven cybersecurity vendors. Somebody's gotta figure out across these seven vendors what happens and how to protect. I don't think any company out there is gonna have the resident skills to integrate our products at scale, speed, and deliver the outcomes as quickly as they're needed. So eventually, you will see this world of platformization that's gonna emerge, and you will see that smaller vendors are gonna be by the wayside because I think that strategy hasn't worked.
It hasn't worked. Like, we have history to prove. There's $12 billion in ransomware that's been paid. But if it was working so well, that sounds like a lot of money.
Yeah.
That shouldn't have had to be spent. So that strategy hasn't worked, and the fact that we've been able to convince 1,100 instances where people want to consolidate your vendors, we've consolidated an average of five to eight vendors every time we do one of these.
Yeah. Cool. Well, I think we'll end it there. So thank you very much for joining us. Great, great chat. And thank you all for participating.
Thank you for your time.
Yeah.
Appreciate it. Thank you, everyone.