Excellent. Thank you, everyone, for joining us. My name is Keith Weiss. I run the U.S. Equity Research franchise here at Morgan Stanley, and I'm very pleased to have with us from Palo Alto Networks, Nikesh Arora, Chairman and CEO, thank you for joining us.
My pleasure. Thank you for having me.
Excellent. Before we get started, for important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. All right. With that out of the way, happy birthday to Palo Alto Networks. 20-year anniversary.
Thank you. Yes. 20 years. Most cybersecurity companies don't survive 20 years.
No. No, definitely. And Palo Alto is definitely.
It's also Workday's 20th anniversary. Did you know that?
I did not know that.
Carl sent me a note. I sent him a note saying, "We turned 20, so so do we." I'm like, "Will you let me have a moment of glory?"
I should know that because we worked on both IPOs. Anyway, so thank you so much for joining us. Palo Alto has obviously changed a lot over the past 20 years. The cyber markets changed a lot over the past 20 years. Maybe narrow the focus in a little bit. I thought maybe we could start out with just like a state of the union. What's going on right now in terms of the demand environment, the threat environment, and how sort of Palo is adjusting to that environment?
I mean, look, the last few years, we've had a reasonably steady demand environment in cybersecurity, and cybersecurity demand is driven by the technology market. The more excitement there is to deploy more technology, you see more automation, more consumer deployment, you're going to see the need for security. Twofold. One, every new technology needs to be secured, and two, there's still a large amount of technical debt that has not been paid in terms of upgrading of infrastructure that has its own course, which will take its course in the next 5 to 10 years. Now, I'd say the last few months and perhaps a year or so, we've had a new technological wave that is ahead of us called AI. Can't have a meeting or discussion without the conversation around AI.
From that perspective, while AI is taking its time getting deployed in enterprise, I think everybody's mostly in an experimentation phase. There is an experimentation phase on the consumer side with the Geminis, Groks, OpenAIs, DeepSeeks of the world. There's enterprise use cases we're all experimenting with. But what is also fascinating is you're seeing the bad actors have figured out that they can also have AI-assisted cyber hacking capability, which is going to accelerate the pace. So every time the pace of cyber threats accelerates, the focus on cybersecurity continues to be there. So I think we're going to see a reasonably robust cybersecurity demand market for the next few years as we go through this next technological cycle.
Got it. I've always been of the mind similarly that security demand drives from expanding surface area, and AI is going to expand that surface area, especially when you start to talk about agentic computing on a go-forward basis, rising threat environment, and regulatory, right?
Exactly.
Regulatory reviews. The one that I wanted to get your opinion on is the rising threat environment, because it's been so persistent over the past 10 years, 15 years. Does that still work to drive demand, or does it just keep the demand at a consistent level?
Look, there are new threats, right? I was having this conversation earlier in the investor group, and there's a discussion. They started bandying the word agent around. Agentic AI in the future. Now, I said the biggest example of what an agent can do is drive your car. Waymo is agentic AI, right? You've got an agent with autonomous control driving your car. The next attack vector is I can hijack your agent. And that allows me to do all kinds of bad things that I want. So the question is, what is the security solution for agents that are going to get hijacked or agents that are going to get tampered with? So there's a whole new threat vector that has now arisen with the arrival of AI or potentially agentic AI.
So I think the cyber threat environment continues to increase, and you said it right, as the attack surface increases, as the more scenarios and opportunities we create for individuals to interact with technology or for technology to interact with technology itself. So from that perspective, I think it's going to be sort of, as I said, a robust demand for the next few years.
Got it. Pulling on the thread of AI and generative AI, there's both the sort of demand side of the equation of AI expands the surface area. AI is in the hands of the threat actors. The phishing attacks that I'm getting are a lot more sophisticated. It's harder to tell them apart. It also gives you guys more tools, right? It enables you guys to, I mean, you've talked a lot about the lack of security analysts and sort of that being a critical need within security and something Palo can help pursue. AI seems like a good new tool in your arsenal to be able to help solve one of those core needs in the marketplace.
Yeah. That's a good point. Look, security is complicated. Many of our security products are complicated by definition, which means not only do we need great security products, but we also need amazing practitioners and users on the customer side to be able to deploy our products and leverage them to their maximum. If you can imagine that AI can assist our customers in deploying our products, perhaps take over the task of automation or recommendation or remediation using some sort of agentic AI on the positive side, it'd be a lot easier to deploy our products. So from that perspective, we feel we're in a better position than many because we have critical mass and scale as a cybersecurity company.
It's a lot easier for a $120 billion cybersecurity company to go invest hundreds of millions of dollars in developing that future than for a startup which has to go make their core product work to go deploy AI within their core product. So we feel we're in a good place, but there's a lot of work to be done. I think, generally speaking, across any industry for any sophisticated application, we don't have the right data. Most companies don't have the right data because you haven't collected the right data. You don't have A/B testing. You don't know what good looks like. So we're going to spend the next two, three years as industries across the board saying, "Here's the right data. Here's what a good outcome means. Here's what a not-so-good outcome means. And how do we train AI to understand how to generate good outcomes?"
Right. It's an interesting sort of point you bring up about data. When I think about your tenure thus far at Palo Alto Networks, and I think it matches with what's been going on in the industry, is an increasing focus on the data, right?
Yes.
Making Palo Alto less about, "We're just blocking different threat vectors, but we are sort of accumulating data about your threat environment, accumulating data about your positioning for that, and making use of that data to help protect you on a go-forward basis." And it's part of the platformization kind of strategy that you have talked about, and it's part of what's driving people to consolidate more of their solution. Is AI another kind of impetus towards that consolidation in that because AI is going to accelerate sort of the value of that data, it just increases the value proposition of what you're presenting in terms of a consolidated platform or that platformization?
So look, if you step back and look at first principles of security, typically security has been a scenario where you build a sensor, you put it at the edge, and say it acts like security. It only lets good things get inside. It blocks bad things at the door. It's like how security has traditionally worked outside this door, outside the hotel door, right? That's how security works from a perimeter perspective. We've talked about SASE perimeters and perimeter security as the thing. The problem is, irrespective of how good your perimeter security is, things sneak in. That's how hacks happen. People's identities get taken over. People get into your databases, exploit them. So the question isn't, well, the question is, how good is your perimeter security? But the question is, if somebody gets in, what do you do? How do you figure them out?
How quickly can you find them? And how quickly can you shut it down so they can't steal your data? The only way we think that's going to be possible is if you look at all the data flowing through the enterprise, find anomalous behavior, have high signal-to-noise ratio in terms of good signal, and shut it down. Now, if you believe that from an engineering perspective, the only way to get it done is you have access to all the data. You have low-latency machine learning models running on a constant basis looking for anomalous behavior and shutting it down. If you want that future, you have to have all the data accumulated in one place.
So that's why we've always maintained that the future of real-time security is going to be an analytics-based, machine learning-based, AI-based sort of system which requires you to consolidate all data, make sense of it in one place, which has not traditionally been the model of security. The model of security was collect all the data and we'll go look at it if we have a problem. It's no longer that. You have to look at it while it's happening if you want to get real-time outcomes.
Right. And I go one step further. The model was get a best-of-breed solution for every different data type, if you will, or every different threat vector, and try to tie together all those solutions, which created risk in and of itself because the bad guys could sort of weave between your different solutions. You guys presented a concept last year of platformization, of kind of bringing together more of the solution onto one platform, bringing together more of the data. How has that? What's the traction been like with that initiative? What's the feedback you're getting from customers about platformization?
Look, we've maintained. I've said this before. If you go back, I started working in technology 30-plus years ago, and we had 27 applications at a large investment firm which made up the sum total of our CRM activity. That was 30 years ago. Today, at best, you have one system, maybe two, that encompass the entire expanse of what you do from a CRM perspective because we figured out that this stuff needs to talk to each other and work together. It makes no sense to sit in 27 different systems. Today, security has that attribute. It is 27 vendors to 50 vendors in each enterprise which do security. Yet you see breaches every day, billions of $18 billion lost in sort of economic value when people get breached. So that model has to change.
The only way we change that model is you start consolidating security capabilities into singular platforms. You can see that trend is beginning to happen. I think the word platform is used by almost every security company, which may or may not be a platform. We did 75 last quarter. We've gotten to 1,150 or so in platform deals. We think we get to 3,000, 3,500. We double the business, triple the business in our ARR. And this is the best part of our business. It's sticky, has high net retention. It has great customer value from a security benefit. It actually reduces the total cost of ownership for our customers. So it's generally a great commercial outcome for our customers, great commercial outcome long-term for us, a better security outcome for them.
So in an enterprise of 99% perspiration, so you got to keep our head down and keep perspiring to get there.
Got it. And sounds great. What's the friction? What's the pushback you hear from customers about sort of driving that consolidation?
The people who like it do it for all the reasons I described. The people who are skeptical are often skeptical about the idea of putting all their eggs in one basket, and I ask them when they go to the grocery store, do they get one box of eggs or do they get 17 boxes to keep the eggs separate? Normally, it's one egg, one basket, but they just don't want them all in the same place. You'll get the argument that I have differing duration of my economic contracts with 727 vendors. How do I consolidate that? We provide a solution for that, so I think it's a matter of time. It's a matter of time as people start to see you have to show the benefit.
And the benefit we have been able to demonstrate in our XSIAM platform is we are operating at a median time to detect security incidents to under a minute and remediate in under a minute, which is as close to real-time as the industry can get. If I can get my customers who are on average at four to seven days to minutes or under an hour, that's a good start. So we're saying, forget about the conversation of platformization. Imagine if I took your time to find a threat in your environment and remediate it down from four to seven days to one minute. How would you feel?
Right. Because the cost of the breach is going to be directly related to how long is it persistent in your environment.
The best time that people focus on cybersecurity is when they've just had a breach for that reason.
Right. Got it. So you mentioned the Cortex XSIAM, your next-generation SIEM solution. It's automating the security operations center. It's what we think of as the next major product cycle within Palo Alto. What makes you feel that this market is ripe for disruption right now? And where are you winning share?
Look, when I started seven years ago, actually, I was at a Morgan Stanley event four days after I started, and I had the pleasure of meeting some of the EDR vendors. And David Chen, who's here somewhere, had me go for a walk with some of them, and I sort of was new in the industry. I didn't know how to spell cybersecurity. I thought it was two different words. Anyway, and I went for a walk with these guys, and they told me how EDR was the next thing. And if you look back, one of those companies is probably worth $85-$90 billion. They were $2 or $3 billion seven years ago, but they were at the inflection point of where endpoints were migrating from McAfee and Symantec to them.
I think we're at the same inflection point in the SIEM SOC business where we are going to change the entire landscape in the next five to seven years. Some vendors which technically started 17, 20 years ago in the SIEM business, when you couldn't consolidate the data, it was expensive. You couldn't run machine learning models because they didn't exist. And you did not have a concept of real-time security. It was a concept of offline query-based security. So I think that inflection point is here. It's a $40 billion market. In the next five to ten years, it transforms. And hopefully, we're in a great position to be able to take advantage of that.
Got it. I like that analogy a lot. It makes a ton of sense. In the EDR side of the equation, it was the core technique being used for doing endpoint detection couldn't keep up with a threat environment. There was a necessity for a technological change. If we sort of draw that analogy down to the technology layer, what is it about the Cortex XSIAM that is solving that similar technology problem? And what exactly is that technology problem?
Look, traditionally, security operations centers were designed to investigate a breach after you understood there was a breach. Somebody says, "We have a problem. We have a breach. Go analyze what happened." You'd say you'd go into your data logs. You'd run a bunch of analytics. You'd figure out, "Oh, this happened this way. I found the cause. Let's go trace it back. Here's how much data we lost." The average time to figure out a security breach and remediate was anywhere from 27-120 days. In 27-120 days, you can shut down a business. You can take all the corporate jewels, the crown jewels, and leave. Today, that time to go in and exfiltrate is 11 hours. You can get in, steal data, and leave in under 11 hours. So you've got to have something that goes to solve the problem.
So current technology is we take all the data. We ingest it. We run it through 5,000 machine learning models at ingestion to see if there's any pattern recognition of 5,000 different ways that you can be hacked. We take that. We stitch events. And we actually have all the data analyzed. Our view is if you don't analyze every alert, every piece of data, you're not going to block bad activities from happening. So it's kind of gone from an offline query-based post-breach model to an inline real-time analytics model because latency is low. Cost of data is a lot cheaper than it was 17 years ago. So you can actually deploy those techniques. And you can save a lot of economic value in people not getting breached. So I think it's new tech. It's using machine learning. It's AI. I think that's where the future needs to be.
Taking the focus from reactive to proactive.
Right.
You guys, last year I believe it was, signed the IBM partnership. It was twofold. One, you have over 1,000 IBM consultants that are helping you guys sell XSIAM solutions. Two, it gave you access to the QRadar asset. And you can start to bring those customers on board to XSIAM. How has that partnership been running for you guys?
It's amazing. It's one of the best partnerships I think we've done. It's one of the best partnerships from a model perspective in the industry. IBM got to now suddenly work with us and deploy multiple cybersecurity solutions, best-of-breed in the market from Palo Alto. Earlier, they had their own captive products. We got access to a large SIEM customer base. And we got the support of IBM. There's instances where Arvind and I both called on a customer together. Our head of sales and their head of sales have called on customers together. So they've actually been very proactive in helping us migrate their customer base from QRadar to Cortex XSIAM, which is great because they can, over time, end of life that product. They can focus on their new acquisition, HashiCorp, and the developer side. We can focus on security.
Their consultants now have the option of selling the best security products on the market.
Got it. How far through that customer base have you guys gotten so far?
This is a robust pipeline. I think, as I said, economically, it's going to end up being a phenomenal deal for us. We are some part through their customer base. Some of them have renewed their QRoC subscriptions, which will, over time, be able to migrate to Palo Alto.
Got it. I want to switch gears and talk a little bit about SASE and kind of where we are in that transformation. Is there still? We've seen a lot of transformation within network security. SASE definitely met a need in the marketplace. It aligned to sort of what we're seeing in terms of the explosion of cloud-based applications. Is there still that same type of appetite for a transformation? Is there still as much sort of opportunity for SASE on a go-forward basis as we've seen over the past couple of years?
I think we're only about 15%-20% of the way there. I think there's 80% of the companies that haven't transformed their SASE capabilities yet. Morgan Stanley hasn't. A whole bunch of banks haven't. So a whole bunch of people out there who are actually still analyzing that journey. I think AI is going to be a continued stimulant in terms of getting people who have been reluctant so far to move towards that future. The first big inflection point in SASE came from the pandemic. Most companies were set up to have 10% of employees be able to access everything remotely. You had to still go to the office and do half the things because you didn't have access from home. You didn't want to touch portfolio attribution systems or trading systems from home because they were proprietary. They were stuck in your data center.
The pandemic hit. You had to provide access. Employees couldn't work. So we had a big inflection where people had to make every system accessible from anywhere at any point in time, not just cloud-based systems. That caused the first inflection point. That caused us to build our SASE product where originally SASE was more of an internet access product, which was typically provided by Zscaler. That has gone through one more cycle of evolution where people are saying, "Wait. Now I don't need to take my employees straight to my data center. I can take them to the cloud and decide where traffic goes, cloud or data center." And as we go more and more cloud, as we have private applications sitting in the cloud, the customers are being forced to deploy some sort of a SASE solution.
I think the next leg of SASE from our perspective is over time, we think the browser becomes the operating system of the future. We think a lot of people who are on their iPads or their laptops right now, you have some version of a thin sort of OS in there for the most part. I'm pretty sure a majority of you would have to shut down your laptops and start paying attention if the internet was down. You're only able to use these things because the internet exists. 90% of your work is being done in a browser. If that's true, the browser is a phenomenally better way to secure you than any other technology in the world. So we think the world goes towards the browser. We think 50% of enterprise access is through a browser.
You were lucky enough to buy a browser company about a year ago. A third of our users in SASE last quarter were browser-based, which is interesting.
Got it. So can we expand upon that in terms of a lot of opportunity left? You're talking about 80%-85% of the opportunity ahead of us. There's new technological changes that can help to accelerate sort of that transition towards SASE. The competitive market in SASE has definitely expanded as well. Every vendor that I've talked to this week has a SASE solution or expanded their SASE solution.
Great.
How does Palo Alto?
It'd be horrible if nobody else thought it was a great idea.
It's true. How do you guys look to differentiate the Palo Alto Networks solution from all the other vendors out there?
Look, our underpinning is security. When SASE originally was an internet access market, you accessed cloud applications. And you believed that Salesforce is secure, ServiceNow is secure, others are secure. You don't have to worry about it. But the moment you started having to access your private applications in your data center using a SASE front end, you wanted better security. So we come from a security background and underpinning of strong security from a firewall perspective, which translated well in us being able to do that. Our differentiation is we are the only vendor in the market that has a hardware, software, and SASE form factor which runs on a single platform. To replicate us, you'd have to at least have three to five vendors to replicate a network security platform. So that's a differentiation.
Our browser is the cherry on the pudding because nobody else has an integrated browser in the SASE solution, which allows us to go differentiate ourselves in the market. Seven years ago, we were not a SASE player in the market. Today, our SASE business is almost as big as a hardware business.
And in terms of being able to leverage that firewall install base, having that hybrid solution between hardware and software, how do we think about the ASP uplift when a customer goes from being just a more traditional next-generation firewall customer to a SASE customer for Palo Alto?
We've done the math before and shown that our customer value goes up to one and a half times as they go from being a hardware customer to a SASE customer because of the more expanded sort of QRoC that SASE provides. You don't need to deploy hardware. You don't need to recycle hardware. You don't need to go send people to go replace the boxes. You can run this as a SaaS service in the cloud. It's a phenomenal economic outcome for us. More importantly, it's a great outcome from a customer total cost of ownership because it's expensive to replace hardware. It's expensive to configure hardware. It's expensive to service hardware. If you're running a SaaS platform, remember, everybody's on the same version the day we decide to upgrade the version. In hardware, it takes two years to get everybody to the same version.
Right. Got it. You mentioned the Talon acquisition, getting that secure enterprise browser. Relatively early days in terms of this concept and pushing this out within SASE. What's the initial customer response been? Have you guys started to get traction with this solution yet?
Yeah. Look, if you think about it, the few use cases, which are horrible technology use cases in our industry is, one, most companies don't have a solution for contractors. If you have a third-party contractor, they don't want to put your software on their devices. So how do you protect your enterprise if 30%, 20% of your workforce doesn't want to put a security solution delivered by Morgan Stanley or delivered by Home Depot or delivered whoever you are? So from that perspective, a secure browser allows a third-party contractor to access your capabilities, shut off the browser, go do what they need to do, and they're comfortable with that. There's a use case called VDI, which is clunky, high latency, hard to use. That can be replaced with a browser solution. Your mobile devices can be replaced with a browser.
The most interesting impetus we're seeing right now is companies want their employees to access AI applications. But their biggest fear is, "My employee is going to take proprietary information and upload that into ChatGPT or Gemini and ask it a question." And oops, my corporate data, my drug formulation, my CAD design for my chip is now being used to train a public model. And I didn't know that was going to happen. The only way you can see what people are doing in your company in an unencrypted way is through a browser. So we have customers who are deploying AI applications in the company saying, "Every employee of our AI-leaning organization use the browser from Palo Alto.
As a result, we can see and block you from entering proprietary information." So literally, we have a customer who's bought 240,000 instances of the browser because they want to be an AI-first company and say, "You can all use AI. Just use it with the Palo Alto browser." So I think that's going to be the inflection point because organization enterprises, rightfully so, want visibility into the traffic between AI models or AI applications and their employees to make sure proprietary data doesn't go back and forth. From that perspective, that's the only way to inspect it and to protect it.
Got it. Got it. One more area of the next-gen portfolio I want to touch on, cloud security. Palo was an early mover and an early market leader in cloud security. How has the market, where are we in terms of kind of market penetration? How is that opportunity evolving for you guys over the past couple of years?
So the cloud market, I think, is in its sort of third iteration, which is where it's going to live. The early days of cloud security was, "I'm going to Google. I'm going to Microsoft. I'm going to AWS. What do I need to worry about?" So you're going to have to configure AWS, Microsoft, and Google for yourself. When you configure, you can make mistakes. When you make mistakes, people can hack you. That was called cloud security posture management. You had APIs coming from all these places. You looked at the configuration mistakes. Oops, you got a problem. Fix it. It was fine because if you go, "Oh shit, but I'm writing my own software. What if my software that I've written has flaws?" So then you had this notion of code security. How do you protect your software code and secure in the world?
Other people like that showed up. They said, "Okay, great." Then you sat there in security and said, "Holy shit, I'm getting a lot of alerts. I'm getting 100,000 alerts. And none of this stuff is in production. It's all sitting in some developer's laptop or it's sitting in some configuration." So the whole world started moving towards only protect what's running in real time in production. Pay attention there. All the other stuff is sort of before all the production issues, which is where agents come into play sitting in the public cloud from a real-time perspective. So the first wave was the version of CNAP. The next wave was code security. The third wave was how do you marry real time and the other two. So we spent the last nine months moved our entire stack into our Cortex stack, which is where we do real-time security.
We relaunched the product called Cortex Cloud, which does all that connective tissue. So our view is that if you go forward seven or 10 years from now and look back, you'll realize security is a data problem. All the data has to sit in one place. If you look in our industry, there's either analytics products or perimeter products. Perimeter products, we have a reasonably good market share. And we have a lot of products that play in that space. We think over time, the entire analytics industry collapses into some sort of platform like XSIAM. So we'll see slowly as we collect all the data, we will be able to build analytics products because otherwise every analytics product tries to ingest the same data we already have it.
So we can provide a lot lower cost of operating a lot more integrated solution as long as you can run the analytics on one large data lake.
Got it. Got it. Old habits die hard. So I got to ask you about the firewall refresh.
Do you have old habits?
Yeah, and it does feel like we're in an upcycle early innings of.
You've been listening to our competitors.
Yeah. It's not a problem.
No, no, no. I'm just guessing.
Okay. I'm listening to Hamza. Could this be a positive for the platformization trend? As these customers come up for refresh, does that give you a good opportunity to go in there and sell the broader base?
There's this fallacy about a refresh, which is perpetuated in the industry since I don't come from the industry traditionally. We don't sell iPhones. Like, "Oh, there's a new one in pink. I really want it. Forget the fact that I bought one last year. Let me just go throw it away and get a new one." Our industry works pretty much on a cycle. I bought it seven years ago. It's getting old. I need a new one. If I don't get a new one, I'll have a security breach. So our refreshes are very well documented, cataloged with our customers. They know after six or seven years, you have to change the firewall. If you wait for eight years, it doesn't get serviced, which defeats the purpose from a security perspective.
I know every firewall I sold seven years ago is up for a refresh all the way from between five and a half to seven years. So it's a very well-understood cycle. If I sold $800 million of the firewalls six years ago, $800 million or so are going to come off renewal. Some people stop using them. Some people want to get a bigger one, et cetera, et cetera. So it's a very defined cycle. I don't think there are spikes in this refresh business. I will tell you, if you step back, what does the firewall do? It inspects traffic. Any traffic that goes between you, your company, that goes between one company and the other company, that goes between a machine to a machine, every bit of traffic has to be inspected.
It's like everybody who goes through an airport has to go through a security check. Every bit of traffic has to be inspected. If you step back and say, "The global network traffic doubles every three years," which means you have to inspect more traffic. There's only two ways to inspect traffic. You put a big hardware box and all the traffic goes through it, or you send it all to the cloud and you inspect it there. So I think generally the market for traffic inspection needs to double every three years. The cost for inspection goes down every year. As a result, there is an 8%-10% increase in the market value every two to three years. That's a combination of hardware firewalls, software firewalls, and SASE.
We've been growing that business about 20% every quarter for the last many years, which means we're taking share in the inspection business. That's how I look at it. The hardware refresh is just an artifact of a part of our business. But if I can do more software inspections, it lowers TCO for my customers. If I can do more SASE, it lowers TCO for my customers. But in some cases, hardware inspection is the cheapest cost of inspection.
Got it. I want to shift gears a little bit and talk about M&A strategy. And this is something that's been super impressive in the Palo Alto story. I remember early days when you took over as CEO. While the industry view, while the investor view on M&A had been very sour, there was a lot of consolidating acquisitions, a lot of acquisitions that didn't work, you came out with a point of view saying, "Listen, there's nothing inherently bad about M&A. You just have to target the right M&A. We have to be buying in the areas where the customers are going, not where the customers have been." And it's been remarkably successful. I think Talon falls into that category. Is that the same philosophy you take on a go-forward basis?
Any areas that we should be kind of focusing on of where the puck is going on a go-forward basis?
As you know, cybersecurity is one of the most innovative industries in the world. We always have to stay one step ahead of the bad actors, so we are not sort of vain enough to believe that all innovation will come from Palo Alto. There's a bunch of smart people out there innovating on a constant basis, so we're constantly scanning the market. We look at about two to three hundred companies a year. The idea being that if they've got something that is cool that needs to be deployed in our market, we can bring them on board and use our go-to-market engine and integration engine to go make it useful. Talon, we sold 30% of our SASE business was Talon in the last quarter from an endpoint perspective where one year ago we didn't have them, so we are able to buy, integrate, and deploy.
But it's getting harder because we are now in 25 categories where we sort of win from a Magic Quadrant perspective. But we're always on the lookout. Now the new kid on the block is AI. You've got to watch and see where AI lands. It's the same philosophy. It's hard to do go-to-market acquisitions because we don't feel like paying multiples of revenue. But it's good to be able to buy products, which you can then put into our go-to-market engine and go amplify that in the market.
Got it. I want to sneak in one last one on the profitability side of the equation. Palo has seen pretty significant improvements in EBIT margins over the last year. Can you talk to a little bit on a backwards perspective? What's driven that sort of improvement in profitability? And is there significant upside on a go-forward basis? Is there still further room for leverage?
Look, when I joined seven years ago, our margin was a 20-plus range. I had to take it down to go invest because we hadn't invested enough in innovation. We had to go buy some companies. We had to go a whole bunch of go-to-market changes. We've now gotten it to the high 20s, which I think is a good place to live if you're trying to grow the business in the 15% range. I think the AI sort of opportunity from an efficiency perspective, all this agentic stuff, all the stuff that allows you to run a much better business is going to be positive. I think we're going to be able to eke out 50 to 100 basis points a year of improved margins over time, both from scale benefits and AI.
I do think there's a bigger prize on AI, which is three to five years out if you can get it right, and we're leaning in heavily from our perspective because if you believe we can get a 4-500 basis points improvement in operating margins with AI in the next three to five years, that allows us to be a very different cybersecurity company. Then we can start looking at other companies which are not operating at our level of efficiency and justify acquisitions, which can allow us to selectively grow in the right way.
So just to be clear, that three-to-five-year opportunity is just compounding the improvements from utilizing AI internally and becoming that kind of next-generation company in terms of how you're operating.
Yes.
Outstanding. Unfortunately, that takes us to the end of our time. Nikesh, thank you so much for joining us and sharing the Palo Alto story.
Thank you, Keith. Thank you very much.