This is a very special session.
This is a very special session. Can you hear me loud and clear? Welcome to day three of the Golden Star Community Copyright Technology Conference. This is the fourth year in a row that we rebranded this conference and merged two or three business units, not business coverage areas, together to create Community Copyright Technology. Registration is up very nicely. We crossed 3,000. I know in your industry that's not very bad in finance. It's 3,000 plus, up mid-single digits.
It's a huge number.
It's a very big deal. I will turn it over to Bipul in a second, but I want to tell you a very good story. The year is 2013 or so?
'13, '14.
Yeah, 2013 or 2014. You had started the company. It was an idea. I still remember vividly how there was a whiteboard, and you drew on a whiteboard the idea behind Rubrik. I was just spellbound. Distributed systems in a cloud world. This is yet another technology inflection and yet another idea that is poised to benefit from the new architectural approach to how everything changes with the cloud. Twelve years later, they are a public company. It was a delight to work on your IPO. The IPO, not everybody got it. It was a tough idea to buy into. Here you are, one of the more enviable multiples of revenue cash flow. Congratulations on turning over the best of sentiment and earning a credible spot in people's minds. That's really well done, my friend. Very well done.
As I say, we are still in the early days of Rubrik. I accept your congratulations, but I'm happily dissatisfied because Rubrik will always be a misunderstood company because Rubrik will always be at the frontier of innovation. I used to be an engineer, then I became a venture capitalist and now a founder CEO. I always believe that the best companies are counterconsensus and misunderstood. That's when the value is created, and that's when value is realized. I would say we are still evolving. We have just put our initial kind of throw our initial salvo into AI. We are defining what the AI acceleration would be in the enterprise. We're constantly changing and evolving. There is an impermanence to Rubrik, let's just say that.
I like that. I'm going to ask you my open question. We're not even opening this conversation yet. It's just going to get started. I have to tell you something that came out of our fireside chat last year. You've been on the firesides as a product company. Every time we do this, I learn something about Rubrik and I learn something about you. Last year, you said somebody said I should go get an MBA. I decided to go to MBA Wharton. As a targeted goal, it was too easy compared to engineering, which is too easy. I decided to come back and do something in tech. I found that very on that note. How has the vision of Rubrik changed in the last few years? One of the things about you that I like is you adapt. You adapt. You adapt.
Some entrepreneurs are stuck with a vision when they found the company. It's that vision. They just march towards it, whether it comes to fruition or not, whether they have to make course corrections or not. They don't generally do a great job being flexible. You have been so flexible and adapting, adapting. How do you see the last few years for Rubrik? How do you see the road ahead to the extent that you can for the next four to five years?
I love markets. I don't love technology. That's a very bad thing to say for a technology CEO. A lot of times what happens is that technology people fall in love with technology, and they don't track the market. Market is where the truth is. Market is where the demand is. Market is where transformation happens. Market is always changing. You need to have a very strong sense of where you come from. We came from backup and recovery, which means that we have all the enterprise data in a single place. We use that enterprise data to recover businesses, applications, services from cyber attack. We are not stuck on that idea of recovery. We are stuck on the idea of all the data. Then how do we constantly evolve to make that data more useful, more productive, more beneficial to our customers? That is what we have been pushing.
Our step one was that data should transform backup and recovery industry into a cyber recovery-like play. Next was cyber recovery itself is not enough because you need to also understand risk if you are really ready for recovery. We expanded the whole idea into cyber resilience and created this whole paradigm that you should assume breach. If you have to assume breach, you need to understand the risk and be able to do the recovery. Now what we are seeing is our customers want to accelerate their AI journey. If you think about AI acceleration in the enterprise, there are two facets to it. One is, do you understand the risk of AI adoption, agentic adoption? Are you able to deliver AI in an accurate and cost-effective way? In both these scenarios, data is the critical piece because data can be used to assess the risk.
Data can be used to deliver more accurate results because you can fine-tune models using the data. We acquired a company called PrettyBase. They are the model fine-tuning and inference serving platform. As you can see, it's kind of like you never forget where you come from because if you forget where you come from, you belong nowhere. We belong in data. Data is not our be-all end-all. We are in love with our customers and market.
That's great. My colleague Matt Martino watched this space. It's going to be a big shot one day. Before I have him join the discussion, I wanted to sound like I'm half as smart as Matt Martino and ask you a couple of questions. The install phase of this industry has been around for a very, very long time. One of the things that I remember you telling me several years ago is that this is a B-plus space. We want to be an A-plus company in a B-plus space, right? When you look at that install phase that's still running decades-long legacy, what is the path ahead for Rubrik? How easy has it become displaced in governance and become the new system of choice?
Displacement doesn't happen just because you have a cheaper technology, or displacement doesn't happen just because you are a little bit better. Displacements happen when you have quantum shift. Quantum shift, me as a venture capitalist, has always been that can you create 10x value for the customer so that they are compelled to change? If you look at the world today, every enterprise has spent like millions of dollars between 80 to 100 different technologies to prevent and detect cyber attacks. I'll be as bold as to say that this whole cyber industry has been a bogus industry because where else will you spend $200 billion and still get attacked every day? The strategy has to change. That new strategy has to be one of resilience and recovery that assumes breach.
When you say I'm assuming breach and I'm ready for cyber attack because 1%, half a % of attacks will be successful, how do I keep my business up and running? How do I have integrity in my data? That's the compelling 10x reason for people to change. Just because you have legacy technology doesn't mean that you can recover from cyber attacks. People are learning this the hard way. I mean, look at Mark and Spencer. Look at UnitedHealth Group, Change Health. Look at MGM. These are all proofs that just because you have a legacy backup, just because you have a backup team, and just because you have best practices around recovery, it does not work for cyber because cyber is a completely different game.
Bipul, you've spoken in the past about the importance of layering concurrent S-curves. Data protection was the first. You're now making strategic bets on DSPM and identity recovery. What gives you the conviction that these two markets represent the right S-curves for Rubrik's next chapter of growth?
If you look at the last five, seven years of evolution of cyber attacks, hackers are not hacking in. Hackers are logging in. They are behind firewalls, behind your VPC. Why is that? It is because of the ubiquity of computing, personal devices, and our inclination to click on an offer. Identity theft, a credential compromise, has become the number one cyber attack vector because now attackers are not technically trying to outwit us. Now they are trying to psychologically outwit us. They are creating psychological compulsion loops in the name of an offer or a friend request or text message. Before we think, our system one thinking clicks on it. As a result, identity and identity protection has become a huge issue. The issue with our industry has been in cybersecurity, identity had been seen as an infrastructure. Can we allocate identity, Okta? Can we do PAM?
You have CyberArk. Can we actually do access management? You have SailPoint. These are all infra side of it. If you look at CrowdStrike, it's doing a great job in identity threat and response, just like SOC. There is a space in between where you say, if an identity is compromised, how do I know how much data is at risk? Identity companies have never looked at the data side of it. That's the biggest risk. If there is a privilege escalation, how much of a new sensitive data comes into the picture so that if you have identity compromise, what is the blast radius? How do I understand what is going on to my sensitive data? All the great things happen at the intersection of two unrelated or seemingly unrelated stuff.
That's where we see the opportunity of bringing identity with data to really create an identity resilience platform that goes from preparation stage, that do you have misconfigured identity, misconfigured data, to threat stage where you say, is somebody actively changing identity or escalating the privilege in a way that is detrimental to your posture? If your identity system gets compromised, how do we recover it so that you are back up and running in terms of hours, not days and weeks?
Bipul, is this white space? Is this new budget that you're unlocking, or is this displacement spend? Maybe peel that back a little bit for investors to understand kind of the TAM opportunity here.
I always like the displacement market because it's very hard to create a new line item specifically for CSOC because they are tired of buying tools. In some ways, they are trying to consolidate. They are already spending money today with legacy platforms on identity recovery, but those legacy platforms have no data visibility. Those legacy platforms don't have the full gamut of identity resilience as we are bringing the solution into the picture. It's about going after a legacy replacement or new gen replacement with a value proposition that is 10x better. That's the sweet spot that we want to be.
I want to touch on that security budget point. You've talked a lot about in the past of moving deeper into CSO-led budgets. How far along is Rubrik in that transition today? At maturity, what does that mix look like between traditional IT spend and security budget?
I think in the last, I would say, at least five years, there has been a convergence of IT operations and security operations. In fact, in many large banks, the infrastructure leader is also the CSO. This is a trend that we have been actually advocating for and anticipating for many years. What we are also seeing is that now CSOs are directly involved in Rubrik purchase. In some way, they made the decision for Rubrik. Very large oil and gas companies have never met anybody outside of CSO. That is happening. On the other side, this identity recovery resilience is a CSO budget. Now we are tapping into it. We are taking this journey of converging infrastructure security. We are equal opportunity money takers. Whoever gives us money, we take it.
I'm curious, you know, when you look at the last several months, it seems like Rubrik continues to expand their workload coverage across SaaS databases on-prem. At what point does that breadth create sort of a tipping point for your customers to sort of consolidate their entire estate on Rubrik? Are you finding that more and more?
The data protection market is expanding because it used to be just the data center. As the critical applications have been moving into the cloud, it's cloud. Now M365, identity systems, Salesforce, these are all mission-critical applications. As the criticality of these applications grows and as applications also become scattered, there is more of a need for a centralized platform with single policy control and single management to be able to control and holistically understand the data threats. The need for Rubrik will grow as we see more of a diverse set of things. AI and AI agentic world make it even worse because if the problem is even worse, the need for Rubrik is even more. If you think about it, AI agents are not generic systems. AI agents are a specific system because they are replacing human labor. Human laborers do a specific work in the enterprise.
It's custom AI. In the AI world, you'll get two kinds of AI. I call it infrastructure as a service AI, which you build those AI agents yourself in your own environment or cloud environment. Then you have a PaaS AI, such as M365 agents or Salesforce agents. You have to bring both together to holistically run your agentic world. Now think about it. You have a multitude of this infrastructure as a service AI across different clouds. Then you have PaaS AI across different systems. You need a centralized management and control and policy enforcement to be able to secure and undo the unwanted work of these agents.
It's fascinating. I want to touch on the AI piece. Your launch of Rubrik Annapurna is centered on providing enterprises with secure access to their data to build GenAI applications. Given how many platforms are vying for this opportunity, why is Rubrik uniquely positioned to win here? How critical is this to the long-term growth story?
The way we think about enterprises, Rubrik has some fundamental architectural advantage because Rubrik reflects the production permissioning on the Rubrik data. Users don't have to repermission for the usage. If you have any other data lake or warehouse, you have to repermission data. We have that advantage. We are not trying to become, again, a data company. We see where the customer is and what problems we can solve for them. Our idea is that how do we connect this secure data into a fine-tuning model so that we can deliver accurate results? That's why we acquired PrettyBase. We also see an opportunity that as people are now using agentic applications, if agents and agents are probabilistic systems, they can hallucinate. As a result, you may have to undo the unwanted work of an agent. You saw what happened with Replit when the agent went around and created havoc.
As you can see, we are connecting the dot from data into model tuning to agentic operations and applying undo for unwanted actions. That's the kind of path we are taking.
I just had one interjection before I turned it back to Matt. How much is the agentic application discussion a part of your sales cycle? Are people actually making decisions and tilting towards Rubrik based on the perceived threat from agents, or is that something that is at the back of your head and you say, OK, when agents get deployed, we're ready to tell our story?
When we were actually internalizing agents and did the announcement for agentic AI, internally, we thought that it's a day one or day two problem. It's not a day zero problem. The number of unsolicited requests that we have gotten for briefing indicates that there is a high degree of awareness and inclination to understand the operationalizing of agents. My thinking is that businesses are still in the proof of concept. Then going from proof of concept into production and value realization requires operationalizing of these agents. Operationalizing means that high accuracy. You need to have 90% confidence interval in the results. Otherwise, you'll have cascading errors. You need to have the ability to undo. You need to have to trace. You need to also find control who has access to what. These are the problems in their head.
One last thing I'll say is that last week, I met with the CIO of a large semiconductor company. I was showing them our vision of how the AI world would be, and he said that this is the most brain-crushing meeting he had in the last several weeks in the sense that he was really technically forced to reckon what it means to run an agentic AI system. It is top of mind. From top of mind to actual operationalizing, there are some steps that are needed. We believe that Rubrik will have a place to play in that market.
Aren't rogue agents playing the role of bad actors, but in an agentic world? Isn't the perverse takeaway here that something bad is going to happen in an agentic world, and you're going to have to trace it back to the data and recover the data? It's almost like you would benefit if agents go rogue, which is not what you want to have happen. The assumption is that cybersecurity has failed to solve the problem proactively. We're here to fix it. The same kind of logic applies in a perverse way in the agentic world.
The only difference with the agent is that there are two reasons for perverse action. One is the malicious reprogramming or deprogramming of the agent. The other reason is that agents are a probabilistic system. If you have a probabilistic system, it can hallucinate, and it can veer in a direction that you didn't anticipate. These agents have full authority to take action on your behalf. The cascading issues, whether it's data changes or system changes or calling other agents, happen because agents will be autonomous units, and folks will do agent orchestration. If you're doing agentic orchestration, and if the first agent creates 80% good results, and the second agent creates 80% good results, and if you trigger both at the same time, your results could be garbage, like a coin toss or close to it.
Those are the challenges that are not natural to just the cyber aspects of it. It is purely operational probabilistic aspects of it. The issue is that as a consumer, you go to ChatGPT or Perplexity, you can deal with 60%, 80% good results because now you are actively looking at it and then trying to make decisions. You're not actually taking action that could have an irreversible impact. In a business setting, when you have a fine chunk of work that somebody has to execute and make a decision, if your systems hallucinate or make wrong calls, the repercussions are very high. That's why the agentic adoption has a higher barrier in the enterprise. That's where we believe we have our opportunity to fine-tune, to be able to serve at a lower cost, do the Agent Rewind that we announced, plus, plus, plus.
Agent Rewind. It sounds like a really good name.
They actually announced the product, Agent Rewind.
I want to piggyback on the AI piece. I'm curious, Bipul, just high level, how you think about AI evolving kind of the threat landscape and how Chief Security Officers are sort of posturing against that and where Rubrik kind of fits into this.
The way I think about AI is two pieces. One is the AI security. If you look at purely AI security, it's no different than traditional security because AI systems are data systems. AI systems are database orchestration systems. There is that world. There is a world of guardrailing AI. Guardrailing AI means that AI results have to be tracked. Identity and access management has to be fine-grained and also probabilistic. That piece of the agent-specific security is going to be different. Folks have to attack this problem in two ways. General purpose AI security is like just today's security. There is no different. You need to have your endpoint secure. You need to have your browser secured. There is no real difference.
Bipul, I want to talk about the business momentum. More recently, you reported 2Q results last night. If you think about the broader software landscape, there still appears to be some macro headwinds. Rubrik's done a nice job executing. What would you attribute that success to? Is it just the growing importance of cyber resilience? Is it a TCO dynamic that's resonating with customers? Talk to us a little bit about what you're seeing.
I mean, we had an exceptional quarter. We grew top line north of 50% and generated 19% cash flow margin. This combination of top-line growth and profitability is rare at our scale. It is a testament to our maniacal focus on delivering cyber resilience, cyber recovery because all our customers have invested so much money in the prevention and detection from endpoint to cloud to SaaS to network to everything, SIEM, SOAR. They now realize that if they need to have a higher posture, switching one firewall to the next is not going to do it. The way it has to happen is that they need to have a firm cyber resilience posture. That's why we believe that the cyber resilience is the number one cybersecurity category.
Our customers are replacing legacy, replacing new gen vendors, really looking for the ability to detect malware, detect threat in the data, isolate it, deliver clean recovery. Our differentiated platform, which is the preemptive recovery engine in Rubrik Security Cloud, against our competition, we are winning a vast, vast, vast majority of deals because nobody has this capability that we deliver.
As you say, Rubrik's done a good job delivering high growth and accelerated margin expansion. What are the structural reasons you can continue to deliver operating leverage even as you continue to invest heavily in R&D and new product capabilities?
As I've always said, I come from a venture capital background. In my view, if the business has no profitability, you have no business because the business job is to create value. Value only accrues if you create cash flow because all the value is in the future cash flow that's going to generate. In my mind, I look at two things. Do you have high gross margin and fast growth? Are you running your operations in a way that uses the gross profitability in the most cost-effective way to generate cash? Kiran and I partnered on this, and we maniacally focused on how do we build a high efficiency, high growth business. Not an easy thing to do all the time because we are in a very large market with a very unique product.
We both also realized that win at all costs and burn a lot of money to win is not a sustainable thing, not just for the business, but also for the culture of the company. If the company has a culture of high burn and win at any burn, it is very hard to change that culture to be a more disciplined culture. We actually always thought about how do we create a culture that is frugal, that understands how to use dollars and create high ROI, at the same time aggressively invest in areas where we see high ROI, as well as aggressively invest in markets where we believe that we have to win that market for long-term profitability. That's the balance that we are establishing.
I want to touch on consolidation. Cohesity's acquisition of Veritas’s data protection business landscape appears to be shifting a little bit. What's your view on whether scale or innovation will matter more in the next phase of competition?
Let me take a step back and give you my framework of consolidation. In any market, when the market transitions, look at the phone market. When iPhone came, it transitioned the phone market from calling and texting device to an internet device. What happened after that? BlackBerry went away, and Nokia and Microsoft merged to survive. Now you know the results. Similarly, Rubrik transitioned the backup and recovery market into a cyber resilience, cyber recovery market. We changed the use case. When you change the use case, the existing player to survive tried to merge to build a scale. You can't take two pebbles for a swim. You can't have two companies with 90% product overlap and people overlap and everything else and say, I'm going to innovate on two things. These are all theoretical and sound very good.
If you ask an investor, why did you invest in the combined entity? They want profitability, product rationalization, people to be fired. This consolidation is not in a happy situation. Any consolidation like this with so much overlap only happens in a stressful situation. This is the natural order of things. The market use case is transitioning. Folks are trying to survive. That's the constructive destruction that we are all used to in technology. Also, the technology pace is evolving. Now think about a fast evolving pace of technology from cyber recovery, cyber resilience, AI. In this one, if you have the heavyweight merger and figuring out two products and consolidate all of that, you lose time.
I had a question, if I could interject. I think you invented the term cyber resilience. I mean, you're not only a good technologist, but you're a good marketer as well. Your customer base is several thousand customers. It would seem to me that if this cyber resilience category were to become mainstream, like databases or firewall, you should have a customer base that should be 100,000 plus. What are you looking to do as you scale the business from $1 billion to $10 billion plus? What are the things that you should be doing from an operational standpoint, executive alignment, bringing in new people, channels, market awareness, integration, partnerships? How do these things change?
That's actually a very good question because if you look at the market that we operate in, it's a global market with many markets inside the global market. It requires high scale. In many cases, we are replacing legacy vendors. We are replacing legacy big companies that have this offering on the side. Our way to win always is through partnership, whether it is our channel partners, global system integrators, or our strategic alliance partners such as Microsoft, CrowdStrike, Zscaler, because we need to create an ecosystem to really attack this market. We can't hire people and scale people to win this market. That's what we are doing.
We are focused on figuring out the routes to market that are efficient, routes to market that are compelling for our customers, and figuring out, like, can we build technology with our partners, with CrowdStrike, Zscaler, Microsoft, that one plus one is greater than two, so that for the customer looking out, they feel like they're getting more value for their investments. As you know, the adoption bell curve, you will always have a late majority that you want to go and convince the late majority. Number one is, are you ready to recover from cyber attack? How long will it take for you to recover? That's a compelling question. By the way, Rubrik enhances the value of the ecosystem for your cyber posture, cyber recovery, AI enablement, AI acceleration. Those are the things that will help us go and get the large share of this market.
On that note, we wish you really well in your journey to 10x. You like 10x, so I hope.
Always.
Yeah, I hope you get to be a 10x from here. My best wishes. Thank you for your support of Goldman Sachs. We'll have you back next year with this guy driving a lot of that thought leadership, hopefully.
We'll miss you, Kash. You have been such a big part of Rubrik.
I'll be sitting in the audience asking you really tough questions. That was great. You've been great. Thank you, sir.