All right, well, welcome. I'm Rob Owens with Piper, and I cover the security and infrastructure software for the firm. And very pleased to welcome our final presentation today, I think, at least my final with Varonis. Brian, who is the Field CTO, and Tim, who is the Director of IR. So gentlemen, welcome. Thank you.
Thank you.
Thank you for coming down.
Thanks for having us.
Varonis was founded, math's hard at this point, about 18 years ago, you know, solving a really critical problem around data. It only seems to me now that we finally are really starting to appreciate the data problem. You know, not that the company hasn't had success in the past, but if you look at the scale, there's never really been that inflection point. And so I would love to kind of track, and Brian, you've been here for a while, but just where, m aybe a little bit about your background, too. I know you do a lot of these, but then.
Sure
Overall, where those customer conversations have been and kind of where they're going now.
That's a big question, so.
It's a big question. I'm only asking three, so.
Yeah. So I've been at Varonis for 13 years now, and as you say, we've been around 17, 18 years. We're a security software company, and we were founded because companies really struggled with understanding what data they had, where it is, if any of it's at risk, exposed to the wrong people. They really struggled with catching threats to it, insider threats, outside attacks, and they really struggled, even if they could find the problems, with fixing them. So we created a platform, started in 2006, to solve these problems and answer these questions for on-premises file system, 'cause that's where the biggest problems were. To answer your question, what's changed or how are things evolved? You're right, the problem has gotten bigger. Yeah, it's funny, I met a CISO who said, "It used to be we could use the ostrich defense.
We could put our head in the sand, and if I didn't know about it, it wasn't gonna hurt me." The advent of ransomware kind of killed that defense. These days, you need to understand what data you have. You need to protect it, and we're the only way to do it. And what's changed is there's not just data in file systems anymore. There's data on premises, there's data in the cloud. Everything is connected together. It is so easy for anyone inside the company to share with anybody else inside the company or outside. Everybody uses cloud applications that are all connected together. So the threat surface is much bigger, the problem is much bigger, and every company has more of an incentive to solve it.
Are customers looking at this from a holistic standpoint, though? That would be my question, because if I look at all the different avenues of growth in tech, whether it's been mobility or cloud or SaaS, I mean, sprawl, sprawl, sprawl, sprawl.
Mm-hmm.
It feels like they've kind of piecemealed this together historically. So where is the customer approach? All we talk about is platform and consolidation in security. Have we hit that in data security yet?
I think we've been building that for a long time.
Yeah.
It's interesting, I don't think companies have really been piecing anything together. They've thought they have, they've been trying to, but they simply haven't. And, one thing that I've been repeating, another CISO said to us, "I've got, you know, I've got CrowdStrike on the endpoint, I've got Palo on the network, Varonis is data." There's nothing else for data. And you're right, everybody wants to take a platform-based approach, and the fact that we protect data on-premises and in the cloud, the fact that we protect files and databases and Amazon S3, which is object storage, it's big cloud storage. We protect Salesforce, we protect source code, we protect everything.
And companies really want to take a more holistic approach because they haven't been focused on data security. They've been focused on perimeter security, which is really the devices, and the networks, the firewalls, things like that. They haven't been focused on data, but now they are.
And how do you think about newer models? We had, I won't say which one, but a large SASE company present earlier today, and they talked about two of their largest deals, very large deals, being around data security. The fact they have roughly $200-250 million in ARR that's focused on data security. What about the evolution of some of these newer models that are kind of promising complete visibility across the network and trying to approach it from that perspective?
It is easy to promise visibility. It's harder to deliver it. It's even harder to take visibility and turn that into a security outcome. What I mean is, you can find a problem, but how are you going to fix it? Every single security team is stretched incredibly thin. Nobody has all of the headcount that they have open. Nobody can hire enough people. None of those people have enough hours in the day, the week, or the year to solve all of the security problems. So when we talk about protecting data, it's not just visibility. It's, we will automatically lock down exposure. We will reduce the time it takes to detect a threat and reduce dramatically the time it takes to investigate it. We will even proactively call you when we see a threat because we're a SaaS now, and we can do that.
We couldn't do that in the past. So we focus for our customers on outcomes. It's not about specific features or functionality, or even data sources that we provide visibility into. It's what does it mean for your data to be protected? And we're really good at defining that, and we're really good at delivering it.
Let's talk about SaaS from two angles. Number one, what's inherent to, either inherent challenges or differences in protecting SaaS data and SaaS-related applications? What does SaaS mean for Varonis? I think that, you know, if we just look at top of the funnel, which is probably getting sick of me asking this question every quarter, but I really think that's where we're starting to see some impact relative to just lowering the barriers to even trial, so.
Yeah, you just, once again, you asked about four different questions there. I'm gonna start with the first part.
I knew that.
Yeah. What does SaaS mean for data in the cloud?
Yes
For us? And one way to think about cloud data or, or anything in the cloud is it's data that's on somebody else's internet-connected computer. That's what the cloud means. And when you put data in the cloud, you can get a lot of value out of it. You can be so much more productive. Who wants to live in a world where all of your data is stored in your laptop, and if you lose it, you lose everything? Who wants to live in a world where you have to connect to a VPN or private network and launch software so that you can actually do any work? These days, I can do anything that I need to from my phone, right?
You don't work for a bank, do you?
Yeah. I did work for a bank. I was at UBS.
That was aside.
Before I came to Varonis. But yeah, it makes us much more productive, but it also makes the risks much higher. When everything is on the internet and connected together, that makes it so much easier for a threat actor.
Absolutely
especially an insider, to cause damage, to get access to your critical data, your intellectual property, your customer information, your source code. So protecting data is much harder, and it's much more critical to do. So that's one huge benefit for us. The flip side of it is, and you mentioned, and I think you're alluding to, our transition into a SaaS platform.
Yes.
So now, if you want to deploy Varonis, no longer do you need to call your infrastructure team and get databases and servers spun up. We deploy it as a SaaS, and we made that transition late last year is when we launched it, and it is a sea change for us. We have the benefit of 18 years of management, sales, and R&D experience, solving all of the hardest problems of collecting all this information and all these disparate data stores, but we rebuilt it as a modern SaaS platform, which makes it much more scalable, much easier to deploy. We can do a risk assessment in minutes and have results the next day, and it doesn't take, from a customer or a prospect perspective, it doesn't take them any time. We just do all of the work.
It's fully scalable, it's elastic, it's built on a modern cloud infrastructure, so it's a better product. It's, w e can innovate much more quickly, we can deliver more value, we can build more automation. So from a customer perspective, they get more value more quickly, we have to do less work, the deals are bigger, and they're happening faster.
That's great. How much do you run into the DSPM vendors?
They are, s o we talk about ourselves.
There's been a lot of funding in that space, too.
Sure, and it's funny, DSPM, it's the acronym of the day. It starts to describe parts of what we do and what we've been doing.
Data Security Posture Management.
Data Security Posture Management. It's an attempt to describe what we've been doing for 18 years. It's great that somebody finally came up with an acronym. It's still only a piece of what we do. So I think of it as a complementary and adjacent technology. If you've got Varonis, you typically don't need a DSPM. If you have a DSPM, you still need Varonis. So it's some noise, but they don't compete with us directly.
All right. Anything you want to add?
No, I think Brian said it pretty well.
Excellent. The GenAI play. The data play is probably the biggest element, I think, that is the biggest critical risk element to leveraging some of these tools, and that's gonna be awareness, categorization, kind of all the things that you guys do well. Realizing it's still incredibly early, but where are our customer conversations right now?
Yeah.
And how long is this gonna take to materialize? I mean, cars went 100 mi an hour before we even put seatbelts in them, let alone mandated people wear those seatbelts, which frankly, wasn't that long ago. So, we like to always put the cart in front of the horse relative to security.
Yeah. We like to be where our customers need to be before they get there, and that's what we're.
Well said
We always follow the data.
Yeah.
And so there's two pieces to the GenAI conversation. One is, what does it mean for risk to a customer? Their data is now even more valuable because it can be used and leveraged by all of their employees and their, and another third party so much more easily. So they have more of an incentive to protect it. It also makes the job of a threat actor easier. ChatGPT, write me ransomware. Now, I don't even have, b asically it makes the threat actors much more productive, which makes the risks even higher. So from a customer perspective, they're more worried about protecting their most critical data for all of those reasons. The flip side of it is, where can Varonis, as a technology company, leverage large language models and GenAI within our product platform? And that's absolutely something that we're working on. Because, LLMs are.
The value of an LLM is based on the data that it's learning from. From a security perspective, who has the best data? Well, we monitor every time someone touches anything, so we have all the behavior of every user and every application to all of your data. We know what data is sensitive and important because we do accurate classification. We know who's got access to what, we know who it belongs to. We've got context about where people are coming from. You put all that together, Varonis has the best data to learn from. So our customers are talking to us about why they need to, where they have data that they need to protect, and using Varonis to protect it, and we're talking to our customers about how we're leveraging LLMs within our platform to make their jobs easier.
So what do you think overall, as we look at software, IT, tech spending, security spending, normalizing and improving, what do you think the biggest growth drivers of the business are gonna be at that point? We've talked about ransomware in the past. We've talked about just how data sat everywhere within the Microsoft stack. Right? When we started using Teams, and based on sharing a file, sharing this or that. So what do you think will be the biggest kind of catalyst in a normalized environment looking ahead?
90% of all data has been created in the last 18 months. So it's going to be data growth and collaboration, which related to everything that you said. Remote work, you can't put that toothpaste back in the tube, right? Everybody's expected to work from anywhere at all times. Gen AI is gonna make not only data more valuable, but it's gonna create a whole heck of a lot more data, and your employees are gonna expect to be productive using a variety of both in-house and third-party tools. Third-party risk is becoming a massive driver for us.
You know, we used to talk about shadow IT, but these days, any business unit, anybody who wants to, can give a credit card to any SaaS company, click a couple of buttons, and now that company has access to all of your data inside Microsoft 365 or Salesforce or anything else that it asks to connect to. So you add all that together, the risk to data goes up, and there's more of it to protect. That's all good for us.
If we think about your model, especially around renewals, I think the second half implies $25 million of renewals that shift over from traditional into SaaS. Why is that number not higher? Like, where are customers is there, is there renewing, and why aren't they embracing SaaS more? And I know there's conservatism to your estimates, too, so, you know, that can somewhat play into this. But just curious, as you guys thought about that guidance and thought about those metrics, you know, what was behind it?
Yeah. I mean, first off, we're really happy with the $25 million of conversions that we've guided to this year. So let me explain kind of how we're thinking about the transition as a whole for some newer people in the room. So we talked about a five year transition period, where we expect to have 70%-90% of our total company ARR coming from SaaS. We're approaching that in two phases. So phase I is what we're doing now, selling SaaS to new customers. Phase II is converting the existing customers over to SaaS, which is what you're talking about. So the fact that we've already seen $25 million of conversions this year without actually targeting those customers is really exciting. So customers want the better protection at less effort that Brian's been talking about.
Also, our sales force wants to earn more commission dollars selling SaaS. The deal size has been larger on SaaS. That comes from the 25%-30% pricing uplift and also the platform packaging that we've done in SaaS. They're consuming more volume. The fact that it's not higher is really two factors. So one, our contracts are structured as three-year deals, so people might wait until renewal comes up. Also, they might wait until they depreciate their servers. That could be another reason why they're waiting. That said, we're obviously seeing some people come ahead of those renewals. Some people are also reprovisioning servers. So that's really the factors. Overall, we're pretty happy with what we're seeing.
And, Brian, you mentioned that within the, your SaaS-based offering.
Mm-hmm.
you have the ability to kind of alert customers when, when things are going awry, which kind of/
Yeah
Implies there's a managed service element to it.
This is not something we're charging them for right now. This is something that is offered. It's part of our customer experience. You're a Varonis customer, and you're using our SaaS platform. Our incident response team will look at your dashboards every day. We'll make sure there's nothing going on. We'll triage the alerts. We will do some basic investigation, and when we see something, and this has already happened hundreds of times, I have an entire win sheet that I can go back to, where we see insiders looking at salary data. We see indications of an advanced persistent threat, like a nation state. We see exposed credentials. We see users exposing customer data. We'll call you. All we need is a heartbeat, someone to pick up the phone. We don't charge for that.
It's just part of being a Varonis customer, and it's because that team can be so much more efficient because it's SaaS now.
Is that incrementally headcount intensive or not?
That team has existed for years. It's been something that we've, we put in place to ensure our customers were getting the value out of our platform, and now they can be so much more efficient, that we can offer that proactive service.
Great. Any questions at this point? Sure, Ethan.
Yeah. So just kind of going back to the point around renewals and customer behavior, I mean, it seems like you guys have seen really strong traction from the renewal base at this point. So how do you think about changing that transition plan a little bit, maybe accelerating that and bringing it forward, given the traction and interest you're seeing from customers already?
Yeah. So on our most recent earnings call, we did talk about the need to kind of revisit the timeline when we report our 4Q earnings, because we do understand the transition's moving faster than what we thought. So that's kind of where that comment came from.
I guess building on that, talking about renewals, what have retention rates been historically? How have you seen that kind of transitioning in this more difficult macro?
Yeah. So our gross retention's been over 90% historically. Net retention was 115% last year, 117% on a constant currency basis. Kind of obviously, with what's implied in our current guidance, we do expect that to come down somewhat, and that's really related to the friction from the SaaS transition in the first six months of the year and also just the macro environment kind of weighing on customer buying behavior. But we do expect the SaaS product to actually help our retention rates kind of going forward. There's just gonna be more customer satisfaction, and we know that more is more. When customers buy more, they see more value, and they're more likely to consume more of the platform.
As we kind of contemplate the 2027 targets, it just seems like it's so far out there, by the way. 2027 targets from the Analyst Day, Is that more SaaS and NRR related? Is that more kind of customer related? Like, how should we kind of start to think about the growth algorithm that gets us there?
Yeah, so I wouldn't think of our growth algorithm as being any different from what it's been historically. Historically, we've seen a pretty similar balance between new logos and expansion with the existing base, with slightly more of our growth coming from expansion from existing customers. So touching on new logos, we have about 4,300 subscription customers as of the end of 2022. That compares to more than 50,000 companies in North America and Europe alone that have a 1,000 or more employees.
So if you think about it from a new log o perspective, we're less than 10% penetrated. Within the existing customer base, we talked about the opportunity to double the value from our existing customers under the self-hosted model. So we changed our product packaging in SaaS, but that opportunity still exists from a volume perspective. And on top of that, you have the 25%-30% pricing uplift. So the opportunity with the existing customers has actually gotten even bigger with SaaS.
How much are you seeing Microsoft these days? Because they've had kind of their own data security solution that they've really evangelized, especially to us on the street, saying, "Hey, we play here too, guys.
Sure, and what they do is really what we would call data loss prevention. We integrate directly with them. There are Microsoft executives that are now telling the world publicly, "We're better together." You can buy Varonis on the Azure Marketplace. We're a technology partner, so you can't solve the data protection problems that we solve unless you have Varonis. All right, anything else? Yeah, Brian?
Yeah. I can't predict who might emerge, but we've been saying for years, and it's still true, we don't have any direct competition. We took a novel approach to protecting the data itself, rather than the technologies around the data, like the endpoints, the devices themselves, or the networks, and that's where everybody has really focused. Those were they're frankly easier problems to solve. We solved a very, very hard problem on in a place that nobody else did, on file systems, and then we expanded to all of these other places. There is still no direct competition. It also, it in some respects, it would be a lot easier for us if there were, if there was a Gartner Magic Quadrant, and there were three other vendors I could point to, but there simply isn't.
Who knows what the future might hold, but we haven't seen it yet.
Where do you guys get most of your investor questions? What do you think is the most misunderstood element, or what are people really focused on?
That exact question.
Competition?
Why is there no competition? Who are your competitors? Our biggest challenge, this is true for.
Well, it's not like there hasn't been a lack of security investment over the decade.
No, Yeah, it's just we took a really novel approach to it. One of our biggest challenges is helping everybody understand just how unique we are, that there is nobody else that does this. It's also true for our customers to understand that. That's why we have to do the risk assessment. They don't really understand the scale of the exposure or the risk that they are managing or not managing, as the case may be. They don't really understand it until we show it to them. That's why the risk assessments are so critical for us, and that's why.
Yeah
Our biggest, our biggest risk is sales execution. We need to do enough of those risk assessments. They need to be run the right way, and we need enough people to do them.
All right. With that, I think we'll wrap. So thank you guys very much.