UBS, very happy to have the Varonis team here. Guy Melamed is the CFO and Chief Operating Officer, and we have Brian Vecci to my right, who's Field CTO. Gentlemen, thanks for being here.
Thank you.
Thanks for having us.
So I'm gonna jump into some fireside questions, but if you guys have Q&A, please feel free to submit them through the app. I'm happy to forward it on to these guys. But maybe just to start, I think a lot of people are familiar with your story, but a lot of journalists here, a lot of people maybe not. Can you just start with the story of what Varonis does? Data is very in topic right now. What's the core problem you're solving, and where do you sit in the security kind of hierarchy stack?
Sure. So we're a security software company. We make software that helps organizations of all sizes in every vertical, secure and protect their data. What we see, and what we've seen for 20 years, is companies really, really struggle, or enterprises really struggle with knowing what data they have and where it is. They struggle with ensuring that it's properly secured, meaning that it's not exposed to people or applications or devices that don't need to have access. They struggle with detecting and responding to threats, and they struggle with keeping it private and being compliant. Now, these days, they really struggle with protecting it, when it comes to Gen AI use cases as well.
What we do is we make sure that the enterprise knows what data they have, what's important, what's sensitive, where it is, whether it's on premises or in the cloud, whether it's in a OneDrive share or a Salesforce field, and then it's properly secured and protected, that it's not exposed, that it's properly monitored. When something goes wrong, they know about it quickly, they can effectively respond to it.
Yeah, makes sense. With all this data, I mean, generative AI has been a big topic. It's been probably the number one question I get regarding Varonis, and I'm sure you guys are getting the same. But Yaki made some comments on the third quarter call, just about how generative AI and AI could ultimately become a tailwind of the business, and the risks that AI causes around data and how you solve them. I think there's two main types of risks that he called out. Can you just maybe first talk about the first one, the self-inflicted risk, and what does that mean for customers?
Talked to a CISO a couple weeks ago who said they wanna use Microsoft Copilot. The board says, "Go. You know, this is gonna make our people much more productive. Maybe the greatest productivity tool ever." For those that don't know, Microsoft Copilot is basically ChatGPT for your enterprise data, for all the files and emails that you have. And what she said was, "I'm terrified of turning this on, and suddenly people on our trading floor get access to the CEO's, you know, long-term plan or his email." And that's exactly what's going to happen. So enterprises that want to benefit from generative AI and large language models, it's all about data. They need to protect and secure their data before they use these, or they're gonna really expose themselves to risk.
The self-inflicted risk that you just asked about is organizations that are using new tools and technology, like large language models, to make their people more productive and get more value out of the data that they have. But the risk associated with it is people have access to way too much. The people on the trading floor have access to the CEO's email, and that's because data is so hard to secure and protect. We have been solving that problem from the beginning of the company. We were founded specifically to solve those kinds of problems, which have become more and more difficult to solve. So if a company wants to use generative AI, they need Varonis to secure that data, or else they're putting themselves at risk.
Varonis has been making this point about over-permissioned data. Is it right to think about Copilot, generative AI, really just escalating how quickly organizations figure out how over-permissioned they are?
I think they need to do a risk assessment with Varonis to really figure out how over-permissioned they are. But it's interesting, if you go to the Microsoft Copilot readiness page, right there on the page, it says, "Organizations struggle with oversharing.
Yeah.
They don't have a solution for it, but they acknowledge that you should be very cognizant of this, and you should review your settings and permissions before you use Copilot. We have the advantage of, if you want to solve that problem, you need us.
Mm-hmm.
This has been a problem for a very long time. To your point, this is now a problem that's becoming even more top of mind. We're going up the priority stack because of it.
Yeah. I'll come back to that in a second, but the other risk Yaki was talking about was the external risk for-
Mm-hmm
... from threat actors, and the fact that Copilots will pretty quickly become a pretty lucrative target for people looking for data inside the network. Can you just put a little more detail behind that and how you think about that?
I want everybody to remember the first time you used ChatGPT and how it made all of the information on the internet, up until 2020 or 2021, so much more accessible to you. You could just ask it any question. Now, imagine you could go into a company as a hacker or an insider threat and say, "Show me all of the employee information. Summarize everybody's 401(k). Show me all of the PII that might be accessible, that I might be able to monetize. Show me... Can you tell me about the source code? Can you show me intellectual property?" You can just ask questions, and if the data isn't secured, Copilot is gonna be a hacker's best friend.
How does Varonis specifically address that issue?
We make sure the data is secure. So, Copilot and other tools like Copilot use what we call the access controls, or the permissions of the user that is using it. Roger, if you went and asked Copilot to summarize all of the data of a specific company, maybe that you're doing research on, it's gonna use whatever you have access to. All of the files and emails and team chats, everything that you personally have access to, it's going to go out and learn from in order to produce new content for you. The problem is, is if you have access to too much, if half the data in the company is open to everybody in the company, just imagine the amount of risk.
Suddenly, that data is accessible, not just by somebody who's actively looking for it, but by an AI that's gonna go out and find it for them.
What are the alternatives for customers if they are recognizing this problem, they don't buy Varonis? I mean, Microsoft has their own information protection platform. How do you think about the competitive environment here? And if you're not using Varonis, how do you wrangle down over permission data?
We know, because we do so many risk assessments, that companies that aren't using Varonis are not solving this problem, period. What they're doing is they're using perimeter-based or DLP-based tools to try to block data from being sent or shared, or they're focusing on endpoints like devices, phones, things like that, but they are not securing the data. They're using adjacent technologies that don't solve these problems. Why, you know, when we say we don't have any direct competition, we know that because nothing does what Varonis does. If it did, we would do risk assessments, we wouldn't see so much data exposed to so many people who don't need it.
Yeah, makes sense. Maybe to bring Guy into the conversation, but instead of directly monetizing AI with a specific SKU, the messaging has very much been around your ability to address these risks will just become a tail wind of the overall business. Is that the right way to think about it? And at a minimum, it sounds like adoption of Copilot generative AI applications could, at a minimum, be a marketing beneficiary for... or a benefit to Varonis.
I think we can absolutely benefit and monetize AI. We're just doing it in a slightly different way, and we're not selling it as a separate SKU. Because one of the things that we've seen over the years is that we have a wealth of products, and we got to a point where we had 40+ SKUs, and that became slightly too confusing for customers and reps. So in 2022, we actually offered bundles and consolidated those SKUs into one SKU that encompasses whether it was 6, 7, 10, 12 individual SKUs, and that worked really well. And then in 2023, when we announced our transition to SaaS, it was an opportunity to double down on that consolidation, and through the SaaS offering, we don't sell individual licenses.
So you sell the Varonis platform for Windows, the Varonis platform for Office 365. And by doing that, we've seen both reps and customers really enjoy that change because it simplifies the conversation, and it really makes customers better protected. And with the AI, we decided to put it as part of the platform sale because it makes the product better. It provides customers higher, really higher customer satisfaction when you think about it. It works better, and then their ability to come back and purchase additional platforms that aren't protected goes up significantly. I just want to add one thing to kind of the conversation about AI and the whole risk assessment.
So I think it's important to note that the risk assessment is part of that visual sale and is a significant component in our selling motion. It's really critical to understand that, because the risk of data being exposed to everyone in the organization is out there. It's been out there for many years. I think that risk is increasing by the day. If we go to customers, potential customers, and tell them that they have millions of files that are open to everyone in the company, they kinda move on in life, because what do you do with that? If I told people in the room that on average they have a couple of million files that are open to everyone in the company, what do you do?
You go make coffee in, you know, in the stand outside, and rightly so, because you don't identify those files. But if I could actually show each and everyone in this room the list of top 2024 picks, long and short, a list that you prepared that is open to everyone that has access to the company's Wi-Fi, and through that Wi-Fi, they can access to that file, guess what? We would get the PO. So that's why we work very closely in that visual selling process.
The same goes with the AI and making sure that customers understand how vulnerable they are, and they can identify files that they knew should be protected or should not be accessed by everyone in the company, and they can recognize them, and they can see that people that have access to them shouldn't have access, and that kinda changes the whole conversation.
Sticking with Copilot, if that's primarily drawing from Microsoft 365, can you just talk about where you are in terms of customer penetration for Microsoft 365 use cases, which is SharePoint and OneDrive? I think at the Analyst Day earlier this year, you called out about $100 million from those use cases, but how do we think about that opportunity, and do you think something like Copilot adoption could help improve that penetration?
So the Office 365 has definitely become a driver. If we go back to when we introduced that product, it took a couple of years for both the reps to fully understand how to sell it. But once they kind of understood that, it started to become a driver for us, and it's continued to be a driver for us. But as you mentioned in the Investor Day in March, we actually showed how small that percentage is out of the overall kind of opportunity. So it was really low single digits, and that hasn't changed much. So when you think about our opportunity with that platform, it's extremely significant for us.
We wanna make sure that we capitalize on that, but we have a long ways to go in terms of our ability to sell that to potential customers and even to some of our existing customers that don't have it yet.
... The question I get on Varonis, and go back years, is what budgets do you pull from? And historically it's been some areas like DLP or the SIEM. We're starting to see budgets get created for generative AI. I get this is very early, but are you starting to see line items for something like generative AI security?
It's very, very early.
Yeah.
But signs point to you think directionally, yes, but it's still very, very early. We still don't see generally a budget for Varonis.
Mm-hmm.
Data security, specifically, partly because of generative AI, partly because of privacy and compliance use cases, partly because of, you know, we're seeing more just data protection projects overall, are becoming more and more common.
Yeah. The other element Yaki mentioned was the opportunity for Varonis to use generative AI and AI internally to improve your product, your customer experience. Can you give the summary on what's going on that front, and how we should think about that impact in margins?
Yeah. So we recently launched Athena AI, which is a generative AI, large language model-based set of functionality within the product itself. And to Guy's point, it makes our platform easier to use and increases customer satisfaction. Boy, does it demo well. You can just ask Athena, "Show me all of the HR data that's open to people outside of the company," and seconds later, here you go. And if you get an alert, like, "Boy, Brian's account is accessing data like it might be ransomware," the AI assistant will say, "Here's why this might be happening. Here's what you should go do next. You should look at this tool and this tool and this configuration." And it's just basically a SOC analyst, an expert, walking you through the investigation, response, and recovery. So it makes the entire platform easy to use.
Our customers love it. It's still really early, but really exciting.
Roger, I think there's another point that is important to note when you think about where we are in our journey, in transitioning to SaaS. We're only three quarters in, and the whole transition is, is happening quicker than what we initially anticipated. We, we talked about the fact in our Investor Day that we plan for it to be a five-year journey. We also talked in the last earnings call about the fact that with the SaaS, increasing 5% out of total ARR in one quarter alone, and when you do that extrapolation, it makes a lot of sense to revisit that timeline, at the end of this year. But I think what, what investors still don't fully understand is the fact that this AI, offering is only part of the SaaS.
So when you think about a product that's been out for three quarters only, this is, in a way, an inflection point in the fact that this is making the Varonis SaaS product much better than the on-prem subscription solution that we've had. And if this is how it looks in three quarters, how is it gonna look in a year or two years with the amount of development, and updates, and upgrades that we put into the SaaS offering? So when you think of where we are today and where we wanna get to, the desire is to protect customers and protect their data through the SaaS offering.
And it is much easier for us to do through the SaaS offering, and it will become a much, much better product over time, with a much bigger difference compared to the on-prem subscription.
Very interesting.
A good segue, actually. I wanted to touch on the quarter and go back to that transition. But Q3 was pretty good from a high-level perspective. Can you just kind of run through what were the highlights? Maybe to front load you a little bit, just really good traction with conversions happening, I think at a quicker pace than you were probably expecting. Just what's happening with that, and why does that make you excited about the SaaS transition?
Again, going back to the Investor Day, we broke out the transition into two phases. Phase 1, focusing on new customers and selling to them, and we expected that to take anywhere between 1-2 years. Then, as we get close to the end of Phase 1, start focusing on Phase 2, which would be converting our existing customer base into SaaS, and we expected that to take anywhere between 3-4 years, for a total transition period of 5 years. What we've actually seen this year has pleasantly surprised us with a natural conversion. We're not forcing it, we're not incentivizing reps, so there's no commission incentive apart from the uplift.
Anything that they sell with SaaS on top of the renewal goes towards their quota, and the price list of SaaS for the same product sold is 25%-30% higher. But what's actually happening is that some of our existing customers, because of the fact that we're not selling individual licenses, have to buy more than the same number of SKUs that they had previously, which makes kind of the uplift higher than that 25%-30%. But there's no specific incentive for our reps to sell and convert the existing customers. And with that natural evolution, natural occurrence of conversion, it's extremely encouraging because customers want it, because it's a better product, and reps are getting kind of that uplift towards their quota.
So the fact that it's happened so well this year, and if you look at Q3, it actually increased significantly compared to what we saw in Q1 and Q2, is a great indicator and very encouraging for us, that once we put the focus on that Phase 2, then that can actually happen at a much better pace. So if you think forward on how Phase 2 should look like, I think it will happen sometime through 2024. I don't expect it to be in the first part of the year necessarily, but more towards the mid to the second part of the year, as we think about it now. And then every single year, I would expect it to accelerate compared to the previous year.
So I don't see it as a linear progression, because one of the things to keep in mind is that we're selling three-year deals. So if you have a customer that just bought your on-prem subscription, or did an upsell and has a three-year contract, some of them will wait until the end of that period in order to convert. Now, some of them could reallocate the hardware that they purchased for the Varonis software, allocate it to other things, and then we'll be more than happy to assist in an earlier conversion. But just to keep in mind that some of our customers would rather wait.
One of the things that we've ensured in our 2019 transition, and we make sure that we put in the forefront of this transition, is that the customers go first. We want to make sure that we keep them happy. We know that it's a much better product, but we'll make sure that we align in terms of the timeline that works for them. So I think that's the one kind of element to keep in mind on the Phase 2. If you look at Q3, some of the other positive elements that we saw apart from the conversion, is the fact that we're selling to newer customers. And the selling of SaaS to newer customers opens up additional verticals, additional opportunities, additional markets, and additional customers that didn't want to buy the Varonis product before.
Because what SaaS does really well is eliminate two of the most biggest objections that we got. One of them was, "We don't want to buy hardware," and the second one, "We don't, we don't have enough people to support the, the platform." And SaaS eliminates those two objections completely. So definitely encouraging when you look at the Q3 in terms of new customers, in terms of the existing customers' conversion. But I would also add free cash flow, operating margin leverage, definitely points that give us a lot of confidence that even through a transition, we're able to maintain our cost structure in a very healthy way, and, and continue to generate more and more free cash flow, which is something that we've put out there as a, as a, as a North Star.
Yeah, that makes a lot of sense. And maybe to add on to that, you've talked about this uplift you get when you convert from term to SaaS. And you listed a couple of the reasons why you feel like that's an appropriate amount. The fact that it lowers cost of ownership for customers, it's easier to manage the cloud management pain. But what have you seen play out so far in terms of the uplifts you're recognizing? And again, the other point of, as you move to SaaS, maybe you need to take some additional SKUs.
Same number of licenses. Apples to apples, we see that 25-30% uplift, which gives us a lot of confidence in the pricing that we put out there. But as I mentioned before, we're definitely seeing some of our existing customers needing to buy a larger part of the platform in that conversion, whether it's additional users, whether it's additional modules, because we're not selling those individual licenses anymore. And that allows us to recognize a much higher uplift than that. Now, again, it's still on a smaller scale.
We need to see how this evolves, but overall, I can tell you that we feel pretty good with our pricing model and the confidence that we have in that uplift, and the fact that customers would be willing to pay more, just because, as you mentioned, the total cost of ownership is lower. So overall, they're in a better position, we're in a better position, and that's when it works well, when it's a win-win.
Yeah. How do you think about the opportunity of the install base conversions? And everybody can do that math of multiplying the current term base by the upsell. But how do you think about that opportunity versus the new logo opportunity, and the fact that a SaaS product should give you an opportunity to win customers you hadn't typically had an opportunity with in the past?
That's a very good question, and the way we have thought about it, and I think it's a good reflection when you kind of look at the comp plan, because you align the comp plan with what's important from a strategic perspective, is that there's a large portion of the commission in order for reps to focus on new business. Obviously, selling to existing customers is not as much as a lift as selling to new customers. But in order to support the growth going forward, you want to make sure that you bring in new fuel that would allow us to sell them, and upsell them, over the next couple of years. So the way we've structured the comp plan in 2023 is that a significant portion of the commission is focused on acquiring new logos.
I think that's, that's been working well. And when I think about 2024, there's not going to be any change in that focus, because we want to make sure that we can bring in those new logos, and address customers that we couldn't address before. Now, that doesn't mean we don't want to upsell to our existing customers. We will. And we don't want to convert them. We will do that as well, but there has to be a good balance. The majority will still come from our existing base when you look at kind of the new sales, but overall, we want to make sure that we focus on the new logos as well.
Yeah. I'm going to turn to a question from the audience real quick. It's a common question, but what is... And I think it's an overall platform question, but maybe we can talk about it in the generative AI context too. But what is the risk that Microsoft just pushes further into this market, adds the capabilities that you've been doing well for a while? It's been a question that I've gotten about Varonis for years. But if you want to talk about generative AI specifically, I think there's still some shortcomings with the products that they offer to help you here.
Yeah. They're focused very much on DLP, and Purview is certainly useful, but Microsoft themselves says, "If you want to get the most out of Purview, you need Varonis," and that's-
... why we're on the Azure Marketplace, and we have automation tied to Purview Information Protection and automatically labeling files. Microsoft doesn't have technology right now that solves the problems that we solve, and we've been doing this for a long time. This is the problem that we were built to solve. So we have a very strong technical partnership with Microsoft, and we'll continue to work with them closely.
And just to add to that, one of the things that we have done with the acquisition of Polyrize at the end of 2020, is try and address additional platforms that we didn't address before. So when you think about kind of the Varonis for Salesforce, Varonis for Google Docs, Varonis for AWS-
AWS, yeah
... those are additional platforms, because at the end of the day, we want to protect data wherever it resides. And I think that's what, that's the goal, that's the mission, and that's what we plan to do going forward.
Yeah.
That's a good point. On DA Cloud, we're starting to hear from partners that there's been more success selling that product. And I'd love to get your kind of view on what progress you've seen, and really to what extent has the introduction of Varonis SaaS kind of helped make that sale a little bit easier?
So it goes back to the Office 365 conversation that we just had. Reps don't adopt a new product just off the bat. Never happens. It takes time for them to understand the ins and outs and the positioning, and that's why when we talked about DA Cloud, we started talking about it last year, we said that we see a tremendous opportunity of having it a driver going forward, but we know that under the evolution of Varonis in the past, it takes time for them to adopt. As time goes by, and as they see the conversations with customers are very successful and customers are interested, it makes them-
More confident
... more focused and more confident in selling that. And that's why I think you're kind of getting that feedback from the sources that you're talking to. So I think when you look at where the DA Cloud... And we're not—we don't call it DA Cloud anymore, it's part of the Varonis SaaS product. But when you think about the ability to protect additional applications that we didn't have before, and the fact that we want to have one dashboard that provides the same visibility, that's what we're aiming for, and I think that's where we plan to get to with the sale of those platforms.
You also cannot underestimate the amount of R&D that's gone into those, you know, that set of products and the functionality there. It's better than it was six months ago, which is better than it was a year ago.
Yeah.
We continue to add more visibility and more automation, which makes it more valuable.
Maybe, maybe last question, or maybe two more. But as you think about Phase 2 and expanding the SaaS transition to the install base, where are you from an investment, a capacity standpoint? Is there anything you'd have to consider as you think about a broader Phase 2 rollout, or do you feel pretty comfortable with the operational ability you have today?
So we talked about the fact that when we sell the Varonis SaaS today, it for new customers, it's a better product already, and for most of the existing customers, it's already performing in a better way. Obviously, the amount of updates that we have come out with under the SaaS offering has been significantly higher than anything we've come out with the on-prem in a combination of two to three years combined. So I think that as you look at next year, every single update will make the product better. It's already performing in a better way than some of the on-prem subscription as we sit today. But I don't see that as a deterrent in terms of the Phase 2 that we want to focus on.
I think eventually we get to a point, not next year and not in 2025, but eventually you get to a point where you have one source of code, and you're not maintaining two types of code, and that provides tremendous leverage, not just in R&D, but in some of the other departments as well.
Yeah. Very good. I think we're all about up in time. Thank you, gentlemen, both for being here. Good, good conversation. Thank you all for joining.