the security software analyst, Greg Stevens. Very excited to have Varonis with us here today. Joining us from the company, we've got their Field CTO, Brian Vecci, and Tim Perz, directly to my left, head of investor relations. Gentlemen, thanks so much for being here.
Thank you.
Thanks for having us.
So maybe just to start off, for those in the audience that aren't as familiar with the story, Brian-
Mm-hmm
... if you could kind of give us a quick overview of, you know, how Varonis is differentiated in the market, and maybe the recent demand trends that you've seen in the business.
Sure, big question, but I'll start with the basics. We're a security software company. And Varonis was founded because companies really struggle with protecting data, securing it, knowing what data is sensitive and important and where it is, making sure that it's not exposed to the people who, in applications, that don't need to have access to it. And quickly determining whether, when, when and how something goes wrong, whether it's an insider threat, a ransomware, an advanced persistent threat, a nation state, anything. So we create software that solves those problems automatically. It makes sure that data's not exposed and helps you quickly identify and respond to threats effectively and efficiently. And you do all that, privacy and compliance then become a by-product. What we've seen is that organizations really, really struggle with getting to those outcomes.
They have more data than they've ever had before. It's in places that are harder to secure, like cloud collaboration platforms. There are workloads in cloud stores that are being, that are, that, that mean that data is exposed to not only people inside the company, but people outside the company. And we've seen demand for data security continue to increase, sometimes because of collaboration and requirements. Everybody's working from home and expected to work with anybody, and also the need for leveraging generative AI and large language models, both for employee productivity and to monetize data. So all of that contributes to needing to make sure that that data is properly protected, and all of that contributes to the demand for Varonis. Nobody else does what we do. We're unique in the space. We had to, we created this category.
There's nobody else that does what Varonis does in the data stores that we do it. So, you know, we don't have any direct competition. We're generally competing with adjacent product categories or trying to solve some of these problems manually, but that never actually works.
Excellent. Yeah, so you, you hit on AI.
Mm-hmm.
Obviously, a hot topic right now. Yaki, your CEO, made some comments during the third quarter earnings call about, you know, how AI could ultimately become a tailwind to the business because of the risk that AI poses, you know, to companies that adopt it. He mentioned two types of risk. The first of which was what we call self-inflicted risk. So I was hoping maybe you could kinda talk about that.
Mm-hmm.
What is self-inflicted risk?
Well, companies want to use AI to make their people more productive. Microsoft Copilot is a good example of that. They wanna use generative AI and LLM-based tools that leverage the collaboration, and the data that they have. They wanna make it so that their users can just ask questions, summarize all of the reports that we've got on a specific company, create a two-page document for me. What that does is it creates a lot more risk. If that user that's prompting that AI isn't supposed to have access to all of this financial information, suddenly, the company's at risk. So you need to make sure that that data is secure. It also creates a lot of net new sensitive information that now needs to be protected.
Companies that want to or already are leveraging these kinds of tools are creating a lot more risk than they potentially know about. They need Varonis to secure that data before they use it, and once they start using these tools, they need us to make sure it stays that way.
Can you give an example?
Sorry?
So when you say AI creates new data, it creates more risk.
Yeah. So you can use Microsoft Copilot. They have a demo right on their website. It says, "Show me or create a summary of the meeting that I had yesterday about this project," and then Copilot will also suggest: "Here's some other documents that you might want to include in that summary, like a product roadmap or a financial report." Then Copilot will basically just create new data for you that uses all of that information that you have access to, whether you're supposed to have access to it or not. So now you have a new piece of sensitive information that was created by somebody that wasn't supposed to have access to it, that's accessible by somebody that's not supposed to have access to it, that you didn't know about, and it happens in seconds. That's just one example.
What it means is a lot of new sensitive information gets created that's now harder to protect. It also means you need to make sure that your users and applications don't have access to data that they aren't supposed to have access to. What I'm describing is the problem that Varonis has been solving since the founding of the company. You know, this was the core problem that we were created to solve, and so we're kind of in the right place at the right time. Hope that makes some sense.
If a company doesn't use Varonis-
Mm-hmm
... how are they mitigating these risks?
Yeah, it's generally they're focusing on places where they know they can put controls and technology. I'll phrase it this way: so there's a CISO that said to me a couple of months ago, "I've got CrowdStrike on the endpoint, I've got Palo on the network, and I've got Varonis for data." So if a company doesn't have Varonis, they are securing the network, they're securing the endpoints. They've got firewalls, they've got antivirus, and what's called EDR, or they've got detection on the devices, but they are not securing the data... and that's why we do risk assessments. That's why that's our go-to-market sales motion. It's because no matter how much a company is spending, and no matter how much they've invested in security tools, their data is not secure.
We know that because when we go in and install and start scanning and showing them, they have no idea of just how broken things are and the scale of the problem that they need to fix, and suddenly it's apparent, "I need to do this. I don't have the time or the people to do it. I need to do it automatically," and that's why we're so valuable.
Because of AI and the risks that it creates-
Mm-hmm
... from a security perspective, I'm curious, just over the past, you know, six months or so, in your conversations with customers, are you seeing, you know, the prioritization of data security kind of increase when it comes to investments in their security stack? Like-
Mm-hmm
... you know, people and investors talk a lot about which categories in security are getting prioritized-
Yeah
... prioritized the most? So-
I think you did a good job of categorizing that. AI, generative AI, and large language models is another reason that companies are increasingly prioritizing data security. But something that we've learned over the last 5, 10 years is that the object of every security initiative is to protect data, 'cause why else are you doing something? It's... Data is the target. You've heard me say it before, and I'm gonna say it again: Nobody breaks into a bank to steal the pens. No, a bank robber is after money. If a threat actor, you know, a bad guy, an insider threat, a cyber criminal group, a nation state, if they get access to your network or to a device, they're going after data.
I don't know how someone's gonna get in, but I know where they're going, and Varonis is the only technology that secures data and monitors it in the way that we do. So what we're seeing is that data security is continuing to move up the priority stack, because when you secure your data, everything else works. No matter where you spend time and effort and money, if you're not securing your data, what are you doing?
Got it. So, instead of monetizing the AI directly, it sounds like, you know, you expect that your ability to address these risks, you know, will become a tailwind to the business. Can you go into-
Mm-hmm
... a bit more detail on that?
Sure. So, yeah, there's kind of two ways to think about this as a driver for demand for Varonis. One is to get the benefit of third-party generative AI tools, but to do it securely, to not expose your company to increased risk because you're leveraging AI and generative large language models. The other... The flip side of this is a lot of companies are building internal models, training LLMs on their own proprietary datasets. You wanna make sure that the data that you're using to train AI doesn't have, for instance, employee medical records in it or a customer's 401(k) in it, because if it does, you could potentially expose yourself to a lot more risk than you realize. Suddenly, your customers can search for employee data, and you don't want that.
So you wanna make sure that the datasets, the data that you are training your AI on, is properly secured, and it doesn't contain information that you don't want there. That's another reason to use Varonis, to make sure that that data is properly protected and that you're not putting potentially sensitive information in places that it shouldn't be. The flip side of it, too, is we have AI in our product now, and that makes Varonis easier to use. Today, you can log into a Varonis console and ask it, "Show me all of the employee information that is accessible to everybody in the company," and seconds later, you'll see it. We also have an AI assistant that will help you with an investigation. So Varonis generates an alert.
Tim clicked on the wrong email, I'm gonna pick on him, and suddenly his account is under the control of ransomware. Well, Varonis is gonna alert you, but what do I do next? The Varonis AI will now tell you. It'll tell you, "Here's exactly why this is happening. Here's exactly what you should do next. Here are the steps you should take to make sure it doesn't happen again." That makes Varonis easier to use, and that makes our customers happier. We know that customers that use Varonis will buy more, so...
When do you expect to see AI become a tailwind to the business? Or, again, or said differently, you know, when will investors start to see this showing up in your quarterly results on an ARR basis?
Yeah, it'll still take some time because we do need to educate customers on how we fit into the solution for this, so we still need to run the risk assessments. We need to teach the sales force how to talk about this opportunity as well as Brian does. So I don't want you to get too far ahead of yourself plugging into your 2024 model-
Yeah
... because I know how you guys are, but it should definitely serve as a nice tailwind to growth over the next couple of years. It's kind of the right way to think about it.
Got it. So, I mean, but this is like the data security protections and the governance and the classifications that go along with, like, the access controls; it's stuff that customers need to put in place before they start to roll a lot of this stuff out.
Yeah.
Like-
Microsoft even says, "Before you use Copilot, make sure you're not oversharing data, and you've got good data governance." What's good for us is there's no other way to do it without us.
Right.
Yeah.
So, I mean, you should see it, you know, before, like you see a broad-based rollout of Copilot, right? Like, should kind of happen in sync, I guess.
We would. In theory, yes. But again, there's nobody there. We don't compete with anybody. We still-
Yeah
... to Tim's point, we have to do the risk assessments. We have to show these organizations what it is Varonis does and how we automate this kind of security. But to your point, you know, I met a CISO of a big bank last week, and she said, "What keeps me up at night is an employee on our trading floor getting access to HR data because they just asked for it. They don't even need to know what they're doing anymore. They're just. And she says, "I don't wanna use Microsoft Copilot until that happens, until I have security in place." And then we showed her exactly what we do, and now we've got a risk assessment in. So to your point, yes, but we still have to execute on the sales motion.
Okay. So shifting to some financial questions. Where are you going? Oh, yeah, sorry, go ahead. Yeah. So, why, why is the cross-training team continuing to pass through? You guys are going to very well, obviously. What, what makes this a no-ask?
So when Varonis was founded, we were founded to protect big sets of on-premises file systems that nobody else had ever done that. We have a lot of intellectual property in how we do that, and we followed the data into other places on-premises and into the cloud. The answer to your question is that this is not an easy problem to solve. If it was, other people would have solved it. We have a massive technical moat around us, and with our transition to SaaS, we're able to innovate even more quickly, and that moat is growing. To be intellectually honest, it is software. Somebody else could invest a massive amount of time and money, but we have thousands of customers that have had success. We have automation built on visibility. We have analytics that are proprietary.
There is so much technology baked into what we do and the automation on top of it, and the ability for our teams to evangelize both the problem and the solution. We're in a unique spot, and, you know, in theory, there's nothing stopping other companies from doing this other than it would be a massive investment in resources, and they also need time and experience. Varonis is not something that you can prove in a lab environment. You need to look at real data in a real enterprise, and that's another reason we do the risk assessments.
We have a specific pilot and certain things, so customers say, "Hey, thanks for doing a great deal," and part of your solutions are-
We haven't seen that, and we're complementary to the controls and the technology that Microsoft and the other platform providers provide, which is why you can get Varonis on the Azure marketplace. You know, you can get Varonis on the AWS marketplace. So there's nothing that does what we do, and while there's nothing even that does, you know, 20% or 30% of what we do, and while what you say may have been true 10 years ago, it's not really true anymore because what you're describing is what we would call the ostrich defense. I don't wanna know about these problems 'cause I don't wanna have to solve them. That's not kind of the world today.
In the security part, there are multiple areas. One is the compliance, which probably look at all PHI, PCI-
Mm-hmm
... PII data. Other part is accessibility, encryption aspect, and those things. The third part is basically covering all the network getting to the data part.
Mm-hmm.
Do you cover all three in a single offering, or is that more like a separate product?
So that's a good question. In the self-hosted model, the answer was that, that those were different modules and pieces of functionality, and we worked very hard to make sure as many of our customers as possible had all of the functionality that they needed to do everything that you're describing. In the transition to SaaS, we simplified it. Now it's Varonis for Microsoft 365, Varonis for Salesforce, Varonis for your Windows data, so that you can do everything that you need to.
Excellent. So shifting to a couple of financial questions. 3Q, you just reported a few weeks ago, is a good quarter. What drove the strength in 3Q, and kinda what maybe surprised you to the upside?
Yeah. So in general, our SaaS product has been driving the strength that you've seen over the past couple quarters, really. So the different components of that is the SaaS mix, which judges our ability to sell SaaS to new and upsell to existing customers. You saw that come in at 59% this quarter, versus our guidance for 45%. The other piece is converting our existing base of customers over. We're not targeting them just yet, but we are seeing healthy adoption from existing customers, and we did see about $10 million of those conversions in 3Q, which was ahead of our guidance for about $8 million.
Those two components, coupled together, drove SaaS ARR to be about 15% of total company ARR, and overall, we're really happy with what we're seeing from kind of the SaaS momentum over the past couple quarters.
Those conversions are a key feature of, I think, phase two of the SaaS transitions. How big of an opportunity do you think that is? I mean, can we just take your on-prem ARR and multiply it by, you know, 25%-30%, or like, how should we think about the opportunity?
Yeah, you're thinking about it right. So in terms of kind of the timeline, let me take a step back and explain it to anybody who's kind of newer to the story.
Yeah.
So we outlined a 5-year transition period at our Investor Day back in March, kind of split into 2 phases. Phase one is focused on selling SaaS to new customers. That'll last 1-2 years. Phase two will start after that and will last kind of 3-4 years, and that's focused on converting our base of existing customers over to SaaS. So right now, we're in phase one. We're selling to new customers. We are seeing more and more adoption from existing customers because they want the benefits of our SaaS product, which is already a better product than the self-hosted platform is today. So that's really why we're seeing more and more customers ask to convert over to our SaaS platform. And we've actually seen about... Well, we will see about $30 million of those conversions this year.
In terms of the bigger opportunity, you're thinking about it right. You should be taking our non-SaaS ARR base, which is in the ballpark of about $400 million today. You can apply kind of a 25%-30% uplift. You do the math. That's a pretty nice tailwind to the business over the next couple of years. Now, you shouldn't think about that tailwind as being linear necessarily. You should see more contribution from those existing customers converting in each year throughout the transition, is kind of the right way to think about it.
Okay. And when do you think phase two will kick in, and kind of what will that ramp look like?
Yeah, you should see a more meaningful contribution from existing customers convert to our SaaS offering. I'd say, throughout next year, more so in the latter half, and then kind of a step up in each year. So you should think of 2025 as being more than 2024, 2026 as being greater than that. And that's the right way to think about it in terms of kind of the slope of adoption from existing customers.
Okay. And you talked about the 25%-30% pricing uplift. Can you just talk about, you know, why there is an uplift and what you've been seeing in terms of, you know, that actually playing out in, in the contracts that you're signing?
Yeah, so we are actually seeing discount levels hold pretty firm, so we are realizing kind of a 25%-30% apples-to-apples pricing uplift. And what I mean by that is assuming the same number of users, same features, and functionality as kind of a self-hosted contract. And in some cases, we're actually seeing deal sizes grow even more because with SaaS, we move to the platform packaging approach, which Brian had discussed earlier, which basically means a customer's landing with at least 6 self-hosted licenses, on average. And our average customer had about 5 or so licenses across the entire customer base before we announced the SaaS transition. And also on top of that, in some cases, we're seeing headcount grow as well in those deals. So there's a couple different levers that you can see us drive kind of ARR per customer higher.
Awesome. Any questions? I'll keep going. Can you just talk about how the macro has been impacting the business? You know, seems like from... Well, what we're hearing from a lot of companies is that, that the impact or the headwind has kind of stabilized, but curious to hear kind of your take on it.
Yeah, so we were pretty early to calling out the headwinds that we saw for 2023. We did the 3Q earnings last year. We have seen a pretty similar macro environment that other software companies have seen, meaning longer deal cycles, additional deal scrutiny due to additional signatures required on deals. But if I had to describe what we saw in 3Q in one word, it would be stabilization. We've seen those sales cycles kind of stabilize at a longer level. We've seen the deal scrutiny kind of stabilize. So overall, we're pretty happy with what we're seeing, at least on that standpoint. Makes it a little bit easier to plan the business around.
And if you think about how we've built our guidance over the past couple quarters, it's really been allowing for additional things that could go wrong that haven't necessarily gone wrong, and that plus the momentum of the SaaS transition is what has allowed us to kind of beat and raise our guidance over the past couple quarters. And if you think about how we built that 4Q guidance, it's in the same manner. We built in additional things that could potentially go wrong that we hope don't necessarily go wrong from a macro perspective. And thinking about 2024, while we haven't given 2024 guidance just yet, we did make a comment at the Investor Day back in March that we expect economic uncertainty to persist in 2023 and 2024 as part of that 5-year plan. That statement still holds true today.
Okay, so you're still baking in, like you mentioned, things that could go wrong, but not necessarily. I don't know, are you assuming that things get worse from here or kinda stay the same?
Yeah, that's kind of the right way to think about it, is that they do get worse from what we did see in the third quarter.
Okay. Okay, so gross margins have been really strong recently, and outperformed at least my expectations. What's especially when you bake in the revenue headwinds from the transition, so what's driving that strength? What's enabled you to kinda keep gross margins, you know, above the 85% level, even with the transition happening?
Yeah. So when we announced the transition, we mentioned that we invested over $100 million in a couple years into the SaaS platform. I think everybody was surprised by that number, and I think what you're seeing today is those investments paying fruits, right? R&D built this code in a really efficient way from a compute perspective. It's also resulting in a meaningful reduction in support tickets, so our support organization is able to service our customers in a more efficient way, and that's what's really driving gross margins to be better than what we expected at this point in the transition. Now, we do still expect gross margins to come down over time, just because we do have those hosting costs. We guided to about 80% gross margins in our long-term model.
I think that's still the right way to think about it, but overall, we're still really happy with what we're seeing from gross margins this year, and they're tracking ahead of where we thought they would.
Awesome. So maybe taking a step back, like, you've mentioned that ARR, free cash flow, and ARR contribution are kind of the north stars for the business during the transition period. And why, you know, traditional income statement might not necessarily be a great indicator for the business. Can you kind of go into more detail on why that is?
Yeah, it's a great question, and a very common one that we get from investors. So let's take a simple example to illustrate why this is the case. So if we deliver a $100,000 deal on the last day of the quarter, under on-prem subscription, we'd recognize $80,000 of revenue in that quarter. If we sell that same exact deal, but it's a SaaS deal, we'll recognize less than $1,000 of revenue in the quarter. From an ARR perspective, both would count as $100,000 in that quarter, and from a free cash flow perspective, we're billing and collecting annually in advance. So there's no free cash flow headwinds when we transition over to SaaS. And then touching on kind of ARR contribution margin, that's really just ARR minus the trailing four quarters total non-GAAP expenses.
That shows our ability to kind of maintain our cost structure and drive operating leverage in the business, kind of excluding those revenue headwinds that I kind of mentioned. That's why those three leading indicators, ARR, free cash flow, ARR contribution margin, are really the leading indicators for this transition.
Got it. Shifting over to just the new SaaS platform, can you kind of-
Mm-hmm
... talk about what the benefits are to the customer that they get with SaaS they did not have with the on-prem, self-hosted product? And what are the benefits to Varonis?
Yeah. So as Tim mentioned, SaaS is a better product. The reason... First of all, SaaS requires much less investment in time and resources from a customer in general, because they don't have to provision hardware. They don't have to spend time maintaining it. They don't have to buy database licenses. They don't have to worry about upgrades. They don't have to worry about the sizing and the infrastructure. We handle all of that. So the TCO is actually lower for many customers, apples to apples, because they don't have to handle all of that. Because it's a SaaS platform, and we don't have to go through thousands of individual customer upgrades in order to deploy new features and functionality to the market, we can innovate much more quickly. We have teams working in parallel.
It's also, you know, one way to think about the SaaS platform is we disrupted ourselves. We rebuilt our technology as a SaaS platform before somebody else did. And we also had the benefit of 15 years of technical and operational lessons learned, so we could take all the good stuff and leave behind all the technical debt. So it's faster, it scales much more easily, seamlessly to the customer. Customers, as Tim mentioned, we've seen an 85% reduction in support tickets, because most of the time a support ticket was related to the infrastructure that they were managing, and now we handle it. So if we see any issue, we fix it before they even know that it's an issue.
From a functionality, features and functionality standpoint, there's a lot in SaaS that doesn't and will never exist in the self-hosted platform. Automation for Microsoft 365, classification in email, in Microsoft Exchange, the AI that's built into the platform now. We also can offer... You know, we've had an incident response team for years that has been available to our customers at no additional cost. It's just part of our customer experience. If something went wrong, like they got hit with SolarWinds or Log4j, and they wanted help investigating and remediating and recovering from it, we would drop in and help them do that. But now with SaaS, we offer proactive incident response. Our team looks at your alerts every day, whether you're looking at them or not.
We do triage, initial investigation, and when we see something that you need to know about, "Hey, there's, you know, one of your IT admins is accessing salary data. You might wanna take a look at this," which is something that happened at a hospital system a couple months ago. Or, "It looks like you're, you got hit with ransomware," or, "We see at three or four other customers, indications of compromise that there's a zero-day threat being exploited. We also see the same thing. Would you like some help?" We do that at no additional cost. It's an extra set of hands, and we're proactive about it. We will call you. All you need to do is pick up the phone, and we'll help. That's a service that's impossible to offer in a self-hosted environment because we can't see what's going on in your self-hosted environment.
With SaaS, we can.
Would you expect SaaS to, like, speed up the sales cycles?
Yeah, because, you know, when we do a risk assessment, we need... in the self-hosted world, you need to provision hardware, and you need to do all the things that you would need to do to run Varonis. All of that goes away now. So it installs in minutes instead of hours. And the other thing to keep in mind is, part of the risk assessment is once we're installed, we're gonna find lots of sensitive data in lots of places it's not supposed to be. We're gonna find exposures, things like data open to everybody, or data in places like OneDrive shares, or S3 buckets that are public, where it probably shouldn't be.
But in order to do that analysis, I need to call you up, and you need to have an analyst or an engineer on with me so that I can run the reports and configure the dashboards. We can do all of that now on the back end. We can do it silently. So we can install more quickly. We do all of the hard work of the risk assessment, so the first time a customer or potential customer sees Varonis, we're already building a justification for the business. We've already done all of the analysis, so the entire process is much, much more efficient. Add to that, it's a better product with more automation built in. It's still early. You know, by definition, every SaaS deal that's closed has closed faster than, you know, many of our longer sales cycles, just because it's so new.
But the answer to... That's a very long way of saying yes. So it's been very encouraging. The sales cycles are shortening.
Awesome. Any questions? Okay.
With all the SaaS offerings, will you charge any premiums to your customer over a period of time, or you're actually charging them less?
... we charge them 25%-30% more for apples to apples. The customer overall will pay less. The TCO goes down, but we're just capturing the money that they would have spent on hardware and SQL, we're just taking that for ourselves.
Got it. What about new logos? I mean, you would think SaaS could potentially accelerate new logo growth. Have you seen that at all?
It's still early-
Mm.
But it's encouraging. Being able to do the risk assessments more quickly and at bigger scale lets us get into bigger enterprises, and it, the signs are encouraging.
Yeah, I think we also have the macro environment that's putting pressure on adding new logos as well as, like, an offsetting headwind. But the SaaS transition itself is a tailwind, and it should make it easier to get new logos because of the friction reduction that Brian talked about over time.
Okay. You talked about the two distinct phases. Just remind us kind of where we are?
Yeah. So right now, we're doing phase one, just selling SaaS to new customers. We're really happy with our progress there. We're guiding to about 55% of our new business to new customers and kind of upsell to existing customers coming from SaaS this year. I also mentioned that we have approximately 15% of total company ARR coming from SaaS. And then we also have existing customers increasingly choose to convert to SaaS just because it's a better product. We have about $30 million of those happening this year, and that's even without us targeting those customers. That's happening because they want the better protection at less effort, and our salespeople can earn additional commission dollars on the larger deal sizes. So they don't necessarily get paid on the entire deal, but they'd get paid, like an upsell.
So if we have a 100K deal that renews at 125,000, they'd get paid on that $25,000 increase like they would for any normal upsell. So there's definitely an incentive there from both the customer and our sales force, without us having to actually offer any additional incentives to do so.
Okay. You've called for the transition to take 5 years. Why, why do you think it will take so long? It seems like it's happening faster than you expect, so I'm curious, kind of, if that could change your expectation in terms of the timeframe?
Yes, it's a great question. We did the perpetual to term license subscription back in 2019. We did that in about a year. That was about, that was a financial exercise, so this one has a lot more operational components. We're responsible for hosting the software. This is a business model transition. It's not, not just a financial exercise. And if you think about phase two specifically lasting 3-4 years, the reason behind that is our average contract length is about 3 years for customers. Also, customers purchased hardware to host the Varonis software on it, so they might wait until they've fully depreciated that hardware before switching over to our SaaS offer. That's really the two main reasons why a customer might wait 3-4 years to convert, but at the same time, we're certainly seeing customers convert ahead of renewal.
We're happy to work with them on that. We're also seeing customers reprovision hardware that they've purchased for the Varonis software. There are ways to get around it, but that's why it might take as long as 3-4 years for some customers.
Okay. Any questions? Okay, go on.
So, I wanted to talk about competition more.
Okay.
You mentioned you guys don't really have much competition, but, I mean, data security, and I, I know it's a broad category-
Mm-hmm.
But it has been getting a lot more attention.
Yeah.
Specifically, Data Security Posture Management as part of a cloud security strategy.
Sure.
There's a lot of emerging vendors in this space.
Mm-hmm.
I'm curious, like, how you see... if you see some of those emerging competitors as a threat to your business?
Mm-hmm.
I think about Dig Security, Palo Alto just acquired-
Yeah
... players like that, that are small, but I guess getting attention, so curious, yeah.
Yeah, I think it highlights that we've been solving a really big and important problem, so now there are other companies that are trying to solve it. DSPM, like SSPM and CSPM, they are, they do pieces of what we do in some of the places that we do it. So you can think of them as a subset of Varonis' technology and what our offering is. They don't offer the automation, the analytics, the behavior monitoring, the threat detection that we do. On the flip side, we're the number one DSPM vendor, according to Gartner. So, you know, it's nice to some extent that there's an acronym that describes a part of what we do, so that might make things a little bit easier.
We haven't seen any of those any DSPM tools actually be a threat to us in any deal. They don't solve the same problems, so they are surface-level analysis of some of the data that we look at, but can't actually solve the problems that we solve. So we don't, we still don't see them as direct competition, but it is nice that that others are starting to realize that securing data is a really big problem and an important one. So they don't have the depth of visibility that we do. So I don't want to get too technical, but you can think of it this way.
A DSPM might show you, to use a house as an analogy, that some of your doors are unlocked, and that you might have a lot of, you know, sensitive data or important stuff inside the house, but they're not gonna look in every nook and cranny. They're not gonna find all of the ways, for instance, boy, this analogy really falls apart, but you've got jewelry in a, you know, jewelry in a safe. DSPM isn't gonna go down and tell you the exact combination of the safe and why it's exposed. It's not gonna tell you that the door to the safe, the room that the safe is in, is also unlocked. I really went down a path I shouldn't have to make this, this analogy. They don't have the depth of visibility.
They also don't tell you they're not monitoring data in the same way, so they don't have the behavior analytics that we do. Varonis generates a very small number of alerts, but these alerts have so much context that it dramatically lowers the time to detect a threat, and especially the time to investigate, respond, and recover from it. None of the DSPM players can do that. And if you're not doing those things, if you're not actually identifying the risk to the data itself, and you're not automatically fixing it, and you're not monitoring the data and detecting when something goes wrong usefully without generating noise, you're not actually solving the problems that Varonis solves. I hope that makes some sense.
Thank you.
Yeah.
So how much of the data that you protect is living on-prem in customers' data centers versus the public cloud?
The amount of data in the cloud is growing, and growing pretty dramatically, and also we continue to support more and more cloud data stores and applications. So, you know, it also depends on the customer. You know, we have some customers that were born in the cloud, that never had anything on premises. But we still see, especially big enterprises, there are massive amounts of data on premises, and then it's never going away, and it continues to grow. But the amount of data and the amount of workloads in the cloud, especially when you fold in not just files, but also what we call object storage, Amazon S3 and Azure Blob, these big, infrastructure and platform-as-a-service, places where data can live, and also the structured databases in AWS, which we now support.
Cloud is a big part of what we do and growing, but I don't think we don't publish or disclose a very specific amount of X, you know, versus Y.
Are you seeing, you know, an increasing number of customers, prospects, or whatever, like, thinking about, you know, buying Varonis as part of their cloud security strategy?
Absolutely. And that, that's been true for a while, and it continues to be more and more true. There was a major airline that said, "I wouldn't have even started using Microsoft 365 unless we had Varonis there," because they understood the risk it was gonna pose. And now, of course, with generative AI and LLM-based tools, the need becomes even stronger. So yeah, it - we are a critical part of all of our customers' cloud security strategy.
Got it. So, I mean, one of the things I hear from customers that I speak to is that, and you all will admit it, I mean, Varonis is not a cheap security product.
Mm-hmm.
... it's a premium product. I've heard customers call Varonis the, Ferrari of data security.
Mm-hmm.
Have you ever considered, you know, coming out with a more lightweight or a lightweight version that's maybe cheaper, just to kind of get a higher volume of, of customers, maybe downmarket?
The way we think about it is this: Varonis solves really big problems, and we're the only ones that do it, which is why we're comfortable being a premium offering. Instead of offering a cheaper version, we do the risk assessment for free. So we want to use that process to highlight... You know, I always push back on saying, you know, the Varonis is the Ferrari of data security because not everybody needs a Ferrari, but we know everybody needs us. That's why we have to do the da-- that's why we do the risk assessment.
So you get the initial visibility, you also get access to our incident response team, we prove that the automation works, and then we're comfortable with the fact that it's going to be an expensive solution, but it's such a big and important problem to solve that, you know, if we do the risk assessment right and get it in front of the right people, we'll close the deal.
Got it. I'll ask, this is a toss-up for either of you. I'm curious what you think is the most misunderstood or underappreciated aspect of the story of Varonis?
Mine is, this goes back to the competition question, like, how do you not really have any competition? Even customers will ask that, and we get often put into buckets that where we are being compared with other products or technologies or vendors that do only pieces of what we do. So the most misunderstood thing by investors, by the market, by our customers, sometimes by the salespeople we're trying to hire, is really what makes Varonis unique, and that's why the outcomes are so important. What does it mean for your data to be secure? Like, what does that actually mean? What does it mean to keep data private? Why is reducing alert noise so hard, and why can only Varonis do that?
Why and how we are unique is kind of the most important thing for everybody to understand, which is kind of what I spend all my time doing.
Yeah, and I think from my perspective, it's the size of the opportunity.
Mm-hmm.
I think investors see our top-line growth rates, and they ask, "If you have no competition, why are you not growing faster?" And I think it ties back to what Brian was talking about. We still need to do risk assessments because we're the only product that does what we do. There's nobody else evangelizing the market for us. So that's why doing the risk assessments is so important, and finding and enabling the right people to do those risk assessments is really the biggest bottleneck to why we're not growing faster. But we've done a couple things to kind of alleviate those bottlenecks in the years ahead. The SaaS product itself makes the risk assessments easier to run, so theoretically, our reps should be able to do more risk assessments, which will help productivity in the future years.
We've also been doubling down on kind of the Varonis Academy over the past couple years, which is our in-house development program for sales reps. So we'll hire a territory development rep out of college. They'll spend about 18 months cold calling customers. Good ones are kind of promoted into inside sales roles, where they'll sell over Zoom for about another 12-18 months, and the best ones kind of move into the field from there, selling to enterprise customers. And we've seen reps that go through that program actually have higher productivity versus ones that we hire from the outside, and we've been really doubling down on those efforts over the past couple years. So we expect that should show additional contributions in the years ahead.
Got it. Fantastic. Well, if there aren't any other questions from the audience, we will, we'll leave it there. Gentlemen, thanks again so much for being here.
Of course. Thank you.
Thanks, Brian.