It's gone faster than expected. Talk a little bit why that has been, surprisingly fast adoption.
It's funny you say surprising. It hasn't been surprising to me personally, only because the SaaS product is the—it's the best product we've ever released. It's the best version of Varonis that's ever existed. It's better for our customers. It's easier to install and deploy. It's easier to use and operate. We've seen a 90% reduction in support tickets. It's also just a better product. It does more. There's more automation. We support more data sources. We have better analytics. We can offer Proactive Incident Response. And now we've evolved that into Managed Data Detection and Response, which I'm sure you'll ask about at some point. It's a better product that has a lower total cost of ownership for our customers. So it delivers more value more quickly. And we've seen our customers adopt it faster than we'd hoped for all those reasons.
And just to add to that, when we look at finishing 2023, we ended the year with 23% SaaS from total ARR, which is definitely quick. And we're very happy with that result. That's coming a lot from the fact that we saw a lot of our existing customers convert to SaaS. And when we initially introduced the transition, we talked about phase one and phase two. Phase one, focusing on new customers. And we expected that to be between 1-2 years. And then phase two, we expected would start at the end of phase one. And that would be focusing on existing customers, converting them from on-prem subscription to SaaS. And we expected that to be anywhere between 3-4 years for a total transition period of 5 years.
What we actually saw throughout 2023 is that a lot of our existing customers asked to move to SaaS in a very natural way. So we didn't have to put any focus into it. But it just happened.
Yeah.
The benefit for our reps was that anything above the renewal amount goes towards their quota. So the fact that they could convert customers at a price that was above the renewal price helped them. But it also helped our customers to get a much, much better product. So that combination really helped us get to that 23%. In the last earnings call, we actually reduced the transition period from five years to four years. We're really happy to see that progress moving in the direction that we see.
Have there been any other surprises, as related to this transition to SaaS? Anything else that we should think about?
I'd say the only thing, on top of that, that we're pleasantly surprised [about] is the fact that the margins on the SaaS are much better than what we initially expected. The efficiency and the way the technology was built was done in such a great way that allows us to generate a lot of. There's a lot of in the model, in the SaaS model, there's a lot of benefits. Brian talked about the way we sell it. It's expected to be easier on the risk assessment when we do it with customers. It's a much better product for our customers. But there's a ton of benefits from a financial perspective. We expect the renewal rates to be better. We expect our ability to upsell with the MDDR. And we'll talk about that later, to actually help us in the upsell with our customers.
When you think about the R&D, the R&D department actually worked on two types of code. They're maintaining two types of code, both the SaaS and the on-prem subscription, where eventually we'll get to a point where we're only selling SaaS. And we won't have to maintain those two types of code. It won't happen next year or the year after. But eventually we'll get there. And there's a ton of benefit, a ton of leverage that we can generate just from maintaining the SaaS offering. Brian talked about the reduction on the support tickets. The customer success team, it's much easier for them to maintain SaaS customers versus the on-prem subscription customers. Professional service teams, the same. So there's a lot of goodness in the SaaS offering that helps both the customer and us.
Very good. All right. And again, please feel free to raise your hand. So last year was a challenging macro environment. You had said that you saw stabilization in the second half of fiscal 2024.
2023.
2023. Have you seen that stabilization continue into 2024? And maybe just touch on any other highlights you want to make from the Q4 call.
So when you look at the 2024 guidance, we baked in continued stabilization in terms of the macro. We didn't expect or we haven't baked into the guidance any improvement in the macro conditions. But from what we've seen in the second part of 2023, we've definitely seen the macro stabilize. The one thing to touch on, on the 2024 guidance, if we're talking about it already, is the fact that there are a lot of tailwinds that are benefiting that could benefit us in the future. Three of them that are important to highlight are the Copilot, just that we can talk more about later on, MDDR, which is a new introduction that we just recently announced that really could change the game in terms of the value we can provide our customers.
Basically, we would monitor their data to make sure that no abnormal behavior is taking place. There's a signed SLA with the MDDR of 30 minutes for detection of ransomware, which is very quick when you think about it. We've done MDDR in different versions for quite some time with the incident Proactive Incident Response team. But actually now we're charging for it, giving in return that 30-minute SLA on ransomware. So that could become a big tailwind for us. And there's the SEC cybersecurity regulation that was recently introduced. All of those three tailwinds aren't baked into our guidance because we haven't; they're so new and they're so early on. We really like to see positive trends translate into numbers and data. And then we like to talk about it.
From a 2024 guidance perspective, we assumed macro stabilizing, continuing to stabilize, and no big change there. We also didn't bake any of the positive trends that we hope to see with the SEC, Copilot, and MDDR.
All right. Well, I, I got questions on those specifics. So we'll go down that. But, let me just make sure that we don't have any more questions here. So first off, let's talk about AI. Describe where does where does Varonis fit in the AI landscape? And then how does Varonis benefit as the customer adopts, AI infra applications?
Every conversation about AI and every use case related to AI and everything a customer is doing when it comes to either training and building their own LLMs or using productivity tools like Copilot is the conversation about data. AI is all about data. Large language models, it's baked in the name. It's right there in the name. It's large language, lots and lots of data. If you're going to benefit from LLMs and productivity tools like Copilot and AI in general, you need to protect your data. You need to make sure that you know what you have and make sure that only the right people have access to it. Productivity tools like Microsoft Copilot can make knowledge workers incredibly more productive. It's one of the greatest innovations in history from a knowledge worker standpoint. But it also introduces an incredible amount of risk.
Employees have access to way too much data. And Copilot makes it very easy for them to exploit that access either accidentally or maliciously. And so if you're going to deploy Copilot safely, you need to protect your data first. The number one reason and this has been validated by partners and integrators, Microsoft themselves, all of the customer conversations we're having, the number one reason that organizations are not deploying these tools is privacy and security because they don't know what's going to happen. I met a CISO who turned on Copilot for her employees. And this is a big bank. And she discovered that the users on her trading floor were doing research, asking Copilot, "What do our employees invest in?" And Copilot was spitting back information about employee 401(k) data. It's it's crazy.
You can also see users or insiders using Copilot to identify salary information and bonus information. It exploits all of the governance and security problems that we know exist because we've been solving these problems for decades now. But it makes businesses have an incentive to solve these problems very quickly. So the second half of your question, how does Varonis benefit? If you want to deploy Copilot safely and securely, if you want to get the benefits of AI while minimizing risk, and being responsible, you need to use Varonis first. And Microsoft says the exact same thing.
It's not clear, I think, from an investor's perspective, how do these large language models access this data that you would think would be too sensitive? Why aren't access controls sufficient for locking down data that's across your private environment?
In theory, they should be. But these platforms like Microsoft 365 are designed to make it easy for people to collaborate and work together. You can create a document, click Share, Share it with me, Share it with anybody in the company. We know, and by "we," Varonis knows, because we've been doing tens of thousands of data risk assessments over the last 17, 18 years. We know every single enterprise struggles with ensuring that these access controls are appropriate. Employees have access to too much data. None of their sensitive data has labels on it or data loss prevention controls. None of this data is in places where it's supposed to be. It's all accessible by way too many people. They don't know who's using it or why. And they don't have an army of people that it would take to go fix these problems.
You need automation to do it or it'll never happen. That's exactly what Varonis does.
And Guy, you had said that there's really nothing baked in. Have we not seen AI deployments for Varonis at this point? Or when, when does that start to materialize?
There's a lot of conversation about Copilot adoption. But from all that we have seen, it's taking longer than, you know, what some of the investors have initially expected. I'll ask if anyone here has actually deployed Copilot in their organization. I don't see any hands. And that's very consistent with what, you know, the conversations we've had with other companies. A lot of them are in preparation for the deployment. But as Brian mentioned, they want to make sure that they are not exposed from a data perspective. So it's taking longer.
Okay. All right. Briefly, just talk about the partnership with, with Microsoft. Where does where does Copilot's own security end? And where does Varonis start?
It's important to remember that Copilot doesn't have its own security. Copilot uses the security model that's already in place within Microsoft 365. So and we know that that security model is typically, to be frank, broken. Too many people have access to too much data. So we have a very deep and growing partnership with Microsoft. Microsoft reps can retire quota on Varonis deals. Varonis is available in the Azure Marketplace. Customers can use the money that they spend in Azure through Microsoft to procure Varonis. And we have a very deep technical integration with Microsoft security tools, primarily with Purview. We make it work and we make it work at scale. And earlier this year, Microsoft themselves stated publicly, if you want to deploy Copilot securely and confidently and quickly, Varonis is the best way to do it.
Okay. And then just briefly touch on partnership with Snowflake. What is that about?
Companies are putting lots of really important data inside Snowflake. They're training LLMs on top of it. Varonis can protect that data. We classify it. We ensure that only the right people and applications have access to it. We monitor it. And if you've got our MDDR, we'll tell you if somebody starts accessing it strangely.
Okay. Any questions? All right. So one thing that probably hasn't gotten a great deal of visibility is, or media attention is the new SEC rules regarding disclosure of breaches. Talk a little bit about what that is and what types of attacks that will relate to and how it relates to Varonis.
So in December of 2023, the SEC came out with a regulation that requires companies to report within four business days if there's any material breach in the organization. And using the term materiality is, you know, very fluid. So there's no strict guidelines on what is material and what isn't. But what we've actually seen is that many companies have already reported when they had a breach. And when you do that reporting, you have to file not only what happened but how it happened and what sensitive data was taken and kind of the risk to the organization. How would you know that if you don't have any way to track who's touching your sensitive information? So in a way, the SEC cybersecurity regulation puts the burden on additional C-level executives to ensure that they know what's happening from a data's perspective.
Now, we don't expect the SEC cybersecurity regulation to have an immediate effect in terms of POs and purchases and revenue and ARR. But it's one of the elements that continues to push more and more people into that spectrum of making sure they understand what's happening from an organization perspective to monitor data. And I think the conversations between the CFOs, legal teams, and the CISO and the security teams within the organization, the communication there is key. You cannot, a CFO cannot be as immersed in the cybersecurity space and understand all the technical elements. There's absolutely no way that can happen. But they need to start asking the questions, who has access to data? What happens if 10,000 files today would be deleted? Would we know about it?
There are certain questions that they can ask that can help them understand if the security team is in control or not. Eventually, as more and more of these events and more and more of these filings take place, I think it would just put additional tailwind for us that we can benefit from.
How do you think of that opportunity? Is that, front and center in terms of your outreach to customers at this point? Or how, how are you thinking of that, that from a market opportunity perspective?
So our champions are still the CISOs. Those are the ones that actually make the purchase. But we have started to target some of the CFOs. We've had a campaign in the Wall Street Journal, where we are targeting CFOs with this cybersecurity regulation. So we are putting emphasis. But it's not just the CFOs. It's the legal teams. And it's anyone that's involved with any SEC filing, because they have to know. And the SEC, in a way, came and said, you know, if there's a, we want to make sure that we kind of set the general setting of how filing should look like. Because if a company has a fire in their warehouse, they have to report it.
But if they had a breach, they saw that many companies didn't report it in an SEC filing but would have a press release related to it. And they wanted to generalize and make sure that they're generating an even playing field for everyone. So I think the intentions are right. And I think they're trying to do the right thing to allow investors to understand what is impacting the companies that they invest in. The side effect of that is that CFOs, legal teams have to make sure that they understand what's going on. And the communication between those functions and the security teams is key.
Okay. All right. I want to move on to MDDR. That's Managed Data Detection and Response. First off, just touch briefly on what it is. And then you've historically offered your Proactive Incident Response. How does it differ from what you've offered historically?
It's an evolution of that. I think it's important. I think it helps to put this into context. MDDR didn't come out of nowhere. We didn't create it from whole cloth. It's an evolution of Proactive Incident Response, which is an evolution of the incident response services that we offered at no additional cost to all of our customers. We built that team because we realized customers that knew what our alerts were and why they were triggered and how to respond to them and how to make sure that there was no noise got more value out of Varonis, which meant they were better customers. They were more likely to renew and expand their Varonis footprint. That team was built because we built behavior analytics and alerting into our platform.
That was built on top of the fact that we were the only technology that was actually monitoring data. You know, nobody breaks into a bank to steal the pens. They're after data or they're after money. If somebody if a threat actor or an insider gets access to a device or a network, they're going after data. And that's what we've been monitoring from the very beginning. So the natural evolution of building alerting and then behavior analytics, building the incident response team to help our customers. With SaaS, we could offer Proactive Incident Response at no cost because we would see our customers' alerts, whether they were looking at a dashboard or not. And now what we've done is we've taken that service and expanded it to offer an SLA, 30-minute guarantee to catch ransomware. We'll do proactive threat hunting.
Our analysts will go into your environment and look for indications of compromise or vulnerabilities that you might want to fix, 24/7 monitoring, a dedicated security analyst. What we've done is added additional value on top of the service that we were offering before. Now we're charging for it.
Okay. You've described this as a game changer. I think part of that is because historically, accounts haven't necessarily had the talent to adopt and implement Varonis. How, how is this a game changer? And how does this change the, the requirements on that?
So companies definitely adopted our product. And, and our renewal rate has been consistently over 90%, prior to MDDR. I think what MDDR, the impact that it has on the conversation is in its simplicity. If we come to you, we talk to you about, do you want to protect data? Do you want to make sure that you know within 30 minutes if there's a ransomware attack? We'll do everything for you. All you have to do is pay for it. And I think that's a, that's a relationship that's working really well. We want to provide value. We will provide value with the MDDR. In return, we want to charge more for that service. But at the end of the day, the total cost of ownership for the customer is lower.
We charge with a SaaS offering, price list, same licenses compared to on-prem subscription, same users, same licenses, a 25%-30% uplift. But we take over everything that is related to the hardware. And with the MDDR, the company can actually utilize some of their security personnel to different tasks. So the total cost of ownership for the customer is lower. They're saving money. And we obviously can enjoy the efficiencies of SaaS and, and the economy of scale. So it's a win-win for everyone. We believe that if we call you up and let you know that there was a ransomware attack, but we monitor only one platform, but we can't really see what's going on on the other platform, the natural evolution would be that you would want to protect additional platforms because you don't have to do much apart from paying for it.
The ability of MDDR to be such a big impact on our company and the value that we provide, organization can come from hopefully a higher enroll rate because it's a much stickier product when customers don't need to work hard for it. There's an upsell opportunity with it. Also, when you introduce it to customers and you have a conversation and you talk about outcomes and it's simple and all you need to do is just buy that one SKU, it can make the conversation much, much easier. Hopefully, the sales cycles can be shorter.
Okay. All right. How long have you been selling it? And how, what kind of penetration do you think this can have?
So we introduced this at the beginning of 2024. Only a couple of months now. I can say that from when we talk to reps, it's a no-brainer. They understand the value that it provides customers. Customers have already shown very good, good desire and good interest to have MDDR. I think that if you look at from a percentage in terms of penetration, it should be a no-brainer for new customers. When you initially offer the MDDR, I think the percentage of new customers that would buy it would be high. Obviously, we want to go to our existing customers. Some of them that are on on-prem and want to switch to SaaS, it's another added benefit of switching to SaaS because then they don't have to manage the alerting from their security team. So it's an added benefit.
Eventually, we want to get to a point where the vast majority of our customers have this offering.
Okay. And what does it require in terms of additional investment and in terms of headcount?
So as Brian said, this is an offering that we've already provided. We just didn't charge for it. So now we're charging for it. And we're reallocating that headcount to the MDDR. We want to get to the MDDR offering to be software-like margins. The benefits of the MDDR and the reason we could get there from a margin perspective is because there's so much automation in the software. The alerting, the understanding of what's happening is happening in an automated way. We're not trying to become a service-type company. We don't want to be a company that has thousands of employees that are just looking at the customer's screen and their screens to try and see if there's anything abnormal. It has to happen through the software.
The software was built in a way to generate that understanding if the alert is important or not. And through that, we'll get to the margin-type business.
Okay. We're down to our last minute and a half. So if there's any questions from the audience, now it's come down to the deadline. Let me ask you, we talked earlier about the move to subscription. How you had talked about the transition being two phases. And now you're, I think you're, at phase two where you're starting to migrate existing customers to subscription. How are you incenting sales? Did the sales compensation change so that they're more incented to transition that installed base now?
So we're talking about the move to SaaS. And when we look at the commission structure, initially, when 2023 started, we felt that when we get to phase two, we would have to compensate our reps and kind of incentivize them to convert. But as I mentioned, the customers started to convert in a very natural way. So the reps can benefit significantly from the uplift on the additional dollars that they can sell to customers when they move from on-prem subscription to SaaS. We've actually put additional emphasis from a commission perspective on new customers where we would pay our reps actually more if they sell to new customers. And they really can't make significant money if they don't focus on the new business. And the reason we've done that is because both elements are critical.
We want to obviously, it's good for our customers to move to SaaS. It's good for us when they move to SaaS. But we also want to make sure that we bring in the new blood that will allow us to continue to grow in the years ahead. The customer lifetime value that we can generate with new customers is significant. We want to make sure that they focus on both and they don't just look at the conversion side. And that's why in 2024, we actually made some additional changes to make them focus on the new customers just as much as they focus on the existing.
That's not what you would have expected when you started this process, two years ago?
When we started in 2023, we thought we would have to incentivize reps, in order to convert. But it's happened in such a natural way. And there's so many benefits for both sides that we didn't feel it was necessary to put money to work there. If anything changes, we'll make those adjustments.
All right. Well, that's it. So I want to thank all of you for joining. And Brian and Guy, thank you very much for a very interesting presentation.