All right, we're ready to go? Great. Good afternoon, everyone. Thank you for joining us. My name is Brian Essex. I'm JP Morgan's Security Software Analyst, and with me today, I have Guy Melamed, the Chief Financial Officer and Chief Operating Officer of Varonis, and Brian Vecci, the Chief Technology Officer. Gentlemen, thank you for joining us. I really appreciate it.
Thank you.
Thank you. Thanks for having us.
Maybe a great place to start, for those that might not be too familiar with what you do, is maybe just an overview of the company and, you know, where you're positioned in the market.
Sure. So Varonis is a software security company. We, in short, help other companies protect their data. We see companies struggle with understanding what data they have and where it is, what's sensitive or important. And they really struggle with ensuring that only the right people and applications have access to it, and they struggle to minimize the time it takes to detect a threat and effectively respond and recover from it. So we sell software that makes it easy for companies to do that.
Great, and you guys have been around for a little while. Maybe help us understand the evolution of the company and-
Yeah
... where you got started and kind of where you are now.
We were founded in 2005 because nobody could solve these kinds of problems on Windows file systems. We created a platform that started on file systems and expanded to other places, like SharePoint and email, expanded into the cloud with Microsoft 365, and then into other IaaS and cloud platforms like Amazon and Salesforce. Then, a few years ago, we made a huge investment to reinvent our software platform as a SaaS. These days, it's a single SaaS solution for hybrid and cross-cloud data in files, databases, or in, internet infrastructure.
Got it, and then, you know, obviously, you recently announced that SaaS transition, and it's performing relatively well. Maybe an update on, on where we stand and how much further we have to go?
So we laid out a plan on a five-year transition plan last year on trying to get to anywhere between 70%-90% of total ARR coming from SaaS. At the end of last year, in Q4 of 2023, we actually reduced that timeframe from five years to four years because things are going very well. We finished Q1 of 2024 with approximately 30% of ARR coming from SaaS. I think the reason it's going so well is because our existing customers are embracing converting to SaaS. It's a much better product. They're getting way more value, and our new customers, it's really a no-brainer for them. So we've also introduced MDDR, which we could talk more about.
Mm-hmm.
when you combine SaaS with MDDR, it's a pretty compelling offering for our customers.
Got it, and then, you know, remind us, you know, from a product-specific perspective, what benefits the customers get from the SaaS offering. Like, what is their perspective that kind of pushes them towards SaaS as opposed to, you know, term?
Sure. In short, it's a better product. It's a better way to consume our platform. Because it's faster and easier to deploy, you don't have to deploy or provision the infrastructure, meaning you don't need servers, you don't need databases. We handle all of that. That's the benefit of a SaaS platform. It's much easier to operate. We've seen a 90% reduction in support tickets of customers that have converted because most of those issues that they were having were related to the infrastructure that they had to maintain, and since we handle all of that now, all of that goes away.
We can also innovate much, much more quickly, and there's a lot of reasons for this, but the end result for our customers is they get the benefits of innovation without having to go through costly or time-consuming upgrades. We have development teams that are working in parallel. And when you look at the output of that, we had, I think, 15 major press releases in 2023 for new features and functionality, which is more than the previous 10 years combined, and we've only accelerated that. So it's a better product. It is getting better faster, and there's functionality that only exists in the SaaS platform: automation in Microsoft 365, an AI assistant to help with investigations, and MDDR, which is Managed Data Detection and Response, where our team looks at your alerts, and if we see something you need to know about, we call you.
It's kind of a no-brainer, and we could only offer that in SaaS.
From our perspective, financially, the SaaS product has a ton of benefits, whether it's easier deployment for the customers, we expect shorter sales cycles, we expect benefits on the renewal rate because the product could be stickier. So when you combine that SaaS offering, that really took 15 years of experience, took whatever worked and kind of moved it to the SaaS and took all the hardship away-
Mm-hmm
... whether it's customers that didn't wanna deal with the hardware or customers that didn't have enough personnel to manage the software. I think there's definitely lack of security people out there to help protect against this environment, so we're kinda eliminating all the hardship and saying, "We'll do everything for you.
Mm-hmm.
All you need to do is pay us." And that resonates very well with our customers. MDDR started, we introduced it at the beginning of Q1. It was very well received, both by our customers and our sales force. We expected that to resonate well because the proposition is pretty compelling. You know, it basically says, "We'll do everything for you." We have a... We're not only-- We're protecting against cyber threats, so basically, you don't need to have that large of a team that focuses on the security side, and you can have your team actually focus on other things. Our team will help in making sure that we're preventing it, and also, we'll just call and let you know that we took care of it.
So that's been very well received, and I think we're really excited of how this can transform the organization going forward.
Mm. And, you know, you're going through several phases of this, right? You've kind of transitioning out of phase one into phase two. In phase one, you know, not targeting existing customers, but you're still seeing adoption from existing customers. Why would somebody not, like, convert over to SaaS or transition to SaaS? I mean, have you-
I-
Seen any of that yet, or is it just that you haven't gotten to the customers to kind of walk through the process with them yet?
So let me lay down the background just so everyone understands what we are talking about. Last year, when we introduced the transition, and during the Investor Day, we laid out two phases. Phase one was intended to focus on new customers. We expected that to be anywhere between one-two years.
Mm.
And then we said phase two would start when we kinda end phase one, and that should take anywhere between 3-4 years. And the total transition period was expected to be five years, so we would complete it by 2027, and we defined that completion to be anywhere between 70%-90%, of ARR coming from SaaS. So we didn't expect 2023 to have too much of existing customers convert, but we were actually pleasantly surprised. And it was, in a way, a win-win because customers saw that it was a better product, so why not convert?
Right.
Reps would retire quota on anything that's on top of kind of that renewal number. Now, what's important to emphasize is that the price list of SaaS is 25%-30% higher than the on-prem subscription if you compare the same purchase, apples to apples. But what we've actually seen is that many of the customers actually need to consume more of the platform, so the uplift is higher. So it worked well for the reps, it worked well for the customers, and we started seeing conversions happening in a natural way, and that was a good surprise for us.
And when you, when you look at kind of our progression, it allowed us to move quicker than what we initially anticipated, and that's why we were able to cut down that transition, period, cut it down from five years to four years. When you look at phase two, one of the things that we talked about is that we expect that phase two to accelerate within the years, but also accelerate within the year. So, we expect 2025 to be more higher in, in conversions than 2024, and, we expect within the quarters, Q4 to have the biggest impact.
Mm.
The reason we expect that is because many of our customers are kinda locked in three-year deals, and the vast majority, there's a pretty big chunk of renewals towards the second part of the year. So some of the customers are waiting for that renewal period, the expiration, in order to convert. We've definitely seen customers that don't wanna wait and are asking to convert prior. But I'd say the majority of them are waiting for their expiration date in order to flip, and that's why we're expecting phase two, to kinda accelerate, within the year and within the years of themselves. What I will say is that natural conversion is continuing, and that allowed us to get to that 30% at the end of Q1 of 2024, so we're definitely seeing that, work in a great way for us.
Initially, we thought we might need to incentivize reps in order to make that conversion, but happily, we don't see a need to do that currently. So it's, it's definitely happening in a natural way, and, and that's helping us move through the transition in a, in a quicker pace.
Great. And you noted, you know, uplift has been higher with more consumption. How do we think about that from a customer perspective? Like, where is the Like, what does the adoption look like, and, and where are they consuming more of the platform?
So I can say that if you go back a couple of years, and I, I think one of the issues that we were facing is that we had too many licenses to sell. I know it sounds strange-
Mm
... but we had 40+ SKUs, and it caused a lot of confusion, and we felt that we had to consolidate. So in 2022, we came up with on-prem subscription bundles and consolidated those licenses, and we saw that it was very well received, because the conversation became simpler with customers. The sales force liked it, customers liked it, and then when we announced the transition to SaaS at the beginning of 2023, we doubled down on that, meaning you no longer have the option to even buy individual licenses. And you take, I don't know, whether it's 7, 12, 15 licenses, they appear as one SKU. So the whole conversation is easier. And then you're talking about outcomes: What can we provide the customer? How can we protect them? What platforms are you protecting?
That has worked very well, but in that conversion from on-prem to SaaS, many of the customers now have to consume the equivalent of more licenses.
Mm.
So the uplift can actually be higher than that 25%-30%. But when we built the price list, we built it with that 25%-30% uplift, knowing that the total cost of ownership for the customers is lower. They don't need to deal with any of the hardware. They don't need the same amount of resources from them internally. So we knew that with that 25%-30% uplift, they still have a lower total cost of ownership, and it's been very well received by customers. We feel very good about the pricing. And I think the value that we are providing customers is much greater.
Great. And then you mentioned that, you know, some of your customers are waiting for renewal cycles to, I guess, materialize. What sort of cohorts are we looking at for the rest of the year when renewal cycles come up for like, when renewals come up for renewal, or when contracts come up for renewal?
So we said at the beginning of the year when we gave guidance, that our assumptions are that we would finish the year in that 46% SaaS out of total ARR. But we actually moved very quickly in Q1. We went from last year finishing at approximately 23% to approximately 30% in one quarter. So when you look at the pace, if we can continue with that, we also kinda mentioned that after Q2, if we see a reason to update customers, investors and analysts about kinda the progression, we'll let everyone know. So I think overall, the expectation is, when you look at kinda the renewals, that a big chunk is in Q3 and Q4.
Mm-hmm.
Q4 is the largest quarter of the year in dollar terms. So we're definitely kinda looking closely at all the trends. I can say that from a pipeline perspective, the conversions are really healthy. We're still seeing that happen in a natural way, very well adopted by the sales force. Again, I said this before, it's a win-win.
Mm
... both for us, both for the reps, and for our customers. So it really is a no-brainer.
Any way to get a sense, like, what percentage of your installed base comes up for renewal in 3Q and 4Q?
In a very simplified way, when you look at the total ARR number that we have, there's about $100 million of maintenance of perpetual, which we said we're not gonna touch on, and focus on, in 2024. And when you look at the remainder, divide that by three, that's a pretty good sense of what, what comes up for renewal every year.
Got it. And then I guess it sounds like you don't think that you're gonna have to do any discounting off of list to incentivize customers. Everyone's been moving over pretty proactively-
Yeah
... to the SaaS platform?
Yeah. Our discounts are holding very well. One of the things that we introduced in our previous transition from perpetual to on-prem in 2019, that actually worked much faster than anyone thought, was a grading table. And in that grading table, reps can make more towards their quota if they sell it at good discounts for the organization.
Mm-hmm.
So they can make $1.20, $1.30 going towards their quota, if they sell properly, I'd call it.
Mm-hmm.
But if they have to discount heavily, they can sometimes make only $0.50 on the dollar. So that's really helped us in kinda structuring the sales, because when you're selling the platform, you wanna make sure that your sales team does the right thing, and that's helped us tremendously in 2019 when we transitioned, and it's helped us since.
Great. And then, I think, you know, in your earnings call, you called it a strong start to the year, and obviously, the conversions are a big positive. Maybe could you dig into what drove better performance outside of the conversions in the quarter?
We, we called it out during the earnings call that the majority of the new ACV came from new customers. So when you look at this natural occurrence of conversions, we also wanna make sure that reps don't camp on the existing customers and just kinda retire quota on the uplift and kinda neglect the new customers. The SaaS offering and the MDDR offering have generated a tremendous opportunity within the new customer base, because you're kind of eliminating the hardships that were there, and the whole conversation is simpler. So when you combine the technology, and you combine the MDDR offering, it's a different selling motion than it was before. So-
Mm
... we wanted to make sure that reps actually focus on new customers, and we changed the commission plan at the beginning of the year to a point where reps can make money selling to the base, but they can't make big money if they don't sell to new customers. So there are certain limitations and certain sticks and thresholds that they have to achieve in selling to new customers and selling at the right size. And I think by doing that, we've made sure that the technology fits with the value proposition, and it fits with the focus of the reps. I think it was part of the drivers that we saw in Q1, where kind of the majority of the new ACV came from new customers. It was very healthy.
Still, Q1 is the smallest quarter of the year, so I'm putting that kind of in perspective.
Right.
I said that it was a good start, and kinda on to the next. That was kind of the feeling that we had. We want to progress throughout the year and kinda execute well, but it was definitely a good start for the year, with some very good indicators that we were looking at.
Great. I wanna make sure we get to AI and your AI story. How should we think about how you're positioned to benefit from AI? How would you describe it if you kind of like go-
Every conversation about AI is really a conversation about data.
Yeah.
Any company that's investigating using generative AI to either better monetize their data or to make their people more productive needs to secure their data.
Mm-hmm.
What it's done is it's made data security the absolute top priority from a security standpoint.
Mm-hmm.
I would have argued previously, it always should have been-
Mm
... because what else are we protecting? But whether it's productivity tools like Microsoft Copilot or Einstein Copilot, that require that you lock down data before you give it to your knowledge workers and your business-
Mm-hmm
-users, or companies training models on their proprietary data. They, they really need to make sure that it's not exposed to people who don't need it.
Mm-hmm.
They really need to make sure they know where sensitive data is. You don't wanna hand Microsoft Copilot to a user, and then that user can find employee 401(k) data, and customer information, and all kinds of things that he or she might not supposed to have access to. What this does, what these copilots and generative AI has done, is shine a bright spotlight on the problems that we have been solving since the beginning of the company. We're in a unique position where we built a platform to solve these problems before anybody had ever heard of Copilot or generative AI or ChatGPT.
Right.
We're half a decade or more in front of anybody else. The technical moat we have is massive, and with generative AI, companies need to solve this problem right now.
Mm.
Their boards, their CEOs are saying, "We need to deploy these tools because otherwise we'll fall behind our competitors." But the CISOs are saying, "I can't deploy these tools because of the privacy and security issues." We solve them, we solve them quickly, we solve them automatically. We solve them in a way where it's just, if you want your data to be secure, just give us money, because we've automated everything, and we have an overwatch for you. It's, it's that simple at this point.
Yeah.
Mm-hmm.
What does a typical profile of your customer look like? And by that I mean, you know, a lot of these larger enterprises need to modernize their infrastructure and how they manage data, how they store data, how their infrastructure operates.
Mm.
They might be in, you know, old legacy systems that need to be modernized first. You know, how do you think about... I mean, are your customers in that kind of a camp where that needs to be a step, and then they can get their arms around the data, and then they can kinda deploy AI? Or is this-
That might have been true-
Approach to data. That's step one.
... 5 or 10 years ago, but our platform and the way we go to market now is so automatic, and we do all of the work for you. It doesn't matter where you are in your journey.
Yeah.
You could have lots of legacy data in file systems and databases. Varonis will protect that for you automatically. You could be moving to the cloud or already have a lot of cloud data, Varonis will protect that data for you automatically.
Mm.
You might be at the beginning or dipping your toes in the water, or have a pilot for a generative AI tool like Copilot, you need us, and we can do it automatically. That wasn't always the case. We had to build this. But we're at a position now where we have the automation, and we have the breadth of coverage that can help any organization at any point of their security journey, and they don't need people, or they don't need to go through a process, as you say, of getting their arms around something.
Right.
We do it for you.
Yeah. On that, you mentioned copilots, and, you know, you've got a partnership with Microsoft-
Mm-hmm
... which is pretty compelling. How would you describe the partnership, even if it's not an exclusive one? You know, there are other data protection vendors kind of in that marketplace, and Microsoft sounds like they wanna steer customers to Purview. How do you get... You know, how are you adopted in that platform, and what are the incentives of, you know, either customers or Microsoft to, you know, I guess, incentivize adoption of Varonis-
Yeah
... in connection with adoption of Microsoft Copilot?
Microsoft offers a great set of functionality under Purview, that can help with preventing the loss of data, but nothing that they have actually solves the, the access control and monitoring problems that we're talking about. So you have to solve those before you can deploy these copilots, or specifically Microsoft Copilot. We solve it automatically, and we integrate with Purview, so we make all of the functionality that Microsoft provides even easier to attain. One CISO told me, "Varonis is what makes sure that Purview isn't shelfware.
Yeah.
Which is a danger, especially with enterprise software. As for the incentives, we're on the Azure Marketplace. Microsoft reps can retire quota on Varonis deals. Customers can use their MACC, their Microsoft Azure commit, to purchase Varonis, and in some cases, there are incentives to do that. So our partnership with Microsoft is strong and getting stronger.
Yeah.
A lot of that is built on the fact that a year and a half ago, we weren't on the Azure Marketplace, and now we are. In that short amount of time, we're already in the top 8% of Microsoft partners. It's clear that there's a need for what we do. None of Microsoft's other partners or even Microsoft themselves can solve the problems that we do, in the ways that we do, as automatically as we do. Now their customers really need it, because Microsoft wants people using Copilot.
Mm.
When did they realize they need it? Is that, is that-
Mm
... upfront before adoption, or is it in the process, and they just sit there, and they say, "Oh, crap, I'm exposed. I need to solve this problem?
It can be either way. I'll tell you two stories. One, I met a Wall Street bank, and I met the CISO, and she said they were evaluating Copilot. And one of the ways that they were evaluating its effectiveness was they gave it to users on their trading floor. The theory being is if you can make traders more productive, the bank is gonna make more money. And what they discovered was, as soon as they gave it to these traders, they were using it to research, because that's a really good tool for researching.
Mm-hmm.
It's gonna go through every file that I have access to, and it's gonna summarize things and make it really easy for me. So they started asking questions like: "What stocks do our employees invest in?" They're a big bank. They hire smart people, right? That'd be a good edge. And Copilot was spitting back tables that had names, and socials, and 401(k) positions, and amounts, and account numbers.
Mm.
And so she immediately turned it off, 'cause she said, "We're gonna get sued out of business. This is a privacy nightmare." And it wasn't because those traders were insider threats, it's they were just trying to use the tool, and really sensitive data was open to everybody in the company. So that's one example. They might pilot Copilot-
Mm
... and then say, "Oh, no, I, I can't use this. I need to find a solution.
Mm.
That's how we got engaged with them. Another example is, I'm at a publishing company where the CISO said, "We're not using Copilot yet. We haven't turned it on. We're not trying it, but we're starting to get asked about it. Our executives are asking about it. We have-
... she said, "Pockets of inquiries." And so what she was doing, she said, "I know this is coming. I need to get ahead of it. I can't be playing catch-up. I know the security and privacy issues are gonna be huge." She could see the forest for the trees. So we did a Copilot readiness assessment, a data risk assessment, before they ever turned Copilot on, and they made sure they had Varonis in place beforehand. So it can happen both ways.
Yeah. And on that data side, I mean, there's obviously, you know, we're all aware of a ton of regulations around data, data protection-
Mm-hmm.
consumer protection. You know, what are the primary regulatory drivers of adoption of your technology? Like, what drives customers from a regulatory perspective to think about data protection as far as you see?
I mean, privacy and data protection laws are only getting stricter. Whether it's the new SEC rule on material breaches, whether it's New York, New York's Department of Financial Services saying that you have to notify customers of any unauthorized access, whether the data was stolen or not-
Mm.
Whether it's state privacy regulations that are really just copy and pasted from the GDPR in Europe, those regulations are getting stricter. They're getting more costly if you violate them, and that's causing enterprises to think very thoughtfully or be very careful about data protection and data security. Regulatory risk is significant, and it's getting bigger.
Great.
Mm-hmm.
I wanna pause for a minute and see if there's anyone in the audience that has a question for management. We got one over here. If you could wait for the mic, I just think it's gonna run it over.
Just wanted to understand the model around MDDR in terms of, you know, what are you, what were you paying before for the SaaS product, and then if you're shifting some of it or all of it to MDDR, how does that flow through the financials?
MDDR is only offered with our SaaS customers. It's not offered with any of the other customers. The way we've structured pricing for MDDR kind of had two ways of going for it. The first one was, if you buy the full platform, you get the MDDR at a reduced price. But if you have the basic platform, and then you're kind of aiming for the MDDR, you'd pay a higher price. Our desire was that customers would consume more of the platform and get MDDR at a reduced price, which is exactly what happened in Q1. Remember, it was only introduced January 15th to the sales floor, so we didn't even have a full quarter. But we have definitely seen ASPs go up.
I don't wanna quantify the exact percentage because it's so early in the journey, but we feel that we can increase customer lifetime value, we can increase ASPs, and in return, we're giving them a much better service. So I think the overall start of the year with MDDR was very healthy and very positive.
Is it like a 10% uplift, or how? I mean, or maybe if you're adopting the full platform, what's the, what's typically the uplift?
If you're buying the platform, you can increase your purchase because you're buying additional modules. I don't wanna quantify the exact percentage because I know what happens when I give out numbers. It starts being built in models and all that fun stuff. But I can say that the ASP has been very healthy for us, and we're very happy with that start.
Is this, as you get into the bigger renewal quarters-
Mm-hmm.
Do you think this will be a driver as well, or is this more about getting adoption from people who might have not passed on Varonis because of the, you know, the TCO and just some of the heavy lifting people have to do on their own?
So during the earnings call, I said that we believe that every customer out there should have MDDR. Now, it doesn't happen overnight. It's gonna take time. But if you remember, when we sat in 2018 and talked about DatAlert, we said DatAlert is a product that every customer needs to have, and people looked at us as if we were crazy, and now it's part of the module that we're selling. You can't have anything without DatAlert. I think the same holds true in terms of the offering and how appealing it is for customers in terms of the MDDR, but again, it's not gonna happen overnight.
When you look at MDDR with new customers, it's a no-brainer, but what we've actually seen is that some of the existing customers said: "I wanna be protected. I want you to do this for me. Let's switch." Either they were on-prem, and then they switched to SaaS, and that's kind of a driver of switching to SaaS. But we even saw customers that had SaaS prior and said: "Now we want the MDDR on top," and then they buy the additional platform. So we're seeing it from new customers, existing customers that were SaaS, and existing customers that were on-prem.
And how much of this is automated, or do you need to beef up your people to address this?
So that's a very good question and an important point to emphasize. We've talked about MDDR as being software-type margins. We're not trying to be a service-type company. We're not interested in that. That's not what we're aiming for. The way the product has been built embeds a lot of automation into it, which means that we don't necessarily need the same headcount to support that level of service. With that said, the way the MDDR has been embraced so nicely, we are making some investments in order to increase the team. But keep in mind that the MDDR service is just an evolution of the proactive incident response team that we offered last year. It was just given for free. We helped SaaS customers with our proactive incident response team that went around and helped them.
We reallocated that team into the MDDR. Now we're charging for it, but in return, we're giving them assigned SLA, in that SLA, there's 30-minute ransomware discovery, which we haven't seen anywhere else in any of the other offerings, so, of other companies, so we're, we think that's pretty compelling. But we're not just on the ransomware side. We're trying to protect against cyber threats, whether it's outsiders trying to get in and take sensitive data, or insiders that are trying to get sensitive information and give it to competition. We are able to help with those threats, and reallocating kind of the headcount of the proactive incident response team to MDDR makes a lot of sense because we're giving them a better service. We're charging money for it, but there's a signed SLA.
We are planning on making some additional investments, but when you look at the margins overall, gross margins have been very healthy. I think one of the biggest surprises of this transition for us, have been that the margins have held so well. I think it's a testament to how the technology has been built. Obviously, we, as we grow and increase the percentage, there will be a little bit of a dip in the gross margins, but nothing too significant, and there's significantly more benefits in terms of leverage on the other departments. It's the ease of installation, the wholesale cycles that we expect would be shorter. We think that there's a ton of leverage on the R&D front that we can benefit from when you don't manage two types of code over time.
So overall, when you look at the free cash flow, when you look at the ARR contribution margin for 2023 and Q1 2024, they've been extremely positive, and we hope that we can track in that direction further.
Thanks.
Yeah, maybe we can take a quick step back. For MDDR, for those that aren't particularly familiar with the company, maybe take a step back and describe what exactly it is and what it does-
Yeah
... and put it all in kind of context.
It's a natural evolution of what we've done from the very beginning. 2005, we launched Varonis, and at that time, we were monitoring data in a novel way. We were monitoring files, and nobody had ever done that before. And then we add in classification, and we add in context about device usage, and we start monitoring other platforms. And then 2010, we start alerting, and in 2014, 2013, we had behavior analytics, so we could identify, and we would alert you when somebody started accessing something sensitive that they've never looked at before from a place they've never been, from a device they've never used, and it was incredibly useful. In order to make sure that our customers got the most value out of it, we created an incident response team.
They would help with tuning the alerts to make sure that there was no noise, since if it's noisy, it might get ignored. If there was ever an incident, they would help with investigations. We were all over every Varonis customer that had SolarWinds or Log4j issues, and it helped make sure that our customers got the maximum possible value out of Varonis. Then, in 2022, we launched SaaS, and that same team, instead of waiting for you to call us, we will call you because that team could see the alerts that were being triggered at our SaaS customers' environments. So all of last year, we offered proactive incident response, and then this year, that team is now, we've now turned that team into the MDDR team.
So we've taken the service that is a natural evolution of what we've been doing since the beginning, and now we have assigned SLA, and 24 by seven monitoring, and a dedicated analyst, and proactive threat hunting. We've elevated that service to a level where we're comfortable charging for it, and customers love it.
How do you charge for it? Do you charge for it when it's used, or do you just charge for it a flat rate and regardless-
It's part of your Varonis subscription, yeah.
It's based on number of users-
Mm-hmm
... who are accessing data. Simplify that, that's number of employees within the organization.
Got it. Got it. That's great. And maybe one last question. We got, like, 30 seconds left. You've seen much better margins and cash flow than expected. Why have they been better than expected? What have been the critical drivers of that? Is that just how pricing is kind of flowed out, or is it the rate of transition? Like, how do we think about that and what to expect in the future?
When we announced the transition, we talked about three North Stars: ARR, ARR contribution margin, and free cash flow. And the reason we wanted free cash flow and ARR contribution margin to be there is because we wanted to make sure that we show everyone that through the transition and the investments that we're making, we're still keeping the cost structure intact and can generate meaningful cash flow. When you look at kind of the free cash flow becoming more meaningful, and we've guided to $70 million-$75 million of free cash flow this year, when you look at that, it's definitely the fact that the technology is much easier to deploy-
Mm
... and there's a lot of benefits there. The margins of SaaS have been very healthy, and there's a ton of leverage that we can generate from some of the other departments. I think all in all, we're growing while we're increasing the leverage and improving our cash generation.
Great, great. With that, we're out of time. So Guy, Brian, thank you very much for joining us, and thank you all as well. We appreciate it.
Thank you.
Thank you.