Happy to kick off the second half of the second day of TD Cowen's TMT Conference. We are delighted to host the management team of Varonis. We have Dave Gibson, Senior VP for Strategic Platforms, Tim Perz, Director of IR. This is a fireside chat. By all means, anyone with questions, do not hesitate to raise your hands. Gentlemen, thank you so much for joining us this afternoon.
Thanks for having us.
Yeah. Maybe Dave, starting with you, maybe can you provide us with a brief overview of Varonis, and what is it that you guys do for a living?
Certainly. Varonis creates a SaaS solution that protects data. By protecting data, I mean, we automatically find and lock down sensitive data and then monitor it to make sure that we can detect and automatically stop potential threats or abuse to that data. We've been doing this. I've been with Varonis since 2006. We started by protecting data from a security perspective. I think it's pretty different than a lot of other security kind of solutions that started with a perimeter mentality, kind of an outside-in approach, keeping the bad guys out.
We really started with the data on the inside and have built our way outwards, as needed to really protect data, which is kind of the mission for almost every security practitioner now, is to make sure that sensitive data is protected.
Thank you for that. In late 2022, the company has initiated or embarked on a SaaS transition. Can you provide us with an update? Where do you guys stand in that respect, in that process?
Yeah. So let me take a step back and provide some context for everybody. So in Q4 2022, we started a SaaS transition. In March 2023, we had an investor day, where we outlined a 5-year plan, where we expected to complete the SaaS transition in 2027. For us, completing the SaaS transition means that 70%-90% of total company ARR was coming from SaaS. Last year, we saw a very nice adoption from both new customers and existing customers, which I would say was ahead of plan. We finished the year with 23% of total company ARR coming from SaaS. That progress allowed us to pull forward that SaaS transition timeline to 2026 on our Q4 earnings call back in February.
In Q1, we continued to see very nice adoption, both from new, new customers and existing ones, moving to the SaaS platform. In terms of where we stand on phase one, phase two, phase one is selling to new customers specifically. I'd say that's done. We sold more than half of our new ACV last year as SaaS. We're focused on converting our existing customers over to our SaaS platform as part of phase two, and we're very excited to embark on that over the next couple of years.
What are the benefits that customers are getting with that SaaS transition?
Yeah, the SaaS platform has been really wonderful, as it's come out. It. I think some of the key benefits, in addition to the fact that it is SaaS and the customer does not need to manage the infrastructure for the solution, it offers a lot of automation in terms of proactively locking data down. This is something that is, it's kind of a meaningful outcome when we do a risk assessment, which has gotten easier in SaaS.
We typically see a lot of sensitive data that too many people have access to, which is obviously important when you consider insider threats or how easy it is for an external attacker to get access to data, or more recently, when you're thinking about deploying AI, because the more access that people have, the more chances that data is going to be exposed with AI. So we have a lot of automation to address what we call the blast radius. That's the amount of data that a user or an account has access to just by logging in. And then we also have a lot of automation that we've introduced to detect potential threats, whether they're internal, external, or through Copilot abuse.
And with our SaaS solution, because it's from the cloud, we're able to offer a managed data detection and response service as well, where we can be on the hook for looking at the alerts that we generate and calling the customer when we think there is something that they need to know. So these are some examples of what we've been able to do in SaaS. There are plenty more. It's allowed us to innovate far more quickly by using the cloud technology and the cloud scale.
Tim, you mentioned minutes back, and if not, I'll reiterate that you had a strong start to 2024. What is it that drove the healthy performance? What did surprise you during the quarter or last quarter, actually?
Yeah, so I would say it was a strong start to the year, really driven by two things. So one being the continued success of the SaaS transition. We're starting to see that benefit new logos. If you look at the first quarter, a majority of our new ACV coming from SaaS was sold to new logos specifically. If you think about it, the two biggest pushbacks that we heard were, "I don't have the people," or, "I don't have the hardware." SaaS eliminates those, and I think we're starting to see that SaaS opens up new markets. The other main driver in the quarter, which I would say was more of a positive surprise, was our MDDR offering, which stands for Managed Data Detection and Response.
We introduced that in mid-January to the sales force and in February publicly, and we already started to see very strong adoption for that new product, which I would say is pretty unusual. Typically, it takes a couple of years before we see adoption of new offerings. David, I don't know if you want to provide some context on MDDR and maybe why it's resonating with customers so well.
Yeah. So I think the place to start is we're in a unique position to detect unusual or unwanted access to data. The way I think about it is, just like credit card companies have gotten really good at detecting credit card fraud by looking at the credit card transactions that you normally make, we've gotten really good at detecting data fraud or data theft by looking at the data transactions that people normally make. And we started with this in our self-hosted solution over 10 years ago now. And we had a unique vantage point that we learned really quickly about because ransomware started happening soon after we launched this, our alerting capability.
So we actually launched our DatAlert product, which was doing our alerting and our self-hosted solution, in about 2014 or so, and Locky hit shortly after. Locky was one of the early variants of ransomware. Because of where we were sitting, we weren't surprised that we were the only thing really catching that. Other parts of the security solutions were looking at the perimeter, as I mentioned before, so when things got past the perimeter, there was really nothing to detect a threat like ransomware, except us. What we were surprised about was all the other things that seemed to be getting past the perimeter solutions that we were also detecting, and we said: Wow, maybe we have some more things we could do here.
So we added more sophistication, a lot of behavioral models to that product, and that became very successful. So successful that we actually started offering incident response services, where any customer could call up and say, "Hey, I got an alert from either our solution or another solution, and I need some help to investigate it." That became really, really popular. So we developed that expertise and that kind of routine, and when we went to SaaS, we started offering that service proactively. We called it proactive incident response because we could look at the alerts without the customer needing to call us. That went over really well, but customers said, "You know, I'd really like a service level agreement.
I can't not look at your alerts if I don't have a service level agreement that you are looking for them." And that's really one of the big pieces that MDDR offers, is we now have 30 minutes to call them if we see a ransomware alert, for example. So it's very clear-cut, and it's become a really easy thing to talk about, and customers are responding very well.
Understood. The past few days, I would imagine even now, everybody's sitting here with their screens open, looking at the stock screens. It's red, especially on the software side. But with you guys, given 1Q results, given the guidance, what is it that you're seeing from a macro perspective, which in a way negates everything which is happening over the course of the past few days from a stock perspective?
Yeah, so what we're seeing from a macro perspective is pretty straightforward. We're seeing some additional deal scrutiny, but we've seen a stabilization of trends over the past couple of quarters, and I think there's a few things that are working in our favor. So one being the SaaS product itself. It's a better version of our previous self-hosted product. If you think about it, customers need to put in less effort, they have a lower TCO, and they're getting more value with that product, so that's a pretty appealing pitch in any market, let alone one where there's additional budgetary scrutiny. And then a couple other things are working in our favor. I think you're seeing data security move up the priority list in general.
There's a number of reasons for that, but I think a lot of companies realize that they're spending a lot on security, and they're still wide open on the data front, so they need to take a data-centric approach to security. We benefit from that. I also think that AI is a data problem. If you want to reap the benefits of AI, you need to make sure your data is secured in order to do so safely. And I think all of those factors are helping us cut against some of these, the macro noise that you see out there from other companies.
Dave, given that Tim just brought up AI, Varonis and AI, and I'll take it even a step further, Varonis, AI, and Copilot, right? We've been getting plenty of questions. You've been getting probably plenty of questions around it. What's the latest on that front?
Sure. So, we recognized really, I guess about six months ago or so, when we started talking with folks about AI, that it was shining a light on a problem that we've been solving for a really long time. Essentially, when you query an AI assistant, like Copilot for 365 or like Einstein in Salesforce, the way it determines what's in the answer you get is by the data that you have access to. So if you have access to data that you shouldn't have access to, the response is very likely to contain data that you shouldn't see.
So the risks that we've been revealing for folks during our risk assessments now are getting a different light shined on them because people realize, "I need to get access under control if I want to deploy Copilot safely." So, and it's not just, you know, Copilot for 365 or, or Microsoft Copilot, as I mentioned. You know, most of the AI assistants work in the same manner. You have to get the access controls correct before you can really have confidence that you're not gonna introduce a lot of risk in deploying AI. So we started talking with a lot of customers about this. There was a press release that we came out with earlier in the year, where Microsoft was quoted talking about how we can help people get ready for Microsoft Copilot.
We've introduced a Copilot module, which highlights the ways that we can automatically get people ready to deploy Copilot safely. It also introduces a dashboard, as well as detection for potential Copilot abuse. So when people are using Copilot, we can see the sensitive data that is used to create the response that they see, and then detect potential abnormal usage or excessive usage of sensitive data through Copilot or other abnormalities as well. So, it's very early yet, I think, in terms of the way people are adopting Copilot itself, but a lot of really positive conversations and reactions.
The feedback has been positive thus far? Understood. And where we are on Microsoft and Copilot, just generally speaking with Microsoft, how has that partnership been evolving, as of late?
So I think it's evolving very well because of three real key reasons. One is that we are in the Azure marketplace. You know, our SaaS runs into Azure. So there's a go-to-market aspect to the partnership. We've also been helping people get more value out of Purview more quickly, really helping them get to their data loss prevention goals by making sure that the right labels are on the right files, so that they can make sure that they don't get sent incorrectly via email or saved to a USB key or make sure they're encrypted. And now with Copilot, there's a third leg to the story, where we're helping people get ready to deploy Copilot safely.
Got it. Now, still sticking with the AI, has revenue from AI-driven deals, is it baked into 2024 guidance? What is it that you've seen thus far?
Yeah, so we haven't seen any contribution, material contribution from AI into our reported results. Where we are starting to see it is in the pipeline, whether I'm looking at webinar attendance, number of meetings, risk assessments installed. It's clear there's some interest there. As it relates to our guidance, we are continuing to take a responsible approach to that. And we're not baking any potential upside in from AI until we start to see it materially contribute to our reported results.
Understood. Double-clicking on the MDDR, and that opportunity and everything that you've seen thus far, why is it that it's being offered strictly right now to SaaS customers? And, you know, have you seen some demand coming from the non-SaaS customers or those that are being transitioned, or those, by the way, that will be remaining on on-premise, whatever little number that might be later on?
So there are a couple of reasons there. One is a very simple one. When with our SaaS solution, we can actually see the alerts, right? With a self-hosted solution, the customer would have to let us into their environment in order to just see the alerts. So that's a very practical and basic reason. But beyond that, one of the things that we've been able to do with our SaaS solution is use AI, actually, to evaluate what investigators are doing when they see the alerts. And our MDDR service incorporates additional automation where we can replicate and streamline those initial investigation steps, which allows us to do our response much more efficiently and much more quickly. And these kinds of things are just not possible unless you're doing this from the cloud.
Understood. Understood. And if anyone, if someone already had MDR, EDR in that respect from a different vendor, you know, how would you be able, or how would you pitch them, kind of trying to transition them into the MDDR?
Yeah, it's a great question. It's interesting, as I mentioned before, other security technologies have traditionally been endpoint or perimeter-focused.
Wow, yeah.
And our world started with the data itself. So even when folks have a managed detection and response service, it's typically perimeter-focused, and we're complementary. Just to put it simply, when companies have an insider or they have an outside attacker that's managed to get inside, we're usually the only thing that is alerting, and that's just because we sit on the inside. So it's when we talk to people about this, they usually don't disagree, so it's kind of pretty easy to say this is complementary. And I would kind of argue that really, if the point of security efforts are to protect data, then it makes logical sense that you really ought to consider that.
Yeah, and Shaul, we actually already saw customers purchasing our MDDR service alongside existing MDDR or MSSP providers in the first quarter. So it's clear there, there's a need in the market for a service like MDDR that's data-centric.
Got it. How do you actually charge for that? And what is the potential impact on deal sizes?
Yeah, so we've made it very easy for our customers to consume MDDR. It's just an add-on to our existing Varonis SaaS packages. So if you buy a smaller deal, there's a larger uplift built into that. If you're buying one of the larger packages, then you get a bigger discount on the MDDR, but that would mean that deal would be larger than our average deal size, and we want customers to consume MDDR. So in general, I think the right way to think about it is that ASP should go up with MDDR adoption, and customers should be getting more value as a result of it.
If we're sitting here, Tim, Dave, at our 2025 TMT conference, and we revisit MDDR, what do you think? How many customers, what percentage of customers kind of have already migrated? What's the possibility out there?
Yeah, so I think all customers should have MDDR. I think most will have it over time. It'll just take some time to get there. If I look at a product like DatAlert, it came out back in 2014, took a couple of years to see traction there. But then fast-forward to 2022, before we announced the SaaS transition, essentially, every single customer was purchasing DatAlert, and it really was the glue of our platform. I think MDDR does have that potential over time. I'm not sure if that'll be 2025, 2026, what year it'll happen, but that's just what I see happening over the next few years.
On the competitive landscape, you know, this is at one point whereby when we look at it from, you know, the various buckets or verticals of the cyber, you know, we always have, you know, couples or, you know, trios that kind of go head-to-head. But when we touch on Varonis, there's, like, no specific apple-to-apple comp. Help us understand, first of all, what's the competitive landscape is currently looking like? And number two, lots of transactions, specifically maybe on the tuck-in front, on DSPM. Backup guys are kind of also looking at it. What is it that you're seeing, any newcomers, any new names we should be familiar with longer term?
I think you hit it. You know, for the longest time, we were really alone in the data security space. When you looked at kind of the way I think and the way we think about what's needed for data protection and really to secure data, you have to understand kind of, I call three dimensions. You have to understand what's important, who's got access to it, and who's using it. And this has been something that we're alone in for a long time. And so you really need to have these three in a combination in order to solve a problem. Just to give you an example, like, yeah, if you can see sensitive data, that's great, but the next question is: Is it locked down? Is it at risk? I don't know.
Who's got access to it? If it isn't locked down, which is often the case when we do our risk assessments, well, how do I lock it down safely? I don't know who's using it, right? So very quickly, we see you might be able to see a problem without the three dimensions, but to solve it, you have to have all three, and then you have to have a ton of automation. And so recently, I think we've started to see more companies and more people and more questions about: How do we protect data? You know, there's all the security technologies out there, a lot of the security technologies, but the breaches continue to happen, right? And when there's a breach, what happens? Data gets exposed. So what do we need to do to protect it? I think more people are coming into the realization.
Most frequently, I see people saying: "Well, where's the sensitive stuff? Let's start there." A little bit more frequently, they're starting to say: "Well, what's the posture?" DSPM, that's what the P stands for-
Mm-hmm
In data security posture management. That can mean different people, different things to different companies or different people. Posture for some companies can mean like surface-level misconfigurations. Like, is the bucket public? Is MFA turned on? And these we see are critical to get right, but you can still get all of them right and have data way too open. We see you have to actually go a little bit level deeper, but people are starting to say, "Well, we have to look at how things are configured in order to protect data." Rarer still, do we see people saying we need the access activity? But people are starting, particularly the DSPM market, to enter in, and this is generating activity, generating conversations.
This has been a real positive trend, because the more people we see beginning to think about solving this problem, the more we can help and the more opportunities that we can capture there. And just to say one more thing about that, we see how necessary it is to combine these technologies. Our approach to make sure that we scan even the largest data stores completely, keep that inventory up to date, exercise a lot of automation so that we're not sending anybody a long list of things that they've got to do, and doing meaningful threat detection, we're still the only game in town.
Got it. Tim, when we think about the best metric trying to focus on as it relates to your, you know, top line growth, to Varonis's top line growth, even when we exclude conversions, how do you see that?
Yeah, so the right way to look at the business is ARR growth. Revenue growth will be messy during the transition. If you think about why that is, with a term license, we recognize about 80% of the booking upfront. With SaaS, that is fully ratable, so there's a headwind when we convert customers over to our SaaS platform, even though that's a major positive for the long-term health of the business. I'd caution investors from looking at ARR growth ex conversions, because those conversions do take time and effort for our sales teams to do. That's time that they could spend upselling customers otherwise. And also, if you think about it, customers have budgets, and just because they convert over to SaaS doesn't mean they still don't need to protect additional platforms down the line.
In fact, I think step one is moving them to the SaaS platform. They'll experience much better customer satisfaction there, just because it's so much less effort, they get so much more value out of it, and that'll actually unlock the long-term customer lifetime value because they'll be more likely to purchase additional platforms over time. We remain very under-penetrated when it comes to protecting customer platforms.
Back to 1Q 2025, strong free cash flow.
Yeah.
What's the reason, you know, behind the strength and probably what provides you with a confidence level for the later part of 2024?
Yeah, so I think free cash flow has been one of the big positive surprises at the start of the transition. If you think about, pre-transition in 2022, we were about free cash flow breakeven. Last year, we finished the year with just under $55 million of free cash flow, and that was even while making initial investments to support the transition in that first year. If you think about it, we've guided to $70 million-$75 million of free cash flow this year, so continued improvement. In terms of what's driving that, it starts with the gross margins. R&D built the product in a very compute-efficient way. It's also resulting in a meaningful reduction in support tickets. We've seen 90% less support tickets in the SaaS offering versus our self-hosted offering. We're also starting to see efficiencies in some of the other departments.
R&D is finding that it's much easier to innovate in SaaS versus self-hosted because it's a single common code base, rather than having to maintain multiple versions of the software. And sales and marketing is also experiencing benefits from the SaaS platform. We simplified our product packaging, which is leading to a simpler conversation with customers. It's also a much simpler process from a risk assessment standpoint. There's less technical requirements, and that's leading to a simpler conversation. When you put all that together and what that means to the business, it means that we can make investments to re-accelerate the top-line growth while showing margin improvement and generating meaningful cash flow.
Dave, just before we bring this session to a completion, as you've mentioned, you've been here since 2006. What excites you about the story? Like, you've been here pretty much from the get-go, from the beginning. You've been Y ou know, you've seen, Varonis really kind of y ou took us kind of through kind of the subscription back in 2018, 2019, now the SaaS.
I, uh-
With-
So I came to Varonis in 2006 because the technology excited me. I saw, you know, a demo, and it was actually down at Stout on 34th or so, near Penn Station. Our Jim O'Boyle, who's still, you know, kind of, I forget his tech title now, but he was SVP-
Yeah
Of Sales for many years. He showed me the demo, and I said: "How are you doing that?" And that's what excited me then, and I'm still just as excited by the technology, if not more so, because of what we've been able to do in SaaS. We basically rewrote everything from the ground up in cloud, and all the lessons we learned, we've put into the SaaS technology that is working so well. And it is, as Tim mentioned, it's kind of opened the floodgates for innovation, as we've had so much more development in our SaaS solution, just that, you know, the more announcements, more things we've come out with, more coverage that we've added, more functionality, more automation.
That's what's fun for me, is to see how well we're able to address what is a key challenge. You know, when I started in 2006, data security wasn't a thing. I always knew that, like, you know, I worked in security, I deployed security technologies, deployed network management. I knew that it was a problem, you know, and it needed to be solved, but it didn't have nearly the recognition that it does today of how important a problem it is. So to have a really important problem to solve and such a unique technology that just keeps getting better to solve it, I don't know, that, I, I'm excited.
So with that, Tim, Dave, thank you so much. Thank you, everybody, for attending. Appreciate it.
Thank you.