How's everybody doing? Pretty good, all right.
Lively.
The last meeting, I was just like, I just did the introduction without talking to, you know, the crowd here. So I want to try to, you know, get people a little livelier. But thanks for coming. Very excited to have the guys from Varonis here, Guy Melamed, who's the CFO and COO, and Scott Shafer, Director of Sales Engineering. I'm Jason Ader with William Blair. I've covered Varonis now for several years, watched the company go through a bunch of transitions. It's been an interesting ride. And now, it certainly feels like there's a, you know, there's a big opportunity in front of this company.
Before we begin, I'm required to inform you that a complete list of research disclosures, and potential conflicts of interest is available on our website at williamblair.com. Scott's going to go through some slides, and then we'll have some time for Q&A at the end, and the breakout will be upstairs in Adler. Not Ader, Adler.
Very good. Thank you. Thank you so much. So thank you, everyone, for being here today. Just give you a little backdrop here on exactly what we're accomplishing and how we're accomplishing it. I think it'll give you a good baseline, at the very least, to kind of guide some of the questions that you may have, as well as give you a really good view of where we are in the world today. You know, from the position, and you know, I'm sure you're all looking forward to a PowerPoint show here on a lovely morning, but I'll try to keep these as pictures more than what I'm going to be talking about. You know, largely, there's never been a point in time that data's been more important than it is right now.
You know, with the advent of AI and where we're sitting, specifically in how everyone is talking about data, it's no longer maintained within an information security group or an information technology team. You know, you're really seeing data, especially when people talk about AI, they're talking about data. Data's never been more vulnerable, and it's never been the biggest asset; it is, I would say, the most valuable asset that you have. It always has been in a lot of capacities, but when you start looking at that against the vulnerabilities to it, how AI is going to surface it, how it's going to change it, how it's going to grow it, it really gives us a tremendous opportunity here to secure it. And Varonis has always been the premier data security provider as long as it's been in its existence.
So really, what we're talking about today is no matter... AI is now the latest generation and the latest driver, but everything for the case of how all organizations, once it's gotten data out of a filing cabinet, which wasn't that long ago, if you really think about it, has been around protecting data in a variety of different ways, whether it was from the perimeter through firewalls, you know, the days of the antiviruses and what have you. But it really, at the end of the day, when you're looking at the breach reports, you're seeing numbers grow. I know that even today, we've seen some news out there about a significant cybersecurity event that may impact every single person in this room. You know, the scenario that we're up against is that's not decreasing.
We're not in a scenario where it's even at a plateau. It doesn't matter what the next iteration of an attack is going to be. We don't know what the next version of ransomware, we don't know what the next APT, we don't know what the next zero day. These are all fancy words essentially to say, "We're coming into your organization, and we're taking your data." And that is the most lasting impact that every organization is up against today and what they're trying to solve. And so when you really start to think about how do we protect that, and what is our primary mission as Varonis, it is to eliminate the fact of breaches taking place. And if they do, because all it takes is for one thing to go wrong, you want to eliminate or limit the impact to it.
So when you start thinking about the element of data growing, and I'll, I'll give you a quick story here. I get-- I'm fortunate enough to be able to travel the world and talk to many people like yourselves, people in the space, people that are trying to learn, and there was a stat that was put out there. It said, "90% of the world's data has been created in the last 2 years." Inquisitively, I took a look, and I was just like: You know, that's a pretty interesting stat. I don't believe it, but I'm going to check it out. It turned out that it's been true since 2012.
The idea that AI, in how it's going to start to generate new data, and I'm sure, and I hope that most of you in this room have attempted to use it, you'll see that it's creating data all the time. They're expecting that the world's amount of data that has been generally generated in the last 2 years is going to shrink to about the last 2-6 months, and that's just speculation on what we're seeing from the public space. So the blast radius, I want you to think about this. We use a lot of terminology in a lot of different spaces, but if you were to, in your own organization, take any person out of their seat, and you put the bad actor in there, whether it's malfeasance or misfeasance, what is that person going to be able to do?
In a lot of cases, you find that people have far too much access to data. Day one, employees are sitting down when they should really just be learning who their team is, who their boss is, what is their, you know, plans, what are their insurance policies that they need to sign. Looking at policies, they have access to 17 million data files, essentially, across every single data store, and that's only growing. That day-one employee is the most dangerous employee that you largely have. They don't know how to operate. So when it really comes down to what you're trying to solve for is if we can identify all of the data that's available, what's the most important, what's sensitive, what's regulated? Who has access to it? Why do they have access to it? Who's using it?
And you're able to use that intelligence that you have to automate because data is everywhere, and it's accessible in a variety of different ways. It's permissioned in a variety of different ways, and it's very hard to understand. That's largely why a lot of organizations kind of pause and stop on: How do we solve this? And let's just put things on the outside. Let's put the harder shell on the outside. It doesn't solve anything. We're seeing that. It doesn't solve anything. So what we're really trying to do is take a lot of that detail. So again, what's sensitive? What's regulated? What is the compliance-based data? What is the intellectual property?
If everyone has Coca-Cola, what is the Coca-Cola recipe, and where is it stored? Identify where that's at, identify who and what has access to it, because it's not just people that are utilizing data anymore. It's applications, it's APIs, it's third parties. And then you also need to understand how it's being used. Not only do you need to know how it's being used to identify who's using it in, from the capacity of who should be using it, but who has access to it that's not using it, that you can take away, as well as if we're looking at how all of these breaches are taking place. If you really think about it, if you're identifying in peacetime what's normal, then all of a sudden, if somebody starts operating abnormally, it should stick out like a sore thumb.
So when you have all of that metadata, that visibility, this is table stakes. You can't do anything without it. When you get into the scenario then of being able to marry all of that together with technology and what we're doing from an automation perspective, this is where you start looking at, look under the cover of what automation means. Automation isn't generally the click a button. It's an easy button for so many people, but it could mean it's sending an email out. What we're doing is we're eliminating the potential of attack. We're eliminating the most egregious risks that are out there. For organizations, they can be a sledgehammer, or they could be a surgical scalpel and be very distinct and specific because of all the attribution on what our intelligence on data is. You're able to do things like identifying the abnormal usage.
It's not just event streams. We have to understand the analytics that are there. So if all of a sudden, Tom, from Accounting, is touching more than accounting data, and he's looking at, at HR data, and he's starting to pull that down onto his workstation, and he wants to send that out to the internet, you better do something about it, and if you don't, you end up in the news, unfortunately, or worse. So these are the things that when you look at how do we start to put the building blocks together and how do we solve and get true outcomes for organizations, this is how. You're able to take what is something that is traditionally very impossible and hard for organizations to do, and you simplify it, you make it easy, and you do so with the ability of showing them everything they have.
This is key differentiators. You can't just look at a sample set. If you're looking at a portion of a folder, of a portion of a server, you have no idea. I had the function of being a governance risk and compliance owner and leader at a payments organization, and if I didn't have the ability to walk up there and tell the board or the C-levels that everything I'm telling you is end-to-end complete, they would have laughed me out of the room. So you need to have the identification of everything in your estate, because if you have a blind spot out there, that's generally where you're going to get attacked and where you're going to get hurt.
You need to understand currency, because if I go back to that same story and I say, "Well, I saw this thing a month ago, and I'm not sure if it's still here today," it's not valuable. So if we're looking at the activity stream, and we're identifying everything that's changing in our environment, then I can start to drive what that currency is in the contextual use. So who's using it? Why is it being used? Where is it overexposed? Where is the risk? Because organizations have to define what that risk is.
So when you put these three things together, what it provides you is, at any point in time, if I look at my estate, I know exactly where the risk is, I know exactly where my data is, I know exactly who and what's using it, and I know when things aren't being used correctly, and I'm able to protect it through automation. And this is when you get into, very quickly, things that I was talking about in regard to you could be a sledgehammer. If we take a look at the most egregious risks on either side, what are the low-risk things that we can take care of, that this is the low-hanging fruit? What are the most egregious risks that, as an organization, you want to eliminate because this is just not acceptable? You can do that.
And then you start getting into the very distinct and specifics around how are we going to do things that are going to operate our business, that aren't going to introduce business friction? Because the days of a scream test, of unplugging a server or unplugging someone's access, those are long gone. You can't do that anymore. These processes need to take place all the time, real-time, right now. And so for you to be able to do so through automation, you need to have that level of intelligence that gets you to the ability to fix anything that's out there, fix your most egregious risk, take access away, fix some of the misconfigurations. A lot of the stuff that we see in the news are very simple things that there's a software package that allows someone to read all data and export all data at the same time.
Why is it there? I have no idea. I still can't come up with the use case, but guess what? It's present. These are things that, again, you start to look at how people and applications use data. Third parties are some of the biggest risks in most organizations. It's critical path. You don't have control over these types of integrations, so you need to understand how they're operating, what they're operating on, and have the capability of not requiring a person per se, to go in and click a button to say, "Stop this terrible thing from happening." These are the automations that are present. When you really start to think about where the impact to organizations come in, when you have a... You don't need a team or teams of people to go in and make these decisions.
You have automatic value proposition that's built in based on a ton of intelligence around the data, with a precision that is second to none, to get you to a position of comfort. We've seen time and time again for all of our customers that are utilizing this, and the most successful customers, even the least successful customers, are getting risk mitigation right out of the box. When we talk about generative AI, one of the things that I do want to focus on here is, you know, a lot of what we talk about is Microsoft. It's because Microsoft is doing a fantastic job at their marketing, and it's something that's familiar and relatable. Every person, again, from the boardroom to the mailroom, understands and utilizes Microsoft. It's something that's relatable. Data security and having this conversation before this was, yeah, it's somewhat of a mystery.
Again, let's put the harder shell around what we have. But now we have a scenario where whatever I'm going to tell you, it may be in the lens of Microsoft, but think about all of the other generative AI functions that are going to be available on every single platform, every single software, every single data storage unit that's out there to make everyone's lives easier, because we're at a position in technology of a revolution, of innovating and getting out of the tactical weeds.... And so one of the things I'm going to show you here is a story that we put in a little different lens, but it's something that we saw with our own eyes, and we put it in our lab to validate in a way that we could show you.
Essentially, a person was sitting down, and they wanted to identify what were some information on new employees. What this story really was, was a hedge fund in New York, where a junior trader was looking at their senior traders that were making more money than they were, and this person wanted to identify who were the highest earners, and he also wanted to identify what and how they were making those trades. Copilot is the worst version that it ever is right now. Just like if you use ChatGPT on your phone or on the internet, you ask something, you get a response back that you're just like, "That doesn't make sense." This is where we are, but again, this is just year zero, folks. This is where things are going to change. So in this scenario here, what this person did essentially was ask that question.
It came back because this person, a junior trader, mind you, had access to HR files, had access to benefit files. He didn't know, he didn't need to know, but the generative AI function of basically delegating as you, a person on your access, is going to go find this information. And what came back was their names, their Social Security numbers, their hire dates, their essentially, it was the last deposits that were made into their 401(k) accounts because it was just looking for who our highest earners were and what were their latest trades. Copilot's going to go and do its best job, but that issue doesn't exist if that person doesn't have that level of access a junior trader does not need. And so really, when you start to think about that, you know, this is... I'm not going to read everything on this slide.
You can kind of see, but this is Microsoft's report. They do this cloud permissions report. They've done it for roughly the last six years. They look at all of the tenants in their space, and they're doing a general risk assessment on usability. One of the things that just jumps off the page at me is essentially that 99% of the access we have, we don't use. So one time you might get a file sent to you, and you open it up, you never need it again. You may only need the first paragraph or the first couple lines of that.
It may have sensitive data in it, but this continues to perpetuate because every single person in this room, if we all work together, even if we didn't, we can send data to each other, and now all of a sudden, that goes day in, day out. Every single minute, every single second, data's being created, data's being shared, data's being used, and it's been forgotten about. There's a reason that the windshield in our cars is much larger than that rearview mirror, and it's because we're always looking forward to the end of the runway, and we're not cleaning up the garbage. So essentially, in these types of capacities, now you throw Copilot on this risk, and I always tell people, in a lot of cases, when you're managing risk, you are essentially looking at the impact of something going wrong.
It's going to be financial, it's going to be reputational, it's going to be operational, and the likelihood of that thing that's going to take place. Prior to generative AI, likelihood took time, energy, and effort. That's enough to say it's not immediate, it's not right now, but it's certainly something that we need to pay attention to because it is possible, and we're seeing that in the breach reports, and we're seeing that in the news all the time. With generative AI now, likelihood is 100%. You turn this on, you don't have your access right, somebody's going to ask for information, and they're going to get exactly what they're looking for. And they're going to be able to do things like create that new documents and share it, and it's going to also continue to be used once and never used again.
These are the types of things that we need to be very considerate of, and this is exactly why Microsoft and Varonis are partnering with each other because they are very motivated to get Copilot in everyone's hands. $30 per user per month, guaranteed for 2 years? Sign me up. Microsoft is looking at: How do we solve this problem? Well, Microsoft has also had a security solution in their space for a very long time, and it's not no fault of their own, but they're a collaborative data software. They're a business productivity software. They are an operating system. They are all these things, but what they are not is a premier security vendor or a data security vendor, and that's exactly where Varonis steps in.
What we're doing is we're collapsing that risk very quickly, and we're doing so in a way that's safe, and we're also doing it in a way that organizations can then collapse that risk in a very short amount of time and start getting the gains that generative AI is promising. So it's important to understand that while all of this is taking place, we have to be the net that catches everything else. So whether an organization wants to operate very quickly on risk mitigation or very slowly, whether they want to be the sledgehammer or whether they want to be the surgical scalpel, you've got to be in a position that we're going to protect everything that's happening in their data estate.
When you start to look at where Varonis began several years ago, you know, this is now several years ago, almost 20 years ago, showing our, showing our own age up here, I guess. But when it really comes down to it, it's pulling an audit trail, understanding it, looking at real-time alerts, if this, then that, getting into a position of user entity behavioral analytics. This is where you start to enhance data, so you understand who the user is. You understand what they typically operate on. You understand what the data is. You understand the device they typically use, the time they typically are working, the where they're working from in the world, and you start to analyze and synthesize that. So all of a sudden, if we start to get this baseline and they deviate from this baseline, we're going to identify it.
Using that information started to get us into incident response, where we have a team that's there to pick up the phone and call you, or you call us, and we'll work on some of the most egregious and crazy things that you can imagine, that are out there. And then our Threat Labs team started to look and be more of that, like bug bounty, where they're diving into different organizational platforms and identifying what are the misconfigurations that can wreak havoc in the world before any of these other software companies find it or identify it. Moving us to SaaS gave us a true, true position to be able to be proactive, and what that offered, too, being proactive, was that we start seeing any of the threat indicators. Think about what...
I don't know if any of you remember the SolarWinds attack that took over the news, or you see the MOVEit breach. When you start to see some of these impacts in the world that are the supply chain effects, and all of a sudden, you make that change, you identify that issue, you introduce a threat model, you remediate it and identify it right away. Now, we are ahead of the game... We're ahead of the issues. We're a part of the greater team. Every customer that we have is leveraging Varonis as an extension of their own security team, and we've taken that even a step further because, again, we don't know what the next threat's going to be. We don't know what the next attack's going to be.
AI is going to create new attacks that nobody knows about yet, but what we do know is it's going toward the data. So if we can identify it, we can respond to it very quickly, we can shut it down, we can fail safe, we can fail within the organization's threshold or appetite. That gives us an opportunity to not only call you, but offer you what is called Managed Data Detection and Response. That gives us the ability, 24/7/365, to be the only provider that is giving you an SLA of 30 minutes on stopping ransomware, 120 minutes on all of the other data breaches that are taking place.
What we're utilizing is AI and our own background to identify the threats that are occurring in our customers' locations, the network effect of seeing this across every single customer that we have. Now, we are a true part of the team. We are providing not only the intelligence on identifying the threats and responding to them, we're stopping them, we're doing the forensic analysis, we're doing the threat investigation, we're doing threat hunting actively. We're identifying the most egregious risk that could be low-lying in their environment, just waiting to strike at any point in time.
That gives us the ability to provide a tremendous advantage to all of our customers, and that also separates us from everybody else, because when it comes down to it, we are the premier data protection and data security provider, and now we have a team of people, as well as technology, that's going to stop and really make a difference to these organizations in impacting what their breach ability is, as well as if it does take place, you've got the A team on it to knock it down. This has made a tremendous difference for a number of organizations in how we're really solving the data security problem. We're seeing this time and time again to be a value driver.
So automation, we're driving outcomes to get to least privilege, where we have the detection, whether we're doing it through managed detection or proactive incident response, we are driving down what the impact of breaches are or stopping them altogether, and it is a significant position that we're seeing many customers be extremely, extremely pleased with. So at the end of the day, where we start, it's essentially we go in with a free risk assessment. This allows us to land our software in an environment. We treat them just like we would a real-life customer. They get to see the Varonis experience. It's not just technology, it's also people.
It is an unbelievable scenario to be in the front end of this and see it so many different times, but what we end up doing, essentially, is mapping all the data stores, identifying what's sensitive to them, what's the compliant data, what's the regulated data, what's the high-value security data, where are your clear text passwords, where's your intellectual property, what are the things that keep you up at night that if somebody got their hands on competitively or egregiously, what and where do we start? We identify all the access to it, the who and the what. We identify and drive into specifically, how is it being utilized, and in many cases, we've even stopped attacks that are taking place when we're in this free risk assessment.
Over a 21-day period, the organizations that are going through this process understand what their exposures are, and that gives them to a position on how do we stop and become part of challenging the data security paradigm and get control of it, as opposed to just reacting to it all the time. We do this in many different places. Microsoft Windows systems, we're looking at on-prem NAS devices, we're in the cloud and SaaS applications like Salesforce and Zoom and Slack and Box, and all the places like Microsoft 365, where data lives everywhere, in IaaS, in PaaS, which is your Azure, your AWS, and the data lakes and databases. Data is everywhere. If you really start to look at where it's sprawling, where it's being used, how it's being used, how are we going to protect it?
Where Varonis is from the premier data protection platform is wherever your data is, and that's exactly where most organizations want to be, and that's where we're here to help them. So the outcome becomes very quickly; is if we identify where the risks are, we can automate the reduction of those risks. If we're identifying any of the issues that are taking place and the threats to your data, we are there both to reduce that risk, whether it's at a short term or long term. Data is created, used, and shared every single day, and no matter how you want to go about doing that, we are the net that's going to catch everything else that's taking place in the environment.
Copilot, very quickly, where we look at this, as the story that I did tell you as well, is this is where Microsoft is gaining the partnership and where we're gaining a lot of ability to showcase within these organizations where those exposures exist and how we're driving the risk down tremendously. In a 10-day period, this is where we get to essentially allowing Copilot to start and not having the junior trader pull up the Social Security numbers and everything else that's in there. Just one very quick, real-life MDDR example. This, I'll just build this out for you so you could, you could see exactly how it came down, but that's essentially as I was talking about, if we had Tom from accounting all of a sudden operating differently, but this was a service account.
Service account's supposed to do exactly what it does every day, all day long. It's, it's Laverne and Shirley bunching out widgets. But when it really comes down to it... So Sunday night, we identified a service account that was using files abnormally. Then it started to use tools abnormally, things it had never done before. It started to pull down specific data. 10 minutes later, it exfiltrated that data to an online repository. We found, essentially, within that first 30 minutes, we contacted the customer, and we said, "We see something going on. I know it's Sunday night, but we really need to take a look." And roughly a couple of minutes after that, we identified what the issue was. We stopped the transfer from taking place, and that customer was able to go back to bed very quickly....
That's the type of power that we have when you're looking at the sensitivity of data, how people are using it, and what it's—what, and how, and where it's going. That is an extremely powerful thing, and I can tell you, of 20 years in the field of information security, I wish, you know, at any point in time, that every organization could experience this. Thank you very, very much. That's my time on the technology piece, but I think we do have a few, a few questions that we can open up for here before going to the next room.
Yeah. Thanks, Scott. I want to start out just with the question I think on a lot of people's minds, which is: What's the state of adoption for, especially Office 365 Copilot? And are you guys actually seeing active deals that you're closing and in your pipeline now, where, very specifically, the customer came to you and said, "We want to do Office 365 Copilot, but, you know, we're worried about permissions and quality," etc.?
That is the majority of the conversations that are taking place. There's never been a time that data security has been more important. Everyone's afraid about Copilot. Every single Board-level, you know, executive is looking for those innovation gains to get out of the hours to write prose, to the hours of data munging to get into Excel and start pulling data together and making it make sense. What their biggest issue that really comes into, though, is that they hear these stories. Everybody talks. You know, we see. And the stories that we hear are only the things that people are telling us. Think about the secret squirrel network that exists, that, "I found data. I better shove this away and not tell anybody because I don't want to get in trouble," but also information is power.
So the majority of the conversations that are taking place are, we need to be prepared for Copilot, whether it is from a board-level initiative or executive-level initiative, and the security and IT teams are starting to socialize exactly what that risk is. You put those two things together, and that's what really gives me hope for a change of the future here, is just the fact that everyone's talking about data, and they're afraid of the security to that data and, and the risk to it. And so that is driving, I would say, a number of conversations. How that leads to revenue, I'll let, I'll let Guy here cover that side of it.
I'll just talk about kind of what we've seen. AI, we didn't see that as a driver for any of the Q1 sales, and to be honest, we're not expecting that to be a driver in Q2. The one thing that we're definitely seeing is that everyone's talking about it. But if I asked any of you if your organization actually adopted Copilot for their entire organization, not for a small group of people, I'm pretty confident that there wouldn't be a lot of hands lifted, put up, and we're definitely seeing that with other companies that we're talking to. So everyone's preparing to do that change, but not a lot of companies have actually moved in that direction yet.
So from a guidance perspective, and we kind of didn't bake any of the Copilot benefits that we hope to see in the future as part of our 2024 guidance.
Are you guys at Varonis actually experimenting with it? And what are your sort of early comments on productivity and usability?
So it's... There's a lot of conversation about how it improves by, I've heard 15%, 20%, and very hard for me to kind of put a number and kind of stand behind it. But I think once you start with it and you play with it, it's very hard to take it away.
Mm-hmm.
So we're definitely trying Copilot at Varonis. And I think that the one thing that's pretty clear is that when Microsoft wants to push something, they do a pretty good job of doing it eventually. So I don't know if, again, if it's going to be an H 1 or an H 2, or when exactly it's going to come into fruition, but the other thing I kind of want to emphasize is that we're not becoming a Copilot-type company. You know, we're protecting data wherever it sits.
Mm-hmm.
Copilot just puts... It's not just Copilot, it's generative AI in general. It puts a huge projector on a problem that already existed prior. We can help with cyberattacks and insider threat. That's a huge issue we've been dealing with for many, many years. We're not going to become a Copilot-type company and not going to become a generative AI-type company and just protecting against that. We have a whole list of items that we can help organizations with. I think generative AI, again, just put that projector-
Right
... and the risk is exponentially higher with it.
So it becomes an accelerant-
Exactly
... for adoption of your technology?
Yeah.
It's an excuse to have a conversation, and we're gladly going to show potential customers how vulnerable they are with the data that's sitting out there, whether it's sensitive-
Mm-hmm
... and whether it's people that have access to data that they shouldn't have access to.
Okay, and I think we have time for one more, and I'll ask about the SaaS model transition because we didn't—Scott didn't really talk much about that, but I think that's obviously a major aspect of the Varonis story. Can you just talk through what's happening there and kind of where you are in that journey?
Yeah, it's a very important point. We've been through a transition, announced it at the end of 2022, kind of rolled it out from a commission perspective at the beginning of 2023. So we've been really five quarters in. We finished Q1 with 30% of our ARR coming from SaaS, so we've been able to move very, very quickly, kind of ahead of our plans. We initially rolled out kind of a 5-year projection of completing the transition, and we defined completing the transition when we get 70%-90% of our ARR coming from SaaS. So we're already at 30% and actually reduced our timeline from 5 years to 4 years.
The reason it's moving so quickly is because our existing customers are happily converting to SaaS because it's a much better product, and they're benefiting from a lot of efficiencies there. And our new customers, it's a no-brainer for them to start with SaaS. So there's a lot of benefits for the customers, but there's a lot of benefits for Varonis as well, whether it's higher expected renewal rates, shorter sales cycles. Our ability to kind of offer the MDDR is only under SaaS, so there's a lot of leverage in that model as well. So it's a win-win for everyone.
Okay, we'll leave it at that. Thank you, everybody, for coming, and thank you, guys.
Thank you.