All right, thanks a lot, everyone, for joining us today. We have the pleasure of hosting Varonis. So we have David Gibson, SVP of Strategic Programs, and Tim Perz, Director of Investor Relations. So thanks for coming. So we'll kind of have a brief overview to begin with, and then we'll jump into questions with the fireside chat, and we'll take questions as we go from you guys. So feel free to send over questions to me, and we'll try to squeeze in as many as possible.
So I'm, I'm pretty sure the audience here would first kind of love to learn a little bit more about, about you, what are your focus areas, and, and the role that you guys play in, in the cyber landscape. So if you can provide us a brief overview, David, to begin with, and then we can jump into questions.
Sure. Thanks everybody for coming. Thanks for having us, by the way.
Absolutely.
So, I've been with Varonis since 2006. Varonis creates software that's now delivered as a SaaS to protect data. I think the easiest way to understand where we are is kind of start with the beginning and why Varonis was founded. In about 2003, Yaki Faitelson, our CEO and co-founder, was on-site consulting at an oil and gas company in Angola, and this oil and gas company had a data issue. What happened was, is that they would take images of the ocean floor with a lot of sophisticated equipment, millions of dollars of IP that they would use to decide where to drill and kind of get intel on the ocean floor, went missing.
You know, these images that they'd taken were stored as, you know, stored as image files in big file servers, you know, where files tend to live, and one day, gone. And so Yaki was on-site as a consultant and storage and security expert, and they called him in and said: "Yaki, can you tell us what happened and who deleted these?" And he said, "I'm sorry you're not tracking the activity on these really expensive images." And they were a little surprised at that, but then they said, "Okay, could you tell us who could have deleted all of these images?" And he went and said, "Okay, I'll look at that." And he did some research. That was not an easy thing to do.
Took him actually most of one or two nights to deliver an enormous spreadsheet of all the people that could have deleted the images if they'd wanted to. And he showed that to management, and they said, "This is crazy. None of these people have a valid business reason to look at so much data, much less delete it. Can you go and find all of our important data and lock it down, so that only the right people have access?" And he'd been working on the problem now for the better part of a week, and he said: "I don't think I could do that with 30 consultants in a year." It was a very different world in 2003.
But he said, "You know, if things keep going this way, where data's growing in size and importance, and is this out of control, there are going to be some pretty bad consequences." And that's really what gave him the idea for Varonis, is to protect data where it lives, you know, which it tends to be, not only in big collaborative file stores, but now we see data everywhere, in data centers and in the cloud and in SaaS applications. And I think, you know, you fast-forward almost 20 years, and what he saw then has really borne out. And just to give you kind of a few thoughts on what we've learned about protecting data over the past almost couple of decades.
So we've really seen that you need to understand three key ingredients to protect data. That is, what's important? Who's got access to it? And who's using it? And the reason that we think you need these three ingredients is because with one or two, sometimes you can see a problem, but you really can never solve a problem without all three. For example, if you go to exhaustive lengths to find all your sensitive data and do an inventory, which a lot more people are actually looking to do these days, there's a next natural question once you find it. Well, is it in harm's way? Is it locked down? I don't know. Who has access to it?
If when you find, as we do when we do risk assessments, that there's a lot of really critical data that is open to too many people, like everybody in the company or publicly, or just to way too many employees, the next question is, how do we lock it down without disrupting business? Well, I don't know. Who's using it? So it really.
This is one of the lessons that we've learned, is these three dimensions are really inextricably entwined, and you cannot get away from, you can't shortcut the solution to the problem, and this is one of the ways that our approach is differentiated, is we really kind of started, we started with the first two dimensions, who's using the data and who can access it, and we learned quickly that with so much data, we had to prioritize based on what's important. So we started classifying data, looking inside the contents in 2009. And really, we've added so much automation, so much functionality based on this start, that I think when it comes to protecting data, we've, we've built a lot of expertise, and a lot of functionality that has really, kind of set us on this path.
And so if I was just gonna cut to the bottom line, the outcome that people get with our solution is they're much less likely to have a data breach, because we've automatically locked down data to what people should have access to. And then we monitor the heck out of what people are doing with the access they have left, so that we can detect and stop threats to their data. And we've recently offered a solution called Managed Data Detection and Response, where the customer doesn't really have to do anything, in terms of even looking at the alerts. We take that on for them. So they're much less likely to have a breach, and if they do have one, the damage is likely to be far less.
And so this makes, you know, a very dangerous threat and an insider, right? This, when they have so much access, they're far more dangerous. Outside attackers have to do far less work. If so many people have access to data, they just need to compromise one laptop or one account. And recently, AI has shined a new light on these same problems. A lot of organizations now are using or thinking about deploying Copilot for 365 or Einstein or an AI assistant that will help them get more out of the data that they have. The problem is that the AI assistants look at the data that you have access to when you query, in order to determine what the response should be.
If you have access to too much data, then the response will contain things that you should not see. A lot of organizations that we speak with are realizing that AI is a data security problem, and they need to lock down their data before they can safely deploy these AI assistants. This is shining another light on the same data security challenges that we've been addressing for many, many years. Hopefully, that's a good start.
Yeah, that's great. Since you touched upon SaaS and SaaS applications, in late 2022, you yourself did make a significant transition towards the SaaS model. Can you guys give us an update on the progress so far? How's the journey been, and any milestones that you could talk about as of now?
Yeah. So let me take a step back and provide some context for everybody. So in Q4 2022, we announced the SaaS transition. In March 2023, we had an Investor Day, where we outlined a five-year plan to complete the SaaS transition in 2027. And for us, completing a transition means that 70%-90% of total company ARR would be coming from SaaS. We split that five-year plan up into two phases. Phase I would be focused on selling SaaS to new customers. Phase II would be focused on converting our existing customers over to our SaaS platform. What we saw last year was that both new and existing customers were adopting our SaaS platform. We finished the year with 23% of total company ARR coming from SaaS.
That adoption allowed us to pull forward that five-year timeline to four years, which we now expect to finish in 2026. What we continued to see in Q1 was further adoption from both new and existing customers. We finished Q1 with 30% of total company ARR coming from SaaS. And if I think about where we stand in terms of phase I and phase II, phase I, I would say, is complete at this point. Last year, we sold more than half of our new ACV as SaaS, and phase II is happening in a natural way. We haven't provided any incentives to customers or our sales force to convert over to our SaaS platform. It's happening in a natural way because the SaaS platform offers better protection and less effort for customers, so it's really a no-brainer for them.
And then, our sales teams can actually get paid more money on SaaS deals because they're larger deals. They just earn more commission on those. And if I think about, as we're moving towards phase II, we'd expect to see more momentum throughout this year due to the timing of when we have renewals. That serves as a natural touch point to transition over to the SaaS platform, and we do expect a further acceleration in terms of the number of conversions over the next couple of years.
Thanks. Before we get into financials, just double-clicking into SaaS. It's. As you said, it's progressive, well ahead of expectations. So just curious, like, what is driving the success? Why is it so well-received, and essentially, what benefits customers are getting and experiencing from your SaaS offerings?
So I think it really improved on our self-hosted offering in a few key ways. The first is, you don't need infrastructure to run our software, which is good, that it, you don't need, you know, a SQL Server, right? A database server, big infrastructure, so it simplified the process in that way. But the big thing is that we've added a lot more automation so that customers have to do even less, the automation in terms of locking data down, executing tasks that they would otherwise have to do manually if they could see them taking care of that automatically, and then automatically detecting threats with our alerting, that now they don't even need to look at or tune or take any responsibility for with our Managed Data Detection and Response service. So we've added a lot of automation.
We've added, we've made it easier to adopt, take less time. And since we've moved to SaaS, and everybody's on a common code base, between that and all the opportunities that the new cloud technologies offer, we're able to innovate far more quickly. So we've come out with a lot more coverage, and a lot more automation since we've come to SaaS, which has made it really fun. It's just, I think it, it's a big leap forward in our technology. We, we took all the lessons that we learned over the first 15, 16 years or so, and, and, and rewrote our software from the ground up, and put it in, in the cloud.
Thanks. Just on that note, you guys have mentioned that you started the year on a very strong note. So, just curious, if you can expand upon kind of the factors contributing to this trend, and were there any surprises, mostly positive or negative, that stood out for this quarter, and how should we think about the next quarter?
Yeah, so it was a strong start to the year. We're really happy with how the business performed. If I think about what drove that, it was really two things. One, the SaaS platform, which I already touched on. We're seeing that's helping adoption with new customers because, as David said, it eliminated the two biggest pushbacks around people and hardware that we heard. So we're seeing that SaaS is opening up new markets for us as a result of that. And if you think about something that we talked about in the first quarter, we said that a majority of our new SaaS ACV was coming from new logos specifically. And I think that's in an environment where most companies would say that adding new logos in this macro environment is somewhat difficult.
So we're happy to be able to report that. If I think about the other main driver in the quarter besides our SaaS platform, it's our recently introduced MDDR service, which stands for Managed Data Detection and Response. I would say that was probably the biggest surprise this quarter. And if I think about why that is, we introduced the product in January to our sales teams at SKO, and it wasn't announced publicly until February, when we reported earnings, actually. And typically, we see that new products take a couple of years before we start to see adoption.
With this one, we started to see adoption kinda right off the bat, less than a quarter in, enough so that we made it a major focus point on our earnings call because we wanted to make sure that investors really understood the opportunity that we have with this offering. And David, I don't know if you wanna provide some historical context around how we got to MDDR and why you think it's resonating so well right off the bat.
Yeah, that, that's actually a great point. You know, you think back to the story of where people didn't know what files were deleted. I always think of the data transactions a little bit like credit card transactions. And credit card companies have gotten really good at detecting fraud by looking at the credit card transactions. We've gotten really good at detecting threats to data by looking at the data transactions. That's really where we started. We added alerting, basic alerting in about 2014. And this happily happened right before Locky, for those of our customers that had this. Locky was an early version of ransomware, and I assume everybody now knows what ransomware was. At the time, nobody knew what it was. Now, it's kind of a household thing.
But we were able to catch that for our customers because we were looking at the data transactions, and we see an account rapidly modifying a bunch of files, then that really lit up, and we were able to detect and stop that. And it didn't really surprise us because of the nature of ransomware. Ransomware goes after files, which we're watching. So we weren't surprised that we were catching that, but we did start to catch a lot of other things that surprised us, in a weird way, like there's malware. It's okay, so that's accessing files, and it got past all the endpoint stuff and all the perimeter stuff, all the other security technologies. We were also catching APTs, more sophisticated threats, those are advanced persistent threats, like nation-states.
And we thought, "Well, maybe there's something here," and we really invested. We started using machine learning to do more behavioral models, more sophisticated detections. And because we understand the data so well, we have a unique vantage point into data activity, and so we started baselining what was normal for every user, for every device, and when we started to see activity that resembled an internal threat or an external threat or ransomware, of course, we would alert, automatically respond to that. And that DatAlert product, which came out in, I think, 2014, really became a glue product for us. It would pull in support for other data stores. We would say, "Okay, you're getting nice alerts here. Wouldn't you also like to monitor this?" And it became kind of a glue. It really became the glue.
So when we went to SaaS. Actually, there's one other step before SaaS. Because of the success of this alerting, we created an incident response team, because customers wouldn't always have the expertise to look at every alert that they saw or either in our platform or other platforms. So we offered an incident response service, where any customer could call at any time, and we would help them out. We would help them investigate the alerts that they were seeing in our systems or in other systems, and really get to the bottom of what happened. And this became a really popular service. Customers loved this. When we went to SaaS, we had the opportunity to do this from the cloud, and we introduced a proactive incident response service.
So now the customer didn't even have to call us, and we could be a set of eyes on glass for them, and look at their alerts and call them when we thought there was something they really needed to look at. We did that when we announced SaaS, and a lot of customers said, "This is wonderful. I'd really like an SLA. That way, I know you're looking at it, and I can do other stuff." And so we introduced that as part of the Managed Data Detection and Response service. Now, if we see a ransomware alert, we have 30 minutes to call.
It's, it's very simple, and this is, this has been something that's going over really well, and I'm, I'm excited for it in the way that I was excited for DatAlert in 2014. Because if you're getting such great detection, you know, response that you don't have to do anything with in one place, then chances are you'll probably want that for other stores, and we can expand coverage in that way.
Yeah, that's super helpful. And before kind of going deeper into MDDR and other drivers that you touched upon, just going back to financials and guidance, and it's just hard to ignore macro these days and already seeing some questions coming already. You guys have said that there's budget for right projects, but if you can give us a sense of the trends and the conditions that you are seeing from a macro perspective and how is it being reflected in your current guidance, if you can.
Yeah. So I'd say we're seeing additional deal scrutiny, but if I had to describe what we're seeing in one word, it'd be stabilization, which is the same word that we've been using for the past couple of quarters. I also think we're in a slightly different position than some other companies in this market. We came out with a SaaS offering, which is a better product than our previous self-hosted product. It means that customers have to put in less effort, they're more protected, they have a lower TCO and quicker time to value. In an environment where there's additional budgetary scrutiny, that's a pretty compelling pitch. If you think about a couple other things that are happening in the environment in general, I think the market's coming more and more towards data security.
Companies are realizing they're spending a ton of money on security, and they're still getting breached. Whether attackers are going around endpoints or firewalls, they need eyes on their data, and that's something that's helping us in this environment. And I think AI takes this a step further because AI is really all about the data, and in order to reap the benefits of the collaboration and efficiencies from AI, you need to make sure your data's locked down and that you're not exposing yourself to unnecessary risk. Also, we're seeing that regulations are increasing by the day. Those are focused on data as well, so that's another tailwind that we have at our back. As it relates to our guidance, while Q1 was a strong start to the year, we don't want to over-extrapolate it.
We're continuing to take a prudent approach. We've guided for net new ARR to be flat for the rest of this year. We're not factoring any potential upside in from MDDR, even though we're very happy with what we're seeing. We haven't factored in any potential contribution from Gen AI this year as well, and we're expecting the macro to stay relatively steady from where it stands today.
Thanks. So since you brought up Gen AI, just switching gears a bit and can you, of course, start with your AI strategy and the role of AI in your offerings and the monetization and the business model? And also, give us an update on the partnership with Microsoft that just saw some questions coming on that. How is that progressing, and have there been any tangible benefits already? Have you started to see, 'cause you mentioned about the deal pipeline growing, but have you started to see any revenue from AI-driven deals yet? And how should we interpret the impact of these deals in your guidance as well?
Yeah, so I'll start with the end, and you can kinda cover the rest. So as it relates to actually contributing to revenue or ARR today, we have not seen a material contribution from Gen AI into our reported numbers, which is not a surprise to us. We expected that AI would take some time to see adoption. If I give you a little perspective on what we're hearing from customers, it's that they're piloting AI initiatives. Those pilots are stuck in pilot because companies are concerned about security, which plays in well for us. And all those conversations that we're having gives us further confidence that we should be a beneficiary of this secular tailwind over the next couple of years.
As it relates to our guidance, we haven't baked in any contribution into our 2024 numbers because we haven't seen it contribute to our reported numbers just yet, and historically, that's how we've built our guidance. We don't factor in positive assumptions until we actually see them. While on the flip side, we would be willing to factor in potential negative impacts into those numbers if we thought they would be coming, and that's just perspective on how we've built our guidance historically. David, I don't know if you want to cover the rest.
Yeah. The AI has become a really important part of our story, and it's also an important part of the Microsoft partnership which I'll cover there. But in general, I am talking about AI in every customer meeting. When we talk about the concept of the blast radius, the amount of data any user or API or account or system has access to, and we put that in context with insider threats, external attackers, and now AI, it's resonating very well. It does give people an excuse to do a risk assessment, which is our sales motion. We always want to install and take a look at an organization's data and show them how much important data they have that may be in harm's way, data that would be at risk even more so if they enabled Copilot, broadly.
And show them how we can clean that up and give them also detective controls after we've locked down the preventive controls. So it is helping us to get additional risk assessments. I am seeing it as line items on, you know, potential business justifications. As Tim said, it's early, I think, in the adoption of Copilot. So it's a big part of the story now. It's early. I think people are starting to get how important it is. It's not just Microsoft Copilot. Einstein has the same kind of workflow and the same dependency on correct access controls, people having correct access to the right data.
And we also see that with the external systems that, like a Copilot, would connect to, if you want to connect it to an Azure Blob Storage or Jira or another application, it's going to honor those access controls, provided you match that up and you do the integration correctly. So again, people are realizing they need to lock down data in order to not set it completely free with AI. Also, we find people are interested in building their own LLMs, large language models, and we're able to help them identify the data that would be going into those LLMs by, you know, okay, what is the important data? What might be regulated that you don't want in there? Where might you have credentials or keys in clear text, other things that you don't want to go into that LLM?
So there are a lot of different use cases there. As far as the Microsoft partnership goes, our SaaS solution runs in Azure, right? Microsoft's cloud. So there's a natural partnership there. We are on the Azure Marketplace, so there is a go-to-market component that we have with them. The sellers can actually retire quota on not only our solution, but the consumption that it generates. We've been helping people be more successful with Purview for quite some time. Purview is Microsoft's data loss prevention technology that relies on labeling files to make sure that they don't leave the building or get printed or get used in the wrong way. We can help people get more labels on more files far more quickly, so it enables that use case, and it helps people be more successful.
Now with Copilot, we not only identify the risks that would be present if you didn't fix them before Copilot, we fix those risks, we monitor how Copilot is being used and can detect potential abuse of Copilot, and we roll that all up into a nice Copilot dashboard as well.
That's, yeah, super helpful. We have a couple of more minutes. So it's clear AI is gonna be potentially a very big driver, still early days, but large potential opportunity. Just curious, given how landscape is evolving, right, curious to know how you view the competitive landscape right now, in light of AI and, broadly speaking, you guys just saw that today, Gartner recognized you guys as Customers' Choice for DSPM. So just curious, like in view of DSPM, in context of that, how do you view yourself and the competition? And, yeah, just your thoughts.
I've seen a definite change in the industry focus on data. More and more people are realizing, I think, securing data is the mission of security, right? So, I mean, the availability is important, but you can't un-breach data. You know, if data gets out, it's very hard to recover from that, you know, in the same way. So, we have more folks calling out different, you know, aspects of data security. So you mentioned DSPM. That stands for Data Security Posture Management. And we have a lot of people that are kind of starting to get into the data security space by trying to discover where sensitive data is. And this has been great.
It's generating a lot of activity because DSPM is a subset, I think, of what we do, a larger data security strategy, data security platform. So it's helping to drive more activity, more conversations, and I think that we're in a really great position to win any conversation that starts to go into data security.
Got it. That's super helpful. One driver, which is clear and which is here now, you guys touch upon, it's MDDR. So just curious, like how should we think about the financial impact of MDDR and how it's shaping your financial profile, both in the near term as well as how does it fit into your kind of long-term vision and scheme of things?
Yeah, so it's, that's a great question. From a margin perspective, we expect it to be software-like margins. The reason for that is we have a lot of automation built into the software, and I think the bigger picture opportunity, this is something that I would say investors are missing in the conversations that we've had so far this quarter. Everyone's kind of focused on what the near-term uplift to deal sizes could be and what that means for this quarter or this year. I think the bigger picture opportunity is what it means for customer lifetime value. And just to give you an example, imagine we're kind of protecting Windows on-prem and Microsoft 365. We stop a breach there, and we let the customer know that we've stopped the breach, but we don't have visibility into Salesforce or Amazon S3.
Would they like to turn that on? I think the value proposition that you get from MDDR, just the satisfaction you're seeing on the platforms that you do, the additional touch points that you have with customers, I think that lends itself to better gross retention, net retention, and overall higher customer lifetime value. And that's really why we've talked about it as a potential game changer for the company.
Got it. That's super helpful. I think we might be out of time, but some of you guys might already be meeting with them. But yeah, really appreciate your time. It was super helpful and yeah, thanks again for making it here.
Thank you.
Thanks, guys.