All right, I think we're ready to go. Thank you very much, everybody, for joining us. Home stretch of the afternoon here on day one of the Global TMT Conference here at Citi. I'm Fatima Boolani. I do software research team here, and I am so thrilled to be sharing the stage with Varonis. We've got Guy Melamed, and we've got Dave Gibson on stage with me, and I'm very happy to jump right into the discussion. So gentlemen, thank you for being here.
Thanks for-
Thanks for having us.
Having us. We came from the eighteenth floor. The elevators were stuck. We came down all the stairs, and we got out exactly on this door, so we're ready to go.
Except for me, I got out on the street, and I had to walk.
So we give you investor access, and we give you physical education at this conference.
The dictate.
All of the things, all of the things. Well, thank you very much. I wanted to start the discussion on kind of the thirty thousand foot level with you, and I think there's a lot of folks in the room who are very familiar with your story, but would love to kinda start at the highest level on an overview of Varonis, what you do, where you operate, and you know what part of the cybersecurity arena you're playing in.
Sure. So Varonis is a data security company. We sell a SaaS-based solution that helps people protect their data from external and internal threats, and these days, even potential AI abuse as well. So in a nutshell, we find the data that's important. We identify when it's exposed to too many people, right, or people that shouldn't have access anymore. We programmatically reduce risks like data that's overexposed or misconfigured. Then we monitor the heck out of what people are doing with data to detect when you've got an insider threat, ransomware, an external attacker, Copilot abuse.
Now with our SaaS offering, we have a new part of that called Managed Data Detection and Response, where we can be in charge of looking at the alerts and calling you when there's something we think you need to know, and which we do with an SLA. For example, if we see ransomware, we've got 30 minutes to call you. That's Varonis in a nutshell.
The one thing I would add is that in 2023, we started a transition from on-prem subscription to SaaS. In short, SaaS is a much better product that we have to offer, and another point to mention is that MDDR is only offered under the SaaS offering. So it allows us to provide a much better experience for our customers, and at the end of Q2, we had 36% of our ARR coming from SaaS. So we've progressed very nicely. We initially thought that it would take five years. We rolled that out in our Investor Day at the beginning of 2023, and we talked about a five-year transition period, where we defined the transition to be anywhere between 70%- 90% of ARR coming from SaaS.
At the end of last year, we actually shortened that period to four years, and we're very happy with the progress. We can talk more about that later, but at the very high level, the reason this is progressing so well is because it's a no-brainer for new customers, but we're also seeing our existing customers wanting to convert to our SaaS offering because of the benefits that it holds.
Now, you're touching on the whole concept and theme of transition, and there's a model transition that's clearly in the works. But before we get into the nitty-gritty of that, I wanna still take a step back and talk about the market transition, right? So you kinda gave us an overview of exactly what pain points you solve, and it's around data governance and data security. And, you know, you've been doing solving this problem for customers before it was in vogue, before it was cool, right? I mean, I think you're coming up on your 10-year IPO anniversary, so you've absolutely been holding the field on this for a very long time. But I think data security as a concept is becoming maybe more recognized in a mainstream fashion.
I'd love to get your perspective on, you know, what do you think has changed for data security to become maybe more of a thematic, obvious consideration? Whereas historically, it was you had to convince people they had a problem versus today, and why that change has taken so long, but also it seems like it's been very quick.
Yeah. First off, I think it was always cool, but that...
I think it was always cool too. You have my vote.
And when we started, definitely, I started with Varonis in 2006, data security really wasn't a thing that people were talking about. Most folks thought of security as firewalls, perimeter security, endpoints, and things like that. And that persisted, really kind of that mindset, that sort of perimeter mindset for a long time. And the perimeter controls got more and more sophisticated, and yet I think we started to see still many, many breaches. You know, I think about the last decade or so, you know, ransomware just started, you know, around 2014, 2015, and just has only kept growing and growing, despite all of the perimeter controls that are out there. Insiders have probably always been the scariest and most dangerous kind of attack that people worry about.
I think because of the light that some of the breaches continue to shine on data security, some of the regulations, the new SEC guidelines, more and more focused on data itself, and I think people started to realize, you know, all these controls really are in service of protecting data. If data is safe and an endpoint gets compromised, just another day, but if data is taken, no matter how that happens, all those other security controls have failed, so I think people are way more mindful, and we hear a lot more people talking about data security, for which we've got, I think, the most mature and comprehensive solution out there.
We want to be what the credit card companies are doing with fraud detection. And when you think about how they have the ability to do so well in understanding if a transaction is fraudulent or not, and I'm sure all of you get those texts, "Is it you? Is it real?" The reason they have that visibility is because they sit on every purchase that you're going through. We're trying to do the same with data. If you sit on the data, quote, unquote, "You can identify any abnormal behavior," you have way better visibility, really like looking at journal entries and understanding if anything is abnormal. So I think in the evolution of where we are and where we want to go and where we want to be, at the end of the day, it's all about the automation.
How can we protect the customer in an automated way? Customers cannot deal with this risk in a manual way. The headcount of security teams is cut very thin. They have a ton of projects. The risks are growing by the day, and they're craving for an offering that can help them manage that in an automated way. And we have focused for a long time now on trying to prevent and help customers protect their data in an automated way. MDDR is a whole new level that we have introduced only at the beginning of this year. This is a very recent offering. The reception of it has been very good, both by our customers and by our sales force.
The overarching theme is to protect data in the most automated way you can.
Yeah, so just back to this notion of data security becoming more prominent in the consciousness of mainstream organizations, CTO organizations, et cetera, and more awareness from a procurement standpoint, but look, there has been actually a lot of active kind of consolidation in the data security market, right? Some kind of larger players in the space have sort of picked up some assets on the data security side, right? So as that consolidation happens, you know, some of the M&A activity happens, how has that changed the competitive landscape for you, you know, when assets in the data security realm have been acquired and larger players are now maybe talking the talk? We don't know if they're walking the walk yet, but the larger players, you know, in some ways are certifying that this is a very legitimately large problem.
So how is that both an opportunity for you, but a potential, a threat or a risk from a competitive landscape standpoint?
So far, I see it generating activity in the form of RFPs in the form of, you know, conversations with customers that I have, so there are some new players into the space. There's definitely more focus on data, and the good news for us is we don't have to evangelize the importance of data protection as much, and when we get into these opportunities, we've always sold the same way. Don't take our word for it, put us in, look at some production data, and let us show you your risks, show you what we can do with those risks, show how we can help you, and when we follow that same playbook, we're still very much alone in the functionality that we can deliver. Really, we call them the outcomes-
Mm-hmm.
-that we deliver. I see DSPM, Data Security Posture Management, as kind of the new acronym-
Right
That everybody's talking about. It means something different depending on who you ask. But most of all, it's really a subset of what I think a larger data security platform is. So if we can leverage that concept to get the conversation started, it's a big positive for us.
Another way to think about it is, kind of the reason we focus so much on a visual sell, that Dave was talking about, is because when you talk in theory about the risk, it doesn't resonate the same way.
Mm-hmm.
And if I look at this crowd and let's assume that the people here were the CISOs and they were the decision makers. If I said that on average, each company that is represented here has millions of files open to everyone in the company, people would shake their heads, and they'd go make coffee. Because you really can't understand the implication, and it doesn't resonate the same way.
But if we did a risk assessment, and we showed people here that the list of their both long and short ideas, investment ideas for 2025, could be accessed, that Excel could be accessed by anyone, whether it's a guest that joins the company's Wi-Fi or whether it's anyone hacking in a simple way, and it could be provided to everyone within the organization, I'm sure the reaction would be very different. That's all we try to do. The risk is there. We need to show it in a visual way, and through the risk assessment, we can show the decision makers how vulnerable they are and how we can help them with our software.
So part of the opportunity is that, you know, some of your peers are also picking up the slack on educating the market, right? So that helps indirectly, the productivity of your sales organization, because to your point, you're not actually spending, you're maybe spending less time evangelizing, educating that a problem exists and then evangelizing that you were the right solution, right? So in some ways, that's helpful. But how do you think about, you know, the potential for, you know, fractionalization of some of your capabilities and other control points? And as a related matter, you know, when you think about the opportunity at large, I mean, it's been vastly greenfield, but just from an in-the-trenches perspective, has the incidence of the types of competitors that you're seeing in RFPs, changed in a material way?
I think some of the names are different, and there's a little bit more of a focus on, you know, kind of the initial phases of data protection, kind of a discovery. Where do we have data that we care about? We've been doing this for two decades now, though. Like, we've kind of thought about the questions that people have next, which is, okay, what if you find sensitive data? How are you gonna figure out whether it's in harm's way or not, right? If it is in harm's way, how are you gonna determine what the right course of action is, especially if you're not sure who's using it? And really, how often are we going to update the inventory? Maybe we better do that continually, which means we better be tracking how the data is being accessed.
There's some new faces. I feel like when we have a real conversation about what is it that you're trying to do to protect data, that's when a lot of the new noise kind of really starts to fall away. And I think, like I said, we've been doing this a long time. We know what the ingredients are to protect data. You need these ingredients. There's no real shortcut to getting the kind of information that we've been getting for a long time and refining. And then doing productive things with that information is another river to cross, which we've already crossed, and we keep going further and further.
Guy, how does this translate into the fast transition you were talking about earlier, right? So you were always doing these POCs, illuminating for customers that, wow, you've got a massive data access risk problem, and then your eyeballs just pop out of your head, right? So you've always been doing that from a POC perspective. Can you give us a sense of how the timing of those POCs has changed since you moved to the SaaS model?
The whole customer experience is different, and I'd say better with the SaaS offering compared to the on-prem subscription. So the whole risk assessment is done in an easier way. I think the customer experience is better through the SaaS offering. And we've actually called out at the last earnings call that the sales cycles of SaaS, compared to on-prem subscription, are better. They're shorter. We expected that to happen when we announced the transition, but this was kind of the first time we came out with that data. And we're very happy with that because it kinda ties to everything that we've talked about. We wanna make sure that customers have a great experience with our product, and they understand that they are better protected with our offering. I think the risk assessment is part of that.
Getting them to value through the SaaS offering is done in a very different way than the on-prem subscription from an efficiency perspective. We're seeing that the offering. When we talk to customers about outcomes now, these are the outcomes. We've done some consolidation over the last couple of years in terms of the licensing offering, and we can spend some time on that if there's interest. We used to have forty plus SKUs when we had the on-prem subscription offering. It was getting very confusing both for our sales force and our customers to understand what every single SKU is doing, and we took the opportunity with our SaaS offering to consolidate, and now we don't offer those individual licenses.
That's actually helping us in landing those deals that are larger because some of our customers, when they convert, they don't have the ability just to buy the same, quote-unquote, "number of licenses." They have to increase their spend, but they're getting more value. So the SaaS offering is on price list is 25%-30% higher than the on-prem subscription. But we are seeing that with the MDDR and the fact that we are providing the outcomes, we're resonating, landing larger deals. Customers are seeing the value faster, and the whole experience is very in their favor.
So I think historically, with all of the experience we've had in, you know, learning about model transitions and different precedent examples of companies that have gone through model transitions, you know, I think there's a carrot approach, and then there's a stick approach. Our sense is that you've taken a carrot approach, and I think you've brought up MDDR a couple of times. But I'd love for you to spend a little bit of time on what is the philosophy and ethos around the transition, right? Because you do have the benefit of a captive install base, right? At the same time, you are, the SaaS model is helping you drive new customer acquisition velocity, but the bigger chunk of it right now is still, hey, how do you uplevel your own install base to get the goodness of SaaS, right?
So can you talk a little bit about where you are in this journey of conversion of the base, but doing it with, you know, a gentle approach as opposed to pulling the plug on them? Because I know that's not been your approach. And how does this factor into the way you're thinking about the momentum on the ARR metrics and momentum of growth?
... How many hours do you have?
All day. I'm here all day.
We are going through our second transition. Our first transition was from perpetual to on-prem subscription. We did that in 2019. We were actually able to complete that transition within five quarters, where I'd say the average is four to six years, so we were able to move very, very quickly. The second transition, the transition to SaaS, is a very different transition, and we never intended to have that type of speed. We rolled out a five-year plan, as I mentioned, when we did the Investor Day, and we've shortened that to four years, and it's progressing really well. I think there are basically three pillars that are essential in any type of change, like the one we're experiencing.
The first and foremost, and the one of the most critical components, is the technology. The change has to make sense to the customer. We have made that 2019 transition in thinking about what's best for the customer. It made sense then, and I can tell you that the change to SaaS, when you think about the technology and the value that it provides our customers, it makes sense now as well. I'd say that's the building block when you think about kind of the three pillars. The second pillar is, I'd say the commission aspect. How do you incentivize your sales force to change and move from one type of selling to another? It was way more challenging to convince, quote, unquote, "the sales force" in 2019, to move from perpetual to on-prem subscription.
It's way easier to convince them now because they understand the value proposition. They understand the simplicity of the MDDR offering. They see the conversations that they're having with customers, and it's resonating really well. Regardless, you still have to make sure that the commission plan makes sense. I'll touch on the commission plan in a second, just in terms of what we did with new customers, but I'll get to the third pillar. The third pillar is, I'd say, management commitment of making the change. You can have the first pillar and the second pillar in place, but if your management's not entirely focused, that that's the right thing to do, you'll get stuck in limbo, and I think in 2019 we were very committed.
We are very committed now on moving, and providing that value to our customers, and there's a lot of leverage in the model for us as well in this move to SaaS. We see the leverage in the different departments. We see the leverage in the shorter sales cycles. And there is additional leverage that we think we can see in the future with this move to SaaS. So those are kind of the three pillars. When we broke out the plan to move to SaaS, we talked about two phases. The first phase was targeting new customers and trying to sell them SaaS. That happened very quickly, very nicely. New customers are adopting this offering because it really is a no-brainer.
We also talked about phase II, that we initially thought would kind of start when phase I ends and within one or two years, but what happened at the beginning of twenty twenty-three is that we started seeing our existing customers asking to move to SaaS, and they were doing it in a natural way. We didn't incentivize our sales force to do it. We didn't provide any monetary compensation on top of just the uplift that our reps were selling, so we were extremely happy that it's happening in that natural way, and it continues in twenty twenty-four, so when you think about kind of that carrot and the stick conversation or that debate that you were talking about, right now, we're using a lot of the carrots. It's a better product.
The customers see the value. They can be better protected. We're not going to customers and forcing them to move to SaaS. I think we want to be a SaaS company. That's our goal, that's our intention. We don't want to support two types of code forever. That's not our intention either. So, there will be points where you use some of the sticks. I don't think we need to use them quite yet, and I think the fact that when you go to a customer and you show them the value, and they understand the technology, and they understand the benefits, it really is a no-brainer, and that's the best way to do a transition of such magnitude.
In the framing of some of your longer term targets, it's sort of implied that ARR has a path towards, you know, acceleration to the, you know, twenties zip code, right? What is it gonna take for you to get there? You know, what milestones do you need to hit so we start to see more visible acceleration in the business? Because clearly there's pent-up demand. You're doing the right things from a model transition standpoint. So what do you think some of the lagging factors are that's, you know, maybe slowing some of that curve up into, you know, your medium-term targets and what your medium-term targets imply?
There are three tailwinds that we're kind of. We laid out at the beginning of the year. Not all of them are baked into our guidance, and not all of them are baked into our kind of-
... forward, but I will walk through them. When you look at the MDDR, again, this is a newly introduced offering. We only had one full quarter of MDDR, really, when you think about it. I know it sounds as if we've been selling MDDR forever, but we only really had one full quarter of that, and the way it's been adopted has been so positive that I get asked a lot, what is the right kind of breakdown of MDDR within your existing customers? And the answer is, we believe that every single customer should have MDDR. It doesn't happen overnight. It takes time.
You have to educate, you have to show the value, but eventually you should get to a point, or at least the belief is that all of our customers should have it, because they're better protected that way. So MDDR is one element. The second element is really just the environment. There are more and more breaches that are happening every single day, becoming more and more sophisticated. The risk is growing, and we could cater to that and help our customers in protecting against it. The third element is Copilot and AI, and it's not just Copilot, but it's all of the different AI functionalities that prevent a focus on how vulnerable organizations are if they haven't sorted out who has access to what data.
Because in the past, someone had to get in, and they would have to find where the data is and whether it's sensitive or not, and it would take them time. Now all they need to do is put it in the chat box, and who got a raise last year? And if they have access to that type of information, even if they shouldn't have access, guess what happens? They get the full breakdown of the entire organization of who got a salary increase, and that could be catastrophic for an organization. You could put in the chat box, "Where's the IP? Where's the sensitive information?" and that's a risk, so we talked a lot about the Copilot opportunity and the AI opportunity.
We haven't baked that part into our guidance because we don't know when that starts picking up, but it comes up in every conversation. Almost every conversation with customers, they're concerned about it. We are ready to help customers in that regard, so there are a lot of elements that could help us continue to grow the business. We're very happy with the opportunity. I think as we sit here today, the opportunity is greater than we've ever believed it could be. Our ability to provide value to customers through our offering and that automation component is what we aim to do now and going forward.
Can you spend a little bit of time on the relationship that you have with Microsoft? I mean, clearly there is a little bit of a chicken and egg dynamic here with the generative AI monetization opportunities, because you do need organizations en masse to adopt Copilot so that you can be right at the front door to help do the governance around that. So fully appreciate that's kind of out of your control, but you're ready to kind of step up to the plate when the time is right. But in terms of the relationship that you have with Microsoft, specifically around this, can you talk about, you know, some of the joint go-to-market initiatives that you have in place? Any elements of exclusivity you have with Microsoft that, hey, are they the...
If the Microsoft rep's first call to make is, "Hey, you better get some Varonis around this environment," because of all the reasons you pointed out, right? So, as we think about what that generative AI Copilot opportunity could look like for you, how does that relationship with Microsoft differentiate you and your ability to achieve that monetization objective?
So the way I think about it, we've got a few legs to the Microsoft partnership, and we've been adding, you know, as we go. The first one is we run in Azure, so we're in there-
Exclusively or?
No, but enough so that we're on the Azure Marketplace.
Okay.
And that the, you know, reps can retire quota, you know, and so there's a go-to-market function there. Then we've been, for a while, helping people protect their data in the Microsoft environments, helping get more value out of Purview Information Protection. So that's been another nice leg to the story. And then more recently, the Copilot leg has gotten a lot of attention, and we're helping people get the right controls around their data so they can feel good and safe about deploying Copilot. And we're also monitoring Copilot activity in a way that is helpful for folks and really interesting for a lot of folks.
While I would love if we were the only call and the first call, you know, they have a lot of reps and, you know, there's a lot of education to do, but that relationship is growing and continuing to be more positive.
Historically, you've had very strong ties and connectivity to Microsoft environments, but I think what sort of flies under the radar is all the work you've done around being the data security entity for non-Microsoft data stores, right? There's been a lot of R&D effort around that. Can you talk a little bit about what the estate looks like in terms of if you had a telescope on the data under management in your whole environment, in your entire customer base? You know, how much of that was Microsoft five years ago, and, you know, what does that pie chart look like today between the variety of data sources that have really propagated over, you know, the last five years?
Sure. The way we think about the data domains or the big buckets of data, we put them into collaborative stores, which can be on premises, or in the cloud, right? So we've, you know, covered historically big NAS devices, big Windows shares, big Unix shares. Collaborative stores certainly have got a huge presence in the cloud with 365 and with Google and with Box. And then there's the second kinda category is what we would call the Infrastructure as a Service or IaaS.
... So these are like the AWS environments, the Azure environments, where people are spinning up massive object storage, object storage or blob storage, and also databases. I used to have to rack a server when I wanted a database, now it's just code, so it's a little bit of a party with no parents for the developers, and a lot of data sprawling there. That's the second domain, and then the third domain would be SaaS applications, so like a Salesforce or a Jira or a GitHub. There are many of them out there, and that's really where we cover, and, you know, we've focused on coverage and automation. Certainly, we have more time behind us with respect to the Microsoft environment, so we do have more of a presence there, but the others are starting to become a thing.
I don't know whether that's me.
No, you're okay. Guy, all of these efforts around, you know, driving new customer velocity, you know, selling more to the install base, you know, layering on, you know, MDDR monetization, right? You've been able to do this while doing a very respectable job on improving your ARR contribution margins, right? We've come a long way. So can you talk about the investment priorities relative to all the tailwinds that are on the horizon? And we have seen a great big improvement in terms of organizational efficiency. But where do we go from here after having seen such a nice step up in ARR contribution margins, and how you're thinking about the investment profile near term, but also medium term?
It's a great question. Going back really years ago, even when operating margin wasn't as sexy as it is today and everyone's talking about it, we constantly talked about growing the business, but bringing some of it to the bottom line, and the focus of generating cash. Those are really the three essence that we believe in, and investing a dollar in order to generate fifty cents never made sense to us. When you look at where we are today within this transition, I'm really happy that we were able not only to grow the top line and progress within the transition, but also improve our ARR contribution margin and start generating cash. We raised our free cash flow numbers to $80 million-$85 million for the full year guidance. We did that last quarter.
So when you look at where we are, we see this opportunity as one that we want to take advantage of the much larger opportunity as we sit here today. We want to invest, we wanna make sure that we invest in R&D and sales and marketing to take advantage of this larger opportunity. We've also. We did our first acquisition in Q4 of 2020. Going back to what you talked about, of protecting other platforms that we didn't protect before, there are additional platforms that we want to protect going forward. We want to go wider and deeper, so we constantly look at M&A as well to see if there's anything that would make sense and speed our time to market.
But overall, when you think about how we want to invest, it's gonna be, let's say, taking advantage of the larger opportunity, but still thinking about things in a prudent way, to make sure that we can increase our cash generation and bring some of it to the bottom line. When you look at kind of the five-year model that we laid out, we felt comfortable about an ARR contribution margin of about 20%. And when you look at where we are now, just under 15%, I think it's been progressing very well. And I think it's a testament not only to how we're thinking about the business, but also on how efficient the SaaS technology is.
We've built it in a way that allows us to see leverage within the gross margins of our SaaS offering, but also generate leverage in some of the different departments that are supporting the company.
And just specifically from an investment standpoint, what do you feel are your biggest constraints? I mean, you know, from our vantage point, there hasn't been a shortage of innovation in the platform, right? Your ability to do more automation faster, you know, data detection and response, MDDR, right? Doesn't it seems like the R&D engine is firing on all cylinders. So, is the correct inference that you are sales capacity constrained, and this is incrementally where you're going to focus, so you have a bigger, larger, go-to-market footprint? And any nuances you can share from a go-to-market perspective, especially now that, you know, when we talked earlier about, "Hey, this problem is becoming more of a mainstream problem," so maybe that takes pressure off, you know, the go-to-market organization in some ways.
But, how should we incrementally think about the investment dollars and where they should be, or where you're thinking about allocating them for the course of this year, but also, you know, within the medium-term, long-term target model?
I'm not sure I would use the word constraint, but I think one of the areas of focus and what we see continuing going forward is that visual sale. This is not a, an antivirus that people buy without kind of seeing what it does. We have to get to our customers. We have to do that installation and show them how vulnerable they are. We need to have that conversation with people within the organization to, to . . . that understand what the risk, how big the risk is if when they have millions of files open to everyone, and when they have sensitive files that everyone can access. So that's something that we've always been focused on. We have increased our hiring.
We're definitely adding people, but we're trying to do it in the right spots that would generate the efficiencies that we were talking about.
What are these right spots?
Right now, I'd say the biggest focus is R&D and sales and marketing. Those are the two areas that we're hiring the most, but at the same time, we're also increasing our customer success team, and we're increasing our MDDR team because it's working, so we're kind of thinking of all the pieces together, but when you look at kind of the progression from an ARR contribution perspective, it's still progressing the right way, so that's kind of how we're thinking about it. We're definitely gonna think about it going forward the same way, but sitting here today, and I said this earlier on, we have a tremendous opportunity ahead of us. We're gonna try and capitalize on this larger opportunity with additional investments, but doing it in the right way.
Fantastic. I think that's a good place to put a bow on our discussion. Thank you so, so much for all of the insights. I appreciate them.
Thanks very much.
Thank you.