All right. We will get things started. Thank you all for joining. I'm Roger Boyd. I cover cybersecurity here at UBS. My pleasure to introduce Brian Vecci, Field CTO of Varonis.
Thank you.
Thank you for being here.
Thank you very much.
Awesome. Before I get started, if you wanna ask a question, there should be a QR code. You can use the app. I'm more than happy to weave it into the conversation. But with that, I'll kick off the fireside, so I think most investors are familiar, but maybe it's helpful to start with kind of a brief overview of Varonis, and I think the story's changed a lot over the past years. Like, what's been kind of the driving forces as you think about, like, the last two years or so?
Sure. I don't think the core of what we do has changed. So Varonis, we're a data security company. We create software that helps organizations protect their data. And what we find is, over the past 20 years, enterprises have really struggled not only to know what data they have and where it is, what data's sensitive and important, but where it's at risk.
Mm-hmm.
Who and what has access to it? How is it being used? Is there a threat actor, like an insider threat or an outside attacker? And is any potentially sensitive data open to people or applications that don't need it? To your point, what's changed in the last couple of years is now with GenAI-based copilots, like Microsoft Copilot for 365 and AI workloads being built in cloud data stores like Snowflake and Databricks and in infrastructure as a service and Azure and in Google and in Amazon, the impetus, the need to properly secure that data, to do it automatically, and to minimize the time it takes to detect and respond to a threat is greater than it's ever been. So we solve that problem.
We do it automatically, and we make sure that our customers not only know what data they have, but that it's properly protected.
Yeah. Makes sense. I wanna talk about MDDR. And I think if you look at kinda the changes that have been made to Varonis over the past couple of years, a lot of it's been designed to help customers better, better use the platform, better adopt the platform. And I think MDDR is kind of the next step in that. So can you just talk about what that product actually does, and how unique is that in the market? Is there anybody else doing any sort of managed data detection?
Yeah, so the right way to think about this is the MDDR, the Managed Data Detection and Response, is a managed service that sits on top of the Varonis software platform.
Mm-hmm.
So to answer the second part of your question, there's nobody else that does that because there's nobody else that's Varonis.
Yeah.
What we've learned over a long, you know, I've been at Varonis for 15 years in that if the outcome, meaning the measurement of success, isn't automatic or we don't do it for you, there's a good chance that it won't get done because everybody tends to have more projects than they have people. What MDDR has done is allowed us to do a lot of the work for our customers so they get more value more quickly. MDDR is a service that's built on top of our platform where if we have the Varonis software generates an alert, for instance, Brian's account is now accessing a bunch of sensitive data that he's never used before, maybe using a device I've never used or coming from a place I've never been. Instead of waiting for our customers to call us for help.
Mm-hmm.
We call you because we will see it, so that service becomes a massive value add, and it's been hugely successful. Almost every new Varonis customer has it as part of their package. Most customers that are converting to SaaS have it as part of their package, and we're aggressively upselling it to our existing SaaS base.
Yeah. I think about, many years back, kind of Varonis on-prem term-wise, and it's like a lot of the pain points I would hear about was it's hard to get it running. It takes time.
Yeah.
It's maybe somewhat expensive. And, to your point now, it feels like most new customers are picking it up. And it's that idea of you don't need to spend more infrastructure. It runs in your cloud, and you don't need someone to really learn the product because you're getting the information fed. Is that what we're doing it for you?
We're doing it for you.
Yeah.
Yeah. We wanted to get to a point where you wanna protect data, let us do it for you.
Yeah.
The software, because it's SaaS now, deploys extremely quickly. You're talking about an hour, 90 minutes. We turn it on. It's why we can run so many risk assessments and provide so much value with both the automation that is now built into the SaaS platform that didn't exist in the self-hosted world and with MDDR. We can make sure that our customers are getting value without having to dedicate people or infrastructure. To your point, the biggest hurdles that we saw to self-hosted customers getting value was, "I don't have the people to run this, and I don't have the hardware and the infrastructure to make sure that it's working properly." We've eliminated those objections.
Yeah. Makes sense. You talked a little bit about the feedback and what it, how it's showing up with new customers. Can you just remind us how you expect to monetize this? I know there's a couple different angles, and the ultimate goal is to get broader platform adoption. But what have you said around kind of monetization?
Yeah. So MDDR is an incremental module. It's an incremental spend on top of the Varonis software platform. The way we license is Varonis for what do you wanna secure? Is it Varonis for 365, Varonis for your on-premises file systems, Varonis for Amazon Web Services, Varonis for Azure, Varonis for Google, Varonis for Salesforce? What the MDDR does, in addition to providing an incremental license that we are generally including as part of a software package, it incentivizes you to have Varonis in all of those places. Because if we are providing value in minimizing how long it takes to detect and respond to a threat for your 365 environment, don't you want Varonis monitoring Salesforce as well? You don't wanna miss something.
What it does is, to your point, it incentivizes our customers to expand their Varonis footprint and consume more of what we have to offer.
Got it. Okay. You mentioned it earlier, but I think the beginning of the year you launched additional support for some more structured data stores with Snowflake and some others. I feel like that's been maybe under the radar. Can you just talk about what the customer reaction's been there and to what sense are you getting some momentum with that side of the business?
Yeah. I mean, it's still early, but we were now in a position where there is no other product or even combination of tools that have the coverage that we do.
Yeah.
You know, 10 years ago, we would hear the objection, "Varonis is great for my files, but I've got databases and I've got applications, and there's not a whole lot Varonis could do to help secure and protect that data." That's no longer the case. Varonis supports databases on-premises and in the cloud. Varonis supports data lakes like Snowflake and Databricks. Varonis supports SaaS applications like Salesforce and GitHub. So there's nobody that can touch us with coverage, and that eliminates the objection of, "Well, I've got Varonis for X, but I also need coverage for Y." Now there's no more, or there's very little, data that we do not cover.
Yeah.
We want to protect data wherever it is, however you're using it.
Got it. Okay. We're gonna talk about generative AI. Is that all right?
Of course we are. Yeah.
Okay. I think on the 3Q call, you talked a little bit more about seeing a little more momentum with that. And I'd love if you could just kind of high-level parse out what your conversations with customers have kind of tracked as we look throughout the year. Are we getting to a point where there's a little more recognition around the security risk of deploying something like Copilot? And just broadly, how are you thinking about generative AI as a tailwind from here?
I don't think we're, so I think the recognition of the security risks have been there for a year. Your colleague who I've been quoting, so the number one barrier to adoption of Copilot is privacy and security.
Yeah.
What we're seeing now is, you know, our story has been Varonis will automatically solve that problem. If you wanna use Copilot, you need Varonis, and we'll get you there quickly, and we'll get you there automatically. The fact that we called out that we are now seeing contributions from, you know, AI pipeline is that we're seeing deals close that were because customers wanted to use Copilot.
Mm-hmm.
We're seeing them use Varonis to eliminate the security risks and safely and confidently and automatically fix them so that they can safely use Copilot. It's also not just Copilot for 365. It's agents and other platforms like in Salesforce. We're also seeing deals that are being driven by customers building workloads in the cloud on top of AWS and S3, Databricks, and Snowflake, so we're seeing deals that are being driven as AI-first projects where Varonis is a key component of that.
Got it. Okay. Maybe specifically with Microsoft Copilot, can you talk about where you kind of fit into the customer journey there? And I think you've talked about in some cases there's customers that feel like they need to go to Varonis before they deploy it. There's others that maybe deploy it and then later on realize that.
Yeah.
They're maybe exposing the network. Kind of what, where do you fit in those conversations? And have those kind of changed as you've gone throughout the year?
They haven't changed so much. It's still a combination of both.
Yeah.
We see a lot of customers that are taking a very thoughtful and careful approach to Copilots and other AI tools and are talking to us first because they wanna make sure that they don't expose themselves to risks that they don't know about. We've also seen, and I think I've told you this story before, examples of customers like one of the banks did a Copilot pilot, gave it to users on their trading floor who started asking questions like, "What stocks do employees invest in?" figuring that somebody's written a report about this somewhere, and I'll get a summary of it, and that'll help me. But instead of getting a summary of a report, they got employee 401(k) data, including names and socials and positions, and those kinds of privacy and security risks prevent organizations from deploying Copilot.
We've now solved that problem for it, for them, and they're happily using it. We're seeing more and more, so the customer journey. It's not really one or the other. We're seeing examples of both.
Gotcha. Okay. I wanted to touch on the revenue transition and the conversions you're seeing. Can you just frame out what you've talked about in terms of the timeline to convert to SaaS? And in many ways, it feels like you're tracking ahead of that. There's elements of Phase 2 that are showing up now. Kind of where are we today in that transition?
Yeah. We're ahead of schedule, because the SaaS platform is a better product. So, you know, the Phase 1 or the first step of that transition was to basically have all of our new customers taking SaaS. And that has happened.
Yeah.
That happened faster than we expected because the SaaS platform worked better than we expected. Related to that, organically, a lot of our existing customers said, "Hey, no, I want that. I need automation in 365. I need MDDR." So they are coming to us even before, when we thought customers would convert. So we're ahead of schedule.
Mm-hmm.
We've also now closed any capabilities gaps. So there's no reason that any customer would not move to our SaaS platform. The only caveat is in U.S. Fed where we are in process for FedRAMP certification. We believe it'll be in the first half of next year, and that will eliminate any roadblocks for customers that require that any SaaS application that they take on be FedRAMP certified.
Yeah. Can you just talk about how the conversion actually plays out? I mean, you think about some customers that would maybe be up for renewal and buy an incremental self-hosted license. How does that kind of look if those customers wanna go to SaaS?
Technically, it's very easy. It's basically a cutover. We spin up a SaaS tenant. We decommission their own, you know, their self-hosted Varonis environment, and they're good to go. From a contract standpoint, it might take a little bit longer, because we have to work through the legal and procurement issues of selling them a SaaS platform.
Mm-hmm.
Versus a self-hosted one, but technically, it's very easy. There's nothing standing in the way from all of our customers from moving to SaaS.
How about from a sales perspective? And I know you have incentives for the sales force to push the SaaS product. But if I'm a salesperson and I'm looking at a customer, how difficult is that conversion from that end?
It's mostly bureaucratic. It's redoing the contract, and getting through the legal and procurement hurdles. But from a sales perspective, or if you're a salesperson, you wanna get all of your customers to SaaS, because you're gonna see a 25%-30% uplift on an apples-to-apples, just because we're taking on the costs of hosting and the sales reps can realize that. And also because you now have the opportunity to sell so much more, like MDDR and Copilot licenses and support for all of these other platforms that we now support.
Yeah.
So it hasn't been an issue of our sales reps not wanting to convert everybody to SaaS.
Yeah. One of the stories this year has been the conversion of the maintenance customers. And again, that's tracking well ahead of where you talked about in terms of the transition. But I think today still all of those conversations are customer-led. That's not something that's being incentivized through your Salesforce, and can you just talk about kind of the incentive for a maintenance customer to move to SaaS? I think sometimes I get questions from investors about the rationale of why a customer who's paid it for a perpetual license would wanna move over to SaaS.
Because it's a better product that delivers more value more quickly.
Yeah.
There's no trick to it. There's nothing, there's nothing hidden there. Varonis SaaS is a better platform. You can get more out of it with far less effort, far more quickly. There's more automation. It's easier to use. It's easier to deploy. A 90% reduction in support tickets. The only hurdle for a maintenance and perpetual customer is honestly the price, the cost. Because if they're maintenance and perpetual, the delta between their maintenance and a SaaS subscription could potentially be significant. But when we can show so much value, what we're seeing is our customers wanna switch. They're willing to pay for value.
Yeah. And to that point, I mean, a lot of the new functionality's only available in the SaaS platform.
Correct.
How, I mean, how much do we look at MDDR as kind of a driver of some of these maintenance conversions? Is that a significant factor?
It's a big one. It's, I would say the most significant factors are MDDR, the automation that we have that doesn't exist, for platforms like 365, and the dramatically lower resources, resource cost to running Varonis. All three of those work in concert to make it just a more valuable and a better platform.
Got it. Okay. I wanted to touch a little bit on the competitive environment. And a lot of investors recognize there's some level of overlap with Microsoft. Can you just talk about, I mean, I think the generative AI use case is an interesting kind of example of that. But.
Yeah.
Where do you line up? And as Microsoft adds to Purview, I think they had a DSPM earlier this month or last month, just kind of how that's kind of impacting your view of the competitive environment.
Yeah. We're a very close partner with Microsoft, and we integrate with Purview.
Mm-hmm.
Most of our customers that are using us also have Purview, and they'll tell you they get far more out of Purview and out of the Microsoft security stack because they have Varonis. We also close a lot of gaps that neither Microsoft nor any other vendor can close, like eliminating the exposure safely and MDDR and things like that. We're available on the Azure Marketplace. Microsoft customers can use their Azure commit to procure Varonis. We have a co-sell agreement with Microsoft. Microsoft reps can retire quota on Varonis deals, and because we make Purview better, we make it far more likely that a customer can leverage Copilot and expand their Copilot footprint. Because we support data stores and applications outside of the Microsoft framework, our customers just get a whole lot of value above and beyond what they get with Microsoft.
Microsoft has made huge investments in security, and they will continue to. And our job is to be better together to make sure that Varonis and Microsoft customers get the absolute maximum amount of value out of the capabilities that they have with Purview and, of course, with Varonis.
Yeah. How about the broader competitive landscape around data security posture management, DSPM? And a year ago, there were 10 of these companies, and they've all, half of them have been acquired. And I look at my security coverage, and a lot of companies are talking about data security.
Mm-hmm.
How do you think about DSPM, which I think is a feature on your platform as well, and the competitive landscape maybe opening?
You kind of said it. DSPM is part of what we do. It's a capability that Varonis has, but we go so far and beyond. We're seeing lots more conversations that are either involve DSPM or start there, which wasn't the case three or four years ago. It means there are more vendors that come up in conversation. But our sales motion involves installing Varonis and running a risk assessment. We don't compare on data sheets or a paper assessment. We install, and we run, and we show customers the MDDR. We show customers the depth of analysis that we're doing. We show customers the automation.
We show customers why DSPM tools that they might be looking at, whether they're bundled with another, you know, adjacent technology that they might be using, like their endpoint or their network vendor, or it's a DSPM that hasn't been acquired yet. We show them why they can't reach the same outcomes as they can with Varonis.
Mm-hmm.
Varonis is the number one DSPM, but DSPM doesn't actually solve all the problems that we do. So in some respect, it's been great because now there's a lot more marketing money behind what we do. Everybody, yeah. Data security is at the top of everybody's list.
Yeah.
That's great for us. It also means we need to execute our sales process properly.
Yeah.
Because there's a lot more noise, and there's a lot more potential vendors. We still don't have any direct competition, but when there's noise, you have to execute the sales process.
Yeah. Makes sense. I think that's a good point that the level of marketing and the level of interest around data security is kind of all-time highs.
Mm-hmm.
If I think about Varonis five years ago, there was maybe more of an element of you needed to maybe evangelize the sale a little bit.
Yeah.
Come in, do the risk assessment, prove it out. Can you just talk about, like the level of evangelization that still needs to be done or, or not, and just kind of broader budget availability? Like, or my impression from talking to customers and partners is that we're starting to see budget line items for data security. And I don't think that was the case five years ago.
It wasn't the case five years ago, and five years ago, we would have to evangelize the problem to a certain extent, find budget that didn't exist. We would also have to do a risk assessment that involved a lot more work from a customer. They would have to procure the hardware.
Mm-hmm.
And run the infrastructure. We could do a lot of the heavy lifting for them, but it was a heavy lift. Now with SaaS, the lift is much, much lighter. It takes almost no time and energy and infrastructure from a customer in order to get a risk assessment up. The budgets are there. What we need to evangelize is why you can't solve this problem with another tool or a combination of tools, why only Varonis can do this. And because we can execute the risk assessment more quickly and with less pain or minimal time and effort from our customers, we're able to spend our time evangelizing the solution rather than the problem.
Yeah.
It's been a great change for us. We launched SaaS at exactly the right time because now we're in a position where we don't need to evangelize the problem, and we can deliver value so much more quickly. If we had waited, you know, we would be behind the eight ball. We were years ahead of this, which also means our technical moat, going back to your competition question, is a decade ahead of everybody else because we've been doing this for so long. Because when we built SaaS, we disrupted ourselves before somebody else could.
Mm-hmm.
We have so many more capabilities and so much more automation and the MDDR built on top of it. Nobody else can touch that.
Yeah. Just another question on budget availability. In what ways does the MDDR product change that? And you're not a managed security service provider.
Mm-hmm.
But there's a significant amount of customers relying on those vendors to help them. How does that maybe open up the budget further?
It opens up other potential budgets. We're seeing that organizations may not need some of the managed services that they've had or been considering because any managed security service is in service of protecting your data and your infrastructure, and that's what Varonis does, and because this isn't MDDR, I wanna make sure that I emphasize this, our MDDR does not exist by itself. You can't have Varonis MDDR unless you have the Varonis platform. You know, MDDR is built on top of that, so we've certainly been able to get budget from other places, but it's all in service of delivering value as quickly as possible.
Yeah. I know you don't disclose a customer account number, but I know one of the focuses of the SaaS transition and now with MDDR is to maybe pursue a broader cohort of customers that Varonis has typically looked at. Can you just talk about historically what an average Varonis customer looks like and some of the new logos you're picking up, and how much has that changed or maybe not?
I don't think the profile of the customer has changed. It may sound trite, but our market is any organization that has data, public, private, it doesn't matter. But everybody has data. What has changed is now because we are a SaaS-first platform or cloud-first platform, we can sell to customers that don't have any on-premises footprint at all.
Mm-hmm.
We can sell to customers that would never have considered a self-hosted solution. Because we support so many more data stores and applications and infrastructure beyond the Microsoft stack, we can target organizations that never used Windows and aren't using 365. That wasn't the case, you know, five years ago, so our, the kinds of customers that we can target continues to grow as we expand our coverage, and because it's SaaS now, there's really nobody that we can't sell to, and the new logos that we're seeing have borne that out. We're really encouraged by the new logo growth this year.
Yeah. I wanna talk about DLP. And I, you've been very clear in the past that what you do is not, not really DLP.
Mm-hmm.
I think some others in the industry have talked about DLP and DSPM and data governance to some degree converging, and there's been some acquisitions there.
Mm-hmm.
How do you think about DLP versus what you do, which I think is still fairly distinct?
Yeah. It's so DLP or data loss prevention kind of sounds like the goal of everybody. You wanna prevent the loss of data. What I've always said is Varonis prevents the loss of data because we ensure that it's not exposed to people who don't need it, and we monitor data and detect when something goes wrong. That's not really what DLP does. DLP is very much a, you can think of it as a perimeter control.
Mm-hmm.
It'll block things from being sent or shared. You can use some DLP tools these days to do things like encrypting data, but that doesn't solve the same problem. In order to effectively use DLP, and I'll use Purview as an example, the data that you want to prevent the loss of needs to be properly tagged, and this speaks to the power of our integration with Purview, is that we tell Purview, "Hey, this data is important and sensitive and is not tagged appropriately," and then Purview and the DLP functionality that either Microsoft or another DLP vendor provides can do, take those actions on it, so the right way to think about it is Varonis is a force multiplier for DLP.
We make DLP work, and we do it automatically so customers can get more value out of DLP with less effort, which is, again, in service of everything that we're trying to do.
Makes sense. Maybe two more high-level questions.
Yeah.
You spend a lot of time talking to customers. What's your perception around just broader budget availability? And I know we've talked about data security kind of climbing the ranks in terms of priorities, but just a broader demand question, like what are you seeing in terms of broader budget availability and speed of customers?
Data security budgets, as you say, are now a budgeted line item, which is good for us. We're seeing more budget from privacy and compliance use cases.
Mm-hmm.
A lot of companies really need to make sure that especially customer and employee data doesn't get into the wrong hands. We're seeing budget come from modern workforce and AI workloads and Copilot, so we're continuing to see the ability for us to capture budget from more places, and the fact that there now is data security budget that we can capture directly has been great for us.
Yeah.
To your point, one thing I wanna validate: we're seeing data security climb up the priority stack.
Yeah.
We've been arguing for years that if you're investing in cybersecurity, you're investing in protecting data because what's the point? Otherwise, nobody breaks into a bank to steal the pens or after money. If somebody gets access and an attacker does not break in, they log in, they're going after data. That's how they're gonna take down your infrastructure, and that's the valuable asset. That's what we protect. So as data security becomes a higher priority, Varonis is becoming a higher priority.
Yeah. Maybe one or two more quick ones. Again, high level is, as we head into 2025, there's, I think, a lot of avenues for growth with MDDR, generative AI, continuation on the transition. But in your words, kind of what are you most excited about? What are customers excited about? And how should we think about kind of the puts and takes of next year?
We're really in a position now where if you have data, we can protect it. We don't have any coverage gaps. We continue to invest heavily in R&D to build more automation, to ingest more telemetry. We're now ingesting alerts from endpoint providers. We're going, you know, we integrate with Purview, and there's certainly other security technologies that we're going to continue to integrate with and make more valuable and vice versa, and the fact that Varonis now covers and secures data wherever it is, whatever it is, means that our story is much easier to tell. Going back to one of your first questions, we need to evangelize our solution. That is becoming easier because I can basically look you in the eye and say, "If you've got data, we're gonna protect it, and we're gonna do it automatically. And if anything happens, we're gonna call you.
If you've got data, just let us protect it. Just give us money, and we'll do it," and with SaaS and with the automation with MDDR, we're in a position now where the opportunity has never been greater for us.
Yeah. And just to round it out, I mean, how do you think about routes to market? It sounds like, again, relative to a few years ago, there's more coming to you. But as you think about channels, I know Azure Marketplace has been.
Yep.
Pretty influential for you. How do you think about how that could potentially change or build upon strength in the next year?
Yeah. Azure Marketplace has been a great vector for us, and it continues to grow, and it's really exciting. We're also on the Amazon Marketplace. We're in the Salesforce AppExchange. There are other ecosystem and alliance partnerships that we're exploring and working on. We are solving a problem that every ecosystem provider, Microsoft, Google, Amazon, everybody else knows that their customers need to solve. We're solving problems that our customers need to solve right now or else they cannot take advantage of generative AI in the ways that they want to. We're doing it automatically without requiring headcount, which means that we can provide value that nothing else can. And as we continue to build more automation, as we continue to have Varonis not just integrate, but collect telemetry and collect metadata from places we've never been, that story is gonna get easier and easier to tell.
As long as we execute from a sales standpoint, we're in a position to take advantage of that.
Awesome. I think that we'll do it. We'll wrap there. Thank you all for joining. Thank you, Brian, for being here.
Thank you, as always.
Yeah.