All right, we'll get started. Good morning, everyone. My name is Brian Essex. I'm JPMorgan Security Software Analyst, and I'm delighted to have with us today Guy Melamed, the CFO and Chief Operating Officer for Varonis Systems. At the end is Brian Vecci, the company's Field CTO. Thank you all for joining us. Guy, maybe it'd be a great place to start, particularly for those that may not be super familiar with what you do, is just a brief overview of the company, what you do, and where the company's origins came from.
Sure, I'll start. Varonis was founded because enterprises, organizations, public, private, big, small, but especially big ones, really struggle with protecting data, especially in a world where data can live in on-premises data stores, databases, and file systems. It lives in cloud applications, the hyperscalers, Azure, AWS, and Google. Everything is connected together. People are creating and accessing more data. Organizations really struggle with protecting it. The core of Varonis technology is to help organizations understand what data they have, where it is, what's sensitive and important, how it's being used, and then we build useful, safe automation so that without requiring a lot of effort or people, they can ensure that that data is properly protected.
When anything happens, whether it's an insider threat, an outside attack, a cybercriminal group, a nation-state, a ransomware group, they know about it quickly, and they can effectively respond to it. We have built a technology platform designed to do that with very little effort for our customers.
Just to add, for the non-technical people, the best way to think about us as a SaaS company, we've announced the transition to SaaS in 2023, and we're way on our way to complete the transition at the end of this year. The best way to visualize what we're trying to do is just think of a bank. There are a lot of ways to protect a bank. You need the cameras outside. You need the guards. There are so many things that you need in order to protect your most valuable asset. We sit on the vault. We protect the vault. We protect the data, the sensitive information that sits there. Whoever finds a way to get in will try and access that most sensitive information. Through very sophisticated algorithms, we can identify if there's any abnormal behavior.
With one of the new offerings that we came out with last year, which is the MDDR, which I'm sure we're going to talk more about, MDDR basically allows us to go to the customer and say to them, we will do everything for you. All you need to do is pay. We have a team. Through the software and the algorithms, we can identify if anything is happening that should not happen. The other component to think about is that when you have a bank, people from the outside want to steal money. There are also people from the inside that might have access to that vault that should not have access to the vault. That is exactly what we do.
We can identify who within the organization has access to information they shouldn't have access to, clean it in an automated way, and help the organization be better protected.
Great, great. Maybe you mentioned data. I've heard a lot about data security at RSA. Can you talk about how the market opportunity for data has changed and for Varonis has changed over time?
I think the biggest thing that has changed is that organizations are now realizing protecting data is priority number one. Traditionally, in security, where a company has spent money is on what we think of as perimeters. They have spent money to protect the endpoints, the devices, the laptops, the workstations that people use. They spend money on the perimeter of, say, a data center, like a firewall, or they spend money on network protection. As Guy said, nobody breaks into a bank to steal the pens. They are after money. Data is what is really important. Data security, especially in a world of generative AI, which is all about data, AI security is a data security problem. Data security has rocketed to the top of the priority stack for basically every organization, from the CIO or the board on the way down.
We're in a unique position in that we've been building data security from the very beginning. This is what we do. This is in our blood. At RSA, every single security company is talking about data security, but they're all coming at it from different angles. They're coming at it trying to protect data by protecting the endpoint or trying to protect data by protecting the network. Everybody is talking about data security. We're in a unique position in that we're the only ones that protect data in the way that we do because we protect data from the inside out.
Any sense why I've been kind of doing surveys for 20 years, and it's always been in this, not necessarily in this order, but identity, network security, endpoint, or endpoint identity, network security, data has always been a little bit lower. Why do you think that is?
It was a very, very hard problem to solve. Identities and network, it's a much simpler problem. You can control identities with what we call role-based access. If I just know the people that are in HR and the people that are in finance and the people that are in legal and the people that are on our R&D team, I can do a pretty good job of protecting the identities. If I understand the geography, I can do a pretty good job of protecting the network. Data is, by its nature, cross-functional. There is data that Guy and I use together, but we're in different departments. We do different things. We have different roles. Data is much harder to protect. There is more of it.
The complexity, especially in a world where everything is in the cloud and all of this infrastructure is connected together and everybody is expected to work on anything from anywhere, from any device, it's a much, much harder problem to solve for.
I want to add, again, from a slightly different angle. We went public in 2014, and we had roughly about $100 million of sales at the time. I remember there were a lot of people that were talking about, you're only covering a niche problem. Then at $200 million and $250 million, we still kept getting that niche problem. It's not a niche problem. We're roughly, when you think about kind of the run rate for the year, approximately, I know the guidance is precise, but roughly $750 million of ARR, and we laid out the plan on how we get to $1 billion. If that's a niche problem, I'll take the niche going all the way to $2 billion.
Seriously, when you think about kind of where Yaki and Ohad, the two co-founders, they had the foresight to identify an issue that was way before it became at the forefront of everyone's discussion. We have the experience, and we have kind of the expertise that allows us to take advantage of the opportunity.
I think, Brian, you mentioned that data is starting to get more attention, and certainly everyone at RSA was talking about it. It is now the fuel for AI. I think people are realizing that. How do we think about the competitive environment and other vendors that might be competing to secure that data? What do you see in the environment from a competitive perspective?
I think the fact that there are many more players in the space validates what we're saying, that data security is the single most important problem from a security perspective that companies are facing. What's interesting is that all of the investment in the space is basically coming from two different directions. One are what I think of as adjacent product categories: the endpoint vendors, the network security vendors. They are talking more and more about data because, of course, they want to capture some of that market. Fundamentally, their technology is different. The other side of that is there's been a lot of investment in the space in a category that's now called DSPM, or Data Security Posture Management. There's a lot of new players there.
What's interesting about them is that they tend to solve the easier problems in the easier places to solve them, where there are low barriers to entry. They're doing basic discovery. By that, I mean they'll help you find where sensitive data is, typically in cloud databases. What they won't do is actually provide real security. They won't help you actually fix any problems that you find. The number of CISOs that I've met who have said, we get lots of findings, but findings aren't a solution. Findings are just lots of problems that I need to go try to solve, and I don't have the people to do it either. None of them offer the kind of automation that we do, and none of them monitor all of the various data sets that we do. With Varonis, you monitor not just databases.
You also monitor applications, and you monitor files. You monitor data on premises. You monitor data in the cloud. You monitor the identities. You even monitor how data is being used by all of the human and non-human accounts, all of the people either using AI or AI applications. We offer a much broader and deeper set of capabilities, which means our customers actually secure data rather than just getting lots of findings.
Great. You mentioned non-human identities, and I wanted to talk about Gen AI and Copilots. I think quite a while ago, I think you flagged, rightly so, that there should be demand in front of that. You mean enterprises need to get their data state in order and understand what they have and control it before they go and adopt the new generative AI.
In theory, they should. They do not always, but yeah.
Maybe touch on that. Where are we in that adoption life cycle, and where do you slot in in terms of the timing of when enterprises engage with you so that they can adopt Copilot or generative AI securely?
Sure. When we talk about Copilots and other agent-based AI tools that organizations want to leverage, what we've been saying for a couple of years now is unless they address the privacy and security concerns of all of their data, unless they make sure that people and the agents that they're going to be using, like Copilot or Agentforce and Salesforce, only have access to what they're supposed to, they will introduce a lot of new risk. That's exactly what we've seen happen. Every Copilot pilot got stuck in pilot because as soon as they turned it on, people would search for things like, what's the CEO's salary, or where is our source code, or show me information about employee data, or show me information about M&A activity.
It would just pop up because these companies had data in places that they did not know about, accessible to either everybody or people that were not supposed to have access to it. What has happened over the last year is, first of all, that has borne out in every Copilot pilot we have seen. We have seen a lot of organizations now use Varonis to automatically and very quickly secure their data and now go wide and deploy Copilot and Agentforce and other AI-based tools to their user base, and they are seeing the benefits there. You asked about kind of when this tectonic shift, when will everybody be using this. I think it is probably not in the next few weeks. It is going to happen in the next few years. We do not know exactly when.
I think a lot of companies are being very careful about both the privacy and security concerns as well as measuring the ROI of some of these capabilities because they're not cheap. It has been shifting exactly as we predicted. It is still relatively early. Yeah.
I think what Copilot and all of the AI functionality is actually doing is putting a huge projector on a problem that always existed. When you think and kind of visualize kind of hackers coming into the organization and trying to find that sensitive data, you kind of visualize them trying and finding where they can get it and what's the easiest path to do it. They have to spend time and all of that shenanigans. With Copilot, all they need to do is go into the box and ask, where's the sensitive information? Kind of think about it. If you have kind of a list of your best ideas to invest in, long and short, that you worked months on, and now you have a competitor that logs in, and they don't even need to look.
All they'll do is click in the box, what are the best ideas to invest in? All the work that you've put in goes to waste. Copilot really makes everything become simpler on kind of the hacking side, and even from people within the organization that don't have any malicious intentions, but now have access to information they shouldn't have had access to. Copilot and Gen AI in general, it doesn't matter what platform it is, really generates a significant risk for the organizations if they don't take care of it in advance.
Got it. Super helpful. Would love to hear about any kind of quantification you can provide on Copilot AI adoption or insight that we may be moving out of that kind of hype phase that you kind of alluded to we saw last year into more rubber hitting the road, actual investment being made, actual adoption. Anything with regard to the level that you're seeing in the business of Copilot-influenced revenue or ARR?
I'll start. I think we started getting questions from investors about Copilot in Q4 of 2022. Investors wanted it to take off within hours, not even within days. We were very, very consistent in our messaging saying this is going to change the world. It's pretty obvious to us. This will have a tailwind contribution, but we just do not know exactly how to quantify when this takes off. We have been extremely consistent since in our messaging saying Copilot, we still believe, is going to change the world, and it definitely poses a significant risk on the organizations. What we have started to see is that it actually is helping in our sales. We started seeing it in the last couple of quarters. For years, we sold single SKUs when we had on-prem subscription.
One of the moves, one of the best things we did when we moved to SaaS is literally consolidate and sell packages. We are selling the platform as one SKU. One of the best-selling platform sales that we have is Copilot together with MDDR on the Office 365, and we have it as a package. We are definitely seeing that both on the new customer front, the conversation is much simpler because we are doing everything for the customer, and we are offering that protection without necessarily the customer having to have a high number of headcount to actually monitor what the outcomes are. We do that for them through the platform and the MDDR offering. The Copilot, as part of that package, is definitely one of the more interesting sales that we have and has definitely helped us over the last couple of quarters.
I really think it's in the early innings. We're not even close to that point where we believe this takes off. Definitely started to see a contribution. Very helpful, and it is part of the conversation with customers, but very early innings from our end.
Yeah, I would agree. Customers are certainly piloting it and testing it. Once they have overcome the privacy and security issues, which they need us to do, we're basically untouched in that space. There's no one that can solve the problem in the ways that we do it as quickly as we do it without requiring effort or services in order to achieve that outcome. We're still seeing a lot of organizations that are, I don't want to say wait and see, but they're being careful about how widely they start deploying Copilot just because they're measuring the value and which roles and which capabilities are going to benefit most from it.
Got it. While you take a drink of water, you mentioned MDDR, and maybe this is on the Brian pickup if you want to take a drink. You mentioned MDDR a few times, and it's become a meaningful driver of the business. Can you give us a little bit of insight into what it does, why it's taking off, why it's resonating, and what you expect for contribution to the platform going forward?
Sure. Core to what Varonis does is we're monitoring every data touch, every time someone logs in. We understand the devices that they use and which accounts and identities are human and application. We know what data is relevant for AI. We know what data is sensitive. You put all that together, we have more context than anybody. We also have telemetry, behavior. We're monitoring data in a really useful way. Core to what Varonis does is we know what's normal for users, for data, for applications, for devices. We know what's abnormal. If you've got Varonis, you get a very small number of alerts that have a lot of context that tell you when something is going wrong.
Brian's account is now behaving like ransomware, or this application is now suddenly behaving like a human being, or it looks like you have the indications of either ransomware or a nation-state actor or whatever it might be. That is core to what Varonis does. We've been doing that almost since the beginning. With SaaS, with relaunching Varonis as a SaaS platform, those alerts that get generated, we see them. We see them because we see the behavior and the telemetry for all of our customers. That means we've got a team, a 24 / 7 global team that's looking at this. When we see something that you need to know about, we call you. MDDR is a service that takes all of the people that we've got, this global team that's looking at the alerts for every customer that's a SaaS customer for Varonis.
When we see something they need to know about, we give them a call. We say, listen, it looks like you've got ransomware. It looks like you've got an insider threat. It looks like there's a nation-state actor. It looks like we see the indications of compromise that we see at these other customers happening in your environment too. Let us help you. Let us make sure that no damage is done. It's a no-brainer. You deploy Varonis software, now you've got eyes in the sky that are going to ensure that you never miss anything, and you get the benefits of the visibility that we have across our entire customer base. Basically, every new Varonis customer is taking that as part of their package because it is an absolute no-brainer. Why wouldn't you want that force multiplier?
The number of organizations that have a 24 by 7 team, even internally, is very, very, very small. The number of organizations that can benefit from not only our technology, but the people making sure that they never miss anything is everybody.
Super helpful. I think you alluded to, Guy, that you're going through a bit of a transition. Maybe could you give us an overview of the transition from on-prem to SaaS that the company's going through, and how does that affect your business model?
I wouldn't say it's a little bit of a transition. It's reinventing the organization. That's the way I would phrase it. We announced a transition from on-prem to SaaS at the beginning of 2023. We laid out a plan in an investor day that we did in Q1 2023 that we said initially we expected to take five years. We cut it to four a year ago. A quarter ago, we actually announced that we're cutting it by another year, and we expect to complete the transition at the end of this year. The way we define completing a transition is when we get to ARR, that anywhere from 70%-90% of it is coming from SaaS. We finished Q1 with 61% of ARR coming from SaaS, and we raised our full-year number from 78% - 80%.
We expect to be at the end of this year with 80% of our ARR coming from SaaS. We took the history of Varonis and all the experiences that we had with customers and all the lessons learned and took all the goodness, put it as part of the SaaS, and took all the hardship and the challenges and the customer challenges of them having to do the stuff themselves and kind of eliminated that with a SaaS offering. The MDDR is not offered on the on-prem subscription. It is only offered with SaaS. I think that those who follow Varonis for a long, long time remember when we talked about Dat Alert in 2016 as kind of changing the organization completely.
Dat Alert at the time was kind of the abnormal discovery of what's happening within the organization and on any abnormal behavior related to data, and it changed the organization. At the time, I talked about the fact that we believe that every single customer should have Dat Alert, and that's obviously now a given. I think MDDR is another one of those. We believe it's the glue. It allows customers to understand the benefit of being protected on the platforms that they have. We believe that it should be with every single customer. It's going to take a while, obviously. It's not overnight. I can tell you that MDDR has been by far the fastest adopted platform we have ever come out with. People forget, it's only five quarters. We came out with it at the beginning of last year.
We are very happy with where it is right now. Still ways to go, and we definitely want to provide that value to the customers that do not have it yet. We also believe that it generates a tremendous opportunity of upsell because if you go to a customer and you say, we discovered an attempt or a ransomware attack or abnormal behavior on the platforms that you purchased, and by the way, just so you know, we do not follow the other platforms that you have not purchased yet, that conversation becomes much, much simpler than if they do not have the MDDR.
Got it. Super helpful. What is consumption like when a customer adopts SaaS? What's the uplift to revenue and ARR when they're on the SaaS platform versus like an on-prem solution?
I'll start with kind of the numbers and what we're seeing so far. When we look at the NRR for SaaS, not the NRR for the company, but NRR for SaaS, which means it doesn't take into consideration any of the conversions, we have seen that the NRR is significantly higher than the reported NRR for the company, which last quarter we reported as 105%. We have seen the SaaS NRR be significantly above, and that's part of the reason that I get a lot of questions about how do we feel about going back to 20% plus. They say, we're at 19% today.
If we can continue with the growth of the new customers, which has been phenomenal with the SaaS offering because of the simplicity of the conversation and the fact that the whole implementation is much simpler and kind of the offering of the MDDR and the Copilot is something that's very appealing. If we can continue with the new customer growth and the SaaS NRR is higher than the reported NRR, that simple math gets you to the above 20%. That's part of the reason that we feel good about kind of the statements that we provide on going back to that 20% plus growth rate. When you look at kind of the offerings that we have, it's not just the MDDR.
We have significant platforms that we haven't even scratched the surface with, whether it's the Salesforce offering, whether it's the S3, whether it's Google Docs. There's plenty of more.
All three hyperscalers, yeah, the collaboration platforms, all the massive SaaS platforms. Salesforce is an absolute monster from a security and a data protection perspective that we are so far ahead of anybody else. There is much more in front of us than behind us, but we have so much to sell to our existing customer base.
Got it. Super helpful. Maybe one of the points of pushback I've gotten, and I'm sure you've heard it too, is the focus that your Salesforce is having on converting existing customers to SaaS versus going out and selling more new logos. Maybe help us understand what the sales organization looks like, and then how should we understand the dynamics of what your Salesforce has to do to convert customers and how that might take away from new logo productivity on the platform?
What is exactly the pushback? I just want to make sure I address it heads on.
They’re focused on the conversion.
Yeah, that the growth is coming from existing.
They're pushing not new logos, right? So.
The numbers do not support that, to be honest. Especially when you look at the reported numbers at the end of Q4, we had ARR growth of 18% and NRR of 105%. You could see that the growth actually came from the new customers, which is something we were very vocal about throughout 2024 because we saw how the SaaS offering really opened up kind of our ability to go out and sell to new customers that we were not able to go and sell to before when they did not have the SaaS offering. The numbers absolutely do not support that. There is definitely time consumption on the conversions that reps are putting time to get customers to convert. That is why we want to be done with it at the end of this year.
We want to be a SaaS company, and we want to go back to the base and sell to them the additional platforms that we have to offer and then continue to sell to new customers in the way we've done so far. There were definitely lessons learned that we implemented in Q1 of 2025 on how to simplify the whole process of the conversion. When I talk about simplifying it, it's not the technological challenge. It's a documentational challenge of getting the right documentation and checklists and the paperwork. We definitely learned a lot throughout 2024 and implemented that in 2025. The results in Q1 of 2025 actually show that we continue to sell very strongly to the new customers, and the conversions were very healthy. We were able to accelerate our growth to ARR of 19%.
I can tell you, there is nothing we want more than to be a SaaS company. If that theory was correct, we would milk this transition for years to come and just benefit from the conversions. We want to be done with it. We want to be a SaaS company. That is why we shortened the length of the transition from five years to four years. Completing a transition in three years, it is not that easy. It sounds easy. Trust me. There are so many components to it. I think we have done a good job so far, and we definitely want to execute and do well this year as well.
Got it. I think one of the really interesting things is you already have good SaaS contribution to the platform and already generating healthy free cash flow for a company that's still in the process of its transition, I think earlier than many expected. How are you able to deliver that profitability and cash flow relative to maybe other transitions that you might have studied?
It's one of the things that we're most proud of. I think we were able to start the transition and still focus significantly on the cost structure and keep it intact. There's a lot of leverage in the SaaS model. I can tell you that the margins that we have seen on SaaS have been better than what we initially expected. We're definitely happy with that component. There are other departments that could leverage from kind of the SaaS platform, and we're seeing that on the number of tickets that customers kind of handle on the on-prem subscription. It's much higher than what we have on SaaS because, obviously, for obvious reasons. There is additional leverage on the sales and marketing department. We're seeing sales cycles on SaaS being shorter than the on-prem subscription. We're still managing two types of code.
I think there will be additional significant leverage in the R&D front once we do not have to support on-prem subscription in the same way we have done so far. There are additional leverage components that give us the comfort and the confidence to believe that we can do better on the ARR contribution margin. Just to note, when we did the investor day in 2023, we talked about a 20% ARR contribution margin when we get to $1 billion of ARR and get in there in 2027. When you look at the ARR contribution margin, I think everyone that looks at the numbers in that 16%-17% range, you can see that we are literally already there.
What we are doing right now is actually putting some money to work in order to ensure that we can continue to grow post that $1 billion ARR number because we see this as a tremendous opportunity, and we want to make sure that we capitalize on it in the years ahead.
Got it. I'll ask one more, then I'll ask the audience if we have time, if there are any there. I wanted to just touch on the results for the quarter. You increased your ARR guidance in SaaS mix despite an uncertain macro environment. I mean, how would you characterize the macro environment as you see it? Are you seeing any pressure? How does that affect your business? Because I think some companies are seeing more pressure than others.
There is definitely uncertainty on the macro front, and I think everyone sees that, obviously. We did not see anything in the Q1 results that were impacted by macro, and we have not seen it so far. When we look at kind of the pipeline and when we look at where we are headed, that gave us the confidence with everything that we track to raise guidance. I know many of the companies have not done that, but we felt confident in raising it. At the same time, I think that the philosophy of guidance has stayed the same. We started with the same net new ARR from last year as the starting point for this year. We did the same in 2024 when we took the net new ARR from 2023 as the starting point for the guidance for 2024. We were able to update the numbers throughout the year.
From a philosophical perspective, our guidance has stayed in that same framework, but we felt good with the numbers, and we felt good with where we are and kind of the pipeline to raise guidance for the full year.
Great. Thank you. Any questions from the audience? If you could maybe do me a favor and wait for the mic. Otherwise, I'll have to repeat your question. All right, great. Thank you. What do you anticipate? What would be the conditions to which you would stop writing dual code and maybe withdraw your legacy product and go only one direction and get rid of those costs? Who do you most often bump into and challenges when you're selling any products?
In terms of maintaining the on-prem subscription code, what we have done, and again, to keep in mind, it's only two years in the making of the transition, it's not like we're going to announce anything in the next couple of months. If we get to a point where in the 80%+ SaaS mix, I can say that the majority of the non-SaaS sales relates to state and federal, and we are working on FedRAMP certification, which should arrive very shortly. One of the things that we want to make sure is that we work with our customers to find the best solution that would make sense for them, but would also make sense for us.
I would not say that it is anything in the near future, but definitely something that as we gradually move way more towards the SaaS being the vast majority of our sales, it would make more and more sense.
As for competition, what's interesting is traditionally we haven't faced any direct competition. We've been facing competition from point tools or other adjacent categories, as I mentioned earlier. What's interesting in the last 12 months- 18 months is that we are being brought into far more RFPs than we ever were. That's the result of the fact that we've expanded our coverage to the point where there really are no types of data—structured, unstructured, cloud, on-premises, application data. There's nothing that we don't cover anymore, which means that if a company is putting out an RFP for privacy or classification or compliance or data security posture management or AI security, we're invited to all of those now. It means that we're facing more competition because we're in more fights. The competitors that we do face are adjacent product categories, network security, endpoint security.
In many of these, we face discovery or classification-only products like DSPM, data security posture management. There still are no competitors in particular that we see in more deals than others, but we're in a lot more competitive deals now.
Great. With that, I think we're out of time. Guy, Brian, thank you so much for joining us, and thank you all as well.
Thank you.
Thank you.
Take care.