Good afternoon, everybody. Thank you for joining us. I hope you have all enjoyed lunch. Shaul Leal, research analyst covering cybersecurity for TD. Very happy to host Guy Melamed and David Gibson from Varonis. This is a fireside chat. I'm going to leave some time, probably the final five minutes or so, if anyone has any questions. We have plenty of questions here, so do not hesitate to kind of raise your hands and kind of keep it as interactive as possible. Maybe we'll kick it off with, I'll tell you this. Somebody once told me that you are the guy who describes Varonis the best. I had somebody sitting actually here, I think like two years ago, came out of the session and said, wow, now I really understand what they do. Swear to God.
Maybe just for the sake of the audience, slightly less familiar with Varonis, maybe Dave, in a sentence or two, what is it that you guys do for a living?
[crosstalk] No pressure, David.
Yeah, no, whoever that was, I got to give them another 20. Varonis makes software, now delivered as a SaaS, as of about two and a half years ago, that protects data where it lives. We are talking enterprise data that has been accumulating both in the data center and in the cloud for many years now. The way we protect it is we map the data stores, find what's important, lock it down so that only the correct people have access to the data that they should have in a couple of different ways. We monitor the heck out of it to detect when you might have an insider or ransomware or an external attacker or potentially somebody abusing AI. Now is another thing that we detect. That is what Varonis does in a nutshell. We have been doing this since 2005 or so.
We have quite a bit of success helping people get their data protected much better. I think one of the big things is with SaaS, we've delivered the solution with so much automation that we're able to help people avoid breaches, reduce their impact, respond to them more quickly, become more compliant more easily without much effort, because we're doing so much for them.
Shaul, I'm a competitive guy, so if it's OK, I'll [crosstalk] give my shot.
By all means, go right in.
No, but honestly, just to give some additional color for the non-technical people like myself, the way to think about Varonis is literally when there's a bank and you're trying to protect the vault, there are a lot of ways to protect it. You need to have the guard outside. You need to have the cameras. You need to have the fence, the security, the gate, and all of the perimeter defense securities. We think about data security in a slightly different way. We protect the vault by sitting on the vault and trying to see who's trying to touch the data. Any abnormal behavior that is in relations to data, we can identify through pretty sophisticated algorithms. It doesn't mean you don't need the guard. It doesn't mean you don't need the fence. You need all of those protections. But eventually, someone will try to break in.
When they do break in, we can identify it through those algorithms. What's also important to note is that when you're protecting the sensitive information, it's not just people from the outside that are trying to come in. It's also people from within, employees within the organization that try to get the information, either sell it to competition or they're about to leave, and they take the information with them. If you have an organization of 10,000 employees, and as an executive, you think that all 10,000 employees are ethical, you probably shouldn't be on the C-level executive of that firm. What we try to do is identify anything that is happening, whether you're logging in from a different computer, you're logging in at a different time, you're opening files that you don't usually open.
If that happens, for the most part, someone has taken over your credentials and is trying to get access to that sensitive information. No one tries to break into the bank to steal the pens. Eventually, they're trying to get to the crown jewels. We sit literally on those crown jewels to identify anything that's happening within the organization. Fair enough.
Maybe Guy, if we go and look back at your first quarter results several weeks back, absolutely solid. Maybe can you recap it for us? What is it that you would have loved the audience, buy side, sell side, to take away and walk away from the recent set of results?
Yeah, I think you kind of nailed it. It was a strong quarter. It was pretty straightforward, driven by momentum that came from new customers and existing customer conversions. We finished Q1 with 19% ARR growth. 18% was in Q4, so we were actually accelerating our ARR growth. We were able to finish Q1 with 61% SaaS mix. That allowed us to raise our SaaS mix guidance for the year from 78%- 80%. I think what was very interesting is that there were a lot of lessons learned from 2024 when we did kind of the full year of conversions and transition. We know what we need to do in order to improve kind of that whole conversion process. There were a lot of things that we implemented that actually allowed us to cut the transition period from five years to four years and now to three years.
We plan to be done with the transition at the end of this year. We are definitely seeing good momentum with new customers. We are trying to kind of be done with this and be a fully SaaS company at the end of this year.
RSA also took place late April, beginning of May, concluded, I think, the beginning of May. One of the, call it takeaways, one of the hot topics discussed during RSA was data security. Aside from Gen AI and agentic AI, we'll get to that in a few minutes. I wanted kind of to ask, what is it that you're seeing from the data security as data volumes actually continue to grow exponentially? How does that impact your business? Just, yeah, anything on data security and the fact that it is becoming, again, it's been around. It would appear as if this market is seeing good vibrations, seeing some renewed interest based on some of the underlying drivers. Just how do you guys see it?
Yeah, I definitely see more activity and more thought about data security than at any point in my career with Varonis. And I've been with Varonis since 2006. It makes sense. People have done just about everything else. They've secured their perimeters. They've secured their networks. They've secured their endpoints. Yet we still continue to have breaches and breaches. I think it makes sense, OK, maybe we better protect the thing that people are stealing, which is the data. I think people are coming around to the idea that data protection is a thing. I think there's some debate on how to protect it or what it means, which solutions. I think there are a lot of different solutions that people have tried historically that they're now looking to augment with something that's a little bit more like a data security platform.
There are a few different technologies around there. I think our methodology is that you need to understand where the important data is, really understand all of the controls that govern access to that data deeply, and then also understand who's using the data, kind of like the camera in the vault, or like a bank keeps a register of all the transactions. You need these kind of three pillars as ingredients to enable you to actually address the problems out there. We're focused on delivering outcomes in an automated way, making sure the data is more protected, all those controls that I mentioned are optimized, making sure that you've got those detections that Guy talked about, when we see an insider, somebody behaving strangely, somebody maybe asking weird questions out of their AI, that you've got some detection that will flag that.
Even though data is locked down, as Guy said, chances are somebody is going to be compromised, either an insider or an account is going to get compromised. To be able to spot that activity and stop it in its tracks is another big outcome there. I think we've been doing it for a while, and our methodology has proven effective in that space, which is getting a lot more attention.
Maybe if we stay and maybe double-click on that point, maybe a little bit of a compare and contrast on DSPM, [crosstalk] Data Security Posture Management. What is it, the view that you guys are taking towards DSPM? And maybe how do you separate or differentiate yourself from the competition? Because by the way, DSPM, that's another very noisy category [crosstalk] over the course of the past several years and also coming out of RSA.
That's a great question. I see DSPM as a subset of what we do. It is focused on discovering what's important and maybe wrapping a little bit of what people call posture. That is the P in DSPM. What posture really is, is kind of broad configurations. Like have you enabled multi-factor authentication? Do you require strong passwords? It is important to get these things right, but you have to go much deeper to actually protect the data. I guess the big important message is discovery is not security. Discovery is a start, but you actually have to be able to do deep discovery and then address whatever you find. Otherwise, you are left with liability or a lot of manual busywork, which is not actually doing the security of the data.
Understood. As we think about some of the investments that are being done within the category, and indeed we had seen several huge investments, how would you compare and contrast what is it that Varonis kind of has to offer? Maybe I would say, given your kind of tenure in the market versus some of the new emerging products or solutions out there.
What I see is that from a discovery perspective, most solutions started in the database world. They also started with sampling. They said, let's look at a small piece of data. Just really, let's try to identify what's sensitive. As I mentioned, maybe throw in a little bit of configuration. When you contrast that with our approach, which is that you can sample in databases that may make sense for you, really you have to be built to look at all the data. People have these massive data stores, both in the data center and in the cloud. You have to have the coverage footprint to be able to do something meaningful, to be able to look at all the data and then go more deeply into the controls around that data and how it's being used.
That's where I think we've got a lot more mileage. I think if you think about it rationally, it's not enough to just see smoke. You might see smoke in one room, but the other part of the house is actually on fire. I think it's a very different approach to securing data. We're seeing, I think, definitely like you, a lot more noise around DSPM or a lot more talking about that, as well as just discovery. That's really good for us. We're able to participate in many more discovery RFPs, many more DSPM RFPs. If there's any kind of willingness or any kind of desire to secure data, which for most people there is, then that is a very good situation for us to be in.
I think you had MDDR, I think, for about a year now. It is seeing great success, interest, which is being translated into hard revenues. What is driving that success, that MDDR product?
The value proposition is simple to digest for the customer. It eliminates all the hardship that they have to go through in ensuring that their data is protected without the need for real manual labor on their part. The environment is extremely complex. Hacking is becoming way more challenging to try and address. When you have technology that provides automation, can identify anything that's happening in an abnormal way, and if there's anything that pops up that is truly strange, you get a phone call. It doesn't get any better than that. I think that's the reason it's been so well received by customers. When we look at the SaaS offering and the fact that we were able to increase our footprint with new customers, increase our ASPs, it really is coming from the essence of, we'll do everything for you.
All you need to do is pay. That is resonating really well. MDDR is by far the fastest growing platform Varonis has ever had, and not even close to any second. We are really happy with the way this has been adopted. It has definitely been consumed by the vast majority of every new sale we sell with MDDR. We still have existing customers that we need to get on the MDDR side. We have talked a lot about the fact that we see MDDR as a need for every single customer. This should have a 100% attach rate. Eventually, it is going to take some time. We truly believe that customers need it no matter what.
It's customers of all market tiers. Doesn't matter. Yeah.
Yep.
Understood. We promised to double-click again on Gen AI and the opportunity that you're seeing. I'll tell you this. We have heard from some companies that AI has been around for several years. They've been using it maybe a little differently. Now maybe the time has arrived for mass deployment. How do you guys think about Gen AI, and where is it beginning to impact your set of products, platform, and also from a customer perspective?
I don't think we're even close to seeing Gen AI in its mass deployment stage. I think it's in very early stages, very early innings. I think when you think about the world evolving, I don't see a situation where it doesn't get to that mass deployment stage. If you look at even ChatGPT and the personal behavior of people on using ChatGPT, once you try it, are you going back to your old search ways? Probably not, no.
I know a lot of organizations are extremely hesitant to deploy Copilot because of the risk of having things blow up. We have seen some scary, scary things with customers that have not taken care of the sensitive information prior to deploying it. Have an employee that goes into a chat box and says, who got a raise last year, and suddenly gets the full list of employees with their salary increases. That is catastrophic. Or an employee that asks for the equity file gets it in seconds because they did not have the sensitive information blocked where only the right people have access to the right data. You cannot go and roll out Copilot without thinking about the unintended consequences of what can happen if you are not locking down the data properly.
Are companies going to be prevented from rolling this out in four or five years because they're afraid of sensitive data? No, they're going to have to fix the sensitive data because there's going to be demand from the field to improve productivity. I think if you look at the end goal of how the world looks in five years, it could be five. It could be six. It could be seven. I don't know when this happens. Does this move in a direction where everyone needs those productivity gains? I think it's a safe answer to say yes. When exactly is that inflection point? Is it this quarter, next quarter, a year from now, two years from now? No one knows. Anyone that knows, please send me his number. I'd love to know. Eventually, it's going to get there.
We're there to be able to capitalize on that opportunity. By the way, it's not just Copilot. It's any Gen AI that is out there, whether it's Gemini, whether it's Salesforce. Eventually, you get to a point where employees are using whatever tools they have for productivity gains. If you don't take care of the sensitive information in advance, you're going to have real, real problems.
Maybe in that context, and you've recently kind of introduced support for Agent Force, what's the implications of that as it touches on Varonis?
As Guy said, there are many flavors of AI. Whether it is Agentic or it is a Copilot, the underlying problem is a data security problem. I think with Agentic AI, the stakes get a little higher because the agents can take actions and go to multiple sources. The important thing I think that people are realizing is they are going to have to protect the data that AI harnesses and uses, or else there are going to be situations where data is exposed way more quickly than before. I just see this. I was just saying AI is like salsa. It seems to make everything better. It goes with everything now. It is just coming up in all sorts of places and in all sorts of use cases that I think it is part of the momentum behind why people are talking about data security.
Guy, it would appear as if the SaaS NRR is tracking significantly higher than kind of the overall NRR. Maybe can you walk us through the cornerstones and kind of what's driving that much improved SaaS NRR?
First and foremost, it's the richness of the platform. It's the richness of the technology. The fact that once you see the value with the SaaS offering, you want to be protected on additional platforms with the same offering. It goes back to the ease of use, where the hardship of the on-prem subscription and the challenges that you had to face are eliminated with the SaaS offering. We took all the goodness from the on-prem and put it in the SaaS. We took whatever was challenging and improved it. It is a much, much better product. The value proposition there is much easier to digest from a customer's perspective. When they try it and when they see it, there is so much more for us to sell, which gets us to a point where the SaaS NRR is much higher than the reported NRR.
I think one of the biggest misconceptions that investors still have is this notion that we're growing because of the transition and because of the conversions. We believe that once we get through the transition, we go back to the base, and we can start selling additional platforms. The SaaS NRR gives us that confidence. Part of the reason of talking about going back to the 20%+ growth rate of ARR. We're growing now at 19%. If we can continue to increase our new customer base in the same rate, and the SaaS NRR is much higher than the reported NRR, that gets you to the 20%+ already in simple math. When we look at where we are from a technological perspective, from the amount of platforms that we have to offer that we can help protect, we feel very good about the opportunity.
By the way, part of the reason we were trying to squeeze this transition and make it shorter, we believe that if we can get this done in three years, then you do not need the same attention that the reps are putting on the conversion side. They can start spending their time on upselling to the base. Definitely part of the thought process that we had in this time frame of shortening the transition.
Super. Questions from the audience? You in the front.
Yeah. So Guy, can you talk a bit about, can you decompose the NRR improvements in terms of upsell, pricing, stuff like that? How does that sort of break out? For David, you mentioned again, you talked about all the different flavors of AI and how they all benefit you. Two questions on that. One is, does that mean that you go from, in the old days, sampling data, when people used to sample, what you talked about before, to checking all the data? Now with AI, there's so much data that some platforms have to go back to sampling? Or is it always going to be sampling? You have the capacity and the performance to sample everything.
I can talk about that. [crosstalk] You want to.
You can start with yours, and then I'll.
OK. It's a great question. When we're talking about sampling, the other technologies that I've seen, when they're trying to handle large data sets, go to sampling. They often use it as a rationalization for not being able to scan everything. We are built to scan all the data and keep up as data is created or changed. That's one thing that's a big differentiator for us, because we actually see the data activity, we can do that and keep up with these massive data stores. I see that the AI problem, the data security problem that AI exacerbates, will encourage people to not only understand what's important, but make sure that the important stuff or the wrong stuff isn't in the training data. Make sure that the training data has its integrity intact, right? It hasn't been poisoned, things like that.
There are all kinds of use cases when you're developing a model there. The data that the model's being trained on has to be locked down because almost all these AIs work the same way. When you ask a question or an agent asks a question, it looks at all the data you have access to to formulate the response or to derive whatever action is going to take place next. If that user or that agent has access to too much data, the chances of data being exposed or misused, it becomes almost a certainty. I think that's one of the reasons that this lens on data security has gotten so bright. It's because people realize they need to lock the data down better where they cannot use AI safely, whichever flavor of AI they want to use.
To answer your question about the SaaS NRR, where is it really coming from? The one important thing to note is that SaaS NRR does not factor any conversions whatsoever. It is taking SaaS customers a year ago and trying to see a year later what their ARR is. We are seeing that coming mostly from additional platforms that are sold. That is really driving kind of that NRR being significantly higher than the reported number of 105.
Like-to-like customers, you see their total price of purchase going up as they move to SaaS?
The price list, apples to apples, SaaS versus on-prem is 25%-30% higher. What we are seeing is that some of the customers are buying the larger platform. Eventually, kind of having the MDDR and Copilot as part of the platform is one SKU. MDDR is really what we believe to be the glue. Because if we're doing everything for you, and we call you up and we say, listen, we've discovered some strange behavior, whether it's a ransomware attack or a hacking attack or even an employee within the organization that is trying to take data and give it to competition, but we're not covering these platforms because you didn't buy them, so just keep that in mind. It becomes a way different type of conversation. We believe that can kind of help us in the upsells once they have the MDDR and they see the value of it.
Guy or David, how has your TAM evolved over the course of the past few years? How did this SaaS transition assist in expanding that?
The SaaS offering has opened up new markets, new customers that we couldn't really address before because they didn't want to deal with the hardware. They didn't want to deal with the headcount. It definitely increased our opportunity to sell. When we look at kind of the spaces that we have kind of gone to, we're definitely seeing the TAM increase. I think when you look at kind of the new customers that we have and the existing customers that are buying more, there's so much more, so much more meat on the table for us to take advantage of. We're definitely seeing that as a huge opportunity for us. We didn't talk about the Cyril acquisition either. [crosstalk] .
Yeah. [crosstalk] We can squeeze, let's squeeze that in [crosstalk] before we wrap it up.
Sure. Very exciting. Monitoring the activity in databases is something that this acquisition helps us accelerate. This is very important. We've been monitoring activity just about everywhere else, but the databases, some of the databases, the capturing that activity has been difficult. Excited to be able to offer that and fold it into the rest of the platform because we've been classifying data in databases now for over a year, looking at some of the configurations and the security of the database. To be able to add the activity into our stack gives us an end to kind of capture that market as well, which is sizable.
Got it. Maybe Guy, final thoughts. What does excite you as we look into the next several years from a Varonis standpoint, of course?
A lot of things excite me. No, honestly, when you think about kind of the path, the five-year plan that we laid out during the Investor Day in 2023, talked about getting to a billion dollars in 2027 and completing the transition by then. We cut the period of the transition from five to three. Our free cash flow has shown real improvements. We're guiding for $120 million-$125 million of free cash flow compared to just over $50 million a year ago and break even the year prior. From a profitability perspective, we're absolutely ahead of the game. Not only that. When we look at how we grow post that $1 billion, we're making some short-term, medium-term, and long-term investments to capitalize on a much larger opportunity.
Super. Dave, Guy, thank you so much.
Thank you.
Thank you, everybody. Appreciate the time.