All right, good afternoon. Welcome to the afternoon of the conference. Very happy to have Varonis here. We've got Guy Melamed, the CFO and COO, and David Gibson, the SVP of Strategic Programs. Before we begin, I'm required to inform you that a complete list of resource disclosures or potential conflicts of interest is available on our website at williambler.com. With that out of the way, we're going to see some slides, and then we'll have some time for Q&A, and then the breakout upstairs right afterwards.
Great, thank you so much. My name's David Gibson, and Varonis is a data security platform that's delivered in a SaaS model. We protect data, and we kind of, I guess the real easy way to think about what we do is we find data that's important and in harm's way. We lock it down so that only the right people can touch it, and then we monitor the heck out of it so that we can detect and stop threats to data like ransomware, like external attackers, like insider threats, and like AI abuse. I'll be talking a little bit about how we do that today. Here are some stats. We've been doing this for a while. We have many customers that say wonderful things about us, in addition to having good analyst feedback because of the mileage that we have.
This is the way that I try to explain what Varonis does when I'm talking to new customers and existing customers that haven't seen us for a while, and I, in my role, get to talk to our larger customers. This is kind of the way I walk through what Varonis does and the value that we help people get. Varonis has been protecting data since we saw a while back. It was before data security was really a thing that anybody talked about. When people talked about security back then, it was endpoints and perimeter and a lot of different things that people have. I think people have realized that all of them are usually in service of protecting data. If an end user gets phished or somebody downloads malware, if no data was taken, it's just another day. Right?
If data gets taken or exfiltrated, then it's a really big problem. This is where we started and where we've developed our solution, and we've learned a lot over the years about protecting data. One of the big things that we've learned is that data is very hard to protect when so many people and identities, human or non-human, have access to so much data that they don't need to have access to. We have seen this phenomenon wherever we looked, and people have data in a lot of places. Wherever it's stored, when we do a risk assessment, and that's the way we sell, by the way, is we look at people's data through our lens and show them where they have risks. Wherever we're looking, we see data is open to way too many people.
Often, everybody in the company has access to sensitive data. As cloud stores like 365 and Google Drive and Box have become popular, end users are sharing without any IT help or oversight, and it's a bit like a party with no parents. People are sharing file by file, link by link, you know, with everybody in the company, with external users, publicly if it's allowed many times. A lot of the data that's being shared this way is sensitive. In the cloud infrastructure world, it's very easy now to spin up infrastructure. When I was working in IT and infrastructure, if I wanted a database, I needed to spin up, I needed to rack a server and actually configure the operating system and then load the database and then populate the database. Now it's just code. It's a shell script.
It's a bit of a party with no parents for developers, right, to spin up infrastructure. SaaS has become very popular. Wherever we look, people typically have more access to more data than they need, whether you're a human or a non-human identity. We call this concept the blast radius. If a user was compromised, if it was an insider, how much data would they have access to? What would the damage be? We've been talking about this in the context of insider threats because the more access an insider has, the more dangerous they are. We've been talking about it in terms of ransomware, right? If a user gets ransomware, the bigger the blast radius, the more damage that will happen. External attackers have a much easier job if the blast radius is big.
In fact, we're seeing that attackers aren't breaking in these days so much as they are logging in. When they log in, they compromise an account, they have access to a lot of data, right? It makes their job easy. We also now are talking about the blast radius in the context of AI. People are starting to realize that most of the enterprise AI assistants use what you have access to to create a response. When you ask a question of Copilot for 365 or ChatGPT Enterprise, it looks at the data that you have access to to generate your response. If you have access to more data than you need, the chances that you will see data that you shouldn't see go up that much more with AI. There are a lot of use cases.
I think people are starting to realize that AI is a data security problem. This is one of the big problems that we see in data security that we help solve. There are some others as well. It is not like people have not been doing anything to protect data. They have been trying a bunch of different techniques. DLP, or Data Loss Prevention, is probably in its third iteration now. Many people that I talk to have several scars from going through different DLP projects. A lot of people that I talk to are trying to do data loss prevention by putting a label on the files that they do not want to be leaked, that they do not want to be sent by email, they do not want to be saved to USB key. This is one technique that people have tried. A lot of people are starting to do more discovery and classification projects.
The rationale is, well, we better understand where the data we care about lives so that we can go lock it down. And people have also been using the native tools that are inherent in each of these platforms. But how is that going? When we ask people how their DLP projects are going or how the discovery projects have been going, the answers that we hear are like this. Well, if we're doing DLP, we struggle to get enough labels on enough files accurately enough to actually do any meaningful blocking. So we're doing not data loss prevention, we're doing data loss watching. How's discovery going? Well, my scans didn't finish. They're scheduled, right? We're lucky to get an incomplete scan every six months. Oh, and by the way, we didn't get enough context to actually figure out what problems we needed to solve.
None of these solutions actually monitored what was happening with data, so we could not detect any meaningful threats with data. We do not hear people get to the outcomes that people want to get to with data security very often, unless they have Varonis, which is data is locked down, that blast radius is closed, and it is monitored very tightly for threats. How do we do it? Wherever enterprise data is stored, and these days it is stored in the data center, it is stored in the hyperscalers like AWS and Azure and GCP, stored in SaaS applications like Salesforce and ServiceNow and Databricks and Snowflake, there are many of them. Wherever it is stored, we have seen you need these three dimensions in the middle in order to protect it. What is important? Who has got access and who is using it?
If you don't have these three dimensions, sometimes you can see a problem, but it's very hard to actually solve the problem. If you know where your sensitive data is, the next question is, is it locked down? Is it at risk? I don't know. Who has access to it? What are the permissions? What are the configurations? Is it masked? Is it labeled and encrypted? You have to actually look at the state of all of these preventive controls in order to see if it's in harm's way. If it is in harm's way, as we find almost all the time, actually every time in risk assessments, how do I fix it without disrupting business? I don't know who's using it. Right? We see very quickly if you have one or two of these dimensions, you need the other dimensions in order to protect data.
Now, with that, we give, and actually I'm quoting a recent customer, unprecedented visibility into where sensitive data is, where it lives, where it's in harm's way, how to fix it, how it's being used. From there, we automate the outcomes that people want to get to. We safely lock the data down. We'll safely apply a label to it. We'll safely restrict the permissions, fix the entitlements, fix the masking. All of the preventive controls we can optimize, fix the configurations or what people are calling posture these days. We'll also monitor the heck out of it to spot insider threats, ransomware, malware, external attackers, AI abuse, all actually without the customer having to do anything with our managed data detection and response service. We will baseline what's normal, detect abnormal behavior, and be responsible for calling you with an SLA if we detect something.
For example, if we see ransomware, we have 30 minutes to call you. This is how we're actually able to get to the outcomes that people want. With Varonis, data is locked down and it's monitored much more closely for threats so people can spot them proactively. These are the kind of real-world outcomes that we're able to help people achieve. Imagine this in the AI example. A lot of organizations that I talk to are under pressure to deploy some kind of AI, whether it's Microsoft Copilot or ChatGPT Enterprise, but security teams can be scared. If I do this, what are people going to see? Sometimes unintentionally, people can stumble onto stuff much more easily if they're using AI. We're able to right-size the access controls, fix the links that shouldn't be out there, and then monitor it to prevent breach.
To go a level deeper with our visibility, we're looking deeply into the content. We're looking inside the contents of files, of object stores, of databases to see what's sensitive. We are mapping the permissions and the configurations, the masking, seeing the label. We're looking at the activity, what people are doing, what files they're opening, creating, deleting, moving, and modifying, what changes they're making, what SaaS applications they're going to, all sorts of telemetry. You may have seen, we go very deeply. We actually did a press release on this yesterday about our identity component. We've seen as we go outwards from data, understanding the identity layer, understanding who has, what's a risky identity, what people are doing from an identity perspective, both human and non-human is a big component here.
These are some of the elements that we have in visibility, which provide a lot of context. Not just where the sensitive data is, but where is it at risk, how's it being used. One thing that's really important is because we see the usage of data, we're able to keep up with these very large data stores. Our inventory, our visibility is always current. This is something that other solutions aren't providing, right? They do periodic snapshots of where sensitive data is. Because we have the access activity, we're able to keep up with the pace of change on even the largest data sets. We also, because we're able to do that, we've built our solution to look at all data, not just a sample of data. Real-time visibility, again, this is repetitive here, but the find.
When we have that visibility, we're able to automatically fix what we found in terms of the risks, excess of access, misconfigurations, labels that aren't applied, third-party applications that might be risky or stale or not being used that people are installing in Azure and Salesforce and things like this, disable stale users, and also delete the data that is not needed anymore, which is often called ROT when you're talking to IT or compliance folks. That stands for redundant, obsolete, and trivial data. All of these are really optimizing the preventive control set that has been woefully unaddressed over the years. This is all happening in an automated fashion with Varonis. From a detection standpoint, we're giving people a lens.
Often, if a user is compromised, one of the hardest questions for IT and security teams to answer is, did this user touch any sensitive data? How much sensitive data? What data did they touch over the last 30 days? Where? We have that activity stream. Just like your credit card company monitors the credit card transactions to detect fraud, we monitor all the data transactions to detect insider threats, to detect ransomware, to detect AI abuse. We are monitoring this. Our behavioral models are firing if we see something that looks like a deviation that's interesting. Our MDDR analysts combined with agentic AI are triaging the events, investigating, and calling if we think there's a real breach in progress, a real incident that you need to know about. All of these use cases are very relevant for AI. AI is the new salsa. It makes data taste better.
It goes well with everything. We're seeing that there are multiple use cases for AI. People have started with copilots like 365, ChatGPT Enterprise. There are many of them out there. People are worried about data being exposed through AI. They're looking to shrink the blast radius and monitor what people are doing through AI, as well as just on the data set in general. People are worried about AI agents, which have the same core problem. If they have access to too much data, not only could they reveal things that shouldn't be revealed, but actually create more derivative data using that and proliferate the risk further.
There are also some risks that people are worried about as they start to build and train their own models to make sure that the training data is intact, verify the integrity of the training data, make sure it's not poisoned, make sure the data doesn't contain things that should not make it into the model, secure the models themselves, also secure the underlying infrastructure that goes into creating the models. There are many use cases here that are providing a tailwind for us in addition to the core security use cases that continue to be very, very important, as well as compliance. We want no breaches, no fines, no effort. That's what we're helping our customers achieve. The way we start is we sell through a risk assessment. We want everybody to take a look at their production data through our software.
It's a quick install because it's a SaaS solution that's very quick to spin up. We can start to assess a portion of the customer's data very quickly. We'll take a look at what's sensitive, the state of those preventive controls that I mentioned, and start monitoring it for threats. Once a potential customer starts looking at their data through our lens, it's very hard to unsee the risk. It's the best event that we can have from a sales perspective. This is part of our sales motion. I guess with that, see if there are any questions.
Okay, great.
Maybe to start out, it's a dynamic space that you guys are playing in. Historically, you've talked about sort of only seeing competition in like one out of 20 deals. How has that changed over time?
Are you seeing kind of a new sort of vector of competition coming in that whole DSPM category, which maybe we need to define for folks here, but maybe just talk about that competitive evolution.
Sure. I don't think that the competition has changed much in the areas where we've been traditionally, in the data center and 365. As we've expanded our coverage and gone into structured data and more of the cloud stores, the more SaaS applications, we're able to participate in more discovery and DSPM opportunities. With those, we're, of course, encountering, because there are fees, there are RFIs, we're encountering other discovery and DSPM vendors in these new areas. I say that's changed. There's a lot more activity, a lot more focus on data.
With that, some of the new players there, which I think the important thing to remember is discovery is not security. Discovery, we think, is just a sliver of what you need in order to actually protect data and get to those outcomes. You need to not only see the sensitive data, discover that, but also have deeper discovery. Where are the risks because the preventive controls are not in place? How is it being used so that you can then automate fixing the things that you find? Otherwise, you are just kind of left with liability and busy work and then followed by a breach.
Is that the right way to think about your differentiation, is that you guys have the sort of breadth across on-prem, cloud, SaaS, as well as that ability to go beyond just discovery and classification? Is that the right framing?
I think both the depth and the breadth. Coverage has become a huge weapon for us because we do have coverage for all the enterprise data stores. That is often right out of the gate, a big differentiator. It is not just the coverage, as you mentioned. It is the functionality, the ability to remediate the risks that we find with the automation to do the managed data detection response, the automated threat detection from a data level. These are some of the differentiators we see. Whenever it is really a data security use case as opposed to just a discovery or maybe a privacy use case, we are in really good shape.
I want to maybe visualize it for some of the non-technical people in the room because everything sounds the same, and it's very hard to understand what we are doing different in comparison to some of the other verbiage that all sounds alike. The best way to visualize it is a bank. When you think about protecting the vault within the bank, there are multiple ways to think about it. You need the cameras outside the bank. You need the guards. You need the fence. You need all of that protection. We sit on the vault itself. We identify any abnormal behavior that is in relations to data.
If someone touches data from an IP that isn't recognized or opens 1,000 files or 10,000 files instead of five files, touching sensitive information, someone's trying to get into that vault, and we can disconnect the account and make sure that nothing happens. It doesn't mean you don't need the fence and you don't need the cameras and you don't need the guards. You absolutely need them. At the end of the day, in order to identify if anything abnormal is happening in relations to data, we have the sophisticated algorithms to identify if something's happening. On top of that, at the end of the day, no one breaks into the bank in order to steal the pens. We really sit on what is the most sensitive part of the organization.
Not only are we protecting against someone trying to come in from the outside, if you have 10,000 employees and you're a C-level executive and you believe that all 10,000 employees are ethical, you probably shouldn't be running a company. We protect from the inside out, trying to make sure that no one takes information and gives it to competition. We've seen so many instances where an employee was either selling information to competition or was about to leave, and they were gathering all the sensitive files so they can take it to their next jobs. Either it's from within or someone taking over your credentials from the outside, we can identify that through the sophisticated algorithms.
Okay. By the way, is anyone else freezing in here? It's like a meat locker in here. Guy, can you talk about the SaaS transition? Because David didn't mention that.
He did a little bit in terms of how it's helped you guys with the risk assessment. Talk about from a financial perspective, how that transformation has gone, where we are in the process, and then what it brings to the table across all elements, sort of the win-win-win aspect.
In order to understand the financial kind of implications of the transition, I'll touch first about how much better the SaaS product is because that's where everything starts from. We have been able, we announced the transition at the beginning of 2023, and we initially talked about a five-year transition period. We defined the transition to be complete when we get anywhere between 70%-90% of our ARR coming from SaaS. We cut it from five years to four years, and we recently cut it to three years.
We expect to be done with the transition at the end of this year. We just raised our SaaS mix guidance from 78% to 80%. We expect to be 80% of our ARR at the end of the year coming from SaaS. We talked about three North Stars when we initiated the transition. We talked about ARR because revenue becomes noisy with kind of the way revenue is recognized on the on-prem versus SaaS. In SaaS, it is ratable. In the on-prem, there is a big chunk that is recognized upfront. We talked about ARR as one of the North Stars. We talked about ARR contribution margin, which takes into consideration kind of the cost structure. We have done a very good job in maintaining the cost structure even during the initial stages of the transition. The third North Star is the free cash flow.
We have shown some pretty significant improvements on our free cash flow. We guided to $120-$125 million of positive free cash flow for this year, which is a significant improvement from last year. We are very happy with kind of the leverage we have in the model. There is noise on the standard P&L, if you think about it, just because of the revenue side. From a cost structure and from a generation of cash, we are ahead of schedule. When we laid out a five-year plan in our investor day at the beginning of 2023, we talked about a $1 billion target by the end of 2027. We talked about having ARR contribution margin in that 20% range. When you look at the levels that we are today, we are in that 16%-17% ARR contribution margin.
We're literally ahead of schedule and kind of on the path there. Where we sit today, we have never seen the opportunity as large as it is. Some of the investments that we're making today are actually to support growth post that $1 billion mark, as we see a path to capitalize on a much larger opportunity than we originally thought. Copilot is one of them. David talked about it a bit.
When you see companies rolling out Copilot and realizing how vulnerable they are, if you have an organization that rolled out Copilot and then one of the employees goes into the chat box and writes who got a raise last year, and suddenly the full set of data of all the raises within the organization pops up within seconds, that's a disaster for an organization if that employee shouldn't have had access to that type of information. Copilot, and it's not just Copilot, it's any GenAI, is really putting a spotlight on a problem that always existed, but now it's just becoming simpler not just for employees, but also for hackers to take advantage and find where the sensitive information is.
Copilot and GenAI as a whole has really helped us in kind of seeing how this world is in the direction it's moving, and we want to capitalize on that opportunity.
Is it a catalyst at this point, the GenAI stuff and Copilot?
It's coming up in every conversation. We actually started seeing it as being a contributor in the last one to two quarters, but it's not anywhere close to where we think it could be. It's probably in the first inning, if at all. When you think about the rollout of Copilot, we've been very consistent that I think investors expected Copilot to become a thing way quicker than the way it's happening. We've been very consistent that you don't really know if it's going to happen the next quarter, the next year, but eventually it's going to happen.
Organizations that won't roll out productivity tools, I don't think will exist. Whether it happens in six months or a year, we don't know, but we're there to capitalize on it.
Okay. And then just to round out the SaaS transition question, can you talk about what it has done for customers and for your sales force, channel, etc.?
From a customer perspective, it's simplified kind of the whole way they think about the problem because MDDR is only offered under the SaaS offering. And in MDDR, the only thing you need to do is pay. We basically will take care of the rest.
At the end of the day, you can save on the hardware because you're buying the SaaS offering, and you can save on the headcount because the automation of the product takes care of a lot of the alerts, and you don't have to manage it yourself. We do it for you. From a SaaS perspective, we expect renewal rates that have been consistently over 90% to actually improve because of that stickiness that the MDDR generates. When we look at the sales cycle, sales cycles of SaaS have been shorter than the standard sales cycles for on-prem subscriptions. From a financial strength perspective, SaaS is a no-brainer for us. It's also a no-brainer for the customer because of the value of the product.
What's the uplift versus the on-prem? Apples to apples.
If you're buying the same number of licenses, it's a 25%-30% uplift. The total cost of ownership for customers is lower, still even with that uplift because they can save on the headcount, they can save on the hardware. In some cases, we see customers actually consuming more of the product, so they pay more than that 25%-30% uplift.
Okay. We'll have to end it there. Thank you, everybody, for coming. Thank you, guys. We're going to go upstairs to.