All right. We will get going here. Thank you all for joining. I'm Roger Boyd. I cover cybersecurity here at UBS. Very happy to have the team from Varonis here: Guy Melamed, CFO and COO, and Brian Becci, who's Field CTO. So thank you guys for being here.
Thanks for having us.
Thank you.
Cool. We're gonna do some fireside chat. I've got the iPad here, so if you have questions, feel free to submit them, and we'll try to weave them in. Maybe to get started, I know many people are familiar with the story, but a broader audience here, for the investors who are less familiar, can maybe start with a quick overview of the platform, the history of the company, and kind of the use cases you've addressed and the ones you've expanded to address.
Sure. Varonis is founded because enterprises, of all kinds—public, private, big, small, in every vertical—struggle to protect data. They struggle to understand what data they have and where it is and what the risk is associated with it. Who and what's got access to it? How is it being used? Where is sensitive data living in places it's not supposed to be? We started 20 years ago because answering any of those questions, let alone doing anything about it, was basically impossible on even small data sets in the enterprise. Over the years, we've expanded our coverage to cover everything from databases and SaaS applications to file systems and collaborative platforms. We reinvented our platform as a SaaS-first solution a few years ago, and now Varonis is a SaaS company.
Use cases are really visibility, understanding what data's where, reducing risk automatically, and then minimizing how long it takes to detect and respond to threats. Catching threats quickly and minimizing any damage.
I think, if I try and bring it home to the non-technical folks, what we're trying to do is what the credit card companies did to the fraud detection. Obviously, when people travel and they have a transaction that is abnormal, they get a text message, "Is this you? Yes or no?" The accuracy levels of those credit card companies are pretty, pretty amazing. The reason those credit card companies can identify if this is an abnormal transaction is because they track every single purchase that you have. They know where you buy, where you travel, who you eat, who you're eating with in the restaurant. Based on kind of putting all those pieces together, they can identify what's abnormal. We do the exact same thing with data.
Because we see who touches files, who opens files, who deletes files, and what files are sensitive, we can identify if someone touches a file that they usually never touch from a laptop that is unidentifiable to the organization, from an IP that usually does not get accessed at a time that is abnormal. When you put all these pieces together, we can identify if something abnormal is happening. That is what we are trying to do.
Cool. We'll come back to the bigger picture, but I wanted to jump in and tackle 3Q. You guys announced the change of the subscription transition, what you're doing with the on-prem customer base. Can you kind of just remind us what's going on there, and what you've seen from that kind of on-prem customer base since that announcement last month?
We will start with our announcement to move to SaaS. That was at the beginning of 2023. We talked about it initially. We talked about a five-year plan on getting over and completing the transition, and we defined the transition to be complete when we get anywhere between 70%-90% of ARR coming from SaaS. I can say that the first part of the transition went really, really well. We lowered the period from five years to four years, and then when we gave guidance for this year, we kind of lowered it to three years. Transition was progressing really well. In Q3, our on-prem subscription renewal rate did not behave in the same fashion that we have seen. Historically, our renewal rates have been consistently over 90%. I will say that in Q1 and Q2 of this year.
Mm-hmm.
Our renewal rates actually improved, which.
Mm-hmm.
I think kind of threw us off. What we actually saw is that in the last two weeks of the quarter in Q3, we started to see a lot of those customers that decided not to renew. We are in conversations with many of them. I think we can get some of them over to SaaS. When we looked at what happened, there were basically three key elements that contributed to the underperformance on the on-prem subscription renewal rate. One of them had to do with customers that were single-threaded, meaning they bought us initially for a specific use case and auditing tool. They did not get the full value of the platform. If they do not renew, nothing really bad happens the next day. That was something that we identified as an element that impacted Q3.
I do wanna note that when we looked at Q1 and Q2, those single-threaded customers did convert and renew. This was something that we didn't see coming, and it had an impact in Q3. The second element was sales execution. We did see some of the sales team that kind of reverted away from our game plan, including having QBRs with customers, making sure that they see the value, understanding what the benefits of SaaS are and what's the next step for them in their kind of journey with Varonis. I think that in neglecting that, those conversations with some of the on-prem subscription customers, it kind of generated additional friction that impacted those renewal rates. The third element that we saw was additional deal scrutiny in the last two weeks.
When you kind of just look at the environment, I don't know if we can distinguish this from a macro perspective or anything else, but it was definitely something that we saw, and we wanted to call it out. Sitting here today, looking at those three elements, they still are there. We haven't seen anything different in terms of the analysis that we have done, and we spent a lot of time in analyzing everything. One of the things that we did do is call the end of life of the on-prem subscription. We can talk more about that later. We did that as an attempt. We only kind of pulled it up by one quarter. The plan was to announce it anyways at the beginning of 2026 during our SKO.
When we saw kind of the underperformance on the on-prem subscription renewal rate, we decided that we wanna put it out there because, obviously, investors would like to know what is the expectation for conversions in 2026. I think it would be irresponsible to give them a number and announce the end of life at the same time and then have an additional point that can have an impact. We felt that if we are going to give a number and kind of some sort of expectation for 2026, then we have to do it where everything's out there and all the data is known, and we can see the behavior in Q4, which is a large denominator, and then kind of have a much better understanding of how things could look next year.
Yeah. Makes sense. Appreciate the color there. I wanna go back to the timeline. We did this the other week, but when you go back to what you guys talked about in 2023, when you first laid out the transition, you were kind of projecting around $200 million in ARR from SaaS by 2025. Today, you're closer to $600 million. Obviously, transitions have been a big part of that. I wonder if you could talk a little bit about what you've seen in the SaaS Business X conversions. I think it's kind of gotten lost in the debate over 3Q. I think it has outperformed your expectations. If you could have any color there, that would be.
I'll start by saying that it definitely outperformed our expectations. Our ability to shorten the transition period from five years to four years and then from four years to three years is a testament to how well the transition was going. I absolutely agree with you that the on-prem subscription renewal rate kind of put a cloud on a business that is performing really well. The SaaS business is really hitting, hitting on all cylinders, and we feel very good about that business, which kind of brings the point that we understand that in 2026, we need to ensure that investors see the strength of the business through the SaaS and not have any of the on-prem subscription renewal rate overshadow our performance.
I think the focus, in 2026 is going to be on providing the metrics to investors that allow them to see how the business is performing, how the, the business that is going forward is performing, not the one that's in the rearview mirror. The rearview mirror is gonna be done anyways by the end of 2026 because by December 31, 2026, we're gonna have zero non-SaaS ARR. Whatever impact we have on conversions, it's gonna be short-lived. We believe that we can drive this business, on the SaaS front, in a very healthy way.
Yeah. Just to touch on that, you, you've talked about a SaaS net retention rate and the new logo growth, which is now almost all SaaS. Are there other metrics you're thinking about, to help kind of frame the strength of this new business or features?
We're definitely playing around with what would make the most sense in providing color to investors. One idea that I think would make a lot of sense is just breaking out what is the SaaS number in each quarter, excluding conversions, and then just putting that on top. I think that would provide a lot of comfort to investors because I know, in many cases, they wanted to know how the business is performing. This puts kind of the spotlight on the SaaS front, excluding conversions. At the end of the day, when we have roughly $175 million of non-SaaS ARR, with about a third of it coming up for renewal in Q4, I think by the end of the year, we'll have a much better understanding of how 2026 is gonna behave on that front. That's not the focus.
The focus is, obviously, we're gonna try and get everyone over, but the focus is to continue to drive a healthy SaaS business that can continue to grow and provide value to customers. That's really at the forefront of everything.
Perfect. Cool. I wanna get back to the bigger picture and get Brian back in the conversation. High-level question, how do you think about the demand level for data security? There's a separate question here on AI, but even going back a couple of years ago, it really felt like you guys had to evangelize the space. I think that's changed a lot. Can you just talk about what you've seen from a customer perspective, like the definition of data security budgets? Yeah.
The short answer is budgets are going up, and data security, if it's not at the top of a CIO and a CISO's list of priorities, I would question why not. That's what an attacker is after. When we talk about insider threats, insider threats are after data. Data is where the damage is done. That's where security priorities have aligned over the last few years, which is exactly what we've been predicting for a long time. The advent of generative AI has only accelerated that. Generative AI is all based on data. It's based on learning from lots of data to build useful models that you can monetize. It's also based on giving people productivity tools like Microsoft Copilot that allow them to better use all of the data that they have access to.
If you're gonna deploy those kinds of tools, you better make sure that your data is secure. I've told the story a number of times, but one of the banks that we work with found that as soon as they gave Microsoft Copilot to one of their traders, the trader asked the question, "What stocks do our employees invest in?" Instead of getting a couple of paragraphs summary like you'd expect from ChatGPT, got thousands of lines of names and social security numbers and positions of employee 401(k)s. That's exactly what companies wanna avoid. They want to reap the benefits of all this technology, the benefits of generative AI. They wanna, they want their employees to be more productive. They wanna monetize these data sets. Unless your data is secure, you're introducing far more risk than you can control.
You can't get the benefits of AI without data security, which means data security is not the top of everybody's list.
Yeah. Makes sense. I think what else got kind of lost last quarter was just the strength that you've had across the broader portfolio. And so features like AI security, MDDR, you launched a Copilot SKU a couple of quarters ago. What, what's the update on those? I mean, those sound like they're doing well and, again, kind of lost in the shuffle of last quarter's earnings. What can you give us there?
Yeah. I mean, we did not have to talk too much about them 'cause SaaS is doing so well. And the innovation, both through the acquisitions of Cyril, which adds database activity monitoring, gets us visibility and observability in places that we did not have before. The acquisition of Slash Next gets us next-generation modern email security and show me a data breach that does not involve an email somewhere. Phishing is still, and spear phishing, especially in the advent of ChatGPT and Microsoft Copilot, is still the primary threat vector. The right way to think about this is our product platform is going as far wide as we can. If you have got data and you have got infrastructure, we want to cover it. We want to give you visibility there. We also want to build useful automation.
That means not just having coverage, but also the right telemetry and automation to get these outcomes, to make sure that data's protected, that you minimize threats, without having to do a lot of work. Because the other key theme from every one of our customers is that they don't have the people to go and implement lots of new complicated technology. It needs to be automatic. The various pieces of our platform that we've been adding and building are allowing more of our customers to do more of that with a lot less effort. It's all going really well.
Cool. Just to touch on, on database activity monitoring and email security, how do you frame the, like, the near-term versus longer-term opportunities there? It sounds like DAM might be a little longer life. Email security contribute earlier. Is that the right way to think about it? And how do you think about sales enablement around those products? You're obviously growing the platform quite a bit.
I'll take the last part of that first. Sales enablement has been relatively straightforward with these additions to our platform because, you know, our reps and our teams get it. We're protecting data. This is all in service of protecting data. All of our customers have email. All of our customers have email security budgets. Now we can attach to those and do a risk assessment just on email before expanding into a broader security platform. All of our customers that use us to protect our file systems on-premises and in the cloud, they all have good databases too. And they've been asking us for coverage in databases. So database activity monitoring is another natural addition. The sales enablement piece has not been, I mean, it's always a priority, but it hasn't been a challenge. It hasn't been a roadblock.
The reason that email will probably contribute more quickly is only that it was a more mature product. Whereas database activity monitoring, we are folding into our platform. That said, DAM is a, for those that don't know, DAM is database activity monitoring, DAM. That's a, I don't know how many billions of dollars of business that we can go attack. It is, there are legacy players there that customers are ready to move on from. It is a market that is ripe. With emails, again, everybody's got email. Everybody's got an email security budget. It allows us to do risk assessments in places that we didn't before, more easily with less friction, while also allowing us not just to get the new logos, but then to expand our broader offering with those logos.
I wanna talk about the email security offering because I think it has to be seen in the context of MDDR. We are not going into the email security as a standalone product. This is not kind of the direction we're going, is just protecting email. I wanna probably touch on how we got to the thinking of acquiring something that's related to email security. It really stems from the MDDR offering. When we analyze and we track this, the MDDR offering is really, when you think about it, it only started to be offered at the beginning of 2024. It's been so well adopted, obviously, with almost all of the new customers and definitely by many of the existing customers. We're not anywhere close to 100%, which we believe is the right number.
We think every single customer should have the MDDR offering. The MDDR offering is when you buy the platform, the alerts that are provided are analyzed by our engineers that know how to analyze those and make sure that the right alerts are being handled by the customer. In a way, it helps the customer in a tremendous way where Brian talked about this before. They do not have the right increase in headcount to deal with the sophistication of attacks. Also, the alerts and the hackers are getting more sophisticated by the day. This really helps in making sure that customers are better protected. When you see that so many of those attacks are coming from email, by having an email platform, you are providing way more value to your customer because you are not just protecting them.
You're also showing them where it's initiated from, and you can protect them at one step, quicker than what you would do otherwise. I think the important emphasis I have here is that the email security acquisition was done in the context of MDDR and not, and not as a standalone.
Yeah. Makes sense. Cool. I wanted to press on DAM for a second longer. Can you talk about what makes that market so interesting to go at right now? You mentioned there's some vendors in that space that you feel like aren't working for customers. What does it take from your end? Do you have the suite today? I know you've expanded coverage to Snowflake and Databricks and Oracle and SQL. What else do you need to do on your end to be a competitor there?
I think it's, we have the, we have the technology. It's integrating the acquisition of Cyril, which is database activity monitoring for on-premises legacy databases from the SQLs and Oracles and Postgreses, and MySQLs of the world. We have all of the coverage that we need, both now and in our near-term roadmap. What this allows us to do is not just replace the DAM tools that enterprises are currently using. They require a lot of OPEX. They don't, customers generally don't use them to cover all of their databases. It's a technology that is ripe for disruption. However, we're not just replacing DAM. Much like how Guy talked about us going into the email space, it is valuable, by itself, but also in the context of our broader offering, and especially with MDDR.
Now we're monitoring databases, which allows us to perform behavior analytics on databases that we couldn't before, which allows us to also build automation for automatic risk reduction in addition to data classification. What this does is it really expands the Varonis value proposition into new places. Our goal is if you've got data, and I don't care if it's in a file or a database or an application. I don't care if it's on-premises or in the cloud. I don't care if it's in a hyperscaler or in your data center. We wanna be able to protect it. DAM is both a product category that we can disrupt while also giving us coverage and visibility where we need to have it.
Cool. I wanna touch on U.S. Federal. I think it came up a little bit short in 3Q, and you had some pretty specific comments about some of the issues that you saw there. Can you kind of rehash what happened? I know part of it was that you got FedRAMP earlier this year, and maybe that introduced a little confusion in the buying process. How do you think about the federal agencies as a vertical market going forward?
We believe there were three components that contributed to the shortfall in the federal business. One of them is DOGE. I don't know how much of an impact that was. It probably wasn't the largest contributor to the shortfall, but it definitely didn't help. That was one element. The second element was similar sales execution that we saw with some of the enterprise business sales teams that we saw in the federal where they didn't have the same conversations with customers as they should have. I think the third component, which probably had the largest impact, was the timing of the FedRAMP certification. We got a moderate FedRAMP certification really at the beginning of Q2. One of the things that is important to note is that sales cycles for the federal business are much longer.
I think it probably generated more chaos in the, in the sales campaign because now, can you switch it to SaaS on time? And if you are trying to switch it, does it generate more turbulence within the deal? I think the timing of it definitely didn't help us. We absolutely believe in the vertical. We think we can, we can solve a lot of problems there. To be fair, we have been underperforming in that vertical for a couple of years now. What we decided to do is reduce some of the team and make sure that we can see productivity levels go back to kind of numbers that we expect to see and make sure that we put additional investments at the right place.
I think that the FedRAMP was the right thing to do because not only does it help you with the federal business, it also gives a lot of comfort to a lot of the enterprise customers that ask for the FedRAMP certification. It definitely was the right thing to do, but probably did not help us in the Q3 sales cycle for that vertical.
Yeah. Okay. I wanted to touch on competition. I get asked by investors all the time about competition for data security. For a while, it was very hard to kind of line up a truly competitive platform. I'd argue maybe that's changed a little bit in the last few years. You have some competitors in the private market who are pretty vocal. How do you see competition? Has it changed at all? Conversely, has some of the new entrants in the space created a bigger kind of demand pool for you? Have there been deals where maybe others have initiated that you've come in and won?
Yeah. That's happened a number of times. And it's great that other people are spending money on marketing for us at this point. Yeah, there is a lot more investment in the space, and there's been a lot of acquisitions. What's happened, there's a couple of things that have happened. There are more players. We believe really strongly in our ability to execute. Outcomes matter in security. I don't really care what anybody says they can do. I care a lot more about what they prove that they can do, which is why we do our sales motion and our sales execution is actually running a real data risk assessment. Let's, let's prove that we can scale. Let's prove that things are accurate. Let's prove that we deploy incredibly quickly without a lot of noise. That's why we, that's why that's our motion.
What has changed, in addition to lots of other players, because data security is at the top of everybody's priority stack, is Varonis now covers files and emails and databases. We cover the hyperscalers. We cover on-premises data. We cover cloud data. We cover SaaS applications. No one can touch us in coverage, which means if you're an enterprise and you have a project for DSPM or for compliance or privacy or for AI deployments or AI security, and you put it on RFP, we're in those. We're in every fight now. We're not getting boxed out like we were a few years ago because we didn't cover databases or we didn't cover some SaaS application. Now, because nobody can touch us in coverage and nobody deploys faster than us and nobody's as accurate as we are, we need to be in every fight.
We are in every fight. That is why sales execution is so important for us. We need to not only be in the RFP, we need to deploy and run a real risk assessment and prove that all of the capabilities that we offer that no other product offers, the automatic remediation, MDDR, in addition to the coverage we have, we have to prove, we have to show a customer just how valuable that is and how quickly they can realize that value, just how much they, how quickly they can get to these outcomes without a lot of effort. It is so important for us to do that. We can. Our win rates have not changed. You are probably right now that there are absolutely more competitive products, but there is still nothing that does what we do everywhere that we do it.
and so, you know, the technical moat that we've built around us is big and continues to get bigger because there's more innovation in front of us than behind us.
Yeah. I'm gonna weave in a question from the audience just because I think it fits well. How do you think about competition from the data resiliency backup vendors? And, conversely, how do you think about that as part of a broader kind of data security platform, the data backup service?
I would never tell a CIO that they do not need backup, but I would also tell them backup is not security, just like discovery is not security. We have not seen any of those players be credible competition for us. Many of our customers use backup and cyber resiliency providers and are very happy with those capabilities, but are still Varonis customers because, again, resiliency, backup, that is not security.
Yeah. Cool. Guy, you mentioned this before, but some of the customers that didn't close in 3Q are still in the pipeline. Can you just talk about kind of what the game plan is from here? Any, any, have you seen any customers come back thus far in 4Q? When you think about different verticals, federal, like, are there anything to note there?
We definitely saw some of the customers that actually did convert, post Q3. And we're in conversations with, still with, with many of those customers to find a path to get them over to SaaS. Obviously, we understand that not all of them are gonna, are gonna move. I think that when we look at the behavior, we're definitely in conversations with a good chunk of those to get them over. I think the understanding for us is that we are, by the end of next year, 100% SaaS business, hitting on the strength of the business and making sure that, kind of what happened in the last two weeks of Q3 doesn't overshadow where we're planning to go. I think that was an important realization for us post, kind of the unfortunate events of Q3.
I think with that said, obviously, we just wanna make sure that it doesn't overshadow the strength that we see in the business. In the past, we talked about a price uplift and on getting customers over, from on-prem to SaaS. I can tell you that we will do everything we can to get customers over to SaaS as quickly as possible, obviously without having any customer abuse, the situation. At the end of the day, we just wanna get them over, show them the value that they see with the SaaS platform, and then we can go back to them and show them additional platforms that they can come and purchase.
Cool. Maybe to close, you've talked about this goal of 20% growth, 20% ARR growth in the past. How, if at all, has 3Q kind of changed that goal? And if it still stands, what does the path look like going forward? What needs to go right to hit that target?
Obviously, the on-prem subscription renewal rate was a bit of a curveball for us in the last two weeks. We wanted to see if this was a change in trend or if this was a one-off. That is why we said, let's see how Q4 behaves, and then we can give more color on how 2026 will look like. I do wanna note that obviously we're going line by line. We're going with every single customer, having discussion on whether they will move or not. Some of them we understand are not gonna move to SaaS. I think there's a lot of financial benefits for the organization of being fully SaaS at the end of 2026, whether it's less tickets on the support side, whether it's not having to manage two types of code.
There are, it's not just the fact that the SaaS offering is significantly superior than the on-prem subscription and the value that we can provide customers is much more significant. It's also the financial benefit of not having the on-prem to manage and also the time cannibalization. You have to deal with way more issues with the on-prem subscription with your customers. And we wanna make sure that we focus on what's right longer term.
Cool. We'll wrap it there. Thank you all for attending. Thank you, Guy and Brian, for being here.
Thank you.
Thank you.