All right. Welcome, everybody. While we get situated, I'll read the disclosures real quick. For important disclosures, please see the Morgan Stanley Research Disclosure website at morganstanley.com/researchdisclosures. If you have any questions, please reach out to your Morgan Stanley sales representative. I'm Meta Marshall . I cover cybersecurity here at Morgan Stanley. We're delighted to have Varonis, Guy Melamed, CFO, Brian Vecci, CTO.
All right, perfect. Maybe just to kind of start with, in terms of, you know, just those who are kind of less familiar with Varonis or kind of data security in general, just kind of giving an overview of the company.
Where I'd start is almost all aspects of cybersecurity touches on data, right? Nobody breaks into a bank to steal the pens. They're after money. Nobody gets access to an account, an identity, an API these days, an agent, your infrastructure, unless they're really after data.
Companies face when it comes to data because they have so much, not just in data centers these days, but in various cloud platforms, all of the hyperscalers, the applications, all of the AI workloads that they're building. They face a lot of regulatory risk. What do I have? Where is it? Are all the right controls in place? A lot of reputational risk. They don't wanna be on the front page of the Wall Street Journal because they got breached. They need to do more with less. They need to be able to automate fixing all these problems.
That means they face a lot of operational risk. Not just in protecting data, but in making sure that they can do all this effectively. We have an automatic security platform that answers all those questions, helps them implement controls safely, quickly, automatically. If you're a CISO, what that means is if you're a Varonis customer.
We stop breaches, we stop you from getting fined. We make it really easy to automate all of the workloads that you need to automate from a security perspective. We minimize how long it takes to detect and respond to threats. If you do all that really well as a CISO, you're doing a very, very good job, and you can deploy AI safely and quickly, which is at or near the top of everybody else's, you know, priority list.
Got it.
I can always give the non-technical answer. Sometimes it's easier to think of us. We're trying to do to cybersecurity what the credit card companies were trying to do to fraud detection. When you think about credit card fraud, all of us when we travel, we get this text message. "Is this you? Yes. No." The credit card companies have become really good at identifying what is abnormal.
Yeah.
The reason they have become so good in detecting what is outside of the spectrum is because they know everything about us. They know what we buy, where we travel, who we're eating with. By having that full set of, information, they can identify if there is behavior that is out of the norm.
Got it.
We do the exact same thing with data because we see who opens files, who moves files, who deletes files. By having that full visibility, we can identify if someone's opening way more files than they usually open or if they're deleting files that they shouldn't even have access to. Whether it's someone from the outside that's taking over their credentials in order to get access to data or that employee's about to leave and now they're kind of getting ready for that next job, and they wanna take some of that sensitive information. It doesn't really matter what the reason is.
Yeah.
We can help those customers be protected. As Brian mentioned, there are really three things that we try to do. One is ensure that you don't have a cyber attack and you can be protected. Second thing is that you won't have any fines that are related to sensitive information that you're not guarding the right way. The third thing is just the implementation of AI. We can help the organization be better protected towards that implementation because it's becoming really scary with the, data that's going out there.
Got it. I mean, I wanted to kinda jump to that next. You know, we've highlighted before that data security becomes increasingly important with AI. You're having an expanse of the attack surface, different types of data that you didn't even think were, you know, critical before or aren't critical before. You know, in the past, you've talked about AI being a net positive for you 'cause it's just easier than ever for bad actors to use AI to create attacks. Just what are you kind of seeing in terms of the marketplace, in terms of, either attack velocity or customers being concerned about kind of AI security?
When you ask a customer about not just AI security, but AI in general. If the word data isn't in the first 15 words of their answer, they're probably just making it up, and they don't know what they're talking about. AI security and data security are incredibly tightly related. It's not just because it makes the job of the attacker easier. It makes the job of the defender even more complicated than it's ever been.
Okay.
Guy was giving you an example of, you know, somebody using your credit card, and a credit card company detecting fraud. Well, with data security, we need to make sure that not only is the data monitored, but the attack surface is much bigger because. It's not just one user. It could be one user that's interacting with 1,000 agents.
What are those agents actually doing? What infrastructure's out there? For AI security, which is really what you asked about, companies generally wanna do a few things. They wanna inventory what AI workloads are out there. What models are they using, whether they're foundation or fine-tuned? What agents are out there? How are models and agents, end users and applications and data stores and code libraries all interacting with each other?
That's what happens in an AI world. I prompt one tool or one application or one agent, and now it's talking to an MCP service. It's talking to large language models. It's talking to other agents. It's talking to my code libraries. It's talking to my data stores and other applications. Usually some combination of all of the above. An inventory managing the security posture. Are all of the pathways, the configurations, all of the things that a smart person is going to take advantage of, is everything set properly?
Are all the access controls set properly? Are you watching how things are using? Do you have the right guardrails in place. So that people don't put sensitive information into prompts or that models don't return sensitive information? Can you prove that you're compliant? You know, we're talking about security. Security and compliance are very tightly related. There's the EU AI Act, there's the NIST RMF framework for AI. There's all these controls that companies now want to put in place so that they can safely deploy it.
Yeah.
This is what Varonis does.
Right.
Especially with the recent acquisition of AllTrue, we can now offer those capabilities at a depth and a breadth that nobody else can. Means if you're concerned about AI and you're not talking to us, you're missing a trick.
Yeah. I mean, maybe what you described is like, this is already what Varonis does, and so, do you know. Investors are always kind of obsessed with what is the AI security versus kind of what are the other pieces. Is it, you know, is it just, it should be a tailwind for the entire business? Are there kind of areas where we should see, or product sets where we should see kind of more attention be paced to with AI?
I'll give a qualitative answer. I'll let Guy talk about anything quantitative. We just announced the acquisition of a company called AllTrue that does AI inventory, AI posture management, AI red teaming, AI compliance, monitoring, and LLM gateway and guardrails, that is additive to the capabilities that we had for securing underlying data stores and infrastructure and monitoring and securing AI tools like ChatGPT and Microsoft Copilot.
We now have the ability to do inventories in new places, to scan and secure models, to scan and secure code libraries, to scan and secure and monitor agent usage and the interactions between them. Those capabilities really matter, and that is-- We announced the acquisition a few weeks ago, and customer response, this is-- I think someone from AllTrue said that we've done more demos in two weeks than they did in the history of the company before that.
Okay.
The demand is off the charts.
Okay. Got it. You know, data security is also just an area where we've seen a lot of startups, you know, particularly kind of labeled as DSPM. How do the increasing number of competitors influence either just customer sales cycles or the journey of customers finding their way to Varonis?
It's nice that there's lots of other, there's lots more investment money out there doing marketing for the problems that we solve. Which wasn't always the case. It's kind of like we were screaming into the void for a lot of years. Now everybody has finally caught up that data security is a really big issue. It's been-- I don't know. It's really helped us get into a lot more conversations. That said, it means that we're in a lot more fights.
Yeah.
The DSPM market has been. I would argue that we created it 20 years ago, and it didn't exist, and we were the only ones in the space for a long time. Even now, the players that are out there are only doing pieces of what we do. If you're a startup, you're really only gonna do this in the cloud, and you're really only gonna do this, by this, I mean the visibility that they offer, in cloud stores that are relatively easy to connect to.
We go into deep water. We don't just do this in the cloud. We do this on-prem. We do this not just in databases. We do this in files. We offer far more mature capabilities, and by that, I mean, we automate things that the other DSPM tools can't. We detect things that the other DSPM tools can't. To answer your question, we are now in many more fights because there's nobody that touches us in coverage anymore.
Varonis for files? Sure. Varonis for databases? Sure. Varonis for the hyperscalers? Sure. Varonis for SaaS applications? Yes. Varonis for AI. There is nobody that's gonna do anything related to data security or privacy where they offer out an RFI or an RFP. We're gonna be part of all of those conversations now.
Yeah.
We're in a lot more fights 'cause there's a lot more players in the space. When we execute our sales process properly, our capabilities, and the maturity of our platform means that our win rates have remained really high.
Okay.
Just to add to that, the vision for Varonis for many, many years has been to provide the customers one pane of glass, one dashboard that can allow them to be better protected on whatever platform they're using. When you think about, and we get this asked a lot about kind of supply consolidation and where's the space going? When you look at kind of some of the acquisitions that we have made, all of them are targeted to provide way more visibility on way more platforms.
Yeah.
The email security, we got a lot of questions about that. Are you going into that space? It's part of the MDDR offering. This is not a standalone offering. Now we're just focusing on email security. That's not the intention. That's not the case. When you think of email together with the MDDR offering, when you think about the AllTrue acquisition with the platform that we have to offer, it makes it way more interesting. One plus one does not equal two. That's been the premise of how we thought about kind of the roadmap. I think we're kinda moving in that direction.
Got it. I'll circle back to some of the kind of platform building through the acquisitions that you guys have done in a little bit. Guy, maybe, you know, just recapping Q4 earnings, just in terms of, you know, you had some higher conversions than you were expecting. Just kind of level setting where, you know, you were encouraged, kind of coming out of Q3-- Q4.
It's a very good question. Going into Q4. When we announced the end of life, we had about $180 million of non-SaaS ARR that we wanted to convert. I know the number one question we got throughout the quarter was how much of that number will be converted?
We were able to convert approximately $65 million of non-SaaS ARR in Q4. I think part of the reason that number was so high was because of the end of life announcement. It generated urgency within our customers, and it allowed us to have that type of conversation of be moving, and what's the path to move to SaaS. Now we are able to give kind of a range for 2026 on what we expect will be converted, and we put a bear case scenario and a bull case scenario, and I think we fall somewhere in between. In a very, very high level, that $180 million going into Q4, a third already converted.
Yeah.
A third is expected to convert. Another third is going to churn. That third is mostly focused on kind of the federal and state type customers. That vertical and those type of customers are the ones that are probably gonna be impacted the most. That would have happened no matter what. If we would have dragged this transition over several years, those customers eventually would have kind of churned. We're just kind of speeding things up because I think when you think about the risk to the organization and the fact that the difference between the on-prem subscription value proposition and the SaaS value proposition is night and day.
Some of the other companies that have kinda stuck with the transition for many years and weren't rushing to get customers over didn't have that big of a difference between what they were offering on the on-prem and the SaaS side. For us, there's been a leap in terms of the functionality in SaaS and in orders of magnitude, it's a better product than the on-prem subscription. Kinda dragging it doesn't help the customers, and it doesn't help us, and it doesn't help the financial kinda structure and model from a leverage perspective.
When we look at where we are going into 2026 compared to where we were when we announced the end of life, we now have guardrails of what we expect to see on the conversion side, and I think they are much better than what they were when we announced the end of life in Q3. I think part of it definitely has to do with the announcement of the end of life and the urgency it generated for our customers.
Got it. you know, there's a lot of additional disclosures you gave around your business in Q4. Just where do you think investors should be focused on from a metric standpoint as we head into this calendar year?
Everything and anything we got asked. No, no. In 2025 was how would the business grow post-transition? Are you only growing because of the conversion? Can you give us metrics, about SaaS growth excluding conversions? We opened the kimono and gave everything in Q4, then the first couple of questions we get is, "Why is total ARR X% growth?" Which is counter to everything we were asked about. I think that the focus is exactly where investors wanted it to be.
We're giving the numbers, we're giving the conversion number on a quarterly basis. We're showing what is the growth ex conversions. I think that looking at a business or a part of the business that will be zero at the end of this year. The non-SaaS ARR is not the focus.
Honestly, like, the bull case and the bear case. Getting another $5 million of conversions will have an impact. But they're not as significant as how the business is growing on the SaaS side. That should be the focus. That should be where investors that have asked us all year long for that type of information, and now we've provided it, that's where the focus should be.
You should always know, investors will always want something slightly different than what you.
No, no. We gave everything we were asked for and more, I think we were trying to be as transparent as could be on this side.
Yeah. Maybe I wanna take it back to, you know, just discussions that have happened over the past couple of weeks around AI and security and just this idea that, you know, cyber can be vibe coded. You know, which I think generally misses kind of the competitive moats that you guys have. Just how-- You know, I can give my own response, but you can give a much more intellectual response.
I think you summarized it very well. The technical moats that we have. And they are many and growing. Means that there's-- Listen, I spend my time in front of customers. I don't know anybody that's thinking about vibe coding security, period.
Yeah.
I don't think anybody that thinks that's a serious. There are tools. There are certainly software. There are some types of software that are going to be that are under a threat. The ones that are unique platforms in the ways that Varonis. There's nothing that does everything that we do in the ways that we do it.
All of the places, like the depth and breadth of not just the coverage and the automation, and we are using modern tools to help build our technology even faster. That's not to say that. I think you summarized it well. I'm gonna leave it at that.
Okay.
Yeah. We don't see it as a threat to our business. We see that there are AI tools that are gonna help us innovate even more quickly. Varonis, and data security as a whole, I don't think is under attack.
Okay. Got it. I wanna dive a little bit more into AllTrue, which you just kind of mentioned. Just how does this fit into the strategy and, you know, particularly given, you know, you've done kind of a number of these, like, smaller acquisitions over the last couple of years?
I think AllTrue, which is now Varonis AI Atlas extends our visibility into places, and I'm restating some of the things I said before, but it's really important. The AI inventory now, where it's not just the data stores and the supporting infrastructure, it's also the models and the code libraries and the agents themselves, including their interactions and behavior, along with the automation to fix those problems, 'cause that's key to what we do, as well as the behavior analytics, connecting that into what we do from a threat detection standpoint and the best-of-breed data classification. And posture management that we do already.
It's a bit of a game changer, because if you're any kind of organization that is either building, thinking about building, or has built, any AI workloads, and at this point, everybody is in that boat. You need this level of visibility. If you had asked me that question a month ago, that would have been my answer.
Because we have a month of runway of putting this in front of customers. I've been able to see the reaction from CISOs who have said, "Not only do I need this, I need this yesterday. What you just showed me is light years in front of what anybody else can do." Our roadmap includes connecting it into the Varonis data classification and behavior analytics which lets us not just secure AI, but secure and monitor AI with the context for intent.
Meaning, we know exactly what data and why it's important and how the data is flowing and, we understand behavior in a way that's unique. The breadth of visibility that AllTrue adds for us, the ability to do things like AI red teaming. I can throw the Varonis AI at your model now, and it'll test for things like jailbreaking and bias and prompt injection. The ability to do so much more by just with less people, with fewer man-hours, but just by extending the Varonis platform, it's a real game changer for us.
I mean, I guess, you know, Guy, part of the decision to end of life was almost to just kind of focus salespeople around, you know, selling the broader platform. You know, you have multiple other categories that you've talked about expanding into as you've done kind of some of these smaller acquisitions, AllTrue kind of being the latest one of these. Just how are you seeing kind of that process of getting salespeople to kind of focus on selling the broader platform now that they're kind of done with the conversions piece?
In 2025, our commission plan was focused on obviously selling to new customers, existing customers, but also getting through a large part in dollar terms of the conversion, and we were compensating reps on the conversion side.
We talked a lot about the fact that the conversions were actually cannibalizing the time of the reps because they had to deal with a lot of the paperwork and the bureaucratic checklists related to moving customers from on-prem to SaaS. In 2026, back to basics. Reps will not be making money on the conversions. They will be making money on selling to new customers and selling to existing SaaS customers. I think that's an important component that generates the focus where it should be. That's part of the reason that we just wanna be done with that process, being 100% of SaaS out of ARR by the end of this year, but having throughout this year the focus on kind of the right elements.
Got it. I mean, from a, just from a technical standpoint, you know, you're obviously talking about customers want all of these different areas that you guys have extended the platform into. Just, you know, is there early evidence of really being effective at selling kind of, the greater breadth of products?
Keep in mind, the Interceptor, SlashNext acquisition was closed in September. AllTrue was closed a couple of weeks ago, so it's still early stages. From all the conversations that we're having with customers, we feel very good with those acquisitions and where they can take us in the years ahead.
What I'll also say is it's very easy for the sales force to sell. The story is doesn't change. Varonis will find, we'll tell you what data is out there and what's important with all the context. We'll fix, we'll do that automatically. We'll alert when something goes wrong.
Yeah.
Now we do that for your email in ways that you couldn't before. Now we do that for AI in ways that you couldn't before. Now we do that for databases in ways that you couldn't before. For our sales force, it's not like they're changing their motion, it's just where else can we do those three things for you.
Got it. Just in terms of kind of this data-driven moat that you guys have, you know, can you just talk about how the, you know, increasing amount of data that you guys are gonna see, and particularly as, you know, we start to do AI, how that moat kind of grows, versus kind of the competitors in the space?
Yeah. A big part of the technical moat we have is that philosophically, we are going into the deepest water, the biggest data stores. It's not just the amount of data, it's the complexity of data. In a place like Microsoft 365, in order to really understand all of the context of the data that's there, you're not just scanning for what's sensitive. You're also looking at where that data is living, everybody's OneDrive shares and SharePoint sites and Team sites, and you're looking at all of the shared links and the relationships between the identities and the directories and the data and the classification and the-- That's what we mean by deep water.
Yeah.
We have done that everywhere, and we don't use shortcuts, where the startups and the other DSPM tools, they kind of have to. Because they were never built to scale in that way, which means they're really only giving you basic visibility. They're only doing it in places where they can take shortcuts. Philosophically, for us, we scan everything completely, and we go into deep water everywhere, wherever you have data. That technical moat is key in a world where the amount of data isn't just growing, but the complexity. We talk about it's not one user, it's one user + 1,000 agents. It's not one data store, it's a galaxy of cloud data stores all connected together. It's not just one model, it's the 1.5 million models that somebody has access to on Hugging Face.
There is the complexity is much higher and i t is growing. Our technical moat that is built at a core of unraveling all of that complexity without taking shortcuts is going to serve us exceptionally well in a world where the amount of complexity related to the data is growing faster than it even was before.
Got it. Guy, you mentioned kind of changes to the compensation structure around kind of changing what you're incentivizing. Are there other ways in either, you know, through partnerships that should expand or other kind of channel expansion that can kind of help amplify the reach that Varonis has?
Yeah. Absolutely. I think that partners are very much interested in what we have to offer because of the value that we can provide customers. We're trying to focus on the right partnerships, not necessarily the number. It's not the quantity. It's the quality. We're definitely putting a lot of emphasis there. I think the marketplace, both Microsoft and AWS are good partners to ensure, and they are interested obviously with kind of the consumption part of our selling. We're definitely focused on that. I will say, though, that we always wanna make sure that we take our destiny in our own hands. It's not like you outsource it and sit.
And not do much. We're definitely focused on the outside sales team and the marketing campaigns that we're running together with the focus on, reaching out with some of the channel partners.
Okay. We've spent a lot of time talking about kind of top-line drivers as you do at these conferences, but just how does that, kind of trickle down to the bottom line? Just how do you see the margin trajectory of the business over the next couple of years?
The conversation about margin, I think let's start from 2023. When we announced the move to SaaS, we laid out a five-year plan. We put, kind of, expectations from an operating margin, ARR contribution margin perspective and free cash flow perspective. People were somewhat skeptical in our ability to generate cash throughout the transition. Especially in the early years. We have done a great job of improving our, not only the margins but also the free cash flow and generating some significant cash, in the early years where you have the most investment, that relates to the transition.
We were, I'd say, probably two years ahead of plan in getting to the numbers that we have in the model from a bottom-line perspective and getting close from a free cash flow perspective. The only impact that we have on free cash flow in 2026 is that component of customers that aren't converting, mostly that state and government that, as I mentioned before, and that's roughly in that $30 million-$50 million bucket, that instead of dragging that over multiple years, is happening in one year of churn, and you don't wanna kind of eliminate all your investments because of that one isolated event.
In 2026, there is somewhat of a headwind related to that element only as you continue to invest. There's no change in the philosophy and I think we've actually been one of those companies that have always been focused on top line and bottom line and free cash flow generation, and we always believe in making investments that make sense from an ROI perspective. That philosophy hasn't changed.
Yeah.
We've been very focused in kinda getting to that model, and I think that the path for that model, the 2027 numbers is still there. We see how we can get there. We feel very good with the cost structure, and there's also some benefits to the bottom line that can happen post-transition. Post that 100% SaaS of ARR at the end of this year that we will benefit from in 2027. Ripping off the Band-Aid has an isolated impact on the free cash flow. I wanna remind everyone that our guidance philosophy hasn't changed either.
We have guided for top line, bottom line, and free cash flow in the same way that we have guided in the past, which means that that's the starting point. We hope we can do better than that. I would say the only KPI and the only metric that we have guided in a different philosophy is the conversion number, with a bull case and a bear case. The expectation is that we will be somewhere in between.
All the rest of our guidance, including the free cash flow, is the starting point for the year w ith a hope and desire that we can do better than that, and progress throughout the year with better numbers.
Got it. you know, just the last question, obviously, it's become a more of a discussion point of late around stock-based compensation. Just how are you guys thinking about stock-based compensation? Is there a need to kind of rebalance stock-based compensation, cash compensation? Just what are those discussions you're having?
If you go back several years and analyze stock-based compensation, there are really three metrics that we look at. One is obviously the dilution side, the other one is stock-based compensation out of total ARR. If you look back, that percentage has actually come down dramatically over the last couple of years, and we've made a conscious effort to ensure that, we're kind of thinking of it holistically. The third component is the stock-based compensation in dollar terms.
I think if you look at kind of the elements that we have focused on, we have done a good job. We obviously put a buyback in place of $150 million, and that also offsets some of the dilution. I think for obvious reason, I think we put that plan in place because we believe that it's the right time to do that. That will offset some of the dilution. If you look at some of the metrics on stock-based compensation out of total ARR, we have reduced that percentage significantly over the last couple of years.
Got it. All right. Well, Guy and Brian, thanks so much for spending some time with us telling us about Varonis.
Thanks very much.
Thank you very much.