Good morning, everybody. Thank you for being here for day three at the Morgan Stanley TMT conference. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. With me, I have the pleasure of having the team from Varonis. We have Brian Vecci, the Field CTO, as well as Tim Perz, the Head of IR. Before I begin, just a brief programming note for important disclosures. Please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. With that, Brian, Tim, thank you so much for being here this morning.
Thank you.
Thanks.
Guy, if you're listening, I hope you feel better. You know, Brian, I think I'll start with you, before we kind of get into the weeds. You know, you hear a lot today from CIOs, CSOs, that cybersecurity is increasingly becoming a data problem.
Mm-hmm.
Especially as you move to the cloud, the infrastructure layer, gets more obfuscated. Talk a little bit about that trend and Varonis' positioning, against that.
Our position from the beginning has always been the point of any security initiative is to secure data. The infrastructure, the endpoints, the applications, they can be rebuilt, reconfigured, no problem. If data is stolen, you can't get that back. That's the business asset. That's always been our position, and it remains so. You made a really good point. With more and more data and applications moving to the cloud and collaborative stores, we're expecting to work from anywhere. All these applications are connected together. The infrastructure becomes more and more obfuscated. There is no more perimeter to protect. What are we doing? We're protecting data, and that's e xactly what Varonis does. We do it in a unique way. I'm sure you're gonna ask about competition at some point and where and how we fit in the landscape.
We're the only ones that look at data in the way that we do. We're the only ones that can automate protection in the way that we do. I think if you ask all of those same CISOs and CIOs, they'd all say, they're stretched thin, I think is maybe the most diplomatic way to s ay it. There's not enough time and people to do everything that you need to do from a security perspective. Automation becomes absolutely critical, especially when it comes to data, because there's so much of it.
Got it. You know, to what extent do you feel like you're still evangelizing the market in many ways? Because this should be a bigger problem, but it seems like a lot of customers are still very much greenfield.
I think we don't necessarily have to evangelize the problem as much anymore.
Mm-hmm.
Everybody knows they've got data. Everybody knows that data is the target of every attack. Everybody knows that data is the target of every insider threat. What we have to evangelize is what we do and how we do it, and the scale of the problems that we're trying to solve. You can't solve data problems at scale, especially in the cloud, with endpoint protection or with bigger fire walls or with SIEM, it just doesn't work. What we're evangelizing is not necessarily the core problem of protecting data. What we're evangelizing is what you need to do in order to effectively fix it, if that makes sense.
Got it. Got it. Tim, feel free to chime in here. From a macro standpoint, the September quarter was considerably weaker than expected for Varonis. Seems like a lot of customers scrutinizing their budgets. EMEA was quite weak and, you know, you would expect to see some spillover in the U.S. I think for the most part you did, other vendors did as well. Just talk to us about, has the demand environment started to stabilize, and how are you thinking about pipeline for the rest of t
he year as you talk to customers?
Yeah. Just a little bit of background. So kind of third quarter is when we saw demand kind of soften in Europe. We kind of saw that spill over to North America in the fourth quarter. That was in line with our expectations with where we guided to. We haven't seen any meaningful changes kind of year to date so far. Structurally, we see data continuing to grow in more places and risk accumulating, which bodes well for us, longer term, even if in the short term we're seeing, the macro environment kind of impact customer budgets.
Got it. Got it. Was Q4 a leg down versus what you saw in Q3?
Yeah, I would say we saw more of a deceleration in 4Q, but that was as expected. Since then we've kind of seen demand stabilize. We haven't seen it being much worse year to date. It's been similar to what we saw in 4Q.
Not much worse. Not any better either, though.
Yeah.
Okay.
Exactly.
Okay. shifting gears towards the SaaS transition. You guys came out with a new SaaS product and you announced that you're really gonna, you know, put the pedal to the metal on gas, SaaS, I guess.
Mm-hmm.
Sorry, long week. Yeah, on SaaS. Talk a little bit about why you decided to do that, why maybe later relative to some of your peers? You know, what was the thought process of announcing it when you did?
Three really good questions there. I'm gonna take them in kind of reverse order. Why did we announce it when we did? 'Cause that's when it was ready. It was two years, $100 million+ of development. The why, you know, it took time to build. There was a lot of lessons that we needed to learn. We wanted to make sure that the market was ready for a SaaS version of Varonis. We started work on it, and we announced it when it was ready. That's kind of that's how we think about the timing of it. The why, I mean, ask any one of our customers now that's using it. It's there's so many benefits for both us and our customers. It's easier to deploy. It's easier to support.
It's there's functionality there that doesn't exist in our on-premises offering, like automation for Microsoft 365. We can offer proactive incident response at no additional cost, which I don't think any other vendor can do. The TCO is lower for our customers since they don't have to worry about database licensing and infrastructure costs. You add all of that together, and it's a better product that delivers more value more quickly, and time to value is everything. It's why we did it, and when we did it is as soon as we could. I'll put it that way.
Got it. Got it. No, I mean, you know, we've been doing a lot of work on this space. You know, cloud data security, or I guess what Gartner calls DSPM or whatever you wanna call it, is definitely a growing priority within security budgets. I think the problem with cloud relative to on-prem, just so most of Varonis' business today is sort of the scale and the dynamism-
Mm-hmm
of cloud data stores. How are you addressing that problem with this new SaaS product that you have? Is it gonna be harder to do? Are there any cost or compute implications with your product that we have to consider?
The answer to the last part of that is no, and it's also important to realize when we announce Varonis as a SaaS, this is support for on-premises data storage and Microsoft 365, which we already supported.
Mm-hmm.
It's just delivering the platform as a SaaS.
Mm-hmm.
For the last few years, we've also supported and helped protect data in other SaaS platforms through what we call DatAdvantage Cloud, which is Salesforce, and Google Drive, and GitHub, and Box, and AWS, and S3, and, you know, S3, and Azure Blob, and Zoom, and Slack. To your question is really speaking about what are the challenges with protecting data in a world where everything is in the cloud, and everything's connected together? DSPM is a good example where it's often very surface level, and it doesn't help you actually take action. Our challenge is helping our customers understand what they need to do from a depth perspective. What's the depth of visibility that they need, and how do you build automation on top of that to actually protect data?
Our SaaS offering doesn't change the outcomes that we're selling. It just makes it easier to get to them, if that makes some sense.
Okay. From a pricing standpoint, is there any difference between SaaS and on-prem product at all?
Yeah. On an apples to apples basis, it's 25%-30% higher, which is justified by kind of all the additional benefits that we expect our customers to see, also the TCO savings that Brian had mentioned. One thing that we're changing with SaaS, we're only selling platform packages. Rather than buying 40 individual licenses, we're making it simpler. We're kind of doubling down on bundles like we did last year, we're really trying to simplify the selling motion further as we move to SaaS.
In terms of pricing, like, what is it gonna be based on? Is it more seat-based? Is it gonna be some consumption elements there as well?
Yeah. It's still seat-based. You shouldn't think of any major changes to that. That's how we've always kind of priced our product. We do have some additional measures kind of built in for customers who might use the product more than we expect, that way we kind of keep our margin structure in place.
Got it. There's gonna be some charges for overages if you're securing more hosts than you expect.
Yeah. I would expect that to be a very small percentage of the customers.
A lot of that is baked in when we do the risk assessment. It's one of the reasons that we do the risk assessment is to get a good sense of sizing and scale so that when we price a product, when we price the platform for a given customer, they're not gonna be surprised by any consumption charges.
Got it. Got it. I mean, Varonis has long been a leader in the data governance space on-prem. As you move to the cloud, you know, there are a new competitive set these days, right? You've got the Wiz of the world that just came out with their DSPM product, and a lot of the cloud workload security CNAPP vendors are coming into the space. Why do you think Varonis' positioning is differentiated relative to those people who are coming at it from the cloud side?
Fifteen years of actually going in and securing large data sets, both on-premises and in 365, it's impossible to overstate the lessons learned from a technology and operationalization perspective. Every customer environment is different. That's a massive differentiator for us. We rebuilt our platform as a SaaS to make it easier to deploy, and easier to deliver features, and easier to add automation, but it's built on the 15 years of experience that we have. We're the only ones that do the depth of visibility to not just classify data and map configurations to build a dashboard, to actually look at where all these configurations and entitlements and permissions and sensitivity combines to put data at risk, and then build automation on top of it.
One of the things a lot of CISOs will tell you these days if you ask them is, any company can give you findings, but what do you do with the findings? It used to be alert fatigue, now it's findings fatigue. Like, what action can I actually take with this DSPM dashboard? We're the only ones that'll actually help you fix the problems that we find, 'cause we're the only ones that really understand where these configurations and these risks combine at the depth of every one of these platforms. The flip side of it is, you know, we're not a SIEM, we're not a CASB, where we can just connect into everything. We need to build support for a platform.
When you think about on-premises data sets, which are in the petabytes now, 365, which is just a massive problem, and then you add in the Salesforce, and the S3, and the Azure Blobs of the world, that's where most of the risk is, and that's where we built our company, and only we can solve these problems in these ways. We are running up against, I would say, other adjacent technologies, but, you know, CASB is just DLP in the cloud. It's a lot of the same stuff with different names on it. While those other vendors that you mentioned do offer some value, they can't solve the same problems that we do, especially when you're in a hybrid environment, which most companies are.
Got it. I mean, do you see any value in partnerships with those types of vendors?
Potentially. We're always looking at those kinds of things. These days, the partnerships that we have, primarily with SIEM vendors and then especially platform vendors like Microsoft, we feel like are kind of where we need to be. If there's an opportunity to partner with another vendor, because we can deliver value together that we couldn't deliver, you know, separately, we're happy to do it.
The other question I get, Brian, is just around, you know, Microsoft-
Mm-hmm
... as a competitor, and I know as a partner as well. They have a data governance, data protection offering, Purview.
Mm-hmm.
To what extent is that driving any changes in sort of competitive or pricing dynamics, or perhaps slowing down the sales cycle even as customers, you know, look to consolidate their security tooling?
I don't think it's slowed down anything, frankly, they don't really compete with us 'cause Purview does a completely different set of things. In fact, we have a lot of customers that have told us flat out, "I couldn't have made Purview work without Varonis." It's because Purview doesn't do anything with the permissions and the access or the monitoring. Doesn't have any kind of automation that we provide. The automation that you can get with Purview Information Protection and the Microsoft tooling depends on files being properly tagged, which we do better than anybody else, and that's where the crux of our partnership with Microsoft is. We make Azure more valuable. We see Microsoft as a partner.
We wanna be a force multiplier for all of the functionality that you get when you're E3 or E5 or G5 or whatever level you are. We make all of that tooling and all of that automation much more effective.
Got it. Shifting gears to maybe some of the financials, you know. I don't want you to give away what you're gonna say at Analyst Day in a couple of weeks, but, you know, I think, you're expecting SaaS to be about 15% of net new ARR in 2023, versus I think 5% for 2022. Why, I guess, such a low percentage of net new ARR when you do have that ASP uplift and, you know, you are making this big push to have more and more net new business go to core towards SaaS product?
Yeah. Let me give you a little background on that. We guided to a 5% mix of basically gross ACV new business and net new upsell ARR for the first half of 2023 originally. We did 10% in the fourth quarter, we guided to 15% for the first quarter and full year 2023. In terms of why such a low number, we're just getting started here. It's early in the year. We wanted to take a prudent approach with our guidance. If you think about our sales cycles as being three to nine months, upwards of 12 months, all of the deals in our pipeline or a majority of our deals in the pipeline have started as on-prem subscription. A lot of those will still close as on-prem subscription.
Obviously, we're going back to a lot of those deals, asking if they wanna do SaaS. If we close a lot of those as on-prem subscription, we wouldn't expect to kinda start to close more SaaS deals as we move throughout the year, and we kind of transition the pipeline over to SaaS. From a transition perspective, we kind of expect, the back half to be cleaner from like a sales cycle perspective.
Got it. Got it. 25% to 30% ASP uplift when you move from the on-prem support base to SaaS. You know, typically we hear uplift as high as 2x- 4 x, why only 25% to 30%?
I mean, we're already a premium product, so we didn't wanna make the product too expensive initially.
Right.
If you think about the pricing uplift versus kind of the maintenance customers, it is like a 2.5x- 3x uplift at list.
If you're looking at just maintenance ARR versus SaaS ARR, it is a two and a half to 3x uplift?
Yes.
So-
For on-prem subscription is the 25%-30% uplift.
Okay. Got it. Got it. Okay. You still have a pretty considerable maintenance ARR base that's still left?
Yeah. We have about $100 million of maintenance ARR.
Okay. Got it. Got it. Got it. In terms of the incremental hosting costs, I'm sure you'll probably give more color at a future date, but can you give us any sense of what the gross margin differential would be for a SaaS product versus the on-prem?
Today we're at about 90% gross margins, best in class. Obviously, those will come down over time. We expect them to be more in line with other SaaS companies, which I think is kind of high 70s, low 80%. I think that's the right way to think about us kind of longer term in terms of gross margins. Obviously, this year with only a 15% SaaS mix, I wouldn't expect there to be much of an impact on gross margins. Thinking about operating margins, we kind of expect to drive leverage within R&D, sales and marketing, and kind of support which kind of offset that gross margin pressure that we expect from SaaS. Net-net, we expect operating margins to kind of be better on SaaS versus what we would have expected for on-prem subscription.
Got it. Got it. Brian, what are some of the things you have to do from a go-to-market support customer success standpoint to make the SaaS transition successful?
I think we've spent the last five years doing all of the right things to make a SaaS transition successful. What you need to do is make sure that your customers get value quickly, period. The way we do that is we have the best support team, and we've had this for years, the best support team in security, as many CISOs will tell you. We have a customer success team. All of our field teams meet with every single one of our customers every single quarter. They do all the initial configuration and deployment work for them.
We have an incident response team that makes sure that the alerts aren't noisy. You're getting a really small number of alerts, 10-15 for every half a billion events or so, that you know how to use them. We've set up automated responses. With SaaS, we can be proactive. The same IR analyst can now support 10 times as many customers. Ask any CISO, "Do you want an extra set of incident response hands that'll reach out to you if we see anything?" Show me somebody that says no to that. We have a classification research team that'll make sure that, you know, when we start looking for sensitive data, that we're not finding any noise. If classification is noisy, it's useless.
In fact, it could be, you know, it could give you negative value 'cause you're spending time chasing ghosts. We will make sure that all of that is accurate and there's no noise. We have an ops team for deployment. We do all of this in service of ensuring that our customers see value immediately and over time, and that they recognize the value that they're getting. That's how you make a SaaS transition successful. We built all of that infrastructure before the transition. That was all in the run-up to launching it. We think we have everything that we need in place right now.
Switching back to some of the financial topics, Tim. I think you've got over three-quarters of your customers now that are adopting four or more products. You know, how much can you really continue to sell into that install base? To what degree are you gonna go back towards sort of bundling, rather than selling these individual licenses as customers really wanna rationalize the number of, you know, tooling that they have?
The average customer has about five or six licenses today under the on-prem subscription licensing model. We think that can go to double digits over time. While we're changing how we package our products in SaaS, we still think there's potential to basically double the value that we have from our existing customer base, just in terms of penetration of our products. If you think of 6 licenses on-prem, typically you'd be protecting an on-prem Windows deployment with all the automation that Brian's talked about, kind of the classification and alerting that we have. Going from 6- 12 would kind of be adding 365 classification, 365, kind of alerting and all those licenses associated with that. That's kind of why we see a pathway to double-digit licenses.
Okay. I'll ask one more question to open up the audience to Q&A. Can you remind us what the net retention rate was for this year? If we think about 2023, to what extent is that gonna be driven by upsell versus new customers?
We reported 115% NRR for last year. That was 117 on constant currency, and that's only on our subscription base of customers. Thinking about 2023, we don't guide to NRR or anything like that. If you think about kind of our guidance of 10%-12%, obviously, we do expect that to come down somewhat just with the tougher macro environment impacting upsell and kind of higher unemployment rates just impacting seat counts. That's all baked into our current assumptions for our 2023 guidance.
Any questions from the audience? Okay. I can ask more. Just on a growth versus profitability standpoint, you know, we've always felt like Varonis with 90% gross margins and a pretty sticky enterprise install base that the margins haven't quite been optimized. Historically, I know you guys have been focused a lot more on growth. You now have the SaaS transition. Can you talk us a little bit about how we should expect operating margins to progress throughout this transition? Are they gonna continue to just remain steady, grow? Yeah.
We've always kind of focused on balancing top line growth, operating margin improvement, and cash flow generation. I don't see any of that changing. What will change during the transition, at least, is the accounting treatment of SaaS versus on-prem subscription, which will obviously cause a headwind to our income statement metrics. That's why we've kind of pointed people towards looking at ARR and free cash flow as the leading indicators of the transition, because neither of those are impacted by the speed of the transition, right? ARR is recorded exactly the same way for an on-prem subscription deal and a SaaS deal. Same with free cash flow. Free cash flow will be billing and collecting annually in advance. There's no headwinds there from a free cash flow basis.
That's why if you wanna look at profitability improvements throughout the transition, I would point you to free cash flow margins. In terms of top line growth, I'd look at our ARR improvement.
In terms of free cash flow margin, I think you're guiding to about 10%, if I'm not mistaken.
It's actually about 4.5%.
4.5. Okay.
Which is about a 400 basis point improvement versus last year. Historically, you've kinda seen us drive about 200-300 basis points of operating margin improvement each year.
Okay. 4.5 % free cash flow margin. Both the term license subscription and the SaaS subscription is annually invoiced. Shouldn't the free cash flow margins be much better than 4.5 %?
Well, they're still showing a 400 basis point improvement versus last year, so you're seeing the leverage kind of being driven on a year-over-year basis. We do expect those to get better over time.
Okay. Okay. Going back to the product. There are a lot of, you know, cloud native data governance players out there. You know, they haven't reached the scale that Varonis has. How do you feel about your positioning relative to those competitors and the penetration rate when it comes to cloud data security within your customer base?
We feel really good about it because none of those players can do what we do, especially when you talk about where, you know, we're still supporting, even with our SaaS offering, protecting on-premises data, which isn't going anywhere, right? None of them can touch the petabytes of file systems that we're looking at. None of them do a really good job at 365 either. They can't offer the same amount of automation and visibility that we do. We are now able to, both with Data Management Cloud and with Varonis as a SaaS, expand into other cloud stores much, much more quickly. When we support a, say, an application or a data store, Salesforce is a good example. There's nobody out there today.
There's no other vendor that can do what we do in Salesforce to find sensitive data in both fields and attachments and figure out the combination of settings and profiles and objects and rules that grant different people access to different sets of data and then fix all of those problems. Nobody else can do that. We feel really strong about our position as a data security player and the only ones that can really protect this kind of data at scale.
From a partnership perspective, can you remind us how much of the sales today are coming direct versus channel? As you move to SaaS, are you exploring other partnership opportunities, whether it be like cloud marketplaces or otherwise?
We have 100% of our sales kind of coming through the channel. Channel's important for kind of the introductions and helping us close the deals, finding out who procures like the software at customers. Our sales force is really running the risk assessment process. We don't really see that changing at all in SaaS. We are able to sell our products on the Azure and AWS marketplaces though with SaaS, that could be a potential avenue of growth going forward.
Got it. Can you remind us, what are the sales cycles today? Then to the extent that you have data, are they different at all for the SaaS product?
Our typical sales cycle today is 3-9 months, upwards of 12 months for the larger deals. Obviously we've only introduced the SaaS product since October, on average, any SaaS deal that's closed so far has to be shorter than the average 3-9 month sales cycle that we've seen. I'd say it's too early to really comment on what we're seeing from a sales cycle perspective. We do expect those to come down over time because of a lot of the reasons that Brian talked about lower infrastructure requirements, easier deployment, and our updated product packaging as well.
Got it. Oh, sorry, we got one here. All right.
Question.
Do you wanna wait for the mic or, I guess, just so the people on the webcast can hear you?
Two questions. One, how much is the SaaS is giving you net new customers? How much of it is just converting old customers? Just, I don't know if there's a sense on that.
Yeah. Right now it's all net new or mostly. We haven't started converting existing customers except on a case-by-case basis when they've come to us and said, "I really need this," like, "We wanna move to SaaS ASAP," and we'll work with them to do that. We're taking a phased approach. It's all new customers for the most part right now. We started with smaller customers, SMBs, and then very quickly built to enterprises. We're not yet at the point where any new prospective customer should be in SaaS. We're very quickly getting there.
Got it. The second question, you said something about You need to integrate back into the apps more with you than standard DLP type solution. Can you just sort of double-click on what that means?
Yeah
... and both what the value add is, but also what's the incremental labor or effort required to do that?
Yeah. Maybe I misspoke. We, we give a depth of visibility that none of those other tools do, but it doesn't require engineering or configuration work. One of the advantages that we have, and this is core to what Varonis does, is, you know, when we look at a data store like a file system or 365, we have solved all the technical problems to gather all of the information we need at all levels of the tree and the different kinds of metadata like classification and behavior and identities and entitlements. Like, to gather all of that for a Windows file server or a NetApp or a Isilon is a different challenge than to do it in 365, is a different challenge to do it in Salesforce, is a different challenge to do it in S3.
We've solved all of those problems, so it doesn't require any engineering or configuration or operational work for our customers to do it. It's click a box, connect it, and we've already done all the automation to gather it all. That's one of the massive advantages that we have.
I guess we'll end on that note. Brian, Tim, thank you so much for joining us.
Thank you.
We look forward to Analyst Day next week.
Yep.
All right.
Thank you.
Thank you.