Great. Good afternoon, everyone. My name is Brian Essex. I'm JP Morgan's cybersecurity analyst, and so thank you for joining us. With me today, I have Guy Melamed, the CFO of Varonis, and Brian Vecci, the Field CTO. Thank you both for joining me as well.
Thank you.
Thank you for having us.
Maybe a great place to start, Guy, if you wouldn't mind just, maybe an overview of the company, what you guys do, for those that might not be familiar with it, and, yeah, I mean, where exactly you participate in the security landscape.
We protect data, and at the end of the day, there are a lot of companies out there that protect the perimeter. We're under the assumption that someday, somehow, someone will get in. What you're supposed to protect is the, I'd say, the second most valuable asset that every organization has, which is data, first being their employees.
Not only do we wanna protect against people coming from the outside trying to take that sensitive information, we are also protecting against people from the inside that are trying to take either PII, patents, employment information and give it to competitors. That's how we think about cybersecurity.
Mm-hmm.
It's a very interesting place to be in.
Got it. Then from a competitive standpoint, you know, how fragmented is the market, and who do you typically see when you're, you know, out competing in the marketplace?
Yeah. We don't typically see... or we don't see any direct competition, right? There's no other company that does what we do in all the places that we do it. Identify data, make sure that it's properly protected, monitor it so that you can reduce the time it takes to detect and respond to a threat. That said, these are really big problems.
This is a big business problem. When we do see competition, and it's still relatively rarely, but when we do, it's typically point tools or adjacent product categories like DLP or posture management or configuration management tools, which really focus, to Guy's point, on the perimeters. There's nothing that protects data in the way that we do.
There's certainly point tools that organizations use to try, which is why we do our risk assessments to show them that they're almost certainly failing.
Yeah. Maybe that's a great segue, too, to like, you know, how you actually go to market-
Mm-hmm.
with risk assessments. I mean, how do, how do companies think about solving for the problem of data at risk? I mean, is it something that, you know, a CTO is gonna have a Magic Quadrant, and they go to the, you know, see which vendors they need? Or is this something where, you know, maybe their eyes need to be opened a little bit and they need to be educated around, you know, what kind of data landscape they have at risk?
They almost certainly do. You asked like three questions in there.
I know.
I'm gonna take one at a time. The way we go to market is that we do what we call data risk assessments, which you might think of it as an evaluation or a proof of value, but what we're really doing is we're taking our platform and looking at some or all of an organization's data and showing them what they have and where it is and how and where it's exposed and how it's being used.
To your question about how is, let's say, a CISO thinking about this typically, is that they're looking at technologies where they know they need to look. They're looking at the perimeters. They're looking at endpoints. They're looking at gateways. They're looking at configurations in the cloud. They probably have a SIEM to aggregate logs.
The reason we do the risk assessment is that we show them that while those technologies are certainly useful, I would never tell a CISO, "Oh, you don't need endpoint protection." It'd be like saying you don't need antivirus. That would be crazy. The risk assessment shows them that while they have all of these other technologies at the perimeter, the data itself is not properly protected, which is why we do them.
Mm-hmm. In how do you I'm sorry. Go ahead.
I just wanna emphasize one thing about how the risk assessment helps us in the whole selling motion. You know, if you look at the room here, I told each and every one of you that you have 10 million files open to everyone in the company, you'd shake your head, you go get coffee because what else can you do? If I actually showed each and every one of you how the list of best stocks for 2023, long and short, is open to everyone in your organization, that's when you take notice.
Mm-hmm.
The whole visualization of the risk is what is the jaw-dropping moment and what's worked very well for us.
How do you get an audience with your customers and, you know, get to that assessment process? Is this, you know, you cold call a list of customers, or you have customers that have certain attributes, and you know that those are target rich, or you have, you know, partners that are already involved with your customers, and they bring you and say, "Hey, you know, there's this customer that has these attributes. We should bring you in here." Like, how do we think about the way that you penetrate your markets?
It's kind of all of the above. There's lots of different reasons that we would engage with a customer. We're obviously aggressively reaching out to anybody that'll take a phone call or read a website or a blog. Our partners will help us with introductions.
Mm-hmm.
You know, one of the advantages that we have is that every single enterprise has these problems. Nobody. There's no vertical or even organizational size that has solved for this. Really all we need is the introduction and all of the reasons, all of the above are reasons that we might get introduced. Maybe they had an incident, security breach, and yeah.
Yeah. We've definitely seen more and more the market coming to us. There's, you know, we're at a mass of, you know, just shy of half a billion dollars of ARR. We have the name in the market, and there are many incidents where we get a phone call where something happened, or they're afraid that something will happen, and they reach out to us.
Mm-hmm.
In a desire to see how vulnerable they are, and that's when we go through the risk assessment process.
Got it. Maybe as we think about the shifting landscape of compute, more stuff moving to the cloud, including data, how does that affect the competitive landscape that you see in your markets?
A couple of things to think about is once you start moving more data and more workloads into the cloud, which is happening everywhere, the risks associated with that data become much higher because it is so much easier for not just an outside attacker to get a hold of it, but for an insider as well. I can just go to OneDrive and right-click and create a link.
Mm-hmm.
I can exfiltrate data without needing access to anything. The security and data protection issues become much more complicated. From a competitive standpoint, you know, I mentioned that we're most... When we do compete in about 5% of our deals, it's often against an adjacent product category like SIEM or identity or DLP-
Right
That doesn't solve the problem. In the cloud, the categories are a little bit different. You're talking about posture management or configuration management, CSPM, DSPM. You might be looking at something like CASB, which is really just DLP for the cloud. All of those are adjacent categories with lots and lots of point vendors, none of which solve the same problems.
Mm-hmm.
We can do a risk assessment on your data on premises. We can do a risk assessment on your data in the cloud. Often these days, we're doing all of the above because as a CISO, I can show you a list of logos, and I'm using Microsoft 365, and we still have a NetApp on premises. Yeah, we use Salesforce, and we've got Amazon S3 as well. It's easy for us to do a risk assessment on all of that data very quickly.
Mm-hmm
Show you that an adjacent category, a configuration management tool, or CASB isn't solving the problem and can't.
Got it. Next one I want to hit on is, you know, structured versus unstructured data.
Mm-hmm.
You know, how do we think about the potential to, like, go deeper into structured data?
Mm-hmm.
As you know, maybe, you know, clarify how you focus on unstructured.
This helps with understanding the history of Varonis. We were founded because the problems that we're talking about were so much more complicated and harder to solve on unstructured file systems.
Mm-hmm
They were basically chaos and growing much faster than anywhere else. That said, there's important data in lots of places. Unstructured systems on-premises in the cloud, which we fully support. Object storage, which has lots of structure to it, like Amazon S3 and Azure Blob.
Mm-hmm
We support that. We also now support structured databases through Amazon RDS. Our goal is to follow the data to give our customers visibility and automation to properly protect that data and detect threats wherever it might be. We started unstructured, and now there's a variety of places, both structured and unstructured, that we can support.
Got it. How do I think about the platform? I think there are vendors out there that do, you know, kind of data discovery, data mapping.
Mm-hmm
you have a much deeper platform.
Yeah
In terms of remediation, actual protection of the data.
Mm-hmm.
Maybe help me understand what that platform looks like and how that might be differentiated from others that kind of are just kind of maybe to describe it like at the surface.
checking... You're making a motion like checking a box.
We're checking a box.
A classification or discovery tool is a good way to think about why we don't have any direct competition. If I'm a CISO or a privacy officer or a data management officer or something like that, I might think that my biggest problem from a security perspective is that I don't know where all of my important data is. I might look at classification vendors, of which that's a piece of what we do. It's a big part of what we do.
Mm-hmm.
Let's say I find, this vendor finds all of my sensitive data. You haven't actually solved one problem. You've created hundreds of thousands or millions of new problems.
Mm-hmm.
We have hospitals, for instance, that'll tell us, "We don't have any patient information on our file systems. It's all in our medical record systems." We'll say, "Are you sure?" Then we'll find it everywhere. "We don't have mortgage applications as a real estate company in Google Drive." "Are you sure?" We find it everywhere. To your question, what When Varonis can provide a deeper level of protection, what we do is once we found it, that the fact that we know that something is sensitive is context.
We can identify the exposure because we map all of the ways that somebody or something could get access to it. We monitor it, and we tell you when somebody, like an insider or an outside attacker, starts accessing that data strangely. We can implement stricter controls safely because we know how the data is being used.
When you think about what data protection really means, just finding and discovering data doesn't protect it. It in fact probably shows you where you have gaps, which is one reason that our risk assessments are so valuable.
Mm-hmm.
When we support a platform, for us to say we support this kind of data, it means that we're applying that level of automation to protect it, to monitor it, to detect threats to it, which at the end of the day, keeps it private and makes it easy to be compliant.
Got it. Super helpful. I wanted to maybe shift gears a little bit and, you know, talk about the macro. I think every vendor that we cover is talking about the macro in one way, shape, or form. You guys certainly talk about it on your earnings call. Maybe just an update in terms of what you're seeing. Are things the same as, you know, maybe that you relayed on the call? Where are you seeing any macro issues? How might you be addressing those?
I'll start with the end. In Q1, we saw the macro be very similar, in terms of challenges to Q4. It wasn't any worse, it definitely wasn't any better.
Mm-hmm.
and if I go back, we were kind of one of the earlier companies that called out some of the macro challenges in our Q3 earnings call. The macro that we see is longer sales cycles, more deal scrutiny. I think the problem of protecting your data is there. When you think about the transition to SaaS, and we can talk more about that.
Mm-hmm.
The transition to SaaS is definitely at a good point because it provides. It's a better product. It provides more value to customers. It eliminates two of the biggest friction points that we got from customers, which is, one, we don't have hardware or we don't wanna buy hardware.
Right.
Two is we don't have enough people to manage, this problem, and SaaS eliminates that. In this environment, we're very happy that we came out with the SaaS product, and I think we're very well positioned to weather the storm and be stronger on the other side.
In specifically with where the pressure that you're seeing, like from a geographic perspective, I think you called out Europe, as being a little bit more pressured than U.S., for example. What is it about the European market that is providing a little bit more macro pressure?
I don't think that there's anything in the European customer that is any different than North America. I think that what we're seeing is slightly more deal scrutiny, in terms of looking at every single expense.
Mm-hmm.
The problem is the same, and our way to solve that problem is the same. We did call it out in Q2 as longer sales cycles and gave more color on that in Q3, but we also called out kind of some of the spillover into North America, which actually happened in Q4 of last year. In our guidance for 2023, we actually baked in deterioration in the macro environment.
Mm-hmm.
An expectation that it would get worse before it gets better. Hopefully, it doesn't happen.
Right.
that was part of our, numbers that were put out for 2023.
Okay, great. You, you mentioned the transition, so maybe we'll dig into that. Maybe just walk us through the evolution of the transition that you're currently in progress with. You, you went through a transition a few years ago, which was extremely successful. Now you're going through a transition this time, you know, to a SaaS platform.
Mm-hmm.
How did that evolve? You know, in terms of the timing, why now?
In 2019, as you mentioned, we announced our transition from perpetual to on-prem subscription. When we did that transition, we knew that there was another one in the cards.
Mm-hmm.
Move from on-prem to SaaS. Over the last couple of years, our R&D has worked very hard in order to come out with a product that is stable and has, in a very simplistic way, is a much better product than the on-prem subscription. We talked about investing more than $100 million in R&D over the last two years in order to come out with the SaaS offering.
Our first transition, as you mentioned, was very successful. It took us about 5Qs to move from literally no on-prem subscription sales to 99% of our licensed sales to be on-prem. This transition is slightly different.
Mm-hmm.
It's not a financial engineering exercise, that's why we talked about the fact that we expect it to take longer. The value that we provide the customers through the SaaS offering is significant. The leverage that we can get on the sales and marketing department is significant. We expect shorter sales cycles.
The risk assessments are easier to run. The demands from your customer are lower, so you don't need them to set up the way they did on the on-prem subscription side, and we're kind of managing the whole process. So that's eliminated a lot of the heavy lifting for customers. The leverage that we expect to see on some of the other departments is significant.
Whether it's the R&D that eventually won't need to support two codes, will move into kind of supporting one code only and going from R&D investments that have been in the high 20s out of revenue and ARR to what we expect, and we talked about that in the Investor Day, we expect it to be in the high teens by 2027.
Still investing in the next year or two in order to kind of get the SaaS up and running and improve it and get it to a place where we want it to be. Over if you look at the five-year horizon, see some significant leverage from that department. There's leverage in the customer success and support and the sales and marketing, as I spoke about before.
There's definitely a lot of benefits for the customer in moving to SaaS, but there's also a lot of benefits for us in our desire to move there. We talked about the phases.
Mm-hmm.
There's phase one and phase two. So far we've only been a quarter and a bit in the transition, but we feel very good about where we are.
Right. I think you touched on it real quick, but just to kind of go back to it, I mean, why the timing now as opposed to maybe like, I don't know, when you did the first transition, do it all together? Was it more just an allocation of technical resources to build the platform? How should we kind of-
We definitely had to spend time and money in order to get the technology. It's not easy to come with an offering that is, you know, we've talked a lot today with our investors about the fact that the offering as it came out is one of the most stable versions we've ever come out with.
Mm-hmm.
The fact that the feedback has been so well received by both our sales force and our customers, and you have to invest time and money in order to get there. I also think that it's easier to make the transition from on-prem subscription to SaaS, than from perpetual to SaaS.
Mm-hmm.
We kind of had that in-between phase, but we always knew that the kind of end result, and part of our strategic thinking was to get to SaaS, and that's where we are today.
Got it. I guess with regard to the first transition that you did, what are the most critical takeaways or experiences from that transition that might help you execute better with this one?
I think there are three pillars that will determine whether a transition is successful, and I'd say change in general in an organization. Pillar number one is the technology. If you don't have technology that is supportive of the change, it will never happen. We had that when we moved from perpetual to on-prem because it allowed customers to consume more of the product.
In the move to SaaS, we definitely have that in a much better product that eliminates a lot of the friction for our customers. Pillar number one, I think is in a good place. Pillar number two is the comp plan. If you wanna generate change within your sales force, you have to make sure that they understand how to make money.
Mm-hmm.
We did that well in the move from perpetual to on-prem, and I think we have a good comp plan put in place that aligns with what the company's trying to achieve. We put that in place in January when we announced the transition, and I feel good about where we are and how to take advantage of the technological capabilities of SaaS and the benefits that it provides customers because the reps understand how they can make money or how they can make more money, and that's through that plan.
That's pillar number two. Pillar number three is management commitment. You can have pillar number one and pillar number two, but if your management isn't committed in moving and making that change, I don't think it really matters, and you get stuck.
We faced that in the move from perpetual to on-prem. Many of the investors in this room that were part of that transition, remember some of the stories that we had to face in Q1 of 2019. We had a very committed management team to support the change. We have the same commitment from management to move from on-prem to SaaS.
I can tell you that we have way less resistance from our sales force because I think they understand the benefits of the product, and they are definitely pushing for a much simpler selling discussion, which they see. I think those three pillars are the lessons learned from the previous transition, and I think they're very well aligned for this transition as well.
Right. Great. Then maybe can you talk about the pricing uplift that you can see from SaaS? You know, I think it makes a lot of sense in terms of easy deployment and the robust technology and, you know, customers get the best version, you know, all the time. What is the pricing environment like as customers shift onto SaaS or initially deploy SaaS, the initial land?
There are two components of my answer. The simple answer is that same product, same users, we have our price list at 25%-30% higher when you buy SaaS versus on-prem subscription. The second element of the answer is that in 2022, we came out with bundles because we got to a point where we had 40 SKUs.
It became too challenging for our sales reps to have conversations about every single SKU, and it became very challenging for our customers to understand what every SKU does. In 2022, we came out with bundles to try and consolidate, and that was very well received by both customers and reps. We decided to double down on that. In 2023, with our SaaS offering, we're not even offering it as bundles anymore.
You can't buy the licenses in an individual manner. If you're buying SaaS for Windows, it would appear as one SKU, and it's a combination of about seven SKUs that we had in the on-prem subscription. The same with the Microsoft 365. We're definitely moving to an offering that talks about outcomes. What do you need in order to be protected? It's the platform.
One of the things that we talked a lot about is that at Varonis, more is more, which means the more licenses you buy, the more you would want to consume more of the platform. Because there's an element of automation that can only be provided if you have five , six, seven licenses at a minimum.
We always talked about the fact that getting a customer from five licence- 12 is easier than getting a customer from one license to five. The move to SaaS definitely helps on that because it gears towards the automation and the outcomes, and the benefits that customers see will get them to buy and consume more of the platform.
Got it. I think, you know, you've talked a couple times, you know, whether it's Investor Day or earnings calls about customers in the pipeline that have expressed an interest in, you know, maybe on-prem.
Mm-hmm.
You know, there are some incentives to get them onto a SaaS platform. You know, I guess, if we think about how a customer that's currently looking at an on-prem license, what are some of the things that would kind of cause them to pivot and then adopt SaaS instead?
Simple answer, it's a better product.
Yeah.
A lot of our existing customers understand that and are asking for that. If I take a step back, yes, during the Investor Day, we talked about two phases. Phase I is focusing on selling SaaS to new customers, and we estimated that to be anywhere between one to two years. Then we talked about the fact that as we approach the end of phase I, we'll start focusing on phase two, which is trying to convert our existing customers to SaaS. We said that that would take anywhere between, our expectation is that it would take between three to four years.
Mm-hmm.
In the last earnings call, we gave a lot of real estate in the call, talking about existing customers and the increased pipeline of those existing customers wanting to buy SaaS. Now, in Q1, it was a very small dollar amount, couple hundred thousand dollars of existing customers that converted to SaaS. In Q2, we have seen the pipeline increase significantly. The reason we called it out is because if that number actually, if that pipeline actually does convert, there will be headwind to revenue and operating margin.
hat's a good thing as you look at kind of the customers converting to SaaS, and it's actually happening very naturally. We're not incentivizing reps, just to go to existing customers and convert. The only money they are making towards their quota is on the uplift.
Getting a customer from on-prem subscription to SaaS, they will make towards their quota anything above the on-prem subscription amount, we're definitely seeing the ability to get that uplift from our customers. Overall, it's a very positive thing. We're, we'll update as we see things progress, the Q2 pipeline has definitely increased compared to what we saw in the past.
Got it. I'll have a follow-up, and then I'll open it up for others to ask questions if you have one. Maybe the follow-up to that is, you know, during the earnings call, you actually, you know, talked about much higher than expected conversion rates. What drove those conversion rates? I think initially you were expecting about 15%, it came in much higher than that, you know, in terms of, you know, new business that's accounted for with SaaS. You know, what drove that higher adoption rate and should we just expect it to kind of like run at that higher rate going forward?
Just to emphasize, I think you're talking about the SaaS mix.
Yeah.
which was 37%. The SaaS mix is new ACV, basically gross ACV that we're selling, and the percentage of that being SaaS, we guided for 15% and came in at 37% and actually increased our SaaS mix guidance to 35%.
Mm-hmm.
I think the reason it was as high as it was straight off the bat in the Q1 we did the transition is because the product is better and customers understand the benefits of SaaS, how they are better protected. Think about this landscape of additional hacking going on and how vulnerable customers are. In SaaS, you can actually see an incident in one part of the world and distribute it in minutes to the rest of your customers that have SaaS all over the world. You don't need them to do anything.
Mm-hmm.
In on-prem subscription, if you found something that was problematic or an attempt to hack into an organization that requires an update, once you have the update ready, you need to make sure that you call every single customer and make sure that they download and install whatever you sent them. The value in SaaS is so significant, and it's a no-brainer for customers to want to buy it. I think that was the main driver for the 37% SaaS mix we saw in Q1.
Got it. Super helpful. With that, any questions in the audience? All right, we can keep going. At your Investor Day last year, you laid out a path of, you know, to $1 billion in ARR and 20% contribution margins. What progress have you made and, you know, how are you tracking towards those goals?
Yeah, in the Investor Day we had in Q1 this year, we laid out a five-year plan talking about a $1 billion ARR by the year 2027. I think what's very clear to us is our ability to increase top-line growth but keep the cost structure in the right way. I know it's very the new fashion right now is to talk about operating margin and profitability. If you go back to all of our transcripts years ago, we talked about the desire and need to grow the business but increase operating margin and increase free cash flow. Cash flow generation is an important concept of every business.
The 2027 plan talks about getting to a much higher ARR number, but also kind of getting to the Rule of 40. We define the Rule of 40 based on ARR, which is the leading indicator.
Mm-hmm
... has less of an impact when you move from on-prem subscription to SaaS because of the accounting treatment going to the ratable recognition. ARR is the leading kind of metric on the top line. The Rule of 40 is comprised of ARR and ARR contribution margin, which is ARR minus your non-GAAP operating expenses.
That's really kind of the right way to think about showing investors that we're keeping the cost structure even during a transition. As we exit the transition, we should start benefiting from the leverage that the SaaS has to offer. I think we're very well positioned to take advantage of a tremendous opportunity, and we wanna execute against it.
Right. Typically with these transitions, I think what you see is you do see the revenue headwinds. I think investors are used to like, all right, now we need to stop paying attention to revenue and look at ARR and cash flow. Over time, you'll see ARR and revenue growth rates converge. Any sense of what the timeframe might look like in terms of, you know, what you forecasted out in internal expectations of where revenue might hit that kind of like normalized run rate and align better with ARR?
It really depends on the pace of phase one and phase two. Especially phase two, when you have such a large base, that is recognized upfront, the quicker the pace of the.
Mm-hmm.
the more headwind you will see on revenue. I think it's a bit too early to call out when you'll see revenue converge. I reemphasize the fact that ARR is the leading indicator.
Right.
throughout this transition on the top line. We talked about free cash flow, and ARR contribution margins is kind of the North Stars together with ARR that will show and kinda signal the health of the business throughout the transition.
Mm-hmm.
Those are the right metrics to focus, in the next couple of years.
Right. I guess one of the things that happened this quarter was, you know, you actually increased your guidance for ARR and cash flow. I guess, what are you seeing that allowed you to raise guidance just in the first quarter of this year?
Q1 was, we baked in a lot of things that could go wrong. The adoption of the SaaS by our customers and our sales force was very good. Very early in the year, I know. We baked in the full year guidance, a lot of things that could go wrong from a macros perspective and a lot of friction on the transition, especially in the first six months-
Mm-hmm.
of the year. We talked a lot about that in, the last, two earning calls. I'd say overall, we feel good about where we are. Still a lot of things that we wanna do and execute against. It was a good start for us that gave us the confidence, to raise, our ARR number and still bake in a lot of things that could still go wrong.
Mm-hmm.
throughout the year.
You came in, like you said, at 37% mix. You guided to 35. Why the lower guidance relative to where you came in this quarter?
It's a very good question. I'd say, first of all, we take our commitments to the Street very seriously.
Mm-hmm.
The SaaS mix is no different than some of the other metrics that we put out there. When you think about Q1 has historically been the lowest quarter in dollar terms of the year.
Mm-hmm.
When you think about a SaaS mix that is much higher, 35% for the rest of the year, in $ terms, that's a significantly higher number than what we have achieved in Q1. The other element is the federal business. We're not FedRAMP certified yet. In Q3, which is the largest quarter of the federal business, they are expected to be headwind to our SaaS mix.
Mm.
We wanted to factor that in as well. Those are kind of the reasons.
Super helpful. With that, I think we're out of time. Guy, Brian, thank you very much for joining us. Thank you all as well.
Thank you.
All right.
Of course. Thank you.
Thanks.