Cloudflare, Inc. (NET) Earnings Call Transcript & Summary

All right. Thanks, everyone, for joining us. My name's Sterling Auty, software analyst here at JPMorgan. Very happy to have with us the team from Cloudflare for our next session, Matthew Prince, Co-Founder and CEO; Jayson Noland, Head of Investor Relations. Guys, thanks for joining us, really appreciate it.

Thanks for having us, Sterling.

Maybe just to get us kicked off, understanding that some of the investors are still new to the Cloudflare story, can you kind of briefly explain why your business is not a content delivery network company like Akamai or at least the part of Akamai that's CDN.

Yes. I think that from the beginning, almost 12 years ago now, when Michelle and I started working on Cloudflare, what we saw as the opportunity was to really replace all of the network security hardware that used to exist, so from companies like Cisco and F5 and Riverbed and Check Point. And the same way that AWSes of the world were replacing what EMC and Dell and HP sold and the same way that Salesforce was replacing what Oracle and SAP and Microsoft sold, we thought there was just a huge opportunity to replace those boxes. And the initial realization that we had was that if you got a large cybersecurity attack, you didn't get a bigger bill from Cisco. And so from the beginning, if we were replacing boxes, we couldn't bill based on use because it would just be gross. It sort of starts to be something almost extortionary that you get a bigger attack and you get a bigger bill from your security vendor. And so we started with the basic idea that if we're replacing the hardware, we needed to bill for it in a very predictable and reliable way. And I think that then led to a million other decisions. It meant that we had to, instead of just buying bandwidth for X and selling it for X plus some percent, we instead needed to find ways to drive the cost of bandwidth to close to 0 over time. Instead of deploying different hardware to service different functions, we needed to make it so that our software-defined network could allow any server anywhere in our network to run any different function that we did and to be able to shift traffic around to deliver a level of efficiency that no one else has. And so you fast forward to today, companies around the world that range from everyone from JPMorgan, to individual small developers, to pharmaceutical companies, financial services, health care, entertainment, others are all turning to us in order to make sure that they are, yes, fast, but more importantly, reliable and secure online. And so where I think a typical CDN company worries about things like how many people are going to tune into the Super Bowl and is the new show on Disney+ going to be popular or not, I spend my days worrying about what are the new cyber threats coming out of Russia or Iran, around the world and how do we stay in front of those. And so again, just completely different businesses.

Makes sense. And the follow-on to that was just going to be, I know you don't break out revenue by product, but how much of your business is actually priced on that kind of metric, so consumption-based?

Yes. So around 5% of revenue is any type of consumption, but it's only about 1/3 of that, that's actually based on bandwidth. And so it's a tiny percentage of our business is based on bandwidth, which is kind of the interesting thing. The only time I've been jealous of CDN businesses was during the pandemic because all of a sudden Internet usage went through the roof. And the somewhat common misconception was that, that was good for our business. It was actually incredibly hard for our business because 2 things happened simultaneously. The first was that every CIO in the world that we would usually be able to get on the phone to sell new products was suddenly fighting for their lives to keep the lights on as their businesses completely shifted. And so it was more difficult in 2020 for us to sell to new customers and new logos. And then the second thing was, all of a sudden, we saw this dramatic uptick and a dramatic spike in the amount of bandwidth that people were using across our services. And unlike traditional CDNs, we couldn't just pass those costs on to our customers. And so those actually, I think, were pretty substantial headwinds to us, and I'm proud of our team for really adjusting, solving customers' problems, focusing on expanding our existing customers and making them bigger customers and getting more efficient over time. And so I think that what were headwinds for us are turning into tailwinds now, where we're seeing the sort of bandwidth usage plateauing, which is attractive for kind of our cost side of our business. We're seeing CIOs start to return our phone calls again, which is great. And what we don't have is a giant overhang into Q2, Q3 of this year where usage is not going to be growing as quickly. And in fact, as usage slows, we have a predictable subscription-based pricing that gives us a lot of confidence as we look forward in the year.

But there are some other elements to the pandemic that you benefited from as well in terms of work from home, remote access, et cetera. Are those benefits permanent for your business?

I think so. We really are one of the pioneers of a different approach to how security works. And the best analogy that I've found to describe it is to think about boats. Once upon a time when you're building boats, the way that you built boats was you built them with really strong hulls and really thick hulls. And you just hope that nothing penetrated that hull because if something penetrated a hull, if there was a weak weld or a bad rivet, then all of a sudden, water would come flowing in, fill the entire boat up and the boat would sink. And that was kind of the old approach to security. You built a perimeter, and that was like the hull of the boat. And you hoped it was strong enough, then there weren't any weak welds or bad rivets. The pandemic, all of a sudden, meant that you couldn't put everyone in the same boat. And so they were scattered around between different places. And I think that, that approach generally is a pretty bad approach. In boats, the way that we solved it was with bulkheads, where you created different compartments where if there was a leak anywhere in the hull, it didn't take the entire boat down because there are always going to be weak seams and there are always going to be bad rivets in the same way that I think we're never going to be able to write perfect software as an industry. And employees are always going to accidentally click on phishing, cleverly created phishing scams and other things. And so the real challenge is how do you limit the blast radius when there is some sort of a problem. And so Cloudflare has really pioneered a number of what are now being known as zero trust approaches to security. I think that, again, it was tough for us to sign up new clients over the course of the pandemic. We saw a lot of our existing clients who we already had a relationship with say, wow, we really need your help in being able to launch this. We also because, again, we wanted to make sure that organizations still ran and that the world continued to be able to work to the extent it could over the last year, we made a lot of those services free throughout 2020, which built an enormous amount of goodwill across the industry. I think you're seeing that now turn around. And what I would point to, in particular, is the Biden administration's executive order saying that if you're doing business with the federal government, you have to adopt a zero trust approach to security. And reading it was like reading the Cloudflare product catalog. And I think that what you'll see is that those are the sorts of things where the pandemic really taught the world that they couldn't rely on the sort of old just strong hull approach to security and needed to move to something that was much more bulkhead and distributed. And I think we're extremely well positioned to take advantage of that trend.

Given that you brought up the executive order, I was going to kind of finish with that, but let's jump to that since you brought it up. There's also what appears to be a heck of a lot of spending that's expected to come along with his announcement and push on cybersecurity. How do you see that impacting Cloudflare? And how long does it take before those things, it's great to hear the announcement, but what's the time frame between that announcement and when it shows up in the results?

I think that there will be different waves of that. Obviously, the spending that is directly federal spending takes some time to work its way through. I will say that the good news for us is that we've had relationships with federal agencies for quite some time. The FBI is a customer of ours. State Department is a customer of ours. A lot of others use us for various aspects of our system. And I think that we have been an organization that has been trusted to win that business. And that was true even before we had a federal sales force and all of the other things because I think that my experience with the federal government is that while it's sometimes very easy to criticize them, there are some incredibly smart, incredibly talented people who are there that have an awesome responsibility, and they want to pick the companies that are the real winners and the real innovative leaders. And so that has meant that they have bet on us from even our earliest days, and I think that, that will continue to pay off. But I think the bigger deal is that we had seen a lot of kind of the early adopter, forward-leaning companies adopt services like Cloudflare for what we're doing. But there's always the people who are laggards at some level. And so having the federal government say, this is the new standard for how security is developed, if you sell to the federal government anywhere, if you touch the federal government anywhere, which almost every U.S.-based company does, then now you have to, there's a new standard that is out there. And I think that, that will very quickly start to get people to say, the old approach of just buying a whole bunch of boxes and sticking them in an IT closet somewhere, that doesn't work anymore because here's a document that says it doesn't. And I think we're likely to be a beneficiary of that. I think companies like Okta, Zscaler, even Akamai. I mean, I think Akamai is, you can be very bullish on us and bullish on Akamai at the same time. I think all of us are very well positioned to be at the vanguard of what this new approach to security will be. And I think that, that's going to be good for lifting all of our boats.

Listen, having a 3-letter agency, FBI, NSA, CIA, any of them, was always the holy grail for cybersecurity. So the fact that you're already there, so I guess it also begs the question, are you FedRAMP-certified at this point? And how big is that federal business to the overall?

So we are on track to meet the sort of FedRAMP certifications that we've committed to and watch this space because I think there might be news in that space pretty soon.

All right. Excellent, glad to hear it. Let's turn to, as I think about it, I think investors are challenged. So okay, you're not a CDN, you're a security company. But for a lot of the security companies, Okta, clean bucket, it's identity. Palo Alto Networks, it's a clean bucket, it's a firewall company. I know Nikesh will call and yell at me for that. But just when you talk about Cloudflare, because of the way that you also bundle your solutions, I think it's tough for some investors to understand what are you. So how would you explain kind of the bundles or the solutions and kind of what the tip of the spear that why somebody buys Cloudflare?

So we actually think of ourselves as a networking company. So the reason that we picked the ticker symbol NET was because, fundamentally, what it is that we sell is the network that you plug into and then you don't have to worry about anything else. And so that's what we want to deliver. And so a piece of that is you want to make sure you have a fast network. A piece of that is you want to make sure you have a reliable network. But a big piece of that is you want to make sure that you have a network which is helping you solve the security problems that you have. And so when we talk to our customers, what they fundamentally are buying from us is that next-generation network that allows them to solve their various problems. And we're pretty clear on what we're not. We're not an endpoint security company. So we don't build the software that runs on your laptop or your phone. We partner with all of the leading endpoint security companies that are out there. We're not an identity company. So we're not competing with Okta or Ping or Microsoft Active Directory, but we partner with all of those. And maybe the best analogy would be, if you imagine in our current pandemic world that you fly into a country and you go to show up at the border. And at the border, you have to present your passport. The passport might be issued by Okta or Ping or Microsoft Active Directory. You have to do a COVID test where they take your temperature and maybe even swab your nose. And that's sort of like, that's the device posture and that's endpoint security. So that might be provided by CrowdStrike or a VMware Carbon Black or a Symantec or others. But there's a border agent there that then takes the data from Okta and takes the data from CrowdStrike and maybe does some other things to assess whether you're going to be let in or not, and that's the role that we play. We're the border agent that is connecting you from where you were to where you're going. And that, I think, is what we are really good at. And so foundationally, Cloudflare is a network. We connect together both content and individuals that are using that network. And we power a substantial portion of that, and security is one of the big aspects of the value proposition of our network versus others. But I think that, that ends up being just one of the many features of what this next-generation network is able to deliver. And that's why our ticker symbol is NET, not CFLR.

I love it. So you've heard me say this and some investors as well. I think about the dominance that Cisco has had in the network, and there have been lots of people wondering through the years what could challenge that dominance, and I've said that Cloudflare is the one company that I think is best positioned for everything that you just said. So I remember we used to have something called the DMZ or the demilitarized zone. That was kind of that protected area and then we eliminated the DMZ and got closer as we exposed more services to the Internet. Where are we? And do you envision to the point that you just kind of alluded to, do we eliminate all of the, not only the network security, but the networking equipment at the edge? And are we left with one simple box on customer presence just to connect to? Kind of like the home, we have the cable modem, if you will. Do we go to that extent and everything is delivered as a cloud service to companies in the future?

So first of all, Cisco is a company that we have an enormous amount of respect for. I know Chuck and think that they're incredibly smart. I mean, they are both a customer of ours and a vendor to us. We buy a lot of their gear as we build out our network. So I think that they're someone that we really do respect. I think that increasingly, though, as we think about what networks look like, it's not that network hardware goes away. I'm sitting in Cloudflare's office in Austin, Texas. My laptop is connected to probably a Cisco WiFi spot, then goes back from there to a switch, which is in an IT closet somewhere. But I think from there, what's interesting is that there's a piece of fiber optic cable that goes from that switch back to Cloudflare's nearest data center. And that is both a connection then to the rest of the Internet, where we're effectively almost acting as the ISP. But then all of the intelligence around how is that traffic then routed from one point on the Internet to another, how is the security policy put in place, how do we make sure that only the people who are authorized to use that network can use that network. And what's powerful is that, if I'm going from Cloudflare's office to any of the Cloudflare customers that are putting content online or I'm going to AWS or I'm going to a Facebook or I'm going to a Google, you often pass from one part of the network to the content that you're trying to access, to the application you're trying to access without ever touching the public Internet. And because of that, we can actually provide it in a way which is much more secure and much more reliable, much more performant and actually much more cost-effective to our end customers. And so when Cloudflare says that our mission is to help build a better Internet, that's not a metaphor. That's what we mean literally. How can we take content from any place on the Internet to any other place? How do we make it so that anyone who is trying to put applications on the Internet or use the Internet in any way can deliver that better through our network? And I think more and more of the intelligence that used to live in those boxes that sat out in those IT closets, I think that gets embedded in the network, and that's foundationally how we think of our business.

Makes sense. I had to mute because my 2 guardian guard dogs out there are going nuts on some sort of delivery here. So apologies for that. A couple of questions from investors. First one was, you've added an enormous number of new customers in just a single quarter. How should they think about your ability to upsell into those kind of new paid accounts as well as how should they think about conversion rates of free to paid?

Yes. So great subscription businesses do 4 things well. They have good unit economics. And I think our gross margins are, we really designed the business to have good unit economics. They have low cost of customer acquisition, and we've been in top decile on that. They have low gross customer churn, and we've been very, very strong on that. And then they have really great expansion rates. And historically, if we had a weakness, I think it was actually that fourth bucket where expansion wasn't our strength. And part of that was because we didn't have usage-based pricing. So there wasn't sort of just a natural expansion lever that was for that. A couple of things, I think, have helped. First is, we are just a relentless innovation machine. We love to build new products. We love to launch new products. We're always getting things out there. And we want to have a broad, we think of this as a platform where we're bundling together all the functionality that boxes used to provide in the past. And so that has continued to flow. I think the other thing is that one of the consequences of the pandemic was when new CIOs stopped returning our phone calls, it actually forced us to get better at selling more to our existing customers. And so we've come up with much better sort of customer journeys and playbooks on someone who's using us for one thing and how do we get them to use us for more. I feel pretty confident that over the course of the next however many years, the vast majority of the world's companies will use us for one thing. I think what we are figuring out is, how do we, once we get you to use this for one thing, use us for more things. And the huge advantage that we have is that once any bit of data is flowing through our network, we can learn from that data. So an example of that would be something like bot management, where we could look out across all of our customers and run our bot classification services against their traffic and give them a report that says, here's how many bots you're seeing. Here are the good ones. Here are the bad ones. Here's a bunch of information. By the way, would you like to get this report regularly and would you like to have tools to be able to control how bots access your network? And that's a super compelling value proposition where someone goes, absolutely, of course, I'd like to do that. And I just have to click one button. That makes our sales team's job extremely easy. It means that, then once we get someone on our network, we can then sell them pretty quickly. To the question about free to paid, I'll tell you, that's not something we spend a ton of time thinking about. We do have a free version of our service, and it generates an enormous amount of value in a number of areas. The one that is probably the least appreciated but maybe the most important is that it gives us the world's biggest, most sort of diverse QA team in the world. So if we're going to launch a product for JPMorgan, who we're proud of became a customer last quarter, we can actually test that product across literally millions of free customers very quickly and work all the bugs out before we take it to your team in order to be able to adopt. And so that gives us the ability just to do product innovation significantly faster. So one of the questions we always get is, how does Cloudflare release product so quickly? And the answer is because we have this huge free customer base that we can literally test with and that raise their hands to try anything new. Like if Bob's blog is using Cloudflare and using the free version of our service, we don't think that Bob's blog is someday going to develop into a $1 million customer with us. Like Bob's blog is going to continue to be Bob's blog for a long time. On the other hand, Bob often will turn out to be the CIO of a much bigger organization. And so by building a great relationship with Bob on his personal hobby site, he'll often then take us to work. And so Bob may end up being a very large customer, but it might not be his blog that's there. And so we don't spend a ton of time trying to convert Bob's blog, but we do spend a ton of time trying to get a good relationship built with Bob so that when he brings us to work, his employer then spends a lot of money with us.

That makes a ton of sense. Another question that came in from an investor is around Amazon. So they're like play out the paranoid thinking. As we move forward, what could Amazon do that could become a competitive threat to Cloudflare? Or flipping on the other avenue, is there an opportunity for Cloudflare and AWS to really partner together moving forward?

I think Amazon is the one company that really keeps me up at night. And if there's any CEO speaking at this conference and they don't say that Amazon is the company keeping them up at night, then they're not paying attention because Amazon's ambitions are boundless. I think that we go into everything we do with the assumption that whether it's Amazon or Microsoft or Google or any of the sort of hyperscale public cloud, there's no line of code that we can write that is so clever that it gives us a long-term durable advantage. And so as you sort of think about what are the things that we can do that Amazon can't do, the list is, at some level, it's not very long. But I do think that there are some things that are really important. And what we hear from customers is that foundationally, they are going to have a heterogeneous network. And you might talk about that as hybrid cloud or multi-cloud or whatever it is, but people are going to maybe use a lot of Amazon services, but they're still going to use Workday for managing their HR and employment. They're going to use Salesforce for CRM. They're going to use NetSuite for their financial records. And so they're going to use multiple different SaaS vendors, multiple different clouds. And what they want is they want one consistent plane that they can then manage all of those services. They need a security layer that sits in front of the other public cloud instances, which may be on Amazon, they may be on Azure, they may be on Google, they may be in more than one of those. But they also wanted to sit in front of Salesforce and Workday and they may not even know what's running behind the scenes in all of those things. And so foundationally, what Cloudflare is, is the network that can sit in front of everything. And that's different than what the hyperscale public cloud providers are providing. And so I actually think that if you play this out over the long term, that it could be that we end up being the network that carries a lot of traffic for the big public clouds. And it could be that we increasingly are almost a vendor to those large public clouds as they're trying to figure out how do I connect these various pieces together. And so I think that neutral network that can sit in front of anything is very different than the model of what the big public clouds are providing. And I think it is the reason why we do have strong partnerships with Microsoft and Google. We have a little bit of a tense relationship with Amazon. But again, I think they respect us and we respect them, and we're coming at this problem from 2 completely different directions.

Makes sense. Next one is investor asked, Workers didn't seem to get as much of the attention on last quarter's earnings call as previously. Any updates on kind of the traction that you're seeing there?

I wouldn't read anything into that other than we just had a lot of things that we do every quarter. And you can only fit so much in a script, and to some extent, it depends on what questions you and other analysts ask us. But Workers is super exciting for us. But what I will say is, what I'm the most excited about for Workers is that Workers is the engine that allows Cloudflare's own development team to run as fast as we run because we build our products on Workers. Now that said, we also have a rule internally that any API or any development tool we built for ourselves, we also release to our customers, unless both our CTO and I sign off on us making it private, which we almost never do. And so that is making it a more and more robust platform. And so I think that whether you're at sort of the very earliest stages, we're increasingly seeing individual developers or whole start-ups that are being built relying on Workers as their development platform. And that's cool and fun, and it's what makes our team excited. What makes me excited is that we're increasingly seeing really large legacy companies. So we have 1 of the big 3 credit reporting agencies switch a big portion of their application over to Workers in the last quarter in order to help meet some very not sexy and maybe doesn't motivate our average developer but is a big issue, the regulatory challenges, which they had not just at the country level but actually in the individual state level. And the fact that with Cloudflare Workers, they could say, we will make sure that data on a customer stays not just in the United States, but in Texas or in California or in any place that they wanted is an enormous amount of power that gives you a flexibility that you can't get with any other development platform that's out there. And so again, it doesn't make for great earnings call content, but the regulatory compliance angle of Workers is super important. We're hearing that from more and more of our large customers. And I think that, that ends up being one of the most important features of what it is that we're building around edge computing.

So I think that's super attractive because it shows the use cases are beyond just, the ones that get talked about are the things where you have hypersensitive response times, right, where you need to be close to the user. This is something that's completely different than that because it actually leads into the other question that another investor asked, which is, what are the 1 to 2 killer apps that you expect for Workers? So maybe that's one of them. So are those the 2, regional need and performance?

Yes. So I think that I am not very bullish on if the only thing that edge computing delivers to you is it's a little bit faster. That's a very big market. And I spent, like Tom at Akamai says that Akamai has been doing edge computing longer than anyone else, and that's true. They have. They launched the first true edge computing platform back in 2001. Danny, one of the co-founders, designed the entire thing. It was amazing. It ran .NET and Java, which were the 2 dominant languages at the time. And the pitch for it was, it's a little bit faster, and it's going to shave 100 milliseconds off of network latency, and that was a big deal. And yet somewhere in the sort of late 2000s, they basically shut it down. And the question was why. And I spent a bunch of time tracking down all of the old engineering managers and product managers that built that platform and saying what went wrong. And the answer time and time and time again was that just being a bit faster didn't compensate for the challenges that having something that developers have to think about my code is running not in one place but in many places all around the world. And I think that, that really has informed a lot of how we have thought about it in 2 different ways. The first was a recognition that just being a little bit faster, yes, there are certain applications, credit card processing, human-computer interaction. There are some things that it matters but it's maybe $100 million market. It's just not that big a market that exists out there. And then the second is that developers are super lazy. And I know this because I used to be a developer and we're all super lazy. And so they want to do things that are really easy to use. And so that means that like you have to focus on ease of use as the critical function. And so I've kind of coined this idea of, there's Maslow's hierarchy of needs, and so Matthew's hierarchy of developer needs. Like self-actualization in Maslow's hierarchy of needs, the very top of the pyramid, that's speed, right? That's the nice-to-have we all aspire to eventually. But the thing that's more important than speed is consistency. I have light switches in an apartment that I have where you flip them on and it takes 3 seconds for the lights to turn on, but it's always 3 seconds. And so you can adapt to it. So you just sort of, the first time you're over in my house, you're like, flip the light switch on and you think it's broken. But what would be worse than it taking 3 seconds is if it sometimes it was instant and sometimes it was 3 seconds because anyone didn't quite know what to do, right? And so actually, consistency is more important than speed. Cost is more important than consistency. The reason that I have these light switches is I was cheap, and so I didn't upgrade to the more fancy light switches. So it turns out, just like developers, cost is going to beat consistency and people will pick what's cheaper. More important than cost is ease of use because developers are lazy. And so we have really focused on, yes, we're the fastest and we're the most consistent and we're the most cost effective, but if we don't nail ease of use, then this could be a niche platform. So we're really focused on how we build out the ease of use. And the only thing that trumps ease of use is actually the really boring but foundational food, clothing and shelter, which is regulatory compliance if you're a CIO that's out there. And so that's the one thing where you can find some incredibly amazing new developer platform, which is really fast and really consistent and really cheap and really easy to use. But if it's hosted in North Korea, like it's going to be a nonstarter for JPMorgan to be using it. And so I think that what we really think of as, yes, fast is great and consistent is great and cost-effective is great, but we've got to nail ease of use. And where I think the real killer functions come from is actually that compliance piece because I think more and more countries and even down to states are going to be saying, a user's data has to stay in this particular region and be processed in that particular region. And that means that if the first thing that you're doing when you're using your cloud platform is picking what region you're using, then you're doing it wrong. Whereas in Cloudflare's case, you write what code once, you label the data and say that data has to stay in that particular region and then the application just works and makes sure that you're complying with whatever it is that you have, your obligations are around the world.

That's awesome. Listen, unfortunately, we're out of time. Let's set up a session where we do like, welcome to the Actors Studio, and you and I sit down for like 2.5 hours because I'd love to keep talking. But anyway, stay safe and stay healthy, and thanks again for joining us.

Thanks, Sterling.