CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Good morning, everyone. Welcome. My name is Erica Smith, and I'm the Vice President of Investor Relations here at CyberArk. We are happy to be with you today for our first virtual investor event. Thank you for joining and for your interest in CyberArk. We are covering a lot of ground today in our agenda. To kick off the formal presentations, Udi Mokady, our Founder, Chairman and CEO, will detail the transformation of our business over the last few years and provide a look ahead. We will then move into the market dynamics leading us to Identity Security with Clarence Hinton, our Chief Strategy Officer and Head of Corporate Development. Chen Bitan, our Chief Product Officer, will advise about our Identity Security platform, and how our solutions are solving mission-critical security challenges for our customers. On the heels of that, Clarence will segue back for an engaging customer panel. Our customers will talk about their real-world challenges, trends in the industry and how Identity Security fits into their overall strategy. From there, we will take a very quick 10-minute break. Matt Cohen, our Chief Operating Officer, will bring us back from the break and outline how our go-to-market engine is set up to really execute. He will finish by interviewing Colin Williams, Business Line CTO of one of our great partners in the U.K., Computer Center. Lastly, Josh Siegel, our Chief Financial Officer, will outline what the business looks like today, how we expect to progress through the transition, and importantly, what we are working toward longer term from a financial perspective. Josh will hand it back to Udi, who will take us to the live Q&A. But it wouldn't be an investor event without an important quick reminder. We will be making forward-looking statements today. For example, our expectations and beliefs regarding our projected results for the first quarter and the full year 2021, our ability to complete the transition in the time frame expected, our ability to meet our financial and operating targets during the transition period and the long-term model expectations. Our actual results may differ materially from those projected. The forward-looking statements come with risks and uncertainties, and we direct your attention to our Form 20-F, which is filed with the SEC and can be found on our website. CyberArk expressly disclaims any application or undertaking to release publicly updates or revisions to any forward-looking statements made today. We're also going to talk about GAAP and non-GAAP financials. There is an appendix, which we already posted to the website, and that appendix contains a non-GAAP to GAAP reconciliation. This same appendix can be found at the back of Josh's deck. Before we dive in, there are just a few housekeeping items. [Operator Instructions] As I mentioned before, after Udi does the quick wrap-up following Josh's presentation, we will move into a live Q&A with the team. Our plan is to answer questions submitted online and via e-mail. [Operator Instructions] With that, let's get started. I will turn things over to Udi Mokady, our Founder, Chairman and CEO. Udi?

Thanks, Erica, and hello, everyone. Welcome. I'm happy to virtually be with you and would have loved for us to be in-person. Hopefully, we'll be able to get back together soon. In the meantime, stay safe and healthy. I appreciate everyone joining today, and I'm excited to introduce you to additional members of our management team. This is an amazing time to be at CyberArk as we execute our subscription transition strategy and capitalize on the tremendous opportunity in Identity Security. Before we dive in, I want to take a moment to highlight the key points we hope you'll take away from today. First, our Identity Security strategy is not only aligned with the market trends, it is also a significant differentiator for CyberArk; second, we continue to evolve our product strategy and now have a SaaS-heavy portfolio; third, CyberArk has built a go-to-market engine that is ready to scale and deliver against our opportunity. What's more, we want to use today to provide you with a framework to evaluate the success of our subscription transition and outline what the business would look like on the other side. Throughout the day, we'll center our discussion around 4 major pillars: Growth, innovation, subscription transition and profitability. Collectively, they represent our key objectives for the business over the next few years. Let's start by taking a look at how much CyberArk's business has changed. We took a similar walk down memory lane at our last Investor Day in 2018, but today's exercise is even more important. It demonstrates how CyberArk continues to transform itself to take advantage of the significant opportunities ahead of us. When we initially talked about the Privileged Access Management market, we were really focused on providing security measures for IT administrators, especially those with credentials to highly sensitive information assets and systems or the keys to the kingdom as they came to be known. In 2014, the year we went public, we were about $100 million in revenue, with nearly 1,800 customers, including about 15% of the Global 2000. Back then, our solutions were delivered on-premise and were sold as perpetual licenses. Putting the keys to the kingdom in the cloud was not a viable alternative for enterprise customers then. Yes, times have changed, but what hasn't changed is the role of privilege in the attack path as it continues to be the most common exploit strategy for attackers. Today, Privileged Access Management, or PAM, is now recognized as a critical layer of security and the key part of security strategies at the world's largest organizations across all industries. That doesn't mean that the nature of privilege has stayed the same, far from it. Privileged users aren't just IT admins anymore, they are now across the business and can be humans and nonhumans in the office or remote. Privilege Access is powering businesses in the modern IT environment. We see this across our now 6,600 customers, including almost 40% of the Global 2000, who rely on CyberArk to help secure their enterprise IT environments. In recognizing the changing role that Privilege plays, CyberArk has continued to innovate. When cloud adoption was growing in other segments of software and security, even before enterprise demand emerging hours, we were busy innovating and developed our Privileged cloud offering. It is more than 3 years old now and really picking up steam, and it's joined by a host of other in-the-cloud solutions. Today, enterprise customers are putting the keys to the kingdom in the cloud. Later today, you'll hear from one of our customers, Ricardo Lafosse, the Chief Information Officer at Kraft Heinz. Ricardo is using Privilege Cloud as the foundation of the Kraft Heinz cloud-first strategy and will share his views on identity and the cloud more broadly. Today, our recurring revenue, which includes SaaS, on-premise subscription and our maintenance base, exceeds 50% of total revenue. And as always, execution is a key priority for CyberArk. We've consistently delivered profitable growth, and in 2020, generated more than $460 million in revenue and $90 million in non-GAAP operating income. In fact, let me take a moment to dig a little further into the revenue growth trend over the past 5 years. The execution of our strategy, the expansion of our market and the fact that we solve a real customer need has enabled us to deliver consistent growth. If you look at the business, we have grown at a greater than 20% 5-year CAGR. Considering the 2020 revenue headwind created by the relative increase in SaaS and subscription bookings, our 5-year CAGR is now over 25%. Later on, Josh is going to give you some more detail on this. So the question that is naturally in your mind is, what's driving this growth? Well, first, we've got the benefit of strong secular tailwinds. Our Identity Security strategy with PAM as the foundation is at the center of every major industry trend. Digital transformation, cloud migration, hacker innovation and compliance. When it comes to digital transformation and cloud migration strategies, highly distributed IT environments, increased automation and application development are expanding the attack surface and resulting in the proliferation of Privilege across human and nonhuman identities. The attack surface and risks are exploding. And the risks are real. Companies need to reduce exposure to breaches, takeovers, theft and the reputational damage, and that's on top of increasingly stringent compliance regulations. At the same time, attackers are stepping up their game with hacker innovation, becoming more like businesses and even more concerning, acting on behalf of nation states, which I will come back to in a moment. Second, we've been able to take advantage of these trends and the expanding nature of Privilege to execute our land and expand strategy. Within our Privileged offer, we've shown that every company regardless of size or vertical needs PAM. This provides a lot of places to land and tremendous room for expansion as customers secure more of the IT environments. And we've rolled out new use cases like cloud workloads and applications and more users. We've also extended our capabilities beyond Core PAM into adjacent areas, ahead of the rest of the market. For example, we've offered innovative solutions to secure remote access to PAM or by locking down Privilege on the endpoints via our Endpoint Privilege Manager or by addressing Privilege in nonhuman environments via our DevSecOps solution. Each of these areas has yielded incremental growth for us. These are not only expansion points. Customers are landing with solutions like endpoint and access, increasing our vectors for growth. Both Chen and Matt will talk about the expanding portfolio, and how we can execute on the opportunity against our existing customers and new prospects. Third, another part of our growth engine is our ability to consistently innovate and deliver solutions that address the rapidly changing threat landscape. We stay ahead of evolving customer needs, and most importantly, solve real-world problems. We mean it when we say, innovation is in our DNA. From our core product development team to our research and innovation labs team to our product strategy and leadership folks, innovation is our not-so-secret secret sauce. Our ability to innovate isn't just a growth driver, it's an important part of what sets us apart, and we've been able to pioneer and help architect the PAM market because of it. In 2020, we further extended our leadership position in this market. Let's now take a look into the future and discuss what lies ahead for CyberArk. First, it's critical to understand that the secular trends I mentioned earlier, digital transformation and cloud migration among them, are experiencing a step-up function acceleration due to the events of 2020 and early 2021. COVID-19 was certainly a major factor in driving reliance on remote work, distributed infrastructure and online everything. Digitization is now an existential mandate for most businesses, but it's also critical to note the corresponding prevalence of new high-profile attacks on major organizations. Hacker innovation is well-funded, accelerating and more unpredictable than ever. Take SolarWinds' Orion. I've been in security a long time, and I believe this is one of those seminal events, a once-in-a-decade kind of occurrence like the attack on Target or on the office of personnel management. Supply chain attacks are not new, but the SolarWinds attack is unprecedented in scope. Many watched and waited for the next headline, but think about the CIO and the CISO of an enterprise. The SolarWinds attackers leveraged one of the most sophisticated exploitation of Privilege Access called a Golden SAML attack, an attack vector first identified by our research team back in 2017. During the Senate Intelligence Panel at the end of February, they discussed how attackers had forged access that enabled them to elevate privileges and move across the cloud and on-premise environment. This was certainly a wake-up call, an important reminder that demonstrated yet again that privilege exploitation is at the center of every major attack. I am hearing it in customer engagements. They are rethinking their security strategies. And beyond SolarWinds, in 2020 and in early '21, we are seeing a significant increase in high-profile attacks, Twitter, daily ransomware attacks, attacks on critical infrastructure, all proving that identity is the new battleground. So there is a sense of urgency behind cybersecurity, but also a realization that the way cybersecurity is delivered is in need of a paradigm shift. This is giving rise to concepts like zero trust and the assumed breach mindset. The response to these attacks has clearly been a flight to trust, that is companies are adopting an assumed breach mentality and are turning to trusted security partners who have comprehensive solutions and deep experience remediating post reach situations. Security partners that have been vetted by leading global enterprises time and time again and are trusted by them. We expect that this mentality will continue to be a tailwind for our business over the long term. If you think about our mission, we have always focused on protecting customers from these advanced cyber threats with a meaningful mission-critical layer of security. IT environments are changing daily. Application development is changing by the minute. Cloud digital transformation, the explosion of new technologies, applications and automation tools and the evolving attack methods to exploit them. These changes are not only blurring the lines between a privileged user and a workforce user, but also between human users, applications and bots. We are helping secure our customers in this complex world by delivering on our mission with a modern approach to Identity Security centered on our core competency of Privilege. Identity is the new perimeter, more critical than ever to securing the enterprise. I'm excited for you to hear directly from customers on how we are helping them address their Identity Security challenges now and as they move forward. To that end, we're developing a comprehensive, SaaS-based Identity Security platform. It will provide secure access to any user accessing any type of application or system from anywhere using any device. A unified platform with a security-first approach. The idea is to leverage CyberArk's unique expertise and expand our Privileged Access Management capabilities to a broader range of identities whenever Privileged Access is required. Identity Security is beyond PAM combined with IDaaS offering. The sum is greater than its parts with a comprehensive approach that extends across access, DevSecOps and PAM to secure the modern enterprise like never before. You'll hear more about this from Chen, but I can tell you, we're very excited. Our Identity Security platform is going to provide us with a powerful vehicle to take advantage of the large and growing market opportunity in front of us. As you'll hear from Clarence, CyberArk's TAM is rapidly growing and is about $20 billion annually for PAM, identity-as-a-service, secrets management and lease privilege on the endpoint. Looking ahead, we see the tailwinds that I talked about earlier, extending our reach even further. We believe we can take this $20 billion TAM and expand it to a $50 billion annual opportunity by pushing our solutions deeper into areas of security that we're already in like DevOps, Identity Access Management and Cloud Security. In addition to our comprehensive Identity Security strategy, we're also looking forward to our overall transition to a subscription-first business. The timing is right. We already have a mature SaaS portfolio. We clearly understand how to operate a subscription business, giving us confidence in our ability to execute. Our goal over the next 8 to 10 quarters is to transition to a model where 85% of our license bookings are from subscription. The rationale for doing so is multifold. Customer consumption preferences are already trending in this way, and it provides tangible benefits. For CyberArk, a subscription-based recurring revenue stream provides us with better visibility into the revenue, a more durable growth trajectory and the higher overall lifetime customer value. A subscription-based approach also means that we can accelerate the velocity of additional products and services. The customer benefits have been well proven, too. Subscription customers, especially those on our SaaS platform, can realize faster time to value and faster delivery of new platform innovations. This really creates a virtuous cycle of success between us where we deliver more value through our software and our services, our customer satisfaction increases, and they add-on business more quickly. It is a win-win. We believe this transition will ultimately drive greater shareholder value, and you'll hear more about this transition from Josh and Matt. I don't want to steal too much from Josh's presentation, but I will give you a preview. We are in great shape as we kick off the subscription transition. More than 50% of our business already comes from recurring revenue, and this grew over 40% in 2020. We shifted our subscription booking mix by 4x naturally, based on customers' buying preferences without any changes to our go-to-market, and ARR reached nearly $275 million last year. You will hear more about Matt's comprehensive strategy and how he plans to drive even more energy into the go-to-market machine, deliver on the subscription opportunity and drive growth in ARR. For those of you who know me and our team, we are incredibly proud of the culture we've built at CyberArk, and we view it as the cornerstone to our success. As we go through the transformation I've outlined, I truly believe the thing that will make us successful is the power of our people. Our core values are here on the slide, and while all of them are important to our future, I want to focus on those most directly relevant to today's discussion. Number one, being customer first is what got us where we are today, and our continuing focus on customers will ensure ongoing excellence. It means that we must give our customers the tools they need to run faster as they execute their mission-critical strategies. And it also means providing them with a peace of mind, secure in the knowledge that despite the ever-changing IT environments and increasing threat landscape, they always have a partner in CyberArk. Number two, continuous improvement. It's what keeps us ahead of the market. Our innovative spirit. Our commitment to providing real-world security solutions. Our ability to improve on good ideas and make them great. Our anticipation of emerging threats and evolving our solutions accordingly. We tackle real hard security problems every day. We will continuously improve and get it right for our customers. And when we get that right, everyone benefits. Ultimately, we need to cultivate, develop and retain our people. We embrace diversity of experience, culture and modes of thinking. Maintaining our thriving culture is critical because as a founder, I truly believe that our culture is the bedrock that will ensure our success. So looking ahead for CyberArk, where do we want to be in a few years? I believe that our Identity Security and our subscription transition strategy will deliver transformational value to CyberArk, our customers, our partners and our shareholders. We will be the leading global Identity Security provider. We'll protect Privileged users and a broad range of identities wherever and whenever they need protection. We'll serve tens of thousands of customers via a world-class SaaS platform and will deliver innovation on an ongoing basis. With a successful transition to subscription, our goal is to be a highly profitable, best-in-class subscription company. We have set our sights on generating $1 billion in annual recurring revenue. Of course, it won't be easy, but I have a lot of confidence in our team's ability to deliver on this vision. In short, I'm incredibly excited about where we are as a company. Our innovation engine is operating at full steam. Our go-to-market strategy is going full force ahead. We are the leader in a rapidly growing marketplace, and we have major industry tailwinds driving our business. Thank you again for joining us today. Enjoy the rest of the presentations, and I look forward to hearing your questions later on in the Q&A session. Now I'm going to hand things over to Clarence, who will spend some time talking about the market dynamics, our Identity Security strategy and that growing TAM that I just mentioned. See you in a bit.

Thanks, Udi, for that terrific overview. I absolutely share your enthusiasm. I'm Clarence Hinton, Chief Strategy Officer at CyberArk. It is my pleasure to be part of this virtual event. I will further explore several of the topics Udi highlighted, including our perspective on the trends shaping the present and future of our market. I will also elaborate on our Identity Security vision. In the home stretch, I'll take you through the tremendous opportunity that we have in front of us, and why we are in a strong position to win in this market. The themes of our Investor Day are: top line growth, continued innovation, subscription transition and of course, profitability. This session will focus on growth and innovation. For several years leading up to 2019 and continuing into the early portion of 2020, we were already experiencing a very high velocity of both business process and IT infrastructure modernization. You could have described this as being driven by a combination of 3 compelling forces in the broader market: First, digital transformation. Enterprises were racing to make large-scale improvements to their organizational agility. They were automating business processes and digitizing business data and communication, particularly with their partners and customers. Second, cloud migration. Organizations increasingly use third-party software, deliver services and migrated business applications and workloads from on-premises data centers to public cloud infrastructure. This enabled them to expand computational capacity in an elastic and on-demand manner. Finally, DevOps, or shift left, defined by the rise of continuous integration and continuous deployment of software applications to increase velocity and frequency of application and service delivery. While IT leaders broadly understood the increasing IT security risk associated with this transformation, the primary focus for the most part was on enabling transformation. As modernization progressed, fueled by digital transformation, cloud migration and DevOps, the tech surface expanded exponentially and the threat landscape shifted dramatically. A proliferation of identities and entitlements were created by the dynamic and elastic enterprise IT infrastructure. In parallel, we witnessed a steep rise in the sophistication and aggression of cyberattacks, primarily driven by financially motivated cybercriminals and nation-state cyber attackers. In this environment, traditional network perimeter-based defenses proved inadequate. This deficiency led to the emergence of zero-trust architectures, focus on securing access to assets, applications and workloads at a granular level rather than trust devices and endpoints, simply because they were connected to the network, zero-trust architectures verify the identity, integrity and privileges associated with any given access request. Against this backdrop, the phrase identity is the new perimeter, has grown from an interesting catch phrase to being a widely accepted truth. We hear from CISOs and CIOs regularly, and we will discuss it later today with several of our customers. Perhaps, more importantly, we now see identity as a key topic at the nexus of enterprise IT security, IT operations and developers representing lines of business. This focus on identity as the most important control point has informed our Identity Security vision. Then, of course, COVID-19 hit, disrupting life as we knew it across the globe. Enterprises initially scrambled to enable remote work, remote customer and partner engagement and remote delivery of products and services. While the emphasis was clearly on enablement, even survival, enterprises understood the importance of securing their businesses in this time of transition. While enterprises were processing the initial shock and managing to get through the first phase of work from anywhere and to centralize everything. Cyber attackers expanded their operations and reach. Ransomware attacks shot up almost immediately followed by attacks on large social media properties, and a wide range of companies in health care and financial services verticals. The numbers were staggering as we average more than 4,000 breaches per day in the months following the onset of the pandemic. Then along came the SolarWinds breach. Although much has been said about the attack, the full extent of the damage caused by this attack is yet to be understood. Perhaps, most importantly, the attack returns to the forefront, the critical importance of security, serving as a clear reminder to global enterprises that robust cybersecurity is even more important in this time of transition and transformation. Quite literally, no one is safe. What we do know is that the SolarWinds breach was a highly sophisticated supply chain attack that played out over a long period of time. Malicious code was inserted into a legitimate software distribution. While approximately 18,000 SolarWinds customers are believed to have downloaded the infected update, we do not know with certainty how many were actually attacked or if attackers led dormant and undetected in their environments. The sophistication of the attack places extreme emphasis on comprehensive cyber risk reduction and commitment to implementing robust security controls across the entirety of your enterprise. Even a cursory scan of the headlines, it brings the impact of this event into focus. Identity is the new perimeter. Zero trust rises in the area of work from anywhere. Managing identities and Privileged Access Security is the key to it all. These are the themes that have come through again and again. Enter Identity Security. In the context of classic on-premises enterprise IT security, the disciplines of Access Management and DevSecOps run in parallel to our core strength of Privileged Access Management. While these disciplines can exist somewhat separately in a traditional environment, the forces of digital transformation and cloud migration make it necessary to address these identity-centric threats in a coordinated manner. As the lines blur, new methodologies come to the forefront, which enable robust end-to-end identity-focused security. SSO and MFA broadly addressed the front end, while lease privilege and just-in-time access provide robust security and control and secrets management runs across modern on-premises data centers as well as cloud-native environments. This is all required to fully secure modern enterprise IT environments. Our fundamental vision for Identity Security is to provide robust industrial strength, identity-focused security across all identity types, all devices and endpoints, all workloads and applications and all IT environments. CyberArk's Identity Security vision has privileged access at its core. Expanding to Access Management use cases where essentially all identities have some degree of privilege to DevSecOps, where machine-to-machine access based credential sharing in exchange is by very nature privileged. Further, as we continue to execute on our Identity Security vision, certain adjacent areas become relevant as well, such as those of the intersection of identity, cloud and network. In this new world, easy Access Management is no longer sufficient. Enterprises must secure identities from end-to-end across all environments rather than simply manage them. Identity Security is a bold vision, but we are well positioned as we've already mastered the most critical aspect, the most difficult aspect of Privileged Access Management. We formally launch Identity Security with acquisition of Idaptive last spring and followed it up with the launch of Cloud Entitlements Manager a few months later. Combined with our core capabilities, these solutions deliver a robust foundation for our Identity Security platform. In 2021, we are focused on execution, acceleration and scale, leveraging our speedboat go-to-market construct to drive growth across a wide range of Identity Security use cases while executing the pivot to a SaaS and subscription business model, which aligns with the transitions our customers are undertaking. You'll hear more about this from Matt later today. In the meantime, we'll continue to execute on the product integration, SaaS platform enhancements and organic innovations required to ensure long-term success and leadership in Identity Security. CyberArk has a long and successful history of organic innovation and market leadership. This organic innovation has been supplemented and accelerated by targeted M&A activity over the past several years. For example, Viewfinity and Cybertinel provided endpoint strength, while Conjur accelerated our efforts in sequence management and DevSecOps. And most recently, Idaptive delivered Access Management capabilities and strengthened our security-as-a-service platform. As we look ahead, we have a strong balance sheet, and we expect strategic acquisition to continue to play a role in our long-term strategy to strengthen our core and expand the perimeter of our reach and capabilities. Having discussed the trends and the nature of the opportunity, I would now like to put more specific figures behind it. It is important to note that all figures here are annualized and intended to align with our ARR metrics, consistent with our continued transition to a SaaS and subscription business model. In sizing the current opportunity, we've taken a bottom-up approach based on existing product capabilities and realize historical pricing, starting with our Core Privileged Access offering, expanding to lease privilege at the endpoint, sequence management and DevSecOps and now IDaaS. We estimate the current TAM to be in excess of $20 billion per year. However, we view this as a baseline opportunity. As we continue to deliver on the Identity Security vision, we intend to expand our offering, incorporating additional aspects of cloud security, DevSecOps, customer IAM and security intelligence. In combination, this progression will more than double our current addressable market, expanding the TAM opportunity to more than $50 billion per year. A series of events have dramatically accelerated the rate of change in business automation, digitalization and IT infrastructure modernization. It is widely agreed that we've seen years of change condensed into months as a result of the pandemic. After all, if businesses are going to be conducted in a socially distanced, lockdown world, then it must be conducted digitally. We have also seen an explosion in the number of machine and human identities, and the proliferation in the magnitude and nature of privileges associated with these identities. Combined with the increase in sophisticated and motivated cyber attackers, enterprises today face an exponential expansion of underlying security risk and the potential economic impact of cybercrime is measured in trillions of dollars. As we execute on our Identity Security vision, counteracting these threats. We see a $20 billion annualized TAM opportunity increasing to $50 billion per year as we execute on our strategy. CyberArk is in the best position to secure the IT enterprises of today and tomorrow with identity at the center, fortified by excellence, leadership and Privileged Access Management. Now you're going to hear from Chen Bitan, our Chief Product Officer. We work closely together on strategy, and he will describe how we are executing against our product road map and how that aligns to key customers' use cases. Off to you, Chen.

Thank you, Clarence. It is always great to hear you. Hello, and welcome again to CyberArk Investor Day. As Clarence mentioned, I'm Chen Bitan, Chief Product Officer and General Manager of CyberArk. I've been with the company since the beginning, and I'm very excited about the journey we had until now, but even more energized about the opportunity ahead of us, the evolution of our product offering and our Identity Security platform. During the coming session, we will share more information about our product vision, and how well it is aligned with market ends that we see and our business strategy. We'll focus on the innovation pillar, but would show our innovation, supports our growth and our transition to subscription. You just heard from Clarence about major trends that are driving our Identity Security strategy broadly. I would like now to focus on more specific complementary trends that are informing our product vision and strategy. The first important trend is that identity is becoming the center of cybersecurity programs. Rapid shift to remote work or work from anywhere started way before COVID-19 as part of digital transformation. But it was definitely accelerated in 2020, and we believe that this is only the beginning. In today's environment, employees and third parties are required to access corporate resources from almost anywhere while corporate resources are located in multiple locations from hybrid to multiple clouds. This quality makes a traditional perimeter security model less and less effective, putting the identity at the center as the only truly effective new parameter. The second important trend is the expansion of privileged identities. As Udi mentioned, if we think about our business several years ago, only IT admins were considered privileged users. That is definitely not the case now. The definition of who is a privileged user has been expanding. In today's environment, almost any user can be privileged under certain scenarios. This can be developer or DevOps engineer who has access to [indiscernible] or DevOps tools, it can be a machine identity or application such as robotic process automation, or RPA, which requires high privileges in order to automate tasks. And it can even be a workforce employee with high-level access to a sensitive financial system. All these type of privileged access represent high-risk to the organization and, therefore, need to be protected by a strong and comprehensive security program. The third market trend that we see is the shift from traditional saying access to more just-in-time approaches anchored on the concept of this privilege. While standing access is not going to disappear and will still be acquired, just-in-time access is starting to become more common for daily operations. A modern Identity Security offering should provide both secured just-in-time and secure standing access capabilities to cover identities across the spectrum of business operations. In the last couple of years, we have added significant capabilities in both of these areas and continue to innovate. The fourth trend is adoption of SaaS Identity Security solutions for privilege and assets management. This trend had definitely accelerated in the last couple of years across enterprises of all sizes. As Udi mentioned, we anticipated that enterprise will shift to consuming PAM as service, especially for new PAM projects. And our team delivered a solution in 2018 to ensure we are ready to meet the change in delivery preferences. That being said, for Privileged Access Management, we do see large enterprises in certain geographies and verticals such as government and heavily regulated industries that are still in earlier phase of SaaS adoption. We expect this customer to continue to consume PAM solutions on premises for some time. Let's see how these and other trends are shaping our Identity Security vision. CyberArk's vision is to provide an end-to-end SaaS-based Identity Security platform to secure access of any user, whether it is an IT admin, developer, cloud engineer, workforce employee, third-party user, customer or any nonhuman identity across any type of application or system, whether on-prem or in cloud, from anywhere using any device. This entire offering is being built on a unified platform, applying a security-first approach. It leverages advanced AI capabilities to automatically and dynamically applies the needed privileged security controls to each session based on the level of permission that is required. The permissions are defined closely by the risk associated with the session or activity, and our approach is truly unique. CyberArk's deep security expertise allow us to expand our Privileged Access Management capabilities such as session as relation, session recording, continuous authentication, just-in-time access and so forth to a broad range of human and machine identities whenever privileged access is required. Our product offering directly aligned to our Identity Security vision and is built on 3 major pillars: [indiscernible] center is our privileged pillar, the anchor of our entire offering. Privileged Access Management is one of the most critical security layer in any cybersecurity program, and definitely, when it comes to an Identity Security solution. It's the pioneer in this market. We have known for years that privileged escalation plays a central role in any targeted attack. Mainly all major cyber events of the past decade, including the recent SolarWinds attack as well as others emphasize it further. This makes Privileged Access Management and must have security layer in any organization. Under the Privileged pillar, we continue our investment in Privileged Access Management, which can be delivered both as a service with storage cloud and on-prem with our Privileged Manager on-premise sales. We also continue the investment in our vendor Privileged Access Manager, which includes PAM and our highly successful remote access offering, formerly known as Alero, to enable secure remote access to PAM for both third-party and internal employees. With endpoints often the first stage of an attack, we are always working on exciting enhancements to extend our capabilities with endpoint privileged manager. Recently, we have added to the privileged pillar, our Cloud Entitlements Manager, an innovative solution for reducing the risk of excessive cloud permissions, a growing challenge for cloud security architects. I will elaborate about it later in this session. Next to the Privileged pillar, we have our speed bots for access and DevSecOps. We will show you more about the speed bots format. The assets pillar provides our identity-as-a-service, or IDaaS offering, which is based on our acquisition of Idaptive in 2020. It includes workforce identity solution with all the relevant IDaaS capabilities such as single sign-on, multifactor authentication, life cycle management, directory services and so forth. In the DevSecOps pillar, we are focused on securing secrets used by nonhuman identities. Just to brief for everyone, previously, DevSecOps would have fallen under application access manager. This includes tickets management for dynamic and cloud-native application with Conjur and tickets management for traditional static application with our credential provider. We see increased demand in this area as customers increasingly shift left to bring security in sooner to better secure their software development pipelines. Given the trends that we discussed, we see great opportunity here as a combination of our industry-leading plan, Access Management and DevSecOps solutions will enable us to bring some highly differentiated Identity Security capabilities and best address the market trends and needs. Our comprehensive Identity Security offering provides great flexibility to our customers to start the Identity Security program with some elements of our offering and gradually expand to additional areas based on their needs and requirements. As you've heard from Udi and Clarence, and as we discussed in this session, Privileged Access Management is one of the most critical security layer and is the top priority of enterprises. Therefore, typically, our customers will start their Identity Security journey with our Privileged Access Management solutions. This will allow them to focus on securing the most powerful access to their applications and infrastructure, whether on-premise sales or on cloud. This Privileged Access is usually ended by the customer's IT teams, but in many cases, it is also done by third parties that need to access the customers' IT environment for remote to maintain and support systems. In this case, it is common that the customer will expand the solution to our vendor Privileged access manager. In other high priority initiatives that our customers often take on is to secure their end points, especially since end point is often the point of initial infection in a cyberattack, including ransomware. Removal of endpoint local admin rights is a key step in preventing attackers for moving laterally. It is done as part of a defense and depth strategy alongside antivirus and IDaaS software. This can be achieved by deploying our endpoint Privileged Manager Solution. Our PAM customers also turn to CyberArk for their Access Management modernization projects. Organizations with one or more legacy Access Management vendors sees the opportunity to modernize the Identity Security stack to reduce costs, strengthen their security posture and drive more efficiency into their business. We are supporting our customers in this journey by providing modern IDaaS for single sign-on, Idaptive benefit and life cycle management. This is a great new landing point for us, particularly for customers who recognize the benefits of our Identity Security vision. They appreciate that in today's IT environment, we need a combination of ease of use and strong Identity Security controls to defend against attacks. Another common way for our customers to leverage our Identity Security offering is by expanding from securing privileged access for human identities to also secure projects for applications and machine identities. With our secrets management solution, customers can secure credentials used based security, IT management and RPA software by leveraging more than 200 out-of-the-box secrets manager integrations available from CyberArk and our partners. They can also secure credentials and secrets that are used by ongoing traditional applications, DevOps tools and cloud native applications. We provide a highly differentiated, unified approach to secure application credentials from main form to hybrid and multi-cloud. And last but not least, as part of their cloud journey, customers are increasingly asking us to help them reduce the risk of accessing the cloud permissions or permissions drift. Our innovative Cloud Entitlement Manager solution that was launched back in November last year help the organization to simplify the process of assigning and reviewing entitlements for human and machine identities for infrastructure-as-a-service and for platforms-as-a service. This offering mitigates the risk of having over permissioned identities, which is a critical vulnerability in today's IT environment. All the elements of CIBA's Identity Security portfolio are based on the core principle of our bridge. This is also a key principle in zero trust, and we are seeing customers use PAM and our Identity Security portfolio as the foundation of these initiatives. To sum it up, as you can see, our Identity Security offering, this is a major pain point for our customers across access, PAM and DevSecOps. Our Identity Security platform provide us with multiple opportunities to deliver more value and deeper security for our customers, starting from a position of strength with PAM. The Privilege, Access and DevSecOps solutions, together with our ongoing innovation, are all designed to share the benefits from our Identity Security SaaS platform. Looking under the wood, the platform is being built as a cloud-native serverless architecture. It will provide an integrated and holistic user expense for end-user and the admin with an API-first approach to easily integrate our SaaS applications onto the platform. In addition to the direct value to our customers, the platform shared services will also shorten our time to market. We will be able to deliver new SaaS-based services at rapid pace and continuously enhance the functionality we provide. It is particularly important given the dynamic nature of today's IT environment, but also as we deliver ongoing value to our customers as part of our transition to a subscription model. In addition, the platform will integrate with on-prem PAM products to enable these customers to consume modern SaaS offering as a hybrid integrated solution. The integrations between our on-premises PAM subscription offering and our SaaS platform will enable large enterprises who prefer to keep the keys to the kingdom on-premises to benefit from our robust SaaS capabilities. We've already made considerable progress executing against this vision, including developing integrations between our Privileged and Access Management solutions. In addition, as Matt will talk about, we introduced new PAM subscription offers in January that combined PAM with remote access and our workforce identity SaaS capabilities. We are incredibly excited about our Identity Security platform and our SaaS strategy. But it is also worth taking a quick look back and realize how advanced we are in our SaaS journey and how much of our portfolio has changed in a relatively short time. It is almost hard to believe that at our last Investor Day in March 2018, the only SaaS offering that we had was Endpoint Privilege Manager. Look where we are today, and we have a lot more exciting SaaS innovation planned across all our 3 pillars. CyberArk is well positioned to deliver our new SaaS Identity Security platform while continuing to provide the required functionality for customers running our software on premises. We have a strong global R&D organization with highly talented and experienced engineers and a proven record of continuous innovation. Based on working with some of the world's largest organizations and most forward-thinking CISOs, we've had to inform a strategic direction. We are investing and expanding the team across our R&D centers around the globe, including Israel, India, the United States and Ukraine. In addition, during the last several years, we have added 2 important arms to our innovation engine. CyberArk is one of the most sophisticated cyber research lab with cyber researchers who bring unique expertise and knowledge in both defense and offense attack techniques. The cyber research lab investigates our new attack techniques and technology trends might impact the threat landscape. We incorporate these insights to our product strategy to ensure CyberArk provides the most advanced Identity Security solution to our customers. A couple of years ago, we also established a new innovation lab that provides an incubation platform to expedite the validation of new innovative ideas and nature, the more promising ones from an idea to product offering. The innovation lab has already proven itself, but then a critical role, introducing our remote access and Cloud Entitlements Manager offering to market. This unique experience cannot be replicated. Our approach, extensive security expertise and leadership position in Identity Security put us in a great position as we deliver against this vision. To conclude, as a 20-plus year veteran of cyber, I've never been more excited about the opportunity ahead of us. Our world-class product and R&D team is building a highly differentiated Identity Security platform end code in Privilege. We're investing in SaaS while continuing to address on-premises PAM needs. And with our kind and future product offerings, we are well positioned to lead this expanding Identity Security space. I will now hand it back to Clarence to hand our customer panel. Thank you and enjoy rest of the event.

A few days ago, I had the opportunity to meet with several of our key customers to discuss the trends in our industry and how that's impacting the threat landscape. More importantly, we talked about what they're doing to address it, and how CyberArk can work with them. That was a phenomenal session with a great set of people. I welcome you to go back and relive that moment with us.

In today's session we'll explore key technological and cybersecurity trends shaping the market and share ideas on how to address the challenges organizations are facing as a result of them. So I would jump into it. I'd like to start by asking each of our panelists to provide a background on themselves, their organizations and then talk a bit about how CyberArk is helping them execute on their respective strategies to secure higher risk identities. Melissa, why don't we start with you.

Okay. So my name is Melissa Carvalho. I'm the Vice President of Identity and Access Management at Royal Bank of Canada, often referred to as RBC. We have approximately 80,000 to 100,000 internal users, which I secure and provide identity solutions for. And we have 14 million to 16 million customers across the globe. In addition to my role at RBC, I'm also the Canadian ambassador for Women in Identity. What is Women in Identity? Well, it's a not-for-profit organization run completely by volunteers, whose purpose is to promote parity with respect to opportunity, reward, recognition and professional mobility in relation to gender intersectionality, age, race, ability, ethnicity, sexual orientation, creed and social status. Basically, equality for all. I have about 20 years of experience in identity and Access Management across various industries in North America. I'll allow the others to introduce themselves, and then I can jump back into the strategy of what we're doing at RBC.

Absolutely. Thank you so much, Melissa. So Ricardo, if you don't mind, why don't you tell us a little bit about yourself.

Absolutely. Thank you. My name is Ricardo Lafosse, and I'm the Chief Information Security Officer at Kraft Heinz Company. For those not familiar with Kraft, for over 150 years, we have produced some of the world's most beloved products. We're one of the largest global food and beverage companies with 2020 net sales of approximately $26 billion. Our portfolio is a diverse mix of iconic and emerging brands. As a guardian of these brands and creates of innovative new products, we're dedicated to the sustainable health of our people and our planet. A little bit about myself. I've been in cybersecurity for over 16 years in various different industries from legal, government and health care. And I'm a staunch advocate of cybersecurity initiatives across not just the organization I'm part of, but globally, I speak quite often in national forums and international conferences. Thank you very much.

Thanks so much, Ricardo. And Tom, why don't we go to you next.

Sure. Thank you, Clarence. This is Tom Malta. I am the Head of Identity Access Management, Navy Federal Credit Union. Navy Federal is the largest credit union in the world. We have over 10 million members. We don't like to call them customers. We actually like the call them members. These are all military, active military, retired and their families. So very proud to be part of the organization and giving back for the last 4 or 5 months since I've been here. As part of our strategy, in Privileged Access space, we're looking across the entire enterprise, and CyberArk is really key to that as we're growing the business as we're continuing to roll out services in the IM space. The Privileged Access arena is by far one of the most important. And a little bit about me. I've been in IM about 20-plus years now. Been in the financial services sector my entire career before IM as a developer, and happy to be here today with all of you.

Thanks so much, Tom. That's excellent. Dipak, let's round it out with you, but tell us about yourself. And then also your history with CyberArk.

Thank you, Clarence, and glad to be on this panel with distinct panelists. My name is Dipak Rath, and I'm Manager for Identity and Access Management in Delta Airlines. Responsible for various services within the portfolio, authentication, identity and Privileged Access Management. We look at our enterprise and our partner and customer, managing hundreds and hundreds and thousands of accounts. But primarily, on Privileged Access Management space, running the program for the organization is the foundation for how we look at securing our footprint. Regarding my career, 2 decades of cybersecurity experience leading program for Fortune 100 companies. A lot of that has been in the identity and Access Management space, but also across other sub functions, network, endpoint, data protection and governance, risk and compliance. And my relationship with particularly Privileged Access Management in CyberArk, as the company goes back to my prior life, which was in the retail industry and had the privilege to implement CyberArk on the backs of a massive data breach for the retail company. And you speak of having the luxury of implementing a program over weeks and months and so on and so forth. When you try to bring that kind of speed to recovery mode from our data breach. Everything goes out of the door. So we really implemented at a fast pace there. The company was always there alongside implementing it. Personally, I have learned a lot from that experience, which have brought into the aviation, the airline industry, we've implemented CyberArk, with the lessons learned so on and so forth. It's been great. And I've seen the company from pre-IPO, and at this point, having gone public. I think the company retains its spirit of nimbleness and acting like a small company and always being there from a support perspective. So it's great.

Excellent. Thank you so much. And if I circle back quickly to Ricardo, if you can tell us a bit about how you're working with CyberArk, and how we're fitting into what you're doing with cloud and hybrid.

Yes, absolutely. So identity is at the core of our strategy. Controls should always pivot back to the identity and then follow the data and controls regardless of where the endpoint is. So for this year, we have 5 key tenants behind our overall strategy, and identity and privileged access is core to all those different pillars. The first one is visibility. As following the data and protection for on-premise and in the cloud, again, pivoting back to that identity that really designates what type of controls, where and how they're implemented. The second one is really important to me, and that's the user experience. To ensure that these new controls and experience is not causing additional friction to the end user community because in my experience, a poor user experience results in poor adoption. You're going to ask users to use privileged access or privileged session monitoring, you want to be seamless and easy for them. Otherwise, there's going to be that friction and the adoption is not really going to be there. Third is proactive protection through automation. The threat actors are using automation. We need to match the speed and protection behind our threat actors and being able to quickly pivot and fed within our code privileged access instead of hard coding passwords, really helps us have that complete ecosystem of automation privilege access across our organization. The fourth one, what I'm really proud of is our cloud transformation. We have 2 main tracks: one around SaaS, having the additional visibility and controls across our SaaS, going back to that federated Identity; and then IaaS, our developer friendly guardrails and governance, again, focus on the identity. As you onboard a new subscription, the identity drives all the controls for that specific user. And most recently, we moved from our on-premise cyber to a PAM SaaS solution, which allowed our teams to focus on strategy, application and not worry about the back-end infrastructure. This has really relieved our teams to ensure that they can focus on the key attributes of the product and continue to expand the adoption in the cloud. And more importantly, in the cloud, the CyberArk solution allows us to be able to use native cloud tools alongside CyberArk to ensure that we have that cohesive and collaborative environment with our development community. And then fifth, operate at the speed of business. If it takes us 4 weeks to provision account, the business is going to go around this. So being able to be lockstep with them and provide the controls, safety and assurance that we're here to protect the business.

Thank you so much. And Melissa, I did want to go back to you because you were so kind to kick us off and then allow us to go into the flow a bit. But if you could share a bit more about your background with CyberArk, and then really your strategy is to secure identities.

I think I would agree with everything Ricardo said, so I'll try and talk about something slightly different. One of the struggles we had before we met CyberArk, and we adopted the CyberArk solution was just figuring out what our privileged access was, getting inventory. So something as simple as figuring out in inventory of our privileged IDs, and CyberArk was instrumental in helping us accelerate that journey and get that done. Many organizations go out there and they get a questionnaire, and they start asking the business, which know nothing about identity. What is your privileged access? We then moved quite fast into cloud and SaaS solutions and looking at securing that. And one of the things that we're really proud about that we started doing is looking at behavioral analytics in our strategy moving forward. That's become pivotal and important in what we do, not only analyzing the behavior and the patterns but putting risk scoring behind that, adapting our controls, looking and monitoring and usage of that, and the PTA solution is important to that. Another aspect that I'd like to talk about is things like stronger form of authentication biometrics, the Alero solution, for example. We need to look at layering our authentication, increasing it and then offering a higher or a step-up authentication when we look at higher asset transactions, et cetera. The higher your privilege, the higher the authentication you need to provide. Those are a couple, not to take away from like what Ricardo said, but additional things that are in our strategy as well.

I think in terms of trending, as we think about just moving to the cloud, and you guys covered some of it in, I think, the Zero Trust model, in particular, giving out access to people, the way we used to do it the last 20-plus years, we really need to minimize that, the whole concept of just giving people what they need at the moment they need it, that just-in-time concept, I think, is going to be really big and something that we're looking at sort of dynamic authorization of access as opposed to, hey, I'm going to give Tom these 12 things. And yes, maybe he doesn't need all 12 of them to do his daily job, but he might need some of them at some point. No, we don't want to be doing that anymore, right, because it drives up our provisioning cost, drives up our certification costs, it increases a lot more risk for the firm, right? So Zero Trust in an identity-centric security program is absolutely paramount, right, in trying to minimize that surface area.

Excellent. So we've heard a lot of great things here and talked about the shifts in the market that were occurring even before COVID hit and definitely before SolarWinds and the proliferation of identities and privileges and how controlling and managing them really needs to be -- and securing them really needs to be at the center of it. Before we leave here, are there any other thoughts here on specifically how securing identities is really at the center of these security strategies? Anything else that we should make sure we get out there before we wrap as a panel?

I would say, from our perspective, it's -- as we start embracing the cloud and then also being manufacturing many of our IoT and OT devices don't have a user interface, their main way of communicating is through machine identities. I think there's going to be a larger proliferation of the importance of machine identities, and they need to be treated just as like normal user ID. One of my engineers jokingly calls it, we need to secure both carbon and silicon identities, and they must be both secured equally. I love it. I think it's really lovely. And I think also to that is expanding our PAM to also the social media of the house. So as a big brand, we have a big social media presence, and that's also core to our business because we have reputational damage if someone can take over an account, post whatever they want. We see in the past that an account takeover on Twitter can actually impact stocks or the way people perceive an organization. So we started to review and do additional pilots with a great balance of how I see of usability and security using the Alero platform through our marketing team, where they really don't need to know what the credentials are. They can check in the account, do what they need to do in social media and check it out. It's that perfect balance, in my opinion, from security and usability with the best user experience. We have a lot of external trusted partners that help us engage in the social media side of the house. I know I've been harping on Alero. It's a really slick and nice solution, specifically for our social media side of the house. And then kind of hitting on the least privilege, we're going through a transformation and transformation under coverage is also a bit of cleanup to ensure that our least privilege becomes and stays least privilege. As you have identity sprawl and people transfer, so on and so forth, those privileges on occasion can transfer with them and being able to really put the nail in the coffin specifically for the privileged account. If you transfer your privileged account, it must be destroyed. And once they're destroyed, you can restart from the bottom up, and I think those rituals and routines is really what we need to work out.

Yes. I was just going to chime in and just to add to what Ricardo just said. I think as we're moving to the cloud, particularly the big 3, right, each of them have their own identity and access management solutions, right? So you end up with apples, oranges and bananas, if you will. And now you have that explosion of identities, Ricardo touched on it. Machine identities, API identities, VMs, et cetera, have now exploded, and you need to manage all of that, right? So that sort of IdP orchestration of bringing all of those different identity providers together and knowing how all those credentials mapped are key, right? Particularly if you're using a multi-cloud strategy, either for BCP purposes or just as a backup or maybe have different businesses, right, that one of them likes Google, the other one likes Azure. And now you need to manage all that, right? It becomes really challenging because you don't really have a good way to orchestrate it with each of these different big 3. Looking at this problem, I think people are in multi-cloud today, right? And even if you're using just a software-as-a-service provider and you got an on-prem solution, you're multi-cloud, right? So that really starts to bring in challenges of how am I managing those identities, again, that are going up to each of these providers. Particularly if you're doing like -- using the cloud for multiple deployments at the same time, right? Through your DevOps pipeline, you might want for either scalability reasons or geography reasons, right? You might be splitting your stack across multiple cloud providers. Well, now, again, you don't have apples-to-apples anymore. So you start the need to manage those provisioning of that authorization, right, within each of those providers is different. So you have to have a way of bringing it back together. And so that's the pineapple, by the way, right? So if you think of apples, oranges and bananas, we need to transform them -- my food analogies, guys, sorry, into a pineapple, right? We can manage policies through the pineapple, right, as a centralized service, and then we need to push them back as an apple, an orange and a banana. And that's the way that I think people are starting to think about how to manage that multi-cloud problem, right? So if you've got a privileged support person who has access in multiple cloud environments, multiple different levels of access, right? Now you can control it through a centralized point. You tie it back to your identity life cycle event, a person leaves or transfers, now you can drive workflow to manage all of those connections, right? So it's definitely a complicated problem, but we're starting to see a lot of buzz in the industry. And again, of course, you layer privileged on this, right? It gets much, much more complicated, right, because of, again, the explosion of identities in the cloud itself.

Yes. I would add to it that I look at the -- in the heart of the Zero Trust model is identity. And when you look at identity-centric security, matched up with network-centric security, and both being aware of each other, identity-centric security and network-centric security, that's kind of sort of the building block of Zero Trust, and it really comes down to the identity-centric. And doing so with a sense of automation, right, API first. So you're not slowing down the DevOps pipeline. At the same time, you have the guardrails in place where they can drive their car through, right, things of that nature. That's going to be at the heart of it. Fundamentally, we've all turned the corner around privileged credential in the platform environment in our databases, servers, endpoints, network devices, directory, so on and so forth. But now the universe is expanding so fast and so widely that all of these -- what I call the environment that needs to be protected at the same time with identity-centric approach, security approach.

Obviously, a lot has happened with COVID and with SolarWinds, et cetera. How do you really see that shift your business, change the threat landscape? And what can you tell us about how you're addressing that? And I'll open it up to the floor. Anyone who would like to jump in on that one?

Sure. I'll take the first stab at it. So the trends that we're seeing are -- phishing is getting more and more sophisticated. They're really hitting that emotional string on a lot of our employees. Specifically when COVID first happened, there were very targeted attacks related around COVID. Click on here, and you can see a map of your neighborhood of who's infected, this emotional string they were pulling. And behind the scenes, it was either a malware or an attempt to do an account takeover. Going back to the second, you can get that access, you can start escalating privileges within your organization. So seeing that -- a continuous evolution of phishing across organizations has been very prominent. It spiked up now to plateau. Now we're seeing little spikes up and down from our organization and I think the industry as a whole. And then on top of that, I have to talk about SolarWinds. It wouldn't be fun or a panel if we didn't talk about SolarWinds. So it's really around reviewing how supply chain risk is being analyzed and reviewed. I think the SolarWinds attack really highlighted that we have severe gaps in our third-party risk. Even though, in my opinion, I don't believe even a full-feature third-party risk would have caught this. This really goes back to the crux of supply chain. Are we reviewing and analyzing every single open source library that we're embedding into our products? Or are third parties doing the same type of due diligence? So I think this is just a tip of the iceberg and there's going to be a lot more coming out of this. We're already seeing new anecdotal evidence on a daily basis on different types of attacks that have similar threat profiles. And then finally, I think API is going to be the next major attack vector. As more organizations go through a digital transformation, start adapting automation, real-time data analytics, APIs are at the core of these communications. And I don't believe all organizations are ready to fully adopt the API and be able to fully utilize it in a secure manner. So I think there's going to be an uptick on misconfigurations or not properly authenticating API communications.

I'm just going to add to what Ricardo was saying around APIs. I know that one of the things we're looking at is -- we often look at user identities when we think of privileged access management. But what about all the RPA and the robotics identities and do we consider those privileged? I know many in the organization start to argue with us when we say, no, those are also privileged identities that we need to monitor them and secure them. Also, when you talk about phishing, spear phishing, so that more targeted phishing on individuals of high access or high value, we see impersonations as well, so executives, investors and exploiting their credentials. And then even things as simple as weaknesses in our Zero Trust implementations and weaknesses in our security solutions, just simple user ID and passwords can be hacked very easily.

Yes. It's a grim reminder what happened with SolarWinds is the backdoor and channels which are traditionally very trusted. But Zero Trust kind of puts that back on the question of trust but verify. And the way we look at it is, particularly is -- I think Ricardo touched on it is the foundation. The foundation of privileged access management needs to be really put in place. A lot of times, implementations are done on the backs of compliance in its software check box item. We've got to go beyond compliance. Security goes beyond compliance. And that's how our privileged access management program powered by CyberArk has helped us achieve that. PAM solutions to deploy foundational capabilities, making sure the governance is in place, the discoveries are done. You should be able to answer that question, how do you define privileged credentials? And what kind of inventory do you have with your privileged credential? That's basically the foundation aspect of it.

Thanks so much. This has been truly outstanding. It's been a pleasure. And of course, we appreciate you not only as our customers but also as our partners. So I'd like you all to stay safe and be well.

Thank you.

Thank you very much.

Thank you.

Thank you, Clarence.

Thanks, Clarence, for moderating that engaging panel discussion. At this point, we plan to take a very quick 10-minute break. When we come back, Matt will provide more details on our go-to-market strategy before Josh outlines our subscription transition and what the business will look like. See you in a few minutes. Thanks. [Break]

Welcome back. For those of you who don't know me, my name is Matt Cohen, and I'm the COO here at CyberArk. And today, I'm going to help explain our go-to-market vision and strategy as well as our go-to-market priorities for 2021 and beyond. Now when we think about the 4 pillars we've been talking about throughout this morning, I'm really going to focus in on growth and the transition to subscription. But clearly, we and go-to-market have a role to play in constantly innovating around our go-to-market engine and helping to drive profitability and health and financial strength through driving leverage and scale and ultimately, productivity throughout the go-to-market organization. For today, I'm going to detail a little bit of my perspective around the TAM and market opportunity, then go into an overview of the subscription transition at a high level and what it means for the go-to-market organization. And then I'll spend most of my time on the core go-to-market priorities that will help you understand how we're going to execute against the great opportunity we have for CyberArk. So let's start with the market opportunity that Clarence did such a great job just a little while ago outlining for all of you. I have the unique opportunity to talk with customers day in and day out. It's actually my favorite thing about my job. And when I talk to customers today, there is a shift in how customers are thinking about this market. It's no longer a question of why. It's really a question of how. How they can get to the level of security that the identity security space and PAM at its center can deliver for each one of these customers? That validates our role, the actually unique opportunity for CyberArk within this overall TAM. And it speaks to the $20 billion opportunity that's on the slide. What's more, we're able to engage in these meaningful dialogues with our customers, and they're helping to shape our vision around how we approach the tailwind side of this slide. They're actually engaging with us and encouraging us to move into these other adjacent areas. And by virtue of that, we understand well where we can capitalize on the greater $50 billion TAM that's outlined on this slide. As a member of the go-to-market team, it's exciting to actually be in this position with our customers and have this much market opportunity to go after. So now I want to move on to the subscription transition as a whole. We've all seen these transitions happen, and they really have become part and the mainstay of how software providers are delivering value out into the industry. The relationship that gets built as a subscription business model is a much healthier one. It allows us as a company to focus on delivering value over the lifetime for the customer. And in return, we get more revenue, more ARR and ultimately, more value back from all of our customers. Ultimately, this creates a more stronger CyberArk for our investors, for our shareholders and for all of us. But in order to succeed in this subscription transition, it requires a shift in focus for the organization, for the company, for CyberArk. It requires us to focus in on these value elements. It shifts the focus from presales to post-sales. And what that means is it starts with a relentless focus on the ability to be able to deliver first value. For many of our customers, this first value revolves around the idea of satisfying audit or compliance or maybe a Board initiative or maybe a post-breach remediation effort. But we really strike up a new relationship with our customers when we move from first value to recurring value, and recurring value comes in with the idea of driving operational efficiency and defending against attacks. Ultimately, though, our goal is to get to transformative value to create a more meaningful relationship. And for us, transformative value is defined as our ability to help our customers drive their business objectives without fear around their cybersecurity posture. As they move through digital transformation and move to the cloud and respond to the hacker innovation that Udi talked about this morning, transformative value comes when we can make sure they can move with ease and without fear. Now in order to get this shift and focus towards value, we at CyberArk had to engage differently with our customers. We had to have a different customer engagement life cycle and something that I've implemented around this CARE model. Now CARE stands for close, adopt, renew and expand. And it's a way of unifying the go-to-market organization as one entity to make sure we're approaching the customer with one voice to help prospect and land in the close phase, to make sure everybody in the company is focused on adoption, so we can get to renewal and ultimately open up the opportunity for expansion overall. This CARE model is -- will help us drive the up and to the right growth of our ARR. And the good news is this is something we've been implementing for more than a year to get ready for this subscription transition and to make sure we're ready to respond. If I move past the high-level subscription transition, I now want to spend some time on our go-to-market priorities themselves, and there's 4 of them that drive our strategy. The first is how do we operationally execute the subscription transition effectively and efficiently. The second is how do we drive top line bookings growth for the organization and for the company. The third is how do we protect the ARR we have with a customer success culture and mindset. And the fourth is how do we implement a series of scaling functions that allow us to get the most out of those first 3 priorities that I talked about. So let's dive into each one of those for a couple of minutes, and I'll spend the most amount of time on this first one, which is the subscription transition. Now many of you know that I've been through this subscription transition before, and what I've learned is the more programmatic, the better. We have to hardwire our success to make sure we're in control of the subscription transition throughout every phase of its life cycle because the goal isn't just to get to the end where we have the business model, but to get there as fast and efficiently as possible. And so our programmatic approach starts with the idea of creating a pull from the market. Now we're lucky here at CyberArk that a big portion of our portfolio is SaaS. And when it's SaaS or you're a SaaS-heavy transition, there actually is an inherent value in SaaS that customers just recognize. And so much of our portfolio is SaaS that it's compelling for them to move to that without too much incentive, primarily for our PAM portfolio, where we expect to actually deliver a large portion of on-prem subscription. We want to make sure that there is a pull in the market to take customers that might be on the fence between perpetual and on-prem subscription and move them as fast as possible. These new subscription seats with inherent value and built-in capabilities around things like remote access; MFA; single sign-on; LCD, or loosely coupled devices, these are extra capabilities that our customers get when they procure our subscription seat. And it helps create that pull in the marketplace. But in addition to the pull, we need to have a push. And anyone who's been through this transition knows that the sales professionals can help guide the transition process very effectively, and the way you do that is with a well-designed compensation plan. Rest assured that we've designed a plan for 2021 that incents our go-to-market resources to push subscription in SaaS. They make more money and they make more money in a very specific way if they can engage with customers and help them make the right choice in their buying motion. But there's 2 other areas here. One is we have to actually continue to enable and support our go-to-market resources. And we're doing that, not only training them on the new offerings or the new comp plan but actually on the inherent benefits of a subscription model, the flexibility that comes with that, why a customer has a lower cost of ownership with a SaaS portfolio or a SaaS product. And then finally, we have the idea of creating a common support mechanism. And one area of focus for us here is a global deal desk with embedded resources in the field that can help to consult with the field resources on how to package something up, on how to position something. And also some of the uniqueness of selling subscription in SaaS, like yearly price increases and how they actually can purchase follow-on purchases in a seamless and easy manner. Altogether, this programmatic approach to our subscription transition is going to drive success. It's going to drive us to the finish line that Udi and, in a couple of minutes, Josh will talk about. And it gives us a tremendous sense of confidence that we can get through this in a very effective and quick time line. The second go-to-market priority for us and really, the heart of any go-to-market organization, is around growth. And our opportunity to both grow our base of customers, 6,600 and growing; and pursue new prospects that are out there, more than 70,000 that we think are ripe for our solutions, is really the underpinnings of our overall growth strategy. You heard Chen talk this morning about some of the use cases that drive this growth. I want everybody to understand inherently that deep within our base is customers who can have more capabilities deployed across their enterprises within our PAM suite. So many of our customers are sitting where PAM started, which is protecting the most critical users with the most critical on-premise assets. But the reality is that we see so many customers now starting to expand. They're expanding to hybrid and cloud workloads, and then they have entitlement creep within those cloud workloads. They're expanding to the end point where privileged access and the ability to be able to remove local admin rights and implement a least privileged approach is taking off. They are actually seeing the proliferation of nonhuman identities that come into play in the DevSecOps world, where we're talking about custom and dynamic developed applications throughout the DevOps world as well as off-the-shelf applications and bots and RPAs. And then you see customers really starting to understand how customer and workforce identity becomes a key driver as privileged proliferates where any user, as you've heard this morning, can become a privileged user at any moment. When you start to think about that opportunity, so well described this morning, you start to understand our ability to expand the base as well as land new logos. And so within go-to-market, we're focused on a couple of areas here around growth. First is extra capacity. We need more feet on the street. Actually, the opportunity is so large that we're adding capacity into all territories in all regions around the world. But we also have to be smarter and more efficient in how we do that, and that's where this idea of speedboats come in. Speedboats with business leaders that are helping to organize our perspective on who to target, what the use cases are, what the core sales plays are that will help us win against those use cases and then bringing to bear overlay, sales and technical expertise that actually help to augment my core sales capacity and how they go and drive business. And so when we think about our ability to expand the 6,600 customers that we have, these new resources are going to help us with the up-sell and cross-sell motion. But they also give us an opportunity here to go land across those 70,000 prospects with new tips of the spear. The idea that we can hunt with workforce or customer identity, we can hunt with endpoint privilege, we can hunt with DevSecOps and secrets management. All of this together represents such a great opportunity for growth. The third go-to-market priority, which builds off of that, is our ability to be able to secure that growth, which actually is our ability to be able to protect the ARR that we have and that we'll be building. And here, we've been focused on building a customer success culture and mindset for a while. This year, we're focused on actually elevating the capabilities within the organization by bringing together our customer success org, our services org, our support and education orgs all into one unified customer success group under our first Chief Customer Officer. And then we've supported that organization with new packages that allow us to be able to offer a 365-day view of adoption and support to create a better relationship with us, our partners and our customers to drive overall success. And then we further augment that with an investment in our PAM blueprint, which gives the adoption, know-how and steps of how someone should move through their PAM program and data and analytics to help us understand who's at risk to churn, what are their health scores and how do we have clear interventions to make sure no customer is left behind. The final area of our go-to-market priorities is really a reflection on the first 3. It's our scaling factors. And it starts with the idea, most importantly, of building out and scaling our partner ecosystem. Now we have a great partner program here at CyberArk, and it runs the gamut of advisory firms like PwC and Deloitte, Accenture and the like to strategic resellers, down to what we'd call transactional resellers or distributors and even into the MSP world. But when we think about our partner program and scale, it's really about enabling those partners to be able to sell the full identity security vision, to help support them as they transform their businesses to make sure that our partner program is supportive of incenting the right behaviors. And building out some areas that, frankly, are in the early stages, like, for example, our MSP program, where we've signed up 22 of the top 25 rated MSPs around the world, but we're now building a model that helps scale with them. Partners blend into marketing where we're working on co-marketing with those partners. But we're also focused on building up our marketing engine, making sure that we use the latest analytics and data to drive our targeting intent scoring. To make sure that we actually have a full digital motion, which COVID has been wonderful at building up those capabilities throughout our enterprise. And ultimately, our ability to be able to approach those 70,000 prospects to make sure they understand the full value story that CyberArk brings to market. The third area on the slide is this idea of operational programs, and this can run the gamut of enablement but also into core, specific programs like deal scoring. Deal scoring is something we're implementing here at CyberArk that allows us to be able to incent our sales professionals to sell at a lower discount or drive up the ASP and actually allows them to get real-time feedback of how they're doing versus their peers and incents them where they make more money if they can cut down on that discount. It's something that's been implemented at many organizations around the world. I've implemented it before, and it has a real impact on our ability to be more operationally efficient. And then finally, you've heard it throughout my whole presentation today, which is this idea of data and analytics. Data and analytics are a core driver of our overall success in marketing, in sales where we put our resources, in customer success, predictive churn and across the entire go-to-market enterprise. And it's a really exciting opportunity for us to scale up 1, 2, 3, 4 steps more and driving our overall go-to-market engine. So as you think about what I've outlined today, the core market opportunity and our ability to have how conversations with our customers, our readiness to embrace the subscription transition and then the go-to-market priorities that will drive our success, you can see why I'm so excited about what we have to offer and what we're able to drive here in 2021. You'll also see why we're so confident in the numbers that Josh is going to talk about in just a couple of minutes about our long-term plan as well as how we're going to do in the short run. But before we get to Josh, which we're all excited to hear from, I have the unique pleasure of introducing a video segment that I recorded earlier in the week with Colin Williams, who is the Chief Technologist at Computacenter U.K., a key partner for us at CyberArk. And I was able to talk with Colin about his view of the identity security market, CyberArk's role in that market and why he chooses to partner with CyberArk at all. It was a great conversation. I hope you enjoy. Thanks for your time this morning. So Colin, as you know, and you're right in the center of it, we believe that our partners are going to play an increasingly important role in our go-to-market and our positioning out amongst our customers. And we want to take a little bit of time and just pick your brain a little bit about what you're seeing out in the industry so that we could share your viewpoint with our investors. So I have a few questions for you, and maybe we can just dive right in.

So Colin, if we start with, how do you see the role of securing privileged access evolving? Are you seeing organizations change or mature their approach in this area?

So they're now starting to take it more seriously than they ever done before. Previously, it was deemed to be important but not essential. Now it's considered essential. There have always been a massive spate of highly publicized cybersecurity attacks, and I suppose, organizations got somewhat numb to the most recent bulletin about an attack. What makes it different right now is the impact and the ferocity of the attack once it actually starts in an organization and how fast it spreads. So let's raise the awareness of people that least privilege-type architectural ideals, privileged account security, privileged account management is no longer a nice to have. It's a fundamental security control to minimize the impact of an attack if it happens or ideally to be one of the most important parts of your armory to stop it happening in the first place.

Yes. I think we're seeing that awakening moment, if you will. Maybe -- could you comment, it's in the press a lot these days, and we talk about it a lot with our customers, this particular event around the SolarWinds attack and kind of some of the elements you were just talking about. Do you see that playing a part in conversations with customers these days or in their rethinking their approach?

SolarWinds was a wake-up call. I think we will be talking about the consequence and the learnings of that attack for a long time. And it's changed organizations' thinking about how effective their existing perimeter-centric or quite siloed security controls are. So people are now seriously considering, do I have too many technologies, overlapping functionalities from vendors that actually don't integrate very well? Do I understand if I really do have a least privilege? And I won't even use the word Zero Trust as a moniker that's used. It's almost a dynamic privilege way of delivering IT security controls. And do I have comprehensive visibility of my estate? If you don't have many of those, if something like the SolarWinds attack happens -- and for many people and many of the analysts who will discuss this, even with the security controls many of our organizations have had, it was one that was hard to defend against. So if you end up with an attack of that level where your existing defenses, for whatever reason, can't actually support the defense of that attack, you've got to have other controls that minimize the impact of that attack. Least privilege is probably the best of all at minimizing the impact of lateral spread, lateral movement. So if an attacker does get in, which is pretty straightforward in the modern age, I've got a reasonable -- reasonably clear understanding of how far they can go. I've got a reasonable understanding of how quickly I can address them and stop them. And I know damn well that the attacker themselves, if they can't get much further than the direction of travel they wanted, they'll quickly move on to another target. So SolarWinds is an absolute wake-up call for the industry. It's a rethink of the multiple decades of security. And from an identity point of view and from a least privileged point of view and last but not least, Zero Trust point of view, it's put all of them firmly back on the table.

That's really, really well said. And with your expertise, I think it's very relevant to where we go as a company at CyberArk, kind of listening to those type of guidance around how we need to rethink the industry. Can you share a little bit about what you see around the larger identity security kind of vision that we have and how identity and PAM are coming together?

Almost going back to basics to understand what does digital identity mean for me in this new age, a new age of transient workers, a new age where work is no longer a location-dependent activity. It's an output of somebody's labor or product of their labor. So if work is no longer an output, so if work is no longer on location, I can deliver work wherever I choose. Your security controls, my digital identity needs to give me the access you expect, irrespective of my location, and I decide where my location is in real time. That's a completely different way of looking at the identity conundrum that we've had for years. And so organizations like CyberArk that bond the 2 together are in an advantageous position because whether we bundle it together in a platform or you bundle it together operationally further downstream, somehow those 2 elements have to work hand in glove to deliver that dynamic, sometimes just in time, but most importantly, a tested degree of security that you expect your users to have, irrespective of what they do, irrespective of where they are.

Yes. I think that's well said. And I think the other area that, that brings up is beyond the proliferation of users and the evolving of where they work and how they work is the increase in the amount of nonhuman identities that an organization has to manage and monitor from RPA bots to custom and off-the-shelf applications. And so maybe the other area I'd like your thoughts on is in this DevSecOps space of secrets management. What are you seeing there around awareness and trends for nonhuman identities?

So that market is almost one that's emerging. It's a problem that everyone has been aware of for many, many years. But because that team speaks to people like themselves and they speak to an awful lot of niche vendors and they speak to team members -- if you're an application development team, in many cases in an organization, you're pretty much ring-fenced. As long as you produce and deliver applications within the right time frame and life cycle, you're left to your own devices. And for too many years, outside of static and dynamic testing, there was an expectation security would happen upstream, think of that as being bolt-on security. But it's now a realization that built-in security is fundamental. So it goes beyond adding security champions into a team, but really changing the application development life cycle to make sure it's inherently secure from the start throughout the last cycle, and it continues all the way through until applications are released into production. That's -- again, there's a lot of rethinks going on, but that's a rethink of the behavior of developing and delivering applications, which puts security front and center at the heart of all of that. So for many of our customers, you're right, the proliferation of identities and secrets that now can be anywhere and everywhere are key. Cloud is doing a massive job in highlighting that. When you have the potential for roles, identity, access, secrets to be everywhere in a very dynamic way, how do you track that? How do you police that? How do you stop people embedding things in for convenience when it actually opens a door to a massive security vulnerability? So I'd say right now, that market is almost coming towards everybody as something to be actioned because it's moving out of the shadows of being a siloed market. And it's moving into the broad line arena, where there's an expectation that the corporate security governance controls policies will now affect that previously siloed application development team as well.

Really, really fascinating area. Maybe I'll wrap with a bit of a self-serving question, which is, I mean, obviously, we see you as a strategic partner and really key to our growth. Why do you partner with CyberArk? And how do you view the strategic nature of that partnership?

That's a very easy one. We're an organization that likes to partner, and we use that word intentionally. Us and the vendors that we work with have a single mutual customer, and we're a very, very customer-centric, customer-active organization. So the customer asks, the customer needs, the customer outcomes are key at Computacenter. So any partner that we work with has to have a similar value proposition, a similar moral compass, for want of a better term, to guide how they behave. So we work with CyberArk not only because they're a market leader in their space, but you almost take that as given. It's more about how CyberArk behaves as an organization, very customer-first. All about working together, we're in it together, that's the partnership that's fundamental to Computacenter. And all those -- it sounds a bit glib to say this, the people themselves need to be good people to work with. And all the people that we've worked with within CyberArk have been amazing people to work with. So the experience of working together and winning together is a great experience. That's probably longer than you expected, but it's something I can easily convey firsthand without notes because we live that experience with CyberArk every day.

Very kind, very much appreciated. We feel the same way about the partnership. Listen, Colin, thanks for joining me today and answering the questions and helping to really explain a little bit of what you see out in the market. It's really appreciated, and I've enjoyed the time very much.

Thank you very much. Much appreciated.

As most of you know, I'm Josh Siegel, CyberArk's CFO. I want to start off by thanking Matt for his discussion of the market opportunity, transition strategy and go-to-market priorities, not to mention that great follow-up with Colin. We're getting close to the end of the prepared remarks. [Operator Instructions] We are looking forward to the Q&A session later this afternoon. So let's begin. We want to start off today showing our confidence in the quarter and the year by reiterating the guidance we gave on February 11. We expect revenue for the quarter to come in between $106 million and $112 million with operating income of breakeven at the midpoint. This includes a mix of about 47% from subscription bookings and a $10 million revenue headwind created by the bookings mix shift. For the full year, we continue to guide revenue in the range of $484 million to $496 million with an operating income of $25 million. For the full year, we expect to see about $39 million of headwind created by a 55% mix in subscription bookings. Udi, Clarence, Chen and Matt, they all covered growth and innovation. They outlined our tremendous growth opportunity, our differentiated identity security strategy and our high-performance go-to-market engine. I'm going to focus on the subscription transition and its impact for financial durability. I'll set the stage and provide a brief financial overview. I'll outline the key elements of our subscription transition and then define what we expect the business to look like after we exit the transition and over the longer term. The CyberArk story has always been one of consistent growth and profitability. The business has been growing faster than a 20% compounded annual growth rate over the last 5 years. And if you take the revenue mix shift headwind into account, our CAGR was faster than 25%. We heard earlier about the market dynamics and our land-and-expand strategy. Our growth is also driven by diversity across products, diversity across geographies and verticals and delivery systems. On the product side, in addition to the long runway for growth in PAM, which Matt discussed, we are also excited about putting more muscle behind our DevSecOps and our access speedboats. DevSecOps Secret Manager, formerly referred to as Application Access Manager, was about 12% of revenue in 2020. Access, which includes our Workforce Identity solution or Idaptive, was about 4% of revenue. In addition, DevSecOps, in access speedboats, we see strong growth in our Endpoint Privilege Manager, which was about 8% of revenue. Revenues from our access are 100% SaaS, and EPM bookings have shifted already to more than 85% as cloud delivered. We plan for our subscription transition, coupled with speedboats, to accelerate adoption within our base. We can already point to many new logos who landed first with our Workforce Identity solution, our Endpoint Privilege Manager, before their entry into PAM. Geographically, we've consistently sold globally with about 60% in the Americas and 30% in EMEA and the balance in Asia Pacific, Japan. Regardless of the geography, companies from all verticals, though, need identity security. Last year, CyberArk had 9 verticals representing 5% or more of the business. And the great thing is, there's more room to expand within each of these markets. Let's consider for a moment the impact of digital transformation on the retail vertical or ransomware on hospitals, cities and towns, all of which are creating new identity security needs for these verticals. While still getting 800 new customers, we also saw our customer mix shift up to 75% from existing customers in the last year with really 2 major dynamics at play, emphasizing our growing opportunity. First, in the last 5 years, our customer base has more than doubled to about 6,600 customers at the end of last year. And we sell into large enterprises with meaningful IT environments that are undergoing radical change with cloud and digital transformation. This is really creating lots of opportunity to grow. As Chen and Udi talked about, we continually innovate and have more things to sell into our customers. There's Secrets Manager, there's Remote Access, Cloud Entitlement Manager and our Workforce Identity solution, all of them are new over the last few years. The second dynamic we saw was COVID. New customers starting smaller, buying for immediate need. While COVID impacted the size of the initial land, we'll continue to see the upside from these 2020 customers in the add-on business over this year and going forward. With our disciplined investments, we've consistently delivered profitable growth. We delivered 28% non-GAAP operating margins in 2019 and 20% in 2020. If we took our headwind into account, our non-GAAP operating margin was 26% last year, and our non-GAAP operating income in nominal dollars expanded over 2019. Our profitability also generated free cash flow of about $100 million in 2020. That's a 22% margin for the year, and that is after the approximate $45 million revenue headwind flowing downstream, which effectively further reduced profitability and free cash flow. Clarence talked a bit about our M&A strategy, but one thing I'm particularly proud of is that to date, we have funded our acquisitions, including Idaptive from last year, with internally generated free cash flow. As I wrap up the overview section, I would summarize that our strong and efficient business model gives us incredible confidence in our ongoing investments in the business. Our investments in landing new customers, expanding those new customers and delivering innovation and scaling the business, all of those combined are producing strong returns. Now I'm excited to dive into what to expect from and how to evaluate our transition to become a full subscription company. First, an update on how we'll begin reporting our revenue starting in the first quarter 2021, and we're making this change to our presentation to make it easier for you to see the subscription trends. Historically, we've shown 2 lines of revenue: a license and a maintenance and professional services line. Starting in the first quarter, we'll present 3 lines to clearly demonstrate the trends in our revenue. We'll isolate our perpetual license, break out our subscription revenue, which will include SaaS and subscription term-based license revenue, and a maintenance and professional services line. You can see the historical reconciliation of the 2 views in the appendix posted on our site. And we believe this new presentation accurately reflects the direction of our business towards subscription and helps to illustrate the resulting impact on the perpetual license and related maintenance revenues. Second, I want to present a dashboard of financial indicators to align you to where we are today and which metrics we believe together will tell the story of our transition and provide visibility into the health of our business. Let's begin with our recurring revenue. In 2020, it reached nearly $250 million, growing 41% from last year. Next, the subscription bookings mix will help you track the pace and success of the transition. And looking at the middle bars, you see an increase from about 9% in 2019 to 37% last year, and this is what has created the headwind we've been talking about over the last 2 quarters. And remember, our goal is to get this mix above 85% at the exit of the transition. Perhaps the metric we are most excited about is our ARR growth you see on the right side of the slide. At December 31, our ARR was $274 million with growth accelerating to 43% year-on-year. With that context, I want to focus the rest of the presentation on the key financial implications of the transition and the milestones ahead. First, we expect annual recurring revenue to grow by 30% through the transition with a little bit more on this in a few minutes. I would point out on the revenue line, we expect our transition to be unique. And what I mean is, even with the increased ratable revenue coming from both SaaS and term-based license subscriptions, we expect total revenue to grow through the transition. We did $464 million in 2020, and we are guiding to grow off that base in 2021. While on the operating margin side, our model should behave really very similar to other transitions you have observed. We said it in our February earnings call, and I'll repeat it here, we are confident in the opportunity and our intent is to make the necessary investments for technology innovation, the go-to-market capacity and infrastructure to secure our leadership position and capture market share. Yes, the increasing ratable revenue, coupled with the ongoing investments, will naturally create a disconnect in the business and the P&L in the near term. As we get to be a fully recurring revenue company, we can expect margin expansion in 2023 and return closer to historic profitability levels in 2025. Lastly, a minute on cash flow. The headwind dynamics naturally will impact free cash flow at the nominal dollar level. And if we consider the shorter duration on our maintenance as well as more market-based annual payment terms for SaaS contracts, we will expect the free cash flow margin to be closer to our net income margin as compared to our net income margin plus 5% or the 10% that we were able to enjoy with selling majority perpetual. Based on the number of questions we receive, I would be remiss if I did not spend a few minutes on the dynamics of revenue recognition during this transition. We expect a SaaS-heavy transition and our SaaS solutions, of course, are going to be fully ratable. And incrementally, we also introduced in the first quarter new Privileged Access Manager subscription packages, which integrate more SaaS functionality, and as such, will lead to more ratable revenue recognition. And we're working out still the final treatment under 606 accounting, but with the SaaS capabilities, we already can expect these new solutions to have about 65% to 70% ratable revenue recognition and only the balance upfront on delivery. As we disclosed in the past, our historical packages were recognized with 40% ratable and 60% upfront. So how should this impact our forecast? With our 6- to 9-month sales cycle, our revenue guidance assumes already that the 2020 offering will be the lion's share of our business. The new 2021 offering should start to roll into the P&L in the back half of 2021. As I know 606 accounting is not always intuitive, it is worth showing an example. The slide illustrates an assumed 3-year $120,000 contract of the 2020 offering on the left side of the slide versus the newly introduced solutions on the right side of the slide. Under the new offering, revenue recognition will be about $129,000 in the first period and about $21,000 quarterly over the full contract, and that's compared to $228,000 upfront and $12,000 each quarter from our 2020 offering. It follows 1-year contracts renewed annually for our new offering will behave even more ratably with only $36,000 recognized upfront at each renewal. Our growing SaaS portfolio, coupled with the new on-prem-based subscription solutions, moves us on that critical path to increase our annual and quarterly visibility into revenue that subscription companies enjoy. I want to mention one more thing on breakeven with our customers. If we were to take a new customer purchase, a Privileged Access Manager, as a perpetual license versus the equivalent purchase for our SaaS Privilege Cloud, the revenue breakeven point would be about 2.3 years. And if we put that into perspective, say the perpetual customer paid us about $250,000, the Privilege Cloud customer would pay about $140,000 annually. So over a 5-year period, we would generate about 1.5x or about $700,000 of sales compared to approximately $450,000 for a perpetual license, and that's assuming no add-on sales along the way. Considering we do typically expand with our customers, you can see how powerful the transition to SaaS will be on our growth opportunity. I thought this chart would be helpful to visualize the slope of our transition on revenue and profitability. In short, we expect our revenue growth to accelerate more meaningfully in 2023 as we exit the transition. And for profitability, the rebound will really begin in 2024. And by 2025, we should be back to the Rule of 40. Hitting the slopes for revenue and profitability I just showed you will depend heavily on the pace of our subscription bookings mix increasing. We exited the full year 2020 with just over 35% of our license bookings in recurring. We expect the first quarter to come in at 47% and the full year at 55%. If we exit the transition in 10 quarters, we expect to be at about 75% mix in the fourth quarter of 2022. And if we come in at 8-quarter transition, we'll be at an 85% mix. So for the full year of 2022, we should have a mix of about 70% to 80% from subscription bookings. Having now gone through some of the mechanics, let's move to our outlook. As this chart is intentionally not drawn to scale, please put your rulers away. We expect annual recurring revenue to grow at a 30% rate through the transition period and the dynamics driving annual recurring revenue include the subscription portion, but being offset by the maintenance contracts related to perpetual licenses forecasted as flat to single-digit growth as we move away from selling new perpetual licenses. We believe in setting realistic but meaningful goals for CyberArk. When we model out the 30% ARR CAGR during the transition, we believe that a goal of $1 billion by 2025 is both realistic and substantial. With our strong foundation as we begin the transition, we are well on our way to achieving this target. We expect this annual recurring revenue growth to translate into a 90% of revenue from recurring, which should make our top line very predictable and durable. We also believe that once the business model transition is complete, we will also naturally look like a Rule of 40 company by 2025. Before I conclude, I'll take this opportunity to update our long-term model framework. Our guidance for the year is 6% revenue growth and 5% operating margin, and that assumes about 55% of bookings from subscription. As I illustrated in our line chart regarding transition trends, we expect to see revenue grow a bit faster in the 10% to 15% range in the exit quarter of the transition. So think the fourth quarter of 2022 or mid-2023 in an 8- to 10-quarter transition, where operating margins will likely run at about 5 percentage points. As we exit the transition, we believe we will return to 20-plus percent growth and approximately 20% operating margins. We're not changing our disciplined approach to investments. Essentially, we should resume the growth and profitability levels that we were on before we entered the transition period. And this will come by our SaaS solutions reaching scale, allowing us to improve gross margins upward and R&D and sales and marketing running similar to pre-transition levels. We're incredibly excited about our opportunity and confident in our ability to execute our strategy and achieve the targeted financial durability, the visibility and increased shareholder value as a result of this success. Now I'll turn it back over to Udi for a quick wrap-up before starting the Q&A.

Thanks, Josh, and thank you to the team that just presented, our great customer panel and to our partners. I am sure you can sense our strong sense of mission, our deep customer commitment and our excitement and confidence about the opportunity ahead as we leverage our market leadership, innovation muscle and go-to-market engines and execute on our subscription transition. Thank you again for joining us today. And with that, we will now be happy to take your questions. [Break]

All right. Thanks again, everyone, for joining us today for our first ever virtual Investor Day event. I'm excited to be here with some of the management team. Before I turn it to Erica for the Q&A, I wanted to add a few things of what you heard today. You heard today that we are in the intersection of major industry trends, digital transformation, cloud migration and zero trust. In the wake of the recent cybersecurity attacks, the accelerating pace of what we call hacker innovation, our solutions have never been more relevant or required than they are today. We have the right solutions, a strong SaaS portfolio, a comprehensive transformation strategy that puts us on a path to $1 billion ARR company, unlocking tremendous value for us, our shareholders, our customers and our partners. We're incredibly energized, as you can see with the team that presented today and our great panel, about our opportunity and our position. And with that, I'll turn it over to Erica.

Thanks, Udi. Just again, we want to thank everybody for joining today. We really appreciate the time and attendance. And we're going to dive right in and start off with the Q&A. We're going to -- first with Rob Owens and -- on phone line. And so, Rob, I think your line should be open.

Great. Can you guys hear me okay?

We can.

Okay. Great. Can you guys give us a little insight into where current customer conversations are? And you talk about the accelerating pace of hacker innovation. There's obviously been a lot going on with news over the last 6 months with increased nation-state hacking activity. Is this causing any sense of paralysis relative to customers? Is it fair to include what's going on? Or are you getting increasing engagement in a sense of urgency on their side?

It's a great question. Definitely a lot going on. If you combine SolarWinds and also the recent Microsoft Exchange hack, I actually think that and what we're seeing is that it's causing a sense of -- a stronger sense of urgency and also stronger clarity. I think, first of all, clarity, that cybersecurity is a board-level topic. I don't think there should be a Board of Directors anywhere in the world right now that doesn't put cybersecurity as a major risk factor to look at and address. And in our world, the clarity is the fact that you need to assume breach that the sophisticated attackers are going to make it inside, and therefore, defenses have to be in-depth. In SolarWinds, it was very clear. It was an attack on privilege. It was an attack on identity. And that a big part of the solution and the big part of really buying more time for the defenders is putting up Privileged Access Security, Privilege Access Management, Identity Security deep inside in the organization. So I think in this time, and as Matt mentioned earlier, we're having more customer meetings than ever. And we're seeing that sense of clarity, that sense of urgency and that PAM, and Identity Security is really a top priority.

Great. And then I guess, second, relative to some of the puts and takes around ARR growth of at least 30%. And Josh, really appreciate you unpacking all that for us. But I understand that the flat maintenance component is going to weigh on ARR growth. I think a lot of your business actually comes from expansion of existing customers. So that should be a benefit to that recurring portion of ARR. So how do we think of that component influencing ARR growth, especially over the near-term as you start to see that mix shift?

Yes. Thanks, Rob, and thanks for that question. So we're really excited, first of all, to put out that target of hitting $1 billion of AAR (sic) [ ARR ] by 2025. And I think you're right. When we look at our customer base, 2 things are going to happen with our ARR growth. First is that we're going to have really kind of hyper growth when we think about our SaaS piece and our term-based license piece for our new customers. And also, as we extend out to our existing customers, a lot of our new SaaS products. One of the things that will balance that out a little bit though is that on the maintenance side, as it relates to perpetual, that will, of course, have a much slower growth and that will start to -- that will balance it out. Where we look at the transition period over the next 8 to 10 quarters, we're looking at a 30% CAGR, annual recurring revenue growth and that coming off of our $274 million that we ended December with, it really creates a strong base for us to be able to hit that $1 billion target.

Thanks Rob. We are going to move to our second question, which is going to come from Saket Kalia from Barclays. Saket?

Okay. Great. Can you hear me okay, Erica?

Yes, we hear you great, Saket. Good to hear you.

Okay. Okay. Awesome. Awesome. I thought it was really well done. Maybe 2 questions, first for Udi. Udi, can you just talk about the faster innovation on a SaaS platform and how you can monetize that? And specifically, what I mean there, and I think you touched on this a little bit during the presentation, but what opportunities do you see for customers to use more CyberArk products as part of the SaaS platform? And do you do anything proactive around bundling to encourage that as part of this transition?

Absolutely. I think the SaaS platform is out there. Our privileged cloud is on the platform, our EPM is on the platform, Alero and Idaptive. I think what it allows us is to quicker time to market with new innovations. One example, a fresh example for 2020 was our Cloud Entitlements Manager. We saw the problem. We saw tax that with regards to over privileges in cloud environments. We innovated, in this case, internally, when the cyber collapsed, and we're able to launch it with a go-to-market solution on the SaaS platform that customers can enjoy. And as Chen talked about in the presentation, that's going to be the power of the platform for continued innovations throughout the year. In terms of adoption, we're seeing customers that want to buy SaaS already picking up those solutions. In some cases, there's bundling optionality for them, definitely as we combine more and more solutions with Idaptive. And so it does give us a lot of room for that. And I think Matt touched it in his presentation.

Got it. Got it. Very helpful. Josh, my follow-up, maybe for you. I guess the question is, how are you thinking about the mix of SaaS and term subscription as part of this long-term framework with respect to ARR and revenue? And maybe the question is, how much flex is there in the model if SaaS or term were, for example, higher than kind of what you're expecting? Does that make sense?

Yes. Yes, I think so. And we actually are pretty excited about the fact that we see this transition as what we call being a really a very SaaS heavy transition. We saw that already in 2020 naturally as the customers started to pull us towards a subscription business. And we saw pretty much a ratio of 2:1. And that's what we kind of have in our plan or thinking as a baseline for 2021. And I think clearly, when we think about the ARR -- the annual recurring revenue target, that will be influenced, of course, by that mix and by how fast we achieve, first of all, our total mix of moving to recurring revenue bookings. And then, of course, it will be influenced as well to some extent around the SaaS piece versus term-based license. And one of the things, and you heard a lot about it this morning, is how much we box after the market. So I think everything we've done in terms of really increasing our SaaS products around Privilege Cloud, around Alero, around Cloud Entitlement Manager, around now all of our Access play. We don't see a reason why we shouldn't continue this, really being SaaS heavy, probably, certainly in the next kind of year or 2 being in the 2:1 range.

All right. Thank you, Josh, and thanks again, Saket. So at this point, we're going to move over to Jonathan Ho at William Blair.

Yes. I wanted to start out with some of your commentary around the tips of the spear, particularly with the noncore PAM products. Can you talk about how you maybe are seeing them act as a tip of the spear today? And how do you see that evolving over time?

Matt, do you want to take that?

Yes, definitely. So I think it's one of the exciting pieces of our overall approach today. And that we do have these multiple ways to land new customers. And a good example of that is EPM, Endpoint Privilege Manager, where we can go in to really any customer, even into some of our competitive base, and basically talk to them about implementing a least privileged approach, removing local admin rights and getting started on their privilege journey at the point where a lot of the attacks are coming from at this endpoint or at the server level. And so that gives us a new way to be able to approach our customers, to talk to our customers. Another good example is, obviously, on the newer area, the Access area, where we can go in and actually engage in conversations with our customers around where are they around single sign-on, multifactor authentication, Idaptive MFA. And actually, again, bring them into the story. The remarkable thing is once we get them in, then we're talking to them about the Identity Security vision. We're talking to them about the larger TAM blueprint or privilege blueprint that we've worked on with them. And we move them across the product suite pretty quickly. And we see add-on purchases come in within the same fiscal year for additional products within the suite. So I'm really excited actually about the new motions we have to be able to go land. Clearly, our main landing spot is with our core story or core strategy around PAM and Identity Security, but it's a great opportunity for us to bring in new customers to fold.

Excellent. And then just as a follow-up for you, Josh, when we think about your vision of achieving this $1 billion in ARR, can you give us a sense of maybe what you anticipate the subcomponents will be relative to -- I guess, you gave us some color in terms of how large some of the newer noncore PAM products are today? And so I just want to get a sense of how big these businesses will be -- sort of the contribution rates as we start looking at that composition of $1 billion in ARR.

You heard this morning about the $20 billion TAM, and clearly, our privilege is the largest portion of that TAM. And also, our penetration is really highest there. So even at $1 billion when we get there, we do expect PAM to be at the core of our sales and really still be the majority of the annual recurring revenue that makes up that $1 billion. But we can definitely see DevSecOps and Access grow faster. Certainly, it's starting off their smaller base. So we do expect it to grow faster than the business. And one of the other things I would add is our ability to really execute in those other markets like DevSecOps and Access, can really be actually triggers for exceeding the annual recurring revenue targets. So I think when we think about that bundle, it's going to be -- the majority will be coming from our core Privileged Access Management and then on the side on the DevSecOps and Access, but there'll be meaningful pieces of the business.

Thanks, Jonathan. Thanks, Josh. And our next question is going to come from the phone line again, Sterling Auty of JPMorgan.

It's Matt on for Sterling. So you guys mentioned many times about different ethos inside of the product and the sales organization. I was just wondering, could you elaborate a little bit more on that in terms of do you kind of envision having to get a dedicated sales force for specific parts of your product to initially land and then expand with the customer success into maybe other areas? Just wondering if you could give us a little bit more color on that.

Yes. Sure. So let me jump in a little bit here. So when we think about our speedboat concept, you really should think about it as a virtual business unit, if you will, with a general manager at the top, kind of thinking about the strategy and growth opportunity of those areas and then helping to derive the right approach to be able to optimize on that opportunity. So what are the core sales plays that we should be running? How should we be thinking about enablement? Where should the product strategy go to be able to support both the larger CyberArk vision, but also that speedboat vision? And so really thinking about it from a business management perspective, and then we've layered into each of the speedboat for Access and DevSecOps sales capacity and technical capacity, but they're really overlaid forces. So they're out to augment the existing. Every deal right now, our core sales are still involved, and these experts are really helping to make it. And I have different people who are actually focused on qualifying those customers to bring them back into the core sales engine. And we think that will give us the most amount of productivity and throughput without worrying too much about segmenting our go-to-market in any dramatic way.

All right. Well, thank you, Matt, for asking that great question. And now we're going to take a question from online. That's going to come from Jonathan Ruykhaver of Robert W. Baird. And his question is, can you talk a little bit about the product functionality of Privileged Cloud, and -- versus the on-premise full core PAM offering. And so we're going to pass that question over to Chen for you to start. And the follow-up to that would be the Matt on enterprise adoption of Privileged Cloud. So off to you, Chen.

Great. Thanks, Erica, and thanks, Jonathan, for this question. So in fact, actually, we did invest a lot in Privilege Cloud and now as the future -- from feature parity and scalability point of view, Privilege Cloud and the core PAS on-premises are almost equal, except of minor different -- differences between the 2. And in some cases, Privilege Cloud provide more functionality. In some cases, the On-Premises provide more functionality. But definitely, we invested a lot to support the scale of a large enterprise with regards to the customer needs because of the amount of customers that we need to support on our platform. Privilege Cloud is also integrated well with all our different type of offerings, including the secret manager of Conjur as the traditional AAMs, Alero and so forth. So actually cast on which consumer solution is a SaaS solution can leverage the entire PaaS CyberArk care offering. So actually, it brings a lot of incentive to our customer-to-consumer SaaS offering. And again, looking forward given that there's a trend of more and more customer prefer to consumer SaaS sale offering, we do continuously investing on the back-end environment to support the next level of scales, which are required. So again, more or less, a feature parity is equal.

Yes. Thanks, Chen. I think with that feature parity and ability to scale up into the enterprise has common ability to pretty much go into any customer that has a cloud strategy and land them or even transition them if they're an existing customer to the Privilege Cloud platform. And it's really an exciting opportunity because I -- when I started it was exactly as you described, we were targeting down to the mid-market, which is a great opportunity, and it plays really nicely there. But we've actually seen some of our largest enterprise accounts start to adopt the Privilege Cloud, be successful. And when we land a new customer with Privilege Cloud, the great thing is, time to value is so much quicker, time to adoption, and ultimately, time to expansion.

And you saw a great fortune of members of the Senate Intelligence Panel adopting Privilege Cloud with Heinz.

Okay. Great. Well, thanks for that question. And now we're going to move back to the phone line, and Andy Nowinski from D.A. Davidson.

So I had a question on your TAM estimate that you provided of $20 billion, that implies about -- that you have about a 25% share of the market currently. So I'm wondering which vendors comprise the remaining 75% of that market. Or do you think some of that 75% might be a greenfield opportunity or they aren't running anything as it relates to Privileged Access Management? I'm just really trying to assess how difficult it will be to increase your 25% share of the TAM going forward.

Sure. I can talk a bit about market share in TAM. And thanks so much for the question. So we really think about this in terms of the size of the broad opportunity. So we think about the total addressable market. And we've talked about the $20 billion annualized TAM that we see. And as Josh said earlier, TAM is the largest portion of that. But when you look at our penetration of that opportunity, we're still in the single digits, right? So we see very, very significant upside over time as we continue to grow our penetration of that TAM. And in parallel, we'll continue to increase our penetration of the remainder of that $20 billion TAM that's associated with the speedboats with DevSecOps and also with Access. So we see this -- we're very excited by the opportunity. We see this as having a very long runway, and again, there's -- this is a worth-it kind of a very, very critical combination of digital transformation, cloud migration, and as Udi said, hacker innovation.

And maybe if I can just add in 1 comment on top of Clarence's answer here is just from what we witnessed within our customers themselves, the penetration of the opportunity within our existing customers it's still so large. I think I go back to what I said earlier this morning, and when I first learned about the PAM space itself, you think about the heaviest user running around protecting the most critical assets. And that's who we've sold to in the past. And then what we've seen really start to take off here over the last 2 years, 3 years, and specifically over the last year, is as any user can become privileged at any time, the definition of what the opportunity within an account starts to grow. And so we have conversations with customers every day. And it's not about protecting super admins or just the IT department. It's business users within the organization. It's the broader workforce that comes with workstations and servers and access. And then it's all the non-human identity. So when we start to think about penetration and how we get a bigger piece of that TAM that Clarence is talking about, there is all of the prospects out there, but there's still so much opportunity right within our customer base, and we see it each and every day when we're talking with them.

Okay. Great. We're going to move on to the next question, which is also coming from the phone line. Thank you, Fatima Boolani of UBS.

Either for Matt or Clarence, I think both of you very consistently talked about the theme of the explosion and proliferation of nonhuman identity, so machine identities and API calls. I'm wondering if you can comment on what implications this has on pricing strategy, pricing models, because you almost have to shift away from sort of the per seat concept. So I'm wondering if you could sort of flesh that out because the DevSecOps space is so much white space right now. I would be curious to kind of get your thinking around that. And then I have a follow-up for Josh.

Yes. I can just start providing some color on the opportunity, and Matt, of course, dive in on the more complex pricing implications of that. But you hit it exactly right. When we talk about the proliferation of identities, not only are we talking about humans and different humans across different applications and platforms. You have all the machines, all the things. So you have endpoints, you have servers, you have network elements, you have applications in there and each and every one of them has their own set of distinct entitlements. So the problem becomes verifying the identity of each and every single one of those things, those machines, understanding their entitlements and then enforcing them. So we're at the front end of a massive in proven space quite frankly. And that's only partly even contemplated in the TAM that we're talking about. But with that, I'll hand it over to Matt.

It isn't until within the DevSecOps space and the secret management space, there's multiple tweak even within the DevSecOps world, where we can take care of legacy and dynamic and future applications. And that makes us truly unique in that secret management space.

I appreciate that color. Josh, maybe for you. If I think about your gross margin guidance in comparison to some of the targets you had shared with us historically, we're certainly a bit lower than we had been in the prior iterations of your long-term target disclosure. And I can appreciate that the mix of the business has really swung towards SaaS. But I'm curious how your reliance on hyperscaler or a public cloud infrastructure is influencing this? Or if there are any other dynamics that are keeping the gross margins maybe more tamped down than we would have otherwise expected?

Yes. Sure. Thanks, Fatima. When we think about the gross margin, it's really though -- we've always been a perpetual license on-prem business model, which from that really we are able to enjoy the highest gross margins. And when -- you can't help it, but when you start to sell a lot more SaaS than we are using and really dependent upon our third-party hosted environment. So that is the #1 really contributor to lowering the margin off the bat. But I would say, it also has to do with scale. So when we think about it from our SaaS perspective, EPM, which we've been selling SaaS now for several years and now is one of our leading SaaS products, we have actually higher than -- higher gross margins and well into the 80s, but when we think about a lot of our new SaaS products around Privilege Cloud, which only was introduced in -- and has ramped up in the last year, our remote access and as well the Access -- all of the Access products, which are still smaller in size, then that has kind of been a bit of a drag on the SaaS portfolio. So the second piece I would talk about that's a little bit new now that we're doing a lot more SaaS products, and Chen talked this morning all about the SaaS development teams, and the increase in investment there, some point now or some percentage point now also goes to the capitalization of our software and the depreciation of that capitalization as we bring the products to market. So that also is an incremental impact to the gross margin for a SaaS model as compared to the on-prem model. But overall, I think we're excited about and feel good about the target that we've set out. And I think once with a heavy transition towards SaaS, and I talked about it in the question a couple of minutes ago, the scale is going to really help us over time, and you heard me present the medium- and long-term model that we actually have some percentage points here that we can bring back when we're bigger scale on the SaaS portfolio.

Thanks, Fatima, for those questions. We are now going to hand it over back to phone line with Brian Essex with Goldman Sachs.

Maybe a question for Udi, maybe just a follow-on to Fatima's question. Udi, I was wondering if you could give us a little bit of color in terms of how costs are trending with the transition to cloud and -- primarily around, if you think about some of the components, including system integration, deployment, license, maintenance, how each of those components may be different with cloud adoption? And is the environment as we saw some friction, I think, last year due to pricing, which got alleviated, obviously after the SolarWinds attack, how are customers thinking about costs for cloud versus maybe perpetual or term? Is that kind of greasing the rails for adoption or pushing them in that direction because of, I guess, greater efficiency with regard to integration, license maintenance?

Yes. I'll start with the latter piece and the first part back to Josh. Whenever I think cost, I think Josh, and he handles it so well. But definitely -- thanks for the question, Brian. And definitely, the recent trends, and Matt talked about the transition and the great timing for us now, is that customers are much more open definitely to SaaS as a delivery mechanism and COVID kind of shed the light that they want to less and less send people to their data centers and have to manage setting up servers and all of that environment. So there is a strong trend towards that. And of course, they're doing their TCO calculations. And they are seeing that over time, actually, they won't have to manage the back-end infrastructure. I think it was great, our panelist, Ricardo from Heinz said that very clearly. They actually transferred from being an on-prem customer to a Privileged Cloud customer so that they can focus on the strategic elements of security and not have to handle the back-end. So that's with regards to SaaS part. With regards to subscription, we just saw an ongoing trend where more and more customers are open to even if they're consuming us on-prem to pay with subscription pricing, and it's going to be a healthy transition over time, and we're going to incentivize them to continue to do that.

Yes. I think just to the beginning part, I'll jump in. Every once in a while, I'll jump in for Josh, so he gets a break there as is -- we're seeing our ability to be able to get a premium for the subscription product based upon what you described as those dynamics, the ability to be able to drive quicker time to adoption, the ability to be able to get them stood up and functioning, cut down our total cost of ownership. And so we saw throughout COVID even as budgets decreased because of COVID, as you brought out -- brought up, we saw actually spend on cloud accelerated because it was a quick return on investment that a company could justify. And so we see that price premium going up for SaaS over time for sure across our product suite.

Okay, great. We are going to take 1 more question from the online chat, which is related to our C³ partner program and the importance of C³, and that I was going to hand over to Clarence. Clarence, if you wanted to take the importance of C³?

Absolutely. So our C³ alliance is a critical part of what we're doing as a company here. And we all know that the threat landscape is extraordinarily complex. And there's no way that any one company or even small group of companies can really cover it all. So as we focus on the identity vector and securing that, end-to-end, we still maintain very strong alliances and partnerships with well over 100 other vendors in the space. And that's a critical part to our operations and our future growth. And with each of those, we have robust certified joint solutions. And then we have approaching 1000 integrations with our marketplace. So we just have a very, very wide scope there that will increase in importance going forward. So it's a great question and definitely something we're putting a lot of focus on.

Thanks, Clarence. We're going to go back to the phone lines. And the next question is going to come from Hamza at Morgan Stanley.

Just 1 quick question from me. I know it's early with the go-to-market alignment around the SaaS transition. But wondering if you could give any color around how SaaS is already helping to really shorten the sales cycles and whether you're able to reach those mid-market customers or customers that are not traditionally have been CyberArk focused with that SaaS model as well?

Sorry, I apologize there. So I think when we think about this from a go-to-market perspective, we saw SaaS start to accelerate really -- and when COVID hit, and we've been kind of tuning up that ability to go-to-market with SaaS for a while before then, but it really took off here in Q3 and Q4 of last year and as we go into Q1. And we feel like that's a muscle that we've really started to develop and allows us to be very effective in going out and hunting in the marketplace. And kind of as you talk about that and you think about kind of the core component of success in SaaS selling, absolutely we can get customers to move lot quicker through their evaluation process because they can understand quicker how they can get to value. Now one thing I would tell you is we're still an enterprise software solution. And so deal cycles are still quarters, not weeks. But when I mentioned about landing, we can land, as you mentioned, down market in the mid-market, or land with maybe our endpoint product or access product, and those sales cycles start to accelerate, where we can actually start to see pipeline get generated and closed within a quarter or 2, much -- at a much quicker rate. And so we've actually focused within the go-to-market or even more on down market and what you call the mid-market, we call the low end of enterprise market to focus deeper there so that we can go and capture more market share down market even as we continue to win in the enterprise accounts with SaaS.

Great. Thanks, Matt. And thank you, Hamza, for the question. We're going to go back to the phone line, Imtiaz from Guggenheim.

I had a question for Josh. Josh, you mentioned that the ARR growth should be 30% through the transition. But once you're out of the transition, I'm assuming that the -- because most of your revenues will be recurring, the revenue growth and ARR growth should converge after that? Is that a fair assumption that once you're out of, I guess, Q4 '22, your ARR growth and revenue growth should look very similar?

Yes. I mean, that's exactly what's going to happen. It's going to -- after we come out of the transition, then you'll see a convergence of ARR and the revenue growth, exactly.

So we should see revenue growth accelerate for fiscal '22?

Yes. So we talked about an exit growth of around 15% when we're coming out of the transition. But then as we move forward, we're confident in the opportunity and investing for the opportunity that we should definitely see that over 20-plus percent revenue growth as we kind of progress beyond the transition. And that's where we're setting our sights on.

Got it. And just 1 question for Matt. Matt, you mentioned about the tip-of-the-spear strategy with the noncore products driving new logo growth. Are you seeing any of that right now? Do you have customers who land with Alero or your non-privileged products today?

Yes. I mean, absolutely. We see that throughout the back half of last year, and we see it in the pipeline that we're creating this year. But not Alero per se because Alero would generally be a follow-on sale on top of PAM or a combo sale with PAM. But some of the other suites, like I keep mentioning, EPM is a great, great landing strategy, Access is a great landing strategy, DevSecOps in the other world. So the key piece of how we're going to market today. And when I look at pipeline generation, which continues to be remarkable to me, it's like quarter-after-quarter the engine is really kicking in and that pipeline gets bigger and bigger. We look at it in those categories, and we're seeing a nice segment of that that's in that kind of hunting motion with the new tips.

Great. Thanks, Taz. Thanks, Matt. We've -- we're going to wrap things up. We're going to have time for 1 more question, which is going to just to Josh Tilton from Berenberg. We want to be mindful of everyone's time today because we know that there's -- we want to just make sure we're mindful of everyone's time and other events. So Josh, your line should be open at this point.

I just wanted to touch on during the presentation, the commentary suggested that the acquisitions are going to continue. You guys lead in PAM, you bought Access Management. Should we expect the purchase in the governance space anytime soon? And if not governance, what areas of the market are you looking to make purchases in?

That's a classic Clarence. Off to you, Clarence.

Absolutely. So thanks so much for that. First and foremost, when we look and see to extend activities, of course, and then also through acquisition, and we have quite a bit of range in terms of what we're able to do. You see the balance sheet in front of you, but we're very, very thoughtful about how we deploy that capital. But we're really focused on the growth areas. We're really focused on driving long-term shareholder value with transactions. It also has accountable, acceptable, if not attractive, near-term dynamics as well. So I'd just say, holistically, we're looking at everything that will actually contribute very meaningful shareholder value over time and is consistent with our strategy. And so for now, we're very happy with where we're playing. Everything we've talked about in terms of the speedboats and DevSecOps and Access and Core Privilege, those are all areas we're looking to extend and to strengthen as we pursue both organic and inorganic efforts.

Great. Thank you, Clarence. Thank you, Josh. And now I'm going to hand the formal presentation back to Udi for a few final comments. Udi?

Thanks, Erica. It's been a great day. And as we wrap up, I just want to thank everyone again for attending today and for diving deeper on the -- into the CyberArk journey and our great opportunity ahead. You saw the passion and the drive of the team that's here with me today, I want to thank them. And I want to thank our 1,700-plus dedicated employees around the world who are pushing hard every day passionately on the CyberArk mission. Our broad network of 450-plus partners, and there are almost 7,000 amazing customers, you saw a glimpse of some of them today at the panel. Again, I want to thank everyone, and wishing you all the best. Thank you.