CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Thanks, everyone, for joining us. My name is Sterling Auty. I'm a software analyst here at JPMorgan. Happy to have with us for our next session here at the 48th Annual TMC Conference, Udi Mokady, who is Co-Founder and CEO of CyberArk, Josh Siegel, who is CFO. Gentlemen, thanks for joining us. We really appreciate it.

Great. Happy to be here.

Yes. Thank you, Sterling.

All right. So I'm going to jump right into it. After begging, borrowing and pleading with you guys for years, you took the plunge and went subscription. What was kind of the first kind of impression that you got from your customers? How did it go in that first quarter out of the box?

Well, first of all, thanks for pleading and also waiting. We wanted to do it when we felt that the market and the customers are ready, and we really found the perfect timing to announce in November and then really begin to do it in January of the -- announced in November 2020 and begin to do it in January. And the reception was great, both from our team and our channels because we had the opportunity to train them and get them up to speed. And also, the customers because we're giving them optionality. We're giving them the ability to buy SaaS solutions. We're giving them the ability to buy a subscription on-prem or self-hosted. And those that are on perpetual, they know that we will continue to support them in the foreseeable future with that. So the reception has been great. Again, doing what's right for the customer is working well for us. I think the biggest adoption is clearly here in Americas where we see the -- that in the subscription mix, even more leaning towards SaaS heavy, which is, of course, super strategic for us, and we're pleased about that. But the same for, I would say for EMEA. The pipeline is building with subscription. And even APJ is surprising us positively on that front.

That's great. Actually, take a quick pause. [Operator Instructions]. So what would you say is the kind of the mix of uptake in terms of new customers versus existing that chose subscription.

Yes. So I'll jump in here, Sterling. And we did -- 51% of our bookings in the first quarter came from SaaS and subscription. And if you think about the split, so if you take that 51% of those bookings, about 2/3 were coming from existing customers and about the balance coming from new customers. If you kind of look even deeper into that mix, you'd see that on-prem subscription is weighted towards more of the existing customers, while more than half of our new business bookings were for SaaS. So really, new customers are moving towards SaaS faster, even more fast than we expected.

What's the delineation or which products are available on SaaS today? And how should that evolve as we move forward?

So I would say the only product -- I would say the other -- the entire portfolio is available on SaaS. The only product that is more on-premise is the DevSecOps element. But that also integrates with our Privileged Cloud. So Privileged Access Management, Privileged Cloud delivers the full capability. Our access speedboat is, of course, based on the Idaptive acquisition. Was a born -- was a SaaS company to begin with. Endpoint Privilege Manager used to have the optionality of on-prem or subscription, but a while back, we moved to -- on-prem versus SaaS, now it's SaaS only. And so it leaves the DevSecOps, which is managing application secrets, but that can also integrate with Privileged Cloud. So there could be combinations with that in the future.

Why would an existing customer choose to go subscription?

An existing customer? I would say, first of all, they -- if they are back to DevSecOps that I mentioned now, if they do expand or add-on the DevSecOps capabilities, today, we're selling it as subscription. And so if they didn't have it before, they're buying DevSecOps, they would be buying already. So they would be an on-prem customer getting subscription. We also saw adoption by customers liking the new pricing model. They already have to -- they already want to convert to the new pricing model, and they see that we have new and exciting packages to take them on the subscription journey. So they're getting more value as they migrate, but we're working with them and to do that when the time is right for them.

All right. Josh, the exciting stuff. How does the revenue recognition work in these subscription programs?

Well, Sterling, yes, indeed, it is truly exciting, and it's not always a simple answer in the world of high-tech but -- and 606. But really, I'll break it down simply. If we look kind of back at 2020 packages and before that, kind of -- we're working at a 50-50. So 50% of the subscription package on-prem would be recognized upfront with 50% along with the term of the contract. When we think about the new packages that have been introduced only in January, and we already had a handful -- more than a handful of new customers buy into that in the first quarter. It's going to be 30% upfront. So closer to fully ratable and 70% over the time of the contract. And it's really because those new packages now include SaaS components. They include our MFA. They include SSO, they include a SaaS service for loosely connected devices as part of the on-prem Privileged Access Management subscription package. SaaS is, of course, fully ratable. And if we think about it, the mix of our bookings today is about 2/3 SaaS, 1/3 on-prem subscription.

Okay. Excellent. So as you think about this transition, is there another one of the companies that have gone through a subscription transition that you think most represents how you're approaching this?

You know, we always like to create a best-in-class category of our own. I would say that I think the benefit of transitioning now is really to have a couple of companies to model after and look at what's working, what's not. Obviously, we looked at PTC because Matt, our Chief Operating Officer, was at the role there and part of their transition. So that was an example we looked at. Varonis, we think did a very good transition. But we have some differentiation because we are very SaaS heavy and more oriented towards the enterprise. But we saw how they managed the team and how they managed the adoption there and did well. We sell to the enterprise. So we have the 6- to 9-month sales cycle to manage as we go through this. But I think we're looking to do a best-in-class transition and take positives from these companies, PTC, Varonis, Adobe and the others that preceded us.

So one of the things that investors have struggled with through these subscription transitions is trying to understand how the health of the business really looks regardless of the transition. What are the metrics that you would point investors to, to say, yes, this is where you can see that things are on track and things are going well?

So Sterling, I think I would talk about three things, and it's not just beyond the speed of the transition because I think you really do need to look at the speed of transition, and you want to look at the bookings mix because if we don't keep hitting our new booking mix targets, then it will just be cloudy for everybody for a long time. And so clearly, we've been giving a very clear indicator of what should be the percent of bookings coming from SaaS and subscription. And so far, we've been kind of ahead of our expectations for the first quarter. I think the second piece, though, going towards now, what are the metrics around the health of the business is subscription revenue and total recurring revenue. And that really demonstrates the cumulative strength of our subscription bookings over the last few quarters. So our subscription revenue grew about 180% year-on-year to $25 million. And that represented, I think, 22% of total revenue, and that's compared to 8% if we look at Q1 of last year. And this was really driven by the strength of our SaaS bookings over the last several quarters. And our total recurring revenue reached 70 -- I think 70 -- just over $75 million in the first quarter or 68% of the business and grew 41% year-on-year. And the third piece of the puzzle, Sterling, is really what we've been talking a lot about. We talked a lot about it on our Investor Day. We talked a lot about it on each of the earnings call, and that's annual recurring revenue. And subscription annual recurring revenue to really determine how is demand trending, and ARR reached $288 million. That grew over 40% in the quarter in the first -- for Q1. Even organically, it was about 34% year-on-year. And then if you kind of dive into that ARR and you look at just the subscription component of it, it was $88 million, growing over 250% in the first quarter. And the ARR really indicates, in our minds, that we have a large and rapidly growing subscription business already. We kind of want to look at those 3 metrics really to give an indication of our success. One, towards are we moving along through the transition, meaning we're going to get to the other end according to schedule. And will we be successful as a subscription company the day after.

So along those lines, I think one of the things I heard coming out of the quarter was, if I look at total net new ARR that you added about $14 million sequentially, and that was down from what you added in the fourth quarter, but it was up versus year-over-year. But so people looked at that sequential change and maybe we're picking out a little bit, thinking maybe subscription would contribute more. Is that a meaningful metric? Or is there seasonality that's going to cause that to ebb and flow?

So sequentially, the ARR, particularly during the transition period could -- is not a great way to look at the business. It could be dangerous. And really for 2 reasons. First, there is seasonality in the business, and that's particularly -- we saw that in the fourth quarter, and we've seen it for years in our fourth quarter over -- for the last several years at CyberArk. And second are the components. You have to dig down into the components of our annual recurring revenue. And if you think about ARR, about $200 million is maintenance. And last year, more than half of our ARR in the first quarter was related to the base of perpetual maintenance. Where Q1 of this year, all of the $14 million change in annual recurring revenue between Q4 and Q1 was from subscription, which is where you want to see it. So while it was only a $14 million incremental, it was a very high-quality $14 million incremental and really a big step for our transition process.

So I think you guys talked about returning to being a Rule of 40 company as you exit the transitions. Is there anything that you guys saw in the quarter you just reported that changes that idea?

So nothing that has changed our mind. We're on a path to deliver against that Rule of 40 and also to deliver the $1 billion of ARR that we kind of set out at Investor Day last month or a couple of months ago already by 2025. We had, in our minds, a really good first quarter. The demand environment is healthy. Our productivity rates are getting back to what we would call pre-COVID levels, and we have really strong industry tailwinds, whether it's the ransomware attacks, whether it's the solar winds, whether it's just in general, education around PAM. And we're confident that we'll be able to deliver against the targets we've outlined.

Udi, I want to take what Josh just kind of alluded to and go a little bit deeper. Where do you think kind of Privileged Access and the rest of your solutions ranks in terms of the priorities for security spend in this current environment?

So I would say that the only one wave before us, the post solar winds is things that come immediate with incident response and follow after that, but I'm very close to the CEOs of our partners. And of course, in many of our CSO conversations, they talk about PAM and identity security being the second wave. Like this is not -- we could be part of a recovery following these things, but it's clearly the long-term thing that they have to put in place. So I would say, a very high priority. In the past, we had the top 10 projects that Gartner consecutively put PAM up there. I would now say PAM and identity security because these attacks are showing that they go after all types of users. And of course, with the aim to get to the strongest access that they can.

And are you actually seeing that in your pipeline in terms of companies that were in government agencies that were hit in the solar winds breach that they're taking that approach?

Yes. We gave an example on -- in the earnings call as well of a company that went strategic -- it was a telco that went strategic following what they saw in solar winds where PAM was maybe an important program, but it was semi-compliance driven. And post solar winds, they understood that, hey, this is what prevents a lateral movement and privilege escalation and they expanded their program also on the human and also the nonhuman side. They took it into the sequence management. So we are seeing it show up in pipeline. Again, in the right way, in kind of a long-term, nice dug. And the advisory firm that I'm very close with are all speaking at our upcoming customer conference. They talk about the second way, where the second wave is. Take an existing customer, make sure they went broad and, of course, landing new logos with PAM and identity security.

When you talk about the nonhuman portion, can you remind people -- I think that started with your Application Identity Manager, but how has that evolved?

Yes. Yes. I can say that everything that -- CyberArk pioneered the privileged access management market originally for those strong users. And Sterling, I remember when you challenged us when you're going to cover all users. And finally, we've done that with the acquisition of Idaptive. But a second dimension has been growing over the years, whereas applications also consume credentials and secrets for access. And CyberArk originally developed and again, pioneered the ability to connect -- make a connection between those applications to databases and others. And now with DevOps, it's really booming, where you have thousands of applications running. Sometimes for a quick moment in time, but they all are consuming a secret. So we call it secrets management, and we expanded to that through the acquisition of Conjur in 2017. And we're just seeing it everywhere, where every company has some development going on. You could be an insurance company. You can be a delivery company, you have software. And some of the bigger part of the footprint is automated and not necessarily in the human hands. And so we have the ability to cover both grounds. We'll cover the human access, and we'll cover that secrets management. And it's -- for us, it's a growth engine, and that's why we also aligned it under a speedboat, where we want to be able to fine-tune that muscle that also sells to developers.

How does -- how does Conjur in your secrets management -- you kind of talked about what sounds like in production applications, but everybody wants to talk about shift left and go back through DevOps. And I think there's notable private companies in that space like Snyk. People think about HashiCorp. So how does your secrets management play inside of DevOps alongside those types of solutions?

Yes. It actually -- it can actually be part of the developer life cycle variably. So Snyk and others are code scanning and, code scanning is part of what you need to do for DevSecOps. And we're complementary to that. Competitive to Hashi in secrets management but complementary to Hashi in developer tools. And it could be very early on where we actually -- the developer can use us to transparently deal with coding and not have to do with inserting secrets and saying my application has access to these resources and inserting credentials and doing all of that. So actually, we actually show customers that they can start early with Conjur, make the developer life easier. But also put the security control in place and make the security folks happy. Now the DevSecOps is an opportunity to get it right from the get-go versus the legacy application world where it was very hard to go and find those applications. This is kind of a new way where if they start early, they can get the paradigm nice and clean from the get-go and manage it under the CyberArk platform.

Now, that's great. Let's talk a little bit about Idaptive in terms of where is it playing in that identity market overall, both on-premise, cloud, et cetera?

So when we looked at how we expand to identity security, we were looking to not just be, okay, let's enter access. We wanted it to be, we're a market leader in PAM. Let's expand to more and more use cases that cover all users. Again, as you've been asking us over the years. But let's do that playing to our strengths as a security company. It's a cybersecurity company. It's a company that call itself CyberArk before it was even the terminology for the space. And so we looked for a company that would be completely born in SaaS and further help us as we were modernizing ourselves. But give the simple access to the workforce user but have more security controls in place. And the combination is such that we can bring some of the controls from the makers of PAM, we give you controls that now you can give and apply to the CFO, into the HR department and others that are now getting this privileged access. But remember that they are a user that wants minimum friction and make it easy. So combining -- they're giving us the simplicity, the SaaS first, and we're adding controls to it for our ability to answer the PAM use case and also the workforce use case, and all SaaS delivered.

[Operator Instructions]. One question I got from an investor is kind of a follow-on to that and just saying, when you're competing for those deals, who's the shortlist, who else is there? Is it Okta? Is it Ping? Is it somebody else?

Yes. So first of all, in the PAM market, it's very clear. We're -- the competitive market is super favorable, and most of our direct competitors have been just -- have been owned by private equity and further exchange hands in private equity. And so we really saw that as we continue to innovate, continue to break away. In a pure -- but to answer that, in a pure access deal, we could see Okta and Ping and OneLogin and some of those players. But more often than not, we actually see the legacy players like RSA and NCA and others where the customer -- our enterprise customer like is looking for the opportunity to replace them, and they want to do it with a security-first mindset. So it could be any of the above. The big advantage we have is going into the customer base that already adopt -- trust us for PAM and then expanding to workforce scenarios with a security-first mindset.

That would suggest to me that it's more of user access on-premise and not necessarily either remote access or cloud access. Is that the right way to think about it?

No, I would say it's -- they want to monitor -- they kind of have legacy. They now want to modernize. They're going to do the leap of faith and consume that access. And so we will give them single sign-on and solve some of their classic on-prem, but then expand them to single sign-on for SaaS applications.

The other question that obviously has come up a lot of late is Okta's announcement of coming into both privileged access and kind of governance with SailPoint. How do you view their entrance into the market? And how do you expect to compete going forward?

Yes. I think as a leader in the space, what got us here is to always take everything very seriously and to break away with innovation. And so I talked about direct competitors in the space. And in PAM, we really reinforce our market leadership. Yes, Okta pre, I call it, pre pre-announced because they talked about a 2022 offering from -- but from what we gathered, it's very lightweight use cases for simple environment. So we expect that we will need that more in the mid-market. But we're also attacking the mid-market now that we have Idapted. I think it's a huge market. But on PAM, we're going to protect the enterprise business, which is -- has a very complex use case in the hybrid environment. And it's very much not about ease of access, which really I complement Okta for coming in and making user access easy. PAM is very much about preventing the attacker from network takeover, cloud takeover. So we see enterprises really wanting the keys of the kingdom and the keys to the IT kingdom to be in a security-first mindset. So that's going to be our continued differentiator. There are going to be some things we're going to show also in our upcoming impact conference, June 8 and 9 on how -- why identity security is so much different from when it comes from a maker of PAM. And in many of these companies, we will continue to complement other identity investments in an integrated way. It's not a zero-sum game.

So another question I came in from an investor is, okay, based on the moves that you've made, based on the moves and announcement Okta has made, it's clear that identity, IGA, PAM, are all coming together and consolidating through single vendors. Who, in your opinion, has the upper hand to sell in each of the market segments and why?

Look, I'm not -- maybe I won't rate the various vendors. I think the enterprise really wants the best of breed, and we're seeing that. And then often, they welcome some adjacencies. But the -- what we've seen is PAM is the holy grail. And that's why we said where security is centered on PAM. And so we really see us with a very strong advantage with the existing customer base and continuing to land PAM customers. It's a huge market that's only now getting in shine. It was -- most of the attention earlier was on the access and others. We continue to collaborate with SailPoint on the enterprise front. We have multiple integrations, many joint customers. And I think Okta has the way to come into the mid-market for access. But we fight with that with Idaptive, whereas PAM is the most strategic. Now then I have to augment it with what we talked about earlier. We come in with PAM, we have access but we also have the DevSecOps. We have that angle that has to do with the secrets management, which is more and more strategic for our customers. And so the combination is very strong.

So President Biden recently signed an executive order, and it looks like it's being backed up with a significant amount of spend to target cybersecurity. How do you see that benefiting CyberArk?

A, we like that. And we also like it when things are called out because this country has really been under attack. And again, us and other companies have been researching and building it up. So we see this as a great long-term opportunity. We've always viewed U.S. government but also global market -- global government as a great opportunity, and especially with spending coming behind it. My anticipation is that it's more of a long-term tailwind into -- for us and not something immediate. We know that PAM and access is actually weaved into it, and we're going to continuously push forward with the strong partners we have for federal. But I would say, let's put it as a positive, but a long term positive, but we're going after. We're also going after global government.

So how long do you think it takes before some of it shows up in your results?

I would give it as a pipeline creation within this year, but not necessarily a pipeline completion within the year.

Makes sense. Josh, maybe you can help us with what portion of your business at this point actually comes from government? And I know that's government on a global basis.

Yes. We're seeing low double digits coming from global government, whether it's in the Americas, Europe and APJ.

And has that been consistent?

Yes. It's been pretty consistent on the kind of the 10% to 13% level, yes.

But we really grew since time of the IPO. I think when we went public in '14, it was really a much smaller sector for us and really expanded here, U.S. federal, but also more and more global government, putting this as a central element in their cybersecurity posture.

Is being FedRAMP certified something that's on your road map? Or can you serve through the prime contractors and resellers just as well?

We definitely -- every time we roll out a new SaaS solution, we definitely have to get it FedRAMP, and it's become a part of rollout or M&A consideration. So we have to do that. Yes.

And where are you on that FedRAMP?

It depends on the products. Some are really in advanced state. Some are earlier, I would say, Privileged Cloud is the most advanced. And -- but we're -- but we have a lot of cells that where government is actually wanting on-prem. So we're filling demand while building pipeline for future when we're ready.

Udi, you kind of touched upon that in privileged access some of the competition is private equity owned and has changed hands. Does that change in hands create disruption and opportunity for you to gain share?

It does. It does. I mean I think we always, as a company, always took the high ground in everything we do. But we really hear it from the customers that PAM is a strategic investment, especially when you're beginning to do the application site, where you're getting into the plumbing that you want to put in place and have it there for the long run. So we've heard customers or prospects voice concern over the fact, for example, that Thycotic and Centrify are now being merged under TPG. We've heard it in the past about BeyondTrust, changing hands. So it's -- it creates a positive opportunity because PAM is really a strategic investment. It's not something where you want to switch on and off between vendors. And we have some examples. I think even in the customer event, we have examples where we're taking the high road, even if the customers landed somewhere else, they come to us when they think strategically.

Got it. Josh, I want to circle back to the transition for a moment. And just a question that came in here for our investors. How should they think about the pace of expense spending, especially as the pandemic kind of comes to an end and knock on wood, we actually see a return to some business travel for sales-oriented opportunities?

Yes. So first of all, we're investing in the business. So anyway, you heard the bullishness by Udi about the market, about our products and where we're going. So we're investing into the business into next year. When you're selling enterprise software, you have to invest ahead of the business on the technology side. And you also have to invest ahead of the business on the go-to-market side because it takes time to ramp up all the sales and account executives and marketing teams to be fully productive. So we'll be ramping up for this year. And in terms of the travel specifically, I'd say we're still kind of in the, let's call it, the 10% range of travel, but I certainly can see, as we get into the fourth quarter and certainly into the back half of -- at the end of the year being already getting -- it's going to be about probably a 50% travel level.

Compared to pre-pandemic, you are saying?

Yes. Yes.

Yes. Got it. Another question that came in is, all right, so 51% mix in terms of subscription. Can you remind us what your target is? And would you consider eliminating the option of perpetual licenses as you move forward?

Yes. So our target to be out of transition in the 8 quarters, 8 to 10 quarters is north of 85%. To get there, we're talking about -- I think it's -- I think we mentioned 57% for the year this year, which was a bit higher than what we talked about in our February guidance. And that goes to our kind of being raised in May. And what was the second question?

Would you consider eliminating perpetual as an option?

So at this point, this year, no. First of all, again, we have a lot of life cycle of our pipeline coming from the 2020 quotes and even some from 2019 that are still in the system. And we spent a lot of time listening to the customers, and that's what's gotten to our success, where we are today. And so we're not going to give up that axiom. But I think when we get above the 85% number, and we start to just see a sale of maybe it's just certain governments, maybe it's certain very large enterprises. We'll evaluate then. For existing customers, there may be an extended tail. But certainly for new customers at some point down the road, we can see removing perpetual.

All right. Last question with our remaining 1 minute or so here, Josh, you kind of pointed this out. On the last quarter, you did talk about, hey, you still have quotes that you were -- deals that you were managing that started prior to the announcement of subscription. What does that kind of get behind us? And so everything in the pipeline is really under the new mantra? And how much of that existing pipeline said, oh, wait, you got this now, maybe I will consider it?

Yes. So I think by the time we -- I think we move through 2021, we'll be really at the tail end of the kind of the old quoting, whether it's perpetual or even 2020 subscription packages. I think we'll be pretty much at the end of that. And the good news is that actually what we already saw in the first quarter is even though the new packages only came out kind of in mid-January. And the sales guys only knew how to quote it probably by the end of January, we already saw, I think, already into the double digits of new -- of our new customers coming in and buying off the new subscription packages. So when we look at our pipeline today, and someone asked me that earlier in one of the one-on-one investor meetings. When we look at our pipeline, it's being very heavily weighted towards SaaS and subscription. And we're seeing already now going into the second quarter, a big way towards the new subscription package.

It's happening.

So it's happening. I love it. All right. With that, Josh, Udi, thank you so much for joining us. We really appreciate it.

Great. Thank you.

Thank you.

Have a good one.