CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

All right. Well, welcome to the UBS 2021 TMT Conference. I'm Roger Boyd, I cover Cybersecurity Software here at UBS. Right now, we have the pleasure of being joined by CyberArk, and we're very happy to be hosting Josh Siegel, CFO; and Erica Smith, Head of Investor Relations. I want to alert all of you listening, we do have a Q&A option available if you have any questions. Please submit them using the form, and I'll be happy to forward them on to the management team here. So with that, Josh and Erica, thank you very much for being here.

Thank you, Roger. It's always great to be at the conference.

Thanks, Roger.

So maybe we can start off. It's been an eventful couple of quarters for you guys. Maybe we can start with a brief overview of the subscription transition you announced at the beginning of the year and continue to work through and biometric seems to be tracking ahead of schedule. So what did you propose at the beginning of the year in terms of timelines and booking targets? And then where are we today?

Yes. Thanks, Roger. We're really -- we're really excited about the whole transition process. If we back up when we announced this subscription transition, we outlined that we would exit the transition between the end of '22 next year and mid '23 or would take essentially 8 to 10 quarters to reach 85% of our bookings from subscription. In our second quarter earnings, we updated the expectation that we would really be able to complete that by the end of 2022 or just in 8 solid quarters. And then in our most recent quarter that we just talked about in November, we actually already pulled that in again. to be hitting that 85% level of bookings coming from SaaS and subscription already in the third quarter of next year. So we really like the fact that we've been able to bring that in really hit kind of a faster pace than what all of our -- what all of our homework and the playbook that we set out earlier. In March, at our Investor Day, we talked about the mix for this year being about 55% for 2021. We're exceeding those targets. Our guidance for the year now when we came out in November, is to have an average mix of 65% of 2021 bookings coming from SaaS and subscription. And if you think about it already in Q3, we were at 72%, but we do anticipate and guided for a bit of a reduction in the fourth quarter to closer to 68% given the fourth quarter business and the nature of budget flush and the likes. I think when we think about the transition, I want to really emphasize that it's ahead across all metrics. And really, it's because we're seeing an acceleration in the business. So as we look ahead, the durability of this momentum is really supported by, I would say, stronger close rates. The record pipeline that's continuing to build. We talked about the record pipeline all the way back in 2020. We're continuing that record pipeline into this year. And when we think about what do we look at to really see the growth and the acceleration that I'm talking about in the business, the key metrics that we want to look at is, first of all, annual recurring revenue which now is at -- for the third quarter, we said it grew 38% year-on-year to $344 million. And if we kind of parcel out within that annual recurring revenue, the subscription portion, it grew by 131% year-on-year and now represents 40% of our annual recurring revenue. If we look at recurring revenue overall, it's growing 41% year-on-year. And if we kind of -- we call it like level the playing field for the revenue headwind for shifting to subscription, then we would see revenue really growing at 30% year-on-year basis in the third quarter. And the license portion of that revenue, we talked about it in our earnings call, is really growing on a 50% year-on-year basis. When we think about the third quarter revenue -- for license, when you bring back in the headwind on what it would be like on apples-to-apples. So the underlying business this year is growing way faster than 20%. I think if we add all that up, the transition is ahead of plan. If you look at the metrics, at the shift, at the mix shift or at our hard core metrics as they are and what portion of that is coming from SaaS and subscription, and it really represents kind of the fundamental growth of the business. So we're -- you can -- on the first question, you got me excited because we really like what we're doing on the transition.

Yes, for good reason, for good reason. So maybe a step deeper. You've talked through the drivers of why that transition continues to track ahead of schedule. But in addition, you talked about SaaS being -- it's been a SaaS-heavy transition. And a lot of the new bookings are coming from SaaS versus term based. So I wonder if you could talk through that dynamic and then particularly what SaaS products you're seeing the most success with?

Yes. I think I would point to several main things when we talk about the subscription model resonating really well with our customers. One is the macro trends, they're really accelerating demand. I've talked already about our pipeline already going back to 2020, growing at record rates, continuing into 2021. And we're really seeing an urgency to deliver against -- to deliver the cybersecurity. We're also seeing enterprise customers really embracing SaaS. There's been a record amount of adoption for our Privilege Cloud. And enterprise customers are moving faster than we expected even given the macro trends. So when we thought about our Privilege Cloud, we knew that kind of mid-market and down market would adopt it well, but also we're seeing even larger enterprises starting to adopt Privilege Cloud. And if you think of that 72% bookings mix in the third quarter that I mentioned, so within that mix, approximately it was $2:$1 SaaS for every subscription dollar. So we're a SaaS-heavy transition within our products. I think I would add that we've had really good execution, good productivity from our sales teams and that's really important to how and if the transition is going to work well. Will the go-to-market teams play ball with the corporate strategy of the transition? And we devised, I think -- on 1 end, we devised a good compensation package for them to be aligned with selling more and more SaaS subscription. And also, we devised, I think, good subscription packages that are -- that the customers can choose from that actually make it a win-win for them on saying, you know what, I prefer to buy either the SaaS products that you're offering or the subscription version of the on-prem because of the other things that -- of the way you price that subscription package for a year. And 1 of the things we did there was also add in some of our SaaS multifactor authentication and single sign-on for the privileged users within our Core PAS annual subscription. I think kind of to round things out to really give you a sense of where we are on the success of this transition with new logos more than 80% of the new logos in the third quarter, bought SaaS and subscription products.

Got it. Very clear. Maybe shifting to a little more high level of a question. There's a lot of talk about the convergence of the identity security market. And historically, it's been very segmented and you partner with customers there. I think CyberArk's interesting position relative to that convergence with, call it, the leading PAM solution and a Gartner Visionary in access management. Can you talk about what makes the CyberArk approach to this convergence trend a little different and really the importance of security and having Privilege in the center of that convergence?

Yes. Roger, I think I'll just start with kind of a general statement, and then I'm going to let Erica kind of go deeper into that convergence. And it's really that, yes, we are seeing the market moving to us. You really do have entitlements in the cloud and privilege escalation for SaaS users. And we brought Adaptive on board in order to be able to move to a very -- in a very powerful way to identity security, understanding that workforce becomes privileged as well. And we have a lot of things -- we're really on that strategy. And I think, Erica, why don't you kind of expand on kind of what the real convergence means to CyberArk?

Yes. Sure, Josh, happy to. And thanks, Roger. It's good to be here today. I think when you're hearing it broadly, right, that the proliferation of privilege is everywhere and Josh just mentioned it, and that goes from human identities all the way through the DevOps life cycle from humans, machines, applications, bots, everything in modern enterprise and IT has -- every access has a privileged element associated with it. And we firmly believe that we can actually treat all of that access to the same. However, that access does need controls, right? And so we've been hearing from customers over and over again and what they were looking for was more controls but in a seamless fashion. And that's on the workforce and even on the application and on the machine identity side. And so we've strategically made a lot of moves to make sure that we were able to meet that demand and that need for our customers. And to your point, look, we think we're in a unique position because what we do, we know that the privileged access component of it is incredibly hard and being able to work across a hybrid environment to be able to secure your modern applications, your modern cloud, your consoles, all the way to your on-prem environment, it's difficult and challenging, and we think we're in a great position to be able to offer something unique to our customers. Secure Web Sessions is the first application of -- it's actually demonstrating that what we view as our long-term vision where it's a blending the access side and the privilege side to be able to introduce those controls around the broader workforce in a seamless way and protect that session. And the interest we've gotten from customers is incredibly powerful. So we're really excited about this transition, and we think we are in a good position here.

Yes. Great. Great. To put it in context, I mean, at your Analyst Day earlier this year, you talked to a $20 billion TAM growing to $50 billion as you expand into these markets. Can you just talk about the components of that TAM relative to those 3 markets, PAM, Access Management and DevSecOps, how each filter? And then specifically on the PAM side, there's maybe this thought amongst investors that the PAM market is -- is maybe closer to being fully penetrated than it is, and if you could talk about maybe the greenfield versus brownfield opportunities you see in that market specifically?

Yes. Roger, I'll jump on that. And the fun thing is that the majority of our new logos are still greenfield. And if you look backwards, even we have seen kind of rip-and-replace numbers starting to tick up. but we're still seeing most of our new business as greenfield opportunities. Regarding the question on penetration; PAM, we're seeing about 70% of upsell coming from existing customers today, which is a little bit more than what we would have said 2, 3, 4 years ago, which was more around 65%. But nowhere even in our most kind of mature verticals are we really feeling like we're hitting a ceiling when talking about just PAM. And when we talk about the total available market or the TAM, we talked about a $20 billion estimate. The lion's share of that really related to Privileged Access Management, EPM and secrets management. That was really a much smaller being allocated to the early use cases that we're addressing in access. And so if we think about all the innovation that we're doing around identity security and moving more and more into DevSecOps, we'll be more into access. We're really extending that by to really around $30 million -- $30 billion TAM that we discussed also at our Investor Day.

Got it. Got it. Okay. Maybe to touch base on Adaptive, you're now about a year of that acquisition. Can you just give us the high-level thoughts on what you're seeing from that customer base and product and where we are in terms of integration, what the opportunity really looks like for cross-sell and cross-sell in that customer base?

Yes. When we picked up Adaptive in May of 2020, and our focus in 2020 was really on the integration. And in 2021 was product development of secure web services that we announced earlier this quarter, and I'm building out our enterprise sales team so that our go-to-market during 2021 starts to understand what it means to sell not just to privilege users, but also to the entire workforce. And now with Secure Web Sessions kind of released this quarter, as we look into 2022, we think that's going to be a really pivotal point for our go-to-market teams to differentiate between just identity management, which a lot of our competitors sell and secure an identity security because as Erica was alluding to before, and the convergence are really now able with Secure Web Sessions to show how when you're managing the workforce at different privilege levels during the day that you can actually apply more and more security to that identity management. In the last 2 quarters, we've really been pleased with the new business activity with Adaptive. We're seeing this both as a landing spot. So it gives us another way to get new logos, as well as looking at our 7,000 customers and being able to use selling into the entire workforce as a cross-sell into our base. And we talked a little bit a few minutes ago about how deployed are we within our -- with our installed base. And this really gives us another whole avenue in which to upsell our very large installed base as well. It's still, though, let's keep it in perspective, a small part of our business, but we're seeing strong demand when we look at our pipeline and the customers that we won are really are great customers. I think we talked about it maybe in the call in the third quarter an existing customer in financial services, wanted the benefits of our identity security platform is actually replacing a legacy access solution with CyberArk Identity. And those are the types of wins that we want to continue to work on within our entire installed base today for PAM.

Makes sense. Makes sense. Maybe continuing on in the SaaS bucket and the SaaS transition, I wanted to touch on Endpoint Privilege Manager, which -- it sounds like it's doing very well. It seems like it's maybe 1 of the better solutions to address ransomware, which is quite prevalent this year. Can you talk about how this solution is doing and then also how it differs from call it, traditional endpoint security vendors and how -- what you're seeing with this product, not only with the customer base but also landing new customers?

Yes. Roger, you're right. You kind of heard us talk a lot in the third quarter earnings call and in the investor sessions before, I was talking about it. EPM has really had a standout quarter. We've had record bookings with Endpoint Privilege Manager, and we're increasingly seeing the Endpoint Privilege Manager. It would be not just an add-on sale, but almost infrequently, it's a landing spot as well for new logos, which is turning -- which in turn, obviously, opens us up to be able to sell PAM, the larger PAM or access or DevSecOps. And that's really being driven by kind of the threat landscape, you alluded to it with ransomware, which is really driving kind of the urgency and for Endpoint Privilege Manager and particularly speeding up what we like about it is that it's a faster sales cycle for Endpoint Privilege Manager. First of all, it's 100% cloud has been for the last really -- this year is the first year we're only selling it in cloud. Last year, it was about 90% sold as cloud. And before that, it was around 50%. So our go-to-market team already understood how to sell it as a cloud. And when we think about the -- when we think about where it sits in the enterprise, we sit along kind of the other endpoint vendors. So we're not replacing other endpoint vendors. We're sitting together with a crowd strike, and they're actually a partner of ours. And it's about running the endpoint, either as a desktop or server in these privilege form in order to get the full impact of being able to, one, prevent credential theft at the administration point and to prevent downloading a ransomware has a great listing functionality and theft blocking. And -- we -- it's really been kind of a key component for being able to round out our whole Privileged Access Management solution for the enterprise. And we're really excited about the pipeline that's building for now and going into next year.

Right. And then on DevSecOps, you acquired Conjur back in, I think, 2017. It's now becoming a much more relevant market. I think maybe you were probably ahead of the game back then. We're now seeing a lot of trends around the importance in secrets management and continuing to machine identity, how does that fit into your broader identity strategy? And what has customer reception been to that product? And how crucial is that going forward?

Yes. Erica, do you want to jump in here because I think it's a continuation of kind of strategy behind the convergence and where we're seeing the enterprise go?

Yes, sure, happy to. So I think, Roger, when you think about digital transformation, that's a major driver of our business broadly. And certainly, again, those lines between the application side, the human user, they all continue to get blurred. And so from our perspective, when we acquired Conjur back in 2017, we were hearing directly from customers then that this was a problem they knew they needed to solve. And when you think about what happened with SolarWinds, that supply chain attack certainly has an application element to it, and it just underscores how important the security elements are to the enterprise as it relates to secrets management. And so we've -- the same trends are happening. You're just seeing that acceleration of privileged access as it relates to those Internet of Things. You've got the applications, you've got APIs, you've got keys, you've got bots, you've got RPA. And that's just a continuation of that same problem. And so what we hear from customers is that they want more security. They also have the same challenges we're seeing with their traditional applications. So where we really see a lot of traction and a lot of differentiator for us in the market is the fact that we can give them a single pane of glass across both their dynamic applications as well as their more traditional applications. And the reception has been great. I mean I think we've done a really nice job of integrating into that market. I think we have also had a competitive differentiator because of our relationship with the CISO because this is a secure -- also a security problem. And so our go-to-market is kind of two-pronged where we go into the DevOps with secrets management from the CISO level, but we also have an open-source solution. So we're penetrating the market most in the top down and the bottom up, and that's worked well for us.

Yes. No, I think that's right. And to continue on with that, the multiple go-to-market motions. Correct me if I'm wrong, but I think it's fair to say that the typical PAM sales motions through the CISO. But when we talk to customers, it seems like more often than not, the access management piece is owned by the CIO or someone in operations. So how do you think about some of the multiple areas of enterprise? And I mean you talked a little bit about on the DevSecOps being able to sell to the C-suite and also developers. How do you think about just selling more personas within the enterprise?

Yes. That certainly has been a focus of ours for quite some time. I think if you go back a number of years probably 3 or 4 at this point, we did start to up-level our conversation, not just in the CISO, but also to the CIO level. And so that is kind of a common thread for us to have those -- the CIO into the CISO relationship. You're thinking about PAM the right ways, that oftentimes it is more of a security sale, but it's often also in a broader identity project, right? Like when you got to think about our sales motion, particularly when you sell with the system integrators or any of the influencers, those are oftentimes much bigger projects. And so our team is very accustomed to selling across the personas. But it is an area when you think about the move of our room into DevOps, that was an area that we had to also kind of focus on the developer community, which was much a different function for us from our perspective. But we've got in since 2017, to your point, we were a bit ahead of the market or ahead of particularly where investors were thinking we were going to go. We've had a lot of experience kind of moving in that direction. There's still work to be done there. But what we did last year was we created the speedboat structure construct where we got subject matter experts across both access and DevOps and for DevSecOps and that's really helped us to be able to get into some of those discussions and establish baseline credibility from the get-go. And that's a relatively new structure at the beginning of the year, but we're seeing nice traction momentum, and we expect to continue it as we move into 2022.

Got it. Got it. Okay. Thinking about margins, you did a great job of providing some operating margin targets as you work through the transition. And I guess I'm wondering if you can refresh us on what those target operational metrics were. And now with the transition may be running a couple of quarters ahead of schedule, how that might change your outlook on the margins coming out of the transition?

Yes. So, Roger, I'll start there. And Erica, if there's some things you want to fill in, feel free afterwards. But -- so in terms of margins, look, the dynamics of the transition really dictate that the margins will -- are impacted by the transition. So they're going to kind of bottom out as we exit the transition. So that's -- we've kind of pegged that at the third quarter of 2022. And from there then, you would start to see margins gradually improve as quarter 1 and quarter 2 and then so forth as we exit past the transition. And I think, though, what's really important here is that we -- is that I really focus as well on our overall approach to the investment and to profitability because I know that that's an interest. And first and foremost, despite the transition creating this different view of our margins over time, our investment philosophy hasn't changed. And it's still kind of a core tenet for CyberArk that profitability is at the center and really what we mean by that is that we're also going to be investing with the demand environment. So we invest -- if there's demand environment, we invest. And as demand environment goes up and goes down, that will certainly impact our investment. So if you think about for context, for next year, the underlying business in 2021 is growing today well north of 20%, even over 25%. No matter how you kind of look at it, if it's from annual recurring revenue, if it's from our bookings growth, if it's from trying to create an apples-to-apples comparison of our revenue between a SaaS and perpetual. And it's really because of the lot of things that we talked about here today. We've executed well, productivity has improved. And overall, there's been a lot of acceleration in the different aspects of the business. So as we think about 2022, it's really important that we're going to continue to invest keep up with the record pipeline growth that we're seeing this year that continued on from 2020. Obviously, we're not guiding yet for 2022, but we'll probably see some continued decline in our gross margin as we do more and more SaaS business. So there will be some pressure on that. And we're going to be continuing to operate, invest in our operating expenses in R&D and in go-to-market. There's some FX impact as well, certainly in our development arms in Israel, as we all know about the shekel. And of course, there's been impact on overall inflation and the tight employee market. I think though 1 thing that is really important is that all of how we invest and we come out of the transition and we start to improve our operating margins, all of that -- all of what remains intact is our long-term goal that we talked about in the Investor Day of getting back to the Rule of 40 in kind of a balanced way of both growth and operating margin when in the 2025 time frame. So that's the end game, and we're confident that we know how to get there. But it's going to get there through continuing to invest because the underlying business is continuing to grow at a very fast rate.

And then on to the -- if you wanted the second part of the question on the margin kind of profile when you get out there it's -- we're mid-teens in terms of percentage of revenue for R&D is the target that we put out there and then 36% to 38% from sales and marketing and then single-digit 6 to 8 -- 6% to 8% of revenue in the G&A line and a gross margin level of between 79% and 81%. That's out at that 2025 time frame, which gets you to a 20-plus percent operating margin. Again, not reiterating those are the goals that we have kind of outlined back in the March time frame at the Investor Day. The one thing to keep in mind on that sales and marketing as a percentage of revenue. That also assumes that we're growing faster than 20% on the top line, right? Like it was a 20-plus percent growth rate. So it's important to keep that into perspective that there could be -- if the growth rates were to decline, there could be leverage there if the growth rates were much faster that number may look a little bit different, too. So that would be the big leverage point there.

Got it. Makes sense. And then, Josh, can you talk a little bit about sales productivity and the labor market. I guess I'm just curious at a high level, there's a lot of focus on the talent shortage and the so-called great resignation. How has that showed up in your business in terms of attrition and your ability to hire talent? It seems like you have continued to grow headcount quite rapidly. So just any thoughts on that concept?

Yes, Roger, I mean you're right. I mean we're not immune to the overall tight employment market. It wasn't created by us. It was created by a very robust tech market, which has done very well in the last 12 to 24 months. We, on the other hand, as CyberArk have been able to manage through it pretty well, I mean I think we've hired a net increase of about 400 people. It's about 25% increase year-on-year during the first 9 months, and I expect that we're continuing to hire into Q4. And we have plans to, as we said, to continue hiring into next year. I think we've been able to help manage we have churn, but it hasn't gone out of proportions. I think we've been able to help manage it. One is we continue to invest in the people. I mean, we all recognize at CyberArk and it's about the people to make to really be successful everything in everything we do. I think if you -- if our CEO was here today, he would say he gets up in the morning and thinking about how does he keep the 2,000 strong employees happy. And I think they feel that and that's used, and that's helpful. We also get ranked externally. I think we've been in the top 5 place to work either in our Boston headquarters or Israeli headquarters. Now for the last -- several times, we've been ranked very favorably there. And I think the fact that we are a leader in our space, helps success begets success and people want to be part of the leader in the space, and we are the de facto leaders within PAM. And the fact that we continue to invest in -- in transitioning and transforming ourselves to not just see what we were, but also to now be able to meet the next wave of innovation, becoming a fully cloud-based and subscription recurring revenue company, I think, has really also attracted people to stay within CyberArk and also to attract people to join the goals of what we're trying to do. It is tight where there's clearly going to be some impact. There is an impact, but this is what good management hopefully can do in an organization is be very agile, address what's going on, and not just bury our heads in the sand and accept the fact that today's world is very different if it's because COVID related or if it's just because market-related and take very proactive measures to continue to strategically build on our resources. One thing I would add is that we're not just -- we're expanding our locations as well. We've developed strong development resources in other parts of the world, other than Israel and Boston. So we now have capabilities within other parts of Israel and within India, also within Eastern Europe as well. And that's part of good strategic initiatives.

Very, very clear. One last question on the model. You talked a little bit about the cadence of ARR growth, and you've done a good job of separating out subscription and maintenance portions of that. Relative to where you're growing ARR now and the longer-term goal of 30% plus over the next couple of years, how should we think about the maintenance line and your ability to maintain that? You've talked a little bit about how that might converge in calendar '22?

Yes. Erica, do you want to address that?

Yes, sure. So if you think about the maintenance ARR line, it's been relatively flat sequentially this year. I think the expectation for next year is that at this point, it will continue to be relatively flat. As we exit the transition you could see a sequential decrease or decline in that maintenance ARR line, but there's a lot of parameters that, or inputs into the maintenance ARR. There's -- we are still maintaining our really strong renewal rates on that maintenance space. But there is some natural churn that happens with that maintenance line like the north of 90% renewable rates there, but there is the churn. You'll have less coming into the top because we'll have less perpetual license. And then we do have some select conversion activity, which we've talked a little bit about, meaning that we have some perpetual maintenance customers that are either migrating to a full SaaS solution, which is a complete tech upgrade or they're moving to on-prem subscription offer. And so that also could have an impact on the maintenance line. But it would be -- it will be a drag next year or continue to be a drag as it has been this year on that sort of growth ARR, which is why we're giving you the increased disclosure to make sure that you can appreciate that, that subscription line has great growth and it's the drag would be coming from that maintenance line.

Got it. Okay. So maybe moving to the federal market. There's a lot of focus on modernization there. I think historically, CyberArk has talked about global government, including the Fed being a 10%-plus vertical. What are you seeing from the federal market here in the U.S. around demand and deployment preference and across your customer base, it seems like momentum is moving towards SaaS and term-based license. I think in the past, you've talked about the federal government may be leaning closer to perpetual on-premise side there. Just curious what you're seeing or what you expect out of that market over the next year or so?

Yes. First of all, there is a lot of discussion at the federal government level around cybersecurity. That's for sure. Obviously, there's been a new administration that's come into play. So typically, what you frequently see in the first years of administration is a lot of discussion, but it's warranted discussion. It's not -- they're not broken away from the reality of what we're seeing in the rest of the world around cyber breaches and the threat landscape. Interestingly enough, in the third quarter, we didn't see necessarily a huge budget flush or even the same from the U.S. Federal as we've seen in previous years. But I really think it's related to what I just said as being the first year of the new administration and the federal government not necessarily traditionally moving that fast in the first year. Having said that, it's a hot item, there's executive orders out there, there's cybersecurity initiatives coming out of the Biden administration. So clearly, cybersecurity is going to be high on their priority in this. We've seen in the overall engagement with federal agencies and partners an increase [indiscernible] -- so our teams in Washington, D.C. are definitely engaged. I would point out that actually one place that we are seeing an increase already also in purchasing, is at the [ SLED ] level at the state, local and education level, they're really very much moving forward and has performed really well for us this last quarter, and we also see a nice pipeline for them going forward. And you mentioned that we really think about it from a global government perspective because we're in many governments around the world, whether it's in Asia Pacific, Japan, whether it's in Central Europe or Eastern Europe. And so we've had a -- in the third quarter, while we had a great overall accelerated quarter that we talked about earlier in this call. We had -- but we didn't necessarily get a big budget flush out of federal, but we had a nice global government quarter as is, and it was actually one of the high growth -- one of the high-growth verticals. It grew over 100% year-on-year in [indiscernible] Q3 and Q3 last year. So we're -- we think our investments in the public sector are paying off. I think federal will be down the road, but more so. And -- but overall, we're very much focused on the global government.

Good stuff. Okay. Maybe just from another high-level perspective question, the convergence of identity. Over the next couple of years, how do you think about the balance between organic and inorganic growth? And you obviously made a big leap into access management with the acquisition of Adaptive? How should we think about CyberArk being potentially acquisitive in other areas of identity?

Yes. I mean we've -- we are going to be acquisitive. I mean, I think first of all, we believe that we need to be innovative. So you're either innovative organically and/or innovative through acquisition and a make or buy or basically new vulnerabilities come up and you want to jump into the market there. So we've retained our leadership in PAM and we're going to keep pace, not only with the competition but also with where the attackers are going. We have a theme within CyberArk of things like an attacker and we have research labs that are around, okay, think like an attacker and where are the new vulnerabilities coming up. And then as they come up, we'll be in a build versus buy mentality. We've done well with our strategy of acquiring Endpoint Privilege Manager, which is one of our early acquisitions. Conjur on the DevSecOps side, more recently, Adaptive. There's been a few others in between. And we'll definitely be looking at acquisitions that could range from tuck-in of -- you talked a little bit about the resource void or competition for resources or there could be acquisitions just to get technology resources all the way to acquisitions that are going to be already be able to go to market on day one with particular products that will help us in our identity security platform as it relates to IT infrastructure or cloud environments.

Great. Okay. We've got about 5 minutes left. I just wanted to reiterate the ability to submit questions. Otherwise, I'll ask a few more and we'll wrap up here. But on the channel, you've historically taken most of your revenue through partners. And I guess I'm just curious how that channel strategy has changed over the past couple of years and what you're seeing out of the partner ecosystem relative to Privileged Access Management?

Yes. I think we're -- it hasn't changed per se as much as it's evolved and matured a lot because it's moved -- we continue to sell through VARs. We continue to sell through distributors. But what's really evolved and matured in the last several years is our partner relationship with advisory firms like the Big 4 or Accenture or the likes, where they're really involved in either actually processing the business or just very much a major influencer in the business in the transaction as well as they're advising many of the enterprises. And so that's kind of like that's been a big focus of ours. And I would say the other area that's matured and evolved over the last several years is our ability to train the partners to provide services to the enterprise to be smarter about helping us in customer success activities and the likes. And that's been a critical component of where we're investing on the training side to our partners. And we have -- when we pick partners, we're not necessarily caring about the total number of partners we have, we really want the partners that are going to provide us the biggest leverage point to get to more and more customers that are used -- that are willing to learn about CyberArk and actually put CyberArk feet on the street and not just be a gateway. Erica, do you want to add about the -- the Amazon?

Yes. So I think the one other area that we're really excited about, which is relatively new for us, is building AWS [indiscernible]. We've been in the marketplace for quite some time but really getting some leverage out of AWS. Because they have a lot of street on the feet (sic) [ feet on the street ] and the ability for customers to be able to use the AWS credits and apply them to CyberArk, right? And we're seeing some nice momentum in that as a channel. We have some really great wins in Q3 and -- but the pipeline has actually builds incredibly well. And so as we look into 2022, we think that could also be a nice contributor to growth because we'll just get better and stronger with that motion and there'll be a deeper understanding within the AWS that this is an option for the customer base. So we're excited about that as well.

Awesome. Well, I think we're about time here. Lots of great stuff going on. Josh, Erica, thank you so much for joining us. It was a great session, and I hope everyone has a nice rest of their day.

Great. Thank you, Roger.

Great. Thank you, Roger.