CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Okay. Thanks, everyone, for joining us. Good morning, and welcome to the Citi Tech Conference. I'm Joel Omino. I am Fatima Boolani's research associate, and I support her in covering CyberArk. And this morning, we're very happy to have with us CyberArk's very own CEO, Matt Cohen. Thanks for joining us, Matt.

Great to be here.

Okay. I think a good place to get the discussion started would be just an overview of CyberArk's journey. Obviously, we're more familiar with the privileged access security background, but there's some exciting stuff happening in identity security that you are working towards. So could you tell us a bit about that?

Sure, sure. So I think if we start with that idea of, okay, what was PAM? I mean, PAM was the idea of how do we secure the most privileged identities, generally sitting in IT, and as they access the most critical targets, generally sitting in a walled data center, within -- with the 4 walls of an organization? And PAM was really founded in that idea of how do we protect and secure and make sure those accounts, those identities, don't get taken over because that will lead to a full-scale breach. And what's happened over the last decade or so is this idea of a couple of forces. The proliferation or an increase in the number of identities within an organization, not only human but now also nonhuman machine identity, and the increase in the number of environments that need to be protected, no longer just the 4 walls of a data center, but also cloud and multi-cloud, hybrid cloud environments. And those 2 forces combined with a third, which is the innovation that's happening within the bad actor, the attack community, the attack vector, kind of create this need for a much broader solution for identity security, but still that's centered on the idea of intelligent privileged controls. Because if you understand how to protect or secure the most critical users and you expand the right level of privilege controls now to the workforce, to the developer community, to the machine identities, then you can actually ensure that an entire enterprise is secured even in this threat environment and in this threat landscape. And that's where CyberArk is really focused on today is one integrated platform to provide identity security for all identities as they access all environments.

Makes sense. And I think the clear follow-up question is it's not just CyberArk doing this in terms of bringing together IGA, PAM, access management. There's other vendors doing this as well. So what makes CyberArk different? And what about your background makes you a better vendor to consolidate all these identity subcategories?

Sure, sure. And when we talk about consolidation, there's many different reasons for consolidation. A lot of industries go through consolidation when actually things become commoditized or the idea is we can get lower cost of ownership throughout an [ over ] industry. In our space, in identity security, what's really happening is more of what we call a consolidation of trust. In this threat landscape where identity is the target, the prime target for where bad actors are focused, the idea is how do I get a vendor that I actually can trust? How can I get a partner that I can trust? And our unique positioning as CyberArk is we come from, as I just mentioned, core security controls. We are the inventors of PAM, and that allows us to be able to bring a unique perspective of how to apply intelligent privilege controls to all identities. So when you start to think about other people in this space, they're really more focused on how to manage identities or how to create easy workflows. And our idea is, no, actually, in this day and age, it's how do you apply the right level of core security controls to every identity in an organization. That's our differentiator, and that's what helps our customers. The enterprises out there in the world really trust us as a partner in the journey.

Okay. That makes sense. And I think that's a good place to just level set in general. But I think you also do a really good job breaking down your product suite into these different pillars. And I think it's important for everyone to have an understanding of what these different pillars are and maybe the maturity that CyberArk is at within each of them. Obviously, privilege management, that might be a bit more mature compared to some others. So can you just help us break down these pillars and where you are in the market?

Absolutely. Let's start with PAM, most mature for sure. We're the clear leader in the space. The idea there though within PAM is there continues to be a lot of room to be able to grow and accelerate as every identity starts to have and look like a privileged identity. And as we start to expand into this idea of, all right, let's make sure we can take care of every environment. So there's still a lot of runway left in our PAM business. Actually, it's still growing incredibly strong. But it is the bread and butter of who CyberArk was and is. As you move across the portfolio, you can go into endpoint privilege security or endpoint privilege management, very basic concept, very powerful security control. Removing admin rights at the workstation and making sure that you can implement a least privileged approach for workstations and servers. That's a fast-growing part of our overall portfolio. It represents over 20% of our ARR. And it actually is, again, something that every single desktop, laptop, server needs to implement and it's a pretty mature market for us in terms of an add-on or a cross-sell into our base. In addition, we go into what's called secrets management or DevSecOps. That's the idea of machine identities and how do you actually secure with common policy and a common foundation or backbone the secrets that applications need to use as they're accessing other data sources, other applications. That, for us, is over 10% of our ARR, and it also is an area that's exploding pretty fast. For every human identity, there's 40 to 45 machine identities and all those identities need to be secured as well. Another area for us is this idea of access, which is a more established market. We're definitely not the leader in that space. But we are growing rapidly with the story of how you create access, multifactor authentication, single sign-on. How do you make it more secure? How do you apply these intelligent privileged controls? And we're increasing our win rates and our position in that space as we've expanded into the identity security space overall. And then we have this idea of cloud privileged security or cloud access, and this is the ability to be able to take the developers within an organization who need a different type of privilege control and make sure though that you're still securing them when they're accessing the cloud console, the native services that sit behind the CSPs and how do we make sure that they're actually secured and not off just doing whatever developers want to go do. That's the most nascent piece of our overall portfolio, but it's also one that we're most -- we're extremely excited about because the kind of proliferation and importance of securing development within an organization.

Okay. Okay. Thanks for that breakdown. So I think a question we will get is the competitive positioning, right? If you're playing in all these spaces, you have to be dealing with the different competitors that you're trying to replace or maybe some are a little bit more greenfield. So could you take us through the competitive positioning in each of them in workforce, VPN, privileged, et cetera?

Sure. And I'll start by saying though that the core competitive differentiator for CyberArk, we emphasize it a lot, is the nature of the identity security platform itself, the idea of securing any identity, human and nonhuman, with the right level of intelligent privilege controls for any environment, on-prem and cloud. And that's the competitive story. It's the better together story that we bring to market. Each individual product is still a point level solution for most of our competitors, and that's not how we want to compete. We want to compete with the total story. Within PAM, you have the other providers, the BeyondTrust, Delineas of the world, they're PE-backed, PE-owned. And we continue to feel our leadership position in that space. Within access, for sure, it's the Microsofts, Oktas, even to a degree, Pings of the world. And in that space, again, it's less of going out and competing head-to-head for a stand-alone access deal but expanding our base of customers to be able to take advantage of our unique differentiators in the access space itself. In the secrets management or nonhuman space, you see people like Hashi. But Hashi really thrives at the developer level, at the workgroup level. And once security gets involved and wants to implement an enterprise layer of security and an infrastructure backbone for all applications, that's where CyberArk differentiates ourselves from a Hashi in that case. And in the piece of the cloud security market where we play, which is really cloud access, there really isn't anyone else doing what we're able to do, which is 0 standing privilege for developers to native cloud services.

And maybe just on EPM, could you just explain to us the difference here and why EPM perhaps is not going against a CrowdStrike or a Sentinel?

Yes, sure. So we see the EDRs out there, providers -- CrowdStrike is an example, as an essential security solution. You sometimes hear me differentiate between security controls and management of identities. In CrowdStrike's space, they're a core security control of being able to sit on the endpoint, detect threats, respond to those threats, okay? But what EPM does as a complement to EDR is it locks down that endpoint so that configurations and changes can't be made without permission. The #1 thing that an attacker will do when they get to a workstation, your workstation, the first thing they're going to try to do is actually turn off that CrowdStrike agent because they don't want to be detected. And what our EPM agent allows that -- protects that endpoint with is it doesn't allow any changes. It removes local admin rights and implement what's called a least privilege workflow, where you have to go through a process to make any change. So that attacker, when they get to that endpoint, they're not going to be able to turn off that EDR. They're not going to be able to go around the core security control that is the EPM agent. So it's a great complement. I say it all the time. You need an EDR, all organizations need EDR. CrowdStrike has a very strong EDR. We go to market as a complement to that, that's really about implementing least privilege and really starting the PAM journey, if you will, at the endpoint.

Okay. Complementary, not competitive. So maybe just to round out the discussion on the platform, right? Could you talk to us about some of the advantages that customers get when they adopt it? I mean are we purely talking TCO? Or are there some deeper technological integrations that they benefit from?

Yes. For sure, you're going to get any of the benefits that come with a normal platform. You're going to get things like unified audit. A lot of our enterprises that we're dealing with don't just have to audit their PAM users. They have to audit all of their identities and they have to provide that actually out to third-party auditors. You get unified audit within our platform. You get unified reporting. You get the unified ability to be able to do identity management and workflows within our platform. Those are core capabilities that actually just come with the solution, but it really goes beyond that and the ability to be able to implement multiple layers of privileged controls. For example, within one platform, you might have users, when they go to certain targets, you just want to have single sign-on. You just want them to click on the tile and go through. Those same users, when they go to a different system, a different target, they may have more credential access, more privileged controls, and you want to put in something called session recording or session isolation. For other users, you might want to have -- they have standing access, which is called like always-on credentials for an Oracle DBA. But for when they're going actually to the cloud console, you want them with 0 standing privilege, no rights, and you want to assign the privileges just when they hit that target. All of that is configurable within our platform from one unified administrative policy, administrative approach. And so what you're really doing is not just reducing TCO, you're allowing the security professional to manage the way they actually set up privileged controls for all identities all within one system, within one platform.

Okay. And maybe just sticking on the platform. I think some people wouldn't be happy if I didn't ask about AI, so I'm going to ask about it. I think it's very clear and a lot of vendors have been clear, including CyberArk, about what they're doing in the space. So I think the question right now is what the differentiation is, right? When you look at what you're doing and what your plans and your road map is in AI, how is that different from what some of your peers are talking about today?

Sure. And I'll answer that, and I'll say beforehand though and we emphasize it a lot, that one of the biggest impacts on cybersecurity in general, certainly a tailwind for CyberArk, is the AI as a copilot, a help to the bad actors that are out there, right? The new methods and the enhanced methods of how attackers are able to go after enterprises, go after governments, leveraging AI technology is a scary proposition. And it actually increases the need for companies to do what we call assume breach. And assume breach is you can set up your cybersecurity strategy trying to keep people out, or you can set up your cybersecurity strategy assuming that people are going to get in and you better be in control when they get in. CyberArk's bread and butter, what makes us special, is our technology is about what happens if somebody gets in. And so this whole idea of assuming breach, which a lot of enterprises are now having to do because of AI, sets up the story for actually implementing the CyberArk technology within an enterprise. Now to actually answer your question, for us, we see AI as an enhancement of the technologies that we bring to market. We're investing a lot of money. I think we've issued a press release maybe this morning about the expansion of our center of excellence around AI. But our whole concept is how do we embed AI into our existing products and tools to make them more effective. And it might be to make them more effective at analyzing data so that we can put in place better controls or better authentication, but it also might be simply using AI to make the product easier to adopt. We launched a product earlier this year called EPM with AI. And the idea there is actually analyzing policies from the global community and then being able to automatically apply the policies locally within an organization and using the AI engine to refine those policies. It's not really about making the product better. It's about making sure that people actually adopt the product in the right way. And so we see it in both vectors. One, how do we make our products use data, use analytics, use AI to be more effective? And then how do we also use AI to make our products better adopted? And that's where we're spending our money in. I think there's a lot of excitement about AI, on what we can do in cyber. But we have to really focus on how do we actually understand what AI is going to do for the attackers and make sure we're prepared.

Okay. And you mentioned the press release from this morning. I did want to give you a chance to talk about that. I think it also mentioned that you're making some specific investments in AI. So could you just talk about what those investments are, whether it's engineering or from a sales perspective?

So we've always had, as one of our differentiators, a very strong, what we call CyberArk Labs in our headquarters in Israel. And in that team, where we have invested millions and millions of dollars over the years, we're always looking at the latest and greatest of what's happening out there from attack perspective and what we can do about it. What we've done over the last year or so has been investing in how does AI actually affect our overall labs approach. And what we've now solidified on is actually a larger center of excellence in Israel with teams of people focused just on this concept of how do we infuse AI into our technology and actually educating and propagating the ability for our overall R&D organization to leverage that information. And then also, how do we research the advanced threats out there? That Labs was the first cyber lab in the world to actually go out and demonstrate that ChatGPT could be used to actually create polymorphic malware. And that's the type of thing that, that lab is doing all the time.

Okay. Got it. I think when we look at all the technological advances that are happening here and the technological leadership that CyberArk has in some of these spaces, a question that comes up is how much of customer education do you have to do to show them where the next steps are versus how much of it is customers actually coming to you and saying, hey, we need this to be developed. Could you help us understand the balance over there?

Yes. I think it varies depending upon which part of -- or which identity we're talking about, in which environment. I would tell you that the notion of implementing privilege controls within an enterprise is a pull from the market, meaning we show up at customers, they already understand they must implement core privilege controls. They have to have a PAM solution. They have to be able to actually be able to go to their Board now and talk about their identity security strategy. It's a Board-level topic. And so we show up and there's not much evangelism or education that's going on around that basic concept. And that's basically also what's helped us navigate some of the macro environment because people know they have to answer to their Boards about their identity security strategy. The area where maybe it's a little bit more still education is in some of the newer areas around, for example, developer security. A lot of organizations have kind of left developers by themselves. They're such a precious resource. They add so much value to the company and all the applications that they're building. They're the backbone of innovation. And so they've kind of left them to go do what they want, don't slow them down, let them -- and now they're understanding to a degree that they have to have a security posture. But they're not quite sure what to do and how to balance speed of innovation of development with core security. That's an area where we're educating a little bit more. We're bringing together, for example, the CTO's office with the CISO's office and educating them together on how we can provide a core security solution that also enables innovation and allows developers to work natively. That's a good example of somewhere where we're still educating.

Okay. Got it. So there's a bit of a balance depending on the product pillars. So you mentioned the macro, right? I think that's another key topic that I have to touch on. Now the thing is with CyberArk, you've been relatively more resilient than some of your peers, even in security and in identity. Could you talk about what has supported this resilience? Is it something to do with the PAM market? Is it something to do with your individual execution? Just shed some light on that.

Yes. I think it starts with the understanding, as I was kind of hinting at, around the importance of identity security. When companies are putting forth their budgets for the year, we've always said this, cyber generally is higher prioritized than the rest of the IT budget given the threat landscape. Within cyber, there are certain areas that are critical to the overall implementation of the strategy. And EDR often makes that list. Cloud security often makes that list. And frankly, identity security, as a concept rooted on PAM, makes that list. And so those things are kind of above the line, if you will, of what's been budgeted for the year. That's great. That makes it a more fruitful environment even in this macro. Then you have to execute against that, and you have to make it easy for the customer to buy. You can't show up and try to supersize every deal and sell them 2 or 3 years' worth of software in this environment. You can't actually ignore the fact that the CFO is going to get involved. For years and years and years, you try to get the CFO out of your decision-making tree. Don't bring them in to a meeting. Let's stay in the CISO, CIO's office. Now I tell the team, get the CFO involved early, get the finance team involved early, because they're going to sign off on it. So make sure there's a value story and a value presentation specifically for them. Let's make sure that we actually are creative in our terms with the customer. Ramp them up if that's required, rather than getting them all out of the gate. So again, it's in execution, absolutely, and I'm proud of the team, and they've gotten even better in each quarter that the macros have continued. And you see that in our results, and I'm confident in our team and our ability. But it starts with the fact that you need a market that recognizes that you're above the line, and we certainly are in that market.

Yes. I mean it's certainly been impressive to see the relative resilience. I think I also wanted to touch on the channel and partnerships. You did talk about this a bit on your Investor Day. But can you just highlight for us how important this is to the business today? And how important this is for your growth strategy going forward here?

Yes. I mean I think channels is like the primary way that a company like CyberArk scales. We're 3,000 employees. We're over 1,000 in -- over 1,500 in go to market. But the market itself is so huge that it's partners that are going to allow us to get there. Now what we've seen though is a shift from traditional reselling partners to really people who are able to go out there and find us customers, drive bigger deals and expansion across the platform and focus on the value realization, so that we're able to expand those customers, drive cross-sell, drive up-sell. The GSIs have always played a big role at CyberArk. All the major GSIs have dedicated CyberArk practices. Not PAM practices, CyberArk practices, where they really have built a foundation of expertise in the industry around CyberArk. We also see now an expansion into MSPs and this movement of really solidifying the backbone infrastructure of identity security on the CyberArk platform. And we're really excited about that because that embeds us with the value-add services that they build on top for years to come. So as they become the outsourced MSP, and this is not just down market, this is also up in the enterprise, then CyberArk comes along for the ride, and that's excellent to see. And we also see new routes to market like, for example, the AWS Marketplace, as an ability to be able to lubricate deals, get things across the finish line and, by the way, helping these macros. Because if somebody already has a bunch of AWS credits that they prebought and they can use it to buy CyberArk, it helps with the CFO conversation.

Okay. And maybe can you share anything in terms of the types of partners that are most important, the level of contribution that you're seeing today? And maybe if you can talk even in terms of geographic regions or business segments?

Yes. I mean, we've always been partner, not just friendly, but dominant. Our EMEA business and our APJ business, which are good-sized components of our business, 40% of our business is outside of the U.S., are almost 100% through partners. Now we're in the enterprise helping and driving sales alongside of them. And increasingly, that's why we love the MSP program because that allows them to actually go drive new logos without our involvement, which is a more cost-effective way to go sell. But even here in the U.S., we see most of the -- again, the bigger GSIs. A lot of the big cybersecurity partners like the Optivs of the world, even down market, the CDWs of the world, helping to drive our business across the board. We continue to see partner growth kind of outstrip our overall growth. And I would tell you that what I'm really excited about is more and more of those partners, to our earlier conversation, are moving beyond PAM to really embrace the nonhuman side, the machine identity secret side and even into the access side. We highlighted it at the last earnings, British Telecom, as an example, of a telco that's out there that's actually standardized their MSP offering not just on our PAM, but also on our access portfolio to make sure that they can provide the entire platform out to the market. That's a good exciting example of how they're moving and helping us solidify.

Appreciate it. Those are some good details for us to digest. I think cyber insurance, something else I wanted to make sure to touch on. Over the past couple of quarters, it's actually been mentioned as a growth driver. Could you just explain to us what CyberArk's exposure is here? And what these types of deals look like?

Sure. I mean I think cyber insurance should be thought of as an influencer in the market. It's been the case for about 2, 2.5 years now that cyber insurance, so the cyber insurers themselves, tried to get control of an out-of-control situation, where basically they were paying out more in ransomware payments in responses to the breaches that were happening than they were bringing in for premiums. So you saw premiums start to just accelerate on enterprises, accelerate. There's stories in our customers and enterprises of 5x, 7x, 10x premiums. And then there becomes the discussion of what can drive down that premium? And how do I even get a policy? And a lot of what the cyber insurers are now focused on is besides just raising rates is recommending architecture for cybersecurity that helps to protect core security controls so that they can be protected from their business perspective. And one of the things that they increasingly recommend to customers is you must have a PAM tool. You must have an identity security strategy. You must have implemented privileged controls. That helps us then when customers' enterprises can't get cyber insurance, if they don't have a technology that looks like CyberArk in play. And as the leader in that space, we're able to be able to capitalize on that. So it's a nice kind of tailwind that consistently kind of drives deals. It also drives time lines because a lot of times, the cyber insurers will put hard fast dates on these companies on when they have to implement some of these technologies.

And maybe how competitive are you when it comes to this cyber insurance use case? I mean in order to meet the same requirements, do customers have to have multiple other vendors with what they can just do with CyberArk? Just help us understand the dynamic there.

Listen, I think there's -- within the identity security space, there's a big piece of the core controls that need to be implemented. But for example, do companies -- customers do need to have implemented, in a lot of cases, a basic firewall. They need to have EDR implied, so it's not a CyberArk-specific area. It's just that one of the core security controls and one of the ones that's most meaningful since identity is, again, the #1 place where attacks happen is to implement our space. And so you can't really get away from not implementing it.

Okay. Fair enough. I think I'd like to talk about the model just a bit. I think there's about $200 million of maintenance ARR that -- it's been holding pretty strong, only recently started declining year-over-year. And there is that 2x to 3x uplift on conversion. So how are you thinking about this bucket of ARR over the next several quarters? And maybe are you thinking about doing anything to incentivize conversion at a faster rate?

Yes, sure. So I mean, I think let's start with that $200 million bucket, which will be declining now that we really rarely sell any more perpetual licenses. We're well above the kind of mid-90% level of resell subscription in SaaS. So that maintenance, by its very nature, has to start declining because it's not being fed with new perpetual licenses. But it is a very healthy base of customers. And as you mentioned, what we see is when that customer decides to move to our Privilege Cloud, it's mainly PAM. And when those customers want to move to our Privilege Cloud solution for like-for-like, so just for the seats that they own, generally, we're getting almost 3x uplift. So if they were spending $100,000 in maintenance, for those same seats, they're going to spend $300,000 a year for the SaaS seats. That's a pretty nice uplift. In addition, at that moment in time, they're generally buying more product. They might be buying more seats. They might be buying some of this great rich portfolio that we have now to cross-sell in. So we're generally realizing even more than 3x at the point of deal. It is a really, really nice monetization model. And so my philosophy is, I would rather realize that monetization in a partnership model with the customer than somehow drive some arbitrary they must convert by a certain time or give them too much incentive to convert, and now I'm getting 1x or only 2x multiple. So what we have done is we've taken our maintenance base, that $200 million of ARR, and we stopped selling 3-year contracts. By the way, a lot of those 3-year contracts, we used to bill upfront, which helped our cash flow. So that's part of the cash flow story is we're taking that 3 year, and we're making it now 1 year, and we'll catch up on the cash flow because we're still going to get it every year. But by having an event every year, that opens the door for a conversion every year. We can talk to that customer more regularly about the conversion and the value add. I see the conversions playing out not over the next couple of quarters, but over the next couple of years. I think over the next 2 to 3 years, it will accelerate and become more and more. Customers need to have a real thoughtful approach to how they move their PAM instance, which they've generally invested years of effort in, into the Privilege Cloud environment, and they have to be ready for that. And so we work with them to create that road map. There's no customer that we're not having a conversation about already. But a lot of times, the road map looks like 2 years down the road, we'll do that. And again, I'd rather get 3x plus 2 years from now than 1x right now.

Okay. Okay. Steady Eddie. I think we've just 5 minutes left. I'll poll the audience if there's any questions. Just raise your hand. Okay. Perfect. Just a few more for me then. I think sticking on the model growth levers, ASP, deal size, that's been increasing. Customer growth has been pretty healthy. We're seeing expansion continue. So if all these levers are at play, how are you thinking about what are the key drivers of growth over the next couple of years?

I think we've touched on a lot of them. With this rich portfolio, with the platform approach, with the ability to be able to easily up-sell and cross-sell customers to these new solutions, it really becomes about how do we step the foot on the gas and the things that drive scale, that drive us to more enterprises that are out there. We talked about the channel play. The channel play is critical for our ability to be able to get more feet on the street beyond just the CyberArk seller to reach new enterprises. By the way, marketing and our investment in marketing helps there as well as we build up the brand to identity security beyond PAM. So that's one area that I think will really drive growth. The second one is up-leveling our sales capacity, which is a really strong sales capacity to be able to approach the platform selling motion versus the kind of individual solution selling motion, to basically be able to address more of the C-suite challenge versus just the CISO challenge. And we see that kind of capability taking off and allowing us to be able to scale. And then frankly, we also see the ability, again, for the market to kind of help push this by just the attack landscape becoming so difficult, so complex, so risky that, that in itself will create kind of fervor for us to be able to grow more.

Okay. And when you look at the deal sizes, customer growth, expansion, should we think of those all in tandem driving growth? Or are they -- are any of those maybe going to come out as a key driver?

Yes. I mean I think more than 50% of our new logos are purchasing more than one product when they land. Generally, they're coming back within a year to expand. That land-and-expand motion of multiproduct and then still, the ability to come back pretty quickly and expand them even more, is the lifeblood of the organization. We have basically what we put out at our Investor Day. Within our base of 8,000 customers or so, we've got about an $8 billion TAM just to expand those customers with our existing solutions. We got another, call it, $30 billion, $40 billion of TAM outside of our base to go after. There's plenty of market. Market is not the constraining factor. It's our ability to be able to go scale and execute against there. And then as you said, we'll land with multiple products. The ASPs are going up. Our ability to be able to go down market, grab new logos, all those things are part of the firing engine that we're building, and we're pretty excited about it.

Okay. Fair enough. Maybe just one or 2 more here. I think it's fair we've talked about growth. We have to talk about profitability. These days, everyone wants to see profitable growth. So what are some of the levers and the specific ways in which you're going to maintain profitability improvements but make sure that you're not sacrificing on growth opportunities?

Yes. I think we're set up really well in this regard. First of all, we're at the point where we're exiting the subscription transition and getting to where we can return to some of the profit levels that are inherent in the business but have been covered up by the business model change. And a lot of our profitability -- the lower profitability, lower cash flow is simply a subscription dynamic that you have to look through. But in addition, we've invested through this period in, for example, the platform. And the platform allows us to be able to develop new services in our R&D organization much quicker and much more efficiently. And that will drive down our total cost of R&D, our cost of research and development of product as a percent of revenue. And so we see scale coming out of our R&D organization now that we're able to develop on a common platform. On the sales side, we've invested heavily in our channels and also in our overlay sales motion to help with some of these newer product areas. And we start to see that being ready to really scale up, which allows us to be able to drive better sales productivity and drive down the cost of sales and marketing as a percent of revenue. So we really see the opportunity, one, for just finally getting through the subscription transition and then adding in the benefit of sales and marketing efficiency from channels and overall productivity gain. And most importantly, on our product side, where we've really been investing heavily to be able to bring that down now that we have the platform to innovate around. And I'm sorry, I'll add. And that's why we put out the 2025, 2027 kind of profit goals that we're very confident in because we can see how those will materialize in the near term.

Okay. And maybe can you talk about the cash flow dynamics for a bit as well?

Sure. So again, we're navigating the cash flow of the subscription transition and navigating the cash flow dynamic of multiyear maintenance contracts coming down to 1-year contracts, where many of those multiyear were paid upfront. So those are just a little bit of headwind and noise. We see ourselves emerging from that with the profitability in kind of 2024 and then really resonating in 2025 where we put out the target of $200 million of free cash flow. And then it accelerates even further as we get into 2027 when it starts to double again. And that's kind of where we see it really starting to normalize, if you will, from all the headwinds.

Okay. Perfect. Well, if there's no last minute really burning questions -- there you go.

So if this happens, free cash flow [indiscernible] cash flow [indiscernible] balance sheet, how are you thinking about that?

Yes, I think we continue to always look at how to make that capital work for CyberArk. We're -- we have an M&A strategy that we're always looking at in terms of how do we boost up our technology within this identity security space and where can we add to from that perspective. And we're always analyzing the best way to put our cash into play. But we're -- yes, we will absolutely be in an enviable position from a cash perspective.

Okay. Thank you. I think that's a perfect place to cap the discussion. Thank you so much, Matt, for joining us. Thank you, everyone, and enjoy the rest of the conference.

Thank you.

Yes. Thank you.