CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Good morning, everybody. Thank you for coming to our Morgan Stanley TMT Conference. My name is Hamza. I'm the Cybersecurity Analyst here at Morgan Stanley. And this morning, I'm very pleased to have the CyberArk team. We have Josh Siegel, CFO; and Erica Smith, Senior Vice President of IR and Finance. Josh, Erica, thank you so much for joining us.

Thanks, Hamza.

Thank you. It's great to be here. Thank you.

And then before I begin, just a brief housekeeping note. For important disclosures, please see the Morgan Stanley research disclosures website at www.morganstanley.com/researchdisclosures.

With that, Josh, maybe first question for you. Identity Security continues to be a top priority for CIOs and CISOs for many years now. But for some reason, over 80% of cyber attacks are still related to identity, in some ways. So why do you think that is? And what do you think CIOs and CISOs need to do to beef up their Identity Security posture? And how is CyberArk helping to do that in a differentiated way?

Yes. Thanks, Hamza. And again, it's really great to be here today and -- and actually, you said over 80%. Actually, we've done surveys that show it's well over 90%, even over 95% that all cyber attacks are some former fashion, are going after the credentials within the organization. And we basically say, all roads in cyber attack lead to identities. And I think CISOs and certainly enterprises are seeing that. And essentially, what they're -- the reason why that, that's become so proficient is because it's the credentials that basically, once you compromise those, then you have access to what the bad actors are trying to get to. Whether it's personal identifiable permission, whether it's the IP or whether it's to wreak havoc in their IT, or even to bring down the entire IT system. It's going to be through a credential. And basically, it's not through the first credential necessarily that they're actually compromising. It might be over quarters or over several months of moving from credential to credential, escalating their privileges through the organization. And so what CyberArk has done, and we've done this from the beginning of time is basically really try to push that you need to block the attack chain of bad actors moving from credential to credential within the organization. And I think what differentiates CyberArk today, when we think about Identity Security, is that we think about identity management is not security. And you actually have to now secure the process that identities are being managed within the organization and not -- and that basically where one time it was just around a group of privileged IT administrators. That group has now proliferated to developers. It's proliferated to workforce. And also as well, machine identities as well also to nonhuman identities. And what differentiates CyberArk is the fact that we actually do all of those credentials, whether it's the privileged administrators, whether it's the workforce, whether it's developers and whether it's machine identity. It's all on an integrated platform. And that allows the CISO and enterprise to really have a single pane of glass of what's going on for all their credentials. And also really be able to manage the level of access that each of those credentials have because you don't want to give the same level of control to a developer that you would have to an IT administrator or maybe to just Josh Siegel at the workforce level. And certainly, it's going to be different as well from machine identities. So CyberArk has been successful over time to continuously really develop that out because of our expertise in security and be kind of ahead of the attackers in that game.

Yes. It's a good segue into the next question. Maybe I'll throw this to you, Erica. There's been a lot of debate about platformization and best-of-breed lately. I'm curious with CyberArk, you've obviously had really strong growth, over 35% ARR growth for the last several quarters. You're about 5 quarters away from $1 billion ARR. I think, Matt, this most recent earnings call, talked a lot about how you're really doubling down on this platform strategy. To Josh's point, not just for the IT admin, but for machines, for developers and then broader workforce users. Do you think there's value in having a cohesive platform in identity? And what drives that value versus having maybe disparate point products in each of those domains?

Absolutely, Hamza. Like if you think about our Identity Security platform story, there is so much value in having across each of the disciplines, from workforce to privileged, all the way to identity management. And I think across that, it's really the fact that you're able to secure the identity holistically, exactly what Josh just talked about from the workforce perspective, to the IT perspective to the developer into the machine. Those personas have proliferated across the organizations that we're selling to. And those personas need different levels of privileged controls they also need intelligent controls that can be adapted to exactly what the user is doing. And with a platform strategy, you're able to actually accommodate those level of security controls in a way that's very unique as opposed to selling disparate solutions or point solutions because you have more visibility across what the user is doing to be able to do things like step up authentication or things like secure web sessions where you're actually monitoring a session of a general workforce user, in a way that's very unique to that user, which you can't do if you're just selling a point solution. So we believe that you have to have identity across the platform.

Got it. Got it. And then maybe just keying in on Privileged Access Management, which I believe is still around 60% or so of your ARR. There's this concept that every user within the organization should be a privileged user in some way to provide that best sort of the optimal identity security. What do you think is the penetration rate just for the PAM product alone?

Yes. I mean we've been selling PAM -- actually CyberArk led and built the market on Privileged Access Management over 20 years ago. And when we look at our business today, probably 85% of our customers have Privileged Access Management, even kind of from its original purpose of let's secure and lock down administrator session, rotate their passwords and know everything what's going on for those privileged users. But over time, we continue to expand that market for those same privilege. Like who is even a privileged administrator? And today, those have moved into database administrators, cloud operations. And so now you have IT administrators or database administrators, who have standing Privileged Access Management, but they may also now move into have just-in-time management for federated access to their cloud access.

And then one thing just to qualify around that 85%. We estimate that only about 50% of the privileged users within that organization are actually being secured today. So within that 85% of customers, we believe that we have a lot of opportunity to expand and add additional traditional users. And you see that in our results. So the reason why we're still at 55% of our ARR coming from PAM is because there's such a tremendous opportunity to expand within that customer base. And so we've taken a traditional land-and-expand model even within that 85% of the customers that have had a starting point with a small footprint of their PAM users.

Got it. When I think about CyberArk over the last couple of years, I think one word comes to mind, it's transformation, right? There's the transformation of the product suite towards cloud and SaaS, and then transformation to go-to-market. Maybe starting from the product side. How do you think having a more robust SaaS portfolio has allowed you to go after customers that you previously weren't?

Yes. I mean I'll start and maybe, Erica, if you want to add. But I think first and foremost, it's allowed us to really stay with our current enterprise customers who are on their own digital transformation to the cloud. And so we've had a number of those be able to say, okay, we either want to move our PAM and with CyberArk to our Privilege Cloud, or the new identity management tools that we want to bring in-house will be your SaaS tools because we want that holistic approach for identity security across a single platform. I think the other place that has really helped benefit for our growth is going over the last several years, is that we've been able to move. Obviously, more down market, where smaller and what we call the corporate enterprise of $500 million to $1.5 billion of revenues where they typically now are only looking at cloud-based solutions, and we've been able to make very strong inroads there and progress. Erica?

Yes. The other thing I would just add on to that is the velocity of the add-on, right? So we're seeing much faster where, as I talked about the fact that customers land with a small number of their users, that's pretty much across the portfolio, right? So if you look across each one of our solutions, even though more customers are landing with more of the platform today, they're actually adding on much quicker than they would have when we were a perpetual license model. And so we're seeing that velocity of the add-on and also the cross-sell. So we're really excited about the fact that we can see that translate into our strong ARR growth. And we're just getting started there. And I think one of the intents this year is to invest on being more programmatic in that cross-sell motion.

Yes. And speaking of which, your go-to-market has evolved in many ways, too. It's not just for traditional resellers, but you're also leveraging MSSPs, marketplace. Can you talk a little bit about that? How that's giving you more leverage and expanding and broadening your customer base?

Yes. I think that some of the key things that we've been really successful with over the last several years on broadening out our channel, we've always been a channel company where well over 80% of our business is through channels and influenced by channels. But I think some of the key areas over the last several years is, one is around system integrators and advisory firms. We've built and invested a lot of effort and time in training those system advisors, the advisory firms, then building out their own businesses around CyberArk as well. And that's been extremely beneficial for us as we go into -- not just for the enterprise but as we go and expand our platform because that's really where their expertise is. I think the other area we -- Erica mentioned it, selling through MSSPs and MSPs, has really allowed us to broaden our new logo approach. And also to be able to go not just down market where kind of the natural space for MSPs are, but we're also finding that large enterprises as well are starting to use MSPs as their security providers. And that's not just about developing the channel. That's also kind of working on our product as well to make sure that, that's very much something that the MSPs will want to be using. And I think the third area that's been incremental and strong for us in the last few years is how we've developed out marketplace specifically around AWS. And that's really allowed us to get new budget dollars for enterprises that have very close relationships with AWS and credits there. And that's been another entree to first of all, building out our overall partner market, but also a new entree for new customers that we may not have seen before.

Maybe just stepping back a little bit on just the broader spending backdrop. So you had ransomware attacks were up 70% last year. You had significant breaches like MGM, Clorox, new SEC regulations. Although maybe some of the cyber security companies have reported besides you, I think it's been a little bit mixed. So what are you seeing in terms of cyber demand broadly and as it relates to you guys?

Yes. So we've been seeing, and you saw it in our fourth quarter results, really strong demand across the board. So we think it's partially because of the prioritization of identity and where we sit in the stack. Really, from a customer perspective, they recognize that identity security is mission-critical. And the demand environment has been very strong for us. Even throughout, there was the economic downturn that we kind of saw for late 2022 into the first half of 2023. Demand for our solutions persisted throughout that time frame, and everything seemed to firm up in Q3 and Q4 from a macro perspective and the brand environment coming into this year remains very strong for us. So we just haven't seen the same noise that other vendors have seen.

Got it. And then zoning in on the MGM attack specifically, that was an identity-related attack involving one of your vendors as well. I'm curious after that event in September, did that increase awareness of TAM and for CyberArk products in any way?

I think all of -- MGM and all of the attacks that we're reading about. And it goes really back to your first question, right? You said over 80%. We have surveys talking about over 90% of attacks are credential-based. And I think that clearly having breaches in the front page and things that are like that, adds to tailwind and adds to market demand. And it shows how high the threat environment is for the enterprise and that everybody is vulnerable. So we don't really see these types of breaches as kind of the next day being a surge of purchase orders, so to speak, or necessarily even a surge of overnight pipeline growth. But absolutely, we see the fact, it goes to the threat environment. And the threat environment is very high based on actual breaches, but it's also very high because of the discussion going on in the board room, whether it's for SEC regulations, whether it's for privacy regulations and the like. And -- so that -- from that perspective, it just raises the discussion not just at the -- even at the IT level, but across the C-suite level and at the Board level.

Maybe shifting on the SEC regulation. So for context, starting in December 2023, public companies now have to comply with new cybersecurity disclosure mandates, including reporting a material breach within 4 days. Josh, as a CFO, one of your jobs is risk management, right, for your organization. So I'm curious, when you talk to CFOs and Boards, how are they thinking about cybersecurity in the context of this new regulation?

Yes. I mean people are scared. Like CFOs, I mean, basically are -- this is a top item on their agenda to ensure that as they help manage their Board, and bring the right topics in front of their Board, this is -- this now becomes -- it always was an important topic. But now, this is something that even the Board is going to the CFO and say, "Hey, what are we doing about this? Do we -- what things do we need to be thinking about?" And so it's kind of -- I think most CFOs have always brought cybersecurity to the forefront, but now it's got the backing of the entire SEC. And I think that, again, this by itself is not the demand generator for cybersecurity, but it absolutely creates a very high level discussion at really the decision-maker's point of view. And we take it really seriously. It actually now takes a pretty significant amount of time also at the Board level to ensure that they're doing the right governance on what is their enterprise doing related to cybersecurity.

And then just to kind of double-click there on what it means for CyberArk. If you think about it from an identity perspective, you need to secure all roads like Josh said at the beginning, lead to identity in cyber attacks. And so it really -- we've talked a lot about the fact that, our solutions have stayed at the top of the priority list. They've stayed at the top of the priority list because of the fact that there's regulations like this that are coming forward. There's things like GDPR, which seems to have been forgotten long ago. But it's still a tailwind that impacts our business because you have to actually secure the identities to actually be able to say that, "Hey, we're doing a best effort to make sure that our environment is actually protected." And our solutions help them be able to give that message when push comes to shove when these regulations come to bear.

The other tailwind, if you will, has been cyber insurance. Nowadays cyber insurers requiring, as part of the underwriting criteria, that companies have some sort of Privileged Access Management capability in place. I'm curious how that has been driving pipeline? Is that something that you see inflecting in any way?

Yes. I think where it's driven pipeline, first and foremost, is kind of in the smaller enterprise because those are organizations that necessarily we're not putting cybersecurity at the top of the list. It may not even have had the most basic protocols in place. If you think about large enterprises, where cyber insurance is going is they really want to check the box that you have the low-hanging fruit of cyber protocols across your organization, not just that you bought them, but that you're actually using them. And somebody as a company who buys, we have to also buy cyber insurance. So we see their due diligence processes and absolutely they're asking about what are you doing around identity management? What are you doing around your privileged users? And they're actually very specific and prescriptive of what you need to do in order for them to even qualify you as a potential recipient of the insurance. And so again, I think as we've been kind of talking about, it clearly has been -- in that case, it could be a generator if somebody wants to renew their insurance and they actually don't have some of the basic program in place, then they come to us and they say, "Hey, we need to have this". But for the most part, it's kind of a long tail of all enterprises need to know in order to run their business and to be properly ensured that they're going to have to create a very holistic strategy across our cybersecurity. So that even if they have it in place that they'll be able to renew it because on every renewal, they're going through the same exercise of, "Well, show us how you progress from last year to this year to know that we've lowered our risk with you," because they're just seeing the threat environment skyrocketing. And they want to constantly manage their risk profile against where the threat environment is going.

Erica, maybe going back to the multi-product traction. Can you remind us what percentage of customers or ARR are using multiple products with you? And I believe there's 3 main pillars for that. There's the Access Management; there's the EPM, the Endpoint Privilege Manager; and then there's the DevSecOps, Secrets Management portfolio. So maybe if you could contextualize how many customers are using multiple products? And then how much do each of those pillars make up as a percentage of ARR?

Yes. It's a great question. And I think this is an important discussion that we're going to have more and more this year, right? Because that cross-sell motion is something that we're really investing in, and we want to make sure that customers are taking advantage or having more security controls around all of those identities that you just talked to. And so Josh mentioned earlier that about 85% of our customers have PAM and that there's a lot of room to expand there. If you think about the Secrets Management business, it's in about 30% of our customer base. But that includes both the traditional applications to on-premise applications and the Conjur or the more modern applications. So you should think about that as being more like -- of that 30%. Half and half would be using the traditional applications and the modern applications. And then when you go into Endpoint Privilege Manager, that's in about 20% or 25% of our customers. Access is in 10% and then you have about the single digits for Identity Management and what we're -- our secure cloud access today. And so there's lots of room to expand across that customer base, of those 8700 customers that we have today within those various product pillars or solution pillars. When you think about the ARR representation there, it's about 55% coming from PAM, about 20% of our ARR coming from endpoint, about 15% coming from access. And then the last 10% is coming from that Secrets Management business. And those are rough approximations in terms of the percent of the subscription ARR. When you think about the customers landing with 2 or more solutions, we're seeing more than 50% of new logos typically now land with more than 2 products or two or more products, I should say. And we expect that to continue to increase as we look ahead that more customers are going to take more of our platform as we move through this cross-sell motion and the platform strategy.

And is there any one particular product area today that is driving more incremental growth for CyberArk?

So if you look in the back part of the year, we really saw access do incredibly well. Endpoint Privilege Manager has been a very nice workhorse for us for a number of years now, and we continue to see that as a solution that every one of our customers can have and certainly should be in every one of our customers. Right now, it's only in about 20% or 25%. So our expectation is that those 2 solutions should, going into this year, do incredibly well. And then when you look at what we're doing around Secrets Management, we introduced Conjur Cloud in AWS Secrets Hub as 2 areas where we think there's a lot of expand opportunity. Conjur Cloud is very new. It was just introduced in the back half of last year. And so that will take some time to ramp, but we are seeing really nice pipeline. And then I would be remiss if I didn't talk about Secure Cloud Access because it's the solution that we're most excited about. It's a very small percent of our overall business. But when you think about that, the developer persona -- the developer within an enterprise, it's growing at an exponential rate. And there haven't been security controls around that developer. Think of secure cloud access as PAM for the cloud. So it's a motion that we understand, and it's an area that the CECL absolutely has to take a look at and make sure that, that developer is being secure when they're accessing cloud workloads. And we believe and our pipeline suggests that we have a great opportunity for secure cloud access, and we're very excited about that as an expand motion as well.

Just drilling on the access management side. There's been a lot of consolidation in that space from private equity and whatnot. Has that changed the competitive landscape at all for you? And has that been helping at all in terms of the pipeline? .

So I think if you think about the workforce identity, we absolutely are seeing a lot of opportunity there. And we've engaged with and really started to step up our marketing and sales channel. We think that their -- from a security perspective, if you think about things like Super Web Sessions and things like Workforce Password Management, we're very differentiated in the market. And -- but we are taking that holistic approach from a platform perspective.

Got it. Josh, shifting back to you. So you mentioned CyberArk, very strong growth over the last few years. Throughout your subscription transition, you're now 4 or 5 quarters away from $1 billion in ARR. At this point now, about over 90% of your new business has move to the SaaS and subscription product. The majority of your revenue base is recurring. By your guidance, you now have to add around $200 million in net new ARR. I'm curious, as we go forward beyond the transition, what continues to drive 25% plus growth for CyberArk now?

Yes. I think it's -- it's coming from 2 sides. One is, first of all, what we've been talking about for the last 30 minutes. It's just the threat environment is going through the roof. The demand environment remains robust, and we talked -- and the need and the focus around identity security clearly remains as a top 3 priority when we think about different cybersecurity strategies. And then I think about it from the CyberArk perspective, and we also have talked about that over the last 20 minutes around the fact that we keep expanding our platform to get more market within an enterprise. So it's no longer where we were 10 years ago, where it was really focused around just the IT administrators and around application credentials. And we've moved that across now to now the developers, the personas and the developers across the entire workforce. And again, it's not really just around workforce for kind of more commoditized Single Sign-On and Multi-Factor. It's really around how do you secure all those personas through lots of product that you need to have above and beyond the Single Sign-On multi factor, which really just manages them. And we talk about secure web sessions and password management. So when we think about kind of our -- the new pieces of our platform over the last 12 to 36 months that we kind of have developed so that an enterprise can look at us across their entire organization for human and for nonhuman users. As we adapt to where they're going in their transformation, and then you combine that with the pipeline, with the record pipeline growth that we've had over several years, including 2023. We see -- we add that to how we've developed out our partners who are becoming a stronger and stronger organic boost to how we're hitting the marketplace, whether it's through our advisory firms or whether it's through our resellers or whether it's through marketplace. And we're really confident on the growth projections.

And I think, Josh, you touched on something super important, which is us reimagining what it is to secure the workforce. If you think about something like a secure browser, which we're introducing now as we speak, the -- that's another security element that's really important. It's to be -- make sure that you don't have things like session high jacking, that you can't steal cookies, that the actual session is protected. Everybody is accessing cloud applications today, in order to get access to their resources within the enterprise. And by introducing something like secure browser, that's another really important layer of security but it's all part of our holistic approach to reimagining how an actual workforce user is secured. And that's something that I think we should just continue to remind everyone that we are really thinking about this differently, not the way that you're traditionally looking at it from an MFA or Single Sign-On perspective. This is about holistic security controls around that workforce user.

And we're just at the beginning of that journey.

The phrase renewal tsunami was used on your last earnings call, a good phrase. You have about 2-year average contract durations, you started selling SaaS as a subscription products about 2 or 3 years ago. So that tsunami, if you will, is coming up now. I'm curious, what do the upsell rates look like so far?

Yes. So we're really at the beginning stages of the renewal cycle, which is an important renewal cycle. And I think we've put in place mechanisms to really make sure we're getting in front of those customers from an upsell perspective. I think the other thing, it does give us -- now I know you're going to ask or I suspect you're going to ask a couple of questions around our ability to convert those customers as well. I think we're likely not going to see a major inflection in that conversion activity this year, but it does give us an opportunity to sell additional products within the base. And we are seeing that. Even the customers that have the traditional perpetual maintenance or on-prem subscription, they're buying more and more of our SaaS portfolio. And when you look out into the back half of the year, the vast majority of our pipeline is actually coming from SaaS, and that's a lot of add-on opportunities but also a lot of new customers. And so part of that is that cross-sell motion because we have more opportunities when those customers come up for renewal to get into that base, and actually be able to cross-sell those products and solutions.

One quick follow-up to that and then I'll open up to the audience. Just on the maintenance of SaaS that you referenced. I think you've talked about how converting the maintenance to SaaS has been about a 3x uplift. It's not obviously a big sample size yet, and it's been driving low single-digit percentage of your ARR growth. Do you foresee that upticking at all this year or in the coming years?

So we think it will be still a single-digit percent of the growth this year. I do think when you look out in the future years, you're likely going to see that increase. I think the important thing for us has always been to go with our customers on their journey to SaaS, meaning you could do 2 steps. You could take the customer from maintenance, perpetual maintenance, to an on-prem subscription. Or you could do the one-step journey, which is from maintenance all the way to the SaaS. And much of that base that you're looking at, that roughly $200 million of ARR, are in very highly regulated industries. And so they have a path to get to putting their vaults in the cloud, but it's not a pathway that -- or a strategy that's going to necessarily get them this year or next year. It's over a longer time horizon. And from our perspective, as long as those customers are adding on our SaaS solutions, and they're not stagnant customers that aren't active on CyberArk, we're fine keeping that base of maintenance and going on that journey to get the 3x with them. Because oftentimes, they are consuming more and more of our solutions. And so we're getting the growth with those customers, they are becoming more secure. We're a more integrated part of their overall security platform and fabric, so we're stickier. And so we'd rather do that as part of their journey to try to force convert them or do something unnatural at this point.

It's a CyberArk way.

Do we have a question here? Can you wait for the mic? Sorry.

Can you talk a little bit more about the competitive environment? In particular, you talked about the importance of identity platform, how Single Sign-On and MFA is not adequate. In particular, Okta, could you talk about Okta?

So obviously, when we think about our competitive environment, we -- on the access front and for the workforce, we obviously see Okta. There -- that's where they're coming from. And the way we look at it is that we're actually -- and Erica talked about it is this notion of being able to think about the whole workforce and having, it's not about managing the workforce and it's really about applying a security-first approach to how we secure those identities. And by the way, those identities across the entire workforce need different level of controls depending on what they're doing. And that's something that CyberArk has brought to the table. And so as we look at all of our enterprises, certainly in-house on the upsell side, and we just finished talking about the cross-sell. That's where we compete very strongly with any of the other access players because these are enterprises that already understand the importance of having different levels of controls for all the identities and also, how important it is to -- for identity security. As we go to new customers, what's been really successful for us is basically things and we talked about the MGM Grand, and we talked about where the threat environment is. And actually, enterprises are coming to us and saying, "What we thought was okay, is no longer okay." And so our goal is not to necessarily go up against an Okta and replace them for Single Sign-On and Multi-Factor across the board because that's not going to be the play for us. The play for us is going to these enterprises who are now inbounding to us and saying, "Hey, we need to think about this differently". Not only do I need to manage these identities, but I also need to understand that we're securing them and that the vendor of choice is going to be a security-first vendor of choice. And I'll be able to then move across my entire organization, whether it's also for the administers. But then let's not forget, there's a lot of nonhuman credentials and securities there, which Okta doesn't play with at all. And then they see things that where CyberArk coming out and Erica referred to our Secure Cloud Access, that's really -- and it's PAM for the cloud. And that's really kind of going up to say, "Hey, we're not just about what's going on the sell posted, and we're not just about what's going on with the administrators. We're going about also where is your enterprise going and where are the attackers going?" And to be able to say, "Developers and workforce need to have different levels of control so that the management doesn't get in the way," the controls don't get in the way, but there's still a security-first type of a solution. And so far, we're seeing and we talked about it the last 6 months, really a lot of growth, not just on the pipeline side, but also turning that pipeline into revenue and into ARR and our access piece of the ARR growth is one of our fastest growing.

We got one more question.

Josh, how do you set pricing or look at the market size for the nonhuman side of the business now that evolves? What's the size of that? That seems to be becoming more and more of an issue, especially with AI and all these apps getting abilities to do a lot more things then they ever did in the past?

Yes, it definitely is. It's a huge area of growth. And if you think about the nonhuman side, we estimate that for every human identity, there's about 45 application or machine identities. And so there's a massive amount of growth for us in that market. We're really looking at the pricing as per environment. So if you think about like an AWS environment or an on-prem environment, we're kind of pricing our solution per environment, which has worked out really well for us, which is a little bit of a differentiated approach in the market than what you see from other Secrets Management Solutions that may be out there. But the growth in that has been with the business, so we're really happy there.

All right. Great. I think we're just about out of time now. Josh, Erica, thank you so much for your time, and thank you, everyone, for joining us.

Thank you.