CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary
June 5, 2024
Earnings Call Speaker Segments
Unknown Analyst
analyst: I'm honored today to host CyberArk. We have Erica and Clarence. It should be a great discussion.
Unknown Analyst
analyst: And if we reflect just on this past earnings season across software, it's been a pretty difficult, challenging season for a lot of companies, but there's been 2 standouts, you guys and CrowdStrike. And I guess I just want -- would love to hear what's driving such incredible performance from the CyberArk perspective?
Erica Smith
executive: Yes. So I think as you think about our overall growth, we're very excited about our platform selling motion. And so there's that really great land opportunity for us not only in Privileged Access, which has always been our bread and butter, but also across the broader Identity Security platform. And consistently, we've been signing about 200 new logos in any given quarter, and that's really helped drive and fuel the growth over a longer time horizon. But then we also have a really strong expand motion. So our ability to be able to cross-sell and upsell across the [ beast ], across the product portfolio has really been very powerful as well. A lot of that has been driven by the tailwinds that we have in our industry, because at the end of the day, all roads in cybersecurity do lead to identity. And so when you kind of combine that with our really great execution, it's been driving that growth that you've seen. So our ARR has been very powerful. If you look at that subscription ARR line, it's still growing north of 50%, and I think our expectations are -- is that we should be able to continue to have very healthy growth here.
Unknown Analyst
analyst: Maybe let's take a step backwards and talk about platformization in cybersecurity. I mean 2 quarters ago, right, Palo Alto came out with this, their definition of platformization, I think it's been [indiscernible] since then. But if you look across Identity, Identity has been a little bit slower to get to that platform motion. So maybe could you talk about why that's been the case in Identity specifically and especially over the last year, how you guys have really transformed into being that more a platform identity player?
Clarence Hinton
executive: I think I can start with that. So if you go back to traditionally how Identity has been set up with Identity Access Management, you have the silos of Privileged Access Management and Identity Management became IGA. In traditional legacy environments, you can kind of get away with that separation in terms of the actual capabilities. But as you move into more modern and more cloud-friendly, cloud-forward environments, the laws of separation become a little bit blurrier, right? And so I think that's what we're starting to see in terms of actually having to deliver real security capabilities across all identity types and to bring all -- each of the disciplines to bear across the different identity types in a different environment. So for us, what we're really starting to see is, as Identity really becomes the focal point of security for the attackers and therefore also of the defenders, vendor like us coming to the forefront in delivering real security capabilities, the right level of privileges across each of the identity types is really starting to resonate in a very, very meaningful way. So I think that is a change here. That's what's driving a bit of the convergence, obviously, the consolidation of trust on the Identity side, because before, again, there were different silos and you thought about each of them differently and you thought about management of access and management of the -- in governance of the identities and it wasn't -- it hasn't been until fairly recently, there's this broad-based thinking that you have to actually secure identities of all types, from Privileged within IT to the developers, to the broader workforce, external workers and contractors and, of course, the whole entire suite of nonhuman identity. So that's what we're seeing.
Unknown Analyst
analyst: And maybe if we just stay in Privileged Identity, how has that definition expanded and changed, especially as we've come through digitalization and then really moved to the cloud? Is everyone considered a privileged user these days? And how do you think that that's expanded your opportunity to continue to grow in that market as well?
Clarence Hinton
executive: Yes. So if you go back to that context, that's a lot of what we saw when we were focused more exclusively on PAM is it -- you had this long tail of human and then even nonhuman identities that under certain substances could be privileged. And even if the users themselves didn't understand that, the attackers for sure understood it. And so therefore, you have this massive attack surface. And the only way to effectively secure that is to provide our principles to a broader set of identities. Now again, you're not going to be able to vault and rotate and record every single user. So you need different types of privileged controls, which is what we start to develop organically and inorganically with adaptive and the like. But that's the mindset that it really takes to protect this broad range. But what I'll say is, interestingly, as we go to market and go to customers with this broader Identity Security approach solution set and vision, oftentimes, the customers will come back and say, yes, we're all in. But we have to finish the job that we started with traditional PAM, because to your point, there are actually more identities out there that have very, very high levels of privilege, especially when you look to new environments like cloud environments, where you have tens of thousands of unique entitlements, whatever. So is this off now? Very good. All right. So sorry for making everybody deaf here, where it was worse listening. So I'm going to go through all that again. I won't go through all that again. So -- but when you think about cloud environment, for example, where you have tens of thousands of unique entitlements, many of which are extremely powerful, you therefore have all the admins, the developers, the cloud engineers, the cloud architects. They're now part of this privileged set where they wouldn't have been years back with a more traditional enterprise IT environment. So we are seeing -- again, more broadly speaking, everyone can be privileged.
And then even with the classic definition of privilege, there are a bigger set of identities that fall into that as well. I don't know if that...
Unknown Analyst
analyst: When you go into a new customer, do they know how many privileged identities they have? Or is that something that you kind of awaken them to you to say, okay, this is your existing group that you thought were traditional privileged, but actually, here's the scope of what privileged identity should look like for your organization?
Clarence Hinton
executive: I'd say that broadly speaking, no one really knows the exact number. They have -- some customers have better directional sets than others. When you're talking about the discrete humans, it's easier. But when you start getting into the -- again, this is the blur of highly privileged nonhuman accounts. But for example, service accounts, which we -- that are nonhuman identities, which we protected for a long time with our PAM solutions, those can be more difficult to discover. So I think there's a lot more uncertainty there. But when it comes to the -- identifying the specific users, they have a good sense for traditional like domain admins, AD admin, et cetera. But when we talk about some of the things we're just mentioning like cloud architects and engineers, developers, when it starts to get gray, that's where there's much -- is a greater degree of uncertainty. And of course, with the nonhuman identities, it's really largely unknown for many categories.
Erica Smith
executive: And I think one of the things that we do do is we work with our customers to help them identify who those privileged users are either on the human side or the nonhuman side. And one of the reasons why we've consistently had such a strong add-on business is because of that expansion and our ability to work with those customers to programmatically at the initial engagement, how they roll out a program. So they can say, okay, we're starting to identify where our human users are and then where those nonhuman users are, and we can help them map what will be the most critical to start with and then expand beyond over a period of time.
Unknown Analyst
analyst: And maybe, Erica, if you could just go a little bit deeper into that, because I think this is a really interesting point and a good growth driver for CyberArk. If we think about core PAM, right? A big misconception is that you're penetrated broadly in the market. So what's really the opportunity left? But I'd love to hear how you guys attack this PAM deployment throughout the organization and what that tail is for growth?
Erica Smith
executive: Yes. So it's one of the things that I think has always been mischaracterized about CyberArk and CyberArk's growth potential, is that PAM initially was seen as being a relatively small market in that, that expand motion was eventually not going to be as strong as we've seen. But consistently, when we look across our base, there are more users and also the customers themselves are growing and expanding. So they're looking to have more and more security controls. And so one of the ways that we go in is oftentimes we define a specific set of users that need to be secured first. Oftentimes, it's those that have closest access to domain controllers, and then they'll expand beyond that to different types of users that are actually privileged. And so that expand motion, if you think about our business, roughly 30% of our ARR typically comes from new customers. The additional 70% comes from add-on. And a lot of that growth does come from privilege. And when you think about that subscription ARR base that we have, it's about still 55% coming from PAM. And that PAM growth rate is -- you look across those lines, they're all growing 50%, right? They kind of -- the business has all been growing in step with each other. And that just shows the power of that expand motion because a lot of that is coming from expand.
Unknown Analyst
analyst: Great. And maybe we'll take a different direction and talk about those other products outside of core PAM, because I think a really smart way that CyberArk grows its business is by going into really hot cybersecurity markets, but in a very complementary way. What I mean is we see them in cloud security, right, but you're not competing with Wiz. We see you in endpoint security, but you're not competing directly with CrowdStrike. So can you talk about the markets that you play in with your identity products and the strategy behind that?
Clarence Hinton
executive: So I'll start with the strategic approach. And one thing that separates us from others that have been in the Identity Access Management more broadly speaking for a while is that we really do focus on this thing like an attacker mindset. So where the attack is now, where they're going next. That drives our strategy, drives our road map, and it drives our prioritization. So as you go through those innovations, think example for, well, why did we go into secrets management with Conjur, is because we saw that developers as they're building out applications where when we build in connections to databases and identity stores, well, you need credentials any passwords. So they're hard coding them into the actual lab because, of course, that's a huge security risk. So we go out and it's taking a very, very similar approach that we do in PAM, bringing it to secrets management. We're abstracting that, broking the assets, et cetera. When you think about the endpoint and least privilege at the endpoint, again, we have local admin access, right? This is extremely powerful access, we're giving to end users who don't really need it, don't really know they have it. But every single attacker knows exactly what to do with the access. So you think about putting least privilege at the endpoint, taking away admin rights and only escalate as needed for things like adding printers and things like that. You continue on to, as you mentioned, with cloud. Well, with cloud, you have the access to the consoles. You don't need standing access to the console. And again, this is very PAM like, highly privileged access, but it's a different type of access. You want dynamic, just in time, 0 standing access to the cloud consoles is more appropriate. And you look at securing the workloads and the infrastructure behind the cloud, again, is dynamic, just-in-time access and security.
So for us, it's always thinking about what the next attack surface is that the attackers will go after and then the most effective and appropriate way for us to apply privileged controls to it. And getting that focus, that's why you see us going to these markets, and we're not stomping on ground is being tread by others because we're not going through and just checking boxes on different markets. We're not going and chasing TAM. We give you updates on TAM because it's needed as appropriate, but we're going after the most important security problems as we see it, as we look to secure the entirety of the identity vector with the appropriate privilege controls.
Unknown Analyst
analyst: And maybe if you could just talk a little bit, too, around your technical moat that you have in these markets as well. And what makes customers come to CyberArk for these solutions?
Erica Smith
executive: Yes. So I think as you think about customers coming to CyberArk, to our solutions, it really does stem from the fact that we're the leader in the space, right? And exactly what Clarence has been talking about that we are really kind of going after that -- those attack vectors that are most critical to the customers. And so when you look at privileged access specifically, it's always been CyberArk, you're the leader, you can't go wrong going with CyberArk, right? We have the broadest solution. We have the solution that covers the most use cases. And then when we went into kind of the access or the single sign-on MFA market, it was never about trying to just go head-to-head with other players in the market. It was about taking our unique approach and applying those privileged controls and taking that security-first notion. And one of the beautiful things that we talk about, Clarence has mentioned it, is our ability to wrap those controls even around other vendor solutions when you think about single sign on MFA. So there is another vendor that has a SaaS solution out there. We can just take our controls and wrap them around and then keep create a beachhead for us to expand at a future date. More and more, we're seeing that competitive position really be driven by the fact that customers want to have that consolidation of trust. So they're looking for fewer vendors when it comes to that identity stack, and we're the ones that can secure the most use cases. And if you think about our move going into Venafi, that acquisition was and is another opportunity where they're looking to us to actually be able to secure those nonhuman or machine identities beyond what we're doing in secrets management, and we really will have that opportunity. But it will be the breadth of that offering that will create a really great competitive advantage for us in the broader identity security market.
Unknown Analyst
analyst: And then I definitely want to talk about the acquisition because I think it's a really important strategic path for you to be on. But I guess before that, too, as you think about becoming this broader identity platform and having products outside of core PAM, are you starting to see customers come to you for those different use cases at the initial landing spot?
Erica Smith
executive: I'll start with kind of the land on some of the additional solutions and then certainly add in there, Clarence. But I think, yes, what we are seeing is -- if you look at the lands, we still see a lot of our customers, about 85% of our customers land with our traditional solution for the IT persona, right, so Privileged Access. We have about 10% of the customers that will land with the endpoint solution. And then the other 5% tends to land with the workforce identity or single sign on and MFA solutions or the ancillary products that have privileged controls surrounding that. But what we also are seeing is that increasingly about 50% of those customers that land -- even more than 50% that land with our Privileged Access solution are taking 2 or more solutions along with that. So it's not just a land with PAM anymore, it's a much more -- it's a much broader landing spot across the portfolio. And I think that's an important distinction. It's one of the reasons when we went through last year and we were a bit consistent in our net new logos at about 200 per quarter, we actually saw that new logo land the dollars coming to us increased meaningfully throughout the year last year. And it's because they're landing with more and more of our portfolio. And again, it comes back to the consolidation of trust, people wanting to buy from CyberArk and believing that we can give them the security controls they need in the face of the attack vectors that they're facing.
Unknown Analyst
analyst: And when you go in, if you think about vendor consolidation, right, we heard CrowdStrike earlier this morning say for every dollar you spend with CrowdStrike, you save $6 from all the vendors we consolidate. But again, Identity is a little bit of a different beast, right? So are you coming in and consolidating other vendors? Or is it truly just more of a greenfield opportunity because there really is not as much in terms of legacy vendors in these new areas in the market like cloud security, right, and like secrets management?
Clarence Hinton
executive: Yes. I can start with that. And so the way we're thinking about consolidation of trust is as we all know, you're the typical enterprise, you have 70, 80, 100-plus discrete security ISVs that they're really dealing with, they're managing. And they're still unaddressed security concerns and questions. The last thing they want to do is go out and add another 1 to 2 dozen vendors to the mix to solve all these problems. So that's the first aspect of it. But also, this is an area where you can't check boxes with security, not if you're serious about it. So all of our customers want best of breed, but they wanted as much of that best of breed -- talking about a best of suite as it can from the most credible vendor. So for us, we're increasingly seeing our customers come to us and even encourage us to get into new areas and say, well, could you also solve this problem for us? And of course, tell me -- let me make sure I understand everything that's in your portfolio, so we can evaluate it closely, because you developed this incumbent type position as they look to expand their footprint. Oftentimes, that does mean displacing an existing tool that they may have. Oftentimes it does. Sometimes it doesn't. It just means you have first right of offer refusal whatever you may call it, legal sense, when it comes to them adding new capabilities. So that's really how we see it from our perspective. So yes, there's greenfield for the new capabilities, and we feel we're strongly positioned. We're also replacing and effectively consolidating vendors as well, both existing more established vendors and also some of the start-ups that at times can be marginalized when customers are going to consolidate a bit.
Unknown Analyst
analyst: Sure. And then maybe now we will focus on Venafi, really exciting acquisition. I guess high level, easy question, why machine identity and why now?
Clarence Hinton
executive: Sure. I'll start and at this point, Erica and I will both go through this. But just to frame how we think about nonhuman identities, and again, I talked about some of this, but when I had a bad mic as well. But you start with the service accounts. There's a smaller number of identity. So we give this 40x or whatever. You've heard 40, 50x nonhuman to human ratio. That's a smaller set of identities. It's not diving into that, but very, very important, very powerful identities. But again, we've protected for quite some time with our core pillars access. So we're not new to nonhuman or machine identity. Then we move to, as I mentioned, secrets, a larger number here, and I described what those were before in terms of secreting code. We've done that with Conjur. Now again, these are places that attackers were going. And we start to look at where attackers are spending more of their attention. They're starting to capture, gather, steal these certificates associated with endpoints. So think laptops, desktops, servers, physical and virtual and use those to do what they always do, move laterally, escalate, et cetera, until they get to their desired endpoint. So for us, it's very, very important to start to protect this set of nonhuman identities and the numbers start to get quite large. What's particularly exciting about Venafi, not only did they effectively create that category, but they've also invested heavily in the more modern infrastructure. So when you think about containerized environments, you're looking at an order of magnitude greater number of nonhuman identities. If you think about the Kubernetes containers, et cetera, with their TLS Protect Kubernetes, you think about the north-south traffic certificate life cycle management Internet to the cluster to handle that as well as the east to west effectively serving as -- with Firefly serving as a certificate authority for the Kubernetes environment for the underlying clusters themselves.
And there's a path to -- with the focus on workload, machine identity management and security to address the long tail of nonhuman identity. So I think the cloud roles, cloud service accounts, et cetera, they get to an even larger set and the actual workloads running across each of those combinations of clusters and containers. They have investments in thought leadership as well. So all of this -- this represents the new attack surface with this vast number of identities. And for us, it became really acute when we have our customers increasingly saying, this is a real problem for us. We have to think about security here, work with us on a solution. So this is really -- it's important for us to address this. And again, we've been talking about it for a while, last 1.5 years with crescendo of activity. So here, we're taking real action.
Erica Smith
executive: The other thing I would just add from a financial perspective that also gets us super excited about Venafi is the fact that they have historically been a 20-plus percent grower. Obviously, a smaller vendor as many small vendors were impacted last year by the macro environment. But I think from our perspective, when we look at our 8,800 customers, they have about 550 customers, a little bit more. But there's only 200 customers of overlap. What does that mean? That means there's a massive room for us to take their solutions and be able to cross-sell those solutions into our customer base. And we actually know from our diligence and also from some independent research that we've done that it's actually oftentimes the same buyer. And so when you think about that sales motion, it really does reduce the friction for us to be able to sell this solution. Clarence just articulated the fact that it's a real problem for our customers. We can take our extensive sales force and actually take it to those customers. Beyond that, when you think about it geographically, they were really -- about 80% of their business was in the Americas, right? We're 60% of the Americas, 30% in EMEA and 10% in APJ. That international expansion is really considerable, and then we can also take it to our channel. Then the top line is certainly really exciting, something that we've been focused on, but they're also very highly profitable. And so when you think they're going to be accretive for us immediately, which we've always and traditionally had very strong margins. But both from a cash flow perspective, operating margin and from an EPS perspective, they'll be accretive right out of the gate. So those synergies, both top line and the contribution to the margin, makes it a very financially attractive acquisition as well.
Unknown Analyst
analyst: And maybe a 2-part question for that go-to-market strategy with this product, right? The first part is maybe help us understand on a like-to-like basis, which identity is more vulnerable, a machine identity or human identity? And then to follow up with that, do you think the market has reached that inflection point within your customers where your customers do understand this is more of a need versus needing to go out and do that market education?
Clarence Hinton
executive: Yes, it's a really, really compelling and interesting question. I'll talk about it this way. So the human identity is overwhelmingly the most heavily attacked. And as we had one customer describe, end users will go through great lengths to disclose and give away their credentials. So the human firewall is quite porous and quite weak. That's why the attackers keep going there. However, it's also the most heavily protected identity, right? So it's understanding this balance of, well, that's -- you have MFA for the human identity. You don't really have that for nonhumans. And you have varying degrees of power. You have some humans that are extremely privileged and powerful. Others not as much. So it's really a mixed bag there. We do see the balance of power shifting to away somewhat from human identities because they're so heavily protected. Even on the nonhuman side, by default, they're very, very heavily privileged. Now to date, they're not as heavily attacked because it's not as straightforward to get there. You can't phish a nonhuman identity. You can phish a human, right? But once you get there, almost certainly -- you oftentimes have less to do in order to actually escalate privileges once you find one of these powerful nonhuman identities. So it's a very, very ripe attack surface. Again, a little bit more difficult to get to versus a human that you can phish and you can't go out and necessarily find all the credentials out on the dark web, even though increasingly you can if they're -- they've been stolen. That's starting to happen. But you take the combination of highly privileged in the nonhuman side, vast in number. It's a massive attack surface. It's just a matter of time before that becomes a real massive problem even relative to the human side, where, again, that's where most of the attacks are because there are so many different ways to get to humans. I don't know if you have anything to add.
Unknown Analyst
analyst: We have a couple of minutes left, so I'll see if there's any questions. I got to keep going for a while. Anyone? Okay. Great. So I guess just turning over quickly in the last couple of minutes more to that business model. CyberArk has always been historically incredibly profitable. Obviously, now capturing more of those growth opportunities on the tail end of that transition more to SaaS and subscription. So how do you think about investment, not just over the next 12 months, but over the next 2 to 3 years as well as that balance of profitability?
Erica Smith
executive: Yes, great question. So I think as we look at our financial model, we have always very much valued profitability. Even we were much smaller organization, we were giving investors 20-plus percent operating margins. And I think from our perspective, we continue to have that commitment to growth and profitability. But we're at a much larger scale now. And we believe that as you look out for the next few years, you will see leverage across our lines. So when you think about the R&D line and the sales and marketing line, specifically, going out the next few years, you are going to continue to see that leverage. But the wonderful thing about our business model, you mentioned our subscription transition, which finished up a year or so ago now. But we still are just -- we're just beginning to see the fruits of that in the free cash flow, right? And so you saw a very strong free cash flow in the first quarter. You're going to see that free cash flow as we go through the year here. But what's going to happen is that that will still continue to expand into the next few years. And so we will continue to balance that growth and profitability even with this acquisition of Venafi. We believe that we'll be able to retain and expand our margins and that you should see that cash flow potential continue here from this point forward.
Unknown Analyst
analyst: And what are the important areas of investment over the next couple of years?
Erica Smith
executive: Yes. So I think we're going to continue to invest in R&D across the board. I think we're looking at the various areas where -- I'll let Clarence talk certainly about some of the strategic areas where he's being -- or focusing on. But then we'll also continue to expand on the channel side as well as on the direct sales force side. So on the strategic part, I'll pass it up to Clarence.
Clarence Hinton
executive: I think we've talked about a lot here is an ambitious undertaking to protect all identities, human to human end-to-end with the appropriate level of privileged controls. Again, we focus and prioritize based on where the attackers are and where we think we can provide the stronger solution. By no means do we have it all covered 100%, we believe that we're systematically reducing risk. But this is an ongoing effort. And so you go identity type by identity type, use case by use case, making sure that we can provide the highest level of security in a way it is nonintrusive, in a way that actually provides value to the business. And there's a lot of that. And so we'll continue to do a lot of this organically, will leverage our partnerships, and we'll selectively acquire where it makes sense.
Unknown Analyst
analyst: Great. Perfect. We're out of time. So Erica and Clarence, thanks for spending the afternoon with us.
Erica Smith
executive: Thank you. Appreciate it.