CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Thank you so much for joining us for day 2 of Citi's Global TMT Conference. If you haven't met me yet, I'm Fatima Boolani, I jointly head up our Software Equity Research team here and I am absolutely delighted to be hosting the CEO of CyberArk, Matt Cohen, this morning. Thank you so much for being here.

Thanks for having me. I'm excited to be here as well.

Right. Well, I want to waste no time. I want to get right into it. I had a little bit of a monologue here. I think when we look at your financial results over the course of the last 2 quarters, but frankly, the last 4 to 6 quarters, there's clearly been an upswing and a trend that certainly intrinsically is really impressive, but even more so in the context of the broader performance of the peer set in cybersecurity. So the question I want to start with at the highest level is how are you continuing to demonstrate such strong execution? And Matt, what do you think specifically is working so well that your results both from a relative and absolute perspective are so starkly in contrast to your peers.

So listen. I think it comes down to a couple of different factors. You start with a market that's at a turning point in understanding the importance of identity. And when you look at the threat landscape and the constantly elevating threats that are out there, every organization is under attack. Generally speaking, ultimately, where the bad actors are trying to get to is to identity. And so you have this like growing lies of awareness just overall of the importance of what it is that we do. And then you combine that with what I think is a differentiated strategy for us, which is the idea of we can secure every identity, human or machine, with the right level of privileged controls. And so we're able to actually take what was traditionally -- our market of securing IT and expand it from securing IT to securing the workforce, securing developers and securing machines, which fundamentally allows us to be able to cover more of the identity market. So you have a growing market that really cares about it. You have a differentiated platform. And then as you mentioned, our ability to be able to execute, I think, has been pretty solid. Our reliance on really strong partners. We've always been partner first, partner-friendly, they help drive the business. Our sales and marketing team are some of the best in the business around their ability to be able to execute. And ultimately, you see the results that we've been able to perform against.

Sometimes I forget that it's only really been 3 years since you've been a SaaS company just because the cadence you've had and the reps you've developed kind of makes you forget that you were not doing SaaS the whole time you've been in existence. And I think I'd like to remind people that CyberArk has been around the block. You've been an established company for some time. And so can we maybe walk down memory lane a little bit and talk about the SaaS transition and how that's potentially been another vector that's really helped you ride this wave of the growing awareness about PAM, these attack volumes have just shown a very bright spotlight in the value proposition you offer. So just purely that SaaS transition, how that's put more wind in your sales?

So CyberArk is a 25-year-old company. We celebrated our 25-year anniversary this year.

That's about as old as I am.

Exactly. So we share a birthday maybe. It's been 10 years being public. So we've been 10 years as a public entity, which also is a nice milestone. And I came to CyberArk 5 years ago. When I came to CyberArk 5 years ago, we were a perpetual company. And I showed up and I actually couldn't believe that I was back trying to run a sales team selling perpetual licenses. It's not fun. Every quarter starts over again. And since that 5 years, yes, we've been able to move from perpetual to subscription with a dominance on SaaS, and what that's done for us is it's opened up the opportunity to be able to improve sales cycles. It's allowed us to be able to perfect the land-and-expand motion. It's helped us to be able to talk to customers about a platform versus products because we built it out with a common architecture and a common set of services. And ultimately, what it does is it just changes the dynamics of the business, the velocity, if you will, of the business. And we've seen that lately in our Secrets business, Secrets is a part of the machine identity persona, where that was one of the last areas that we actually launched the SaaS version of the products. And since we launched the SaaS version, that business has accelerated. And it's accelerated again because that's a particularly tough spot to adopt. And when you have a SaaS solution and it can be deployed in weeks versus months and developers can use it quickly within their whole environment, it makes a giant difference.

I want to go to the -- I want to break down the business from a pillar perspective. You talked a little bit about, not only touching the IT persona, you're touching the business persona, the developer persona. And so we'll certainly get to that. But I want to talk about the bread and butter business. It's kind of your claim to fame right, Privileged Access Management. So you've historically shared with us and even kind of talked very publicly about the fact that many organizations still just don't have robust privileged access controls, right? So with today's landscape, a very elevated threat landscape, breach activity and all of the nefarious things that are happening. Why do you think we haven't seen more kind of notoriety with the PAM category in the same way as network security and firewalls have become a household kind of concept, so to speak?

Listen, I think at some level, we were -- when we were only a PAM company, we were playing in a part of security that is like the security, security. The people who really know security, they know PAM, and you're locking down -- originally, you're locking down the most critical users, a pretty small user group when accessed to most critical targets. That's what PAM was founded. And I think that name you well known within the deep security profession, but maybe not that well known across the broader idea. And by the way, it led to maybe slower adoption because PAM was hard. I think what you're starting to see now is with what we call modern PAM, which is the ability to be able to not just -- so basic PAM for a second is, you take a user, you vault their credentials, you vault their password, you rotate that password on a regular basis, and you broker the session. So you stand with the user when they're accessing critical targets, so that you're isolating that session, you're recording that session, you're making it more protected. That's traditional PAM. Well, now we've been able to launch offerings around just-in-time or zero standing privilege or modern PAM. What that means is you actually use your -- as a user, you use your own credentials, your username and password. You don't actually have to vault your password. And we'll see you with no credentials, no entitlements when you're outside of a target, and we'll start to apply those same controls, isolation, recording, step of authentication at the point of access when you actually log in to these targets. Well, that changes fundamentally the dynamic of how easy it is to deploy, how easy is to use, the change management changes. And that opens up the opportunity, which I think a lot of investors don't quite get around the runway still in securing IT, like we've been securing IT admins for a very long time. But now we can secure everybody in IT from the database administrator to the data scientists to the cloud architect, all within one solution.

You ran the sales organization before you moved into this broader CEO role. When you were thinking about the privilege access, security, privileged access management market opportunity, what does that runway look like for you in terms of market size and penetration? And the spirit of the question here is, again, you've been doing the yeoman's work for 25 years, telling people this is a big problem. And yet there's still so much greenfield opportunity. But we're also in a different environment in that. One of the big questions I get is, hey, you aren't -- 2 decades in, shouldn't we be closer to maturation, closer to saturation. So what are some of the greenshoots of growth within your core PAM market? Because like I said, there might be some perceptions or misperceptions that you've kind of run the course in your core market.

I mean, I think it comes back to really a basic concept, which is what a privileged user is today is different than what a privileged user was yesterday. And so if the very nature of privilege had not changed, that would be right, we wouldn't run in saturation because we own the IT admin. But because you now have to think about anybody in IT as a privileged user because you have to think about, by the way, a business admin sitting in the business, accessing a SaaS application as a privileged user. Because you have to think about a developer. Developers are some of the most privileged users in an organization. When you start to think about all that, it just creates a much longer runway for us to be able to go after these new identity groups, excuse me, not even talking about machine identity.

And within PAM, I know you've made some kind of changes and new packaging changes. You've introduced a new Chief Business Officer to the executive team earlier this year. So what is the impetus for some of those efforts to help drive ongoing momentum in your core business? And then I definitely want to shift gears to some of the other categories that you've been building a lot of momentum.

I think from a packaging perspective, we wanted to simplify. And we still have a lot of customers that are kind of a la carte offerings of our old PAM solution, and we wanted to get them into the SaaS platform and get them on standard or an enterprise bundle. And we went out with that package. And that package includes some of these newer just-in-time zero standing privilege approaches to privileged access management to PAM. And that's really resonated with our customers. By the way, as we get to it, the base notion that we have these 4 persona groups. Securing IT, securing workforce, securing developers and securing machines, we wanted to have packages that map to that were, again, very easy. That's how you sell. You sell and you walk in and you say, where is your risk? Is your risk in IT? Is your risk in workforce? Is your risk with your developers? Is your risk growing in machines, and we want to have packages that map to that. Eduarda who is our COO, who came in kind of run into all of go-to-market sales, customer success channel. I mean she's really focused in on kind of the next level of growth, how do we get the channel partners and the MSPs in the marketplaces to where we need to get to. How do we get customer success to be able to service in foreign accounts so we can free up the sales reps. How do we get marketing and sales to even be more effective together. That's where she's been focused on and has done a phenomenal job in the first nine months, as you can kind of say.

So PAM is about 55% of your total ARR, that means there's another half of the pie that we need to talk about, right? We did discuss kind of the spectrum of personas and identities that you are tackling with a broader platform. Within the remaining 45% of the business, how should we think about the most sizable pillars of solutions and capabilities. And what do you think about kind of the growth prospects of each as we work through?

So core PAM, 55%, growing in the mid-teens, really healthy business. And I think that has a lot of runway as we were just talking about. Then we've got workforce. And in workforce, we've really got 2 buckets. We've got the traditional access space and we've got -- that's really where we put our EPM, our Endpoint Privilege Management, is securing the workforce. So EPM, Endpoint Privilege Management, which sits alongside in EDR, it's another agent that basically removes admin rights and locks down the desktop or the server, is our second biggest business. It's a greater than $100 million ARR business. And for a long time, it had incredibly high growth rates and still grows faster than PAM, but it's becoming a more sizable business. I think that's the second biggest one we have. If we go over then to the workforce side, the access side of the workforce, that's where we would compete against a Microsoft or an Okta. And that's where, I think, we have hyper growth potential. I mean we're a distant fourth in that market. I mean we're not claiming to be anything other. But that growth rate over there is phenomenal. And it's based on the idea that single sign-on and multi-factor authentication, the core offering of Okta and Microsoft is not enough. It's not actually securing the workforce. And so we estimate that about 20% to 30% of enterprises really care about this on the workforce side, on the access side. And by the way, if they don't get about security and they're just doing it as a check-in-the-box, they should choose Microsoft. That's who they choose. By the way, they choose Microsoft, not Okta, they go in. And that's fine. But when they choose it, when they care about security, we can wrap MFA and SSO with secure web sessions and with password management and with a secure browser, and we can actually make the workforce secure. And that is, for us, the differential. So we go in on the workforce side and we say, "Hey, our $9 package is as good as them -- is the same as their $9 package, but you can actually get security out of it." So that seems to work for us, and that's a high-growth area for us. Developers is the smallest business for us by far, but it's also a really interesting business. And this is where we go in and we say, a developer should never have privilege at all. Like most developers sit out there and they do whatever they want in AWS, Microsoft and Google. That's really dangerous to actually turn off all their entitlements, turn off all their privileges and let's let them at the point of log in get a signed privilege and at the point of logging out, remove and degragate that account completely. That for us is a high, high-growth area, very small business because we just launched it. And then we've got machine identity as the fourth persona. So the 3 humans are workforce, IT and developer. Now we go to machine. This is where we've had the Secrets business. It's growing at a very high rate as well, like the Access business. It's kind of taken off in the last 18 months or so based upon some market factors, and we can talk about that in a little bit. And that's where we obviously also have acquired Venafi to boost out and make that machine identity business bigger.

On Venafi, this was a pretty significant acquisition for you, it was a $1 billion deal. So one of your biggest ones. And you've been fairly judicious, generally, in the history of the company. And certainly, I want to ask your perspectives on the broader trends in VC-backed companies and private company trends. But -- so we'll put a pin in that and come back, but Venafi, a very significant for you. What was it about Venafi that struck you as this is an incredible value proposition that synergizes brilliantly with the portfolio and what are you expecting to do with the asset that they weren't able to accomplish stand-alone?

Sure. So I mean I think in order to understand Venafi, we have to understand the larger machine identity market for a second. And so let's just sit there for a second. Machine identity is any application, IoT device, bot, can be a RPA bot, it can be AI Copilot bot. Think of all of this cloud computing and AI-generated innovation, it just creates a sheer number of devices and applications that are unmanageable. Those devices and applications need to be able to access data and talk to each other. The way they access data, the way they log into a database is with a secret, just like we log in as humans with the username and a password. So our Secrets Management business is the act of securing the username and password that an application would use when it's logging in to get data. That's really foundational security and it's very similar to PAM on the human side. What Venafi does is there's another form of identity for applications, there's these things called certificates or keys. What those are, are really identifiers of who this application is. It's like a birth certificate mixed with a driver's license. It says, when was this application born and why should I trust this application that it says who it is, and it's all encrypted. And in order for an application or a device to be able to communicate, to be listed on the web for what people come to work with it, it needs to have a certificate or a key. So proliferation of number of machines, okay? Then a growing recognition that, actually, these are security risks, that actually more and more attacks are happening at the machine layer, okay? Now on top of all of that, you've got regulation coming out around what you have to do with these things like certificates and keys. So Google has come out and said, every 90 days, you have to reissue a certificate. It used to be two years. So if you have 5,000 or 10,000 -- some companies have hundreds of thousands of certificates and you're managing on a spreadsheet or in an automated fashion kind of with maybe Microsoft or ServiceNow. But you're trying to figure out how to discover tens of thousands of certificates and now you have to be rotate it every 90 days, you need an enterprise-grade solution. So we started hearing this more and more from our customers that they want us to do more in machine identity. We went out and looked. We've been partners with Venafi for seven years. We knew them well. Frankly, I didn't think they were probably the right target to begin with. Because I could imagine that they had the latest and greatest and best technology. We went out and looked at all the start-ups. Then we went back and looked back to Venafi and we found that they spent the last 3 years, ground-up building a SaaS offering across both legacy and modern applications that was heads and shoulders above everybody else. Nobody knew it. The customers didn't really know it, but we saw it and we're like, okay, so we can get $150 million of ARR. We need a highly profitable asset, actually margin accretive for the company and we can get the best technology in the market. It's a pretty good value story. So we went out, we spent $1.5 billion plus. Hopefully, we'll close the transaction here in the back half of -- we will close the transaction here in the back half. And ultimately then, all right, now what can we do with it? And there is the second part of your question, which is what were they doing that wasn't quite right, given how excited I sound about the overall market? Well, they were a small company. They had 23, 24 sales reps. They hadn't built out a really strong go-to-market engine. They didn't have a partner ecosystem. And in security, you can't really live without a partner ecosystem. So they didn't quite understand how to scale from a go-to-market perspective. And even if they did, I'm not sure as an independent entity, they would have been able to go do that. If you take their 23 reps, their products and you put it in the hands of about 200 reps and our market reach and our market scale and this market problem, and that's where I get excited about what we can really do. Long answer, but I think it's an important one.

No, I appreciate the detail. I mean, look, I think one of the questions we get a lot is why is it the time now for machine identity to kind of come out from the wings on the side? And why is the time now? So with the benefit of hindsight in terms of how the PAM market has evolved, do you see a lot of comparable parallels between what's kind of germinating in the machine identity market to give you confidence that this category is on the cusp of being ready for prime time and you are at the ready to monetize this in a disproportionate way relative to anyone else and your peers in the market?

I think the PAM analogy is a good one. And I think what we see is that the market is probably where the PAM business was about 5 years ago or so, where post-Equifax breach, post some of the big prominent breaches where it became top of mind for everybody. I think machine identity was always not that cool to be in. Certainly certificate life cycle management doesn't sound all that cool to be in. But the idea here is it is having its moment. It is this idea where all of a sudden, machine identities are proliferating like I said, at this such a fast rate. And the factors that will drive more growth are kicking in. We get really obsessed with AI, but AI is going to drive more and more machine identities. And so I do think it is this moment in time where people are recognizing it. And then in addition, I referenced the Equifax breach and some of the big breaches, the [ Meryx ] breach back in the day of PAM. More and more of the recent breaches are at the machine identity realm. The most recent Microsoft breach on the e-mail service started with a service account in a machine identity. And so you see kind of the public consciousness around machine identity as a breach point becoming more and more important. And I do think it's an inflection point. The interesting thing is even though we haven't closed the acquisition, I am allowed to do some things, but I'm allowed to talk to their customers, our customers and prospects. And the reception has been remarkable.

What is that overlap in your customers?

So they have about 500 so change customers, about 300 that are overlapped. We've got close to 9,000 customers overall. So there's a lot of white space to cross-sell into. But these customers come and they're asking me about the acquisition. Well, at times when you acquire a company, you have to say to them, "Hey, let me tell you about this company I just acquired." They're starting the conversation with me saying, "I heard you acquired Venafi, can you talk about what that means. Can you talk about your road map." Another data point, by the way, and again, I get excited when I'm talking about it, but like we have standing room only of our partner community around the world getting trained and certified at Venafi now, we haven't even closed the acquisition, we didn't invite them. They've been showing up because they want to learn about this space.

We discreetly talked about the opportunities within your portfolio. But I think a magic happens when you drive network effects between linking the IT admin security to the dev admin security to the workforce business user security. So just to put some quantitative framing around it, in a world where you were just doing PAM, right, you had more of a niche focus, right? But subsequent to having expanded the portfolio, can you talk to us a little bit about what happens to your deal sizes? What happens to your customer engagement? What happens to the types of outcomes and ROI you can deliver to customers when you layer on Secrets on top of an existing PAM footprint, you layer on workforce on top of an existing PAM footprint.

Yes, I think it makes you the strategic partner of these customers at a more meaningful layer. I think it makes you their identity security partner. And I think it opens up the space for us to be one of the couple adopted platforms. Sometimes people ask me about this platformization concept. And do I think the whole world is going to consolidate. And the answer is no. It's not going to all consolidate. But what a [ CECL ] wants is like 4 or 5 main partners and then they're going to go buy a bunch of point solutions to try on new areas. And I think it opens up the door for us to be the identity security partner for the major enterprises around the world. What it then does is, as you said, it increases the deal sizes. You see that in some of our new business where we're landing not just with PAM, but we're landing with multiple products. More than 50% of our new logos, we did 245 new logos, which is a healthy number in this economy last quarter. And they're landing with 2 or 3 or 4 of the persona groups being covered, you see that in our ARR growth in our 500,000-plus cohorts. I mean our fastest-growing cohort as a company is our 500,000-plus cohort of ARR. That's because they're expanding their footprint from just PAM to all these other areas. So I think it will play out more and more in the months and years to come, but we can kind of start to create a deeper enterprise relationship with these customers. And ultimately, the ARR per customer should be going up.

So land sizes and land deal sizes are getting bigger. That's directionally very positive. What about expansion? Have you seen a very discernible improvement in your expansion velocity, whereas maybe it took you 12 months to convince a customer to expand their footprint with you? Has that drifted to 9 months to 6 months, especially under the SaaS form factor?

Yes, absolutely. The land-and-expand motion and the time between first purchase and second purchase and third purchase is the most dramatic element of the SaaS transition and of the importance of our breadth of portfolio. So if we closed somebody in Q1, like a new logo, we're expecting they're going to do the second purchase in the same fiscal year. Within the existing base, they're making multiple purchases throughout the year. And they're kind of tying it to the overall road map as they go forward. So we've seen acceleration in deal cycle of deal #2, deal #3, deal #4. We see that since we shifted to SaaS, and we've also seen it in the breadth of the portfolio. It's a key piece of our growth story.

And just as a frame of reference, what did that expansion conversation and time frame look like before the SaaS transition?

I think you along time saw the second or third purchase come 12, 18 months later. And I think now you see it come 6, 9 months later. So halved in terms of what kind of the acceleration happens. And then again, what you see is more and more solutions being taken and being adopted.

We talked a lot about the model transition. We talked a lot about the portfolio expands and the green space from a penetration standpoint. But another angle that I really want to kind of sink my elbows into is just around your installed base. So you've had the benefit of having a very captive, very loyal installed base that for the most part, hasn't actually fully moved to SaaS, right? So a lot of that momentum that you've been seeing in your financial results, frankly, has been from newer customers or existing customers maybe expanding their footprint. And so what I want to get your perspectives on is this notion of, hey, converting the base because there is some immediate financial benefits from taking an old stodgy perpetual customer and getting them to SaaS because there's immediate sort of ASP uplift, right? So I'd love to get maybe a flavor of where you are in the journey of your installed base being completely forklifted to SaaS. And secondarily, what the implications are of that because in the interim, you are having to manage 2 software codes and 2 forms of software architecture, right? So certainly, that has margin implications, which you can get to in a second, but would love to kind of get your views on where you are in that converting the installed based journey.

Yes, I mean I think we're in early days still. And I think we've taken a -- I think, smart, but also carrot-based approach to getting them over. We wanted to get the landing spot to be better than the current spot. We're finally there. We wanted to make sure that customers were doing it on their own time. We started with, we have a very loyal customer base. We do. And what I study most is what is the different cohorts in terms of their buying patterns. If I started to see that the existing customers who were on-prem weren't expanding at the same rate as customers who had moved over, I would take a more stick approach. I would get them over cohort. But that cohort actually is buying at the same rate as people who sit on the subscription or a SaaS platform. So that means they have no urgency because they're partaking. Secondly, we still see a 3x multiple on average when they move to SaaS. We set about 1.5x multiple if they move to on-prem subscription. I don't want to force them to on-prem subscription like a lot of other companies have because I'd rather get to 3x and I'd rather get them to the mom-and-pop platform. So I'd rather plan it out with them. And a lot of our customers, we have our plans over the next 12, 18, even 36 months because we have that type of relationship to kind of detail out when they're going to move. And it becomes a steady tailwind for the company but not something that's going to like accelerate in one quarter or the next. In addition, there is real reason why certain companies want to have their vault on-prem. And financial institutions, highly regulated industries, government accounts. I'm not sure they're ever going to change. So then the question becomes, how do we actually keep their vault on-prem even do other aspects of PAM in a SaaS format and then do everything else in SaaS. And I think that's maybe more of a long-term strategy for some of these customers.

Fair enough. On the R&D engine, aside from basically architecting a SaaS form factor for the entire business, you've still been pumping a lot of new product, right? So identity threat detection and response has been kind of this new bubbling topic in the space, and we've seen kind of that DR moniker in all the different control points, right? You've got DR for endpoint, you've got DR for network, you got DR for cloud. Now we have it for identity. So it was a long time coming. What is your approach here with identity detection and response? What's the driving force behind introducing this product? And what are some of the differentiating factors for you in terms of, is this going to be an incrementally monetized SKU? Is this just going to make the whole CyberArk user experience better?

Listen, I think ITDR, Identity Threat Detection and Response is not a market unto itself. I think you see that in some of the start-ups that are out there that have been acquired, I don't think it has legs for that path. I think that it needs to be built into a platform. That's our take. That's our approach. What you can do is you can use it to be able to identify all privileged accounts, all accounts and what entitlement then they have, where risk lies. More importantly, though, because that's kind of table stakes and kind of easy to do, you may be able to respond. DR is actually the most important component of ITDR, right? And the ability to be able to understand what to do with the risk when it starts to materialize. We at CyberArk are differentiated in that we live in the session with the user. And that's really important because there's not many security tools that actually do that. Live in the session with the user. We're brokering the session. We're monitoring the session. We're recording the session. So we know what's going on and we can spot anomalous behavior. And we can spot it particularly against high-risk users and high-risk targets. So our ITDR approach is to enhance the platform to leverage the data to make sure that we are the best at spotting and responding to risks around identity. I don't mind on charging separately for it. I think it's a way to get more and more people on to our platform. And that ultimately will be the growth of CyberArk. If we get more identity on the platform. We have runways of growth that are beyond years to come. And ITDR will be one way we differentiate the platform itself.

Now I wouldn't be a card-carrying enterprise software analyst if I didn't ask you about your generative AI strategy. So I think there's generally 2 ways most organizations have gone about this, right? You make generative AI seen and not heard by way of platform experience or you're actively modest approach to infusing generative AI in the way you're thinking about your ROE.

We launched this concept of core AI. That's our AI. It needs a name. So we call it core. It's the core of our platform. It has what we'd say is the brain and we want to use all of the data that we have within sessions. We want to use the ability to be able to manage and automate policy. Obviously, we wanted a system that will make natural language an easier way for people to interface with the product itself. And we want -- again, like I was saying about ITDR, we want to make it core to our platform. So when you're on it, you're getting advantage of it. So again, not planning on selling it, not planning on monetizing it, planning and building it into everything that we offer. We have a center of excellence out of our headquarters that is just an AI center of excellence and its job is to infuse the AI into every solution, every product, every nook of CyberArk, even the internal side of CyberArk. That's our approach. I think there's 2 other things to say around AI. One is I think people need to understand that the biggest place AI is having an impact is with the attackers. The attackers are ahead of us as an industry with the use of AI to be able to come after us. And part of why the breach environment has become so bad, the threat landscape has become so bad is their use of AI. We need to respond to that with core tools. Second of all is how do we secure AI is an increasing component of thought within the industry, AI can be thought of as data sources or give me thought of it as identities. Our belief is that AI ultimately should be secured as an identity, and we need to secure that as any other machine identity as part of our overall platform.

Matt, really quickly on how you're thinking about the investment envelope and the OpEx posture. Certainly near term, but medium term too, as you acquire and digest and incorporate and integrate Venafi certainly. So when you think about the growth and profitability algorithm, I think one of the concerns is, hey, Venafi, great asset, respectable growth but they're going through a model transition. And we all know what happens with model transitions, right? There is sort of this transient kind of temporary dip in your profitability profile. So how are you hoping to manage some of that impact into your P&L because you do have targets out there with respect to commitments on free cash flow generation and operating margin generation.

So I think we will continue to transition more and more to SaaS. That creates a little bit of a revenue headwind, but clearly, we still deliver a good number. I think Venafi also as they go through, we'll have a little bit of a revenue headwind, but it will be pretty countered by the growth that we think we can drive overall in the business. We're very comfortable with the long-term targets that we've put out there for 2027, a 20% plus operating margin, 25% plus free cash flow margin. We'll update targets at some time in an investor event in first half of next year with the Venafi model, with our model overall but we're well ahead of our profit kind of plan. We guided to a midpoint of 12 points of profit this year kind of really coming out of the trough of the subscription transition. And I think there's -- as we think about our long-term profit is something we feel very comfortable we'll achieve. The question will be, okay, when do or do we modulate that profit at above the 20% level because we're investing for growth. I think the 20% bar is a given. And then we'll figure out what do we do with that.

Matt, the last question I have for you, and I think it's a good place to kind of put a capstone on our discussion is you've kind of already hit the [ elusive ] $1 billion ARR mark. That's an incredible milestone for a software company to hit. When you think about the pass to $3 billion in ARR, the pass to $5 billion in ARR, what are the priority sequencing of the key inputs towards you achieving those levels of ARR from here? So what needs to happen from a go-to-market perspective? Where are you the most confident from a portfolio monetization scale perspective. I know you love all your products equally, but what are you most excited about?

Yes, I think the short answer on that is we turned our attention to the $2 billion, $3 billion mark a year or so ago when we really understood that the $1 billion that we hopefully -- roughly that we'll achieve by the end of this year is kind of hardwired in. So I think that we think we have the go-to-market engine with a partner ecosystem, the investment in MSPs, the investment in the marketplaces to be able to grow. We already put the portfolio and platform in place for our $2 billion, $3 billion company by going into these other personas. Venafi and machine identity is probably where I'm most excited about overall within the growth opportunity that we talked about. But across all of that, workforce, IT, developers and machines, we've got a lot of runway and the TAM supports being a $2 billion, $3 billion, $4 billion company. I think the company is wired now for that. That's what we've been working on over the last 12, 14 months is that vision of CyberArk.

It's been incredible to watch. So we're going to keep tuning in. Thank you so much, Matt. We really appreciate your insights.

I appreciate the time. Thank you.