CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Cool. Well, let's get started. Thank you all for joining. I'm Roger Boyd, I'm the cybersecurity analyst here at UBS. It's my pleasure to introduce Eduarda Camacho, who is COO of CyberArk. So thank you for being here.

Yes. Of course. My pleasure.

Awesome. Before we get started, if you want to ask a question, you can submit it through the app. You can get the app through the QR codes on the table. There's also a mic being run around if that's easier. Happy to incorporate those questions. And with that, we'll jump into a quick fireside.

Sounds good.

Awesome. Eduarda, you're relatively new to CyberArk, not fresh, but maybe you could just start with giving your background. I think most investors are aware of who you are, but just kind of your background and what you've been focusing on at CyberArk over the past year.

Sure. So I joined CyberArk in January. So it's going to be here a full year soon. Before CyberArk, I spent more than 2 decades at PTC, doing very different go-to-market roles living around the world, Europe, Asia and then in the last few years in the U.S. For those who know PTC and know Matt Cohen, we actually -- I almost say we've worked together there. We worked together for more than 15 years. in the organization. Then Matt left, came to CyberArk. I left, I went to BMC software, so two different enterprise software companies, are now COO here since the beginning of the year. I run all of the go-to-market teams and customer success teams. Obviously, coming in, Matt had this role before I did and before he became CEO. So we are very aligned in terms of how we think about go-to-market and priorities. So it's been more tweaking and adding my own point of view a lot around the end-to-end of the customer experience that I've been focusing on. But -- and as any company, continue to evolve the organization.

Got it. Maybe that's a nice jumping off point. I mean I think most investors think about CyberArk as one of the smoother operators in the space. In the past 12 months -- 11 months, like what have you seen as areas where you've been able to tweak things and improve things?

I'd say there's maybe a few areas I would call out. Continue to accelerate the investment and work around some of the partner channel overall opportunities. We see a lot of momentum and evolution in the strategic nature of our relationship with the global SIs. That just got accelerated now after the acquisition of Venafi and some of the other competitive dynamics. Aligned with marketing around more program dollars around acceleration of demand gen together with partners and the MSP routes, I think that continues to be one of the big focus areas. So a lot of that tweaks in that area. Overall end-to-end experience, making sure we get a very well-aligned machine all the way from demand gen all the way to implementation, successful adoption and expansion, experience, making sure our customers are in the latest of the platform so they can grow from there. Those have been some of the tweaks that I've been focusing mostly on.

Awesome. Okay. Well, a couple of things to come back to, but maybe let's zoom out a little bit and talk about the platform story as a whole. I think 5 years ago, most investors and probably customers too thought about CyberArk as the leader in PAM, but maybe focused on PAM. And it's a much different story today. But I'd love to hear in your words kind of where you think you are in the transition we all know kind of the breakdown of ARR, but kind of where do you think we are in kind of this broader identity push?

It's, again, not having lived through some of the earlier days, but it's really interesting. I had the opportunity since I joined. I think I've been in all of the major regions, a lot of customers, either through our customer events that we do in 20 cities around the world as well as not just visiting. And a very, I would say, very consistent and well received and resonating story about the transition of CyberArk, right, from being that strength around the core PAM to identity security platform and where we are in are where our customers are in that journey. So as I think most -- everyone knows, like from that space where we were -- we invented the PAM space and are still a leader in that space, the broadening of that definition of identity security becomes so much more critical for CISOs and in general and where a lot of the breaches come and really being able to talk and resonate when we talk to our CISOs and our channel partners around how that definition of privilege has expanded, our vision that every identity in the company needs some sort of the right level of privilege control. I think that transition, you see it is not just us pushing it. We see the CISOs. We see the market talk back at us in those terms. And I think that is a big part of that transition, right, where we are talking with the customers about, okay, here's how you protect your high-risk workforce users. And here's like a comprehensive plan around machine identities, both the secrets tie and how we identify. Hey, let's start -- get at the table and start having a real conversation about protecting your cloud developers and that we have growing exponentially growing part of the human identities that has possibly the least protections today when it comes to. So I think that transition both internally, but also in terms of the resonation when I go talk to customers and partners out there is it's done and now it's building on that power of that story and that platform.

I think I want to jump into nonhuman identity in a second. But just around core PAM, you've given the long-term target of what the ARR mix looks like over time, and it still calls for, call it, I think, 50% PAM when we look out a couple of years. You've talked a little bit about how underpenetrated you are within customers even in PAM. Can you just remind us kind of the view there and where you see that going separate of kind of all this.

Separate of the rest. So when we look -- we -- when you see our subscription mix today, like you see the numbers we reported in Q3, we are 55-45, right, 55 PAM, 45 non-PAM both growing, but the non-PAM growing faster. So at some point in time, it's going to, right, catch up. When it comes to the strength of the PAM and the growth in the PAM, and I'll address your -- how much we are penetrated is. I think from the penetration in our installed base, we say around 1/3, 30%. And a lot of the growth vectors there, a lot of it is on the story around modern PAM. So really the expanded definition of what a privileged IT user is, more use cases, cloud workloads operations, all of that has really been driving and then opening up to the developer community. That has been really driving the strength and the growth in the PAM. But again, the rest of the portfolio, growing at a faster pace is eventually going to catch up. When we say 30% in our installed base, like you see on the overall market, it's a much less penetration, maybe less than 10%.

Yes. Got it. Okay. To jump into nonhuman identity, you made the acquisition of Venafi earlier this year. I think the challenge is becoming more obvious, the millions of TLS, SSH certificates out there, IoT devices, different agents now with the generative AI. Venafi had some very large, I think, important customers, Southwest Airlines, BP, some other big ones, but it's a rather small business. And the question I get from investors is why isn't this bigger already. So I'd love to get your words kind of why do you think the nonhuman identity automation life cycle management business takes off from here?

We believe the -- two parts of that story. why the inflection point now and a little bit where the dynamics around the Venafi growth rates, right? So in terms of just the market inflation or the why now in those inflection points, the way we think about that, even before the Venafi acquisition, secrets, the secrets management piece had really seen the acceleration. And I think part of that is just the companies, the CISOs was realizing like with the scale of the machine identities and the complexity that it really became a big focus area. So we talk about the volume of the identities being one of the factors, right, volume meaning 1 human to 45 or even already 1 to 250 in some studies and machine identity is growing so exponentially. But also, there's a lot of different types of machines, right? The data centers, but also the workloads and the AI bots and the IoT devices and all of that complexity. And so you add the volume with the complexity, the variety of the types of accesses, right, certifications and the secrets and the tokens and the PKI and all of that complexity or variety. It just creates those two dynamics, right? And I think the third one, we've been saying third is the velocity, which is all of that is changing so rapidly. You have ephemeral workload. You have machines being spooled up and spooled down. And it just created, I think, that inflection point where the complexity is just not any more possible to manage with a homegrown solution or a manual process. And then you add on the regulatory or the Google effect of 2-year rotation certificates to 90 days and that just accelerated that. So I believe -- we believe, I'm just very bullish about it that, that inflection point is there. It's been there for a few -- maybe a few quarters. Venafi had invested heavily on -- in a great company, great people, invested heavily on the technology from a SaaS perspective, but decided to do it from scratch. So a lot of companies will lift and shift, they did -- they built it from scratch, which is better for now and for the long run, but it created a delay in the go-to-market and not a lot of investment in a go-to-market organization. They will recognize that. I think that's what created a little bit of a slower growth pace for them in the last few quarters which we believe we bring the strength of the go-to-market that can accelerate.

Yes. Okay. I want to move to go-to-market in a second, but just one more on Venafi. You've talked about Venafi adding, I think, about $10 billion in...

$10 billion to the TAM.

And can you gave some color on the earnings call about kind of what that means at a customer perspective in terms of the upsell. Can you just remind us how big incrementally Venafi can be relative to a PAM deployment?

What we see today, if you see the average size of their ARR, it's almost 3x the size of ours. So we think like $1 PAM, if you have customers, it's $1, it's almost $2.5 to $3 on the Venafi side. That's how much it brings. And I think we also mentioned, right, there's not a lot of overlap in terms of the installed base. So we have 8,500 customers of CyberArk that are not Venafi customers.

Yes. And as we transition to this go-to-market kind of topic, I mean, what's been the reaction? The customer reaction sounds pretty positive to Venafi that Matt has talked about has been the GSI interest. Can you talk about the level of interest with the service or the systems integrators around building programs around machine identity?

I think the fast reaction of the GSIs has almost been the most surprising aspect of this. I mean we were expecting a pretty positive reaction from the customers. We had it from the market. The GSIs, we announced the intention back in May, immediately, we saw the traction from the GSIs wanting to get information even just through separate entities, get trained on Venafi and building practice. It's been -- I think not just for me, but also talking to Matt and others, the fastest that they've ever seen like the GSIs react in terms of wanting to be ahead of the others and compete for who certifies first and who puts more people through the programs. We still have -- one of the areas that we've been preparing in anticipation is making sure we have the training, the enablement, not just to train our people, but especially to train the partner ecosystem. It's been pretty amazing. Now that, combined with even the dynamic around the whole machine and even secrets, it just brings all of the machine identity practices to the forefront of the strategic areas of investment with our partners.

Got it. Okay. And then maybe more broadly around GSIs. I had always thought that CyberArk did pretty well with GSIs around PAM. I think you've talked about some ways to improve that. If you can expand on that. And then as you think about unlocking opportunities across the platform, how do you think about doing that on a per product basis versus selling the entire CyberArk identity suite as a whole? Does that make sense?

With the GSIs or just...

With the GSIs.

Yes. So I think some of those areas of or tweaks or elevation with the GSIs is the realization from their side and some changes to align more towards instead of having the PAM and kind of keeping it to the traditional definition of PAM, you really see them broadening that to what they call modern PAM programs, which are much more inclusive of the other offerings of the portfolio, being both on the developer side, starting to get the secrets piece in, getting into the high-risk workforce side. So that's been a lot of like this -- the concept of the modern PAM programs and that how that becomes broader in terms of the scope. It's been where I've seen a lot of the evolutions as well as working together with us on element as we enrich the platform, how we think about AI, how we think about securing AI. There's been a lot of great, I would say, strategic discussions with the GSIs and alignment around that. Another area, I think separate from the GSIs, but the GSIs are part of it is also the investment around their MSP capabilities to bring us to other -- bring the CyberArk and the whole identity security to other parts of the market that are maybe less capable of adopting it unless an MSP offering.

Yes. That kind of leads perfectly into my next question, which is the same question for MSPs. How do you enable them? And I think there's a loose estimation that Matt and others have talked about that maybe 40% of the cybersecurity tool stack will be delivered through some form of managed service provider. I know you launched some MSP-focused tools, including the dashboard, a console early this year. But what else are you doing to drive engagement and operationalization of those partners?

Yes. I think we've been -- that's when I said one of the areas of tweaks, right, in terms of investment, both from marketing, but also from programs in terms of recruiting and developing and enabling some of those MSPs, both stand-alone as well as additional to GSI type contracts and reseller type contracts, investment from a product perspective on those -- on those types of capabilities like the portal that really help scale that business from an MSP perspective. Working very closely with those partners. This is one area where we are learning from them, right, what works and putting their investment. It was one of our top strategic initiatives last year, continues to be this year, and it will continue to develop because we truly believe if it's going to be 40% or above down, but it's definitely going to be a big portion of how the -- we together can service that market from a security is going to be through the MSPs. So it's accelerating very nicely in terms of growth rates, but we believe like we are just at the beginning of where that journey is going to be.

Yes. Maybe to focus on a couple of other products. The secrets management product, I think everybody has talked about that starting to accelerate. It sounds like the competitive environment has gotten a little bit more favorable. How do you think about the trajectory from here? And how does Venafi potentially add to that? How do you think about the combined solution there?

So a couple of things. Even before, right, the Venafi acquisition, I think we had seen a really strong acceleration on the growth on the secrets in the -- outside of -- even before Venafi, it's -- from the portfolio, it's the fastest-growing area. It's secrets. And I think it took a while for us to find the right balance from a go-to-market and even from a product on, how do you balance not interfering with developer speed of how they want to develop and a security imperative. But the -- how we develop the portfolio, Secrets Hub has been one of the fastest-growing parts of the portfolio, Conjur Cloud, where it's transparent, right, from the developers developing the apps, but you have all the security controls in the background, working with your multiple cloud providers. I think we really hit the mark there in terms of like balance between experience, security. I think that has accelerated because it's a problem to be solved. And I think that's there, that's resonating. The competitive dynamic with IBM intention to acquire Hashi has created tailwinds for us. I think from a concern -- a CISO concern around the evolution of that portfolio inside IBM. It especially accelerated the interest in our partners in our GSI communities. It was an immediate reaction, as you can imagine. So all of the real need, the exponential of the machines, the security mindset and that balance accelerated. And now with Venafi I think there's different parts of that integration. So the most obvious one and the first one will work next year is Venafi has a control plane that really allows you in the security organization to see all the certificates and the keys and their status and where they are, like integrating the visibility of secrets into that control plane is going to be one of the first ones. But then from there, I think there's many, many other areas where the joint story and the joint development will continue to build. That being said, we don't need to wait for anything. Our go-to-market organization has the two in the back to go sell. Our channel partners, too. We'll, early next year, release like a joint bundle when the right use case is to sell it together. We can sell it together, we can sell it separate. So we are not depending on, let's say, the integration. But obviously, the more you integrate, the better the value it's going to be.

Yes. Got it. Okay. You talked a little bit about Secrets Hub and what's going on with kind of cloud developers. Would love to just get a broader perspective of the strength with Conjur Cloud and Secure Cloud Access. I think relatively newer products, you're not really giving metrics around, but what's the momentum there? And if you could talk about the competitive environment there, it would be interesting as well.

It's a new area for us, again, securing it both from a secrets perspective, right, and then from how the developers even access, right, their day-to-day workflows, where we see that as one of the higher potential growth opportunities. That community, one is broadly unprotected, and two, the fastest-growing human identity for sure. We had very fast growth product in our Secure Cloud Access in our Conjur Cloud portfolio from a small number, but a very high fast growth rate. And again, striking that balance where we are not interfering with the workflows and the way we work of the developer community, but we are securing them and removing privilege and granting just-in-time privilege and zero standing privilege to this community. From a competitive landscape, on the secret side, Hashi on, on the other ones, we believe there's more very niche type of applications. We think there, it's a lot more of a team support in that you've seen the announcement around the Wiz partnership as one of the areas where we are coming together as a team support to really secure that cloud environment. That doesn't mean we only partner with Wiz, but it's a very deep technical partnership integration. We're just saying like even in our customer impact event in Toronto, I was there a couple of weeks ago. The Wiz CTO was there. There's a lot of good, I think, aligned view on how to secure them coming from the visibility, discovery contextualization of the cloud entitlement just coming from, okay, now that you found this, how do you actually manage it, right, and do something about it. I think it's a very strong partnership that we can build in. So I would say that one, very nascent, very niche, like there's no dominance. And then I think, again, finding the right partnerships and the right model there is what's going to unlock more growth for us.

Yes. I wanted to ask about Wiz, but it sounds like a deep technical relationship, not a ton of overlap from a technology standpoint, maybe a little bit around cloud entitlements. But how about on the go-to-market side? Is there an angle to that as well? And if you can expand on that, that would be great.

Yes. So for now, on the go-to-market, first of all, we don't see a lot of overlap productization on technology. On the go-to-market, they've been historically very strong on the developer side, right, on cloud side. They don't have so much of a strength on their CISO relationships. It's a much younger company, right? We've had time to develop those relationships. We come from the enterprise side with the strength of the enterprise relationships and those two coming together. Right now, we are doing that at customers when the right occasion in the customer is. It's not a more delivered full-fledged go-to-market strategy, but it's a very young partnership, and we'll evolve it from here.

Got it. Okay. Any questions out there in the audience? I want to make sure I'm not missing anything. I'll pass on. Just around identity, I think you've talked about that opportunity is sort of evolving where you can go at that from an additive piece of technology that sits on top of other workforce identity products or you can go in and replace the whole stack. I mean what are you seeing from customers? And are those conversations changing? Are they kind of staying constant? Are you having more success doing the full stack? And how do you think about that kind of replacement opportunity over time?

Yes. So on the workforce side, like we always said that we have a very small percentage penetrated, right, on -- even on an installed base and definitely of the overall addressable market there. But where our differentiation comes in and aligned to our vision, right, of those privileged controls, applying the right ones in the right moment to the right identities, it comes into the workforce in two ways. As you said, it's either a full competitive replacement. I'll talk about that or it's complementary to your SSO MFA that is already in place. So the dynamics we are seeing is when you have kind of very security-minded organizations, CIO, CISOs that are really thinking about the workforce and managing more -- not so much from an operational efficiency, but having the security layer, two things may happen. One, they have more legacy types of solutions. Sometimes we see it with CA type products or RSA or Oracle. And they're like doing a full-fledged replacement. In those cases, when we are in there, we are in there because they have that security orientation. And we end up competing with the Oktas and with the Microsoft, but we compete on -- we have the SSO MFA and then we have the security controls on top. We win more than our fair share of those deals because we have that security on top, and it's a security-minded type approach. Many other occasions, you have the same type of security minds, but they have -- they have Microsoft, they have the Okta deployed and maybe they've done it the last 2, 3 years. We don't see -- occasionally, but we don't see a dynamic of, okay, now I'm going to rip and replace this. I'm going to start again. I know I think we always say like we don't want to compete just in SSO MFA to commoditize, not our -- where we differentiate. We want to either compete with the whole stack with a very competitive offering or complementary to already have. And that's really what's been driving the growth in the workforce. And again, after secrets is the second largest part of the highest growth in the portfolio.

Got it. Okay. Maybe one or two more. CyberArk introduced the secure browser a little while back. I think the intention was to not monetize it. It would kind of serve as a jumping off point to help customers adopt the broader platform. But I would love if you could just talk about kind of customer reception to that. It feels like broadly, we're hearing more security companies talk about secure browser and the role it could play and potentially user access scenarios. But what's been the CyberArk viewpoint? And what's been customer reaction?

We still have the same approach, right? We are not monetizing it. We are putting it in the hands of our customers that are on the platform. Again, from the two perspectives, right? One, jumping point to -- a jumping point into other areas of the platform. But from a security perspective, right, it's still the most widely used and very targeted, right, from post authentification, hijacking and others. So we've been having really good feedback from customers. We have customers that have widely deployed it. We have others trying different use cases. And we'll continue to monitor that evolution. We have very specific targets in terms of driving the adoption, again, not from a monetization, but because of the value that it brings to drive adoption of Secure browser into our installed base. We still believe the approach of making that as additional value into the platform is the right approach for us.

Got you. Okay. Maybe I'll slip one last one in. But I think at your Investor Day back in 2023, CyberArk talked about roughly 1/3 of net new ARR coming from new logos. Is that roughly still the goal internally? And you now have Venafi, which is a pretty big cross-sell opportunity, upsell opportunity. You've expanded kind of the presence with the GSIs and MSPs, which probably helps on new logos a bit, too. Is that still roughly kind of the target when you think about the growth formula?

It's still the same, and we could still keep that 1/3. I think we've been pretty consistent about saying we want to be above the 1,000 in every given year. We continue to think that and execute on that. It's not getting any easier, right, to go and capture new logos, but we've been -- I think all of those different routes. Venafi is another landing spot for us, right? Because, again, you can land with workforce, you can land with PAM, EPM, you can land now with Venafi, too. So it's another driver there to keep that, but 1/3 is still our target.

Got it. All right. We'll wrap there. But thank you very much. It's been a great conversation. Thank you all for joining.

Thank you. Thank you.