CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Good afternoon, everyone. Welcome to CyberArk Investor Day. For those who I haven't met before, my name is Srinivas Anantha. I head the Investor Relations here at CyberArk. First, let me start by saying thank you. Thank you for joining us here in person and those who are joining us virtually. We are really excited about the day we have for you. We have a lot of great speakers, great content, and I think a lot of you folks will find it very interesting. For us, we want to make sure that your time is well spent here. Most importantly, we wanted you to have a better understanding of the underlying business momentum, but more importantly, where we're going from here. Since this is an investor event, I would be remiss if I don't show the safe harbor. We will be making forward-looking statements. Those statements contain risks and uncertainties that are fully disclosed in the Form 20-F that's filed with the SEC. For additional details, please visit our website. With that out of the way, let me briefly go over the agenda. We will kick off with our CEO, Matt Cohen, who will walk us through our vision and the growth opportunities ahead. He will then hand over to Clarence, our Chief Strategy Officer, who will talk about industry trends. But more importantly, he'll also talk about why Identity Security is becoming one of the most important pillars of security. You will then hear from our platform innovation team of Amy, Vice President of Marketing; Kurt, GM, Machine Identity; Peretz, Chief Product Officer. They will talk about the unique value proposition of our unified Identity Security platform, and yes, AI too. We will then hear from our go-to-market team of Simon, our Chief Marketing Officer; Eduarda, Chief Operating Officer. They'll walk us through how they are scaling the marketing and sales organizations to go after the large market opportunity. We'll then have a brief break. Coming back from the break, you will hear firsthand from our customer and partner panel about their journey with CyberArk. Finally, you'll hear from Erica, our new CFO, who many of you know, who will walk us through how everything comes together from a financial perspective. She'll talk about our financial model and where we're going from here. Let me set some expectations ahead of time. We will not be taking any questions during these sessions so I would request you to please hold your questions until the end for the executive Q&A. With that, let me turn it over to Matt.

Thanks, Sri. Welcome. I'll extend my welcome to everybody in the room here, everybody online who's joining us. We're excited for the next couple of hours. For us, this is a lot of fun. It's our opportunity to get away from what we often discuss with you all, the quarter-to-quarter performance or even the yearly performance and to get a little deeper into the longer-term strategy. Where is CyberArk going as a company? What is our vision? How do we view the market and how are we going to win? So my role today is a little bit as a tour guide, if you will. I will take you through all elements that we're going to cover at a very high level. I'll help you understand a little bit around the market dynamic that's going on, what we are doing in response to that around product innovation, around the technology itself, the solutions we bring to market and how all that comes to play from a standpoint of our go-to-market excellence or our go-to-market execution. When we add that all together, I'll give a brief update on the financials and let Erica go a little bit deeper into her section as she helps explore why we're winning from a financial perspective and how we see this playing out over the next couple of years. It starts, though, maybe with a moment of reflection on 2024. I got a chance to talk to many of you just 2 weeks ago about the year we completed. And it was a remarkable year for CyberArk, one of tremendous milestones, as I mentioned, when we were together. We really are proud of the year that we were able to drive from the $1.17 billion in ARR, over $1 billion organically, passing the $1 billion threshold from a revenue perspective, returning this company to a Rule of 40 and beyond. And you'll hear a little bit more about our perspective on what that will look like as we play out the next couple of years. And obviously, thanks to a lot of you, it was a strong year from a shareholder perspective in terms of what we were able to return in terms of value back. But it also goes beyond the numbers. It is the ability that we had throughout the year to bring to market a differentiated suite of solutions. And Amy and Peretz are going to talk you through why is that actually changing the game in the market for us and how it will carry us on for the next couple of years. We were able to complete the Venafi acquisition since 2024, the Zilla acquisition, and we'll talk about the future of machine identity security and modern IGA and how that plays into our strategy moving forward. We were able to really launch the next phase of our platform with the embedded core AI, which becomes a key piece of how we leverage and utilize AI to defend against this growing threat factor out there. But we also saw momentum within our customer base and within our employees. We reached close to 10,000 customers, 3,800 employees. We are very proud of the work we do with our customers, and we have a few with us today who are going to help tell the story from their vantage point and how they're achieving their return on investment, both from a dollar spend perspective, but more importantly, from a business outcome perspective as we think about how do we drive a more secure enterprise across all the markets that we serve. So 2024 was exciting but the opportunity from here on out just grows. And it starts with the threat landscape itself. And I think sometimes we get a little bit numb to what's going on out there that the headlines can become so pervasive that actually it becomes kind of noise in the background. But what we see every day, what our customers see every day is a threat landscape that is exploding. We see nation states taking new and risky measures to attack our government organizations, our critical infrastructure, our telecommunications. We even see nation states starting to participate in things like ransomware, where in the past, it was all about IP infiltration. Now it's actually a way in which they're funding some of their enterprises. We see cyber criminals shift their entire business models from other elements of crime to cybercrime because it becomes the most prolific and the highest return on investment for these criminal syndicates. And across both nation states and cyber criminals, we see the role of AI start to take off. A lot of times, AI is talked about, as we all do at all these conferences, with a little bit too much hype. But as it relates to an actual element of how bad actors are attacking enterprises, it's a meaningful contributor to their ability to be able to penetrate more effectively. Now across all of this attack landscape, what we see, what our customers see is identity is at the center. So ultimately, these bad actors are driving their enterprises, driving their activities to get to an identity. And that reshapes what the world is going to look like for the next several years. Now within identity, some market dynamics are at play, and Clarence is going to take you a couple of steps deeper in just a few minutes around these market dynamics, but I want to tee it up because it is the essential components that drive the CyberArk strategy. It's what guides where we invest, what we do organically, what we do inorganically. And ultimately, it allows us to have a sense of assurance that we are going to be successful moving forward because our solutions and our approach match to these market dynamics that we see. And those dynamics start with this idea of proliferation of privilege. When we started as a company 25 years ago, you really needed to secure the most privileged identity. And you all have heard me say this before, the most privileged identity often sat in IT. It was the IT admin. And if you could get access to the IT admin with all those credentials, all those entitlements, ultimately, you could secure your enterprise. What's happened over the last decade and accelerated over the last 18 to 24 months is privileges everywhere. Privileges found in access to SaaS applications, to cloud consoles, in machines. And as we understand the role of privileged accounts throughout the enterprise, our approach to how we secure those privileged accounts needs to shift, needs to change. The second market dynamic is the rise of machines. Machines are taking off from a volume perspective, from a variety perspective, and our response needs to change from a velocity perspective. Machines are everywhere. The team is going to talk you through this, and Kurt specifically, why now is the time where organizations are having to invest in their machine identity security strategy. But it comes back to the core market dynamic that machines are exploding at a pace that we haven't seen before on the human side, and that brings complexity, the need for automation and the need for response. These 2 dynamics lead to security teams being overwhelmed. We have great practitioners in the cybersecurity space but there are not enough of them. Those great practitioners are often managing hundreds of tools that are not integrated together. And as they try to solve the problem of privilege being everywhere in identity as the rise of machines take off, they are increasingly overwhelmed by the sheer task of keeping their enterprises secure. This becomes even more difficult when AI is everywhere. AI is not only embedded into the attack methods of the adversaries, but AI is also embedded into their enterprises, which creates new attack pathways for organizations. It creates new data sources that they need to secure. And ultimately, AI everywhere means chaos in the cybersecurity world as we try to figure out how to apply best practices against this emerging element of the tech stack. When you think about these 4 market dynamics in the context of that threat landscape, it is what creates a tremendous opportunity for CyberArk and our Identity Security platform. And we talked last Investor Day about a $60 billion TAM, and that was built on our traditional markets plus the adding in of the Venafi piece of the portfolio. Since then, the rise of machines, especially modern workloads and what that does for the attack landscape that needs to be secured, the rise of IoT and OT devices, the addition of modern IGA with our Zilla acquisition, and the tailwinds that come from AI being embedded everywhere has brought our view of the total addressable market to $80 billion. Plenty for us to go after for years to come. So all right, how do we do that? It starts with our vision as a company, which is every identity secured with the right level of privilege controls. Every identity, human and machine, secured with the right level of privilege controls. The only way that you can approach your cybersecurity and your identity security strategy in this way is if it's integrated into one platform. Every identity needs to be able to dynamically have the right level of privilege controls applied, which is why we're investing so heavily and continue to invest in building the industry's most comprehensive unified Identity Security platform. That platform is the key to accomplishing that vision, answering the call of the market dynamics that are out there and ultimately helping our customers secure themselves against that threat landscape. And our platform is the most comprehensive identity security platform out there. It starts with the ability to be able to discover all identities in context with their risk and then be able to apply the right level of intelligent privilege controls across credential management, authorization management, session management, and entitlements management. We then need to be able to wrap those controls with automated policy and automated life cycle to make sure that we can manage these identities from when they're born to when they're offboarded out of an organization. And sometimes that's years and sometimes that's minutes. And the platform needs to be able to adapt to the changing lifespans of identities across the board. And across all of that, organizations are required to understand who has access to what through audits and compliance reviews. So our platform at CyberArk is designed to discover, control, automate policy and life cycle and enforce compliance across what we call the spectrum of identities. And those spectrums can be the workforce as a whole, the IT organization within the workforce, the developer population within a workforce, the machine population made up of devices, workloads and as we'll talk about today, AI components like AI agents. Each element of that spectrum has multiple subspectrum identities. Within IT, for example, there's data scientists, there's cloud architects, there's shadow IT. So this is a broad spectrum of identities that needs this level of identity security applied. With our platform, designed the way it is, we are able to address what I refer to as the new paradigms for identity security across those spectrum of identities. We need to be able to reimagine how we secure the workforce beyond SSO and MFA, to apply the right level of intelligent light privilege controls across the entire workforce. We need to be able to modernize the way we secure IT and move beyond standing access, vaulting and rotating accounts to just-in-time access and zero standing privilege. We need to be able to start securing developers that are often left unsecured across the board as if they are privileged users without interfering with their efficiency and their productivity and their innovation. And we need to be able to scale our approach to machine identity across the enterprise. As the number of machine identities take off, you need an enterprise-grade cybersecurity system in order to be able to manage, secure, automate, and ultimately create a way to ensure true security in a really uncertain world. Now the fifth paradigm that we are bringing to market now with the Zilla acquisition is we need to reshape IGA for the modern enterprise. And I'm going to talk just a little bit more about that in a couple of minutes, but we need to solve the unsolved problems for modern IGA. When you combine these 5 paradigm shifts with our Identity Security AI-first platform, it allows us to be able to offer critical solutions into the market, solutions that secure every identity, solutions mapped to each persona from workforce IT developers, devices, workloads and AI. And we do it so that in combination with our customers, our more than 10,000 customers around the world, in combination with those customers, we can deliver true meaningful business outcomes by reducing cyber risk, by enabling resilience, by helping them satisfy audit and compliance and ultimately increasing efficiency in automation so they can drive their digital transformation strategies. Our focus at CyberArk ultimately comes to these value drivers. This is why we exist, because we need to partner with our customers, as we say, to help them move fearlessly forward, to drive their digital transformation without fear around cybersecurity risk. Okay. So there are 3 core areas beyond the basics that I just wanted to spend a couple of minutes on because these become hypergrowth opportunities for us for the future. I think everybody understands that as we modernize IT, we're going to drive significantly more penetration around what's traditionally referred to as PAM. And as we reimagine the workforce, we're going to drive tremendous growth as we've been seeing in the traditional access markets. But in 3 areas, we see even more outsized growth opportunities as we look to '26, '27, '28 and beyond. And the first one really is machine Identity Security. And as I said, Kurt will go much deeper on this, but I think we need to understand that the moment of machines is now. It's now because of the true volume that's out there. It's now because the variety is more than we've ever seen before from keys, to secrets, to certificates. And most importantly, maybe the velocity of change that's happening. It's happening on a daily cycle, which requires us to respond in an automated enterprise fashion. We cannot manage machine identities with disparate tools, and we cannot manage machine identities and processes with spreadsheets and nonautomated approaches. So machine identity security for us, above and beyond just Venafi or just secrets management, represents a growth opportunity for CyberArk for years to come. And Kurt will walk you through a little bit more detail around that. We also see the second opportunity to really reshape IGA in the modern world. Legacy IGA, which is firmly imprinted in the upper end of the enterprise, is focused on antiquated processes and really the legacy data centers that sit on-prem. But the stack that is taking off for organizations is SaaS applications. It's cloud environments. Often, these applications sit without a clear business owner, they sit without an automated workflow to grant access, they sit with tons of users with overprivileged and over-entitled accounts and they are so hard to set up that generally customers and organizations stop after the first phase of implementation gets started. Modern IGA and what we acquired with our partnership with Zilla allows us to address the problem differently. It's a SaaS-first, cloud-first approach. It's built on the idea of thousands of out-of-the-box integrations so we can get started and drive value quickly. And ultimately, it allows us to get control of the modern environments that are actually the riskiest places for organizations today. For companies that have invested heavily in a legacy IGA solution, we can sit side-by-side with them and cover the modern environment. But as you move down market outside of the top Fortune 500 and Global 2000 accounts where people have been unable to tackle the problems of IGA because of the cost and because of the complexity, we're able to go in and win those accounts from the start. Now we have Deepak in the room from Zilla Security, and he'll be available during breaks and after the session as well to answer questions. We couldn't be more excited to have him, Nitin and the whole team on board as we move forward into this modern era. All right, the third area is securing agentic AI, and Peretz is going to take you through a deep dive on this area. What I want to make sure everybody understands is that while overall AI in a lot of cases is a data problem, agentic AI is an identity problem when you start thinking about security. These agents are meant to act like humans. They're meant to access critical data, infrastructure and systems like humans, and they need to be secured across their entire life cycle like humans, but they operate at a scale like machines so we need to automate their life cycle, and we need to understand how to control like we control machines. So it's a human and machine problem that only someone like CyberArk, an identity security company, can answer. And on our customer panel, you'll hear from Damon from Accenture, who's also trying to tackle this agentic opportunity from the idea of bringing agents and bots to customers. And he'll talk a little bit about the strategic partnership that CyberArk and Accenture are forming to secure these agents, these bots in real time. When you start to think about all those opportunities against all those market dynamics and the runway we have ahead of us, the missing ingredient becomes go-to-market excellence and execution, and we have an amazing go-to-market machine. You've seen this in our ability to be able to execute in any macro environment, quarter in and quarter out. And it's built on the idea of high-performance marketing mixed with our go-to-market excellence of our CARE model, close, adopt, renew and expand, and Simon and Eduarda will walk you through what we believe is our core differentiators here. It's our precise selling engine. We don't just throw resources everywhere. We understand where the opportunity is, we align to that opportunity and we win. Our trusted and committed ecosystem, we have the best partners, and they are committed to the CyberArk partnership and story, and our proven ability to deliver adoption. Day in and day out, ultimately, it's the business outcomes that drive the relationship, that drives the trust and ultimately, will drive our customers to consolidate through CyberArk. So our growth algorithm becomes the tremendous massive market opportunity, our groundbreaking innovative platform, our differentiated solutions and our go-to-market excellence, all underpinned by our security-first DNA. This growth algorithm will drive our success for years to come. It will drive a durable growth model and a model that we are incredibly excited about meeting and beating in the years to come. It starts with ARR in 2028 of approximately $2.3 billion, free cash flow margin of $600 million, that's roughly a 27% free cash flow margin and our commitment from here on out to being a Rule of 45 company as we move forward in the years ahead. This durable growth model is something that will sustain our ability to give back to our shareholders, to drive the trust that we've built, and ultimately, in combination with our customers and our partners, set ourselves up to be the Identity Security leader in the market. With that, I have the pleasure of introducing Clarence, who will take us a little bit deeper into the corporate strategy and market opportunity. Clarence?

Thanks so much, Matt. It's a pleasure to be here, and I'm really looking forward to our time together. So let me just dive into it. Matt touched on this, but it's really helpful to frame the overall opportunity in terms of the threat landscape that we see. We like to look at it adversary by adversary, at least adversary category. So we start with the nation-state attackers. This is very, very important to understand. These are highly sophisticated, organized, coordinated, and well-funded attackers. And they're executing cyber crime and cyber attacks in advance of and alongside traditional warfare. And what that means, what we're actually seeing is tactics such as taking stolen credentials and tokens and then using those to compromise endpoints and sensitive accounts and capture intelligence. Let's move over to organized cyber criminals. Matt talked about this, but it's very important to remember, cybercrime now has a business model. That's a big change and they're acting like businesses. We actually have supply chains of criminals. You have some that focus on the creation of phishing attacks, others that focus on the creation of malware and yet others focus on the ultimate monetization of it all. And unfortunately, they're early adopters of AI. Along each of those vectors, they're using AI to create very, very realistic and compelling phishing campaigns. They're using it to create malware. They can actually outmaneuver many traditional offenses. And quite frankly, they're using this generative AI to analyze large volumes of data, find vulnerabilities rapidly and pounce on them and attack. Now there's another category of attackers that are really AI-focused. And they're perpetrating attacks that you really couldn't conceive of without AI. So you think about these examples where you have impersonation of senior level executives through multimedia; fake e-mails, not just one e-mail, exchanges; fake voice mills; fake conversations, even video and using this to basically deceive very well-intended, often fairly vigilant executives to release large sums of cash here. And as Matt said, identity is central to all of this. We've talked about human identities with credentials being compromised, machine with tokens, et cetera, and impersonating human identities. And it should be no surprise that over 93% of all organizations have suffered identity-related breaches. So when you go back to the dynamics in our industry, Matt talked about each of these, but I'm going to go through each one in a bit more depth. But again, high level, just a quick refresher, proliferation of human-linked identity privileges. We're not just talking about the number. That, of course, has increased with each new SaaS application, each new cloud platform, new GenAI engine that you access, it's a new identity. But it's the power associated with those. That's what's creating the explosion of risk there. Rise in machines. We talked about it, you'll hear more from Kurt, it's the sheer number. It's the volume that's really causing the problems here. And again, each of those is highly, highly privileged. And as Matt mentioned, security leaders are, in fact, overwhelmed. I'll go into the details of that. We're talking about an exponentially increasing threat landscape without an exponential increase in budgets. Things have to change, and AI amplifies all of this. So what we're really seeing here is that the status quo or at least the traditional means of securing enterprises just doesn't work. And we're seeing more and more of our customers converge their trust on a smaller number of vendors that can do more with them, that they can partner with to reduce their cyber risk in this environment. So let's talk about the proliferation of human identities. So again, SaaS applications, dozens and dozens deployed across each enterprise. The cloud platforms, 3 majors, but there are a long list of others. And AI platform, the GenAI platforms, great. But really, let's think about who's accessing them. It's everyone, the broader workforce, IT, IT admins, traditional PAM users, developers. And where they're accessing them from? Behind the firewall, at home, maybe part of your company, outside of your company. And this creates a very complicated web. But again, it's not just the connections. It's not just the number of identities, it's the privileges. For example, across the 3 major cloud platforms, there are in excess of 40,000 distinct privileges. And that's just the middle layer. That's what's really creating a problem that's just untenable. Next, rise of machine, so I'll just pause on our 45x. We have recent research here that says the number is even higher and growing. But just from [indiscernible] the number of machine identities relative to human identities. Now you grow this out a bit. And when you think about machine identities, a machine identity basically vouches for the underlying machine, whether that's a physical endpoint, virtual endpoint, physical component of the infrastructure, virtual, dynamic, Kubernetes cluster, et cetera, but then the workloads actually running on top of them. And given the ongoing digital transformation, cloud migration, proliferation of modern applications, new identities and new workloads are being created at an extraordinarily rapid rate. And again, AI only accelerates this. So when you ask how many identities, it's hard to count. It converges on infinite, quite frankly, for all practical purposes. And for AI anywhere, I just want to highlight how AI is creating more cybersecurity problems for everyone. So you start by enhancing traditional attacks. You've heard this. You'll continue to hear more of it, but we can't emphasize it enough. First, something as simple as a phishing attack. Now they're near flawless. You can't rely on grammatical mistakes. You can't rely on the misspelling your name. All that's cleaned up. That's one. And I mentioned malware. But think about intelligent GenAI-inspired malware that is actually designed to evade state-of-the-art counter defenses really. And then again, being able to sift through the large volumes of information, just like we do. We all use it. We all use generative AI. The adversaries use it as well, and they have bad intentions. And that makes them more effective just doing what they've already done. Expanding attack surface. And Matt mentioned some of this, perhaps we'll go into some more. But if you think about the engines themselves, the data that they collect, they train themselves on, there's a lot of sensitive data in there. That's a point of exposure. The models themselves. There are many bad actors who would love to compromise them, who love to point them in certain ways to really cripple or at least taint the analysis that comes out. And then think about prompt, the prompt sessions that all of us have. Think about the data that goes in, sometimes sensitive data. Think about the answers that come back, also sensitive. Along each path here, we're increasing the cybersecurity risk, the attack surface. And finally, agentic AI, as Matt mentioned, and as he said, yes, we have to treat them like humans. We have to secure them as such. The volume and scale is breathtaking. But think further still, these are highly privileged. They're not just like any human identities. They're like highly privileged human identities and they can create their own machine identities. They're creating their own applications, their own workloads. So it's a multiplicative problem. So as Matt said, there's no way around it. Security teams overall -- I'm just going to layer these out. We talked about the -- these are not to absolute scale, but think about it, human risk, you layer on machine risk growing even more rapidly and then AI amplifying that all. What's the context? Well, this has not gone unnoticed. Entrepreneurs and VCs alike, one part of the action on the defense side. New cybersecurity companies are being born every single day. And last count, in excess of 3,500 of them. In a typical enterprise, we'll have solutions for more than 100 distinct vendors. And meanwhile, the cybersecurity risk, the cybersecurity debt continues to increase. And you can't throw bodies at the problem. There's a nearly 3 million headcount shortage in terms of the demand and supply of cybersecurity professionals. And not only can you not just throw bodies one for one, but it's to the point where many enterprises can't even find the proper level of cybersecurity resource to evaluate, deploy, and manage this plethora of cybersecurity solutions. So we talk about the consolidation of trust. One manifestation of this is the consolidation on a small set of cybersecurity platforms. So network security platform, endpoint security platform, cloud security platform. But given all we said, it should be no surprise that not only has identity security emerged as a formidable cybersecurity platform, but we believe it is the most critical cybersecurity platform. And with that in mind, and Peretz is going to dive into it, and I give you a quick overview. But again, we have the most comprehensive identity security platform in the market from onboarding, to discovery, to onboarding with the appropriate level of privilege controls, wrapping that in AI aided and facilitated life cycle management. Our breadth of coverage enhanced greatly by the acquisition of Venafi to cover machine identities. We're very excited about what we're doing on the life cycle side with Deepak and team and Zilla and that acquisition. So TAM. A number of years ago, we introduced TAM at $20 billion of annualized opportunity. And this was very much focused on our classic markets. So think PAM and PAM extended markets, very sizable, no doubt. You fast forward, as Matt said, first, we expanded this with our entry of access management. We also expanded this with our organic developments to extend privilege to cloud environments with the console and the underlying infrastructure and more recently expanded it an additional $10 million with the acquisition of Venafi, which brought us to the $60 billion annualized TAM number last time you heard from us. And as Matt mentioned, we're now pursuing an $80 billion TAM. And to bridge the gap between those 2, first, of course, we acquired Zilla that brings us $10 billion of incremental modern IGA opportunity. But further, as we continue to refine our understanding of the machine identity space and that opportunity, we see more upside there, particularly on the workload side. And we're beginning to see the early stages of the agentic AI opportunity. But really, it's more broad-based than that. It's really AI amplifying all of that is really what makes up the rest of that, that brings us to our $80 billion annualized TAM. I'm excited about it. Massive opportunity, and I couldn't have a better set of colleagues to do this with. With that, I'd love to introduce Amy, bring to the stand and take you through our platform and our innovation.

Thank you, Clarence, and thanks, everyone. Very excited to be with you today to talk about our platform and solution innovation with Peretz and Kurt. So as you just heard from both Matt and Clarence, these market dynamics that are top of mind for CISOs and security teams are what drives us. These are the problems that we look to solve in the product and technology team, for overwhelmed CISOs who are looking to secure all identities because of the rise of machines and the proliferation of privilege. They don't want multiple vendors with point solutions. They want a comprehensive platform. And with agentic AI rapidly becoming a new imperative for identity security, they want an innovator. They want a vendor that they can partner with to stay one step ahead of the attacker. And this is why our Identity Security platform secures all identities, human and machine, with the right level of privilege control. Now our differentiated solutions that are derived from across our platform provide the right capabilities to secure each one of these identities commensurate with the level of risk and complexity. This provides that anecdote to the overwhelmed security teams. And ultimately, we drive business value in the form of measurable customer outcomes, enabling our customers to lower their cyber risk, to enhance business resiliency, satisfy audit and compliance, all while increasing efficiency in automation. This is why our customers come to us to solve one use case and expand to secure additional identities across our solutions. It is this value that they see that enables them to continue to invest in our platform and be customers of ours for a very long time. Now I'm going to focus on the human identity security solutions first, and I would invite Kurt up to talk about the machine identity security solutions as well. So let's first talk about this evolution of privilege. Because what we know to be true is that privilege is no longer just about IT admins. Now the idea of privilege started with IT admins because they needed access to long-lived systems through shared accounts. We solved that problem over 25 years ago with the advent of PAM. And that use case is still incredibly important to our customers because those credentials are the keys to kingdom. But in reality, there is privilege across the entire infrastructure that is now dynamic with SaaS applications, cloud and hybrid IT. All of these types of infrastructure need to be secured with the right type of privilege control and method across multiple different types of personas. Developers, for example, some of the most privileged users within organizations have always on standing access to cloud workloads, to cloud consoles, and the native services within. Workforce users have access to web and SaaS apps, but can become privileged because of the data that might be available to them through those applications or web. And what we see in reality actually happening is even more complex because IT users, not just admins, but cloud operations teams need access to cloud infrastructure. Workforce users, they may be dealing with big data, are working in medical research, they need access to cloud services as well. And of course, IT users and developers need access to SaaS applications and web. All of these need to be secured with the right level of privilege control. All of these also must meet the expectation of constraint that the user has because we can't slow down people when we're trying to have them do their work. So let's first take a look at the unique challenges in securing workforce users. Now today's workforce is dynamic and diverse and it's made up of employees, contractors, third parties who are oftentimes remote-first users. And because of the explosion of SaaS apps and the targeted threat landscape, we see these users being in the center of attackers, different attack vectors. It's happening both pre-authentication with attacks like [indiscernible] ransomware and post-authentication with things like session hijacking. Now those are on top of the continued focus at the point in time of authentication with SIM swap, MFA fatigue, no longer can we enable organizations to only use MFA and SSO at that point of authentication when the threat landscape has completely changed. That is why we have reimagined what it means to secure the workforce. Let's take a look at how we do this. So first, when a user logs on to an endpoint and launches an application, our endpoint sign-in and endpoint privilege management capabilities enable strong identity assurance and automatic log-in to that endpoint with least privilege. Then the CyberArk Secure Browser protects that user from session hijacking. Workforce password management capabilities embedded within the secure browser enable automatic log-in to applications that are nonstandard and require a password. And for log into applications of standard-based applications, we have our MFA and SSO controls with a wide range of authentication methods like push notifications and safe keys. But we don't stop there. We then enable users to be protected across their entire session. Those post-authentication attacks are now protected with the ability to record and audit that session to secure the user. This is true layered defense in depth. This is putting the right level of privilege control across the life cycle of the user. No other vendor in the market is securing workforce users like this today. And when we look at IT and developer users, we know that these are some of the highest risk users in the organization. And IT users like cloud operation teams and developers with engineers, data scientists, we can't get in their way. Because IT users keep our systems up and running for both internal and external customers. Developers are oftentimes revenue-generating, so we can't get in their way. So how do we ensure that they have access to the high-risk infrastructure that they need to while the attacker doesn't? Well, it's not a one-size-fits-all answer. For privileged roles that have access to SaaS applications, just like we talked about for the workforce, we enable that privileged access to be secure through a layered secured access and session monitoring capability. When those users have a privileged role that needs access to our cloud services, we have a hyper-secure method called zero standing privilege. So entitlements don't exist. They're brought to zero, zero permissions, zero privilege so that there is no credential for an attacker to use and leverage laterally. But when that user has a legitimate reason, they can request and receive and get access with just the right entitlement needed to do their job. When a session is done, that audit recording is sent to the audit service and entitlements are brought back down to zero, zero standing permissions, zero standing privilege, hypersecure way to secure IT and developers. And if there's a privilege role that needs access to cloud workloads like VMs or database in the cloud, this is where we provide just-in-time access with brokered session. So there is no credential to steal, but we still are providing the security in a brokered session in isolation to that infrastructure. And of course, we continue to secure access to long-lived systems with credential vaulting and rotation and isolation of that brokered session because this is quite often the capability that people know us for and will continue to come to us to solve. But this is all from one platform. This is the power of the Identity Security platform because we can secure the right use case with the right level of privilege control and not make customers have to go to multiple different point solutions to solve each one individually. And this outcome-based approach has made us so excited about bringing Zilla onto the platform. Because when you look at what Zilla does with modern IGA and simplifying the process of identity compliance, life cycle management and provisioning for the modern enterprise, we see that they have driven value into their customer base already. So what we hear from Zilla's customers is that they've been able to deploy 5x faster than compared to a legacy IGA. They've had 80% less effort when it comes to user access reviews and 60% fewer tickets when it comes to provisioning. This enables us to provide additional value to our customers. Yes, it's part of the platform, but also as additional modern IGA solutions that we can offer to our customers who are in the human side of our solution. And we really look forward to bringing this also to the machine Identity Security solutions in the future. And speaking of machine identities, I'm going to invite Kurt up to walk you through those solution areas.

Thank you, Amy. So here we are in a new era that we call rise of the machines. It wasn't that long ago that we put out our threat landscape report that talked about there being 45 machines for every human. But now if we fast forward to today where we have AI-generated agents that are identities, where we have AI agent copilots being used to build identities faster, where we have cloud workloads and an explosion of IoT devices, we see that the number of machines has far exceeded that original 45x number. With that, companies need a method and an automation to discover, prioritize and manage these machine identities. And it's fueling not just their concern, but also their concern brings them to us to help solve this problem. And that has resulted in a great boost to our business with a very successful 2024 in the secrets business, a great first Q4 together with Venafi, and what we see as a very strong pipeline going forward. Matt touched on the fact that why now we see an inflection point being driven by volume, variety, and velocity. Let me dive a little bit deeper into this and maybe demystify it if I can. So on the volume side, the evolution of software architecture has itself created more identities. When we first got started, we had monolithic applications, each very large application was one identity. Then we moved into virtualized environments. In order to scale up, we started cloning applications and each of those clones became its own identity. Now in modern microservice-based containerized applications, every microservice and container itself is another identity with reports as much as 6.8 billion container instances already running in enterprises. If we flip to the IoT OT side, the explosion of number of devices connected on the Internet estimated to reach over 30 billion by 2030 are themselves each yet another machine identity. And then the impact of AI is sort of twofold. We're using AI itself to create machines faster, if any of you have ever used a copilot in a coding IDE, it's amazing how productive it makes you as well as every agent created itself is another identity. On the Variety side, we can see it from 2 dimensions; environments and methods of machine identities. On the environment side, we don't have to look any further past cloud itself with 1 in 3 companies now saying that they have more than 50% of their workloads already in the cloud. But before I jump to that, realize that also it means 50% are still in data centers, right? So you have 50% in data centers and 50% in cloud. And then in the cloud, you have most likely 3 or more cloud providers. So think about that diversity of environments growing. Then machines themselves have many different methods to identify themselves, whether they be secrets, whether they be tokens or whether they be certificates. So just multiply those 2 things together, number of environments, number of methods of identity, and you get a very, very large variety problem. On Velocity side, it means we need to act faster. And there are several drivers that we see right now behind this. One is Google saying that they intend to have certificate length go from 398 days to 90 days and Apple soon after said they intend for it to go from 398 to 45. What does that mean? Whereas you might have only had to reissue a certificate once a year, you're now going to have to do it much faster. And that much faster means you can't do it with just human spreadsheets and calendar reminders. You have to do it with an automated system. There are also unplanned events in the case of where Google announced that they would no longer be entrusting the Entrust certificates in their browser as of a certain version. That meant that although no one had lined up projects to go find all their Entrust certificates and refresh them, they were going to have to. And then last, if we look at post Quantum, Quantum computers are getting faster and faster as we see the time compressing to when they become a reality. And it's not that far in the future where our current encryption algorithms just won't be good enough. What that means is we'll have to reissue certificates that match the latest encryption algorithms that are post-Quantum safe. So these are just examples of reasons on why we have to move faster in our certificate life cycle management and in our management of identities in their entirety. But this is not just a technical concern, it's also a business concern, right? When we don't do this well, bad things happen, attackers end up being successful, it hurts the reputation of a company. Secondly, production outages still have a widely caused reason of expired certificates. And if that expired certificate takes out a revenue-generating service, it's immediate business impact. And then thirdly, we just have an inefficiency problem. If we're still trying to do this with manual labor against precious security professionals, we're just not using our labor the best way we can. And when things go wrong, right, there are consequences. This is a recent attack that's been in the news where a cyber company left behind an API key. And as a result, an attacker was able to get a hold of that key. That key actually let them use a remote service that was intended to be used to manage that customer's end customers. From there, they used it against the treasury and were able to get access to treasury department desktops and have access to the confidential information on those machines. All of this basically started from an unmanaged API key, which easily could have been solved had they been using a solution like CyberArk's platform for well managing those API keys. So we're here to help companies do this in a better way using our platform fueled by new innovations that came to us from Venafi in the form of 4 solutions. The first is Secrets Management, managing secrets across all of those decades of tech, whether it be a mainframe in the data center to your latest thing in the cloud. Certificate Management and PKI so that we can automate and get our handle around this without manual inefficiencies. Workload Identity management and that modern workloads today need new methods that are not even secrets or certificate-based for fine-grained access control. And then lastly, agentic AI, securing both the development and delivery of those agents and the use of those agents. Although I brought to you the machine identity point of view, it's the same value that our customers want. They want to be able to reduce their cyber risk and improve their overall resiliency. So with this, I'm going to turn it over to Peretz to take you a little bit deeper into the machine and AI strategy. Thank you.

Thank you, Kurt. So let's take a look on how and why our unified platform approach really differentiates our solution to secure all identities. We offer the only platform powered by CORA AI to discover and find all identities that are out there with context. That means to understand their risk. Then we apply the right level of privilege controls. This is across credential management, where we are ensuring that the credential is available, authentication management to make sure authentication can happen at the right time that it is needed; session management to protect, detect and respond within all type of sessions; and entitlement management to provide just the right amount and type of needed entitlement. And now expanding with modern IGA capabilities through our acquisition with Zilla, we provide automated life cycle and policy continuously while providing modern governance and compliance. All of these capabilities apply both for human and machine. Our platform approach really enables organization to consolidate what used to be siloed approach into one holistic solution to truly secure all identities with best-in-class security-first controls. This differentiated approach is made possible through our innovation. And since the beginning, CyberArk has been an innovator, a pioneer and a disruptor ever since we created the PAM category 25 years ago. Since then, we expanded our vision to secure every identity with the right level of privilege control. We are not just investing in technology, we are investing in future where identity security is seamless and becomes integrated in every aspect of the business for all identities. So from pioneering the new market, breaking down the silos and now redefining the identity security. Security first is what drives us to protect all identities. Innovation enables us to provide customer value. There are many types of innovation. Let's zoom into one of them, which is, by the way, my favorite part, AI. So as we all know, AI is the megatrends of all trends, right? Securing against AI and securing of AI are soon to be, if not already, among the biggest challenges that we will face. There is really an intersection where AI meets identity security, and this is exactly what drives our research for the future. There are 3 critical pillars in this intersection: Using AI capabilities in order to secure -- securing against threats that leverage the AI technology, and ensuring the security of agentic AI systems, including the AI agent identities themselves. So let's take a look on each one of them. First, using AI to secure. This is exactly what CyberArk CORA AI, our cutting-edge technology solution is designed to do. It elevates security, boosts efficiency and effectiveness across the organization. And by embedding this identity security-focused AI into our platform, we significantly boost security for our customers' productivity and also accelerate the time to value. CORA AI can analyze user activity, detect risky behaviors and even often offer actionable security insights. It even recommends responses and actions to be automated, that's reducing the time that it takes for manual actions. Additionally, CyberArk CORA AI supports real-time guidance for securing privileged access. It actually enables natural language for admins to do their day-to-day work. So instead of writing a very complex script or calling any APIs, they just ask CORA AI to create sales, to query a data or to generate an audit report and CORA AI will do it for them. CyberArk CORA AI is really a game changer in identity security, enhancing both security and user experience. Second, AI is very, very powerful. And it's not just about enhancing the security. It can also be weaponized by the different threat actors against enterprises. We face a dual challenge over here. First, new threat techniques that are being presented by AI. Adversaries are employing AI to develop sophisticated and complex attacks. For example, it can be AI-driven phishing attacks or even impersonated deep fake technologies that used to plant misinformation in our systems. Second, enhancing the existing techniques. AI can also take the well-known techniques that are out there and really accelerate them, put them on scale and in a much higher accuracy, putting, for example, brute force or exploiting vulnerabilities in a much higher scale. To counter these evolving threats, we must continuously adapt our security strategies and also invest in advanced defensive technologies. The third pillar is ensuring that the security of agentic AI system themselves. First, we need to make sure the use of these AI system is secure. This includes managing, for example, our employees are using these AI systems and other systems, making sure that they're staying within the security perimeter. Next, the AI infrastructure must be developed and deployed with robust security practices. For example, this includes making sure that the training data is clean, cannot be manipulated, bypassed or biased throughout any exploit of attackers. And finally, and we would argue the most important one, securing AI agents, the identities of AI. These agents are machine identities but they really act like humans. And this is why an identity security platform designed to secure all identities, both machine and human, will be imperative. Let's take a deeper look on it. So we said that agents are machine identities, but they don't behave like machine identities. And unlike conventional machine identities such as service accounts or API keys, agentic AI operates with autonomy, making decision, scaling itself, interacting with humans and even adopt and change its behavior over time. And like human, they will want to grant themselves more access and more privileges than they need. Like humans, they can be phished, manipulated or exploited, hijacked to repurpose for a malicious intent. And lastly, these agents can communicate with each other over the web, opening additional attack vectors. If these agents are not monitored, controlled and secured; like their human counterparts, they become a far greater risk than any machine or human. And this is why we believe that securing agentic AI is an identity problem and not a data problem. These AI agent functions as digital coworkers or collaborators within the ecosystem, within the enterprise, requiring an identity security model that reflects their behavior by also providing the scale and technology needed. So as we saw before, let's take a look on how we apply that to AI agents. So we believe that AI will require an identity security platform, just like CyberArk to identify and discover the AI agents that are out there, understanding the risk and then provide the right level of privilege controls. Controls for what? Controls to manage their associated keys, secrets, certificates for thousands, if not millions of them. AI agents will need to be authenticated for critical system to make sure that they can access whatever they need to access. The session to communicate is being monitored and is being able to take any action that is needed right on time. The correct entitlement is provided, meaning that the right level of authentication is provided, nothing more, nothing less. And of course, the right policy, life cycle management and compliance throughout the life cycle of the agent, just as we do for humans, but at a massive scale like machines. We have the platform that secures all human identities and machine identities already today. And this is the same platform that will be used to secure the next wave of these identities of AI. Make sure you stay tuned for our IMPACT Event of 2025 in April, where we are going to share much more about securing these AI agents. So to sum it up, we talked about the future of agentic AI. We talked about the rise of the machine, the proliferation of identities and privilege and all are driving to an unknown when it comes to security. Our platform is built to provide the best-in-class security capabilities to drive customer value and outcome throughout our personas, both human and machine. We continue to solve the problems that the customers originally came to us for, but now we are expanding it with new solutions, new capabilities with our innovation. Where the future takes us is really unknown. But what we do know is that the future of security is identity and with CyberArk, the future of identity is secure. And with that, I'd like to hand it over to Simon to talk about the marketing engine.

Thank you so much, Peretz. I really love this tagline. I think it represents so much not only our innovation story, but our value story. So it's really great. I'm very excited to be here with you for a few minutes talking about what we've been doing so far from a marketing perspective and also share with you what's our strategy and our programs to really capture the market. We call this session precision marketing. We could have called it relevant marketing. We could have called it inspiring marketing. We could have called it marketing in the age of AI. The reality is for every single CMO in the world, we have to rethink the way we approach our markets and our different audiences. And I'm going to share a little bit about how we do that here at CyberArk. The reality that we see in every single engagement that we do with our customers and our different audiences is that the journey is now multi-modal. And what do I mean by that? It's not just voice, text, video, it's about making sure that we found and we found and engage with every single audience at the right stage, at the right time, at the right place. And it does require to rethink the standard way of doing it. The standard way of doing it, if you think about that, was what I was trying to do when I joined the team 2 years ago, a little more now, and really perfect this funnel view where you drive inbound, outbound, it's great for scale. It's great for really drive category leadership. It's great to really make sure that you get all the hand raisers that are in the market and you capture them. When you go into more propensity built precision, you have to go deeper into the account. The opportunity becomes the center of gravity. You want to engage with more people within the account. You want to have more relevancy and more precision and you want to make sure that the relationship that you create, including elevating your relationship with the CISOs and the CIOs is very important, and Eduarda is going to talk about that. So you move from demand-led to account-led. The reality is, today, we also have a lot of people looking for the same information and the same content and they want to self-serve. They want to get value. They want to get value moments across that journey without even talking to a human. So that's the multi-modal journey that I'm talking about. And it's really actually not exclusive. You will have people that are going from one way to the other, one mode to the other. And that's actually the story of Raul. Raul is a cloud ops engineer working for one of our global accounts. And Raul, one day, we didn't know about him but we started to know about him because one day, he was searching for a solution to do session monitoring and session recording for AWS. Click, that was on Google Search. Arrive on our page, product page, look at the information. Click, downloading one of our white paper. A couple of hours later, received an e-mail from our team, hey, if you're interested to know more about it, you can actually connect with us or join one of our webinar, click. The day after, we actually saw Raul going to the AWS Marketplace and trying one of our products, click. From that angle, we sent another e-mail, saying, "Hey, Raul, if you really want to engage on this product, we're happy to schedule for a demo." Next day, Raul came back to our website, clicked on our chat bot and say, "Hey, for regulatory compliance, I really want to get a demo of that product," click. Fast forward a couple of clicks after that, then Raul was about to get the -- managed to get a good demo of the product, really was convinced and then we sent a quote to him. And guess what? Instead of contracting the traditional way, went back to the AWS Marketplace because he wanted to use his AWS credits to contract. So that is the multi-modal journey that we see today. 15 clicks, very engaged. We have to be where they want to be, and we have to make sure that we can create the next logical step for them to convert. So we created that multi-modal engagement, and it has 3 pillars. The first pillar is about brand. How we help Raul and the others to understand that we can help them to go from chaos to consolidation of trust. The second pillar is how we make sure that when we engage with Rauls and the others, we really provide the logical conversation, the next logical engagement that will make sure that when we have that engagement, it's relevant, it makes sense, it's precise. And lastly, of course, because we want to be part of more and more conversation, we have to educate but we also have to make sure we activate our entire ecosystem, including cloud ops engineers or developers or even partners. Let's start with the brand. I'm very proud of the work that we've been doing to really differentiate ourselves with a very distinctive creative [indiscernible] with our teams. And that is really important because we want to make sure that we are memorable when we show up. We also want to make sure that we tell our customer stories, and you've seen that little video just before, so very important for us to really do that in a way that it's valuable for your time, their time, and really capture the hearts and minds. One other way to do that is really to leverage all our research-based capabilities and expertise, the labs, the red team, we have a research team, how we take all of this and repackage it in a way that is really easy to consume in a multi-modal way. Let's start also with the education of the market. We are definitely one of the only vendor in the world that can really claim to be either the leader across all the identity security categories or to challenge the, I would say, the legacy point solutions. So that's very important for us and we expand across that. We do a very good job. From a brand perspective, guess what, we measure it on a daily basis. We are talking about share of voice. We are talking about making sure that people understand what we do for identity security or solutions or even when we challenge the status quo. So really be creative really out there. Now I was talking about thought leadership. I would say thought provoking. We also created our thought leadership platform. We call it Security Matters. If you want to engage on blog, on podcast, on videos, on different publications, you have all the choice to be there. And that becomes very important, especially in the age of AI, where people are looking for information, not only going for Google or Bing, they are going through perplexity, ChatGPT and cloud. By the way, I forgot to mention, you probably have seen in your little bag that you have a copy of The Identity Security Book Imperative. That's signed by our CEO and Udi. Talking about precision. Of course, we are talking about ABX here. We want to surround the account. We want to manage the entire orchestration around the account, and this is where the partnership with Eduarda is so critical. We make sure that across sales, SDRs, partners, marketing, customer success, we really do a good job to be there where they need to be. And we touch more persona at each of the accounts. We go by vertical and we use our best AI tools to do so. From an [indiscernible] perspective, if you think about that, we've been perfecting our best-performing program, which is IMPACT. This past year, we went to 20 cities and it's about more than 8,000 people or more than $270 million of pipeline. This is a very, very performing program for us because when we go there, it's not just an event. There is the before, there is the after, there is the surrounding the account. So guess what, this year, we're going to do again the same thing. We're going to go to another 20 cities. And actually, we decided to go to 40. So we have Tier 1 cities, going to 20, we're going to have 20 other Tier 2 cities. But when I'm talking about Tier 2 cities, I'm not talking about just little gathering. Like a few days ago, one of our Tier 2 for the first time that we showed up in Dubai, we had more than 200 people. And then we had the UAE's cybersecurity chief on stage, Dr. Al Kuwaiti was there with us. So really Tier 2 doesn't mean small. Tier 2 means really going there for the first time and creating the market. From an execution perspective, consistency and being relentless on how we activate every single piece of our go-to-market is very, very critical. And then we make sure that on January 1, we are ready with all the bill of materials, all the assets, all the training, all the enablement for both sales and partners to really go and execute. Our campaigns are live on day 1 around the globe. So it's very important that our solution messaging converts into solution execution around our campaigns. Now let's talk about the last one because this is very exciting for us, too. We have done such a good job to work a lot with our partners this past year to double the number of activities we do with them. We have done a great job to really activate and maximize on some of our big alliances. And we also have done a great job to make sure that we are there where people want to meet us, including Raul and the other developers and cloud ops of the world. When we did the acquisition of Venafi, we did inherit of thousands -- millions, sorry, a day of downloads for cert-manager that Venafi has created. So really a great opportunity for us to get more into this developer community. And then from an alliance perspective, we announced the partnership with Wiz a couple of months ago. And as you can see, that was I think in Las Vegas during re:Invent, we make a big deal of it, and that really helps to drive a lot of pipeline for us. So across all these different pillars that we have for multi-modal engagement with our different audiences across all the accounts across the globe, this is what you get. What you get is you double the number of quality leads that you generate year-over-year. You double the pipeline that you create with your partners, and you present 69% of the total business closed for new logos. So hopefully, that's going to help you to see a little bit about how we approach the market, how marketing is a contributor to that, how we inspire, engage in a very multi-modal way. And now I'm going to invite Eduarda to talk about the go-to-market aspect of it and the partnership that we have together.

Thanks, Simon. It's great to be here and really talk about how the CyberArk growth algorithm has came to life for me in my first year as COO at CyberArk and came to life really in full colors. And I have to say that one of you said recently that CyberArk is in the right place at the right time. That's how I feel. I am very proud and grateful to be here in this moment and lead what I've got to observe as the second to none excellent go-to-market organization. So in this first year, I really had the privilege to travel the world and that's very literally. I think you can see by the map that I actually have a little bit of an European bias since I'm from there. And according to Simon, I'm going to get to travel a lot more this year with the 40 cities. But I have the privilege of talking to really hundreds of customers, customer teams, partners, and the CyberArk teams in all regions. And in those conversations, it came to life for me and some topics, patterns, if you want, themes came up. Number one really is how deep the trusted relationships are. Actually, they go deeper, I would say, unique from what I've seen throughout my career. And that doesn't happen by accident. That happens because we have the combination of the value, our solutions, our platform delivers with the expertise our teams, together with our partners, bring and the culture, really caring about the customer, and the value shines through every day, everywhere. The second thing I've observed, we talked about it this morning, but it's very real and you're sitting with them is the sheer volume and the overwhelming of the work that is to be done by the security teams. And in that overwhelming need to get, help to get to value, to outcomes to simplify, to reduce complexity, they are looking at us, a trusted vendor, a trusted partner to really help them on that journey and consolidate and really be able to move forward and be able to support their business. But three, what I've observed there is also is that actually, the teams together with our teams of customers and partners and CyberArk are delivering. They're very proud and they should be of the achievements and how they are able to execute. They are able to actually deliver and protect their companies. So that is a great place to be. The good news with all of that is that we all feel, and I feel, we are actually just getting started. Our teams here, they thrive with the purpose of CyberArk, our vision of securing all identities with the right level of privilege controls. And we've already heard from all of the people, my colleagues that were here presenting, we do that by really enabling value and outcomes for our customers against the value drivers. But in many of these conversations, I also talked to CISOs, CIOs throughout this year, they're looking for help in getting there and getting to these outcomes, but also in documenting and being able to quantify and to prove the value of the investments because it is a complex world right there and you have to keep fighting for budget and continue to be able to move forward. That's why we're really excited to see that at the end of last year, it was around November, this paper published by IDC Research, really analyzing real-world deployments in CyberArk customers was documenting measurable, quantifiable value that our platform and our solutions, with the execution of the teams on the ground, is able to deliver in which drivers in the security, really better security, and you see metrics, a 67% reduction in credential threats or in the reduction of malware spread. But also from an efficiency point of view and being able to satisfy the growing needs from audit and compliance perspective or from a developer community, we're just talking about that with the engineers, being able to be secured while not slowing down and being able to do their jobs in a native user experience. So you see metrics around increasing productivity, both for the compliance and for the developer communities. But at the end, being able to do this in an efficient way, deploying with low to no required footprint, the consolidation of tools so that you are not managing every day these dozens of siloed security tools brings to the most impressive of the numbers out here in this screen, which is more than 300% of an average 3-year ROI. That's a pretty impressive ROI, and it proves again the value that the platform, the solutions and the expertise brings to our customers every day. That value, those proof points really are informing our right to go win, and win a major opportunity. Part of how we're actually going to be able to do this and deliver on our vision is by using this precise selling engine and the path to land across the whole organization. We have a precise engine that is informed with data. And as Simon mentioned before, that precise engine informed with data is also informed with vertical-specific data, vertical-specific messages and plays that then really allows our teams to go and execute and pursue for these new logos in a very targeted way. Once we have that, and again, precise because we are not just putting resources anywhere. We know when to pursue, when, where and really with the right message, then we can orchestrate across our SDR teams, our marketing teams, our channels to be able and really maximize our opportunities to win. Our go-to-market multipliers, Simon did a great job explaining them, are just fueling that engine around what all the work we do with our partners and really in the mention the work, like you saw the example with Raul, that we're innovating with our digital channels, with the communities, and they just keep enabling us to go faster with our precise engine. So how do we land? We land many times and you know us for years with TAM, but with a different, more modern definition of TAM. You saw Amy explaining from securing access to long-lived systems to cloud workloads, to cloud consoles, from standing assets just-in-time to zero standing privileges. We also land with the workforce really both security-minded CISOs but more and more the organizations are really realizing that reimagination, how we secure the workforce, where SSO and MFA is not enough. But now we also land with machines, with acquisition of Venafi and as we grow, our machine identity security solutions that Kurt mentioned, we have Venafi not just as a huge cross-sell opportunity but also as an opportunity to land net new logos, and we already saw that here in Q4. Deepak, I'm just looking at him here sitting in the front. Now with the partnership with the acquisition of Zilla Security, we have also a path to land with modern IGA. To give you an example, Zilla closed around 50 new logos last year with a very small sales team, and we are absolutely convinced of the opportunity to go and land with modern IGA. But last but not least, more and more, as we expand our leadership in Identity Security, as our customers really understand that they need the unique comprehensive end-to-end security platform, we land with a commitment to the complete platform instead of a step-by-step solutions. With all this said, at the end, we get to the results. This allows us the precise engine and the different paths to land allow us to deliver more than 1,000 new logos a year and deliver those new logos with average 45% higher ARR per new logo in the last few years. Real testaments of the power of our go-to-market machine and of our platform. Give you a few examples here of this go-to-market machine before I move to concrete customer examples. Apart from this precise selling engines, as I walked you through on the land side, Matt showed this slide before, I consider these 3 the pillars of why we have a go-to-market machine that we define as excellence: the engine, the trusted and committed partner ecosystem, and our ability over and over, as you saw in the IDC report, that -- to deliver adoption and to deliver value and outcomes. Builder.ai is actually here in the room. James is sitting here, and we're going to have a conversation with them later is one example of a company that has recently chosen CyberArk. In their case, they're a newer company, around 5 years, that is actually using -- is developing AI software and application development company, and they evaluated us really across all of the modern use cases. They live in a cloud-first world. They're fast growing, and they chose us for the differentiators both on the Secure Cloud Access but also really because of the future-proofing of the platform that allows us to -- allow them to really continue to address their requirements as they grow. So we're going to ask James a bit more about that. A second example that I wanted to share with you, you may have seen now -- you heard Matt talk about it in the Q4 earnings. We are landing more and more also with the complete platform. In this case, Fortune 500 telecom company that had, for years, had in-house developed systems that just were not up to par in terms of the flexibility, the automation and the ability to scale. We got involved actually in a post-breach scenario and working with a customer throughout the sales campaign. We're really able to demonstrate the power of the platform to respond their needs of today and to respond to their needs to the future. The platform, our ability to integrate with their ecosystem and a trusted SI partner were all combined decision factors that took them to select us as their platform vendor in a 7-figure deal. Let's move to Venafi. I said we actually landed also Venafi here in our first quarter after the acquisition. This case, a European transportation government agency, is actually a really interesting case because it's about IoT devices. And how they selected Venafi and CyberArk, leveraging as a partner, a trusted partner of the agency that is also a CyberArk partner, to really go and select Venafi to be able to deploy PKI as a system, to protect all of these turnkey devices that you see here and the devices also that you can play with in the buses and to be able to that, including security, operational efficiency and knowing that they have chosen a scalable platform for their future. Super interesting use case. Although the Zilla team closed this logo before the acquisition so we cannot claim it as a CyberArk logo, I wanted to show you still the example because I think it's a really good example of why our way of thinking comes together so well. In this case, it was a fintech market leader that was getting ready for IPO and really had a very short amount of time to get ready. And over -- after selecting Zilla Security, they were able in 90 days to really deploy and integrate with more than 100 applications, have the applications onboarded, do the compliance reviews for over 7,000 employees globally. And we do this while automating more than 70% of their IGA processes. So a great example of how to think about modern IGA and fast time to value in an environment where possibly with another approach would have taken them months or years. So we spoke about the land side of the precise agent. Let me talk to you about the expand side. We have a massive opportunity in our inspiring customer base to expand. And as in land, we added to that precision engine a few characteristics together with Simon around data informed, and we have really an optimized account coverage, not just deploying resources everywhere but where the potential and the opportunity is. We have perfected our solution plays, and our platform play for all solutions and for the complete and the uniqueness of the platform. Simon touched on this, but we are very excited as we move from chaos to consolidation of trust, elevating how we engage with CISOs, how we are able to bring in all the strength of our expertise, have red teams, our labs, our best practices that are documented in our blueprint, our advisory teams to really bring all of these together and be able to help our customers, our CISOs create the right level of security strategies that really protect their companies for today and for the future. So with this, in our Precise Engine, we are able to go capture that expansion opportunity by securing more identities. But not just, also by securing in different ways and adding additional value to the identities we are already securing. What does it mean additional value? Everything from bringing these customers to SaaS, bringing them to enterprise SKUs and adding more use cases. Really be able to enable the modern version of TAM for a lot of our PAM installed base. So a lot of ways that we are adding more value to our installed base. And I mentioned the third one before but it's really also about those being able to get deeper in the strategic partnerships for the top end of our enterprises. That allows us to really be positioned and perceive the benefits as one of their critical cyber vendors. The results, we see a multiplication in the number of customers that are committed to the platform measured in terms of how many products they own. But also, we see the results in terms of the growth of the IRR for that cohort of customers that has went through that hump at 3 or more products. It's an impressive growth. I'll give you just some examples. A Fortune 200 insurance company started with EPM, the Endpoint Privilege Management around 2022. They were looking for more ways of securing their privileges. They were dealing with compliance. They were dealing with GDPR. They are expanding in Asia. And really, we were able to bring them with PAM and started upon deployment. We saw that accelerating in '23, '24, cross-selling machines, upselling TAM, upselling APM. The result, and this is a very typical path for our customers where you go through different groups of identities around the world, 10x ARR growth as we expanded these identities and the solutions. Second example, a large global airline, a customer that actually had a privilege to meet a couple of times last year, who started with them, your typical PAM deployment, secure the keys to the kingdom and as their PAM project mature, the deployments mature, we started really being able to expand that, first with Conjur, with EPM, but then in the recent years, really getting all in, in terms of the platform, moving to SaaS, adding just-in-time and zero standing privilege use cases. They are using Secure Cloud Access, they were using Secure Infrastructure Access, and they're really modernizing all of their IT, but also they are able to extend now much quicker to secure other subsidiaries. Results, a 13x ARR growth with a platform enabling all of these use cases. Finally, a large U.S. health care company, a bigger customer in terms of their footprint with CyberArk. Started with PAM. And then over the last few years, really going deep in the strategic partnership with Peretz' organization, with our executive teams, with our field teams and through that strategic deep partnership creates a solid road map where they start to do it in secrets, more PAM use cases, move to SaaS, modern IT, modern secrets use cases, EPM. But at the end, really getting to a stage where we have a very robust joint strategy to execute on our identity security program. Result? 6x ARR growth, really driven by that depth of the relationship. Take me to the second pillar here of the trusted and committed ecosystem. I did my observation here, the best -- by far, the best partner ecosystem that I've seen really across all elements and all types of partnerships. And as we expand, our partners expand with us in terms of the breadth of what they cover, in terms of the trust of the relationship, and the different types of partners that are requiring in this ecosystem. To give you some proof points of this. As we expand, we see an impressive growth in terms of certifications, which is a way to measure really the capabilities and the capacity of our partners to cover the whole spectrum of identities. And it's been amazing to see, for example, the reaction with the Venafi acquisition when we have literally certified hundreds of sales and sales engineers and are now in the process of doing deep certification workshops for their delivery teams all across and there's a long line to get into those certification workshops. I have to say the reaction to the Zilla acquisition has been equally spectacular. Second, CyberArk is a trusted partner to our partners. And that's because we are transparent, we are predictable. I've heard many times the word examplar to define our partner program over the last few years. And that's why we have our CyberArk sellers, they partner first. That's why we have the relationships we have reflected that we do business with and through our partners. And that is only growing as our partners also are living in this world of complexity and, like our customers, are looking to consolidate who they work with in terms of their cybersecurity vendors. And they trust us because we deliver value, because we are predictable and because of our platform. Finally, as I mentioned, we have very different types of partnerships across all types of go-to markets, regions and verticals because we meet our customers where they need to partner. An example of that is the managed service providers. We were talking about the shortage of cybersecurity talent. That's only one of the reasons why MSPs are critical to our customer organizations and why we have the investment and our partners have the investment in DSP is one of the routes. We can see a spectacular growth also in terms of ARR as every company is finding solutions to deal with an escalated threat landscape. Finally, and bringing us home where I started and we all started in really value at the center of what we do, we are able to get to outcomes because we have a relentless focus on adoption. Actually, being myself, a customer success person, adoption is and always will be front and center. The faster you adopt, the faster you start getting to those value drivers and to the outcomes, the faster the companies are secured. How do we do this? As I said many times today already, the expertise, the depth of the expertise across identity and across cyber in total is very unique together with our partner community. And the reason why we have the trust from our customers in us because we can deliver. Obviously, scaling that through innovative ways. Simon talked about the Raul example, but the reality is many Rauls out there that actually also need to get the tips, the techniques and to be able to access our expertise in innovative and digital ways. That is a big driver for us so that we can drive adoption and value faster. And last but not least, the ability to drive those outcomes in a prescriptive way so that we get there faster together with our customers, and they can move on, continue to enable their businesses to grow. Nothing tells the story better than really the amazing return on investment our customers are obtaining from our solutions. Actually, the only thing that tells that story better is to hear the story directly from our customers and our partners, which we're going to do here just after the break. So with that, we'll let you go to the break and we'll be right back here at 2:30 to hear the stories from customers and partners. Thank you very much. [Break]

All right. Thank you, everyone, for coming back. The most exciting part is always also to hear directly the stories from our customers. We have here, James from Builder.ai to hear the story; Richard from Quanta Services; Damon from Accenture, both a customer and a partner, and we're going to go through some of their stories. Why don't we just start with the first round of quick intros but also some fun facts about what you do every day. Why don't we start with you, James?

So yes, hi, everyone. James Kelly, I'm the Global Head of IT at Builder.ai. Fun facts around Builder.ai. Well, what we're trying to do with software development is that we're trying to make it as easy as ordering a pizza. It's kind of -- at the moment, our company is trying to reach out to not just enterprises but to everyone. So that's really exciting for me working in a company that's trying to break a mold as such. So yes, it's -- I've been there just a year now and yes, it's a pretty exciting place to be.

Seems so. That's good. What about you, Richard?

Good afternoon, everybody. I'm Richard Breaux. I lead IT security for Quanta Services. We're a utility construction services provider and solution provider based out of the Houston, Texas area. And even though we're in the construction space, we're hyperfocused on safety, and we own one of the largest fleets of AED life-saving devices, and we've saved about 42 civilian lives in the last couple of years that we've had that.

It's very impressive. Thank you, Richard. Damon?

Hey, everyone. Damon McDougald. I lead Accenture's Global Cyber Protection practice. At Accenture, we have 800,000 individuals around the globe that do everything from advisory system integration and managed services. And within cybersecurity, we do everything from cyber resilience, cyber physical, cyber strategy, and then cyber protection. So I'm responsible for identity and access management, securing cloud, securing [ work ], zero trust, securing data, securing AI and enterprise platform security. So if you look back at our fiscal year '24 earnings, our CEO at Accenture, Julie Sweet, mentioned security drove $9 billion in revenue. My business accounts for around 80% of that $9 billion. And I've been there going on 21 years now. And a fun fact is every Friday, we're still very highly technical, even myself. We have something called a standing meeting called Friday Night Lights, where we come on and we hack and code for 30 minutes. And with the -- there was mention, the AI-driven IDEs that you can use now. It has been a life changer. In terms of the amount of workable code that I can get working in matter of minutes, hours and days is so much fun now.

That seems a lot of fun, and thank you, all. You all traveled to be here so I really appreciate that. Let's get started, maybe, Richard with you. So you've been in security for a long time. We were just talking about that. You have seen the rise in the complexity of the environments overall in security, especially in identity. How do you think about that, especially recently, what is -- what calls your attention?

Good question. I've been a CyberArk customer for about 15 years now through 3 different companies that I worked for. And we always focus with EPMs close to my heart, the endpoint. And we start there because it not only provides the security that we're looking for, for local administrative privileges, but it gives the IT function a leg up of not having to run around and install software whenever you remove local admin. And then that always has grown our journey into next is our core paths of privileged access and something that recently has changed, and our perspective about that is not only everything that has been discussed today about the AI and the machines. But we're finding, if you talk to the business, the privilege of people out in the workforce so at accounting or HR or anywhere else in the company, really diving into what those privileged users look like and rolling out WPM.

So really, that proliferation, also privileges that you're seeing. James, you come from a very different company, right? Builder.ai born recently, born in the cloud. So you have a different perspective of what identity security really needs are in that type of infrastructure versus traditional more IT. What does it mean and why you need a modern identity security partner?

Yes. Well, we are very -- we're not mature at all at the moment because we're new. We're a new company, we're cloud-first. We're cloud first as a service. Really, everything that we use is as-a-service. And since my time there, the first priority really for me was to secure identity and access management. So it was really important to find the right partner for that. So yes, what we really wanted to do was to find a partner that could hit a lot of our core problems. And our first problem is identity access management just as the human side. And we went into CyberArk with that first problem. As we grew with the conversations with CyberArk, we then realized -- we literally rewrote our cybersecurity road map. Yes, we did because it was from just the identity access management, you've now got just-in-time access for cloud security access. And they're all really important features. Our environment is crazy and very complex and very hard to secure and manage. So partner with something like CyberArk that has all that solution in one is invaluable to us.

Well, we appreciate, and again, we are just starting in our journey together there. Different from Damon. You've been in Identity Security for a long time, both again as a partner and as a customer. But as a partner, you talk to a lot of customers. You watched us go through the trends we see. But what are you seeing? What are customers telling you? What are you seeing in terms of trends in identity security, especially around when it comes to this topic of consolidation, centralizing the platform?

A lot of organizations and the organizations at Accenture serves the G2000. A lot of them are on their third or fourth iteration of trying to get identity right, and they struggle. And now they're asking the organization, we need to modernize. And so there is a -- this project [indiscernible] organizations do, they get the infrastructure out, around 25% done, and then they struggle to get past 25%. And usually, you get your core services up, your IGA service, your access management service, usually you get a little more proliferation. And then your PAM service, you get a little more proliferation, but the IGA is really the one that slows down the entire organization because you need [indiscernible] in order to provision access, provision the right access, manage the right access, be able to tell your auditors who have access to what and why do they get that access. That's really important. Capability and a test against that access during certain periods, if you're under SOX compliance or any other regulatory framework. So what complicates that in organizations is technical complexities and a lot of organizations have a best-of-breed approach to identity. They have different tools that do IGA, different tools that do access management, different tools that do privileged access management. And one of the most extreme environments that I've ever seen was a bank that had over 90-plus identity tools that they use to manage. They had a head count of over 3,000 people that operated and engineered their identity and access management platforms. It is very extreme. They spent a lot of money on identity and access management. And so with that, there is a big play and that's some of the things that we do at Accenture and a different approach that we have at Accenture. And my mission is to keep the world safe and secure. And the easiest way to do is to simplify your technology that's doing that, simplify your processes, focus on automation. And in this given moment of time, we have, at our disposal, very powerful tools, generative AI, agents, AI itself, machine learning. We can use those to apply into identity and access management in order to take advantage of it. But if you got 10, 15, 20 different tools, managing identity and data all over the place, it makes it really hard to take advantage of some of those key technologies today.

Yes. Then that's the complexity you were talking about for certain this morning. Richard, you already mentioned some of this but it's going a little bit deeper. I know you've been a big advocate of our Endpoint Privilege Manager. Actually, I think even before you were at Quanta, you already were. Now you're looking into other aspects of how we secure the workforce with the Workforce Password Manager. What do you think sets us apart in CyberArk as you protect your workforce?

I think the leadership team that's been up today has really done a good job of painting exactly what a customer like myself is looking for is that platform partner. So that every time I do, the business pivots or changes and a new problem is represented to my team, I'm not going back to the drawing board to figure out how to do it. I view CyberArk as my trusted identity platform. So we talk to them first. They're helping us develop a solution. And time and time again, I mentioned it several times, but every time that we're approaching a problem, the acquisition strategy of CyberArk has been right there in lockstep of every time we're thinking about something, CyberArk is executing on that.

That's great to hear. And again, many years of partnership here, and we thank you for that. James, now talking about being all in, in the platform and the relationship. We talked about that, right? You're starting with developers, but you are thinking really across the board and you even pivoted, right, your road map. What's your description the benefit, right, of protecting all identities across all solutions with a single unified platform?

Yes, it's massive. In almost a start-up company, there's so many things going on that having a one-stop solution is really important, especially as the type of work that we do, we have a lot of privileged users. And we look at the chart previously and I saw software, yes, it resonated massively because it made me realize how many privileged users we do actually have. So to have a solution that can cover a lot of those spaces and especially as we move, we're looking at the human side, but especially as then we pivot across to the machine side. To have already a solution in place that we can almost access and upgrade almost is really easy for me anyway instead of trying to get more budget with a new vendor. That's always a hard part in a startup, but...

You want to make your life easier?

For sure, yes. So yes, I think the bottom line for me is the ease and that just holds value at that.

And yes, from what I understood, you're growing a lot but also you use a lot of external, right? Not everyone is in your organization or you're like the quintessence of somebody that has to manage really complex ecosystem?

Yes. And CyberArk has been great about that actually. It was a real funny use case when we put the problem out to tender and that we use a capacity network, which opens up expert skills that we might need for an application that we're developing. And that's thousands of users. And they, again, have a lot of privileged access that goes with that. And as the name suggests, Builder.ai, we have an in-house built solution but it still doesn't tick all the boxes that we need. So yes, we proposed a problem to CyberArk and they came back with a light user solution that really, really hit the spot. So yes, that's been massive for us and the implementation of that will actually be a return of investment in its own just because it lowers the risk.

It lowers the risk for you. What about because Quanta grows a little different, right? A lot of acquisitions, I think you said, I mean it was incredibly high number of acquisitions. So how you see proliferation of privilege there? It's a little bit maybe different than what James sees. How do you see that playing out?

It's funny because we do actually run into a similar issue whenever we're acquiring a company that's like is that they're on their identity journey or they haven't even started that we're a construction company. So what's the minimal viable product from an IT standpoint to be able to put an alignment on a pole safely and get them back home? So identity is really complex at Quanta Services with so many operating companies that we have. So that's where we focus on our risk-based approach of what are we going to tackle, what's practical to get where we're going to go. And to build off what Damon was talking about, we had to really think through if we went through all these different vendors, I would have to have a team of experts for each particular one, which is in our market today. We don't have enough security professionals. So getting something like a platform solution company with CyberArk has just been -- it takes that burden off of me.

That's maybe a good place to talk maybe and we can continue to reach more about the future. So like as you look into now '25, '26, you look at your road map, we talked a lot today about the human and the machine side. How do you think about your next steps in your identity security journey?

Yes, we're not immune to any of the benefits of AI or anything else that we're trying to do and cloud-first, getting everything, finding those synergies between. So we are 2025, '26 going through, again, like he was talking about, a revolution of what identity means for Quanta. And we're publicly traded so we have to follow the same regulations that most do. But we also serve the utility industry that have a lot of requirements and regulations that we have to follow as their third-party providers. So again, having the backing of CyberArk to where we go through that journey of discovery or help us understand what problem we should be focusing on now and then being able to provide that solution. So looking forward to it.

That's great. I know it's a little earlier, right, in the journey, and we were just talking your priorities around the human but as you think forward, with the environment you have, the machine side is equally critical. How are you thinking about that?

Yes. We're already thinking about it. We're in conversations with you guys about the next step. And that's definitely the area that we want to look at. Now we've stabilized the human side of identity and access management. But it's even more exciting with the acquisition of Zilla. We're at a stage that we want to be enterprise secure because a lot of our clients will start becoming more enterprise clients. So with that, you get the dreaded security questionnaire that you have to fill out and you want to make sure that you pass that questionnaire. So something like an IGA model that's coming is awesome. I've been part of manual user access reviews in the past. And yes, it's horrible. But so it's really lovely to know that's part of the CyberArk package. So I'm already looking ahead once because we want ISO 27001. We want SOC 2. What comes with that is audit and compliance. So yes, it's great. So yes, definitely in human, we're finishing off the human side, the machine side, a very complex environment. It really resonated the areas that...

The whole platform.

Yes, for sure. That will be the next priority. And then we will probably be in a position to go right, okay. Now let's look at our governance. So yes, it fits quite nicely.

That's good to hear. Damon's kind of teased that up a little bit in the morning -- well, in the morning in the initial session. So I think everyone's waiting to hear that, which is this exciting of CyberArk and Accenture partnering around security controls for AI and AI agents. Why don't you give the audience your perspective. What excites you about it? What is it? How do you see it?

There's a few things. And one first, when you all were talking about it, through our partnership, like we started working on this in November time frame, and that's when agents started -- the word started coming out a lot. And one thing I just want to rephrase at least from a messaging standpoint, at least from people that are thinking about using agents. Right now, there's a handful to hundreds of organizations running around these agents. They're going to start proliferating to thousands, millions, billions. They will be on the Internet. There will be a marketplace to sell agents. So there'll be almost like SaaS companies that will sell their agents and you can rent their time, they're going to need identities. All these things are hugely important. Think of everything that you do from a [indiscernible] give them the right identity, right, [indiscernible] stuff that they can use to say, "Hey, I'm Damon, this is what I have access to." You give them the right access at the right time, jus-in-time access. Agents are going to need that same thing. And the fun part about it is that there's going to be a parent agent or an orchestrator composer, however you want to define this. And his job is going to be able to much like a human supervisor manager, it's going to have teammates underneath it. And it might have static teammates, it might have dynamic teammates, it -- depending on its goal, depending on its mission. And so you're going to see agents come up and come down. You are going to see agents stick around for a while, run long-standing jobs that might take hours to days to finish up. Just a show of hands, who's played around with operator from ChatGPT? That's pretty cool. And you just open up a browser and say, I use it actually, donated blood a few weeks ago, instead of going through Red Cross and point and clicking on Well, maybe let's just try this operator thing out. And I said, "Hey, I want to get a blood appointment in Minnesota. This is the day time frame, I want to try and get it. And it just opened up the thing. It browsed through. When it needed my credentials, I went into the browser and typed in my credentials myself and then it went and got an appointment for me. I mean that's a very basic use case right now.

But one -- every single one of our users can -- like that's non-IT just going out there and telling a machine to do something.

We're not even have to interact with browsers and point-and-click. There's something called MCP, which I forget with the acronym is, but it essentially is the model -- it's a standard to be able to have agents interact with different pieces of IT or software stuff, which is extremely powerful. And so this stuff is evolving. And I feel like every week, there's something new that's coming out. And so we've been working with the CyberArk is and they set the table really well with the messaging, so I'm not going to repeat it, but it's going to be critical. You can't do this agentic stuff without identity. And identity is the strongest security control that's going to get these agents right, and it's going to accelerate the business, not slow it down. It's going to accelerate it because you need these capabilities in place in order to go fast. And if you don't have them in place and organizations have to stop what they're doing, they're going to be left behind because things are moving so quickly. Everything is getting disrupted. And that's one thing we're working on. Another thing we're working on is the -- at Accenture, we have our own horizontal agentic solution called AI Refinery that's powered on NVIDIA. And so we are infusing CyberArk into that solution. So by default, when Accenture takes this to market and takes it all over the place -- we do so many things at Accenture, by default, CyberArk capabilities go with that to make sure it's secure right away. That's one thing we're working on. The other thing we're working on is you all consuming the AI Refinery as well as a way to enhance some product features. So you can start spinning up -- you have your own agentic framework where you can start spinning up new capabilities on the CyberArk side, which I think is going to be really exciting as well. So the possibility of where we can take this is limitless. And there was a slide that I saw metric -- 22.5 million roles -- security roles that you can't find or staff or finding the right skills for, that's the opportunity right there. You can take out that problem. And at Accenture, we're building -- on top of the AI Refinery, for security operations, we're building right now end-to-end security operations using agentic AI, where -- there was another metric there, I think it was 80-plus security tools that an organization has. What I see is usually 90 to 100-plus tools. And so the agents would live on top of the software and processes and drive the automation on top of all these siloed systems. So for a breach that would happen, you detected at the network, it would work with your Zero Trust agent, it would work with your identity agent. It would work with your threat intelligence agent. It would work with your SOC agent, and it would start doing a lot of the stuff that these teams do manually, and that takes time. And then you can instantly have your RCAs documented, so the CISO can see what's going on, and then you can have that instantly stop an incident happening in chat. And so you won't need people to do that. You can replace L1 L2 with agents. And you can take disparate security controls that plague organizations and start fusing them together to actually accomplish things from an end-to-end perspective. So the tools in our place, like I haven't seen in my lifetime, I haven't seen a technology breakthrough like I've seen just in the past few years. So if you can't tell, I'm pretty pumped up about it. I'm pretty pumped about all the opportunities we have in front of us, and I'm excited that the CyberArk also sees the opportunities as well.

We are very excited about the partnership and this work we are doing together with you. And I think everyone understood here in the audience why it's so critical and why AI -- agentic AI is an identity problem and not a data problem. So with that, I really want to thank our valuable customers. Damon, I consider you a partner and a customer friend. So thank you very much for bringing everything we spoke about before to life with your stories, and looking forward to our continued work together. Thank you.

Thank you.

Erica?

Eduarda, all right. Thank you very much. Okay. So it's great to be here today, and I want to thank everyone who joined us. As many of you know, this is my 10th year at CyberArk, but it is my first as CFO. And it's been a really incredible journey so far. But I want to echo the sentiment that Eduarda talked about at the beginning, which is that I, too, believe we're just getting started. And I'm going to talk a little bit about why that's the fact, and some data points and reasons behind my conviction. So before I go into the details, we did file a 6-K this morning, which reiterated our guidance for Q1 and the full year. If you'd like more information, you can find it in the 6-K, but I will just dive right into the fact that we have consistently hit our financial targets that we've set out for Wall Street. We have a proven track record. And despite the fact that it's been a very busy few years between the subscription transition, delivering breakthrough innovation, also developing our SaaS platform, one thing has stayed constant for CyberArk, and that is the fact that we've been laser-focused on execution across the entire organization. And you see that show up in our financial performance. The fact of the matter is, is when we were last together at our last Investor Day, we set very ambitious targets for 2025. That was $1.1 billion in ARR; reaccelerating our revenue growth coming out of the subscription transition to 25-plus percent; 15-plus percent operating margins, and that $200 million in free cash flow. But that, as a reminder, was coming up from under $50 million at the trough of the subscription transition. We hit those targets a year ahead of our expectations, and we were able to do that in 2024. And the reason why was because of the enthusiasm you heard here today, we have the platform, the solutions in that go-to-market engine, all of which kicked in at the right time. And that is what has positioned CyberArk as the identity security company. And so I think some of you know that one of CyberArk's core values is smart, bold and humble. So when I looked at this slide, I was like, I'm not sure it fits our brand, but we did want to celebrate our success. And I think this is one of those things when you think about our performance, we've been in an elite class. We looked at enterprise software companies that were $1 billion in revenue, had grown 20-plus percent in 2024, and we're operating at a Rule of 40. There were 3 companies within the cybersecurity universe: CyberArk, CrowdStrike and Zscaler. And then when we open the aperture and we looked at enterprise software, there were only 8 additional organizations that fit that bill. So we were very proud to make and be on this elite list. And it wasn't just the folks in the room today, and this is back our brand. It was also the 4,000 employees that work alongside us that have worked tirelessly to make sure that we get here. But the important thing is we're going to continue to work hard to make sure we stay at this list. And so how did that translate into growth at scale? CyberArk has been consistently growing the business. And the reason we're anchoring everyone on 2021 is the fact that, that was when the subscription transition really kicked off. And so you can see here on that subscription ARR line, not just the momentum in the business, but also the increased value that we've been providing to our customers and that partner ecosystem you heard so much about, the fact that we were able to deliver that value through our solutions and our ability to deliver against our platform, plus the strength of the execution that Eduarda talked a lot about previously. And if I double-click into the subscription ARR line, this is an important chart. So when you think about IT and developers, that's the PAM business. It's about 50% of our subscription ARR today. What does that mean? When we were last together in 2023, it was just over 50%. The fact of the matter is, is that PAM continues to grow impressively at scale. The other important thing to take away from this chart, CyberArk is very well diversified. Our business, the subscription business is not just privileged access. The workforce and machine identity businesses have grown impressively. In fact, if you look at the workforce of machine identity business, it is growing at an 80% compound annual growth rate. Now that does include Venafi. But even if you exclude Venafi, the growth rate is at 60%. Now I want to just put a little bit of context. Many of you know the context already, but it's worth reiterating. When we acquired Idaptive in 2020, they -- CyberArk itself had only $12 million of SaaS revenue -- ARR, excuse me, and Venafi added $16 million of SaaS ARR. You look at that workforce business today, and it's $250 million in just 4 short years. And the machine identity business back in 2020 was less than $10 million. So the impressive growth, we've really been able to drive these businesses to scale on their own because of our execution and the market demand that Clarence talked so much about. So when we look at the momentum, we track metrics similar to you, and net new ARR is one that we've been certainly proud of. We've been one of the few companies in this macroeconomic environment, perhaps one of the only enterprise software companies that have been able to consistently grow our net new ARR over the last few years and reaching that $239 million we were very happy with. It's an important reminder, and I think most of you know this. This hasn't come from conversion activity. It's been coming from core demand within our installed base and that execution across that land and expand motion. And so from our perspective, it only reinforces the fact that we belong in that elite group of companies. And -- I'd be remiss if I didn't talk about profitability. So one of the reasons I joined CyberArk 10 years ago was because I was so impressed, by the way the executive team, [ Udi ] and Josh, were very -- they took their responsibility of shepherding investor capital seriously. And when I was looking to join another company, that struck me. Our DNA has not changed. We're still very focused on making smart investments that drive top line growth, but also delivering more value to the shareholders through the bottom line as well. So when we were in the subscription transition, we made a promise to you that we would leverage those operating expense lines. And we did just that. And you see it showing up in the operating margins. We generated 15% operating margins a year ahead, as I mentioned. But we -- what we were most excited about is that free cash flow at 22% margins. And the fact of the matter is there's more potential there, which Matt talked about in his introduction. And so as great as the past has been, we also did want to look forward because we are very excited, and I have deep conviction in our opportunity to continue to grow because of all the things you heard today. We actually are addressing and securing the most relevant and prevalent security challenges. That platform and the solutions are actually accelerating our growth, and we have supercharged that go-to-market engine, and we have more opportunity to continue to drive that growth through the channel partners and also our core execution. And how does that actually translate into the financials? So Eduarda has already mentioned the 10,000 customers. We believe that we have 80,000 prospects, which you've already heard, and that opportunity for us to continue to land across multiple spots. And you saw it in the examples we talked about today, we can land with endpoint, we can land with IT, we can land with developers, we're landing consistently with workforce and now we have a new landing spots of machines and modern IGA. We have that opportunity to land much broader and then continue to expand. And I think that's an important thing for folks to take away. When a customer lands, they don't stop. They continue to expand, but we'll talk more about that in a couple of slides. So Eduarda mentioned that 45% increase in the average ARR per land. It's an important statistics because we've been able to drive more value in that landing spot. Our customers are landing with more average ARR. It's because they're taking more products. If you look at the comparison period, in -- from 2021 to today, we've seen a 60% increase in those customers that are landing with 3 or more products. But beyond that, you've heard us talk about those platform lands. Those 3 examples of 7-figure deals that we had in the fourth quarter. But beyond that, we actually had another deal in those top 10. It was another 7-figure new logo deal. And again, another platform opportunity. And that's because of some of the initiatives that you heard Simon talk about. We're reaching higher up into the organization. When you think about the fact that we've got -- we have these established CISO programs as well as the CIO programs. And then when you think about that $5 billion addressable market within our current customers, that's what we talked about when we were together in 2023. And we believe that, that has expanded to $10 billion. It's for a number of reasons. So it's the new solutions that we've -- you've heard us discuss. It's the fact that we've modernized our IT or the PAM solution to include the developer community. It's the newer solutions that we've been introducing, but it's also the AI enhancements that we've driven into our existing office -- our offerings that is not talking about agentic AI. That's another -- that's a whole different pillar that we'll talk about in the future. This is just us taking AI and infusing it into the platform. As well as the fact that our go-to-market engine continues to deliver. And then I'd be remiss if I didn't talk about Zilla or the Venafi acquisition, both of which improves or expands the total addressable market that we have within that installed base of our customers. So how have we done so far? We've actually done a really great job. You see here on this slide that the average ARR per customer has increased by 90% since 2021. And that's because of the things that we've talked about today, more identities, driving more value because of the offerings that we have and that those deeper relationships within the installed base of customers. All of that coming together has let us or empowered us to increase our average ARR by 90% within that installed base of customers. But it's clearly coming from larger customers. And so I want to dig deeper into some of the bigger cohorts of the customers that we have. If you look at those customers that pay CyberArk between $500,000 and $1 million, they have increased at a rate of 55% CAGR. But what's more impressive is that the ARR from those customers have gone up even faster. Now I want to point out that this cohort of customers have fewer than 3 products per customer. Keep that in mind because we're going to come back to that from a staff perspective in a few slides. So what happens to those customers? They graduate, right? They move into the bigger cohorts. So we've seen a 75% increase in the customers that are paying us more than $1 million. But again, what's really important on this slide is that we've seen a 90% compounded annual growth rate of the dollars attributed to those customers. So to keep it simple, in 2021, the $1 million cohorts paid us $1.4 million. Today, they're paying us nearly $2 million. And these customers, on average, have about 3 products per customer. So they're buying more across the platform because we are seeing lands in the $1 million and above, like the examples we talked about on the Q4 call, but most of this expansion is coming from those customers continuing to expand, adding new users, expanding into new use cases or buying additional or incremental products. And so what does that actually translate into from a dollar perspective? We're focusing on products on this slide, not on the solutions we introduced last year, because of -- from a data perspective, we wanted to level set everyone on the products. But the data supports when you expand across the solutions that the same trends are holding. So when a customer expands to 3 products or more, we see a 6x increase in the ARR that, that customer pays to CyberArk. But what happens when they get up to the 4 products is magical. They go to 10x the ARR of that one product customer. And really what we see is that persona-based sales and the fact that, that go-to-market engine is driving faster upsell and cross-sell. And that opportunity here is definitely in front of us, not behind us from an expansion perspective. Again, why are we confident that the opportunity is in front of us? This slide gives -- is one of them that gives us confidence that we can continue to grow within that installed base of our customers. And so how does that translate? So I figured I'd take you all in a little bit of a journey of our ARR. When we were together, again, subscription ARR, this is back in 2021, we were under $200 million. Today, we're at $977 million of subscription ARR, and the mix, as we've talked about, is roughly 50-50 IT developer, machine and workforce. Our expectation when we get out to 2028 is that we can have over $2 billion of subscription ARR, and that mix is going to shift, but not dramatically because we do believe that IT and developer can continue to grow at impressive rates because those new use cases are also driving demand. With that said, workforce and machines will grow faster. And again, we're not assuming that agentic AI is in this number. This is something that we want to make sure everyone is level set on. This is the core opportunity for CyberArk. And so when we think about our long-term model, Matt gave you a lot of the highlights. We're expecting $2.3 billion in ARR. That should translate into about $2.2 billion in revenue in 2028. Our gross margins will be between 80% and 82% as we continue to see that mix shift more and more to SaaS. When you think about the R&D margin, it should be roughly between 15% and 17%. We have a lot of innovation we want to continue to deliver. Peretz walked you through agentic AI. You heard about the value we provide to customers through a unique approach to the workforce. That layered approach that Amy walked you through, no one else in the market is doing that. We want to continue to innovate on that approach. And then when you think about the machine identities, we have so much opportunity with Secrets and with Venafi, we will continue to invest. And then again, we're just getting started with modern IGA. So we're looking at 15% to 17%. And then on the sales and marketing line, 35% to 37% margin. Eduarda talked a lot about the fact that we're more efficient. We have the partner ecosystem to drive our growth. And so you'll see incremental leverage on that sales and marketing line. And then Simon did an amazing job walking you through how the marketing programs are going to extend our reach, significantly leveraging AI. And you're going to have a G&A margin of about 6% to 7%. All of that is going to translate into a 22% to 24% operating margin, and that $600 million in free cash flow or that 27% free cash flow margin. We are committing to being a Rule of 45 company. So we're very excited about the new models. And then we wanted to touch briefly on capital allocation priorities. We have about $800 million in cash on the balance sheet now. We acquired -- we made the acquisition earlier this year. So that obviously lowered our cash balance. We also are -- but to combat that, we are expecting to generate about $300 million in cash flow from operations due to very strong balance sheet. All in all, our plan is to continue to invest in organic innovation and drive the business forward. We also will continue to evaluate strategic acquisitions, but we're certainly going to make sure that we are focused on getting the modern IGA solution and the Venafi acquisition integrated into CyberArk, but we'll still continue to evaluate over time, incremental strategic M&A opportunities. And so just to wrap things up and put a bow on it, we do think that we'll achieve this $2.3 billion in ARR, that $600 million in free cash flow. And again, just to reiterate, our expectations are that we will be a Rule of 45 company when we're out -- when we're moving through and getting to 2028. And so with that, I'm going to pause, and we're going to ask the rest of the executive team to come up, and we'll have our Q&A session. But bear with us briefly because we have to reorganize the chairs.

We have 2 CyberArkers. They will come up. Please wait until the mic comes. Please state your name and affiliation and then ask the question. All right. First, we'll go to Brian here up in the first table.

Brian Essex from JPMorgan. I had a question for Peretz. I want to touch on a comment that you made that AI is an identity problem, not a data problem. I've had conversations with a number of GSIs and ASML enterprises understand their data exposure and their data estate, and they inevitably answer, it's a mess. We don't -- they don't have a clue. Where are enterprises today with regard to identity and AI adoption? And do you see adoption of identity playing out to secure AI and agentic adoption, do they get data in place first? And then identity, as you kind of alluded to, to accelerate utilization? Or is identity first and then they come through and adopt other security measures like after identity? Where is the priority level there?

So I will differentiate between the maturity level of adopting AI versus agentic AI. We do see more and more enterprises that are adopting AI in all sort of ways, right, automation, generative AI and so on, mainly to boost productivity and efficiency. Agentic AI is still a big question mark for them because it's only kind of the beginning of the new era of the technology. Just call agentic AI, it's really evolving very fast. We do know about their interest in adopting this technology in order to boost even more their productivity to reduce the cost overall. So we do see the opportunity over there. As for the data and the reason we are saying it's an identity problem and not a data problem because as you saw in my session, in all of the sessions, there is really a way to treat these AI agents that, on one hand, there are machine identities, but they behave more like a human. And when we see -- we talked with several companies, and they thought about, yes, LLM models will be able to solve, right, the security models as of today, all the known models can be hijacked and jailbreaked very, very easily, meaning that the models themselves will not be able to be the security guard, the security boundaries for the companies. Therefore, it's an identity challenge for the new type of identity.

Yes. I think it's really important to understand the distinction that Peretz did a good job of explaining there, which is companies are rushing to figure out their data models. You're exactly right. And rushing to understand what data they have access to, how do they actually make that data available. And for sure, there's a role there for any element of people who are participating in the data story, data security data area. Once the agents get turned on, those agents are acting as individuals, as humans, as agents of us, and as Damon did a great job of talking about the hierarchy of how they'll work, now it becomes an identity problem, just as if you just hired another 1,000 people or another 1 million people to your workforce. How do you onboard them? How do you make sure they have the right entitlements and privileges? How do you manage their access. How do you make sure you're controlling that access in. You're able to actually detect and respond to what's happening. And ultimately, how do you ensure that you're compliant with your processes and your approach? It's no different than the human problem at a machine scale.

Next up, we'll go to Saket there.

Saket Kalia at Barclays. Thanks a lot for hosting this session. Always very helpful. Matt, maybe for you. One of the themes from today that I think really resonated with me at least was this is definitely an identity platform, right? And it seems like you have the different product components. Could you just maybe talk about where the market is in their adoption curve of an identity platform, not just kind of point products, but the whole platform play? And is there anything that you want to do from just a go-to-market perspective to drive a platform sale?

Yes. Thanks, Saket. So like we saw an inflection in 2024 where we were landing really at a much more pervasive rate these full platform deals. And we talked a lot about it throughout the evolutions of the quarters because we started to see this momentum build on how we land and how we expand customers. And I think what you're finding and you heard it from our great customers that were up here is that, again, in this kind of complexity that they're dealing with. They may get started with a solution, but they're quick to figure out how can they take advantage of the full platform. And the full platform spans human to machine, and then it also spans the kind of traditional markets of IGA, access and PAM. So when I'm having my conversations with customers, you heard it from the team here, they are looking to adopt an identity platform, full stop. Now they may have invested a bunch of money in some existing point solutions and tools, and it means that it will take them time to move off those tools. And in some cases, they might layer our capabilities on top of those existing tools. You've heard me talk about that a lot on the workforce side. We don't tell people you have to swap out your MFA SSO to be part of our platform. We say we can layer right on top of Microsoft's or Okta's SSO MFA, and we can sit and bring privileged controls for the workforce into our platform. I think you're going to see that really take off over the next quarters and years. I think you see it in our CISO and CIO programs that we're running. And then to your last point, the key ingredient is just having the conversations with the customers so they can understand how you're future-proofing their investment. How they can get started in one place and they can move beyond that. I think Eduarda has done a great job of engaging our sales team, but also our partners like Damon and Accenture that help spread that message out into the ecosystem.

We'll talk -- Andrew Nowitzki here.

Great. I wanted to go back to one of the comments I think the gentleman from Accenture mentioned about how agents are transient.

It's a tough word, gentleman for Damon we'll go...

And comparing that to your comments about how agents are -- have to be treated like human identities. It seems like those 2 are in contrast with each other. So you can't just put an agent into active directory and control it with SSO and MFA. So I'm wondering if you could just talk about the form factor that's most appropriate for securing agents, whether that's certificates or something else, like how are you treating unlike humans?

So Andrew, thanks. And it's incredibly important. We have this debate. Simon and I had a debate about it. It was a couple of months ago. But why does AI agents show up under the machine side of our spectrum? Because ultimately, you need to be able to manage it in a way like it's a machine. It has the scale, the sheer numbers of -- as like it's a machine. It has ways of being able to identify itself or authenticate like machines, in some cases, it will be certificates, it will be keys. So it looks at one level, like a machine full stop, but the tasks that it's performing and the ability for it to be able to change the way it behaves, looks a heck of a lot like a human. And so we see it matriculating to all aspects of the platform. It's why Peretz did a good job of really talking about that. One is you need to discover it. Like you said, in the human world, it's not a big deal to figure out who the humans are. They actually generally are listed in a directory somewhere, and you can find them. The tough part is figuring out what privileges they have, what entitlements they have, what do they have access to. In the machine world, you have this exponential number. You have no idea where they even are, if they exist. Actually finding the directory of machines is the first problem. We have solutions for that, by the way. So once you start to have the directory of agents that exist, you've got to put them through the levels of controls that machines would have like certificates, like secrets management, like the entire life cycle, but then they're going to be logging in to your systems. If you go out and you outsource your HR department to a bunch of agents and they're logging into success factors, they have to actually be treated like humans with securing the access, with understanding how to actually manage that session all the way through. So it becomes this juxtaposition of both together. And I think that's what makes a platform approach like ours a requirement because there'll be no point solution that actually can manage the entire life cycle of these agents.

Next up, we'll go to Fatima, then John DiFucci and then Ittai.

Fatima Boolani from Citi. Erica, the question is for you. A lot of the conversation around the go-to-market and the emphasis on the go-to-market is now evolving into a persona-based selling approach. And I think that was a message that was pretty clear. So implicit in that message is you are going to be selling 2 seats and more and more seats, whereas historically, your pricing model had been more target infrastructure and systems oriented. So I was hoping you could walk through a little bit of that evolution and where you are. And then more importantly, when we think about the installed base opportunity -- the latent installed base opportunity, how should we think about the progression of seat penetration because historically, privileged by definition, it was finite, right? So how does that sort of change the P times Q equation of how you're thinking about the pricing model for the business?

Yes. It's a great question, Fatima. I think we'll start with the fact that we actually have moved to more of a seat-driven approach quite a while ago. And so when you think about all of the human identities, whether it be IT and developer or workforce, they've all been sold per seat for some time. And so that isn't really a change in the business model from where we've been over the last 4 or 5 years. Where we see the seat expansion coming from is the fact of the matter that there's more privileged controls and privileged access and more privileged users. So when you think about that expansion motion, you're really getting it not just from the traditional, call it, 10% of employees that come from your IT seat, it's much broader than that, and then you layer on the developer community. And as a reminder, that's just a PAM use case. And so that developer persona just exponentially increases the number of seats that we can actually target against when Eduarda and Simon are doing their targeting programs. And then when you think about the machine identities, that's just a completely different animal. And so we're seeing that really inflect, and that's coming from the increase in machines from that volume and velocity and variety that Kurt walked you through. And so -- and that isn't sold per seat. That's a different pricing model. But when you're talking about the humans, it's been there for quite some time. You've got the workforce piece, just coming back to that. I think the thing you should think about for us versus others is that, first, our offering is very differentiated which we've talked a lot about. The other piece is, is that our penetration is relatively low. So when you think about our opportunity to continue to expand on the workforce, it's really meaningful. And that's part of the reason that we think that we can still gain momentum and traction because it's a small piece when you look at that massive total addressable market for MFA and single sign-on.

John DiFucci.

It's John DiFucci from Guggenheim. I usually ask Matt this question, but I think I want to hear some of the technology people's response to it. So I want to dig a little more into what Saket was talking about. Because as you guys all know, 20 years ago, or maybe I'm the oldest guy in the room, and that's I remember anyway. This was tried before. And it made a lot of sense back then, too. Oracle tried to put all identity on one platform, IBM did. Even [ CA ] did. I think even [ Sun ] did, but it didn't work. It failed. Is it because the world's just evolved to a spot where the architecture of the world is just conducive to this now, and that's why it makes sense to do this now? And if that's the case, can you go even though, Matt, you did say, "Hey, we'll go over the top of Okta, work with Okta, but can you say, "Yes, we'll work with Okta." But think about this in the future, you really don't need to deal with any other identity vendor than CyberArk.

You say you wanted to hear from smarter people than me. So we'll look this way.

I would say that the world completely has changed since then, right? When it was mentioned, IBM, it was an on-prem monolithic set of capabilities, right? All of a sudden, we are talking about a very distributed system, micro services that are out there, consumption from the cloud. I think that there are elements of scale, elements of complexity, elements of even real time, in some cases, demand for action. I think it's completely different than what it was before. For me, it's not -- although as a technology person, it's not a matter of a guess, it's exactly what we hear from customers. So we're not guessing. And as a really customer-centric company, this is what we are hearing from our customers. This is what they want. And specifically, for your example, we're saying, hey, we can be on top. Yes, we are having this ability. But if you still want to do it with other companies, we are enabling you to do that, and keep the advantages of CyberArk in -- as part of your system. So I think it's a real different than what it was before.

The legacy world of yesterday still exists in a lot of large enterprise? Sorry. I'm sorry. The legacy world of yesterday still exists in a lot of large enterprises. Brian, at JPMorgan, I used to work there. There's a lot of legacy stuff there. It's a huge enterprise. So -- but today's technology can accommodate that along with "modern Zilla architecture.

Yes. And I'm going to jump in here. I think that's the power of CyberArk, okay? There are startups that can do some of this modern stuff all by themselves, not the full platform, but even specific use cases. This is not a specific use case problem. You need to be able to do the consolidated play in the modern world where these things have kind of all come together, and you still need to understand how to service the legacy world. And nobody understands that better than CyberArk because we did it at the most complex level with PAM, where we actually had to connect to all these legacy architecture, legacy systems, figure out how to manage and monitor the sessions for all of this heterogeneous environment. So we can do that on-prem. We can do that in the cloud. We can do that across PAM, which is the hardest thing to do. Of course, we can do it for access. We can do it for now IGA in these newer areas. So I think that's the special sauce of who we are as a company is understanding both worlds, but certainly, as Peretz said, in the new modern world, it's all one. And actually, they need one solution in order to be able to solve it.

Yes, up front here, Ittai.

Ittai Kidron from Oppenheimer. I have a question, I guess, from Matt and Erica, kind of cuts across. As I hear you talk about the agentic AI, it feels like it's not something that's really touching your business here and now. It's something that's coming, it's perhaps in customer conversations, but the dollars and cents are not there yet. So Matt, from a competitive standpoint, can you talk about the positioning of the cloud guys? Because most of the company -- clearly, agentic AI has always been deployed by large enterprises. What are they using here and now. From my conversations with them, they use the native cloud identity platforms for those machines. So are you waiting for that to fill and then for that to come to you? Why is that first wave starting with them? Are you perhaps late here? Help me think about how this evolves for you in dollar sense. And then tying it to you, Erica, the guidance for '28 -- or great that you saw that you delivered the '25 numbers in '24. So I guess the '28 numbers will be delivered in '27. But help me think about -- I just want to try to understand what is and what is not in that assumption. And if I heard you correctly, agentic AI is completely outside of this, but maybe you could break down a little bit more on the IGA path, how you're including that? So those will be my questions.

Sure. So let me start. Listen, I think the world of agentic AI at meaningful scale in enterprises is just getting started. And we believe that we are definitely not behind the curve, that we're ahead of the curve. It's why we started our partnership with Accenture early, and Damon has been a thought leader in this space. And our ability to be able to get out with an enterprise-grade security solution or agents as they're deployed, we believe that we're going to be ahead of the curve. A lot of times in tech, the software gets deployed, the security is playing catch up. And we saw that for sure in the cloud computing. We saw that in the Internet world decades ago. okay? In the agent world, if that happens, these organizations are going to open themselves up to just tremendous risk because the adversaries are going to use that as the soft underbelly of the organizations. So while we do see enterprise-grade adoption of AI and the kind of LLM models and the underlying technology and foundation, I think we're in the early days of true agentic, not co-pilots, true agentic AI being deployed at enterprise scale. We believe we can be on the upper end of that curve, and we believe we have the right to win. Now is that a 2025 monetization opportunity for us? Let's see. We have some things we're excited to announce. That impact, we like to save our customer announcements for the customer conference, but we have some things that we're excited to announce. It will start. But as you look into 2026, '27, '28, we believe it's an opportunity. Given that we haven't launched a product yet, I'm answering Erica's set of question for her. Given that we haven't launched a product yet, it's not right to put that into your model. So we're not going to put things into our model that we haven't launched yet. So that's your answer on agentic. She can answer the rest, though.

Yes. And so when you're thinking about the mix of the business, so the 2028 targets are for 2028, and the slide prior, where we had that mix of IT and developer being just under 50%, we're assuming that, that continues to grow at a very healthy rate. And then the workforce and the machine identities outstripping that from a growth perspective. Right now, where we have modern IGA with Zilla is in that workforce pillar. So when you see the speed of that growth in the workforce pillar, some of that is coming from modern IGA with Zilla today. So over time, we may break that out as a separate pillar. But at this point, given that the acquisition is about 2 weeks old, we thought it was best to roll that into that pillar for today.

Next up, Matt Hedberg there.

Matt Hedberg from RBC. Maybe just a follow-up to that question. I think the question that all of us are asking is like why now, from a consolidation perspective. And I just wonder, given there's so much legacy out there and you guys are focused on the modern enterprise, is it machines? Is it agentic? Because I have to think as organizations are thinking about, okay, maybe the old was fine to get us to today. But like is it all this radical change that therefore is to trigger to say, I'm going to get off this legacy identity solution. I'm going to move to a more modern platform. So I guess the question is, is it agents? Is it machines? Is it sort of a fresh approach to PAM? I guess how -- what are the customers saying that could trigger this $80 billion TAM?

Sure. I'm going to let Clarence jump in on this because I think he's running our Advisory Board. He's also off thinking a lot about this. That's what helps us detail out our strategy where we pivot where we invest. So let's Clarence comment on this.

Yes, absolutely. So I think a lot of this goes back to what Matt and even I had touched on earlier is the shift in the nature of the enterprise from a security perspective. Again, is the real movement from security being very perimeter-based, very hardened exterior to, really, there being no walls, there being no boundaries and there being no other way to really protect your most valuable assets. It also has become the most effective way as an adviser as we talked about to actually execute your tax. So that -- the primary change has been that the only way to really securely -- to really effectively secure your enterprise is to lock down the identity vector. And it goes across each of the types, regardless of who they are, where their traditional workforce, classic PAM, broader enterprise, engineer, developer, et cetera, that has become the most effective way to secure your enterprise. And that's what we're hearing from our customers. It even goes back to a couple of questions back. What's really changed is that before it may have been nice to consolidate the security of your -- or the management of your identities, but now it's an absolute necessity. There's no other way to protect your businesses. So that's what we're seeing in the market. That's what we're hearing from our customers. And as Peretz said, that's what drives everything we do strategically, is we're trying to stay out ahead of our customers, and the threat that they're seeing -- and you say why now is because we'd like to be just a little bit ahead. We don't want to wait until it's become until its on fire to go out and actually provide effective productions to our customers.

I think that's really well said. And just one thing I want to add on because it kind of -- we can use the modern IGA story to kind of help frame out what actually has changed here. For a long time, right, the reason why people started with their IGA, their big deployments with on-prem was because that's where they saw the risk. And the risk was trying to understand, wait, what do I do around entitlements? And how do I offer that? And they actually left their SaaS applications off to the side and they let the SSO companies determine who got entitlements and how that life cycle would work and granting kind of a group level privileges to users. And these SaaS applications have now become the privileged applications of the present. Think about the data that sits in a Snowflake app. Think about the data that sits in a Workday app, NetSuite app, all of these applicate -- Salesforce. Think about what's in there and then think about the fact that for most organizations, nobody knows who actually owns the app. The privileges are generally granted based upon like next best equivalent. Oh, Eduarda came into CyberArk, she should have the access of her boss, Matt. Like this is the way we're managing the modern real estate and it's incredibly, incredibly dangerous. So you have to get in there. You have to address it. You have to figure out to do it in an integrated fashion. And you can't just be doing provisioning or life cycle management, you also have to figure out how to grant access just in time, zero-standing privilege. At the same time, you have to be able to do compliance reviews. So it all comes together in this modern world. And to Clarence's point, the modern world is where the attacks are happening. So we need to figure that out in an integrated approach.

Yes, the next up, Adam, and then Shaul.

Adam Borg with Stifel. I really enjoyed the presentations. Matt or for Kurt on Venafi. So when you go through the process of looking to upsell that into the installed base, are there any commonalities of the types of customers that are ready to adopt a solution like Venafi? And maybe conversely, when customers are not yet ready, what are they -- what's the pushback you're getting? They're not ready for an enterprise certificate life cycle management solution? They don't have enough certificates. Kind of help me understand where you're seeing early success, admittingly, it's still early, and we're getting some pushback.

Yes, sure. I'll let Kurt and Eduarda to take that because they're close to the business.

Sure. So -- First, I guess you're asking is what's the characterization of somebody who's ready to take on Venafi? It used to be limited to kind of a large enterprise, and why is it now almost pervasive? It's the things I talked about earlier, faster certificate refreshes or shorter life spans hits anyone who has any certificates, right? Concerns over having to be able to have crypto agility as quantum computers come online. It's everybody who has certificates. So the problem went wider is sort of what created the inflection point. As a result, anyone who's a CyberArk customer has this problem. That's like a 100% hit rate as far as if I talk to people, like is this something you're worried about? Yes. Are they -- is it top on their mind to do it right now? Maybe not, maybe they're going to do something else off the platform first because I think it's at a higher risk, but they're not deferring it for long. They're like, I'm either going to solve this, this year or very soon after as part of my deployment of the CyberArk platform inclusive of Venafi. So they really -- I haven't seen like a slice that goes this amount of CyberArk customers will never have this problem this other slice does. Everyone has the problem, then it's just a relative urgency to their priorities.

Let me maybe just add that -- and we spoke about this before, like since the acquisition, we are unleashing fully training the whole CyberArk sales force our partner community. I spoke about that in my presentation on how that all is picking up. The reality today is when you talk to customers, like what Kurt explained, it's there as a priority. And again, it always depends on the road map. Can they hit it in '25? Are they hitting it now? Does it go after another project they're working on, but the need is there. And now with the workforce being trained on it and with the partner community really kicking in, that's why we are so excited, not just for the results, but also to see the acceleration in the creation of opportunities in pipeline as we get going here in '25.

Shaul?

Shaul with the TD Cowen. Matt, Erica, Clarence, Peretz, whoever kind of wishes to address my question. My question is actually about the prospects -- the new clients. Do you view it more as still this kind of high-end opportunity or mid high-level opportunity? And when we think about those potential tens of thousands of new customers, Matt, are these displacement opportunities or strictly greenfield? I don't even know, Erica, if we can attach that to your guidance? And are there some associated numbers, some assumptions for new customers into that 2028 ARR guide?

Yes. I'm going to let actually -- you didn't ask it to them as one of the ones who could answer, but I'm going to let Simon start because we have a T-shirt firm, which is "I eat new logos for breakfast." That's his bread and butter. You saw his stat that he's most proud of on the slide, is that 70% of our new logos were marketing sourced, which is a pretty impressive number for an enterprise company. So I'm going to let Simon start, and then we'll jump in.

Yes. No. Thank you. Definitely, that's been an obsession of me and my organization, to really make sure that we give to our sales teams and our partners the best opportunities to really get into broader identities, broader solutions within the new logos. And we have such a broad 80,000 prospective base, that it is absolutely the responsibility of my team and my organization to do that. We've been working very closely with Eduarda from a go-to-market perspective to make sure that there is -- we have a few, I would say, steps in there and say there is no MQL left behind, like when there is a lead or MQL, we jump on it. When there is a way to transform and sell new solution packages with more identities, more solution. We go and we sell that. The momentum that we see around this and driving more solutions than just point product, I think is definitely phenomenal. And we see that across the globe, by the way. It's not just in the U.S., we see that as much in APJ or in EMEA than we see it in America. So I can tell you that there's a lot of momentum there. I'm very proud of the 70%, and I'm excited to see it becoming even more.

So I think when you dig in a little bit deeper. So first of all, in the PAM market, believe it or not, there is still a tremendous market for new logo acquisition. We did last year, 80%, 85% of our new logos were PAM. And I would say it was less than 15% or so that were displacements. So there is still a really strong market for new PAM logos in the low end of the enterprise, which is, for us, $1 billion to $5 billion in revenue companies. And even in like the $500 million to $1 million -- to $1 billion. So I think you're going to see continued growth of new logos in PAM. I think what Eduarda did really well in our presentation is she talked about all these other landing spots that we have. When we look at the machine space, that there is just a wide swath of uncovered. We talked about that in our base, of, let's say, 9,000 customers or whatever that we start with from a PAM perspective. I think we think like somewhere around 7,500 don't own a Venafi equivalent solution. So there's an opportunity there. We saw a partner/competitor go public. They talk about having 2,000 to 3,000 customers. They're the biggest in the IGA market, 2,000 to 3,000 customers. When you move outside of those 2,000 to 3,000, there is a need for modern IGA. There may be some displacement of legacy and maybe some to get started. So I think you're going to see a lot of greenfield where we can go after for all of our solutions as we go through. In terms of what's baked into the guide, do you want to handle that?

So we're baking in roughly 1,000 to slightly over 1,000. We're not baking into the guidance a massive acceleration in the new logos. We're staying in that enterprise space. So if we go down market, you may see the new logos pick up, but 1,000 to slightly over 1,000 is where you should kind of be benchmarking at.

That's baked into the guide and baked into their comp plans, it's a little bit of a higher number.

So that was the last question. I know a lot of you guys have a flight to catch. Matt, do have any closing remarks?

No, again, I started with we enjoy this day. We enjoy spending the time with you talking about our strategy, talking about where we're going. I'll end by thanking all of you, but I'll also thank -- you see the team I get to come to work with every day. This is a portion of it. We've got other members of the team sitting throughout the room, but I've got the best leadership team in the business. I've got 3,800 employees around the globe that are dedicated to the mission, the mission of securing the world against cyber threats. We are just so excited to go drive our vision forward, and we appreciate all the support from all of you. So thank you.

Thank you very much. And sincerely apologize if we didn't get all the questions. So for those in the room, we have a cocktail reception down in [ grana ]. So we'll see you there.

If you don't have to jump on a plane, you're welcome to join us. The management team will be down there.

Thank you.