F5, Inc. (FFIV) Earnings Call Transcript & Summary

All right. Good afternoon, everyone, and welcome back to our continuation of the RBC TIMT Conference. My name is Matt Swanson, an analyst here at RBC filling in for Matt Hedberg. We are super excited to have Francois Locoh-Donou, President and Chief Executive Officer of F5 and Frank Pelzer, Chief Financial Officer. Gentlemen, thank you guys so much for joining us this afternoon.

Thank you, Matt. Pleasure to be here.

All right. Let's get started then. So looking at the overall demand environment, could you guys just talk a little bit about what trends you're seeing as we hopefully are emerging out of the pandemic? And then especially as it relates to application delivery and security, can you talk about what you see as kind of a durable aftermath as we're heading out and into '22?

Thank you, Matt. And just before I respond, I just need to get our safe harbor on record quickly. Please note that our discussion today may contain forward-looking statements which involve uncertainties and risks. Our actual results may differ materially from those expressed or implied by these statements. Please see our SEC filings for more information on those risk factors. With that, Matt, let me address your question around the trends we're seeing. So what we've seen in the pandemic, as I think everybody knows, is an acceleration, a rapid acceleration in the world of digital, of secular trends that had started before the pandemic. In the world of traditional applications, so these are applications that exist today, have been generating revenues or customer transactions or customer loyalty. We have seen a significant acceleration in the usage of traditional applications. And therefore, the amount of traffic between users and traditional applications. In the world of modern applications, these are cloud native or container native applications. We are seeing rapid explosion of building these apps and trying to put them in production at scale. And so we've got traditional applications carrying more traffic and new modern applications being built very rapidly. And then I think the third big trend of the last 2 years is heightened security awareness. Security and cybersecurity has grown for the last 20 years. But I think the high profile ransomware attacks on a number of companies in the last year has just caused a lot of enterprises to reevaluate their security posture and strengthen their posture. So I would say those are kind of the 3 big things that we have seen in the last 2 years. In terms of what it means for our product strategy, I would say 2 big things that we've been executing on. First for F5 is the importance, the criticality of getting to every application anywhere, meaning by that enterprises -- so if I step back. Large enterprises in the world of IT. The IT kind of vendor community, we've always come to large enterprises and told them, hey, the next thing is really the big thing. And you've got to forget everything and move to the next thing. Whether the next thing is client server or whether it's private cloud or whether it's public cloud or whether it's serverless or whether it's 0 trust and security, we've always said, no, the next thing is really the big thing. And the reality for large enterprises is it's never about just the next thing. It's about the next thing and the present and the legacy of everything they have in their environment, and trying to manage through all that complexity as they evolve their environment. And so for F5, a big priority for us is getting to traditional applications on-prem and traditional applications in private cloud and supporting modern applications in private cloud or automated environment, and modern applications in public cloud and modern applications at the edge. And so we have worked feverishly over the last 4 years, both with our organic investment and acquisitions, to make sure that we would be able to support all of these environments across the board. And that's really kind of the first priority. And the second priority is creating consistency across all these environments. So it isn't just about providing application firewalls for on-prem applications. It's providing that same application firewall and the same policy for security across on-prem public cloud and edge environment. It's doing the same for API security. It's doing the same for 0 trust environment. And so creating that consistency of security and delivery services across multiple environments for large enterprises is really where F5 is unique, because we really are the really only company in security and delivery for applications that can cover this breadth for large enterprise and this consistency across all of their applications, and that's really our focus.

Yes, absolutely. And keeping that holistic view throughout digital transformation really does feel paramount to what we always talk about, which is security transformation, hopefully a precursor to digital transformation, but at least having to happen at the same time. And I'm sure that's 1 of the challenges you're addressing. When we're looking at subscription growth, obviously it's been really strong as a percentage of revenue mix. Could you talk about some of the early trends we're seeing in renewals? And how you're thinking over the next several years of managing renewals as subscriptions become a larger portion of the business? And then kind of on the same note, what are you doing to change the perception of the company from hardware to now help investors and potential customers really realize that this is a software vendor and where the value of the story is.

Sure, Matt. Why don't I first start with that one. So on the renewal side of the business, we're really happy with the trends that we're seeing. Let's sort of split it out into its component parts. And so you start with the ratable pieces of the business, which today are largely Shape and Silverline. And in the future, will be Volterra as more of our solutions are ported over to that platform and pushed out to the edge. Those are anticipated to be sold on a SaaS basis and will be recognized ratably. And the renewals that we've seen in that business has been what you would expect out of an enterprise SaaS business. And so we've been very happy with that. The next are really our term subscription agreements. And those we see on a true forward basis. And then when you reach the second term of that multiyear subscription agreement, we will see a renewal cycle go through there as well. We're quite early on getting to second terms, because we really just launched that model in FY '18. And so we saw the handful of customers come up for renewal there. But really like to see that we -- we're really excited by the uplift that we saw from the initial contract for those subscription deals. For the true forwards where we've had more data points, we have seen nice uplifts in years 2 and years 3. Those are generally 3-year deals. And they're based on a throughput where a customer will subscribe to a portfolio of solutions, measure those throughputs at the end of the year. We don't do a true-up from over-usage of those solutions in the first year, but that level of usage becomes the basis in which years 2 and years 3 year are measured. And so we've liked what we've seen in terms of that uplift in the solution set. And in a number of these, we've also seen new products added into the overall bundle of solutions as more and more of those come online. So overall, we're really happy with what we're seeing. We've got customer success teams that are dedicated to getting utilization, and that's been 1 of the areas of investments over the past 3 years, and they are focused on making sure that customers are getting the utility out of those solutions such that when you get to that renewal basis, there's not really a big decision process, because it's pretty clear to a customer to see the utility that they've gotten. And they're just willing to continue on. So that has helped us lift up those renewal rates as well as a higher base of revenue on which to build some of these multiyear subscription agreements. And I think your final question in terms of perception. So from a transformation perspective, our customers see day in, day out the solution sets feature parity, and other things that we have been doing along the way, as we are investing in all of our software solutions. And so our customers already think of us as both a hardware as well as a software vendor. For external people from our customers, whether it's the investors or other areas, I think it just takes time. And we have been able to deliver so far on our growth targets and we expect to continue to do that. So we will think about additional software type metrics to launch. We did talk about a few of those in the last earnings call. And as we get more and more scale, and more and more predictability, we'll look at launching additional metrics in the years and quarters to come.

Yes. That's fantastic. And continuing down the software road here. Security has obviously been a tremendous focus for you. The acquisition of Shape and then Threat Stack more recently. And Francois, you talked about really being able to give a consistent view of security as new customers are going through their digital transformation. So can you talk a little bit more about trends you're seeing within application security and how the pipeline is shaping up for FY '22? And then maybe also what percentage of deals you're seeing are replacement versus greenfield?

Yes. So Matt, let me just -- so if you look at -- our belief system around security is that the area of application security is going to be the hottest area of security in the next decade. And network security has been very hot. Endpoint has been very hot. But when I say application security, I mean everything that has to do with protecting access to applications, whether it's 0 trust, the web application firewall or authentication or protecting how applications are used. So this is protecting against bot attacks or fraud and abuse. And increasingly protecting APIs, because APIs are increasingly the way that applications communicate amongst them. And so protecting apps and APIs is really where we have placed our focus. And so if you look at different security players out there in the industry, in terms of our area of focus, we're probably more narrow than, say, a Palo Alto or companies that aim to play in all areas of security, because we are absolutely focused on application security. However, we also are broad in that we intend to protect every application anywhere and every API anywhere, because of our customer base, which are large enterprises and have [Technical Difficulty] needs that are, by definition, hybrid or multi-cloud. And so within the domain of application security, we are now able of delivering application security in hardware form factor, in software form factor as a self-managed software, but we can also deliver it as a managed service, and we can also deliver it soon to come in leveraging the Volterra capabilities as a SaaS self-service security delivered from the edge. And so as far as application security, we are now able to deliver the breadth of form factors that large enterprises need and that they can choose from, but with a consistent set of security policies and across the application security spectrum. So that's been our focus. Our security business, as you know, has already grown. I think it grew 28% in the last year, but even higher if you take the CAGR over the last 3 years. We shared at the end of 2021 that it was about a $900 million business, and we expect it to continue to grow faster than the overall business, because demand for security continues to grow, and our application security portfolio is growing. It started really with web application firewall and authentication. We've added encryption to it. We've ported security to NGINX. We've now [ are ] adding Shape to the portfolio. And so bot and fraud abuse is spreading across our portfolio. Threat Stack will be complementary to that. And so the breadth of application security solutions that we have and the number of form factors in which we can deliver it are all growth vectors for consumption for our customers.

And I guess as a follow-up, like when we're talking about application security, clearly a strength is being able to manage across any environment with those different form factors. And when you look at large enterprises, hybrid multi-cloud, application portability is such a big theme right now. And can you just talk about your advantage in being able to secure by not just being cloud, not just being on-prem, but having all these different form factors, and what that means to your customers as they're going through this transition where things are moving around a lot?

Yes, I think the -- I think we've entered the era, Matt, of kind of distributed applications where [ A ] applications are way more distributed. And that's true today for -- if you're a large enterprise, you have a portfolio of applications. Some of them are in a public cloud, some are on-prem and some maybe even colocated. In the future, increasingly that's true even within a single application. That application will be distributed. If you take an app on your mobile phone, the back end of it may be running on mainframes on-prem, but the shopping cart may be in the public cloud and another part of the app may be kind of at the edge, because it needs content that is cached for you. And so when applications are distributed and their dynamic components will live in different places, I think increasingly large enterprises don't want to be locked in into a vertical stack of a single platform vendor. That's really the advantage that we provide, is we provide an abstraction layer of security that is horizontal and is not -- you can use AWS security if you want, but AWS Security works in the AWS stack. And if you want to port your application or you think it might move down the road or if you want to have consistent security between what's in AWS and what's on prem or what's in Azure, then you're going to need an abstraction layer that de-correlates you from the vertical stack. And that's true whether it's a private cloud stack or a public cloud stack. And that's really the advantage that F5 brings. And that's why we've been so focused on application security, because we also have the breadth of doing it across all these environments. And that's a lot harder to pull off than it sounds.

Yes. No, absolutely. I think we've seen the growing value of the Switzerland positioning right now in software, especially as we're seeing more multi-cloud hybrid environments. Moving on to another topic though. You're calling for a growth rate of 8% to 9% in FY '22, which is above your horizon 2 targets. Given systems outperformance in FY '21, so could you talk a little bit more about the drivers for systems strength and how we should think about the durability of this going forward?

I think the big drivers, Matt, are -- the first one -- I first mentioned at the beginning of this conversation is then the usage of applications, traditional applications, a lot of traditional applications are supported by big IT hardware. And when I say traditional applications, Matt, don't think just legacy mainframe 30-year-old applications, think about any application today that's been even built in the last 3 years that is generating revenue. It could be -- think of your favorite SaaS providers, a lot of them, their stack run on F5. A lot of the collaboration platforms that we're using for having meetings like today, their stack runs on F5. A lot of the big dot-com sites that you can go to, a lot of these run on F5. Now all of these platforms, whether it's collaboration or shopping or retail or anything, they are generating way more traffic, because we have all changed the way we live and the way we work and the way we bank and so forth. And that's causing demand for capacity that for those stacks that are run on hardware, they need to increment the capacity. And I think that, that is actually durable. The other thing that's causing demand for hardware is the increasing mix in security of our hardware that I also think is a durable factor. And so with that being said, the growth we saw in 2021 in our hardware, we don't think is a long-term trajectory for our hardware. I have said before, I don't look at our hardware as a growth engine for the business in the future. I think we have also in the growth we saw in 2021, we have some one-off factors. I think there was some catch-up from 2019 that was fairly depressed in the beginning of 2020. The price level of spending on hardware. I think people were really cautious about whether they were going to move everything to the public cloud, and really slowed things down for a period of time until they got comfortable with the hybrid architectures. There were a couple of one-off factors about F5, end of software development on a couple of platforms. So there were a couple of things that I think kind of exacerbated things. And I think, so therefore the growth we've seen in hardware will wane. That being said, I think the performance of our hardware, certainly in 2022, is going to be better than what we thought at the beginning of the horizon. If I step back from just the hardware, though, Matt, and I look at the overall franchise of BIG-IP, which is the franchise that supports many, many traditional apps out there and revenue-generating applications. If you look at hardware software combined, our prospects for BIG-IP are stronger today than they were even a year ago, because of very secular changes we're seeing with post COVID.

Yes, that's helpful. But flipping back to software here, you delivered 37% software growth in FY '21 against challenging comps from '20. So looking out to '22, we're talking about 35% to 40% growth in those horizon 2 targets. So we've covered a lot of ground in terms of applications and security. But how do you think investors should be thinking about kind of the core drivers of that growth from a go-to-market standpoint? And how are you thinking about hiring in FY '22 to really drive that performance?

So from a go-to-market standpoint, the core drivers of that growth in software is cross-selling our portfolio. So it's not really about hiring way more salespeople to go find customers that are not F5 customers today. We -- every quarter, we win new logos and new customers, but we already have close to 20,000 customers today. And the vast majority of them are still in their journey to software. And those who have started with an initial software product from F5 still have a lot of opportunity to cross-sell with new software opportunities. So in our go-to-market, we have been focused on 2 things. One is we are creating consumption vehicles for our customers around these multiyear subscription agreements that give them more flexibility in licensing and allow them to expand within a product in terms of their consumption or expand to multiple products without a lot of friction in procurement. So that's 1 part of our go-to-market. And the other part is we have been refining our go-to-market formation to allow more of F5 sales and marketing resources to focus on large accounts with cross-sell opportunities, and leveraging a lot of the investments we've made in marketing around propensity models, AI, account-based marketing, et cetera, to accelerate our awareness from our customers of all our new solutions. And I think we're seeing the benefits of that in the growth that we're seeing in our software. And then there's a third big kind of demand pull factor, which is that a lot of our customers want to move to software-first environments. And then a lot of them when they're in the software-first environment, it's easier for them to adopt security, to adopt new propositions. So that's the focus really on go-to-market.

Yes, absolutely. I mean that's super helpful. But as we think maybe even longer term, looking out beyond the Horizon 2 targets, really building on all the work you've done to build the software side of the business to date. What do you think growth rates could be beyond that point? And then maybe even more so, like what do you think the mix of software revenue is, or how big could security be? That's the piece I always like talking about the most.

The -- look, I think we will see -- of course, we're not guiding yet to our Horizon 3 and beyond 2022. But directionally, I think we'll continue to see our software grow, because customers want to consume that way. I think a lot of the growth that we have seen in this Horizon 2 has been about term subscriptions, which is where a customer buys license for BIG-IP or NGINX or any of our product, but they're essentially owning this license, so it's self-managed. I think what we'll see in the next Horizon is growing contribution from SaaS and managed services, where the customer doesn't own the software, but it's a service because most of them want to start consuming that way. And Volterra will contribute to that, Shape will contribute to that. Threat Stack will contribute to that. And so that's, I think, in Horizon 3, we will have more important contributions from these parts of the software portfolio, even though BIG-IP, of course, will continue to grow. Because we have -- as I said, we have close to 20,000 customers. Cumulatively, we've -- to date, we've done probably 500 or less multiyear subscriptions with customers. So you can see, the opportunity to further penetrate even our existing customer base with these multiyear software subscriptions is still enormous.

Yes. And then drilling down on 1 thing you mentioned. You acquired Volterra earlier this year, creating an edge platform for customers. And clearly, this has been something that's really been a lot of investor focus on the build-out of the edge, and from everything we're reading in security is going to become an increasingly important part of the conversation. So could you just provide us an update on the integration process and the time line? What is the opportunity for service providers around the Volterra platform in 5G? And additionally, could you just talk about the competitive dynamics there?

Yes. So the integration is going to plan. We are very excited about the first half of 2022. So we said it would take about 12 to 18 months to do that. We are on track for that. So somewhere between January and June of 2022, we'll talk more about completion of certainly the first big phase of that integration. And the focus of it has been that, if you think about it, F5 has a best-in-class security stack for application between bought technology from Shape, our WAF, our API security, our DDoS protection. But we haven't been able to insert that security stack as a service at the edge. And Volterra is going to enable us to do that. So that's really been the focus is porting that security stack on the Volterra platform. And it then allows us to really deliver at the edge. I think the competitive dynamic will be -- will increase with the CDN players that have been making moves into security. Because we will have an insertion point that is very powerful, as powerful as theirs, but probably with a security stack that is kind of best-in-class and more native. So that's really the focus. And then in the future, we will add additional services to the Volterra platform. We're seeing opportunities in multi-cloud networking. We're seeing opportunities in edge computing. So those will be adjacent opportunities for -- on Volterra.

Yes, that's really helpful to frame out that opportunity. I guess I've got a couple of more quick ones. I'm realizing we're running up against time here, I feel like we're just getting started. When we're thinking about the federal segment, there's a lot of different moving parts, right? Obviously, we're in, hopefully, the tail end of a pandemic. There's been a lot of high-profile security breaches, but then we're also seeing a lot of news coming out of the Biden Administration around reemphasizing the need for digital transformation, essentially, for the U.S. government. Can you just talk about what you're seeing from the segment? And maybe how are you thinking of some of these new drivers around security, around data, it seems like some interesting playing area for you.

I think there's heightened security awareness in the government. I mean you've seen this, the new cybersecurity orders that touch not just the federal agencies, but also the supply chain. So I think you'll continue to see a lot of work from the vendor community around meeting these standards, strengthening our own security postures [ in ] supply chains. But I think there is going to be more opportunity into the federal government for security, because clearly, this administration is taking the issue very seriously, and is putting more emphasis on it on all, I would say, agencies, including civilian agencies. So it's an area of focus for us that I think will grow -- that will only grow over the next 18 months, 24 months.

Perfect. And then 1 last one. It's always the way we like to end here for both Francois and Frank. What is the thing that makes you the most excited about F5? And you can put it on a 6-month, 2-year, 5-year horizon. But what's the thing that makes you most excited coming to work every day?

Frank, do you want to start and I'll...

[ Pardon ] let you end it, but -- so I think, Matt, I think we had an ambitious goal on our software transformation. And so far, the time lines that we've laid out even as of 3 or 4 years ago, we're on track. And so very much excited about all of the associates and what they've been doing to drive that, making sure we have the right product, making sure we have the right support, making sure that we've got the right go-to-market, making sure that we've got the right back end to support our customers. So all of that has been a tremendous amount of work underneath the surface, if you will, and just so appreciative of the F5 associates who have helped us get here.

Thank you, Frank. And I would just add to that. Maybe with a longer horizon, even if you take what we've learned over the last 2 years of the pandemic, and I said about these secular forces, the world is running on applications, period. I mean we talked about application capital and F5, the era of application capital 3 years ago saying that's kind of the most important assets that enterprises can possess that are their apps, which generate revenue, loyalty from customers, employees and so forth. You look at the last 2 years, the world is running on apps. It's kind of an acceleration of that is happening. And number two, digital security has become essential, because it's kind of essential to our way of life. And we see with so much of our assets, our data, our content flowing through these apps, securing these apps is essential to our way of life. And so you take these 2 secular forces that are going to be the next 10, 20 years, and you look at F5, and we are positioned, we have positioned the company at the epicenter of these 2 forces. And yes, there are companies that are focused on applications out there. Yes, there are companies that are focused on security. But there is only essentially 1 company that is -- that has the focus, the technology assets and the ambition to secure and deliver every app and API, and do that for any app anywhere. And so that's what I'm excited about, is what's next in the world of apps and security and our role at the center of these 2 big forces for the future.

Yes. No, absolutely. I mean we're talking digital transformation, DevSecOps, it's things that I think get everybody excited thinking about where we're going right now. And just thank you both again from me and everybody at RBC for giving us the time this afternoon.

Thanks.

Thanks for having us.