F5, Inc. (FFIV) Earnings Call Transcript & Summary

[Audio Gap] SVP of Finance. Thank you both for joining us today.

Thank you, Sami. Thanks for having us.

All right. So I wanted to kick it off to Francois. I think you and I have been in contact for a while. You deployed a vision a couple of years ago that at the time, maybe some investors did not fully appreciate, but here we are multiple acquisitions in what I think is a more constructive growth trajectory. Could you just kind of recap and review where you see yourself and where you see the company as long as it's transition or, I guess, you'd say, repositioning in the industry?

Yes. Thank you, Sami. We are -- yes, 4 years into that transformation. And at the time we started on this journey, we felt very strongly that our customers will move to multi-cloud environment. And that security, which was already a challenge for applications, would become an even bigger challenge in the future. And so we embarked on building on these trends. And when you look at where we're at today, we're benefiting from these trends, but also another one that we didn't quite expect. So if I look at the trends that we expected to have is, there is heightened security awareness of the need to secure applications and the importance of application security as a category in security that's gaining power is obvious. And when you look at what's happened in the last year, even during the pandemic, some of the ransomware attacks that we've seen, security is now #1, like top of mind for not just SecOps and Chief Information Security Officers, but for NetOps and DevOps and CEOs and Boards. And we're benefiting from that trend of heightened security awareness, because people are constantly upgrading their application security posture. And we have positioned F5 to be at the heart of that. The second trend that we're benefiting from is modern applications. And modern applications are why we bought NGINX, was the idea that more and more customers would build applications in container native and microservices environment. And over the last 5 years, we saw a lot of companies start to build these types of environments, and now they're starting to take these environments in production at scale. And when you take those environments in production at scale, there's all kinds of complexities that arise and NGINX is really emerging as the ideal platform to deal with these complexities. And so we're benefiting from that growth in modern applications. And then the third trend that we're benefiting from is traditional applications going in multi-cloud as we expected, but we did not expect traditional applications to be growing the way they are now. And that largely has been accelerated by the pandemic. And so I use the term traditional applications to describe applications that were largely built in a monolithic way as opposed to build natively in microservices. But applications that are built in a monolithic way doesn't mean all the apps that are not growing, because all of the retail apps, large banking applications, all of the apps that we use for all the digital healthcare, collaboration, financial services, et cetera, majority of these apps today are traditional applications. They're generating way more revenue, because we're doing all this stuff digitally, way more customer engagement. And so the application traffic, the growth of application traffic on traditional apps has surprised us. And we think that's more of a secular trend that is going to continue post the early stage of COVID. Because we're going to continue to do more via digital channels on these applications. So relative to where we were 4 years ago, we have now positioned F5 to benefit from these 3 trends. And they are modern apps, security and growth in traditional apps, and they're both, we think, here to stay.

Yes. And what I think was the most surprising thing from an investor community perspective, is this rebound in traditional application growth. But from an F5 perspective, how early on or how far back before the investor community realize this that you guys saw a traditional app growth is actually returning or strengthening ahead of your expectations?

I think, Sami, the -- at our Analyst Day, so back almost a year ago, November 2020. We had said at the time that the -- we could see the signals that we have seen some decline in our hardware and that we thought that this decline would moderate from double-digit back down to mid-single digit. And it was in part because of traditional application growth, though, I should say, when we look at traditional application growth, it's growth in software and in hardware. Now the growth in software, we could see what is happening. In hardware, as a form factor, we thought the decline would moderate. What we didn't see coming is that the hardware would go to not just moderate decline, but growth and growing double digits. And that has been a surprise. And we think it is because our customers, even though in the long run, they still want to move to software-first environment. The need -- the application traffic continues to grow and grow fast enough that there's not a lot of time to re-architect and say, hey, we're going to create the software-first environments and move these apps to the software-first environment. And so they start with -- we're seeing them start with adding more capacity with hardware. And then over time, be able to say, okay, now I've dealt with the immediate capacity issue, I'm going to move that to a software environment. And we're helping them with that transition from F5 hardware to F5 software over time.

And then typically, when enterprises make these big decisions, they're very long duration, durable, some things take longer than expected. And then going into this kind of next, I want to say, stride of traditional app growth. This is a relatively longer-term and durable type of trend once it commences. Is that the right way to think about it?

The trend of application traffic...

The traditional apps kind of strengthening their growth.

Yes. That we think is durable, because it's entirely driven by us. Individual users are consumption of digital channels, digital everything. And so if you have a simple case, if you think about it, this conference we're having today is the first in-person certainly that I've had since COVID. But the fact that we resumed conferences this way, I think we've learned about doing these engagements on Zoom and other platforms in the last 2 years. And I think we will make more use of these platforms in the future. So we'll have a combination of in-person events and collaboration virtual events, because we can have way more frequent interactions virtually. Take that example and apply that to how you exercise, how you shop, how you bank, how you health care, how you everything. And that's the durable thing that people are going to continue to do that. And that's why we think it's that digital acceleration. It's also causing customers to invest more in their digital channels. Both in the security of the digital channels, which have become essential -- almost essential to our way of life, but also in the kind of user experiences that you can have. Because once you've decided, okay, we're going to do things on Zoom more regularly, then the next question is, okay, but do we have -- the first question was, could we survive on Zoom, now is can we thrive? And so what do we need to do to enhance that, less latency, less problems and so forth? And that applies to every application. We speak to a number of our customers who say, hey, 18 months ago, we were heroes, because we enabled 10,000 employees to work from home on a VPN, and we were seeing an IT meaning -- we were seen as the heroes of the pandemic. Now the same employees that applauded us are complaining that this app doesn't work as well, and there's latency on this thing, and I can't access this in the same way, and that collaboration doesn't work. And so we need to add capacity. We need to add components. We need to modernize this thing. We hadn't thought about that. So all these things are durable, and I think will continue to grow.

Got it. Got it. So I wanted to ask you a question, I think, is very interesting for specifically the F5 team as a whole and Cooper, you can also chime in here if there is an implication that you can think of. But is there one thing in the tech sector, at least from a dynamic or dimension perspective that keeps you awake at night, right? Something that you're seeing, something that could be a headwind, an air pocket or you could -- it may not necessarily be something that negatively surprises you while you're sleeping, it could be a positive surprise where you can't sleep because you're so excited. So is there some kind of inflection occurring that's on the horizon, both positive and negative, that you could think of that is worth calling out.

Yes. I think the -- if I go back, Sami, to 4 years ago, what will keep me up at night was this idea -- there was a thesis that the world of applications was going to go to monolithic application -- monolithic and static applications that are in a vertical stack in a data center. That these applications will go to -- they will just move to another vertical stack in the public cloud. So they'll go from one location to the other. And therefore, the data center stack will disappear. And it will be replaced by this public cloud stack. And I think that was -- there was a sort of conventional wisdom that, that was going to happen. And I would say that was keeping me up at night. But our view was different. Our view was that customers -- there were very good reasons for a large number of customers why they would keep some applications on-premise and go into the cloud. So we felt they would go to multi-cloud. And we felt that we would end up in an era not of a single location, but an era of distributed applications. And what keeps me up at night today is my excitement about this era of distributed applications, because the more applications are distributed, the better it is for F5, right? The bet we've made for the company is that there is a strong case for a software stack that does all the things, security and delivery that an application needs, but a software stack that is location-agnostic. That is an abstracted software layer that you can stick next to your application component, wherever it is, and it will do all the things you need for that application to be up 24/7, always performing and always secure. And so if you think about it, if everything is going to go to a single location in the public cloud, then the case for -- well, the only thing we need are the native tools in the public cloud is strong. If everything is going to be distributed, then the case for a software stack that works across all locations is much stronger. So what I'm excited about is, we are in kind of Phase 1 of distributed applications, but we're already seeing Phase 2 and Phase 3. So Phase 1 is, if you talk to a large enterprise today, they have 1,000 applications. They'll tell you that they're -- 90% of our customers tell us they use multi-cloud environments. It doesn't mean that a single app is distributed across multi-cloud, but it means I have 1,000 apps, 100 of them are in a public cloud, 700 are still in my data center, 300 are in a private cloud environment, and I like it that way. Because I've done the learnings to know which of these apps could benefit from bursting in elasticity in the public cloud, for which apps there's no economic sense of lifting and shifting, like people have gone through these learnings over the last 4 years. But that -- so -- and when you're a CIO and you have apps in all these environments, you do want to have -- you worry about the consistency of security, the consistency of vulnerabilities. You don't want to deal with the complexity of having different stacks in all these environments. So -- and that's why we're seeing the traction we're seeing with BIG-IP, with NGINX, in these environments. But that is only Phase 1. And the excitement for us is we're now entering Phase 2, where a single application is now increasingly built on microservices and containers, and these microservices themselves, you may have some in public cloud, some at the Edge, some in a private cloud. Because at the Edge, you want to cash some pictures. In your data center, you may still have the customer information at your inventory that you keep there. And in a public cloud, you may have a shopping cart because it's more dynamic and this thing burst, right? So if your components of an application are distributed, then the case for a horizontal software stack that serves all these components in any location is even stronger. And then the Phase 3 of that, which we think we're going to get to is where the components of applications become dynamic. They're not static. So they don't stay in a single location. They could be at the Edge. But for IoT applications, things move to different locations. And there is no way you can actually achieve that level of dynamic real-time experience, unless you have the same software stack that can move with the components of applications regardless of locations. And so that's horizontal play, is a complete paradigm shift versus what we thought 4 years ago would be the winners or only the vertical platform stack. And this is not me saying that everything is going to go to this horizontal play, but I think the center of gravity is going to be moving there. Of course, there's going to be a strong play for apps that are built in a public cloud or in a platform stack that can only -- that only need to leverage that infrastructure and will be there. There will be millions of apps that are built that way. No question about that. But you will see a large ecosystem of apps that need that horizontal location-agnostic software stack, and that's the play of F5.

And then I just want to follow up here. When applications become this distributed right with all the microservices being deployed at wherever they're located and as the customer shifts and changes, how they're consuming it, where they're consuming it. Does this increase the monetization opportunity of F5? Or is it essentially neutralized based on the way you're already monetizing it?

It increases the opportunity very substantially, because we get in front of way more applications. For each application, we offer way more services, because when they're distributed, now you need, of course, the security stuff that we offer, but new security problems. You have a lot of API traffic between these applications. Securing APIs is just going to explode. Authenticating them, figuring out what new threat patterns exist between these APIs, which Threat Stack also allows us to look at. So you get all the security growth and the new security services that you need. You also need to have all of the networking between these components. And as you know, F5 has a very strong networking capabilities and networking heritage. Networking applications are very different than just networking the Internet. I mean the old problems of -- or networking a user to an application. But networking applications between them are components of an application, it's a very different problem. We happen to bring a huge amount of scales to that. So you get a much bigger opportunity for F5, because, a, the number of apps that we work for just increases by orders of magnitude and the types of services we offer also increase as a result of that distribution.

Yes. My follow-up is that means your guidance is conservative. No, I'm just kidding and kidding.

I'll let Cooper answer that.

I'll pass.

Thank you for clarifying a lot of that. You mentioned some of the big enablers of this mobility, these microservices, some of the enablers or even some of the acquisitions and maybe a good segue to talk about your acquisitions. You've acquired Volterra, NGINX, now Threat Stack. And investors are able to piece together those acquisitions really well into, I guess, you'd say, stand-alone F5 or legacy F5 and the services and customer portfolio or customers you already have. The one acquisition that I think people start trying to get their heads around is Shape Security. So how does Shape Security fit into what you're doing, the business opportunity? Maybe you could just reiterate some of the key points that you led with. And I think what people are trying to see is something similar to what happened with NGINX. With NGINX, we could quickly start to identify, this is the connection. This is why F5 got stronger with NGINX or why NGINX plus F5 is a better combination than 2 companies standing separate alone. Could you give us an idea on when that maybe aha moment could be for Shape Security? What would we need to see or what you're looking at to track that could identify similar characteristics of execution and integration?

Yes, absolutely. So Shape brought to us world-class anti-bot and anti-fraud capabilities that we didn't have before. So even if you just take it as a stand-alone, you can think Shape -- it's simply the greatest traffic profiling capability that is out there in the industry today. Because we put Shape in line of an application. And we know that application may be used by millions and millions of users. And we know if you're trying to log into that application, are you Sami Badri or not. Are you Sami Badri trying to log in or are you a bot or are you somebody pretending to be Sami Badri? And are your intentions about accessing that application legitimate or are they fraudulent? And that capability, knowing that allows us to do all kinds of things for the application. First of all, of course, securing it and stopping you from getting into the application, if you're not who you're supposed to be. But also changing how you use the application. Understanding how you're using it, but changing it, which leads to potentially enhancing the revenue of an application, because we know who you are, and we can reduce friction when you log into that application. Maybe you don't need multifactor authentication. Maybe you don't need to reauthenticate again, if you've been in this application in the last month or so, and we can keep your session going, right? These things allow a lot less friction and we can measure the implications for revenue for our customers. So it's not just the security capabilities, it's a friction removal capability for end-user experience. All of that, we can deliver stand-alone with Shape, putting Shape in line of an application. The big synergy with F5 is that for customers to benefit from the Shape capabilities, Shape has to be inserted in the inline of the traffic between users and an application. That is where the friction exists to say, okay, well, I've got to interrupt my application. I need downtime. I need to test this stuff. Once I put it in line and just make sure there's no new problems, et cetera. Friction is not something you want. So what we are doing is porting Shape and the technology is so powerful that it's going to be ported on BIG-IP, on Volterra, even on NGINX. Because BIG-IP sits in lines of millions of applications today. So with the right portability, essentially you can get the benefit of Shape to our customers without any other friction and you could basically turn it on pretty much immediately. We already are halfway through that. We have done an integration that say takes the friction from 10 to 5, and we're doing one that will take it to 0. So that is part of the magic. We're going to do the same on NGINX. And as part of our integration of Volterra, we're porting Shape on to the Volterra platform to allow customers to consume it also as a self-service SaaS offering and insert it at the Edge, closer to their users. So it's -- you're going to have a ubiquity of Shape technology delivered on all the F5 platforms. Again, location-agnostic and giving our customers the benefit of the traffic profiling capability.

I think you addressed something that answers a lot of question marks for the investors. And that is Shape is being distributed across the whole portfolio. And in each of the portfolio, at least the product suites, they're winning their deals for their specific reasons, but Shape is essentially being nested or inserted. So the credit ends up being NGINX controller, F5 BIG-IP, not necessarily Shape won this inside BIG-IP. Is that why we haven't heard much about it?

Yes. Well, you're hearing and Shape stand-alone itself is growing, because there is more demand for -- I mean the increase in bot attacks and they have increased again in the pandemic and fraud is there. And so customers, who have that pain or can identify that pain or really want to protect against that pain and have the insurance, they are going and pushing it stand-alone, even if there's friction in it. But yes, in addition to that, you're going to see more deals where the Shape was part of BIG-IP and it accentuated the differentiation for BIG-IP, and we're winning same with NGINX, same with Volterra. Where you have that bundle, and that security stack is best-in-class. And we win a deal, not just because we have web access firewall and API security, but because we have a best-in-class bot and customer absolutely needs that. And we've started to see that already in the last couple of quarters where we integrated Shape with our Silverline offering, which is a managed security services for WAF and DDoS. And we added the bot to that from Shape, and we've seen an uptick in the sales of that already. So -- but that will be -- we're in the early innings of that, and I think you'll see more of that through 2022.

Yes. And I think it's worth noting, when Shape was a stand-alone company, a common way that their customers would deploy Shape would be to leverage BIG-IP that they had in their infrastructure. So they would write best of my rules to enforce the policies that from Shape -- from the learnings from Shape. So that's a fairly bespoke high-touch, but high-value solution and leveraging BIG-IP now and building it -- building Shape in as an integrated offering, really will reduce that friction. And then similarly on the procurement side, we are looking to leverage our flexible consumption models that we've had for BIG-IP and NGINX and we're going to have Shape and Silverline now on these models going forward. And that allows customers to much more rapidly respond when they're under attack. Because we know that early days, that's where we've had the most successes when customers have had a security crisis and Shape can quickly resolve that. But there's still a procurement process that adds a lot of friction. And so having the Shape solution within that model, we think will really kind of accelerate the time to deployment.

Got it. Got it. I have a fun question for you. So NGINX, when it was announced, you knew what you were buying. But a lot of investors were not used to seeing those kinds of acquisitions come in. It was a new concept, it was a new asset, and you felt very strongly about it. And obviously, after the fact of it very successful. Do you have the same kind of conviction for Shape Security as you did for NGINX?

Yes. I do. But the thing with NGINX is the big -- I think the thing that maybe wasn't visible to everybody, there were 2 things. I think there were big questions, hey, you like an Open Source thing. How are you going to monetize that? And what has been clear over the last few years is developers love Open Source, and it's very important to have that brand and that presence with developers. Developers typically don't have budget. People who buy are IT and NetOps people. And we've been able to take NGINX, let developers start with it, but when platform teams who own taking thing into production go to platform teams and monetize NGINX. That made it visible at the time. And the other thing with NGINX is that the number of services that -- what we -- what was very obvious to us is that the BIG-IP playbook of consolidating a lot of functionality and taking slices a different market, all on to BIG-IP that we could do the same playbook on NGINX in just container native environments and add one module after the other. And that's really been the trigger for -- well, the initial trigger for growth was the higher distribution of F5. The new trigger was the addition of the modules, and we're just starting with that and we're seeing the growth. Shape is different. It's that the power of the technology stand-alone when we bought the company was already there, right? There were already capabilities that had very strong monetization stand-alone, both the security and the bot. And a growing road map of these anti-fraud friction removal, I call them, capabilities that would give a full proposition to our customers of not just security, but security and revenue benefits. The conviction for me from Shape comes from the demand I see from customers and our ability to eliminate the friction in moving Shape into production very quickly, when we're already in line of the applications, which is the porting of the capabilities to BIG-IP, Volterra and NGINX that we talked about. That's where the conviction comes from, but the package of capabilities that we acquired day 1 was already world-class and already very monetizable.

Got it. Got it. I think we just put a nail on the coffin and a lot of big question marks. I don't think we would have been able to get to this point, if it was an in-person actually. Just saying. I did want to talk about the 8% to 9% growth next year. And I guess the big clarification is this being driven by secular or cyclical demand and kind of how you guys identify the growth from these 2 kind of drivers. I was hoping we could unpack that.

Yes. I mean, I think it's largely secular. I mean, what we've seen -- and Francois alluded to it, but just the growth in applications, both modern and traditional that our customers have been seeing, has really driven a lot of demand for both BIG-IP and NGINX as well as all the security that's needed to support these applications. And I don't think that that's changing anytime soon. The cyclical question comes up, because a lot of that strength has been manifesting in our systems business, right. Because customers have identified the fastest way to quickly enable that growth is through systems in many cases. Longer term, we do think that they will still look to support very often in a software model, but the underlying growth from that application will drive BIG-IP and NGINX regardless of whether it's systems or software. So we believe that, that growth will continue beyond FY '22, where -- the question is what the growth rate looks like between systems business and our software business.

Got it. Got it. We are out of time. I want to respect everyone's schedules. So Francois, Cooper, I think thank you very much for participating today and spending time with us.

Thank you, Sami. It's been fun.

Thank you.