F5, Inc. (FFIV) Earnings Call Transcript & Summary

Excellent. Well, thank you, everybody. We're about to get started. Welcome to the F5 fireside chat at Goldman Sachs Communacopia and Technology Conference. I have the privilege of introducing Frank Pelzer, CFO; Kara Sprague, and Chief Product Officer. Frank has been at F5 since 2018, joining from SAP where he served as President and COO. Prior to that, Frank was CFO of Concur Technologies before it was acquired by SAP in 2014. As Chief Product Officer, Kara has a responsibility for the company's entire portfolio of multi-cloud app security and delivery solutions. She joined F5 in 2017 to run the ADC business from McKinsey, where she held various leadership positions across their technology practice. My name is Michael Ng, and I cover F5 and Comtech here at Goldman Sachs. We have about 35 minutes today, inclusive of Q&A. So if you have any questions at any time during the session, just raise your hand and we'll get a mic runner over to you. So first, Kara, Frank, thank you so much for being available for us today. It's a privilege to be able to host you guys on stage.

Thanks for having us.

So over the last several years, F5 has expanded beyond security solutions and security is about 1/3 or a little bit over 1/3 of revenue today. Could you just start by framing F5's history and leadership in ADCs and what makes that a natural extension into app security and the initiatives that F5 is pursuing to do more in app security? How much of this is an evolution driven by changing customer needs or something else?

Sure. And before I respond, I want to get our safe harbor on record. So please note that our discussion today is going to contain -- may contain forward-looking statements, which involve uncertainties and risks. Our actual results may differ materially from those expressed or implied by these statements, and please see our SEC filings for more information on those risk factors. So thank you for that. So to your question, F5 rose to leadership in ADCs in the early 2000s, and that was a result of the enormous performance, the capability and the programmability that we built into our BIG-IP product family, which is F5 historical product family and was F5's only product family until we acquired NGINX in 2019. People tend to think of these ADCs as very focused on traffic management and more load balancing. But because of the role that an ADC plays in the line of traffic for a customer's application, it's also a really great place to put security capabilities. So think about entry into a bar, the place you put the security is at the door, right? That's where you put your bouncers. And so a similar concept here in terms of ADCs that you can tie security into the proxy. So we began adding this application security functionality, and we put that in more than a decade ago. This enabled customers to then start consolidating multiple functions. So instead of having multiple vendors and tools along the application data path, they were able to do their load balancing and their web app firewall and some of their DNS and some of their DDoS all in 1 box, and that was the F5 BIG-IP ADC. So in the 2010s, as cloud started picking up speed and it became much more apparent that the future of the world was going to be more distributed and that application components, because of the rise of containers and microservices, were going to become a lot more fragmented and hosted and in a bunch of different places, we understood that, that was going to create a lot of important and significant challenges for customers and how they think about their applications. And we committed ourselves to being able to secure and deliver and optimize any application, any API no matter where those applications and APIs were hosted. So with these distributed applications, I would also add that the threat surface area is dramatically expanded and different. No longer do you have basically this kind of walled area where all of your important applications are sitting, but now your applications are running in all of these in different environments, spanning on-prem, multiple public clouds and edge environments and the components themselves are disaggregated into smaller pieces. And so that naturally means that your threat surface area is much, much bigger. And given today that we sit in the data path, that application data path of about 40% of Internet traffic, and we handle a large portion of that traffic daily in terms of hundreds of exabytes, we think that we are uniquely positioned to offer increasing value propositions to customers as they continue to optimize the security and delivery of their applications.

Great. Just sticking on the topic of ADCs for a moment. I was wondering if you could talk a little bit about what the typical refresh cycle might look like for ADC appliances? How often do they need to get replaced? And what are you bringing to market with things like the rSeries that's helping to drive refresh upgrades and new features?

Historically, F5 has released a new generation of our hardware appliances every 5-ish years. Now that might vary for different factors. And so it's not a hard and fast rule. And prior to the most recent generation of our rSeries, the last appliance that was released in the 2016 and 2017 period. So we're at about a 5.5- to 6-year cycle right now. And a lot has changed in the market and in our business. And what we've seen over the last several quarters, there's been customer caution around the macroeconomic environment. That has resulted in a lot of customers, what we call, sweating their assets. And so they basically run their existing appliances beyond what they would otherwise operationally be comfortable with doing. And they also drive -- they postpone the refresh, and they do that by driving higher renewals. As a result, what we end up seeing is that for our maintenance renewal business, especially for appliances that are 4 years and older, that has actually picked up and driving an increase in our services revenue, whereas our product bookings business has seen declines because of that macroeconomic factor. Now in rSeries and VELOS, as you mentioned, that's our next-generation system, the ones released most recently, and we're still in the middle of that refresh cycle. They bring really strong price performance value to customers. So typically, when customers go out and they take the next generation of a physical system, they're expecting price performance impact. That's a very standard expectation and vendors have to deliver on that. However, on top of that, and what customers and the market has not yet fully appreciated is the amount of innovation that we have packed into these systems. And if you want me to go down a rathole, I can talk about all of the cool things in here, but it includes elements of automation that makes them much, much easier to operate and maintain. There's also elements that make it much, much easier for customers to upgrade and migrate between different versions of BIG-IP and eventually other types of tenants. And I'm also really excited to say that as a result of all of these dynamics and what we're seeing with the hardware business, the hardware business remains a strong part of F5, but we've been very successful in also expanding into software. And our software footprint as of last year is now more than 50% of our business.

Great. And that's a good segue. I do want to ask about the evolution of F5's portfolio of solutions for both on-prem and cloud-based solutions like BIG-IP and also NGINX. How have you seen workloads and customers go between NGINX and BIG-IP, or use both solutions within their data centers? And maybe you can just talk a little bit also about the interoperability between BIG-IP and NGINX?

So BIG-IP and NGINX serve different kinds of applications. BIG-IP, it was something that was architected and built in the early 2000s and the kinds of applications that has been serving tend to be applications that were built and architected from that time up until, call it, the mid-2015, mid-2018. And those are all what we would describe as traditional architectures for applications, so monolithic applications, client server applications or client 3-tier applications. Once you -- once containers evolved -- past about 2014, container native applications and microservices are now the de facto development model for new application development. And so there's a whole bunch of new applications out in the market that are these container native and microservices-based ones. And that's where NGINX fits. And the reason why BIG-IP doesn't work there is literally BIG-IP does not fit in a container-native environment. BIG-IP has a footprint running of about 1 gig, sometimes bigger. And NGINX, on the other hand, can run the footprint of less than a floppy disk. So that's about 1:1,000 the size of a BIG-IP footprint. So it's important to recognize that there are fundamentally different technologies that serve different application needs and have different footprints. And an analogy you can think about it's kind of the difference of what would you use an 18-wheeler for versus what would you use a sports car for. So that should give you the intuition of how the 2 are different. So as I talked about it, just to summarize them, BIG-IP is for those traditionally architected applications that require a lot of protocol sophistication, a lot of programmability, very robust set of services. NGINX is lightweight, highly scalable, highly performant with more straightforward or less sophistication in its protocol coverage. And what we're seeing in the portfolio because we get a lot of questions from analysts and from customers and say, another shareholders, stakeholders of how are we thinking about applications migrating between these things? The reality is we don't see a lot of applications migrating between our product families because when you talk to customers, they are building a lot of new applications, but their work is less focused on the modernization of old applications. And so what we fully expect, if you look out 5 years from now, we expect the majority of our customers will be customers of many of our product families, including BIG-IP, including NGINX and including distributed cloud, which is our SaaS and managed services capability.

Great. I think that makes a lot of sense. And you touched on this earlier in your comments about how F5 is in a natural place to address application security. So I was just wondering if you could expand a little bit on that. How would you define what F5's security portfolio looks like today, and how those security products and those delivery products really work together to create comprehensive solutions for your company -- customers?

Sure. So I talked about our roots as fundamentally an application delivery company. We started out in the late '90s as a load balancer for helping dot-com companies figure out how to not take down their servers when they got a lot of demand. So that was our roots. But I also talked about why once you get that critical space in the line of a customer's application traffic, it's also a great place to start putting on security. So by the time I joined F5 in 2017, our sales team was already adamant that the vast majority of their sales conversations were security led. And so we have that distinctive value proposition in application security for a number of reasons. One is because of that control point in the line of application traffic, but also because we tend to be infrastructure agnostic. So what that means is that customers can deploy consistent security policy and consistent mechanisms in their security regardless of where their application logic is hosted. That is not the case if they go with a public cloud-native solution. And that's not the case if they stick with one of their on-prem security solutions. And so the fact that F5 capabilities, whether it's BIG-IP, NGINX, or distributed cloud, are consistent across their on-prem and public cloud deployments and edge deployments is a real advantage and differentiation for the portfolio. And then, at the same time, I talked about our different deployment options. We are also offering customers a range of consumption options, too. And so that's another advantage that customers see in consuming from us is that regardless if they want a perpetual purpose-built hardware thing because that's what they're used to operating in their on-prem data center, or they want a consumption-based SaaS capability, they can still get that policy consistency across them. And so when you start looking at the reality that customers have today, which is they're no longer dealing with an application footprint that is limited to their data center. But in many cases, we're seeing a large number of customers -- our estimate from our latest research is 85% of customers have what I call a complex application portfolio that has both legacy and new components as well as spans on-prem, public cloud and edge, 85% of customers. Those customers are looking for a partner that can provide a thin layer of abstraction for certain services like their application security, and that's where we come in.

Great. And as you think about the security portfolio and all the opportunities that you have in application security, do you see any gaps in the portfolio or other adjacencies that you might be able to expand to that could make the whole portfolio of solutions more compelling?

So in terms of gaps, no, and I'll say that because I'll just talk about what we have today. So today, we have the broadest and deepest portfolio of application security offerings, and we believe that we are the only solution provider in the market that can secure every app, every API anywhere. I know that sounds like a marketing tagline, but I am saying, we are the only solution provider that can secure every app, every API anywhere, and that's a tremendous value proposition to customers. Just to ask anybody to start talking about how they responded to Log4J. Second thing that our portfolio today has is we have a leading solution. We were literally just named as the leading solution by SC Magazine for our web app and API protection offering, which is a SaaS-based offering that includes the web app firewall, API security, anti-bot solution and DDoS. We also have numerous industry analysts that make us a leading solution in our web app firewall solution on BIG-IP. We have a similar web app firewall capability on NGINX. And then when you start looking outside of the web app and API protection space, we also have a portfolio that contains rich solutions for anti-bot, layer 4 and 7 DDoS, we have identity and access management. We have traffic break and inspect. And so the portfolio is quite extensive. And that portfolio that I just described, which we have today already competes in markets of tens of billions of dollars. So we're feeling very good about how we're positioned, and we're feeling very good about the chess pieces we have on the board. Now we do also frequently and very regularly evaluate our market landscape changes and also look at what compelling adjacencies our customers are asking us about. And so that is a part of our ongoing evaluation process. But at the moment, there are no burning gaps.

Great. Tying it all together, could you just talk about how this all rolls up into the distributed cloud services platform to bring a unified offering to your customer? What progress have you made in onboarding customers and adding potential new features to that -- to the platform?

Yes. So distributed cloud is really exciting. This is an offering that we launched about 18 months ago. And so it's very -- it's relatively new in the market, but we're seeing incredible momentum and excitement in our customer conversations. We primarily serve, with distributed cloud, two use cases. One of them is the web app and API protection use case or WAP, which includes API security, which, if you talk to any customers, if you frequent the halls of RSA or Black Hat, API security is the pain point that customers will talk about if you ask them about application security today. And so we have a very, very strong offering in that space. Also on distributed cloud, the second major use case we service is something that we call secure multi-cloud networking. So this solution addresses customers that do have those infrastructures that span on-prem, multiple public clouds as well as edge. And what they're looking for is an abstraction layer and simplification in how they operate across them. So there's a lot of complexity if you try to do this yourself in terms of the Layer 3, 4 through 7 networking across these different environments. And that creates a lot of opportunity for error and also a lot of security holes. But the fact that we have a capability that offers multi-cloud networking at the Level -- Layer 4 level, and it goes all the way up to securing that multi-cloud network because we cover Layer 7 as well, is a differentiating point for us. And we also offer that capability as a SaaS-based model as opposed to most of the other solutions today are packaged. So those are the 2 big use cases on distributed cloud. In addition to those 2 primary use cases, we also have some supplemental capabilities and services. So we've built out a DNS offering on it. We have a CDN capability on it that has been supplemented by a January acquisition of a company called Lilac Cloud. And we are continuing to extend the portfolio of services.

Great. I was wondering if you could talk to some of the changes in the F5 consumption model, right? You're doing more software, more subscription, that improves visibility into revenue and revenue growth. How much of the business is underpinned by multiyear subscription today? What are the typical terms of those subscriptions, and which services kind of lend themselves to more of a subscription model?

Sure, sure. So let me take that one, Mike. The -- we have -- when Kara came into the business, we were sort of a single-product company that offered perpetual licenses, and that was it. And what we have found is that as we've evolved our portfolio of solutions, our customers really value the flexibility that we offer them in terms of they can either consume perpetually, they consume through a subscription or they can frankly consume through a consumption or utility model. So we offer all of that flexibility to our customers. Not every product fits in each one of those buckets. But our goal, over time, is to normalize our product portfolio so that customers really can select from that basket of choices. That lends itself then to what we have as our flexible consumption program as a master agreement, if you will, for how customers may want to consume those solutions. That's typically a 3-year term-based model. There are some of our solutions that are offered only through a SaaS solution, and that's going to be a ratable revenue recognition. Now that flexibility does come with complexity, particularly in the way we model the business, the way investors have to model the business. And -- but we're willing to make that trade because our customers truly, truly value that. What we've seen in terms of visibility, though, over that period of time, again, flashback to 2017, 2018, where 90-plus percent of our revenue was through perpetual hardware. Now today, with over 50% of our product revenue coming from software, and in the last quarter, 87% of that was through subscription, we do get better and better visibility into what that's going to mean. With our ratable business, it's obviously very easy to model. For our term-based business, every 3 years or so, we get a new revenue recognition under 606. And so you will see some fluctuations in quarter-to-quarter what that revenue is going to look like. But as we get to the second term or the third term or the interim beyond, more and more of that software revenue is going to come through a renewal cycle as opposed to selling the new business cycle, which will give us a lot more visibility in the out years.

Great. That's really helpful. One thing that's obviously been top of mind for the market has been trends in enterprise spending. As enterprises more closely scrutinize budgets, F5 has noted that some customers have delayed or canceled new projects. Could you just update us on the latest that you're seeing here, and when you potentially expect these trends to start to reverse? And then on a related topic, we talked about refreshes. Like how long can customers actually delay refreshes on things like ADC and security before performance starts to get impacted?

Sure. So I'm going to take that question as of what we talked about in July. I'm not going to update anything inter-quarter. But what we talked about in July is that we saw a stabilization of demand. Now at -- a bit at a much lower level than what we would have expected going into the year, but it was an improvement from the declines that we had seen in Q1 and Q2 of our fiscal year. And so that was good from our perspective. If we take a look at the dynamics, I think they were similar between hardware and software, but for different reason. On the software side, we noted at the beginning of this fiscal year that our software growth rate depended on a little more than 50% coming from new business activity. That isn't necessarily new logos, but customers expanding their footprint with us or new customers coming to us. And then a little less than half of that was going to come from renewals. On the renewal side, we've actually seen that perform quite as we expected. On the new business side, particularly on the transformational deals that can be rather large, that's where we saw a tremendous amount of scrutiny, particularly in Q1 and Q2. A little bit of that got freed up in Q3, but again, at a lower level than what we would expected coming into the year. On the system side, I think, in hindsight, we're probably what we thought was just pure natural demand in COVID in '21 and '22 could have been some pre-buying into '23. And you're seeing customers work through the consumption of that, especially as supply chains have released, and we are able to actually work down the backlog that we built in FY '21 and '22. And so that is sort of a natural demand cycle that we do expect to come back more fully, particularly in '24 and beyond from depressed levels of what we've seen in '23.

I did want to just follow up on that a little bit. Just given where you expect to exit the year, could you just expand a little bit more on the setup going into fiscal '24 for system software services?

Sure. Yes, yes. And what we talked about at the beginning of '23 is we had a much larger backlog than we are used to running as a business. Our typical backlog is $15 million to $40 million at the end of fiscal year. You never know. We have 2-week lead cycles, in good times we never know what we need to build. And so you're always going to have something that falls into the next quarter. But we were seeing that at $231 million. So about a quarter of what we generally would see in hardware revenue in our backlog, not as big as some vendors out there, but still sizable in relation to us. And we just didn't know what the buying patterns were going to be. As we've worked through the year, we have seen more and more of that backlog being consumed because we are able to improve our supply chain and our ability to deliver that product but that's going to create probably a 6% to 8% total headwind for us in revenue going into FY '24. And we've talked about that. And so that will be "a revenue headwind" from the backlog reduction that we've been able to see, but for all good reasons.

Right. While certainly appreciating the comps from the backlog recognition in 2023, F5 has said that they expect to deliver double-digit EPS growth in 2024. Maybe you can just reconcile that. Obviously, some of it is cost management.

Yes. Most of it is cost management, Michael. So we are dependent on much of any revenue growth in '24 to achieve our goal. Now we did have to pull back a little bit from the statement of double-digit EPS growth in '24 to the pretax because of some of the benefits that we've seen in our tax rate from R&D tax credits and other foreign entities making -- foreign countries making determinations on tax plans have been a benefit to us in '23. But on a pretax EPS basis, we absolutely expect to have double-digit EPS growth. $130 million of that was coming from just the salary reduction of a 9% workforce reduction, and we'll get the full benefit of that rate -- that run rate in '24. We had about 5.5 months in '23 of that. We have also looked at some of our IT spend rationalization. So if you've got 3 collaboration platforms, can you do that in 1? If you've got cloud spending for workloads that have been built up and in development, but aren't still being used, but the meter is still running, can we get more efficient looking at those type of areas? We've looked at headcount -- I'm sorry, we looked at facility reductions based off our headcount reductions and our return-to-office policies. We've taken a look at event spending. We've looking at T&E. So we've uncovered all of those rocks and really focused on that. We do have a little bit of a headwind because in '23, we had an artificial reduction on -- of our corporate bonus plans to make sure that, that was in alignment to the revenue loss that we saw. And so in '24, that will be a headwind going in. But we've taken all that into account when we've talked about a target of 33% operating margins for FY '24.

Great. Why don't I squeeze one more in before I see if there are any questions from the audience. But just as a follow-up to that point about at least 33% EBIT margins for 2024. Maybe you can just talk a little bit more about the puts and takes. Obviously, you have the $130 million of savings, but how are you thinking about productivity, pricing and product mix as well?

Yes. So all of those factors that I mentioned, pricing is not going to be a big dynamic actually, pricing is probably a little bit of a headwind, particularly in our Services business where we had an uplift to our services revenue this year from some of the price increases that we put in, in FY '22, which took effect on the renewal cycle. But really, what we are seeing are the cost reductions that we already put in place in April plus productivity improvements. We are specifically using AI in some of our service and product development areas to get more efficient, but we're looking at standardization and automation and other areas of the business. There's going to be no stone unturned to look at for that efficiency, but all of that is sort of baked into that 33% operating margin guidance.

Great. Any questions from the audience? Maybe I'll just ask about the backlog. You mentioned the $15 million to $40 million as your typical backlog. And I think on your last earnings call, F5 have also said that they expect to substantially work down the systems backlog through the end of...

End of fiscal '23.

End of fiscal '23, right? So could you just remind us, are the supply chains completely behind us at this point. Will we go back to typical starting 1Q '24?

Knock on wood, yes. But I never underestimate what a macro environment can do and other policy decisions. But we've got -- I think we are back to where we were pre-COVID of, you're always going to have with 2,000 components in a box, some issues somewhere. But we're not seeing the same level of dependency across all of our hardware platforms on a handful of vendors that really were going through some serious straining and impacting our ability to ship product. And so that's the good news. I think on the demand side, that's still what we're trying to work through of when that will sort of change. I did fail to mention, I think, in the other question, when we've seen sort of a slowdown in demand in the past, when people sweat assets, as Kara was mentioning, for us, when we look back at late 2000s, early 2010s, 2 cycles that we went through, it was generally 4 to 6 quarters of slowdown before customers did snap back. Now I think a little bit of the difference here is the reason was the supply chain crunch now as some of that product has been shipped. I'm not sure the snapback is going to be making up for all the demand that we didn't see, but I think we will be in a better place in '24 than we were in '23 from some of those factors. I don't think supply chain is something that we are as concerned about now is we certainly were for the last couple of years.

Great. How is F5 positioned to participate in all this investment around generative AI infrastructure? And then how are you thinking about implementing AI into your products or into your internal processes?

Yes. I think we're positioned quite well. So if you think on an overall basis and look at what F5 is most -- F5's revenue and business performance is most tuned to, we are fundamentally tied to the growth in applications and APIs, APIs being a subclass of applications and the traffic flowing through those. That has driven all of our business dynamics for the 25 years that we've had in history. And when you look at the broad adoption of AI technologies, not just generative AI, but broad AI technologies, that is going to fundamentally be another accelerant the number of apps and APIs that are out there in the world. And those apps and APIs struggle from a lot of similar security challenges that regular apps and APIs do. And so there's an existing set of opportunities for F5 to attach our existing product base into those new workloads. In addition to the fact that there are some unique threats and risks that these AI-based workloads have. So folks are probably -- or maybe they are familiar with. There is a OWASP organization that traditionally is a public organization that categorizes the top 10 threats to different kinds of applications and workloads. So there's an OWASP top 10 that WAF vendors or web application firewall vendors deliver again. There's another one for API security that vendors work against. And there's equally one for large language models as well as one for machine learning. And in fact, F5 team members are leading some of the efforts to define and classify what the top 10 are for those last categories. And so that is a net new opportunity for products and capabilities that F5 is very well positioned with our capabilities and expertise to serve. So that's one dimension of it. Specifically in our products, much like you see these generative AI tools being used to enhance usability of other kind of products as kind of co-pilots A lot of opportunity in our product set for doing that as well in addition to using those technologies to surface insights into the hundreds of exabytes of data that I said, flow through our stuff already. And then you heard Frank mention AI and AI's potential in terms of transforming the productivity of several of our functions, right? So our employee base is about 6,500. We have a very large group of engineers. We have a large group of customer support personnel. And so if you think about anything from code support to case -- customer support case deflection, those are great opportunities for us to implement some of these tools and technologies.

Great. Why don't I see if the audience has any other questions. Great. Frank, maybe I'll kick a last question over to you. Sorry, was there a question there? Okay. Just on capital allocation, F5 committed to returning at least 50% of free cash flow to shareholders via buybacks. Maybe you could just expand on capital allocation priorities, how you're thinking about balancing buybacks with investing in the business and more M&A?

Frankly, our attitude towards this has really not changed since we talked about it in November of 2020 at our last Analyst and Investor Day presentation. And so -- at the time, we had stopped our share repurchase program. There was a lot of tech debt that we settled through some inorganic means. And so we were in the process of integrating those technologies. We had a sense that we were going to be acquiring one additional company in that, and Volterra has become a critical glue for our distributed cloud and the platform that we've been able to design around that. But at that point, we felt pretty good that we've got now the portfolio in place. Kara mentioned that earlier, and it was wonderful. But we -- at that stage, we said, okay, we're going to go back to at least $500 million for the next 2 years, then 50% -- at least 50% of our free cash flow going towards share repurchase. The rest of the balance of what we could do is higher than that for share repurchase, or we could use that for inorganic means, and that's the balance that we've kept since. So no change in that capital allocation policy going forward.

It's a good way to cap off the session. Kara, Frank thank you so much for joining us on stage today. It's a privilege to be able to host you.

Thank you.

Thanks so much. Appreciate it.