F5, Inc. (FFIV) Earnings Call Transcript & Summary

Thanks for joining us, everybody. We've got F5 here in this bleed-up-to-lunch session, and so I appreciate everybody in the room. We'll save some time at the end for questions if there are any. But joining us on stage, starting at my far left, Cooper, the new -- newly minted CFO, but not new to F5, but newly minted CFO of F5; and Kunal Anand, Chief Innovation Officer. Is that -- that's your title? Okay. Well, thanks for joining us, gentlemen. I think before we start, Cooper was going to start with a quick...

Yes. I'll jump into the safe harbor. Thanks. So please note that our discussion today may contain forward-looking statements, which involve uncertainties and risks. Our actual results may differ materially from those expressed or implied by these statements. Please see our SEC filings for more information on these risk factors.

All right. Now we can talk about updated guidance. Now we've got that out of the way. All right. Well, thanks for that. F5 has gone through a really -- it's been an evolving story over last several years, and certainly, the focus on cyber and the focus on software. Maybe just level set us, maybe from a technology perspective on what the company's primary focus are? Because it's a different company than it was a couple of years ago, let alone 5 years ago.

Totally, yes. Let's go back -- in the way back when you [indiscernible].

Yes, please.

And when F5 was created and when we saw growth initially as an organization, it was specifically around helping organizations load-balancing the application delivery in physical data centers. And that was a really important thing to do. So application delivery performance. And then you've got to see the initial era of application security. And so web application firewall became really important. We get into this ADC 2.0 era, we call it that, where organizations now start to move workloads to the cloud, and there is this big question of, "Where are these workloads going to reside?" And of course, we saw the inflection with mobile, during that cloud era. So we saw applications turning to APIs. We started to see new types of security issues, new types of things on the horizon, including fraud, bot attacks, denial of service, nation state issues. And now with a little bit of AI in the mix today, we're in the sort of third era of application delivery and security. And in this third generation of ADC, it's just totally different, because we're now hybrid in multi-cloud. Organizations are not in a single environment. The enterprises that we work with, it's common for them to be in 6 or more environments, and that can be on-premises, that could be in a variety of cloud environments. Their application delivery needs have changed. Their application security needs are really, really critical for them. And we are seeing organizations combine both of these things in their brains. We don't just need delivery or we just do security as separate things, we need these things to work and operate together. A broad sea change in terms of what the landscape and the technology looks like. And we've been there with all of those capabilities. So whether it's delivery, performance, secure multi-cloud networking, some zero-trust capabilities, web application and API protection and now some stuff around the enterprise AI delivery [method].

And I think that -- this is -- I cover a lot of companies that are -- very much hybrid. It feels like, I don't know if we were sitting here 5 years ago, it's like everything is going to the cloud. And I think the pendulum swung far that way. And it feels like hybrid is the new norm. I still get the question like how is F5 relevant in sort of like for the next 10 years? And it feels like it's all going to come down relevancy to hybrid cloud, and that is the new norm. And I guess how are you helping customers think through that hybrid mentality?

Yes. Look, what comes down to a couple of things. In a hybrid modality, for physical data centers, organizations are still typically deploying hardware appliances or hardware solutions. Performance is paradigm. So for them, they get the highest quality hardware paired with the best software in the world to fit those environments. But we see organizations that have gone to virtualized environments or they go to things like Kubernetes, we're there for them. Just a couple of weeks ago, we announced a BIG-IP for Kubernetes, so the ability to bring big IP into the modern workloads in these environments, we think is really important. Or if people want to consume it as a SaaS platform, we can meet them there as well. So choice and flexibility is important. And on the hybrid notion, we think that there is an element -- multi-cloud networking is really important for folks that want to bridge between these environments. And we're seeing some great places where organizations are leveraging us for application activity in bridging networks and also application migration. So more of that Layer 7 work as they're kind of across different cloud environments.

Okay. A couple more, and then Cooper we'll flip to you. But you've been spending a lot of time talking about sort of like the broadening distributed cloud platform. Just level set us for what's included there? And like when you think about that expanding platform, what does that look like in a year or 2 or 3 from now?

Look, when you look at the overall landscape today, you see organizations that have these cloud points of presence, right, large cloud PoPs. And I think about companies like the Akamais of the world, CloudFlare's of the world, et cetera. And so we are no different in that. We offer a point of presence as well. One of the unique things that we provide is for those organizations that want that hybrid deployment, where they want to be able to deploy that same set of technology, same exact products, same exact service, same exact set of features in their environment, they can do so. So our points of presence, we call them regional edges. We also have something else called the customer edge, where an organization can basically take the essence of our regional edge or PoP infrastructure and deploy it in their environment. And so this means they have that consistency, they have the multi-cloud networking, they've got the application security pieces. What I'm excited about is what we've been able to do and what differentiates us from our peers is not only can we shield right and help people with load balancing and security in production, but we can also shift left, and we can give people risk discovery. This is a huge topic for CIOs and CISOs. So prior to joining F5, I was operating as a CTO and CISO at Impreva. And one of the top things when you go and you talk to CISOs globally, the #1 thing in their risk registered is around data breach and data exfiltration. And where the biggest gaps right now in the infrastructure, it's not at the data layer, it's through applications and APIs. And so the cool thing that we've done through M&A that we did over the last year, we have the ability before people deploy applications to production to identify risks in those underling applications and in those APIs and with the tight integration that we have in our platform, we can actually go in and allow them to click the single button to mitigate. Now it doesn't fix the root cause of the source code or the weaknesses or the vulnerabilities there, we still have to do that. But the nice thing is it provides them an air cover. So we can do risk discovery and we can do risk buy down. That's what I love about what we have in the platform today is we can be that one-stop shop for those organizations and especially for the CIOs and CISOs that need to find and identify those risks and buy that risk down.

We've got a lot -- we got -- there's a lot of I want unpack there, but maybe we'll just pivot to Cooper a second. You talked about stabilizing demand. And actually, you've seen improving results. And the question that I get asked from a lot of folks, and you guys have such a broad perspective on IT buying, is like do you think we've seen the worst? And obviously, there's some idiosyncratic elements to hardware and other things that you guys are exposed to, but maybe some others aren't. But do you think -- where do you think we are from like an economic demand perspective? And acknowledging you guys have had some pretty strong results recently?

Yes. So we think that we're in a period of stabilization with customer budgets. So we're not anticipating a material improvement to the macro or immaterial increases to customer budgets, but our customers do have better visibility and accessibility to their existing budgets. That's allowing them to move forward in a more orderly fashion with new projects. We're not seeing the same kind of friction around approvals at the end of these deal cycles. And so that's helping. In addition to that, customers have a better understanding of their architecture going forward. So they have a better feel for which application workloads are going to live in a data center, which ones will be public cloud and so on. And so that's giving them more confidence to move forward with some of these opportunities, because they no longer have that uncertainty that they may be investing in the wrong technology or overinvesting in one model and underinvesting in another.

What do you think -- is that just general economic just more certainty around things or maybe less uncertainty?

No I think it's more certainty both on an economics perspective. But also, you got to remember that a lot of customers who are undergoing a lot of change in their own operating models in FY -- calendar '22, '23. There were changes with their rating teams. And so they had to get to those changes to then kind of be in a steady state with our operations. And we think that they're there now. And so that's allowing them to move forward with some of these larger projects.

The other question I wanted to ask you, and I know CFO is embedding any sort of December budget flush with their outlook. But do you typically that? Have you seen that kind of -- even just like on a hardware whether, hey, I have extra CapEx dollars, I'm just going to deploy them now because I'm going to lose them. Have you seen that historically?

Yes, we have some -- it's not super common, but you'll notice sometimes in our Q1, which is calendar Q4, we tend to see more perpetual software especially with service providers, and that can be tied to CapEx budget that closes at the end of the year. So it's not typically a major driver of our Q1 results, but we do see it from time to time.

You have seen it. Okay. And I can imagine you're probably not assuming any real benefit this Q1?

No, no. We typically just -- when you're looking at the individual quarter, it's more about what's in the pipeline and the current close rate that we're seeing.

And like through 4Q close rates, close rates seem to be improving?

Yes. The last -- second half of the year, we saw improved close rates and just more predictability. The sales cycles were back to kind of more normalized durations.

Yes. Okay. I want to get to some of the cyber questions, but you sort of teased out AI a second ago. What is F5's role in helping customers think through adopting AI and leveraging AI with increased bandwidths and increased data security issue, and we'll get to the security piece. But maybe just like what is F5's role in enabling AI for customers?

We've seen 3 really interesting use cases in the work. It's still early innings in AI, but we're winning opportunities there right now. And so one example is data ingestion. A lot of people have to move a lot of data around how they work, whether it's retrieval augmented generation, where they have to go and get better value out of these language models or if they want to go and train these models. That requires effectively moving a lot of data in between the structured, semi-structured and unstructured data source and these AI factories that have deployed. They will typically rely on an organization that can provide an ingress controller or high-performance ingress controller right in front of those data stores. And so that's a role that we can play at F5, where we can sit in front of those data stores, effectively do the load balancing, the traffic management and the security work in front of all those things to make it really efficient to move the data around. That's part one. Part two is intercluster and intra-cluster balances as well, and that's super important because the organizations that are out there that are building these AI factories and homogeneous sets of technologies, whether it's CPU, GPUs, DPUs, we find that a lot of organizations that are doing that because of how stochastic and variable F5 is, right? They need predictability. They need low balancing in front of that stuff. And so they need to load balance between the different AI factories that are out there even between cloud capabilities and local capabilities as well as intra-cluster load balancing. So a few weeks ago, we announced that BIG-IP with Kubernetes with NVIDIA, and the fact that we can now run on NVIDIA GPUs, the BlueField-3 DPUs and that's huge, right, because effectively, we can bring the years of experience and technology to run these modern environments. And that's a big leap for us, because we've been, for a long time in the building technology to run into the Intel, [AMD] x86 ecosystem and to run on top of the NVIDIA ecosystem requires us to run this code on top of mod, because of a big deal. And then the last example of this is specifically around API security. And you touched on cyber. APIs glue the whole AI ecosystem. It doesn't matter if you're calling open AI or a local model or between an application and any one of these different services or capabilities, they're going over APIs. And we think it's really important to do things like discovery, data analysis like what is the data that's moving between your applications and these AI solutions and then the ability to block.

Well, you see, that was literally my next question. It feels like you guys are in an enviable position with the traffic flow that you see to look at data exfiltration or sensitive data, what role does F5 have in the future there? Because it feels that's a competitive market and a lot of people are kind of getting at that with kind of deep inspection. What role does F5 play in kind of the data governance, data security landscape?

Look, I came from Impreva and we were focused on data at rest. And I think there's -- that's a very well-established market. But that's not the biggest problem that people have. It's data train issue. And the one thing I love about the BIG-IP technology that we have is years and years ago, F5 have ended up building this set of capabilities and BIG-IP called APM, that's around access policy management. That allows companies to do things like break and inspect, and we have many organizations globally that rely on the technology to do that level of breaking encryption, if needed, to do the deep packet inspection, where we can do things like data analysis today, we can do it directly inside the product. We can also connect to the broader ecosystem of people want us to connect to a different deal and then we can reencrypt if we needed to. And so we have organizations that are already using that. And in order to do that, you need an incredible data point. So you need high-quality software to be able to do that statefully, and then you need high-quality hardware underneath to do that. So we've been doing this for quite some time. And yes, absolutely over time you think about the fact that more organizations are relying on APIs, more people need to know how beta is moving around. I think there's a clear for organizations to get that level of visibility and observability. That's important for CIOs right now.

One other question here, and then I'll come back to you, Cooper. The other thing, I've always -- it struck me that you guys have a real opportunity or like you should be a relevant like SASE vendor just relative to where you're sitting in the network. And with points of presence, like how do you think about that market? Because obviously, it's competitive and there's a lot of going after it, but -- is that an intriguing opportunity?

Look, SASE is interesting from the perspective of what it is trying to be. I'll start there, which is people who are typically deploying SASE and I'm thinking of companies like Zscalers, et cetera. You're typically deploying those technologies because you want to bring your internal employees to applications and services, I get that. But I think if you zoom out a little bit, I think what's more intriguing isn't SASE itself, it is the concept of zero trust architecture. That is the part that is really intriguing. And so what we've been focusing on is things like access policy management, privileged user access, being able to do a federal authentical to internal systems, east west as well as North-South. That is the place that I think you're going to see F5 play a bigger role in not necessarily bringing internal users do internal applications, but that overall North-South and then the cascade and East-West flows that result from that.

And so what happened -- from a product perspective, what inning are we in sort of realizing some of that opportunity? Because it feels like that could be massive in and of itself.

We are already helping some pretty large organizations with the zero-trust network security, in terms of leveraging BIG-IP or NGINX to specifically deal with some of those ZTNA principles which were already in place there. So I think we've got the right technology to go after that.

Okay. Okay. I could keep going on this, but I'm going to make sure Cooper doesn't fall sleep over here. The question that I get all the time, and I'm curious for your perspective, the election just happened and we're still sort of not through it in terms of like thinking what the ramifications are. But I get asked the question, and I'm sure of curious on your perspective, there's obviously talk of lower corporate taxes, maybe increased tariffs, Dodge trying to make the government more efficient. What is your perspective on -- could any of that be a benefit to F5? Or is there -- maybe could tariffs negatively impact kind of the hardware ecosystem?

Yes. So the tax rate, of course, would benefit if we saw a 7% drop in the tax -- the U.S. corporate tax rate, that would -- or sorry, a modest decrease in the tax rate that would carry through. It's not likely that we would see benefit from that. And we're speculating here, but it likely would be up by 26 at the earliest. So that would help drive our overall profit growth. From a tariff perspective, there could be a modest impact. Again, it's a guessing game as to what tariff rates would be and where we would see them. The majority of our product is now software. So it really would show up in our component costs. We have pretty high margins even on the hardware side of the business. The direct COGS is kind of in that mid-teens as a percentage of our systems business. And so that would be the part that would be exposed to tariffs. And then we would have to evaluate how do we pass some of that through or not. So these are all kind of things that will be evaluated over the next couple of years. I don't think it's going to have a major impact to our gross margins over time. Now whether or not it impacts demand, we would see.

What about from a federal exposure? I tend to think software could be an enabler for more government efficiency, because it just feels like the user experience from a federal perspective would certainly improve. What is your -- do you think like F5's role in federal could improve with maybe whether it's us talking about AI or just government is becoming more efficient?

Yes. I mean absolutely, that's one of the big draws for our technologies. We can help customers, whether they're enterprise service provider or the federal government get more efficient in how they deploy their infrastructure, security remains of paramount concern, especially in the federal government. And so we don't think that that's an area that would be where the demand would be negatively impacted overall from any efficiency initiatives. So I think, potentially, there's a little bit of a tailwind on driving broad efficiency into those environments. And then security will continue to be a big driver of demand.

Have you talked about what your public sector exposure is?

Yes. We break that out. It tends to be in the kind of mid- to upper single digits as a percent of revenue over time. Now it varies quarter-to-quarter. September quarter is typically the higher quarter for that space and then kind of the mid-single digits for most other quarters.

That's helpful. All right. Flipping back to the product side. If we're sitting here a year from now and sort of like what -- you're sort of coming out of a lab and you're thinking about like from a product innovation standpoint, what are you most excited about for the next 12, 24 months? Are there things that -- I mean we probably talked about some of the things already, but like -- are there some incremental things that you think the product folks are going to be investing from F5?

Yes, look, I mean, I think number one, when you look at application security in general, applications have fundamentally changed. They're no longer just these large monolithic apps. We have APIs now. APIs makeup a massive chunk of public Internet traffic, even more internal traffic as well. So I'm encouraged about what we're seeing on that side. And I think you can expect F5 from a technology perspective to go a little bit deeper around what we see around APIs, additional protections, additional capabilities, improved discovery and things like that, that I think will really be important for CIOs and CISOs, especially if they try to get their arms around the API set of problems -- of course, AI is always interesting well. And again, early innings, it's going to be exciting to see how that develops, like what is the future in the data center. How is that -- that future of the data center going to evolve? Are they still going to be in the same set of physical appliances? Or is it going to be the same software that's running in a different form factor, it could be GPUs, IPUs whatever that might look like? So it's going to be exciting to see some -- flexibility is going to be important for organizations like F5 to be agile to meet the customer where they're at.

Yes. From a competitive standpoint, could you talk about thoughts on Citrix these days? And then I also want to double-click on Broadcom, VMware because obviously, there's some pricing pressure that Broadcom is putting on some customers there. Any kind of comments on the competitive...

Yes. I mean I expect just what we're seeing in the marketplace and then if you want to talk technology-wise. But yes, we are seeing -- there's definitely that dynamic of some pretty substantial price increases that some of these peers are introducing to their customer base. I think it's causing some disruption and frustration with customers, and it's really driving interest in evaluating alternative solution. So there's an opportunity, and we're starting to see that in some competitive takeouts. I won't name specific companies, but that momentum has increased. It's driving some of the hardware demand that we've been seeing. We try to take a more thoughtful, holistic approach to our pricing as we look ahead with customers and really just kind of monetizing the value that we're driving with our innovation, but doing them in a more sustainable fashion with our customers. And so pricing is an opportunity to kind of help drive a higher growth rate over time. But again, doing it in a way that is more sustainable with our customer base.

Yes. from a product innovation standpoint, have you seen any change competitively, whether it's some of the folks that we mentioned?

Yes. Look, I think what we've typically seen is some of those agency players like let's say metrics, they have not made the appropriate investments on innovation in categories like API and [indiscernible]. And so I think what we've seen is it's mostly relatively static and stagnant ADC capabilities, stagnant with load balancing capabilities and networking capabilities. Nothing really that's pushing more to the application side or to the API side that's solving these more modern challenges that people have. And certainly not flexibility in form factor not to run as a service or as an ingress controller or something in the Kubernetes environment and definitely not with a DPU or an IPU. So I think what we're finding is that some of those other players in the traditional ADC market, they have not made the right innovation. They haven't made the right move. And some of that might just be because they have not invested in the underlying data point. They have not invested in terms of what we've been doing on the F5 side, underneath the hood in BIG-IP is something that we called TMM, the traffic management micro current, the most sexy name I have. So the idea behind TMM is it is built around performance, it's built around speed, and it's also something that it's software, which means that we can literally take this and move this anywhere. I think what we found is that so many of the other players in the ADC market don't have that portability, they don't have that flexibility where they can bring the power of TMM to different environments. Some of that is just so locked into the hardware footprint that they have. And that gives us that optionality and it gives customers that flexibility of where they want to deploy the stuff.

What about -- that's helpful. That makes a lot of sense to me. Then within like VMware's, what are these [indiscernible] forget what that business or they changed the name a couple of times? How do you think about that? I guess, with NGINX in particular, like how do you think about that opportunity?

Yes. Look, I mean, I think -- so what Cooper was saying everyone who is a VMware customer right now is reunderwriting from first principles. How they want to continue leveraging that technology and how they want to continue leveraging the software capability. And so for us, I think there's one part of it switches. A lot of these big companies are kind of reunderwriting why and what they want to do from a deployment perspective, if they want to say virtualized, if they want to move to more consumerized workloads, if they want to do something else, that's a little bit different. We will meet them wherever they are. So to be really clear, if they want a consumer being on VMware, we can meet them with a virtual appliance or BIG-IP. If they decide that they want to change their architectures, and they're looking at the same type of interest controller, we can meet them with [indiscernible]. It's a tail of -- it really comes down to like where do they want to be and how do they want to protect themselves. And we'll provide the same capabilities, as I mentioned, whether it's load balancing, both application firewall, et cetera, we'll give them the appropriate ingress controller. It could be BIG-IP, could be NGINX...

It sounds like, really the ultimate flexibility from a customer perspective. But I think from an investment perspective, I think a lot of people would have to look at you guys as kind of more on the negative side than others, right?

Yes. I mean that's really always been our approach is providing choice to customers technology-wise, meaning their applications wherever they reside, commercial model -- finding the commercial model that fits their business model. And so we have systems, software, SaaS-based services. We have perpetual term-based subscription, SaaS utility. So it's -- we're trying to find the model that long term is going to fit best with our customers. And that's proven to be very beneficial.

I have a capital allocation question for you, Cooper, but I don't know if there's any questions from the group here. If you do, you can raise your hand, whether it's now or in the next 5 minutes, let me know. Not yet. So yes, capital allocation, how do you -- I mean, one of the other things is people are wondering, could M&A pick up a bit with the new administration. How do you think about overall capital? What is your philosophy on capital allocation? I guess, how do you think about M&A playing a role on that?

Yes. So I'd say no real change from what our approach has been for the past couple of years. We've done some smaller kind of tuck-in acquisitions over the last couple of years and have been very beneficial in terms of driving new functionality for customers to get better visibility into their threat landscape. As an example, we've been able to bring some new talent into the organization, but larger M&A is something that is -- not necessarily something we think we need. There's no gaps in our portfolio that we see, that we need to address with the larger scale M&A. It's not to say that we wouldn't continue to look and be open. But right now, it's more likely to be kind of in the vein of what we've done over the last couple of years. And then just in terms of how we use our cash, share repurchase continues to be our primary vehicle. We've committed to doing at least 50% of our free cash flow. We've done much higher rates than that over the last couple of years, and that's going to continue to be our model.

And then is -- if growth accelerates here on software -- continued software mix shift, how do you think about then from a margin perspective, would -- kind of thinking -- not just this fiscal year, but just longer term, how do you think about the margin progression with an accelerated top line deployment model?

Yes. So we expect that our operating margins will continue to go up. We increased them pretty substantially in the last year. We guided to a 140 basis point improvement in FY '25, but we would continue to expect operating margins to go up. A lot of that is that software subscription model. The cost to serve our customers continues to go down as more of that business is coming through in the renewal motion. gross margins, it's also beneficial, but we're already in the kind of 83-plus percent range. So it's a little bit harder to move the needle from there just because the margins are already so high, but we do see some opportunity to continue to improve the gross margin over time as well, driven by the software mix continuing to go up.

Okay. And then maybe from a technology perspective, I'm always curious, you guys are on the front line of innovation and you're talking to customers. And do you have any like interesting predictions from a technology perspective on -- obviously, everybody wants to talk about Gen AI and all that kind of stuff, but do you have any sort of like crystal ball predictions on, like from a tech perspective, what we should be thinking about?

I think cybersecurity is one of the most important...

Still.

Yes, still. I think the nation state attacks that are happening are in the same when you kind of take a step back, some of the campaigns that are run against critical infrastructure as well as some of the biggest companies in the world. It's so...

Mind-boggling when you see it on the ground.

It is and then also the software supply chain, can be underestimated as well and the attacks in the overall supply chain. Most people don't realize how many software component, open source components are in one of these deployments. And all of them are going to be targeted by all these things out there. So I just think that's still issue #1 for a lot of CIOs and CISOs right now is dealing with risk, risk discovery, and risk buy down top of mind.

And like from a cyber perspective, obviously, there's dedicated folks in that space that are -- that's all they do. Does F5 have to change anything to kind of be thought of as more like a first-party provider from a cyber perspective when you're competing with the Zscaler or Palo or some of the firewall vendors?

Yes. What was very encouraging was earlier this year, we ended up getting ranked by IDC in their market scape as the leader in web application security and that was awesome to see. And so just a testament to the fact that we've been either acquiring or bringing in the right pieces or developing the right technology on web application, API protection and bot protection as well. So I think we've got the right pieces to go after this and we really help customers.

Yes. Well, it feels like there's a lot of positive momentum both in growth and it sounds like you've been margins and who knows maybe we haven't seen the worst of the economic cycle and maybe some -- there's some green shoots in front of us. It feels like you're still maintaining a level of conservatism in the guidance, which is always appreciated from our side. But seems like there's a lot of green shoot opportunities on the product side to keep folks excited. So we're out of time. But listen, I really thank you, guys, from all of us at RBC, thanks for coming here. It's -- Cooper, congrats on the role.

Thank you, and it's great to be here.

And best of luck, guys.

Great. Thanks.

Thank you.