Fastly, Inc. (FSLY) Earnings Call Transcript & Summary

Good morning -- or sorry, good afternoon, everybody. Thanks very much for joining us for Fastly fireside chat. Today, we're hosting Joshua Bixby, CEO; and Adriel Lares, CFO. And we're going to be talking about the fundamentals of Fastly. The session is intended to dig deep into the offering, the competition, the opportunities, new areas of growth, et cetera.

And I want to start maybe -- Joshua and Adriel, I want to start maybe with the highest-level question. If you can discuss Fastly today and in the future, what are the -- what defines you in the last few years? And what's going to define you in the next few years? Meaning, what -- how are you going to address -- or what opportunities do you plan to address over the next few years?

Great question. Thank you, Tal. It's Joshua Bixby here, CEO of Fastly. I think to understand that, we have to zoom way out. And if you zoom way out, you see that there is a process of digital transformation that has been occurring, obviously, is changing a little bit, and I'm sure we'll get into how that's changing in this pandemic. But fundamentally, what's happening is organizations are looking to build differentiation. They need to transform themselves in many different ways. And transformation from where we sit looks like an organization that has to instrument and experiment, and experimentation is key. And so when you really look at what this means, it means developers that are being empowered in organizations to build differentiation, and that building of differentiation is driven by this new decision-maker, which is the developer. And so to really understand the opportunity we have today and more importantly, in the future, you have to understand Fastly was built by developers for developers. And we are here to allow developers for the first time to see the edge, so not just the web tier and the database tier and the application tier, but these servers that are housed all over the world as part of their playground, as part of what they can use in order to speed up their applications, have their applications scale to global scale and have them be secure. So fundamentally, we believe that all of the data that is now transiting the Internet will benefit from a performance scale and security front by using an edge cloud. We believe and we see this with our innovative customers that the most innovative customers have a new architecture. And that architecture involves their code at our edges. And so if you look at the opportunity that's in front of us today, it's taking legacy mindsets, legacy applications, legacy content delivery, structures and moving them to this modern era so that applications can be delivered completely from the edge. And in the future, it means continuing to layer on top of that security products to ensure that they are protected against distributed denial-of-service attacks, web application firewall, and rate limiting and other products that layer into that and then continuing to expand the types of applications that are in the purview of delivery. I mean right now, we have 300 enterprise customers. We're just at the start of this. Our largest sort of classic competitor, if you think of that, has 8,000 customers. But if you really look at the organizations that are delivering performance and security at scale at the edge, they've got hundreds of thousands of customers. And that's because their products aren't just geared to the largest web-facing enterprises. And I think what you're going to see from us in the future is any workload that goes over the Internet that needs security, scale and performance, we hope, thinks about leveraging the edge cloud in this new type of architecture. That's how we see the future. But it's important to note, we're really at the start of this, as you know.

Got it. So legacy -- you mentioned legacy CDN players, they have flat growth -- flattish growth. You're growing 30% a year. What is driving your growth versus the industry? And then can you discuss pricing trends, pricing pressure? I'm sure that legacy players are putting pricing pressure in the market.

Sure. So I think we are growing faster than 30%, we hope. If we look at what we've spoken about publicly and the change that we made to our guidance, and I think that growth is coming from 2 main areas. One is the market itself is growing. I mean we've got -- we have more content going online. We have more use cases going online, the Internet, and I think it's very clear in the last few months is the lifeblood. It's bringing hope into homes all over the world, and people are changing their habits. I think most of us on the coast in North America, for example, or in parts of Europe feel like everyone is already on the Internet, and everyone's already in the cloud, and everyone is ordering food through delivery services. But it's not true. I mean these technologies are still weakly penetrated across the world, and the opportunity is significant. So I think part of this growth is coming from the fact that the true innovators, those who have built online, choose Fastly, but they don't just choose Fastly. I mean there's a new architecture for the Internet. It's Twilio, and it's Fastly, and it's Datadog, and it's Slack for communication. I mean we are part of a user -- a serverless and user-based -- usage-based model that we're seeing come out of this very successfully. So I think there's an element of that. The other piece of this is we address use cases and we sell to a different buyer. So the traditional content delivery network is an IT product. It sells to an IT buyer. And as I started out with, that IT buyer is becoming subservient to the developer because organizations aren't buying differentiation. They're building it, and they're putting that in the hands of the developer. In terms of price, there are 2 very distinct markets here. One of the markets that is -- sort of overshadows, I think, historically -- or has overshadowed historically is the video-on-demand market. And this is a highly competitive market. This is a market that's comprised of Akamai and Limelight and Level 3 and Highwinds and Verizon Edgecast. And this is a market which is characterized by incredible price compression, very low margins. And price is the dominant sort of artifact. And that's because much of the content that goes over these networks is very difficult to monetize and increasingly difficult to monetize. And so what you see in that market -- so that's one side of the market. We aren't really in that side of the market. We do very little of that high-volume, low-value traffic. So I would say we aren't really exposed to the pricing in that in a significant way. But if you read posts from people like Dan Rayburn and others, you would see that, that is highly competitive. The market that we are in is a market of the enterprise and the very high-value video business, which should be live streaming and video-on-demand that actually feels like live. So when the Game of Thrones goes up, even though that's, in effect, a video-on-demand offering, everyone's watching at the same time, all eyes are on HBO, as an example. That's an example of the kind of thing that those companies are going to pay and think of as valuable. So from our perspective, we do not beat our competitor on price. In fact, we're more expensive in some cases. And we are seeing very little price compression in the value side, which is most of this market outside of the video-on-demand space.

So for those that don't know the company, how do you articulate your differentiation versus the CDN players you discussed, which is the Akamais and the Limelights of the world? And how do you define your differentiation versus the cloud titans who are also offering CDN like Amazon or Google?

Yes. So let's -- there are 4 characteristics or 4 moats that we've built and we continue to expand. The first is very much related to our core buyer, which is we are a programmable edge. We allow you, developer, to bring your code to our edges to ensure that as much, if not all, of your application can be delivered from the edge. And this is critically important. So when the -- when you go to the New York Times, for example, on your phone or on your desktop, that is a conversation with a Fastly server. On that Fastly server across all of our servers, the New York Times has uploaded their code to make sure their paywall is there, to make sure that they have the ability to determine what you're entitled to, what personalization you may need. And the value of having that experience, all of the experience delivered from the edge and not having to route you back all the way to an East Coast Google data center, of course, is performance, but it's also scale and security because at that point, we can enforce all of the security requirements, whether application firewall rules or DDoS. So the first element to compare, the first thing to look at is we are selling to developers. The traditional business is selling to IT. Developers can write code on us. Developers cannot write code on the legacy. So that's the first piece. The second piece is we have built the architecture completely differently. So we have one software-defined modern network, meaning all of our servers run all of our code all of the time. So we don't have 5, 6, 7 different networks. And one of the things that -- why that's advantageous is -- and Adriel can speak to this when we start talking about the financial model, we believe there are some long-term financial gains. But from a flexibility perspective, about 5 years ago, 40% of the Internet was not secure, if not 50%. Today, 90% of it is secure. So if you had a network that you built out over 10 years, which was one secure network for HTTPS and one for HTTP, and you couldn't send traffic from one to the other and there was no interoperability, you start very quickly to find that, that is incredibly inefficient structure and you need a tremendous number of servers. So Fastly has 2,500-ish servers in our network. Our largest competitor has 270,000, 270,000, and we are faster and more performant than they are. So the modern software-defined network is the second. The third and I think not as well understood about our business but we're spending significantly more time telling this story is security in depth. So instead of an approach of cobbling together 5 or 6 acquisitions, 5 or 6 screens and not natively integrating security, we have built a toolbox for security developers and security practitioners to allow them to see what is happening in real time in the network and react to it in real time. So our reaction times are measured in seconds and milliseconds. Our information that we are sharing with our customers, every single request that is coming to our edge is shared with our customers in real time. These are real-time systems on the security front as opposed to batch systems where you're waiting hours in order to see or react. And the last one for me, which is near and dear to my heart, is our philosophy of customer empowerment. We are a usage-based system. We are like the cloud. So tomorrow night, you have inspiration at midnight, you sign up, you're online, and our product is available in 30 seconds. All of the documentation is online. You have full access to the product. You can start using it. All of our pricing is available publicly. You don't have to get a massive professional service organization in order to do that. And that is in stark contrast from what our customers deem the anti-cloud methodologies of the competitors, which is you fill in a form, you call a salesperson, you have to go for a steak dinner. You get a team of professional services people. I mean our largest competitor, before they stopped providing this information, was generating 8% to 10% of their revenue on professional services. And professional services is required in order to make any major changes to the product offering. So I think in that context, those 4 differentiators from the legacy is very important. Now when we come to the cloud titans, I think one thing I -- it's important to emphasize is that we are both a partner and they are customers of ours in many different forms. And I think what that speaks to in terms of our go-to-market partnerships with the likes of, for example, Microsoft or Google or our customer relationships, I think, it speaks to sort of the sophistication of what we've built. And there's been some recent posts, which we can't speak publicly about, around that we're really on the crown jewels of some of these organizations. So long term, I think that there are a few phenomenon that we are seeing. The first phenomenon is many of our customers understand that being locked into one cloud is extremely dangerous. The best way to get a discount from Amazon is to bring Google to the table. And in order to do that, what we are seeing is a very strong desire to have a neutral third party that is able not only to direct traffic from one cloud to the other but also to centralize some of the core functions that are required. I mean whether you're in Google Cloud or Azure or Amazon, you need logging. You need to log. You need to make sure you have a security perimeter, which is consistent. You need to make sure you've got web application firewall rules that apply across all of your web properties. Well, if you are applying that uniquely in Google and uniquely in Amazon and uniquely in Microsoft, that's a big problem. And so I think what we are seeing is an evolution like we saw in the data center. I mean much to Cisco's chagrin when they came out with their blade server architecture and they wanted everyone to use Cisco from the database servers all the way through the edge router, that's not actually what took place in the data center. So I do think we're seeing a replication of the need to have a neutral third party that is able to ensure that differentiation. The last piece on this, of course, is this is a different problem. We are in the most connected data centers -- in the most expensive real estate in the world because that's how the Internet works today in terms of connected points. And so we don't have the luxury of building football-sized stadium data centers next to cheap power in Idaho or wherever the case may be. And so the actual computer science problem that we are solving is very different because we need to do it in a very compact form. None of that, of course, very -- the cloud giants are amazing in their engineering practices, but it is definitely a different problem. And when you refer, for example, to the cloud-front product, which is Amazon, it really spends a lot of its time on the video-on-demand space, and that's been sort of heightened through the Elemental acquisition, which is there's a lot of work that it's doing on that space, and we have not seen it evolve into the enterprise feature set that's required for these really important workloads in e-commerce or financial services or high tech.

So give me an example how you work with the cloud titans. And we don't need to go into names but rather just an example, if there is a major basketball game or a football game and it's being broadcasted. I know that a lot of CDN players are playing together, including Fastly. How does it work? What's the division of work between kind of a cloud-based -- cloud titan-based CDN and between what Fastly is providing? I'm trying to understand the relationship -- the technical relationship between your solution and your partners.

Sure. Absolutely. And so if we use a sort of seminal use case, the Super Bowl is a great one, I think, because it's of that sort of giant scale. And I think when you look at the Super Bowl or you look at Champions League soccer in Europe, the first challenge is that the eyeballs -- there's so much traffic that no one edge network has the capacity today to deliver it and gives you redundancy. So right away, you're looking at multiple options for these very large live, high-value streaming events. So what you're going to do is you're going to go find 3 or 4 edges. And those edges are going to take the stream, and they're going to serve it to most customers. So that's the edge of this. And we would be one of those in that particular case. So whether that's 1/3 of the traffic or 1/4 of the traffic or it's done regionally, people look at this in many different ways. So that's the edge of the tier. There's a middle tier, and this is, I'm thinking not as much sort of from the geographical sense but from a topographical sense. So then you have -- what happens when these edges don't have the content that they need? Where do you go? And that is where you get into our mid-tier, either streaming -- shielding or optimizing products. So we have another product offering because we are so good at the caching and the optimization. In these large event scenarios, all of these edges actually go back to another Fastly product. And that Fastly product, in a particular case, the Super Bowl, would be Media Shield. And the reason we do that and the reason organizations do that is because one of the things they really want their core central cloud to do is to be doing the encoding and to make sure that it can do -- to get these files, which are now very large with 4K ready, but they don't want it to be serving that. That's not its job. I mean they want it to serve it once. They serve it to us. And so we have technology, things like request collapsing and other technologies that allow us to -- for example, for every new segment, we only ask once. So we can tremendous -- with our shielding or optimizing products, we can offload almost completely that central cloud from doing any of the serving work. And then if we don't have the segment in our middle tier, we go back and ask the Amazon instance, which would be regionally distributed, let's say, one in the East, one in the West. And so it's -- we sit -- in that particular example, we sit in 2 of these segments. And obviously, very strategically important to be in that middle tier on these types of events. That's a very high-value position.

Great. You spoke about -- we'll go back to the shielding offering. I want to ask you more about it, but I want to switch for a second to security. Can you discuss your security offerings? What solutions are you able to attach to your core products? And discuss the completeness of the portfolio, the direction of the portfolio.

Sure. So if you -- the thing that is confusing in this market is there are 2 very distinct security buyers in an enterprise. And as you get smaller, these buyers merge into one. And so -- and I think this explains -- our product offering, it certainly explains the SMB product offering. So that, I think, is important. So in a large enterprise, you have an IT security buyer. They're worried about -- me as the CEO, they're worried about me getting fished. They're worried about my VPN. They're worried about my virus scanning, me going to a compromised website. That is an IT buyer. And they are worried about the IT side of the organization. That is not a place that today, Fastly has product offerings. There are some very interesting adjacencies and happy to talk about what that looks like in the future. But today, that's not our offering. We sell to the people, the security buyer who is sitting with the engineers who are standing behind the largest websites in the world. So if it's streaming, it's Spotify. If it's shopping, it's Shopify. And if it's communication, it's Slack. And it is the buyers that take on Shopify's actual product, the sites, that is our buyer. And what that buyer is concerned about is they're concerned about a number of different types of malicious actions. So all of them, honestly, all start from the same premise, which is, is this a bad actor? That's what it starts with. And so the first part of any of these transactions is, is this a bad actor? And it may be 1 million requests from a Russian botnet that are all coming in a second and maybe one kid in the basement, you're always trying to fingerprint, is this a bad actor? And then the next question is, what do I want to do about it? And so there are a number of products that help in this regard. The first most important sort of basic product is I should have my content be secure, so I need HTTPS across the board. So that we have a very strong offering on the TLS side, not only for individual customers, but one of our approaches in the small and medium enterprise space is around enabling platforms to compete. So instead of going after every dry cleaner and restaurant, we go after Adobe Magento as a company. And then they go after millions of customers or Shopify or GitHub for developers. And in those cases, they actually need millions of these certificates. So not only do we have a certificate product for individual customers, we also have very sophisticated products for platform. So that's the first piece. Of course, on top of that, you are going to have large-scale distributed denial-of-service attacks. These are often state sponsored. We have fought many of them against the regimes that you would expect. And they come with a very little notice and are incredibly sophisticated. So we have a number of very sophisticated distributed denial-of-service protection product offerings for our customers to ensure that they are protected and to give them basically insurance, to make sure that if they do get hit by one of these attacks, they aren't in a position to pay massive overage because these attacks can be humongous compared to the normal bills. So that is volumetric and really attempting to overload the organization. The next piece of this is web application firewall, and this is protecting against malicious actors who are trying to do cross-site scripting, trying to get your -- getting to your databases, trying to find -- I think of this as sort of less of a scale, slightly more sophisticated, and you're trying to find ways to mitigate those types of attacks. So we have a product offering in that space. And then there are 2 other elements to this. The first is rate limiting, which I want to say, okay, I don't care who these people are. But if you're coming from this location, there's no way you should hit me more than 100 times a second. And that's a product that we are -- don't have in the portfolio yet as a GA product. And then we partner on bot mitigation. Bot mitigation is more about -- less in some ways about the volume of it, but more in people trying to scrape your site, do -- elements of credit card fraud or credential stuffing. And that is a partner-based product today. We go to market with some key partners. I think what we talked about at the earnings call, we were asked the question in the last quarter, was those are 2 areas that our customers are coming to us and asking for our security and depth story to go deeper so to have a unified story arc there, and those are certainly areas of investment for us. And those are the main elements that this web security buyer is thinking about today.

I cover many companies in the space. Some of them are legacy. Take, for example, F5, right? So if you ask them, what are your areas of expertise, they'll tell you, DDoS and WAFs, which is exactly 2 products you highlighted. So the question is...

Correct.

What makes you better in protecting against these kind of attacks? Why you and not any other platform solution in the market?

Yes. So there are a number of attributes, and we've listed some of them. So the first that comes up over and over again is programmability and the ability to not only have programmability but real-time access. So we, for example, have real-time -- we have real-time logs. We have real-time configuration. And these attacks are very much cat and mouse game. So you make a change, and you need to propagate around instantly and you need all of these logs. And it's not just about configuration and propagation time. It's also about because these are developers now and not the IT people, they actually are looking for this information in a different way. So we have a vast relationship of logging platforms that we integrate intimately with. So Splunk threat intelligence is an example of this. We're right out of the gate. You're a Splunk Intelligence user and instead of this sort of walled garden approach, which is taken by many of the application delivery controllers or these other players where they expect all of the logs will be consumed in their product, all of the insights will go to their product, we take an approach that actually mirrors our buyer, which is they want best-of-breed. So we are not going to build every single feature because our developers are very used to an integrated approach. So they use Datadog, and they use New Relic, and they use Splunk, and we enable that as opposed to being a battle for those particular territories. So I think that one of the things we hear is programmability, interoperability and the ability to include us in that developer mindset. That really sets us apart. The other elements that set us apart of the same things in delivery and actually commensurate with our name, we're fast. I mean you look at our average time to run our set of WAF rules or you look at how quickly we can find and mitigate just in terms of the processing, like we are lightning fast and incredibly scalable. So this serverless notion, which we're starting to see, which is, hey, developer, don't worry about how many F5s you have. Don't worry about whether you have the right licenses. Don't worry about any of that stuff. That's our business. We're going to have a usage-based model with you, and we will take responsibility for scaling up and scaling down and doing everything like that. And traditionally, that hasn't been the business models of these companies. I know that some of them are attempting to move in those directions, but that's not how people experience them today. So I think there's an agility and integration of performance. Ultimately, all of that leads to more security and more control.

Great. So Joshua, one last question before we switch to Adriel. Many of your recent wins, you highlighted Origin Shield, you highlighted Media Shield products. Can you describe these solutions and how they are differentiated?

Sure. So really, they're very unique in the market. And as I described in that Super Bowl example, but it really transcends, is there is a need -- and this kind of ties it all together. So it's a great question. There's a need to have organizations have a layer within their architecture, which allows them to go to different clouds. There's a layer which requires -- which mandates centralized logging, centralized security. So these layers, this particular layer, which sits right at the -- right near the edge, but not the edge, is very, very important in both transitioning customers from one cloud to another but also one edge to another. And so it really has 2 functions. In the video example that I talked about, it has the function of really offloading the Origin, which is the case in almost every example. So I would think of it as an offloading product that allows you to have scale. And then I think the other piece of it is more along the lines of standardization, which is all -- no matter what cloud you use, no matter what edge you use, you can ensure that you are using one standard security logging system or whatever the case may be. And I think with the advent of Compute@Edge, which is a product we have in beta right now and which is coming out in GA, it's going to be increasingly more important, this particular layer, because it's really the place that developers are going to innovate.

Great. If we have time, we'll get back to Compute@Edge, but I want to discuss -- Adriel, I want to discuss the impact of COVID-19 on short-term demand. How is it playing out?

Yes. We certainly saw an impact from COVID-19. And Artur, our former CEO and current CTO, actually put out a blog post that was really interesting, which really highlighted what really drove a lot of Internet usage, which, given the customer set that we have, sort of experienced them to also show increased usage and then ultimately for us, sort of impacted us in Q1, really the last 2 weeks of Q1, really March 15 through March 31. And that was probably the peak points where folks were truly in sort of anxious point to check in the Internet, et cetera. And I think what we found prior to giving guidance in the early part of May was that most of April had sort of subsided to a new level. It was lower than that point in mid-March to the end of March. It was certainly higher pre-COVID. And I think it was fairly broad-based, whether you were checking the news or streaming the latest Moana video or you're sort of watching the latest live event, whatever that might have been virtually, or even just shopping online. I think we saw this across our customer base fairly broadly and fairly consistent, which then sort of gave us sort of the data points we needed in order to sort of give the guidance that we gave. So you saw sort of a meaningful increase relative to sort of the guidance -- excuse me, relative to the consensus that was already out there for Q2. And then just based on the research with working with Artur, we generally expected that folks would come back to sort of a more normal situation starting July 1 or so, basically starting Q3 onwards. So that's how we have sort of built up our guidance outward from Q3 to Q4, but you're sort of seeing that sort of higher level reflected in Q2.

Got it. Adriel, when you went public, you said that your target for gross margin is about 70% plus. You're now at about 60%. What drives your gross margin higher?

Yes. From here and to probably the mid-60s, it will be continued just scale. We will buy bandwidth in greater amounts such that we'll get a better unit pricing there. Our peering as a percentage of total traffic that we have will increase. We're probably, call it, 40-ish percent today. We believe some of the legacy players who are at scale are probably near 70%. We think we'll get some benefits there as well. We're in about 55 markets around the world. We think we need to be in about 100, excluding China, to cover the world. And I think once you get closer to that sort of critical mass, I think we will begin to see additional leverage in colocation facilities which is more of a real estate cost, that's sort of a component of COGS, as well as labor, which we've actually begun to see that more recently in terms of that leverage point because we haven't had to add the same rate of people in terms of the rate of revenue growth. And then ultimately, in the other category, which has a lot of allocation from the G&A portion of our business, hopefully, we will begin to see additional leverage within G&A, will then ultimately have an impact to gross margin. So that will get us to sort of that mid-60 point. I think beyond that, you will see further investment, as Joshua hinted at, with respect to security offerings and most importantly, with Compute@Edge. And the one key thing to remember with Compute@Edge and with some of the security offerings is that they are not necessarily, and specifically in the Compute@Edge case, bandwidth intent. That is -- we will be producing or taking on compute that normally would have existed at the central server or a data center, wherever it might be, from a customer's location and put it at the edge. And then you're not necessarily having to transport a lot to and from, which should actually also deliver a lot more leverage because you're not necessarily using bandwidth.

And is there -- that's probably my last question before we run out of time. Is there a differentiation based on type of customer or type of application -- gross margin differentiation that you're seeing?

Yes. Indeed, there is. I think if you think about it individually from sort of left to right, if you think about some of our live streaming customers, they're not necessarily utilizing some of the security offerings. I do believe there's opportunity in the future for Compute@Edge offerings. But today, they're not utilizing the offering, and they have bandwidth sort of COGS impact to us. Whereas if you move to digital publishing or e-commerce or financial services, those types of customers are more likely to use our security offering, and hence, they're also less bandwidth intensive. So their gross margins are much greater, which when you blend them together and you blend the mix that we have, that's what generates the current mix that you see today.

Got it. This was the fastest 35 minutes of my life. It's like speed dating. It didn't start, and it's already over. So I want to thank you sincerely for your openness to share with us the basics of the company. We ran out of time, unfortunately. And to the investors, if there is any question, please don't hesitate to call me or send me an e-mail. And if I don't know the answer, I'll forward your question to management. Thank you so much.

Thank you.

Thank you, Tal.

Thank you. Take care.