Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

All right. We will go ahead and kick it off. Thanks, everyone, for joining us on Day 1 of the Goldman Sachs Communacopia + Technology Conference. I am Gabriela Borges. I lead our cybersecurity effort here. And I'm delighted to have with me on stage Michael Xie, Co-Founder, President and Chief Technology Officer of Fortinet; and Keith Jensen, CFO. Thank you for your time.

Michael, I want to start with a little bit of a conversation on the architecture. And most of those conversations with Fortinet start with the ASIC, but I actually want to put the ASIC aside for a moment. When you look holistically at the market share that you're gaining in secure networking, what are some of the IP advantages and some of the technology decisions that you've made with the company that you'd highlight as driving some of that strength in addition to the ASIC, which I think is better understood?

Sure. So I think at Fortinet, we are both proud and also we felt very effective that we have what we call a full stack. So obviously, when people are talking about software stack, we actually extend that to the ASIC -- the hardware stack as well, but then we can talk about that later. But the fact is in our business, it's cybersecurity. And we're essentially driven by 2 things, right? One is how the attackers try to find like a vulnerability to breach into the enterprise network. And because of the ever-expanding attack surface, that basically evolved from the operating system to like the cloud and to IoT, all the devices. And I think second is more about compliance or how the CIO or CISOs wanted to build up their infrastructure to defend against potential breaches. And that basically requires us to have the stack components can be deployed both in the cloud, on-prem and cover pretty much all of the assets from IoT devices to storage. So I think like over the years, we've seen that these 2 like driving factors continuing to push the boundaries. The attackers have evolved into very sophisticated and especially these latest possibly nation state-sponsored attackers, very -- super sophisticated. And also, I think for a lot of the enterprise CISOs, CIOs, they have, over the time, started to adopt very effective, I guess, what we call it, architectures or enterprise models where they can have layered defenses. And then they can use very effective security operations to basically discover the breaches and defend against those breaches. So our business essentially is to build out a full stack to support the need today of -- could be very international, global enterprise with very distributed footprints and with assets everywhere, but yet they wanted to secure every single one of them against these attacks. So I think at the 10,000-foot, that's sort of the technology architecture we're building.

And I think about your conversations that you've been having with the company around AI since the time the company was founded essentially. Talk to us about what your AI road map looks like today. Are there a couple of milestones that you're excited to hit and problems that you're excited to solve for customers?

Yes, absolutely. AI is very, very exciting. And we believe it's -- we're sort of in the starting phase of that revolution. It's going to continue to evolve. But obviously, like what AI has been done in the past 20 years, it's going to be like fluctuate. It's not going to be like straight line going to the sky like any technology. So I want to just take a short history back. We've started the AI -- I mean this AI, machine learning. There's sort of a bigger concept. Essentially, what's been effective for us on the technology side would be like reinforced learning using the machine to basically figure out the stuff that's really hard or too big for the human eyes to spot. We've started doing that with the things like malware analysis, threat analysis almost a decade ago, and we've made like a lot of really good progress over the time. And the general, I think, AI technology starts to -- really caught the public's eyes I think maybe a couple of years ago when the OpenAI with the ChatGPT. I think the new sort of genre of AI, well, you could actually generate human readable, understandable language, natural language, which opened up a lot of new doors for us from the -- generating the right contents for consuming in the technical support and until we started the research into, in fact, how we can even do this without human intervention at all by generating, for example, the configuration files, generating direct languages that the machine can understand so that you can deploy all these devices into the places without even like human understand what's going on. But obviously, we need to still measure the results. So there is still a large, I guess, gap to fill from where we are until where we want it to be. Obviously, there's challenges on where the data come from. A lot of large customers, they don't want their data to be shared with other people to train the model. And also, like how do we determine the test data, the effectiveness? Like when we have a model, how do we know that it's effective? Like the threats identified, were they real threats or are they false positives? So there's a lot of the human involved in that. But I think overall, AI can be super effective and can -- like even today, we rely on a lot of that to do our threat analysis, threat discovery. But I think maybe in a few years, we'll be like in a place that we couldn't even imagine today with the latest technology advancement.

I wanted to also ask a question from a customer-facing standpoint. So Michael and Keith, you're both talking to, at the enterprise level, Fortune 500, Global 2000 companies that have road maps for their own adoption of generative AI and AI. How do those conversations intersect with customer plans on security, meaning does it change the type of security that they're looking for or the amount of product that you can sell into the customer?

I think I'll just maybe comment on the technology side, and I'll leave Keith on the -- more on the financial side. I think on the enterprise -- large enterprises, I've spoken to a lot of the CISO -- like visionaries. And I think almost all of them have a very big plan on the AI, at least for the long term. And in the near term, obviously, there's AI security. They want to talk about this, for example, like the data poisoning or how do they secure the data center to get things started. So we obviously were looking at -- I think right now, the most relevant technology still will be very fast data center firewalls as well as data protection. But I think over the time when things start to go mainstream, I think there will be like a lot more challenges on how to protect these really global enterprise for the AI plan that they plan to put in place. I mean there's still plenty of challenges, obviously, to be worked out.

Yes, I would just add to Michael's comments. I think that to your last point, Michael, unfortunately, I think if you look at cybersecurity, the history of it is that it tends to follow digital transformation. By that, I mean the new workloads and new use cases, the new ideas are rushed into production and development. And then maybe a little bit like we saw with COVID and work from home, all of a sudden, you're backfilling the security. So there has been a little bit of a lagging, which is not uncommon, I guess, if you will, approach to some of the AI solutions. That's perhaps a challenging comment. On the more less risky, if you will, I would say that in conversations I've had with customers and my peers, the use cases that jumped out very early on were, to me, one step removed from offshoring. And by that, I mean let's use AI to help us write our scripts for our earnings calls or let's use AI for FP&A use cases or customer services. I mean they aren't -- I think we'll look back at those things 2 or 3 years from now and find them somewhat simplistic compared to what AI can actually become.

Yes. I'll just maybe add a couple of more comments. I think today, on the technology side, AI is very effective if you have a clear definition of the problem, like playing chess or [ Go ] or like recognizing the handwriting of the letters and characters. Those are very well defined, and then you can test them positive, negative. However, when things are less clearly defined, for example, writing a good quarterly earnings scripts or like detecting an unknown breach, there's still challenges like how do you actually be effective and know that you are effective. So I think that's where a lot of the dollars are actually going into research to basically helping AI to be more effective in solving those problems.

I want to ask a more specific ecosystem question around AI, which is if you think about your typical data center today where you're putting GPUs in the data center, the GPUs will get faster and more efficient over time. And alongside the GPUs, you need to have storage, interconnects, networking switches, et cetera. It feels like in some instances, the networking equipment creates a bottleneck to how quickly the GPUs or the ecosystem as a whole can move. So maybe talk to us a little bit about that. Do you think that the networking and the security around the data center is a limiting factor? And associated with that, do you think that you can see an uptick in data center firewall demand tied to the build-out of data centers tied to AI?

I think on the macro side, I -- so I would need to get some data. But I think on a micro level, I do see there's been a surge of interest in building data centers, that including the GPUs, the CPUs, a lot of network equipment. A lot of the larger enterprise, including the banks or global -- Forbes 100. I don't know this is like if I can put into the -- quantitatively into the macro environment. They're lacking some data. But I do see a lot of interest of moving back from the cloud to an on-prem data center. And I think, in turn, that could translate into a lot of the network gear and security gear purchase for the more traditional networking companies or like firewall companies like us.

Yes. I would -- just from a demand viewpoint, if you will, and what we're seeing in the market and maybe using ourselves as a bit of an example, as we look at our SASE go-to-market approach, we are using a cloud provider to get to market very quickly. But at the same time, we're building out our own infrastructure with our own PoPs and our own data centers. It comes with a different cost structure. So obviously, that's very appealing to us. And it also perhaps gives us a little bit of better ability to deal with some of the issues that may be coming down the road related to data centers, including power availability, connectivity, capacity, et cetera. I think we're familiar with Microsoft and some of their conversations about CapEx is really the gating item, if you will, for the growth. So I think you can take what we're doing in response to that and what Michael is talking about is some of our customers where you're seeing an increasing interest in their own data centers. Workloads seem to ebb and flow in terms of being in the cloud or being on-prem as companies continue to figure out which use cases work best in which environment. I don't think any of us really believe it's going to be a one size fits all, everything goes to cloud, everything stays on-prem. But rather it's going to be this constant flow back and forth. And with that, the company-owned data centers, I think, continue to have legs to them.

Keith, I want to stay on the topic of demand and specifically a comment from the earnings call around a firewall refresh being more likely in '25 than it has been in 2024. Maybe talk to us a little bit about some of what you're seeing in the pipeline and indications for refresh into next year and some of the basis behind that statement.

Yes. I was thinking about this over the weekend. And when I look at our own pipeline and the enthusiasm, if you will, inside of the company -- and I'm not suggesting it's 2022 all over again at 35% product revenue growth. But when I juxtapose that against what I'm reading in the financial press about concerns and what the market did last week, I mean the -- it kind of gives me a pause because I've seen 2 very different realities, if you will. Early in the year, we talked about there was a possibility of seeing some firewall growth, whether you call it a refresh, renewal or what have you, in the second half of this year. As we've gotten further into the year, that appears to be, as I said, more likely in 2025. I don't have a great crystal ball, but I do have some indicators that suggest that 2025 will be stronger than 2024. Many of you probably heard us talk about days to register service contracts and that return to normal. If you look at our own inventory that we have on hand, our inventory balance was down about $100 million in very round numbers. I think that's $350 million at the end of June. That's a very good indicator. So we start looking at those things. We look at the pipeline. We start to see a little more tailwind. We do, of course, pay attention to what our competitors are saying in their firewall view, and I think there is some consistency that things look better than they did 6 months ago.

It's interesting that you called out the juxtaposition between what you're seeing in the pipeline than you were reading with respect to the broader economy in the press. How do you think about the way that plays out into the end of the year? And the one hypothesis I wanted to ask you about is, if you have a budget that's set for the year and you're intending to spend $100,000 on network security and the first half comes in seasonally weaker, does that then set you up for a stronger budget flush as you go into the end of the year?

Yes. This is the time of the year. It's kind of like the holidays. We talk about budget flushes, right? Everybody gets excited about it. Last year, we set a company record in the fourth quarter. We did 6, 8-figure deals. Loved it at the time. I'm not enjoying the comparisons right now that I have to go through. But I would say one takeaway from what we saw last year was that the budget flush, those large deals, it's really started to manifest itself towards the end of the third quarter to the fourth quarter. You don't start seeing it early on. I would not say that when I'm looking at the pipeline, when we set the guidance at the beginning of the -- for this quarter, that I was looking at a lot of 8-figure deals. Have a couple of things come up that maybe could perhaps happen in the fourth quarter? Sure, but that always does. I think we'll know more about the budget flush opportunity really over the next probably 60 days. I do think the election probably will create a little bit of uncertainty around some of those deals. We did have a conversation with a customer last week who was absolutely working through a bunch of flush with us. But keep in mind, that's a sample size of one. So I wouldn't draw great conclusions from it.

Well, I think on the other hand, right, I think there's -- obviously, there's macro economy. There's the election. The budget flush, that's sort of the one aspect impacting the purchases. But we also find there's still other areas, for example, like our own technology refresh. Like for example, when we released the FortiSOC5 and then we started to build appliances we call the FortiGate G models and then we start to see a lot more interest and then just spurt from the new generation of products which are several times faster than the older generation and the performance is a lot better. And I think another factor is the firewall, the terminology indicated is decades-old technology, but then it's just the content of that terminology continue to evolve. And today, the firewall includes VPN, SD-WAN, Zero Trust and SASE continue to push boundaries of the features. And when that growth starts to meet the customers' new demands, I think that also becomes an impact -- factor for the customer's purchase decision.

I want to stay on this idea of pushing the boundaries on the features and SASE. So let's talk a little bit first from a product standpoint, Michael. When I think about Fortinet's progress in SASE, you started out with an incredibly strong SD-WAN solution, and you've been building out the various pieces of that to get to a strong single vendor SASE solution for this year. Where do you think you are in terms of integration on single vendor SASE? And are there a couple of product milestones that you'd call out in your road map that will catalyze the next phase of adoption for SASE?

Sure. I think SASE is my favorite topic. Both have a lot of customer interest. And then obviously, we have a lot of activities inside the companies on the development and features. So I think one thing kind of unique for Fortinet is that we build a lot of things organically and grow, which is why the single SASE for us is -- it's a much easier problem to solve. We have all the components, the firewall, the SD-WAN. And what we need to do is essentially we could operate the SASE infrastructure, and we have a partnership with Google Cloud almost, I think, more than a year ago, which provide us with a quick access to a lot of the data centers around the world, sending the traffic much faster than just the traditional ISP and combine that with our own -- Fortinet owned and built data centers. We have like wide coverage of the networks. And what makes it easier for us is like a lot of the companies, they try to say, okay, SASE is cloud only, cloud native. They built specific software to run in that cloud environment. But then what we did is we just take the FortiGate. And it's both VM and hardware, and then we put in the data centers. And that basically -- because we have the whole stack, so that carries most of the computation load by itself. And we also -- definitely, we don't want to stop at just to sort of offer the SASE as traditionally defined. Our internal culture is we want to continue to innovate. And what we find is like if you look at the traditional on-prem protection, right, SD-WAN firewall versus SASE, and using our terminology, the only difference is that the SASE network is we operate, we administrate everything for the customers. I mean they still have some flexibility in the sort of configuration. But on-premise, they own hardware. They operate it. And then -- but what about that large gap in between, right? So I think like we've been sort of filling up gap with our technology that's sort of enabling, for example, our partners to offer SASE-like capabilities. And we've seen large enterprise, they wanted to offer SASE themselves. And so we've been doing that, well, since we started the SASE journey. And I think fortunately, Gartner came out with the terminology just a couple of months ago because we called it private SASE. We tried to call it something else. But then I think we go with Gartner's terminology to call it sovereign SASE, right, because essentially, what it is, is sort of between the traditional SASE and on-prem. It basically allows like a sovereign entity, right, enterprise or MSSPs to operate that security network and then basically either sell it to or offer it to the end user, just like the way that any SASE vendor would. So we try to continue to innovate this technology, the business model. And then I think a lot of the customer would find there's various degree of adoption they can get into by having all these different models that we can offer.

And when you think about private SASE or sovereign SASE, how does that impact your business on the branch office firewall?

I think speaking with some of the CISOs or MSSPs, I think it's great because we -- obviously, we are a very -- I don't know if we can say 100% channel company, but I think we're very heavily channel -- rely on the channel to do our business and then this -- the channel including a lot of MSSPs carriers. So I think a lot of them are less comfortable with the traditional SASE because it's -- the vendor operate that directly to the end user, and they would actually embrace the sovereign SASE model because they actually put them into the driver's seat and then to offer to their customers. So I think there's obviously a lot of interest in that model.

Yes. I think that's a little bit interesting on SASE. If you -- you'll talk to somebody in a little bit that's very focused on very large enterprise customers and their SASE solution versus a company like ourselves that has 600,000, 700,000 customers. And we're hearing more about the expansion of the SASE market, if you will, in different forms or use cases. Michael talked about sovereign SASE or private SASE. We're hearing a lot about resiliency. We were hearing about resiliency prior to July '19. That was a topic of conversations with -- in those industries that are heavily regulated. I think you're also seeing with the carriers and the service providers their own version of private SASE. And they've spent a lot of money, a lot of CapEx, building out their infrastructure. And they want the traffic to continue to flow over their infrastructure. They prefer not to see it to go to a cloud provider. So I think that the SASE market, which actually was defined, I think, fairly narrowly maybe 2 years ago, is actually starting to become something much larger than what's everything contemplated.

And Keith, as you see your customers look to SASE, is there a way to think about which cohorts in your base are most likely to adopt the first or are most likely adopting first today? And we're about a year on now from the wholesale education that you did with the Salesforce to be able to go to market in a more holistic way. So talk to us a little bit about how that's going and maybe a little bit on how deal sizes change when you successfully cross-sell.

Yes. I think the -- in most places, if you told that you have a very large customer base that you could sell something into, you'd be rewarded for that. I think we sometimes get criticized because we're selling into our installed base. But when the installed base is that large and we have a relationship with the customers, I think it's shown to be extremely successful. I think it's moved faster than at least I thought it was going to move. When we look at the pipeline growth, we're starting to see the improvement in the close rates. It is something that -- and Michael has kind of touched upon it, but in the conversation about the ASIC, just to be clear, SASE is part of the operating system. And really the ASIC empowers that operating system to continue to add more and more features and functions, whether it's SD-WAN, whether it's SSL encryption, whether it's SASE or what have you. And I think that when you look at our installed base of customers, they've become very comfortable with that combination of the ASIC in that operating system. And it tends to be "easier sell" to go back and sell them another feature of that operating system, which is SASE.

Keith, a few of your competitors talk about changing their pricing models. And what I mean by that is more flexible commitment terms, more flexible bundles, enterprise license agreements. As the Fortinet portfolio has broadened, which of those types of pricing models make the most sense for your customer base? And are there things that you're exploring to make it easier for customers to buy?

Well, Michael is the internal champion of what we call FortiPoints and FortiFlex. So I'll probably let him talk about that in a little bit. But I would just offer to set them up a bit. A very diverse customer base. I don't know that some of those concepts really work in the SMB space or maybe some international markets. At the other end of the spectrum, obviously, we're going toe to toe in large enterprise, particularly in the U.S. I think it's really incumbent upon us to provide things, selling to customers the way they want to buy. But...

So I think we -- our innovation is not just in ASICs and everything, but like sovereign SASE, which I bring to business model, but also our engineers and our, obviously, very innovative finance department. We brought on a program we call the FortiFlex, and then there's another one called FortiPoints. So for example, today, I'm sure a lot of people just flew in here from United, and we have the United mileage. So I think FortiPoints is almost like those mileage with the Fortinet. But obviously, we don't give anything of those away. But we do it either like an enterprise agreement where we started through the channel. When a customer has that, he can use that point to purchase any of the software services, cloud services or even consume hardware in a way that is sort of -- we offer hardware as a service. So you have the complete flexibility to basically consume our technology. And the FortiFlex basically is sort of a slight variation of that, essentially allows the customer to basically -- instead of committing like a year or several years on a particular technology, they can basically almost like run the meter thing. I want this one for like a day or 3 days. And then they can shift between these, which obviously, since we started, which is not too long ago, that we've seen tremendous interest both from the enterprise where they -- like in the beginning, it's hard for them to understand how much service for each of the offering that they need to buy, and then the traditional model will be a lot harder to basically make an estimate. But with the FortiPoints program, they buy a whole bunch of points, and then they can consume and then based on their need as well as it has a lot of interest in the MSSP partners where they could basically have a point in their repository. And based on what they can sell, they can continue to refresh the services offering from us. So I mean that's a maintenance term for me trying to describe what the financial [indiscernible].

Told you. He's the internal cheerleader.

I want to spend a few minutes on margins, both at the gross level and the operating level. So the gross margin question is, every quarter, you publish the pie chart showing that your share of secure networking is growing and specifically around we can look at market share in network switches and access points and some of the networking components that you sell. Historically, that has been a lower gross margin business for your competitors than firewalls or pure software. How do you think about the potential? Or how do you defend against a structural headwind to your gross margin as that piece of your business grows?

Yes. And there was a point in time 4 or 5 years ago where I was probably fairly shy about talking about access points and switches because of the perceptions of margins. I actually recall a conversation with Michael several, several years ago, saying I should be a little warmer to the selling of access points and switches. And if you look at it today, what it really to me is it's a proof point of conversions. I'm not typically out in the market necessarily making a first sale for access points or switches rather. I've sold them that FortiGate. I've sold them the ASIC with the operating system. And now with a technology called FortiLink that maybe Mike will talk about is we bridge together the switches and the access points and the firewalls altogether, as I say, as part of convergence. If I'm going to produce 80%, 81% gross margins, I'm not terribly worried about that drag of an individual product of a switch or access point. I think that we've shown the ability to be very, very successful with that convergence story.

And Keith, on the operating margin outperformance from 2Q circa 900 basis points, 2-part question. One is how do you think about the quantum of investment that you're going to make into 2025 trading off growth versus margins? And two is the longer-term margin model you talked about, I think it was a couple of years ago, over 25% long term. You're already in the low 30s. What's the limiting factor to potentially do north of 30%, north of 40% in the long-term model as well?

I appreciate you setting the bar fairly high on that. I think we're really, really pleased to put up 35% operating margin last quarter. And I think people know that we had some inventory risk that we had to work our way through and that we completed that exercise. It took about a year, and you saw the product gross margin move up almost 10 points a quarter or year-over-year. And that really flowed through to the operating margin line. At the same time that we put up 35% operating margin, if you look at the Q3 guidance, I think I'm very happy that we took that as an opportunity to close the Lacework transaction to get us into the CNAPP market. And while there's a margin headwind there of, what, 3 points, still keeping the guidance above 30%. I do think that the things that I talked about in the earnings call related to the gross margin that flow through the operating margin are sustainable. We had an increasing software revenue mix out of the -- on the product line. We have the benefit of net price increases over the last couple of years, and we have that inventory risk that now is in the rearview mirror. So I think we're well positioned for that. As we get ready for and prepare for the Analyst Day on November 19, when we'll talk more about 2025 and long-term goals, I think that we'll be able then to talk more openly about what is our operating margin model and how much are we investing back in go-to-market but also back into our R&D team.

So maybe we'll end on a cloud question, and I'll make it a little bit of an R&D allocation question, which is you have your core businesses. Today you have emerging businesses like cloud, EDR, what you're doing in the SOC. There's a lot of different elements of the security stack you could choose to invest in. So Michael and Keith, for you both, how do you think about the incremental R&D investment allocation? And where is it going?

I think we were like -- number one is we're a very innovation-driven company. So our culture is built on innovation. And then when we see a technology, whether it's cloud, EDR or even like switch and AP, that combined with the whole security fabric, which we call -- that's the other elements that we offer together, that would make sense for customers to adopt and protect these assets and build up this infrastructure. And we never hesitate that we would go out, whether it's acquire or grow, and then continue to offer that. But I think on the other hand, as Keith can attest, we're also very disciplined. Like we wouldn't spend -- I think some of the crazy ones like tens of millions of dollars to attract like one person to work on the product just based on the promise, like we wouldn't do that. So I think we're going to continue to operate in a very disciplined way and then make steady growth in the R&D investment.

Yes. From afar, I think there's a tremendous amount of discipline inside the R&D organization. I'm very pleased that we keep R&D spending at well over 10% every quarter. We are in a unique industry that has a catalyst called threat actors and nation states that force Michael and his team to innovate constantly, whether it's AI, whether it's quantum. We don't know what's next, but the threat actors are going to tell us as an industry, and we need to be prepared for that. And the way to do that is by continuing to make investments in technology and your R&D team.

With that, please join me in thanking Michael and Keith for their time. Thank you, gentlemen.