Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

All right. Well, hey, good afternoon, everyone. Welcome to day 1 of the Barclays Tech Conference. My name is Saket Kalia and I cover software here. Honored to have with us the team here from Fortinet. So we've got Michael Xie, Founder, President and Chief Technology Officer. We've also got Keith Jensen, Chief Financial Officer; we've got Christiane Ohlgart, Chief Accounting Officer in the back as well as well as Aaron Ovadia, Head of Investor Relations. So we've got a full crew and I know it's going to be a really fun discussion. Maybe around that point, we've got about 30 minutes together. Let's spend maybe the first 20 or 25 doing some fireside chat with the team, which I know is going to be fun. And then we'd love to make this interactive. So any question, just pop up your hand, and we've got a mic right here in the back. So, with that, Michael, Keith, thanks so much for being with us here today.

Thanks for having us.

Yes, absolutely.

Keith, I'd love to dig into the three different segments of Fortinet's business a little bit. And I think a good place to start is in secured networking. A lot of talk just about cyclicality in this business and different drivers. But if we think about this market sort of excluding the hardware cyclicality, how do you sort of think about the growth rate here in the medium term? And what are some of the main drivers that you're most excited about in that market, if you will?

Yes. I think you're making reference to the fact we have 3 pillars we talked about network security, which is the one we're talking about here, but also unified SASE and SecOps, we'll talk more about those. As we went through the process of building out the midterm model that we provided at the Analyst Day a few weeks ago, we look -- it's a little more complicated, it has been historically because we've extended well beyond the firewall now into SASE solutions in areas like SIEM and SOAR and the network equipment part of the business includes a healthy contribution from both -- pardon me, from access points and switches and also a significant contribution now from software licenses. So we kind of said, what are we going to start with, really we start with Gartner. I don't mean to give them an unfair plug, but I mean that is the place that we start with, and we look at the growth and what Gartner is anticipating over the next several years, probably about 7%, and then we add to that the growth in the other pillars. But as you look at network security, I think I would call out a couple of things. I think one is, I think the OT marketplace where we believe we have a leadership position has grown robustly, continues to grow robustly and we would expect that to continue on. I think also in this elevated threat environment, I think we're seeing a lot more, call it, regulatory influence, and that would include cyber insurance companies as well as a wide array of governmental regulators and industry regulators that are bringing new firewall use cases that need to be secure. We're seeing or having a lot of conversations with customers, particularly around that edge where they may be before we're not sensitive to it, but now they're being driven there through maybe an ISO or an NIST security, something like that. So the number of use cases continues to expand. And then the convergence, lastly, I would talk about the convergence of switches and access points. Honestly, I was very shy about talking about our switch business many years ago. I drove Michael crazy with my shyness. But now I'm completely a convert now because of what it really does in terms of creates that more of an automation and more of a consolidation function that exists with customers and is something that we're seeing a very strong pull from our customers.

Super helpful. Maybe the -- right, so that's kind of the normalized growth rate. I think that -- or the components of a normalized growth rate, Keith, I think you gave a lot of helpful information around this idea of a firewall upgrade cycle here in 2025 as a result of maybe some end of support in 2026. Rate is another driver, maybe a little bit more of a cyclical driver, but can you just remind us how big that cohort is and how much it could add to sort of incremental product billings over the next year or 2?

Yes, I'm going to be a little bit shy about talking specifically, if I can, in terms of numbers. But throughout time, when we've talked about the fact they have multiple products, and so you don't really see the evidence of a product refresh cycle in our income statement because it's just a series of overlapping product life cycles. As we sat down for the Analyst Day, the 2025 planning session, we were looking at some of our data and Christiane, again, thank you very much for that. What we really saw was something unusual, which is this cohort of refreshes in 2026. And more specifically, it's products that we announced in 2021 that we're going to go end of service in 2026. We've done some math on that. We look at the unit count, we provided that number, 650,000 units. And then as we converted units to dollars internally in some of our commentary, we took certain haircuts. We look at those units that are no longer pinging home, as I would call, and we excluded those is part of that conversion. We made certain assumptions around how much of that refresh has already started for a variety of reasons and how much churn we have. And then we quietly uttered a number of $400 million to $450 million for the 2026 cohort. I would encourage everybody in the audience to do your own math. I mean I think there's a fair amount of assumptions that go into it. But keep in mind also, there's another cohort for 2027 that follows after that. And also that we're talking here only about product revenue, we're not talking about the run rate for services nor the expansion for these other parts of our business now, these other pillars, whether they're SASE or SecOps solutions.

I think that's a great dovetail for you, Michael. I mean I think there's been a conversation just around whether future firewall cycles could be impacted by form factor shifts, right, and growing adoption of kind of SASE and SSD solutions. What's your view there? And I mean, I guess the question is, are you seeing SASE take share from the existing hardware firewall market, whether it be branch or data center or any form factor shift, right, so virtual as you think about, again, that big cohort that comes up for refresh.

Yes. So the SASE, I mean, if you break down the technology, it's essentially similar technology is what people have been running on the edge for a very long time is the user protection, single sign-on, application protection, the firewall inspection and the SD-WAN technology. So what we have seen so far is because in our business, particularly, it's more like customer driven, and the customer, they adopt the cyber security company when there is elevated cyber threats out there, which is happening today. And I think what we see from the customer is it's more common to see a much more like hybrid solution with both the edge and the cloud protection combined. And we do believe that is a very effective model where you have the traditional hedge production to protect your offices, data centers and like in your cloud and then you have the SSE protecting the people work from home or traveling employees. So when they leave together, they're becoming very effective. But if you try to rip one of them out to place like, for example, you try to use SSE in an environment, let's say, in the data center that's actually not suitable for SSE protection. I mean you can do that maybe with 10x the cost. We don't see users actually doing that. I think it's more common that user make sensible decisions when they combine these protection together to make it most effective, I mean, mostly in terms of the protection effectiveness as well as the cost effective.

Yes. absolutely. Maybe that's a good natural segue just into the second pillar of the business, right, which is Unified SASE and maybe build a little bit of what you said with the technical question. I think it's really interesting when Fortinet talks about SASE, it's something that turns on within minutes, right? But when other vendors talk about it, SASE sounds like something -- a lot more of an architectural shift. How do you think about the differences there, Michael?

So I mean, that is an interesting point of the differences from the messaging. But being a technologist, I think a lot of the customers on the technology side, they understand the SASE actually doesn't provide you with the additional features or capabilities that the traditional edge protection offer you. It's more a way of how you architect your network traffic to go through. how you consume that, whether by like subscription or by a traditional CapEx and then you own the device and then continue to pump traffic through that. So I mean it's one thing it's how marketing works. The other thing is sometimes not entirely exactly the same is like how technology works. I think on the technology side, the SASE and the edge protection provides very similar capabilities in terms of protection, but they do different when the particular use case to come into the picture, for example, A lot of the guys here travel from everywhere around the world to San Francisco today, where your home office may be at New York or maybe Sydney, Australia in the traditional way, if your protection is only provided by your home office, then you're either out of protection with your laptops today or your phones or you would have to [dial] back into New York or Sydney where have you to get the level of protection that you need. And with the SASE obviously offers a different option where you just basically assuming it's Forti SASE, obviously, you dial into a pop in Sunnyvale and then which gives you a much shorter path towards that, the protection and then that same firewall in Sunnyvale, we expect your traffic or log sent to the SecOps and do all the stuff that you would be doing if you were in your home office. So I think in that situation, basically, your IT department will enable SASE on your laptop, but you would not rip off your edge protection in your HQ office. Does that make sense?

Yes, that does. That does actually Keith, maybe for you, can you just remind us how big your SASE business is? And how much of it is maybe coming from SD-WAN versus SSE and whether that's a mix that's going to evolve over time?

Yes, I do think it will be a mix. And when you look at the 3 pillars, you start peeling back the onion on unified SASE. To your point, it includes not only the SSE functionality, but also other cloud functionality and SD-WAN. And SD-WAN is over half of that unified SASE mix. And then you have cloud and SSE that are kind of making up the remainder of that. SSE is not yet the largest, and I think it's got a little ways to go. But SD-WAN has gone through a cycle where the payback period and the ROI from the MPLS savings. I think a lot of companies moved into that in a very big way. And now you're seeing SD-WAN really evolve to being a key component to the unified SASE or the FSE technology. I would expect for the foreseeable future that SD-WAN, which as a percentage of total business is probably running about 12% or 13% to probably stay in that neighborhood. I think the SSE element, which people sometimes call SASE, but it's really the SSE element, as we provided some numbers about ARR growth and billings growth in that space. I think that will be easily the fastest-growing part of that segment, if not all the segments.

Yes, absolutely. Michael, maybe just to stay on SASE because I think it's -- this is really the future, I think, of network security in a lot of ways. Maybe just to stay on SASE, what benefit do you think the firewall vendors have here versus the pure SASE vendors that are -- the pure SASE vendors are trying to displace the firewall, right? Firewall vendors, right, have a natural advantage as well. How do you think about that natural advantage within SASE or SSE?

Absolutely. So I think for customers looking for effective cyber security protections, right? The -- I think there's a couple of options to do it. In the old days, where a lot of them rely on pure edge protection that basically they have on-prem devices, firewalls and SD-WANs only. And this proving difficult when you have a large number of people working remotely from home or like traveling and you want them to be brought up to the same level of protection. And then SASE comes into the picture that actually offers a very good connectivity, good low latency and good protection. But on the other hand, the SASE itself is more like complementary to the traditional on-prem protection rather than I think in some cases, there are companies at allocating, oh, we could maybe just tier the on-prem and then pipe everything to SASE. But that -- in a lot of cases, it does not make enough business sense to convince the customer to do that. I think in some cases, it might work. But I think in most cases, the two working together would form a much more effective protection. So I think in the case of the vendors, what we actually see is advantageous for vendors like us who came from the edge devices where we have the firewall, and we have all the on-prem solutions and we add the SASE on top of that. So we provide this solution. It's a lot more flexible than some of the newer vendors where they only have the SSE so which requires the pipe everything to one of their data centers to get protected. That in a lot of cases, would be either like too expensive. Or sometimes it introduces latency where it's absolutely not necessary. Because from the office network, you can directly go to the Internet, if you have on-prem firewall SD-WAN devices. But if you're SSE only then you got to take like one more hop to go through the vendor's data center. So I mean I'm not seeing that as a future. I think the future is more hybrid and then it's for the more flexible vendors to do more of those deals.

Yes, so interesting. Keith, when it comes to building out your infrastructure for SSE. I think you and Ken have talked about some of the longer-term cost advantages of building out your own PoPs as opposed to maybe using a public cloud provider like GCP, you can use it, of course, to accelerate some things, right, but I think there's a clear preference right for kind of owning that, if you will, long term. Can you just remind us maybe how many PoPs you've built so far? And how should -- we should think about sort of the CapEx moving forward as that coverage expands.

Yes. I mean, one of the attractions to our design, if you will, is that we have a -- we see a long-term cost to deliver the solution that's going to be much less than some of the competitors. A bit of a history here in terms of how we ended up in this spot as we're people were going through and evaluating new SASE solutions maybe 2 years ago, there was a very common question about how many PoPs do you have? And we had, at the time, 19 and somebody had a cut off of 20 that we felt was rather about either arbitrary or punitive. We're still not sure today which of it was. So we went out and we established a partnership with one of the global cloud providers that quickly took that number well over 100. And what it really did was remove that buying objection. I don't know that it was really core to our long-term architectural design that Michael has talked about. We will continue to have a relationship with that cloud provider or others for latency reasons in certain locations. But I think what's really key is the combination of our PoPs, if you will, in some cases, our data centers as well as colos because that drastically changes the cost to deliver. We will still continue to offer the cloud provider option to customers at a higher price point and they may opt to do that going forward as we would expect. But what the PoP and what the colos do in our own data center, it also allows us to run our SASE technology on our own technology, on our own firewalls inside of these locations, which provides, we think, an operational advantage and also an economic advantage. And then to the question, well, how much does this cost, right? And Ken and I had this conversation in the last week or so, and I said, it really can in terms of the pacing here as we build out PoPs. And let's not confuse PoPs for data centers because there's a very different price point. I don't have the energy capacity to take down a full data center. But as we move through this year, and we're probably in the range of $300 million or $400 million of CapEx spending. Ken, if we think that, that number is going to change dramatically, we should start talking to the Street about that. And the comment was no, it's not going to change dramatically. I would offer a caveat that when you're buying real estate or infrastructure, it's lumpy. You're not buying it one square foot at a time. So -- and deals can push from 1 quarter to another or be accelerated for different reasons. But I think that's kind of the number that we'd like people to be thinking about as we get closer and closer to maybe more formally talking about it when we give guidance in 2025.

Yes, absolutely. Michael, we talked about 2 of the 3 pillars. I want to make sure we talk about the third one briefly, which is just on the SecOps side. I think an interesting point that we took away from the Analyst Day was sort of the opportunity to use Fortinet's data like as a starting point to sell more services kind of across the portfolio. Can you just talk a little bit about that cross-sell opportunity and how you can use that data like as maybe a stepping stone, right, to show customers the broader portfolio.

Yes. I think in the past, a lot of the security data are very siloed. There is large different like geolocations and then there's sort of the firewall, there's the endpoint logs and all those are going to different consoles and there's a different technology, we're seeing onshore. There's all kinds of stuff, trying to basically make sense out of that tremendous amount of data. which is generated every second of the day. And so what we have provided is basically that we have a tier we call it fabric based data lake that we allow not only our own security data, but also secure data from our partners, security vendors to be aggregate together. And then on top of that, we offer features like SIEM or SOAR for additional visibility and automation. And then we provide that in a way that we can basically have a multi-tiered -- have them all linked together. And then the processing is happening at lower end nodes, but then you get visibility on the top. So for example, like a global company at the Fortune 500 CEO or maybe more like a CISO, he will be able to have a single console to see the output from all these different type of tools over his data or other devices at all the different geo locations. So we build out an infrastructure to help that still materialize.

Got it. Got it. I'm going to move to some financial questions here for Keith. But before we do that, any questions here from the audience? Keith, maybe for you. I mean, I'd love to spend a little bit of time just on the 3- to 5-year targets you provided at Analyst Day, which was a really useful event, by the way. And maybe we could just start with top line, right? I think we said we expect greater than a 12% CAGR on billings and revenue, you correct me there if I'm wrong. But I'd love if you could just walk us through some of the higher-level assumptions, right, that are underpinning that growth target.

I don't think people are going to be terribly surprised about our approach, but I'll recap it. As we talked about in the beginning of the conversation, if you look at the three different segments or pillars of the business, the firewall, the SASE and the SecOps and we start with the Gartner growth rates and we make some adjustments to that based upon our mix within that in terms of virtual firewalls and physical firewalls. But you're looking at about a 7% number there for that particular part of the business. And then you look at the SASE and you look at the components of SecOps, when you go through the same exercise and you start getting around to a range of a number that you might be comfortable with on 12%, let's say. And there's also the sanity check to it. Do you have the sales capacity to deliver on that 12% number? Are you going to have to do something more in your OpEx line to build the capacity, and we'll talk about margins, I'm sure and sales productivity because I don't want to get out lower my skis and assuming that I'm going to get to a number, either on the top line and the margin line with an unfair assumption about sales productivity. And I think we feel very comfortable with that. We look at tenure as well. We talk to our salespeople, we do look at some of the budgets. We'll look at pipeline, but it is a very limited value to us when you're looking that far out. and you're kind of sitting down and you're sanity checking it. And probably the last thing that we did this time, which was new was relates to the refresh. And I would not necessarily say that the refresh received a separate line in our 12% number. Rather, the refresh was more about, does it give us comfortable get it more comfort with the 12% number that we provided. And I think that's really how we viewed it at this stage. And part of that, as you go back to, we simply have not had this type of a refresh cycle spike previously. And again, I think we'd like to be a little bit cautious and play this out a little bit more about how we execute and how we deliver against this opportunity and how the upsells and the cross-sells factor into it.

Absolutely. To your point, just on profitability, I think one of the most surprising points over the last couple of quarters has been just better gross margin, right, particularly on the product line. As I think about it, it felt like some of the higher value that you've delivered in prior years, along with the supply chain-driven costs that have gone down, it sort of felt like those two things combined for that better product gross margin. Maybe -- first of all, is that the right way to think about it? And how do you think about product gross margins going forward as we get into the thick of that product refresh that you just talked about?

Yes. It's been a -- product gross margins has been a dynamic world for a couple of years. During the supply chain, we were experiencing expedite fees to some of the component providers and the chip companies, which were not insignificant by any stretch of the imagination. And at the same time, we were looking to accelerate delivery of our products from our contract manufacturers to us. And you saw a lot of our delivery shifting from ocean freight to -- promotion freight to airfreight. And we needed to go through that elevated cost structure that you saw in 2023. And then the third element was really some actions that we took during the supply chain to really provide larger purchase orders and inventory commitments to our contract manufacturers, part of that was to get us at the front of the line to make sure that we got deliveries. Part of that was to provide working capital to our contract manufacturers because it was a difficult time for them. But then as you saw that supply chain cycle changed and shift and moved down, I was in a position that I certainly had enough inventory, let's put it that way. And I had more inventory coming. And so you saw us taking fairly elevated charges related to inventory or in the cost of goods sold line. There was a few quarters there where -- that was running $40 million or $50 million a quarter and not insignificant. We told our Board at the beginning of this year that we thought we would be out of the woods by the end of the year. We are -- we probably got there a quarter earlier than we expected, and we also had a little bit of a one-off benefit in some of our negotiations with our contract manufacturers. But now I think you're -- what does that all mean, right? And I think that when you take the information we provided at the Analyst Day for total gross margin and we reverse engineer it, you're probably going to see normalized product gross margins stripping out all those onetime effects and that's 65% to 67% range. So not giving guidance, but I think that would be -- that's how I'm thinking about my business at the moment.

Yes. No, that's all that's a really helpful framework. Maybe, Michael, for you, I mean, as founder of the business, I mean, you've seen so many refresh cycles. What's different about this refresh cycle just from your perspective? Open ended question, out of curiosity.

I think it's -- in the long run, right, I mean a refresh happens as naturally it needs to occur. And then -- but at some point, it happens in the bulk than some other times. So I think on a long time you sort of [indiscernible] things out. But on the other hand, we have this unique technology built the ASIC for hardware appliances, and that's kind of like chunky like we don't turn out ASICs like every quarter or every year. But the cycle of that ASIC design is 3 to 5 years. And when it comes out, usually brings the performance to a much higher level in a similar or lower cost because the Morris law basically allow us to design these much more complicated ASICs over time. But I think on the one hand, it does address the market needs for higher speed. It's ever-increasing higher speed, but also the -- a lot more coverage because a lot of traditional stuff like for example like OT, they were -- basically, there was no protection at all. But today, because of the compliance and because the customer realized they were a real threat when these were attacked by like people out there. And then they are actually putting the protection around them. So I think that refresh helped both increase the coverage as well as keeping up the speed needs for the customer.

Yes. Yes, absolutely. Keith, maybe back to you from a margin perspective. You raised your long-term operating margin target to 30% plus, up from 25% plus prior. And you've seen some really impressive outperformance on margins this year, like in product gross margins, right, as we discussed. What's interesting is that your margins are actually higher than 30%, that 30% target right now. And so just maybe back to the question. How do you sort of think about the puts and takes to the 30% given need to invest. I mean, the channels that you've built and just the sheer scale of the business.

Yes. Obviously, there's a significant -- I mean the business model is very attractive, whether you look at margins or you look at free cash flow? I think that when I talk to my go-to-market leaders and when I talk to my R&D leaders, I think the message is very consistent that we have more to invest and we should. Now this normalize a little bit because we're looking at gross margins and operating margins in the fourth quarter, and that tends to be our best quarter each year. So -- but I was pretty open in terms of -- when we moved that number from 25% to 30%, and that I thought we had some room there to invest. And I'd like to see us take whatever our normal margin is for the fourth quarter, if you will. And I'd like to see us invest at least another point in go to market, and I would be liberal also in some of the investment opportunities, particularly as we look at the combination of the refresh cycle and now having the opportunity to sell products that we didn't have 5 years ago with products first sold, let's say, whether that's SASE or SecOps. I think there is a significant reason to make investments there. We also talked about the 230 basis points of headwind from the Lacework acquisition. That will normalize over time, as somebody said earlier today, as we fortify that company, and we bring their structure into. So I think there's some opportunities there for additional investments. We continue to for cost or performance or price for performance advantage, and I expect us to look to leverage that. And I think also as we look into certain segments of the market, the large enterprise, for example, we'd want to be able to make investments not only in our customers, so to speak, as we dislodge them from their incumbents but into our own sales team and also into our channel partners. So again, I think there's a pretty healthy list there of how I can spend money to not have margins to be too high. How is that?

Absolutely. Absolutely. I mean maybe the last question I'd like to end with here, right? We've been trying to ask all our management teams. It's a really broad and kind of open-ended question. But as you kind of get into planning for next year, what are you hearing from salespeople and internally to the extent you spend time with customers, how are people feeling about sort of their willingness to invest in security next year? How do you feel about that spending environment? Mike, why don't we start with you?

Yes. I think security is still among the top of the list for a lot of the enterprise customers. And then I think we see more interest also from the traditionally, I think, less interested parties like OT and these areas. They all see the needs for protection and in more use cases. So I think we're happy to see that awareness spreading.

Keith, anything you want to add to that?

Yes. I'm probably aligned with Michael. I think the threat environment is and remains so elevated. The the volume of resources and the type of resources, the threat actors, be they ransomware or be they nation, states or some other organization, at least from what I'm seeing and feeling, it seems there's so much more being invested targeting companies and going after their data. I think CIOs and CISOs are very, very much aware of that, and they're really looking for all the technologies they'll need to continue to protect themselves. The nation, states and threat actors aren't encumbered by things like QA and product release schedules and legal niceties and so forth. There's a lot of trial and errors out there. And I think it's really, really tough for CISOs and CIOs in this environment right now.

Absolutely. Well, Michael, Keith, thank you so much for the time. Very educational. I really appreciate it.

Thank you, Saket.

Thank you.

Thank you.