Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Excellent. Thank you, everyone, for joining us. My name is Keith Weiss. I run the U.S. software equity research franchise here at Morgan Stanley. And very pleased to have with us from Fortinet, both Chairman and CEO and Founder, Ken Xie; as well as CFO, Keith Jensen. So gentlemen, thank you so much for joining us at the TMT conference.

Maybe to start out with, Ken, I'd love to get an update from you on like the platform story at Fortinet. From sort of the earliest days of Fortinet, we've been talking about the convergence of networking and security. Now that purview has opened up a lot. We're talking about SaaS here. We're talking about security operations and a lot more consolidation of that security footprint. How has the Fortinet story evolved to encompass that kind of broader purview?

Yes, it's a great question. Actually, I just feel I still play the same trick I played 25 years ago. It's because if you look at the network security, it's a lot different than the endpoint's [ some other ] because network security is in the middle of the wire, trying to stop the bad traffic. And then -- so that's where most of the companies only have one device instead of multiple device. So you see most point solution in the [ new ] secured space, all disappeared in the last 10, 20 years. At the same time, every year, there's a new function needed to add on the network security box there. So that's where you need to have a single box, single OS, try to handle as much function as possible. At the same time, the network speed also keeping go up. So how to solve this issue, also our kind of a trick is really 25 years ago when we created Fortinet, we do believe long term the network security will gradually take over the traditional networking, because network security give you the visibility on the application, the content of this device user behind compared with network can just connect all this traffic together. So that's where we start the company. We try to have a single OS handle as much function as possible, integrate altogether and the same time, using ASIC to accelerate all this function. So you can see from very early days, there's only 3, 4 functions from like a firewall, VPN, antivirus and then intrusion prevention. Now, you have all the other like all the SASE function or the SD-WAN function or the CASB all these DLP. So you see we have about 30 functions now running the same OS and 1/2 of these 30 functions, about 14, 15 are using ASIC to accelerate, but still in the same OS and then still keeping developed ASIC to accelerate more function and increase more speed and lower the power consumption and so that's the same trick keeping playing. As you can see, the market take-off like 5, 10 years ago, SD-WAN because we have SD-WAN in the same OS as a firewall. So most of firewall customer, I think right now, we say maybe almost 70% firewall customers started using our SD-WAN solution. So we become front leader in the firewall into a leader in the SD-WAN. Now about 2 years ago, we also launched our own SASE, which in the same OS and also some of the SASE function also using ASIC to accelerate. So that's also we see -- I think right now, probably only about 10% are still in our firewall user convert to SASE. We do see the convert rate very, very high. I mean, customer, are very, very interested to using our SASE function if they're already a firewall SD-WAN function customer there. So that's where we see the SASE at ramp-up very, very quick and actually, over 97% of current SASE customers come from the existing firewall SD-WAN customer. So that's making the customer adopt this SASE much quicker, sooner and more easier compared to where there's some other try to do the new SASE deployment. So it's kind of same trick. Keep adding new function and then same accelerate the existing function using ASIC and enable kind of more company power to help in the OS.

Okay. Got it. I want to dig into that answer in a couple of dimensions. Like one, in terms of the market's willingness to adopt these more consolidated solutions, to look more at a platform type of acquisition strategy, security has traditionally been very best-of-breed focused and a lot of customers have bought what they perceive as the best sort of product for each sort of channel, each potential vector. Do you see any shift in that buying pattern of that customers are more willing to buy a consolidated solution and try to consolidate the number of vendors that they're working with for security?

Yes, agreed. Traditionally, especially with big enterprise, they really have the best breed, always the kind of point solution because they have a different set of expertise to cover different areas. But now, with all this convergence and also not just on the cybersecurity but also with networking, the [ SASE ] can now also merge together. We do see the consolidation that is happening not just enterprise and some other SMB work from home has a similar sense there. So that's where we see the trend will keeping going. That's also especially in the network security, because endpoint, sometimes you can have a multiple endpoint software in the same PC, whatever, but network security, the cost of a multiple buy is definitely too high and also the cost of multiple solutions, if they're not integrated together, are also kind of high. Whether we can leverage all these different AI or kind of machine learning, helping lower all this kind of managed multiple function, once it's integrated in CMOS, you can see also can work together much better. So we do see the trend keeping going, both in enterprise and also SMB since that they're more consolidated together and try to manage together.

Right. And on the other side of the equation, the market seems to kind of be coming to Fortinet in terms of you guys have always had this kind of platform ingrained within your solutions. The FortiOS is common across kind of the solution portfolio. You leverage common chipsets, whether it's the content security processor within multiple solutions. How does that enable Fortinet to outperform, if you will, in terms of that consolidation? What is it about your architecture that enables you to well expand into these adjacent categories?

Yes, I think the ASIC is really we feel it's the one differentiates us from most other players because they do give us a lot of computing power, so you can enable more function in the same OS and also working together. But on the other side, ASIC definitely takes a long-time investment, big investment to make it happen there. So that's why so far, we don't see any other vendor to develop ASIC in this networking security area. So we do see there's a huge advantage for us. And now we already have about 55% market share globally on the unit shipment. So the economy of scale also starting working better because the ASIC chip, the trick really, if you have more quantity, the per chip cost can get lower. Because each time each new chip, you have a big initial investment and then also the unit cost depends on how many units you can ship in. So that's where we're starting to see the economy wise working us better now. So we make it very profitable business and even take a long-term investment. On the other side, security, definitely, we see also more and more content helping and power's also needed not just in the appliance, but also we're starting to see it in the cloud, in the infrastructure side. You also need a more secure computing power. Right now, secure computing power only count about 1% to 2% of the cloud computing, but we do see this growth rather faster. It's kind of exponential. And so once the more computing power needed in the cloud in all the different environment, we also see the benefit of using ASIC just like called the GPU, some other AI is also needed. So we feel it's still a lot of potential going forward.

Got it. Got it. And I want to touch base on the demand environment more broadly. One of the remarkable aspects of Fortinet is how globally diversified your business is. I think it's over 70% of your revenues come from outside of the U.S. and a broad diversity of countries that you sell into. There's also a broad diversity of sort of macro conditions out there. How are you guys feeling about the spending environment? And the degree to which security demand can sustain sort of well even in a more mixed macro environment?

Yes. I think we've gotten that question in different ways over the last several years. Usually, it's about the SMB starts off and for us, the SMB, maybe it's the sheer volume of the SMB, and we have 7,000 new logos in the quarter. And it's held up extremely well through the ups and downs of the economy over the last several years. The other place we get is Europe, a lot of questions about Europe. And those are fair questions. But the European business for us continues to be very, very strong. We are #1 in the market in Europe in terms of market share, and I think that provides a tailwind to our sales. And it also means that you're largely selling into or often selling into an installed base of the enterprise where some of the products and services that Ken talked about a moment ago in terms of the expansion of what's in the operating system continue to go deeper and deeper into that wallet. Yes, I think the first 2 months of the quarter, we kind of looked at that and where we want to be, I think, with that. I think we're starting to see the early signs of some possible disruption in the market, if you will, in terms of the stock market with -- in reaction to tariffs. So we'll get a little more information as we go on that.

Got it. And the other disruption people are worried about is DOGE. But if I recall correctly, I think it's low single-digit percentage of your business in the U.S. federal so not a lot of exposure there?

Yes. I think there is -- you're correct. It runs, in a given quarter, 1% to 3% of our business. And there's kind of 2 sides to it in terms of -- and you've heard others comment on this, will there be somebody there to sell to and to purchase? And the other side of it is, if they're bringing back the workforce in mass, there's an expectation that there's probably going to be a fair amount of upgrading of the cybersecurity systems inside of those organizations in order to support that workforce as it returns to work. We'll see how that plays out.

Got it. Got it. And when it comes to Fortinet in particular, I think one of the things investors are excited about is a product refresh coming up within your firewall base. I think you've talked about an unusually large kind of percentage of that base seeing end of life over the next year or so. Can you talk to us about the magnitude of that opportunity? And does that -- is that just a product revenue? Is that just a firewall opportunity? Or does that give you sort of more potential to go in and sell the broader solution? Is that an opportunity for SASE attach, if you will, on a go-forward basis?

Yes. And I think what -- well, really to your last comment, we're calling it the upgrade cycle, and it really -- and we'll come back to it, but that really is the opportunity to sell the full suite of products that we have into our installed base of SASE and SecOps solutions, and Ken will talk about that I think a little bit more. We presented a slide at the Analyst Day. We have an unusually large volume of units that are going end of support in 2026. It's roughly 10x more than our average in the prior 10 years. And that's followed in 2027 with another cohort that's about 1/2 that size. It's just unusual to see the grouping of that. I think it has some things to do with some decisions that we made 5 years ago or 4 years ago when we announced end the support related to new chips and some other supply chain considerations. So it's really creating the opportunity. What we don't want it to be is a simple unit swap. I don't want to see something just upgrading from unit to unit. These units that are out there installed, they're probably something on the order of 7 to 10 years old. They're operating on a different ASIC. They may not have the ability to support the operating system that we have today. And with this, the expanded operating system and the newer ASICs, it creates the opportunity now for that consolidation that you and Ken have been talking about.

Yes. The customer on average has the box on hand almost 10 years and not reach end of the service. And then we do see the opportunity compared to 10 years ago when they bought a box. First, the speed and then the function has a huge difference, probably average about 10 to 20x better speed. And then on the function, probably also 2, 3x more function than it previously had. And also the customers starting to deploy the network security differently than 10 years ago. So before, it was more like secure whatever the infrastructure border, all these kind of things, now they have to expand in to supporting work from home. They have to do internal like data center kind of east-west traffic security there, internal segmentation. So we do see this as like a big cooperate opportunity. So we do see the -- the customer so far we work with always kind of come back with much bigger plan infrastructure to upgrade than the previous, just replacing the old box.

Got it. Got it. And then, Keith, any help you can give us in terms of helping to sort of model investor expectations on how this is going to flow through your product revenues when we think about 2025 versus 2026? Just to make sure that we stay appropriately conservative, if you will.

Yes. I'm more comfortable talking about units than dollars in this particular context. But I think that the guidance we've given to people, things to consider, one is that we know that cohort that we talked about for '26, which is, call it, 650,000 units. One, 15% of those units are not pinging home anymore. And so they're probably end of life some place and doing something else perhaps. But also, we look at our customer base and our customer types and what our expectations are about when they're likely to start on this upgrade journey. When you look at a larger enterprise that has a more sophisticated IT organization and a more sophisticated purchasing organization and security organization, than say an SMB and they're larger upgrade cycles, we believe, and we saw some indications of this in the fourth quarter, that those larger enterprises will purchase and go through the upgrade cycle in a more methodical basis. It's simply too many units to take down all at once. And so while we got some tailwinds, we think, from the fourth quarter on some of our larger firewalls, we would expect those larger enterprises to continue that purchasing pattern as we get closer and closer to the end of service date. If you look at the SMBs, it's quite possible that they're more likely to wait until Sunday night to do their homework, shall we say. They may wait until closer and closer to the end of service date before they actually go through that change. And that cohort, that sub cohort could be more of a '26 event. You probably have another group of customers who are some place in between with the service providers, which oftentimes are selling to the SMBs. But again, they're more sophisticated in their buying behaviors, their security considerations. And they're more apt to start that planning and purchasing process earlier than the SMBs.

Got it. So as we go through this refresh opportunity, is there a particular playbook from Fortinet in terms of go-to-market to improve sort of the services attach on the refresh to make this more than just a box refresh? And if so, have you seen any early indications of how effective that's going to be on this refresh cycle?

Yes. I can talk about some of the numbers earlier. Well, first of all, keep in mind, our first sale is almost always a firewall. I mean that's where we are. The expansion sale -- 90%, 95% of my first sale is going to be a firewall. The expansion sale and the SASE group or the SecOp group, again, 90% of those are going to be to my installed base. Ken talked about the penetration rate, used the example of our larger enterprises, where 70% of our larger enterprises that have firewalls are also using our SD-WAN technology. And of that cohort, that 70%, with the SASE solution really being brought to market about 15 months ago, that penetration rate is already at about 10%. That's a very fast move in that cohort. So we're seeing success on it. Do I have examples of larger enterprises that got ahead of us a little bit, and started buying before I had a chance to go talk to them about SASE? Yes, there's some of those. But we're really working hard to make sure that the sales understand the expectation that it's not a simple unit swap. What we really want to do is offer more of a platform play for those customers.

Got it. You recently revamped the business model and the go-to-market strategy to capture more SASE and security operations deals. Can you talk more about the revamped strategy? And why is now the time to sort of undergo that transformation?

We do see, because of all this work from home and also some additional function like a DLP [ catch ] has built as needed in the enterprise. They are more interested in not just traditional network security, but also some other SASE functions. So that's where we see. Probably the advantage we have really is first, we are the only company to have all the SASE, SD-WAN in the same operation system. So that's where when customers which already have the firewall, which we have a majority market share, become more easily to turn on the SD-WAN, the SASE. That's very different than other SASE company that would pulled out different kind of [ pool ] concept installation of these things. So the switching cost is much lower. And the second also for SASE, we do have a SASE because in the same OS, we also can deploy whether we call the local or the private SASE or sovereign SASE. So they can deploy it locally with their own data center. So we have a lot of bigger customer, enterprises [ pressure ] finance service customer, they want to have their own kind of SASE infrastructure. So they don't feel comfortable to have the data go outside that'll be processed and send it back. So they would rather control the data themselves. So that's where the private or sovereign SASE is getting more and more important. We see a lot of new cases. And then the third one, we're also starting to invest in our own, we call the secure cloud infrastructure more than 10 years ago. So globally, we own about 4 million square feet building in data center office, all these things together. So none of the other SASE player has this infrastructure because when we own all this infrastructure, the cost is about like 1/5 or 1/10 that the cloud provider can offer and also probably 1/2 or 1/3 compared to co-lo company can offer. So that, you can see, for SASE, we have a lot of our price-competitive solution there. At the same time, our margin's also among the highest margin among the SASE player. So that all gives us kind of advantage. The single OS, the sovereign SASE or private SASE for customers themselves to deploy, our own kind of infrastructure with a cost advantage, which is also not just the data center but also with technology like a 40 stack, all this kind of software to match all this together. So that's what we do believe will be -- we're already #1 in the firewall, SD-WAN, we do believe we'll be the #1 in the SASE player because of all this differentiation we have.

Got it. And where are we in that build? I think you guys have talked about over 150 points of presence in terms of building out the cloud infrastructure for SASE solutions. How big does that have to get? How much further do you have to sort of expand that network on a go-forward basis?

We're kind of using this 70-30 rule. So we try to see 70% traffic still goes through kind of own infrastructure. Then the 30% probably still goes to cloud provider co-lo company. Because for us also, there's some remote location of certain areas, probably not quite for us to make any sense to invest in the data center ourselves. So we still want to partner with the cloud provider, partner with also co-lo company because the SASE's growing so quick. And newly build a data center, it probably takes 2 to 3 years and also a lot of location probably not make economic sense to build ourselves. Whereas the data center, you do need like 100 rack and all this kind of make it work and like probably every $10 million to $20 million investment to get all this up and running. So probably, that's probably working with them, harness still the best solutions for all these like 30%, 40% market share.

Got it. So is that where like the partnership with Google Cloud comes into play?

Yes, Google Cloud. Yes. Some other like a co-lo company and other cloud providers, same. Yes.

Got it. Got it. I want to talk about the security operations side of the equation. You have a portfolio that now goes into 40 XDR, 40 SIM, 40 EDR. And I think it was about 11% of billings in Q4. Why is this a natural extension for Fortinet? Like the movement to SASE makes sense; it's leveraging kind of the same network at the same equipment. Why is it as natural if an upsell for Fortinet to sell the security operations side of the equation?

That's kind of because like I said, there's so many different part of infrastructure, probably difficult to integrate the same OS. Like e-mail security were difficult to integrate with whatever the FortiGate or whatever, network security, the same as in web and all these other endpoints, the same store, all the other things. So that's where for the enterprise, the biggest cost's still the management cost. So how to make it working together. We usually call it the Fabric, make sure different part of the infrastructure security kind of working together. So that's where it's kind of important. We call this a secure operation, how to help in lower the security operation costs. So because we do apply a lot of AI technology in the secure operation area. One thing you probably noticed already, so we're not only the #1 patent over like -- probably like 1,500 patent in the cybersecurity, but AI patent is long, there's almost 500 AI patents in the last 20-some years. So we do spend a lot of time prioritize AI innovation into this secure operation. And that makes us the biggest AI patent company among the cybersecurity space there, and that give us huge potential going forward.

I mean can you give us some examples of how Fortinet is embedding AI? How that's improving sort of the solution? Are there any sort of use cases or sort of particular functionalities that you're seeing making a big difference for your customers?

Yes, we have almost like the full AI already apply almost 10 different products for the manager, for the [ analyzer ], for all these other things, you can see using AI. They can automate a lot of process instead of trying to see a human try to dig out oh what's happening now, there's like a security break-in and how this relates to the previous data and now this different other part of infrastructure tool. So that's what FortiAI we demonstrated in the last 2 years, that every year in this user conference, how AI can help you solve secure operation issue, the intelligence issue, or the customer support issue. One other potential big area also will be -- eventually, we also feel network security can also apply to home user consumer, which is not happening right now because the supporting cost is way too high. And the only way is really using AI to solve that, right? So if AI can solve like 90-some plus percent supporting. And then that's what the network security can expand into the consumer space, we should -- that's also the reason we acquired Linksys and then potentially can try to solve that issue there.

Got it. Got it. So I think from an investor perspective, I think a lot of us focus on the ability of AI to help solve the security analyst problem, if you will, like, the fact that there's not enough security analysts and that sounds like part of the equation. The part of the equation of the customer support, the complexity of -- for the home user to be able to actually do networking and do network security, well, I think that's gone under the radar, but that could be -- like how do you think about sizing that market opportunity on the consumer side?

Consumers are huge, not just people starting working for home, but a lot of home device connect online also needs some kind of security protection. Because a lot of these OT IoT device, most of the time, the only way to secure is really using network security because they are very difficult to load and the agent on the device itself. You have to depend on network security to secure it. So we do see it's a huge opportunity actually, not just the work-from-home consumer, but also a lot of like operation tech area, we see that's the fast-growing area for us, like whether the record device, all this kind of a utility manufacturer, all this smart city, all these things, we see huge -- and connected car is other example. It's a huge growing for us right now.

Got it. And you guys talked about OT security sales approaching $1 billion in 2024. It's been a big part of the Fortinet growth story for a while. I think one of the things that's made operational -- OT security difficult is the heterogeneity of what needs to be protected out there, especially when you go into manufacturing environments or factory floors and the likes. How does Fortinet deal with that? How does Fortinet take what is a very complex environment and find an appropriate route to market or an efficient route to market for OT security?

The OT security is kind of different than the traditional network securities really. They do need to invest in a lot of different technology, like whether it's a recognized environment or kind of an operation system more related to the real-time OT operation system to understand the protocol they have, but also, they have a long sales cycle. Much longer. Usually, the OT technology will probably take 1 to 2 years on the sales cycle to get in there, but also the tail went also much longer, but you really need a device to be there for 10, 20 years. So that's why you need to make sure it's very stable, long-term recognized device, but also can stay there for a long, long time in a rough environment. So that's for long-tail cycle but eventually, the tail also much longer.

Got it. Got it. Got it. I want to shift gears and talk a little bit about sort of the FY '25 guidance. Maybe to start out with, how do you guys think about balancing growth priorities between the traditional network security business? You have a refresh that you're taking care of but also making sure that there's the right amount of focus on some of those high-growth areas and the new emerging opportunities like SASE, like how do you guys think about managing that balance?

Yes. I think the business model itself puts out -- increase a lot of cash flow and increase a lot of margins. And with that, it gives us the opportunity to reinvest in the business. And the decision points really become back to how much of that gets reinvested back into the operating system, the ASIC, if you will, but also how much gets invested into SASE and SecOps. And as we look further out, what the consumer opportunity might be. I think that we feel very comfortable in terms of the opportunity to continue to balance growth and profitability. It is -- when you look at the revenue part of the business or the industry, it's still a fragmented industry. And with that, there continues to be the opportunity to take market share, particularly in the networking security, and we don't want to miss that. But at the same time, I think we've successfully demonstrated the ability to continue to make investments in both network security as well as SASE and SecOps and maintaining the margin and supporting growth.

Got it. So as we think about the dynamics of a sort of big product refresh coming on a go-forward basis, but still big opportunities when it comes to some of the newer growth subscriptions like SASE and SecOps, how should we think about the cadence of growth on the subscription and service side of the equation versus product revenues?

Yes. I think the part of the business and we kind of get a similar question about contract term and duration because you get a little bit of a difference there when you sell a SASE solution, the size of the network security, the firewall, the switches, the access points, it's still running about 65% of the business. And it's a very significant portion of the business. SASE and SecOps, making up the remainder of it. It's going to take a little bit of time for both the contract duration to shift from what we've shown historically at 27 to 28 months and that mix shift to come through the business. We expect that not the contract duration to be something you will see because of the size differential and what we're seeing from our SASE and SecOps solution customers is that they are buying oftentimes more than 1-year contracts. So you're kind of looking at that same dynamic between the two.

Got it. And if we think about demand drivers, I'm thinking back to kind of when we had all the SaaS transitions, we started using a lot more kind of external applications. It was a good tailwind for overall network security, a lot more network traffic going on. It feels like we're coming into a build-out cycle around generative AI, a lot of new applications, people want to build out utilizing that. Could that provide similar tailwinds to Fortinet in terms of more surface area to protect more network traffic that has to go through the boxes?

Yes. Whether the generative AI or some other AI like an MOE or certain AI model, we do see there's a lot of opportunity to apply into this cybersecurity area. Because like I said, the AI definitely helping lower a lot of management cost and also can respond much quicker and then they also open up a new opportunity like consumer market, depending on AI that handles them, supporting and then there's a lot of applied to OT/IoT and robot area that also needs kind of some kind of security to protect the data there. And even protect the AI Data center itself, we're starting to see some takeoff in that business there because people worry about what's the data you want to fit in the model, what output they may give you, whether it will be some kind of a data leakage prevention in there. So we see a lot of new opportunity come with the AI.

Got it. Got it. And then to touch on the margin side of the equation, Fortinet has always been a very efficient company. How much operating leverage is there left in the business? And how should we think about the balance, you started talking about this a little bit before, in terms of what can flow through to the bottom line for investors versus what you guys are going to take to kind of reinvest in the growth opportunities on a go-forward basis?

So we do upgrade from the Rule 40 a few years ago to Rule 45 last November. And that's the commitment we have to the investor, and we're hoping we're keeping improving going forward. But I think right now, we try to balance among the growth and the margin. So that's what we try to see the Rule 45 will be the model we can hold on it.

And I think within that Rule of 45 that we're modeling, we're very excited about it, I think we're very comfortable with the amounts that we have available to invest in growth, and that focus will continue.

Got it. Got it. And maybe just one last question to kind of wrap up the conversation. You guys have -- at the most recent Analyst Day, you guys talked about a 3- to 5-year CAGR of 12% plus on a go-forward basis. Can you give investors a framework of the equation, if you will, of how we should think about what drives that growth on a go-forward basis or your confidence in the durability of that growth on a go-forward basis for Fortinet?

Yes, fair question. I think we look at our -- the 3 pillars of our business that we've talked about, and we do -- one of the inputs of that would be what organizations like Gartner, et cetera, are showing for market growth over that period of time, whether it's in firewalls or switches or access points or SaaS solutions, SASE, SecOps, et cetera. And we do some weighting around that given our relative mix of business and where we might end up. I think we're also certainly very aware that we've shown consistently the ability to take market share. So whatever a third party may offer in terms of market growth dynamics, we have an internal expectation that we're going to outgrow those numbers because of the market share. And we also make sure that we have things like the sales capacity and the sales productivity that will support that number. And I think that, that put us in a very comfortable position in terms of what we provided at the Analyst Day in terms of midrange targets.

Got it. Unfortunately, that takes us to -- wait, wait, call it 6 seconds left there. But that takes us to the end of our allotted time frame. So Ken, Keith, thank you so much for joining us. I appreciate that time.