Okta, Inc. (OKTA) Earnings Call Transcript & Summary

All right. Good stuff. I think we can go ahead and kick it off. Good morning. Thanks so much for joining us. Day 2 of the Goldman Sachs Communacopia and Technology Conference. I'm Gabriela Borges. I cover security here at Goldman. I go to my colleagues to my right. Delighted to have on stage Eric Kelleher, President and CEO of Okta. Congratulations on your new role. It's really good to have you here.

Thank you. It doesn't feel new anymore, but it's great to be here. Thanks for inviting.

Well, Eric, I know there's a lot of excitement happening in the identity vertical right now. I wanted to ask you the question on where has Okta earned the right to win? I ask you what you think the company's core competencies are? And so maybe through that lens, what do you think is Okta's most central core competency or barrier to entry? And how do you then leverage that into deciding where you're going to participate in the broad identity?

I think identity itself is a -- it's a fairly broad functional space of problems to solve. But at its core, it starts with knowing who people are and knowing who machines are and knowing who agents are in the new world, we can talk about that. And then when someone takes an action, one of those things takes an action, being able to authenticate it is who it says it is or it is who he or she says they are. That authentication is kind of the beginning of the conversation. But what we've seen over the past -- Okta is now 17 years into this journey is our customers have really pulled us into more and more advanced use cases. What started -- there's been 3 waves for us that we've had to manage through. Wave 1 was the shift to cloud. And if you go back to when we were started 2009, 2010, the industry was going through a transformation where customers were going from managing all their systems in their on-prem data centers into managing a hybrid world that's both on-prem and cloud-based. And so as they're bringing in web-based services, one of the first fundamental challenges they needed to solve was that functional challenge of how do I authenticate users in a directory in both on-prem and in a hybrid world. And so Okta came in with Identity as a Service and providing core access management to solve that fundamental problem. And we've been very successful in that space. As that market matured, that then pulled us into additional areas like multifactor authentication and then Adaptive Multi-Factor Authentication. And what we saw along the way is Okta is really good at making the complex simple. It's really good at making products that are easy to administer and that are relatively straightforward to configure. And then relative to legacy providers it can be managed in a way that customers have confidence that it's deployed accurately and that it's deployed the way that they intended and that it is being managed the way that they intended. And so an Okta deployment is typically -- it's more straightforward to administer and less fragile than a lot of legacy vendors. And so that brought us a lot of credibility with our customers. And it caused them to ask us to help them solve additional use cases. So start with access management, great. So you can look at all the metrics you want about Okta's leadership in this space. Then you look at things like I mentioned multifactor and adaptive multifactor. Customers asked us for a way to automate the provisioning and deprovisioning of accounts. And so we created a product called Lifecycle Management. And that allowed for onboarding and offboarding. When somebody is hired, you create a user record for them, when they're terminated or they leave, you delete that user record. We then expanded that, and that worked great and customers needed us to help them solve more generic business rules. And so we brought our workflows product to market that lets you expand upon that. And then as the years progressed, people got -- kept pulling us into adjacent use cases. And one of the big ones for us right now, we talk about very publicly is identity governance. So Lifecycle Management is step one, provisioning, deprovisioning, workflows makes that more general. Identity governance starts to -- customers have a need to deploy business rules and logic and approvals and auditability in a way that allows them to report that they're managing their systems properly. And we've recently entered the governance space. We've -- we're very pleased with the performance of our Okta Identity Governance, our product in this space. We announced in Q4 a couple of quarters back that it crossed $100 million in ARR for us. We're really pleased with that. In this most recent quarter, we announced that new products in total anchored on governance continue to be a very healthy contributor to our bookings. So -- and then beyond governance, we look at privileged access. Now how do we take machine accounts and highly privileged accounts and manage them in a way that is vaulted and rotated and stored through privileged access. So those areas have been what's together. So to your question about how do we differentiate, the way that we differentiate is in conversations with CIOs, in conversations with CISOs, they have all these use cases that they need to solve. And historically, they've had to attack all these use cases by going off to a bunch of different point solutions and a bunch of different vendors. One of the things Okta has done really, really well is we've earned the trust of our customers. They trust our technology. They trust that when there is an issue, we help them resolve the issue. They trust that we're transparent. And so our customers have asked us to help solve more of their identity use cases. And so what we see right now is a very strong interest for CIOs and CISOs and this wave of vendor consolidation as everyone is trying to simplify, they want one identity partner. And they want one identity partner that can address all those use cases. And so what we provide is we describe as the identity security fabric. It's the combination of all of these technologies, the ones I've mentioned plus our Auth0 product for developers and our security products on top of this. So we provide things like posture management and threat protection, which is our ITDR product. All of these are woven together in what we call this identity security fabric. And so a core differentiator for us right now and what customers look for is they believe Okta is their one-stop partner as a neutral identity provider that can support all of their identity use cases.

Yes. Maybe let's stay on this idea of credibility and solving in adjacencies. Sometimes we hear industry concern or industry feedback that Okta is a great business enablement tool, but they're not really a security company. So maybe help us repeat that directly. Have you made progress with some of the security relationships? And how do you think about balancing across business enablement and security and essentially doing so?

Yes, that's been an evolution. So I mentioned the first wave for Okta, our first wave of growth back when we were founded 17 years ago was about the move to cloud. The second wave for us was a recognition and an acknowledgment and a mobilization within the industry that identity security. And so what started as a technical problem, how to allow people to move to the cloud has really become -- it's turned into also a very significant security challenge for people to manage. Depending upon what study you look at today, somewhere between 80% and 86% of security incidents start with some form of compromised credential, 80% to 86%. So if you can't secure identity, you can't be secure. And so what we've seen in the past several years and really pronounced in the past 2 years, our audience has shifted, whereas historically, it was predominantly COOs and developers. It is now very heavily weighted towards Chief Information Security Officers, who are recognizing the importance of securing identity at the beginning of their security architecture. We've convened a forum of CISOs, the CISO forum at Okta, where we have 60 of our top CISOs from our top customers that we meet with twice a year and monthly virtually and physically twice a year to talk through trends in identity security and to understand the threat actors that they're challenged with. We've also launched this year a thought leadership platform, Okta Threat Intelligence, where we publish what we see. So we manage today over 45 billion authentication events every month. And in that volume of data that we have, we see threat actor activity before any individual customer is going to see it. And so our threat intelligence thought leadership platform allows us to share that with CISOs. And so you asked about credibility and trust in what we build, we're very consciously investing and building our relationships with and the value that we provide to the security audience based on our unique position and what we can do. And so we're very pleased with that, and we don't see that abating. In fact, in the world of agentic as agents are coming in. The security challenges associated with identity get even more pronounced. So we're very confident this is a continued way for us to invest in.

Do you want to spend more time on a agentic, but before we do that. Okta, one of the more interesting product cycles that you're doing with PAM is bringing PAM to the mid-market. And we're hearing now from Palo Alto and CyberArk on their plans to democratize PAM as well. So maybe just compare and contrast the two approaches. PAM has historically been a really tough technology to do simply and cheaply. How are you progressing with that? And how does your approach compared to Palo Alto and CyberArk?

I think that the -- so we're newer into the privileged access space. That product is newer than our governance product that I talked about previously. I personally see a very similar path for our privileged access product as we continue to invest in that. We just announced with our Q2 earnings, we've acquired a company called Axiom. Axiom is an expert in this space. And we acquired it for two reasons. One, they have technology that adds some important capabilities to our existing privileged access product, in particular, connection with Kubernetes and connection with databases. That makes -- that technology will make our products able to solve more use cases for customers and makes it more of a viable product in mid-market and in the enterprise. And in addition, we acquired a number of really, really talented technologists that have been focused in the space exclusively for many, many years. And so that will accelerate our privileged access product. But to your question on, the path that we're on with this, most SaaS companies when they start, they start with smaller customers first. And when we started with single sign-on 17 years ago, our first customers were small companies that didn't have an identity provider and didn't have a single sign-on. But as the typical curve, which Okta has followed is as your product becomes more capable as you innovate over time and as your customers are successful, that success compounds and you earn your way up market. For Okta, our fastest-growing cohort has been in large customers for many, many quarters now. We announced in our Q2 now, customers spending more than $100,000 with us account for 80% of our ACV. We have almost 500 customers spending more than $1 million a year with us. And so, we've brought our products upmarket in a way where that's where we're seeing the greatest economic opportunity and the greatest return. And obviously, it's a very core focus area for us and will continue. With every incremental product we bring to market in governance and privileged access are in this market, there is a similar path. So our first governance -- launch of governance more than 2 years ago, initially was not well suited for Fortune 500 companies. It solved some basic use cases. It initially didn't have separation of duties, which is very important for large companies that have vulnerability requirements. But it's our basic provisioning and deprovisioning and smaller companies would buy it and deploy it and had great success with it. I mean we mentioned it's grown to over $100 million in ARR. We crossed 1,000 customers in our first 18 months. I think it took SailPoint like 20 years to get to -- or 18 years to get to the same number of customers. So we feel good about the trajectory and the relevance and we're earning the right to compete more upmarket. In Q1, we had 2 major functional releases, which make us more ready for upmarket. So to your question on privileged access, we see the same curve. So our early privileged access customers. We're not -- privileged access today is not a land product for Okta. We don't go compete head-to-head with CyberArk for a privileged access opportunity. And they're 20 years in this space on their capabilities and the depth of their product. We're not there in what we offer. What we do offer today is for companies that are Okta customers that -- where they're using us as an identity partner to solve the use cases. If they have needs that -- with privileged access, we have an offering that can help them with that. And so we're seeing some accounts where people are bringing in privileged access alongside a legacy privileged access provider. And we're seeing some where they don't yet have a legacy provider where they're getting started with us. But we're really confident over time as our product gets more and more capable, we'll be more directly competitive in the privileged access space than we are today.

So I think two things that investors have been debating pretty actively are both the timing of when agentic is going to start to matter for the identity space. So could you comment a little bit on just the maturity of those conversations right now? And then the second piece is when you look across the different pillars of identity with IAM, IGA, PAM, where do you see the most opportunity you'd say from an agentic standpoint?

From agentic, yes, everyone is trying to figure this out right now. And so all of you are as well, and all technologists are trying to figure it out as well. From an Okta standpoint, we're really excited by what agentic means for the world, both for what it means for our ability to innovate and our ability to be more productive, our ability to solve big problems faster from a securing identity perspective, so Okta secures identity. We need to secure agentic identity. And so what we see happening right now, and we've talked about this publicly as agents in general right now are in development and they're in prototype. And companies are excited by what the agents can do. As people move those agents from development and prototype into production systems, they're realizing that managing the identity of that agent is fundamentally important. And it's complicated because the way that agents are typically provisioned now is by a user giving it access. So for all of you, if you're using Google Gemini and your Google account, when you turn on Gemini, they'll ask you, do you give it access to your e-mail and you have to decide, yes, no, give access to my e-mail. Does it get access to your calendar? Yes, give it access to my calendar. Does they get access to my financial system? Yes. My travel system? Yes. So you go through this manual process of provisioning. And now there's an agent somewhere that you don't control, that's going to have updates and coding capabilities at it, that has perpetual access to all the things that you've given it access to. As companies start to realize the exposure with that, managing agentic identity is a core challenge that people need to manage. So for Okta, the way that we see helping this problem, it's first from a product standpoint. So our products are already ready to support agentic identity. So we have a universal directory product that manages the identities that we secure. Some of those are human identities, some are service accounts or nonhuman identities and it can also include agentic identities. So our directory product is ready for that. Our governance product, as I mentioned, one of the features of our governance product is business logic for when you provision and deprovision. So rather than an agent having perpetual standing access to all of your things you can use Okta Identity Governance with that identity to just-in-time provision it. When you need your agent to take action, turn it on. And when you're done with that action, you can turn off again. So the identity governance can really help contain that. And then from a functionality standpoint, what is your agent authorized to do? So it's one thing to know your agent is who it says it is, and it's not being a impersonated by a threat actor or a nation state. That's important. That's what we call authentication. Once you've authenticated, you then have the challenge of what is it authorized to do. So I was a user of [ vivo ] can't log into my Google Workspace. But when I click on a document, it checks to make sure I'm authorized to look at that particular document. The same distinction applies for agents. We need to authorize them. But then when it tries to take a specific action, it needs to be authorized to make sure it can do that. So our Auth0 platform for developers developing agents allows them to develop with fine-grained authorization so that developers can ensure these agents have access only to what they're supposed to. So authentication and authorization are even more important. And we're launching a product at Oktane in a couple of weeks called Auth0 for AI Agents, which is designed specifically to make that use case easier for developers to get right. And then, second -- I mentioned there's two things. The second conversation, which is important to this is not so much a product conversation as an industry standardization conversation. Right now, we have -- actually just this month, we have announced that we're advocating for a new standard with the Open Standards Committee called Cross App Access. And what Cross App Access will do, it's a protocol. And what it will do is, it will allow agents to share its identity with an IdP so that the agent can be managed just like a human identity or nonhuman identity. So if you're a developer and you build, you implement your agents to support Cross App Access, it can be -- that agent's identity can be put in a directory and it can be managed through authentication and it can be managed through authorization. We have a number of ISVs that are signed up to support and implement the protocol. I had the opportunity to interview this CEO of Ryder a couple of weeks back. Their framework for development and agents is very excited about what Cross App Access will do. But ultimately, as more and more companies -- more and more developers develop agents to support Cross App Access and more and more IdPs, including Okta support it from a management standpoint, what we do is we allow the industry to manage agents. And until we get that standard in place and implemented and supported, it's going to be an unmanaged landscape for a while. So we're doing -- we're taking our thought leadership position to help make that manageable for our customers.

And then I think one thing that people agree on is the way that employees interface with technology is probably going to look different 10 years from now. But there's a bunch of questions out there on what actually that looks like and the user interface that you think exist in 10 years. Given the lack of visibility, I'd say, into kind of what that looks like, how are you going to prepare Okta for any scenario?

I think from a user interface perspective, it's hard to know that what is our UI going to be in 10 years? Are we all wear Meta glasses? Are we all like, we don't know. But what I would say the way Okta views UI evolution is the core challenges of making sure a person or an entity or an agent is who it purports to be, it doesn't change. And the core issue of verifying that agent, that person, that machine is authorized to do the thing is doing doesn't change. So whatever user interface we put on top of this, the core business logic, the core technical problem, the core security problem still remains. And it's Okta's business to make sure we help people manage that, that we give them technology that works that is fast time to deploy, a quick return on investment and that helps them solve more and more of their adjacent use cases over time. And that's our brand promise to our customers.

And then Okta kind of in a unique position where you have a lot of visibility into the app ecosystem, and there's also a lot of visibility into kind of the newer entrants in the space, I would say. And so what's your kind of take on this depth of SaaS narrative and what Okta do?

Yes. It's a prominent narrative right now. What is the -- in the era of vibe coding, can someone like tell their computer to write Salesforce and then turn off their Salesforce. There will be evolution. And there will be enterprise SaaS companies that are -- whose business is impacted by the things that people can do with AI and AI development and not vibe coding, but coding in general with AI-assisted agents. It's hard to know exactly where it will play out and who are going to be the most impacted at one point in time. It's fair to say for the foreseeable future. Enterprise SaaS is really important. The world runs on enterprise SaaS. Hence, I don't see -- I don't fundamentally see any change overnight where any of these big technologies are significantly impacted. But all of them were thinking about how this evolution is going to impact their opportunity and how they -- if not pivot, how do they tweak their road map and their prioritization to ensure that they're embracing a world where we're surrounded by people that are AI empowered, both developers and business users and it will change what we do. We have -- I heard a comment recently, someone talked about how people go from doing the work to steering AI as AI is doing the work. And I think that shift in thought work between agents and humans. It's going to be exciting for us all to watch. But I don't see the death of SaaS to your question.

It leads nicely to a second derivative question, how you think about the pricing model because if you think about classic Okta workers, seat count based, are mostly tied to white collar workers. So I guess the question is, in the event that you see pressure on white collar seat count over the medium term. How do you think about evolving your pricing model? Are you already evolving your pricing model? And how do you monetize the agents such that you end up in a net positive price to negative...

Yes, that's a great question. It's early. It's early to know what exactly -- how do I personally feel about that? I think it is certainly a possibility that Okta historically, because we grew up, as I mentioned, managing human identities and specifically solving getting human identities into the cloud and then securing those identities. I talked about that. So it's reasonable to wonder in a world where maybe there are a few white collar workers with downward pressure does that piece in Okta. We're not seeing that, but it's reasonable to -- and that's a more macroeconomic conversation of how does the global workforce across all industries evolve and what might that do from Okta's human identity business. I think the reality for us is that's something that we have to be mindful of and look out for. We're not feeling it yet. But it's important to understand as well, our business is not just human identity anymore. So for many, many years, we've supported machine identities through Advanced Server Access and privileged access. We monitor through identity security posture management. So machine identities and service accounts and other token identities we've been managing for years and years. And depending upon what industry report you look at, there's ratios that typically, there's somewhere from 30 to 60x as many machine identities as there are human identities. So if there's downward pressure in human, what does that mean for machine identities. And then you can look at whatever number you want for agents, but agents are in order of magnitude more complicated and you'll see it. People are going to have thousands of agents per person or dozens or hundreds, that will pick your numbers. So for us, as we look at how do we evolve our business, we need to look at all of those trends and see what's real. And we don't worry -- in our minds, the evolution of AI and the importance of securing agentic identity and the potential for AI to take on more provides well more upside than exposure is how we're thinking about it.

Maybe not a forward-looking question then. When you look at your profile today or your customers profiles today between human identity and things like machine identity. How do you price the machine identity part? Is there any value creation data points you can share on how that's priced?

Yes. So users are in 1 of 2 buckets, so it's either a named license with an annual subscription or it is a monthly active user. So those are our user buckets. And then our machine buckets are typically by resource unit. So how many CPUs, how many boxes, and that's been effective for us today, and it will certainly need to evolve in a world where it's not just machines but also agents. And we haven't announced agentic pricing yet. But stay tuned for that. We have some exciting announcements coming up at Oktane.

Yes. Fantastic. Let's talk a little bit about the go-to-market changes that you made in 1Q of this year. So as you alluded to in the last 20, 30 minutes, there has been this evolution towards multiproduct and upmarket and so. So maybe give us the point in time update on how the realignment in 1Q is playing out relative to your expectations. How do you feel about things like productivity ramps for QBRs, percentage of QBRs achieving attainment kind of metrics, any color you can share.

Yes. I think, well beyond what we talked about in our Q1 and Q2 earnings is we feel -- after Q1, we said we thought we were on track. And after Q2, we said we had a strong quarter, and we feel highly confident in the path that we're on. So that's very true. The -- as you would hope, because we said it publicly to all of you. The -- this is our -- it's not our first time special. I think it's our third major wave of specialization. And what's underneath this year, for those of you that haven't been closely following, we made a significant change in our go-to-market organization, and it was to be more outside in and to focus on our buyer personas. And last year, 100% of our sales force was what we call generalists. Every salesperson sold every product to every audience and it required. If you're an account executive at Okta, it required you to understand how to sell to a developer who's building an app with Auth0 and the portfolio of products under the Auth0 platform. And if you were selling to a CIO, you needed to be able to sell the entire spectrum of Okta products. And you need to know what a CIO needed and cared about and what they were talking about and what their priorities were. And then I mentioned earlier, our conversations have really evolved. We spend a high percentage of our time now with Chief Information Security Officers who have a whole security conversation. And so we were asking our salespeople to understand security, to understand IT, to understand developers and to understand a really broad mix of products across 2 platforms and all of that. And what we realized is our -- we're asking too much of an individual salesperson. And we were -- we realized that we were highly confident we would be more productive from a sales standpoint if we focused on our buyer personas and our platforms. So now the majority of our salespeople this year effective February 1 are either selling to IT and security, a corporate sale or are they selling to developers, developers sale, an engineering sale. And they're selling either the Okta platform with our traditional identity security fabric, as I described, or they're selling the Auth0 platform to developers. And that model for us has allowed our buyers to focus to build deeper relationships -- or sorry, our sellers to focus on their buyers to develop deeper relationships, to earn more credibility and trust, the question you asked earlier. And it's helping them build pipeline in their territories in ways that we have. And so one of our data points we shared from Q2 is we generated a record amount of pipeline in Q2 for the company. In 17 years, we've never generated more pipe. Now this is 2 quarters into us getting more focus in our go-to-market organization. So we have XDRs, our folks who triage inbound leads and outbound prospect for leads. That group is now focused on either of the IT security buyer or the developer buyer, our salespeople, our presales engineers, and our technical account managers, all of our go-to-market teams are better in tune to the needs of the audience, and one output from that in Q2 was a record amount of pipeline that we generated. So we're highly confident in the path that we're on. We also shared that every year is back-end loaded. So we were on track in Q1. We had a solid Q2. We have a record pipe into Q2 carrying us into the second half of the year. So we're confident, and we have a lot of work to do. So Q3 is important quarter for us. Q4 is an important quarter for us, and we're our heads down, executing.

Maybe just benchmark this record pipeline comment because companies that grow generally every year, you see new records on pipeline. Is there something to read into the fact that you're seeing record pipeline in Q2, meaning you would normally see record pipeline later in the year? And I guess this is a long way of asking, we don't have Brett on stage to talk about cRPO. But as someone who is so focused on operations and go-to-market, how do you think about the scenarios for reacceleration as we go to the back half of the year?

Yes, I think that's a great question. I think for -- which is not to imply the previous questions weren't also great. The way that I think about the relevance and the importance of that milestone for us in Q2, it's related to your prior question about specialization, how specialization going. And what we've seen with specialization is it takes time to really -- there's a cost of change when you make a change and then that starts to pay off with productivity gains over time. So this is our third wave. Our first wave of a specialization many years ago was we created a public sector go-to-market team, that focuses on public sector customers and learning the needs of the public sector and the way that they contract and their specific technical needs and security needs. That team is -- we talk about it publicly, it's a high-performing team for us. And last quarter in Q2, we announced that half of our -- 5 of our top 10 deals were in the public sector. We announced that our largest deal in the quarter was a public sector deal. So that specialization really works, but it took time for it to be performing at the way it's performing right now. Last February -- almost 2 years ago, we announced a specialization on hunter-farmer where we took a team, we have brought so many -- so much new product to market that we saw our bookings mix had shifted away from new logo acquisition to cross-sell and upsell because we had more to sell to our customers. And so almost 2 years ago in February, we created a hunter-farmer model for our small business team in North America, where we had a team of [ AEs ] who will only compensate on a new logo acquisition. And we had a team that were compensated only on cross-sell and upsell. And that change took time. We had -- that group had a very strong Q2. We talked about that, and we're highly confident, but that's 18 months in. So when we look for this next current -- this current round of specialization of separating go-to-market into the 2 buyer personas and the 2 platforms, we look for leading indicators to tell us that it's working. And for us, being only in our second quarter and seeing pipeline get even farther than it's ever been before is a really encouraging indicator that the path that we're on is a productive path. So that's how those ideas tied together.

Yes. Great context. Questions from the audience? .

I can ask one on the go-to-market theme. A couple of months ago, you guys rolled out suites for workforce identity, could you talk a bit about feedback from your go-to-market team, feedback from customers and kind of anything you're noticing from changing in your deal cycles or anything like that as a result?

Yes. Suites were -- we launched suites, so you can think of them as bundles for the identity security fabric with the intent of allowing -- making it easier for people to buy. So rather than know specifically the nuances of every product and every license, they can buy the suite and then they can grow into the suite over time. That was the intent and the rationale behind the launch, it's early. Feedback from customers has been very positive. It makes it easier for them to just buy and go and plan. And feedback from sellers has been similar as well. We also have some anecdotal feedback from sellers that it's helping on the average sale price. But it's really, really early. So we haven't announced any specifics about that yet.

And then I'll go with one last one. We had a lot of discussion from companies and what they're seeing internally from AI productivity benefits. What are you guys seeing internally? What are you most excited about from like an operational standpoint?

We are -- I think everyone is asking themselves this question, and you've got prognosticators out there saying that they don't need employees anymore. We have some good early success in our support organization. We're really pleased we're turning around cases faster with higher CSAT. So we're really pleased with that ultimate opportunity. Our marketing organization is heavily leveraging AI tools for a lot of our creative work and our campaign work that's been very effective. We're piloting right now on our XDR for a lead prospecting, how it can help us be more productive there. And then functionally, I manage our IT organization we have a cross-functional team that is helping advocate for applications of AI in each of our functions, so G&A and legal and we're seeing opportunities everywhere. But we haven't published specific quantitative productivity metrics across those businesses, yet, but we'll get to the point when we do.

Fantastic. All right, thank you for your time. Please join me in thanking Okta.

Thank you.