Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Okay. Thank you. Welcome and good afternoon. I'm Jonathan Ruykhaver, responsible for security and infrastructure software coverage at Baird. Very pleased to introduce Palo Alto CEO, Nikesh Arora; and CFO, Kathy Bonanno. This is a fireside chat format. But before we get into the Q&A, Nikesh, congratulations on your 2-year anniversary with Palo Alto. I think that's coming up June 6.

Indeed.

Hard to believe it's been 2 years. But I was wondering if you could just share thoughts about the opportunities, the vision you had for the company back and how the experience has played out relative to those initial expectations where you've been surprised the most?

Yes, Jonathan, thank you very much for, first of all, having me, and hello to everyone. I have no idea how many people are watching, maybe no one. But 2 years ago, when I came to Palo Alto Networks, in our very first earnings call, we talked about the fact that the industry is fragmented, and we need to drive more integration. We talked about the fact that the transition to cloud is going to be happening soon and we need to be prepared from a security perspective. We talked about the need for automation and AI and machine learning to be able to solve security problems in the future. And we said about 2 years ago, reshaping our portfolio of products to make them more integrated, make them work much more seamlessly with each other. And we realized we had some product gaps. And I've learned this in security that you have to have the best product in the market, being second is not good enough. So we actually ended up acquiring a bunch of businesses, but we kept our focus on integration. So 2 years out, what's the report card? Our firewalls, we have reinitiated innovation. We've gone from 4 to 8 subscriptions in our firewalls. We hadn't build one in 7 years after the first 4. So we are reinitiating innovation there. We're about to go launch in the next few weeks of our next generation of software. On the cloud side, we now believe we have a portfolio of cloud secure -- sorry, a platform for cloud security products, where, as we said in our earnings call, 42 of the Fortune 100 have chosen us. And what's particularly gratifying about that is because every one of those people is an AWS, GCP or Azure customer, yet they chose Palo Alto Networks as the cross-platform, cross-cloud security solution. And that was the biggest question, why are you going to be better than the native cloud providers? And on the automation AI/ML side, we had a product many years ago called Traps, and we've been able to reengineer that, make it the leading product in the XDR category, now, which goes head-to-head with CrowdStrike, and we acquired Demisto, which is now the final core of what we believe is the future of SOC automations. So all in all, really excited about the products that we have been able to put together. We need to get traction on a go-to-market perspective. Of course, I didn't mention Prisma Access, which has been our star product in this sort of remote work -- secure work scenario. So all in all, really happy with the product evolution that we've had. I think you asked me what has surprised me. I think what has surprised me is that the amount of effort it takes to get 6 new product categories executed in the market from a go-to-market perspective. And that's still a lot of blocking and tackling, a lot of hard work. So I think the teams are busy doing that. And I think the debate which has been had in this industry, I suspect, from before I got in here, is, what is the future of firewalls? That continues to be the question. We're saying we're seeing transitions from hardware to software, and that's why we've been talking about firewall to platform. We're glad this quarter we grew that again at double digits, which really allows us to take share in the market. So all in all, happy about the progress in 2 years, still learning cybersecurity, still trying to constantly be paranoid about what trick we're missing as a company.

I appreciate that color, Nikesh. And a lot of what you just explained I think pertains to this next question as well. But it's our firm belief that COVID-19 is accelerating the migration to cloud and highlighting the limitations to the traditional castle-and-moat approach to security and benefits of zero-trust. So if you could talk about your views on that dynamic and how Palo Alto's positions specifically around zero-trust?

Yes. What's interesting is we were early in the process of sending our employees back home because you figured this trend was going to be here for a while, and that allowed us really to get ready for our customers expecting the transition to go home. We saw a tremendous amount of activity in the early days of people going to work from home, where we had to do a bunch of innovative offers in the market to allow our customers to have excess capacity, so because if you plan to remote work for 5%, 10%, 15% of employee base, and overnight, you've got to take 95% to 100% to get them to work from home. So that's a big, big ask to the IT team, the technology teams and our customers and we saw that across the board. I think the industry has seen that to be fair. You have seen that results of our peers in the industry and others, and we saw the same effects. But I do believe that because all of us had many offers out in the market, some customers didn't take the offers to just expanded capacity because they believe this is something they need to be ready for, for the longer term. Some customers using burst capacity, who are likely going to have to work to either a particular solution from the existing vendors or replace that with a much more robust scalable architecture. So I think we've seen that the early spurt. I think that is going to sustain for the next 6 to 9 months in the industry and step the process to about -- there will be 100 to 200 basis points of overall growth that the industry is seeing as a consequence of that. There are some puts and takes. A lot of our customers are hurting from an economic perspective because consumers have vanished and hopefully they come back soon, but it causes customers to take stock and pause. We have some customers who have come out and said, "Now the only part of our business that's working is online because our stores are shut down, so we need to double down on our online capability." So you've seen that on the positive side. On the flip side, there are customers who are saying , "Look, our revenues have vanished. We have tremendous amount of cost pressure. We're going to have to pause some of the new ideas we are exploring." So there's puts and takes. But I think from a long-term perspective, it is accelerating the IT spend that you're going to see from an enterprise perspective. The entire vectors are exploding because people are working from all kinds of remote locations. So security continues to be paramount. So I think in the long term, it's a positive for the sector. I think short term, you could see some lumpiness depending on how customers come back or don't come back in the short term.

I'm wondering, 3Q was a strong quarter for Palo Alto. But I'm wondering if you can talk about those trends around new customer acquisition, large deals, credit issues, billing terms? And how that dynamic has played out through May, if it's changed relative to what you saw through the end of 3Q?

Yes. Look, I mean, to be honest, Jonathan, there's nothing disproportionate in either direction to call out about May. I think May is following what a typical May for us looks like. In terms of trends we saw in April, and I'll ask Kathy to step in and talk about the customer behaviors and our payments and what we're doing to be ready for that kind of behavior, because clearly, there is a cost focus that's slowly creeping in the market across our customer base, and I'll have Kathy talk about that. In terms of large deals, look, our consolidation play is working. We've had a customer, large retailer in this environment, who's done an 8-figure deal with us every quarter for the last 3 quarters. That they have decided to -- they want to reduce their total cost of ownership. And the best way to do that is get your best-of-breed products from one vendor as much as possible. So we're seeing that kind of behavior. As you can imagine, we had a $1 billion-plus quarter. And to do $1 billion-plus on a quarter, you have to have a bunch of 8-figure deals, a lot of them. And so that's working, the big deal motion is working. I think in the margin because the customers are not in their offices, they're less willing to trial new ideas and new products. And that impacts smaller players disproportionately more than larger players in the industry, but we would all see that impact. That's what I meant by short -- going to have some amount of lumpiness depending on your customer profiles and customer takeup. We had a customer, great deal and they unfortunately had to reduce their workforce by 30%. The deal is going to go down 30%. They don't need remote access for people who are not there. So those kinds of things are happening on the margin. We've seen some positive effects, too. But Kathy, perhaps you can share some insights about customer behavior, payments and [ the benefits ] work that you're doing.

Yes. We talked on the earnings call about the fact that we had seen some customers -- we have seen some customers request extended payment terms. We saw a bit of that. You saw our DSO increase in the third quarter, driven by that type of behavior. And so obviously, we're helping our customers wherever we can. We've done a lot of -- we've taken a lot of initiatives to help our customers during this time. And one of the things that we sort of leaned into during this time was setting up Palo Alto Networks Financial Services, which will allow us to provide financing terms for our customers who would rather pay us on an annual basis. Now we're not doing that for every deal. We're being pretty selective about it. And we're stepping in when our other partners can't take on that level of financing themselves. And so it will be a small portion of our overall billings we anticipate. And like I said, we are being very selective about it. But we want to be able to -- for those bigger deals where the customer needs that kind of flexibility, be able to sort of be proactive with that customer and give our sales team a defined set of motions that they can take with that customer, and hopefully, as a result of that, get the margin back to Palo Alto Networks rather than going to a partner that would have had that margin for us in the past -- from us in the past. So yes, a lot of different behaviors. Nikesh and I talked about on the call being somewhat of a benefit to us in the third quarter, the sort of spurt of buying with COVID, but as Nikesh pointed out, we have good and bad in the quarter.

Thanks for the color. SASE. Nikesh, it's a hot topic. Maybe you can tell us how you define SASE, particularly around all the on-premise infrastructure that isn't going away. And how Palo Alto might be better positioned in pure cloud companies in that regard?

Yes. Look, it's an interesting thing. SASE, over time, has evolved, thanks to Gartner, into a category. And it's effectively -- I think the way to think about it is, as -- there was about $70 billion spent on AWS, GCP, Azure. About 2 years ago when I came, people said, "Oh, moving to the cloud means putting your applications in SAP, in Workday or in Salesforce and SaaS security is going to become important because that's cloud security." And then that transformed into [ cloud ] security where you can absolutely develop with your workloads and serverless capabilities in the container, and that's what we built Prisma Cloud around. As you see more and more of the enterprise infrastructure moving to cloud, we will have to do a fundamental re-architecture of the network topology, which means in the past, all traffic went back to the data center, you cleansed it, you shipped it out somewhere else. Now if half the traffic is going to the cloud, you can just go straight to the cloud. You don't have to go back to your data center. That requires you to change how you deliver both connectivity and security at your branches for your mobile users. And effectively, that SASE is basically, the way to think about it is taking your data center security capabilities and putting them on the edge, which requires you have to have DLP, data loss protection (sic) [ data loss prevention ]; we have to have least calls routing from a cloud perspective; we have to have firewalls in the cloud, full firewall capability in the cloud. So all that stuff, for us, is the combination of Prisma Access and our recent acquisition CloudGenix. So we think the trend is early. You're going to need a single pane of glass to manage the edge from a cloud security perspective. For us, that product will be Prisma SASE, which is a combination of Prisma Access and CloudGenix. If we look to the market, CloudGenix has the best cloud-based SD-WAN management capability. We think it is a natural fit for us to be able to integrate the capabilities with Prisma Access in there. Both the products are doing really well in this market in this time frame. And I think we're early in that trend. So yes, a lot of people out there have a version of the SASE solution, and I think time will tell as to who has the most robust set of capabilities. But obviously, talking our book, we think we have one of the leading capabilities in that space. But we'll see how that evolves.

All right. So that actually leads into SD-WAN pretty smoothly or easily. So the question is, we see organizations leveraging, as you define it, a heavy branch architecture which SD-WAN technology is deployed in a device that also has the security controls. And then the lightweight approach is being SD-WAN creating the local Internet breakout, the security control in the cloud.

Yes.

So can you talk about your positioning? Obviously, CloudGenix allows you to do both. But why do both? What is the preferred use case that you're seeing today? And does one become more frequent than other over time?

Yes. Look, that's good idea. It really depends on your architecture of your infrastructure in your company. It depends on what your utilization is across the entire topology that you have. We have the capability in our firewalls to be an SD-WAN capable. We have the cloud management capability in CloudGenix, which will be Prisma SASE. We also have the SD-WAN box from CloudGenix that allows you to deploy a box in your branch if you need to. So at the end of the day, most customers had some sort of diverse infrastructure out there. So we need our, call it, firewall to work seamlessly with an SD-WAN capability out there and you need something that stitches all together. You can do both using the 2 different capabilities that we have.

You don't see one use case over the other becoming the preferred motive deployment over time?

If you are going to do a full re-architecture and you're not worried about leaving any legacy infrastructure around, we would recommend you go down the cloud path. Because eventually, if you are putting all your applications to the cloud, why would you not want to put your security in the cloud and your routing in the cloud? You don't need to deploy a lot more on-prem stuff.

Is there something about data center applications, the elasticity of those applications that might drive certain organizations to maintain more of a footprint in their own on-premise data center, in the sense that heavyweight-type approach would be better than a Prisma Access with CloudGenix?

Jonathan, it's going to be very interesting to see, at least my experience in my short career in security, in enterprise, is that there are some very specific industry verticals which prefer the data-centric approach or data center approach people in your industry, financials like it, because they like to control a lot of the traffic and a lot of their destiny. There's a whole bunch of government use cases where they prefer their on-prem solutions. There are a few industries which like it. But I think for the most part, most other people are going to move their computing to the cloud, probably somewhere in 50% to 70%. So we see the cloud use case dominating. But again, we're agnostic to what architecture you choose. We have the ability to solve the problem for you in both generics.

Yes, offering the choice to the customer. That's obviously important. So this next question, it's been around a long time, the debate shifts. But best-of-breed mentality versus platform, and I think the issue in security is that the rapid changes in the current environment, the need for a new tool to deal with new threats has made it very hard to build a true platform. But that could be changing because of cloud and a lot of the -- capabilities you see within building applications today. So I'm just wondering how you see that argument changing over time. And can you build a true platform out of best-of-breed products?

Yes. I think that's -- I'm glad you said that in the end because look, there is no substitute in security for a bad product. Like, if you have a bad product, there's no way a customer is going to buy it because in the end, the whole purpose of security is to have the best security capability that you have, that's where you're spending money on. So we've taken a very, very deliberate approach in taking -- we acquired best-of-breed capability, but we've integrated it, so the customer doesn't have to do integration. My personal view is that the cost -- total cost of ownership for security ends up being 2 to 3x for our customers because of the fact that they have such a fragmented set of products, which they have to eventually stitch together, they have to, mediate, remediate, that has software analyst look at it and understand all different pieces of vendor infrastructure. So the more integration we can provide, the more automation we can provide, it definitely reduces the total cost of ownership. That's the argument in favor of the platform. But the platform requires you to buy an inferior security product, you've got a problem because that basically gives you exposure from a security perspective. So the place where most recently we launched, built and delivered a platform in cloud security, we bought the best workload security business out there called RedLock. We bought the best container security business out there called Twistlock. We bought the best serverless business out there called PureSec. We integrated that into a single pane of glass in 4 months. We provided a single agent -- we provided a single purchasing mechanism. We provided single way to control track our infrastructure. We're adding 4 more modules to it. It was fascinating. Jonathan, is we kept looking in the market to see if we needed to acquire anything else to give that capability of all the 7 modules we believe we need for our security. And we came with a solution that we've come to a point where our internal development is at par with whatever is best out there. So we believe we can deliver the best set of products and the best integration in the industry in our cloud security. So that's kind of the approach. And there are areas where we don't play. We don't play in identity. We don't play in e-mail security because we believe we don't have the capability. And we don't want to go acquire a second-in-class or third-in-class because the market is reasonably well sort of defined and there are industry leaders who are out there who are doing a good job with it.

Right. Yes. No, that makes sense. So the next question -- this question seemed to lead into each other. But the current environment seems to drive the need for more automation. And specifically, as it relates to Cortex, I'm wondering if you're seeing the resource-constrained environments out there, the lack of ability to be on-site really changing the game towards a -- that sounds like stand-alone orchestration product, but using it internally to really improve the mean time to resolution and automate the remediation.

Yes. And I think that's a great question, Jon. I think that the revolution has not fully arrived in the SOC. What I mean by that is, yes, you have the ability to automate using a SOAR product, whether it's Phantom or whether it's the Cortex XSOAR and we're seeing a lot of traction with our customers with XSOAR. Not just direct customers, there are many MSSPs or SIs who have deployed it to provide a multi-tenant solution for multiple customers that provide a managed service now. So that product is doing well for us. But look, the other problem we're trying to attack is the root cause of that. Why do I get 180,000 alerts in my SOC? Why do I have to spend hours automating those alerts and remediating them? And that kind of starts at source. Part of this is fragmentation because there's so many products that you've got to go make sense of 180,000 alerts automating them away. But the other part is, we also have to start integrating before in the data layer to see how many of them are duplicated. We've discovered that between endpoints and firewalls, you can get 50x more alerts than we need. So our product Cortex XDR, the reason it left off the charts recently is because we are able to reduce 50x the number of alerts that you would get from your firewalls and endpoints going into your SOC. Now that's a welcome relief for our customers. So all you're doing is basically improving the signal to noise that goes into your SOC. And you can automate the rest of the noise away, that leaves you with true incidents, which the mean time to result suddenly goes from 57 days to single-digit days because I only focus on the most important things in infrastructure. So that's the approach we're taking. We are seeing traction with Cortex XDR. To be honest, every time we have a head-to-head technical evaluation, we beat our competition. We just haven't scaled enough to be able to get out there and go to every customer. Because remember, we have a general sales force which sells multiple products, which has to compete today, especially to a sales force that only sells 1 product. So we're trying to strike the balance of making sure we have specialists to deliver the competitive answers to people out there. At the same time, we're also trying to make sure that we don't blow the bank.

There's a lot to manage. I mean, when I look at the story, I think it's all about the execution right now. You seem to have the right product portfolio. The challenge is, can you pull the right levers to make everything work when you need to? So you touched on this previously, Nikesh, it's about long-term pressure in the firewall market, but you did see some improvement in fiscal 3Q after several quarters of weakness. So I'm just wondering, if you look at that core firewall opportunity long term and you also look at the shift to VM-Series and Prisma Access offerings, how do you balance the business, given the tensions between not only the different types of financial models from a perpetual license to a subscription, but just the increasing market appetite for one other than the other?

Yes. Jonathan, if you think about it, as we go through this data center to cloud transition, you are going to want the same capabilities against your cloud infrastructure that you have in a data center. You'd want the same capabilities in your branches or even remote users. So the benefit we have is, we have a single code base that allows you to manage your firewalls, either against AWS, GCP, Azure or the data center or with Prisma Access in your branch situation or your remote user situation, which is, again, goes back to the notion of integration and true cost of ownership. And to be honest, as far as I'm personally concerned, I'm happy if the customer chooses a form factor they prefer and architecture they prefer. I prefer they undertake software because it's much easier to upgrade and update remotely because one of the risks you have in security is, customers have such strong rules about not updating software when something is deployed in the data center because it has a risk of impacting everything else that very often, you don't get security updates, which should be deployed in data center. So it takes that problem away. That's the benefit of the cloud, too. AWS, GCP, Azure don't call you and tell you, "I'm about to do a software upgrade in my cloud." They just do it. So I prefer customers take the software form factor. But because of historical reasons and P&L reasons, we like hardware because it's instant gratification. So we have started talking about Firewall as a Platform as a metric. And as long as I have a double-digit growth in my Firewall as a Platform metric, I know I'm taking share in the market because it's a combination of all form factors, which had really happened last quarter. We slipped, and we didn't have a double-digit growth rate in trials of platform. We've lost share in Q2. And that's why we all rallied -- and partly due to COVID, but still if we had to strip out the COVID impact, we still think we delivered double-digit growth rate in firewall platform, which for us means it is an industry growing at 6% to 8%, we're taking share. And I don't -- I prefer taking software share because I think that's more sustainable in the long term and much easier for me to manage and fits the customer's future topology. And competitively, that's good for us because most of our competition does not have all those 3 form factors.

Yes. When you look at the -- your turnaround quarter-to-quarter and firewall is platform of buildings, can you talk to the license portion of the business relative to Prisma Access? Because it did seem like there was somewhat of a lull in Prisma Access activity, maybe in 2Q, but obviously came back in 3Q?

Look, unfortunately, life doesn't fall neatly into quarters. So as long as we set out a plan for the year, I think our 3 quarters of delivery and the fourth quarter estimates from The Street perhaps give us indication that we're probably going to be close to our expected plan for the year, which in a COVID year is, for us, an amazing achievement. And some things get lumpy and some things do balance out in quarters, and some other things do better than in other quarters. So we actually met our bookings number every quarter. Last quarter, we were light in product. This quarter, we made product. So I'm not fussed about -- we had a problem last quarter on product, so that's why we focused on it. We don't think there's any issue with Prisma Access or Prisma Cloud or Cortex from an [ inherent ] or from a development perspective.

Okay. And as it relates to Prisma Access, there seems to be a lot of confusion around competition vis-à-vis Zscaler, and their multi-tenant approach versus the way you go about it. Can you just talk about scaling of large enterprises to, let's say, Office 365, which is an application that really drives a lot of multiple connection just for 1 e-mail and logs. But your ability to scale -- or how you think that matches relative to Zscaler when you're seeing some of those large enterprise competitive opportunities?

Well, let's see. If I can channel Nir, our founder. I would say that -- if you ask Office 365, they will recommend you shut down Zscaler while accessing Office 365. So it's the worst-kept secret in the industry, and Microsoft helps them sell a lot for Zscaler. They prefer Office 365, not because of Zscaler, because of proxy interference with Office 365. Having said that, the Prisma Access, there was a recent LinkedIn post by the CIO of PwC, who said that we were running 225,000 concurrent users for them in the midst of COVID. So if you have a scalability question, there's an ad on television where the Schlumberger CIO talks about how we're running 80,000 concurrent users for Schlumberger. So I don't -- I'm not worried about scalability. Guess what? We take your traffic, we put it on Google Cloud. Google Cloud has the best network underlying any cloud infrastructure out there. So we're not worried about the scalability and the latency issues. I think it takes 3x as much for data to get through a proxy then it takes on Google Cloud. So our scalability latency is low from a response time perspective. We provide a full software stack. We provide the same number of services and capabilities that we do in our million-dollar physical box that you put in your data center off your single-user purchase price for Prisma Access. So you get the same level of firewall security in Prisma Access than you get in your data center. So again, from a security perspective, we don't believe that's an issue. But Zscaler are successful in their own right. We can [ convince ] customers [ to be with us ], so that's the way to go. We didn't have a product 18 months ago. 18 months in, we believe we are winning head-to-head with Zscaler in many customer accounts as we scale it. I'm perfectly happy in any market where I can get to 30% or 40% market share. We have 2.5% share in the entire security industry. If I can get many products to 40% market share, I have a feeling that 2.5% will improve.

No, I hear you. It seems to me like when you were able to create that partnership with Google and broaden that footprint and the integration through GPC, that made a big difference in terms of scalability.

Yes. Look, I think in the next 5 years, any company which is trying to deliver a cloud-based risk is going to run into scalability issues if you have tremendous adoption. Because it's hard to build data centers in 75 countries out there and make sure you have low latency and make sure you can manage infrastructure and you can make sure that you can create scalability. It's just a hard problem to solve. It's been done before, but now you have a perfectly viable alternative provided by 5 different public cloud providers out there. If you can write your infrastructure that works on them, you go focus on the more important parts of your product and worry about latency and response rates.

Nikesh, I think I can squeeze in one final question. Maybe you have 2 minutes to answer it. But what are the -- when -- so looking at building a true platform, what I'm really curious about is, what are the product synergies you look at to measure your success around a platform?

Look, we have built -- in the last 18 months, we've had a platform called Our Firewall, where we have 4 subscriptions, and we used to look at the attach rate of our subscriptions to our firewalls, how many subscriptions do we attach to each firewall, how many do we sell? We -- the numbers -- Kathy can tell you -- what's the number we're tallying, Kathy, 2-something? Yes. So our attachment on the 4-sub is 2-point-some times that of a firewall sale. And well, we've delivered 4 more. So we have 8 services that we can deliver of a firewall. We're very excited about the one we're about to launch in a few weeks, it's called IoT. We believe that this is an underserved market. And if you have a lot of firewall, which 72,000 customers do, you can turn on IoT capability and it will give you the visibility of your IoT devices and infrastructure. You can segment them and shut them off if you need to or protect from stuff against that. So that's where we're looking at from a firewall perspective, how many times can we sell more capabilities on the firewall. On Prisma Cloud, we've started with one product called RedLock. We had Twistlock. When we combine the product, we saw a 20% uptick in either product or the other product, which is wonderful from a cost of sales and a deployment perspective because I'd rather not have to go sell each module individually. And our sales call and a commission call. I much rather create more consumption in my product because that makes it a much better AR-styled consumption-based business. And when I look at Cortex XSOAR, we are building more modules in XSOAR via SOC. So you'll see us do more and more, just like we did in firewalls, just like we did in Prisma Cloud, giving you more capability to deploy. I think I've tried -- 2 minutes.

Yes, that's helpful. Well, I think we have run out of time. But Nikesh, Kathy, thank you very much for presenting, and have fun in the breakouts.

Thank you, Jonathan.

Thank you, Jonathan. Bye.

Bye.