Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

All right. Great. Thank you. So we're continuing the session here today. I'm Walter Pritchard, software analyst here at Citi. And happy to have with us Nikesh Arora, who's the CEO of Palo Alto, and he's in the office there. And we're obviously going to go through some questions I prepared. And as I've said in past sessions, my e-mail should be at the bottom of the screen there. If you have any questions that come up during the session, you can send them to [email protected], and we'll incorporate them in. So Nikesh, thanks for joining us today.

My pleasure, Walter. Thank you for having me.

All right. Great. So I guess maybe we could start out just talking about what we're seeing here in the world like kind of real-time with COVID. There's -- you talked about on your earnings call not -- so not that distant past sort of what you were seeing. Maybe you could recap that and just help us understand sort of short-term impacts and then how you're thinking about the medium-term and long-term impact of this environment.

Great. Thank you, Walter. As we talked about in the earnings call or at that time, I mean, the COVID pandemic hit and everybody rushed to go work from home. I think it's fair to say that all of us saw a surge and a need to enable our customers to be able to work effectively from home, i.e. make security work. Many of our customers expanded their subscriptions of our GlobalProtect product. Many of our customers started doing trials of our Prisma Access product. We introduced a free surge capacity and capability over the next 3 months. At that point in time, we also introduced the ability to -- for people to try our Prisma Access product. And as we've said previously, we had 1,500 customers either take surge capacity or trial our remote secure work product across the globe. So clearly, that meant there was a lot of demand in that time frame. I think part of it was people who had it in play couldn't get purchase orders out fast enough to be able to use capacity, or people who thought the capacity was needed but it may not be need for more than 3, 4, 5 weeks. So that's kind of what happened at that point in time. I think as the quarter progressed and customers started thinking about the economic impact of the pandemic to their business, started looking at their IT spend, started looking at their security spend, and we saw a different impact. I mean depending on the customer if they were largely impacted, whether they're in travel, hospitality, they're rethinking their IT posture, their security posture and trying to figure out what they want to do next. Some of them are asking for bigger consolidation pitches, saying, how can I reduce my overall cost if I was to consolidate around certain fewer vendors. Some them are saying, "I'm thinking of accelerating my cloud posture. How do I get to the cloud faster? What do I need from -- for security in the cloud?" Some people are busy enabling their e-commerce engines faster. So you're seeing a lot of different activity from an IT perspective. But I'd say broadly speaking, Walter, the intensity has gone up, not gone down. I think we are going to see economic decisions come to the forefront more so as people look at their P&L and saying, "How do I make sure I can get all this done with the amount of budget I have or the pressure I have from the revenue side or cost side?" So we're seeing a lot of impacts, but I think it's generally good for technology in the medium to long term, and I think it's good for security as a consequence.

Got it. And sort of a cross-current on that, I mean, you as taking over CEO have made a lot of sort of evolutions or, I guess, some pretty big moves on the product side to get into new markets. How do you think about those moves? And what's happening with COVID in terms of bringing you into markets that you weren't able to access, say, a couple of years ago? And what are you seeing in terms of traction in some of those places?

Yes. Thanks, Walter. As I say, sometimes, we'd better be lucky than good. So I think some of the changes we made 2 years ago have really been helpful in the context of where we are and what the current need of the hour is. One of the big plays we made was consolidation and integration. We wanted to make sure that our products work better together and they were integrated so the customer didn't have to integrate. If I go to our 3 categories, our sort of firewall category, our cloud category and our SOC and automation category, in the firewall category, we've gone from 4 to 8 subscriptions most recently. We're about to announce IoT in the next few weeks, which will work off the firewalls. So we have 73,000 customers deploying our firewalls. We should be able to at least go to half of them and without them having to deploy any new infrastructure through a software upgrade or software capability. They should be able to deploy IoT security into the enterprise just off the cloud pane. So that's exciting because a lot of people feel the need to it, except the only other solutions today are only going to go deploy a whole net new set of sensors into your infrastructure so you can collect new data and go to deploy IoT. We're going to make that capability native to our firewall. So things like that, DLP, SD-WAN. So our idea of deploying more subscriptions from the firewalls, I guess, is a good idea in hindsight because we can do 8 different things with software without a hardware sort of role. In the category of cloud, we built a cloud security capability. And today, our cloud security capability is better stitched than even the native cloud security. You get AWS. You need 4 modules, but you have to stitch it together to provide security in AWS. And then getting to something different to GCP, something different for Azure. With us, you can deploy one platform. All those 4 modules work together in one stitched capability. On top of that, you can also make it work on-prem, AWS, Azure, GCP. So in our cloud business, our cloud security business, we have 43 of the Fortune 100 companies already deploying Prisma Cloud. We actually don't see much from an integrated competitive activity other than people who use the cloud-native security capabilities. On Prisma Access, which is our remote secure access product, which competes to Zscaler, we have seen phenomenal traction. Our product was ready. We're seeing the traction with COVID. We think this is early days for that capability. We think we're going to see more and more discussion around sustained remote secure access, sustained need for SD-WAN. So we acquired CloudGenix, which is going to get integrated -- first integration in the next few months with Prisma Access, and then subsequently by the end of the year. And in our automation and SOC capability, we took a product, which is called Traps. We merged it with behavior and analytic capabilities, which we had acquired a few weeks ago or a few months ago, just one of the best features vis--vis all end point products in by -- test run by MITRE. We beat CrowdStrike. We beat Symantec and McAfee, Carbon Black, Cylance, you name them. So that product is well situated. It's doing really well for us, and it integrates into our Cortex XSOAR product effectively, which is our SOC automation product. So sorry, Walter, for the long editorial, but a lot of our product strategies have fallen into place, and that allows us to, despite everything that is going on, stay confident in the target we set a year ago, that by the end of July, we should do over $810 million in bookings in our next-gen security product. We feel confident that we're going to do that.

And stepping back from there, as you think about how this year has progressed and you've very much deliberately driven the organization to embrace these next-gen security products, and as you pointed out, you've seen this -- it looks like you'll see the success that you were targeting to see. How do you think about sort of the sustained complexion of demand here between the core products, which are maybe never going away but aren't growing what they used to, and these next-gen products, which maybe grew faster than is sustainable given sort of the focus of the organization on those products over the last year?

So Walter, actually, we are having a conversation with our leaders this morning. And I don't think we've fully tapped all the demand that is out there for our next-generation products. So I don't think that we've seen -- I think our ability to grow that is constrained by our ability to get qualified people and get our processes right, get our scalability right. So we're going to -- we've done a lot of work on scalability. We continue to work on scalability. We think 2021 or next fiscal year is going to be the year where we do a lot more scalability across our next-generation security services, make them more simpler, faster to onboard because we have, in the last 2 years, proven that we have industry-leading products. They can get to the far right of every Gartner Magic Quadrant categories. You know that all of them have needed customer demand because we're seeing tremendous amounts of traction for the customers. The question is can we deploy them faster, and can we get them out there to a larger number of customers. So we're going to spend a lot of time trying to make sure our next-generation security products have tremendous scalability next year. Of course, we have to continue to drive our core business where we have doubled the number of subscriptions for the first time in 7 years in the last 12 to 6 -- 12 to 18 months.

Got it. So maybe I'm going to separate that out into 2 things. So one, on the next-gen side, you put in place very clear around sales incentives and even midyear sort of talked about how you would -- or I guess, beginning the year, how you maybe move too far down that road. How do you sort of think about aligning your sales resources to those products in order to sort of keep the focus on the future where things are going but not take your eye off the ball in terms of what's been a very strong legacy core for the company?

That's a great question, Walter. This was something we did about 1 year, 1.5 years ago. Actually 2 years ago, when I came, we had to -- we had -- nobody knew how to sell our next-generation security -- or a very small set of people. Nobody [ thought to ask them ], but I'd say 2%, 3% of our sales force was focused on the next-generation security capability, and 95-plus percent of the salespeople were focused on, say, our core business. We've made a conscious decision to create a large incentive for our firewall teams to learn how to sell next-generation security while we're building off our product capability. And to be honest, they did what we asked them to do. They drove our next-generation security business to over $415 million to $430 million in bookings in the last fiscal year, the whole purpose being let's try more capability and more security services. Now when that happened, because we didn't have enough resources in next-generation security, our core team took the eye off the ball to firewalls, and they didn't do a stronger pipeline, the impact of which we saw in Q1 and Q2 of this year, and it's coming back in Q3 as you saw. So over that time frame, we've hired a lot more next-generation security dedicated salespeople. I think we found the right balance between making sure our core team sells firewalls as well as sells our next-generation security products or acts as account management capability for the large accounts where they're bringing the specialist people in the next-generation security side. And I think we're going to have to invest more on specialists for the next-generation security side going into next fiscal year because we're seeing that model work. We're seeing large 7-, 8-figure deals for next-generation security, which honestly, is impressive in a time span of 2 years to be able to build a product category where we can do 7-, 8-figure deals in new products where we did acquire and built up. So we think we've struck the balance between our sales force in terms of how we get them to focus both on the core as well as our next-generation capability and also have specialists when we run to ultracompetitive situations that our specialists are able to do hand-to-hand combat with people in the same space.

So as you look at next year, is it more about -- it sounds like this year was very much about transition. Is it next year just more capacity? Or how would you sort of characterize any transitions that still are needed to come as you look at sort of how you want to be selling into the future?

So 1 or 2 years ago, if you had gone to see some CIO, we were a respected brand. We were something that they needed but they very much saw us in a firewall network security category. What has happened in the last 2 years is now we make the top 3, top 5 cybersecurity vendor consolidation list for most of our customers because they know we have cloud security capabilities. We have XDR capabilities. We have SOC automation capabilities. We have network security capabilities. We have firewalls in the cloud. So we made the transition effectively into being a larger part of our customers' potential infrastructure for security. That's a good thing. I think our opportunity this year is to cement that role, is to make sure we have both the consulting and the advisory capabilities to be able to work with our customers in a broader cybersecurity portfolio. I think from a -- where we focus, we have to keep growing our next-generation security capabilities, and we also have to make sure that we act as overall security partners for our customers. So give them the firewalls they need. Give them the subscription of the firewalls but also focus on giving them new capability, which is where a lot of cybersecurity action [ is to go ].

Got it. And just a couple of follow-ups on the core, and then I'll spend the rest of the time talking about the next-gen side. So you have -- I think you saw some disruptive demand and the demand has come back. I think there's a pretty healthy debate on the industry around is the firewall dead, is the firewall slowing, is the firewall the same as it's been historically. What sort of finer points would you put on investors looking at the firewall market, the appliance and maybe the virtual appliance market going forward? Are there parts of that market that you see as very, very long term, sustainable and parts of that market you see as more at risk? And how are you sort of positioning? I think you have a sales leader now that's focused on that business to go there. And I know part of the answer here is going to be on the subscription side. So I first wanted to just focus on sort of the capacity and sort of box deployments. How do we think about that? And then we'll transition and talk about the subscription attach.

Yes. Walter, I'm going to give you the same answer, which I might have given in the past. But the firewall functionality is not going away. Whether you're going to have network traffic, whether you have the network traffic in your data center, you have the network traffic to the edge with your employees working remotely, you have the network traffic to your branch or your retail store, you still have network traffic. All of your network traffic going to AWS so within the AWS across their app, you still have network traffic. It doesn't matter where your data center is. Is it remote? Is it to the edge? Is it on-prem? Is it in the cloud? So you still need the capacity to inspect data, in the least -- less traffic. Now in the past, because the technology architecture is all data center-centric, you put a hardware firewall in the data center and expect the traffic. Now the moment that traffic is originating in a branch, originating in a remote user, you need to either bring that traffic back to a data center or inspect it there through the cloud and let it go off either into the cloud or to the data center. So network architectures are changing. They will continue to change in the next 5 to 10 years. We're seeing that transition. Now there aren't multiple ways to solve that technology problem. You can put a box. You can put a box in a branch. You can put a box in my house. You can put a box in the data center. You can put a virtual firewall against AWS or you can deploy cloud firewalls. So to give you a case in point, a customer last quarter wanted to deploy remote users, more branches very, very quickly. The fastest way to deploy it is to deploy cloud-based firewalls. So we deployed Prisma Access to tens of thousands of customers. Now you can do that to a software, you can't do that with a box. And the only reason you care as an analyst or as a financial analyst, as investor is the way we treat boxes is upfront revenue. The way we treat software-based firewalls is ratable. Software-based firewalls get over 3 years. So I have to sell you guys as many firewalls as I did last year or more, except the ones I sold this year are more software. You can say, wait a minute, your product revenue is going down, but your long-term ARR is going up because you sold more software firewalls. For that reason, Walter, we have been talking about a metric from last 1 year called firewall-as-a-platform, where we take the billings of all 3 of our firewall categories, cloud-based, virtual, hardware, put them in one number and say, "Here's what this number is. You guys may want to do that." That number, as long as we grow it in double digits, tells us we're taking share in the market of firewalls. I'd rather take software share because it's easy to deploy, easy to renew, easy to upgrade, and the total cost of works for the customer is lower. I know financially, you prefer that I sold boxes because that shows up an instant gratification revenue. So that's where the debate ends up. The challenge we had in Q3, our firewall-as-a-platform -- in Q2, our firewall-as-a-platform grew less than double digits. We have it back, growing that in double digits this quarter, and we hope to be able to sustain the double-digit growth for a while. I don't think firewalls are dead. I think the functionality is still going to be required. You will see a shift from boxes to software and that transition is going to continue.

Got it. Got it. I agree. I think that would be a great metric to just keep focusing on because I agree it captures everything. On the -- so the other topic on the traditional side, I think when I started covering Palo Alto, I don't know, what, 6, 7 years ago, one of the key metrics in the model was attached to these subscriptions, right? And I could look at how many -- how much product you sold. I just sort of look at the attach in it. And I think you pointed out, it's been a while since you introduced a lot of new subscriptions. How should we think about -- you have IoT. You have DNS. There's a handful of new ones. How do we think about those new subscriptions? I mean I think some of the older subscription has been around for a while. I mean penetration has gone very, very high on those. What sort of penetration can you see on these? And is that still the right way to be thinking about the growth opportunity with those?

Yes. Look, I think that is the right thing. But if you take a look at IoT, right, it's our most recent subscription. It's going to be launched in a few weeks. It's going to be priced slightly differently than our past subscriptions. And on IoT, we are developing the capability of deploying that subscription not just over our firewalls but maybe deploy with XDR, right? So we're also trying to take our security services, see can we deploy them not just in the box, can we deploy them against a software form factor, can we deploy that against an end point form factor. So we are evolving our security services to be able to deploy them not just against hardware. So we have a higher potential for attach. We're also looking at in what cases do we deploy against other people's products, not just ours. So we are trying to look at our security service subscription business as a larger security services business as opposed to just attached to the firewall. Having said that, I'm sure you've noticed that, that growth continued as well because as we deploy more and more subscriptions, there's 2 numbers. As you said, one is what's the penetration of each sub from an attach perspective. It also has -- the other one is how many subs can we attach to the firewall. So there are 2 variables. Now we've doubled the number of subscription, the number of things you can attach. That should have an impact in addition to the fact that we should be able to penetrate some of our newer subscriptions into our base and into our new customers, either across software form factors or hardware form factors.

Got it. And I want to go back maybe later in the discussion, talk a little bit about the topic, but you did get a new sales leader to focus on Strata, which is the brand that you designed to the core firewall. What is that leader charged with doing? And how do you think we'll see the impact of that leader in sort of what we look at?

Well, we hired both a product leader from [ Jim Conner, Alan Doswell ] who runs our Strata firewall product and Prisma Access, and Andy Elder from Riverbed is now partnering with them to make sure that we're selling these things collectively. I think his job is to make sure that we continue to focus on our subscriptions. We continue to make sure we're selling our hardware to the customers that need it. He's working with Kumar, the CEO of CloudGenix, who's going to drive Prisma Access to make sure that we have a plan to keep driving Prisma Access into our customer base. He's making sure we have a plan for VM, which is our virtual firewall. So he's basically making sure we don't take the eye off the ball on our core business, while a lot of us -- a lot of our newer leaders are focused on next-generation security business. So just to make sure we don't miss that balance, which we missed 2 years ago.

So really, we should watch that firewall-as-a-platform metric as sort of the indicator of success, double that with...

Look, I think, one is the firewall-as-a-platform metric and one is the subscription growth metric because those are 2 metrics. As long as my subscriptions are not slowing down because my box is maybe shifting to virtual form factors, and as long as my firewall-as-a-platform continues to grow, it's going to show up in our revenue either ratably or in the current quarter.

Got it. I want to transition, talk a little bit more about the next-gen side. So you have put a lot of sales resource on there. You have leaders focused there. I think most of the competition you face is best-of-breed players, folks that -- some of which are small in revenue but maybe specialists on serverless security or whatever it might be, like SaaS...

Some of the larger -- I thought of this as smaller revenue, larger market cap, yes?

Sure. There's that too. I was thinking private, right? But you have the smaller, larger market cap. I agree. So how do you -- I guess security has traditionally been a best-of-breed market. It's amazed me that customers will take on a vendor to do like a little niche, but they do. So how do you -- given the evolutions you've made so far, how do you further the success you're having in those markets given you're up against folks that are even more specialized than you are, even though you've made big strides yourself in specialization?

Yes. I think look, if you look at our next-generation security services, there's Cortex with XDR and XSOAR, there is Prisma Cloud and there's Prisma Access. XSOAR was a company called Demisto. We acquired it. We have since added multiple modules to it. It's kept up the pace of innovation. We still believe it is best of breed in this category as a SOAR, and at least the customer demand, our sales and our competitive wins at least proven to us that it continues to be competitive from a best-of-breed capability in the SOAR category. On XDR, 2 years ago, we were not as competitive a product as it is today. To be fair to our team, we were the first to introduce XDR, which is the next evolution of EDR. I think Carbon Black, Cylance, CrowdStrike, or EDR vendors, [ high ] EDR vendors. We've taken network data, integrated that into the end point data and deployed XDR, which is now a new burgeoning category that we're talking about. And as I said, we have had a few wins recently because we've been able to demonstrate the MITRE results that we actually have better a product than them. So we believe that product works its own magic by being best of breed in the XDR category. On the Prisma Access front, which is a cloud-delivered firewall, we think it's technically superior compared to a proxy-based security solution. And if you guys have not seen the video, I'm sure Nir is on multiple places, talking about how proxies are not as good as what he built 15 years ago. And last but not least, the Prisma Cloud category, which is where I think you're referring to the smaller private companies, which is serverless, the containers. We have started off trying to build our own platform with multiple -- in multiple categories. And as we talk to customers who discover it, to your point, that they'd rather have best of breed in those categories and wait for Palo Alto Networks to build an integrated product, which is going to get there. So we acquired the best companies in that space. But we've put a lot of attention, a lot of time, a lot of focus on integrating them while we were making sure they will not lose their best-of-breed status. So from that perspective, we acquired RedLock, which had sub-$10 million of bookings that we already declared after 2 quarters of those things. Actually 25, and we obviously progressed there. We acquired Twistlock, which is a leading container security, which is 1 of 2 companies in the market that, we think, has beaten the other one far back. We integrated that effectively. Then we've acquired PureSec, which is serverless, which is the best of breed at that point in time, which is now also integrated as a capability. We acquired Aporeto that does microsegmentation. So we acquired 4 best-of-breed companies. We have them available, integrated. The first integration, good integration we launched with RedLock and Twistlock. Saw a 20% cross-sell. Our customers using RedLock started using container security from us. 20% of them. Then our customers in container security started using workload security, trying to start that with us, not having to do anything, just making it available in an integrated fashion in one pane of glass with a common contract or a common wave consuming that product. So we are seeing the benefits of integration, and we are integrating best-of-breed capabilities into a product.

Okay. Got it. That makes sense. And then one thing that came in just as we were talking here on sort of tying together the cloud piece with the firewall piece, have you seen any examples? Or is this something you're expecting of customers who choose you for cloud that may have multiple firewall vendors and actually helps you consolidate share in the firewall market? Or do you look at these buying decisions as pretty separate?

So where that does -- that does correlate, Walter, is in the virtual firewall, virtual form factor. If you are using Prisma Cloud security [ but not ] using our virtual form factor against your cloud instance because eventually, that has to correlate to what other policies you have and to your data center. So we are able to see a sell-through of our virtual form factor with our firewall customers that actually would like to use our virtual form factor because the policy engine is the same. We see a cross-sell with Prisma Access and our firewalls because the policy engine does the same. And we also see a correlation in Prisma Cloud and our virtual firewalls where, again, it's a product from the same company and it works better together.

Got it. Okay. Makes sense. And then another topic. You had talked about at an Analyst Day, I think back in September, some longer-term targets. You took those off the table last quarter. I think we're seeing lots of companies withdraw various forms of guidance. As we think about sort of what you're shooting for, I guess, one, what is it -- what would it take on your end or on Kathy's end to put back a sort of long-term target? And then, I guess, in the absence of those targets, how should investors sort of think about just what you're trying to accomplish, not necessarily being able to put numbers on it that we can hold you to at this point?

So Walter, we as a -- we took the target off the table, like most people did, but we left our Q4 targets on the table. We just want to make sure we give our investors visibility through the end of this year. And we are in the throes of looking at how we think about next year as we're beginning to see our team's capability and execution around the COVID times, how people execute. We are looking at how customer behaviors are changing, what customers are doing. And all that stuff, I'd say, is still in flux. I think the stock market is slightly disconnected to what's happening underlying in the economy. And hopefully, those things will flush themselves out in the next 3, 6, 9 months. But I think it's fair to say that we think our longer-term prospects have improved as a consequence of what we're going through because we've seen the execution. We've seen the preference to our products. I think even medium term has improved. I think it's just that 6 to 9-month period is harder to predict as to what's going to happen given the economic uncertainty that's around all of us. But we're working hard and hopefully, as we come to the end of our fiscal year, we will consider what we want to say about FY '21. So we may not have a 3-year outlook, but we should have a sense of how we believe the next 12 months would unfold.

Got it. And as you think about on your core business, when you think about investments in that business, investments that you've made in sales around the overall business, are you -- I guess, do you feel better about that business going into next year? And are you upticking investment? Or is this more of a kind of maintain the status quo? I guess the status quo this year has been fairly uneven. But I'm wondering how you're thinking about specifically investments in that core business.

You cannot not invest in cybersecurity. It's not like a switch that worked 2 years ago and will continue to work with the functionality the same. The attacks are constantly changing. The hackers are constantly inventing new ways of coming after you. So you've got to keep making sure your products are up to speed and you are protecting your customers against all new forms of tech. You have to do that. And when you say core, I think about our core as the firewall business, and the firewall business is, for us, Prisma Access as well as our virtual firewalls that go into the cloud. So there's no reason for us not to invest in all form factors of firewalls because they're all connected, and they're all part of the larger estate of our customers. They want the same capability across multiple use cases within their infrastructure. That's the benefit of them buying from us. So we have continued to invest in our core business from a product perspective and a go-to-market perspective. You've already heard, you've already seen we've built 4 new subscriptions in our core business. We hope to be able to up-sell those and cross-sell those to our customers because they are looking to see what other capabilities can we give them within the firewalls. It's going to go from 8 to more subscription. So we are investing there. At the same time, we continue to invest in our next-generation security capability because we see the traction there. We see the customer's appetite to buy things in the XDR category or buy things in the SOC automation space or to buy things in cloud security or in more secure work.

Got it. Okay. And then just as a follow-up to the question you mentioned -- or the question I asked you earlier around the long-term guide. As you think about -- I mean you've articulated a few examples of small wins to your business around remote access and so forth. Can you articulate what you're seeing today from a headwind perspective? What is hurting the business? And then how much of that is -- are things you're seeing today that are sort of impacting the business versus just you looking ahead and saying, "Hey, this economy is not healthy"? And as you mentioned, customers look at their own P&Ls, things may deteriorate from here. Just trying to sort of isolate what is already an issue versus what is just you being cautious around what may materialize.

Yes. So let me break that down into competitive pressures that we -- that might have changed and economic or customer pressures. From a competitive pressure perspective, I think we're better now than we were 3 months ago because we feel that our products have become more robust. Our customers are more focused on a consolidated play. Customers are paying attention to all of our different categories or best-of-breed capabilities in 5 different categories. Smaller companies are less likely to go hire in terms of salespeople and go create that opportunity for themselves. So competitively, I don't see the landscape causing us more stress on the system. I see more opportunity. I think from an economic perspective, it's still unknown out there how customers are going to -- how the interplay of I want to increase my investment adoption of tech versus I want to maintain my cost structures are going to interplay. You get more of the ones who want to invest versus the ones who want to watch their cost structures. We'll be fine. You get more of the ones who want to consolidate with you as one vendor versus ones who only want to cut costs. You're going to be fine. So the juxtaposition of the mix of these 4 different effects are -- the mix effect is not clear, and that's more of, I think, an IT industry set of challenges as opposed to, call it, specifics of the challenges I'm aware of.

Okay. Got it. And then just a final point there on the competitive comment you made. So your competitive position, I'm curious, you said you feel better about your competitive position. Is that both in the core firewall-as-a-platform as well as in the next-gen cloud side? Or is there one of those people that you feel like things have improved more substantially in the last 3 to 6 months?

Look, things continue to improve every quarter for us in next-generation security because, Walter, it sounds easy, but it's really hard to go from not having competitive products in multiple categories and build a large book along the pipeline in those categories and convince customers to deploy our product and do that successfully and effectively. So we feel stronger every quarter as we deliver more and more next-generation security. Competitively on the firewall side, we feel strong as well because we're about to launch our next generation of our firewall, and I think we'll launch next last week. Our teams will talk about all that has changed in the firewall category. And that's going to be very exciting. It's another industry first that you will see from us. So yes, maintaining the focus on those and the excitement of those.

Got it. One thing that I guess we -- hasn't come up as a specific discussion, but you talked about in the past year or 1.5 years you have this sort of speedboat sales sort of supplementation strategy. Can you talk about what that is -- maybe explain it a bit, talk about what it's accomplished and how you look at the role of that sort of strategy as you go into next year and beyond? How much of it was sort of a temporary strategy to establish some product footholds? And how much of that is a sort of permanent way of selling?

Well, it's not just a selling. It's also an organizational structure construct, Walter. What happens is when large companies with a large core business start to try and focus on newer, incubated, smaller, faster businesses, the risk is that the large business will overwhelm smaller ones if we don't give them breathing room. You don't take them away from the core, so they can actually hire. They can have business plans in. The team and I -- our management team and I have spent a lot of time incubating these businesses, whether they're acquired companies or they're homegrown businesses, and give them the oxygen, give them the resources they need to go out and be successful, give them the cover and go out and pitch those products to our customers, just like as we were a start-up. And that's what has allowed us to be successful with Prisma Cloud, Prisma Access, Cortex XDR, Cortex XSOAR. All these 4 are run as speedboats in the context of the company. They get reviewed every 2 weeks by me and my management team. The leaders of them get to bring any issues up to us, and we try and resolve them in 24 to 48 hours. So trying to maintain the speed and agility on these products because we're competing with pure-play people. Like you said, these are start-ups, which are really focused on this or smaller revenue, large market cap business. You also only need to focus on this. So we're trying to match their speed and agility by making sure we don't bolt them down with the large core team of the core business, which obviously also have to take part.

Got it. Okay. And then last product area question I had was just around SD-WAN. You made a more recent acquisition there. You've evolved your strategy a bit. How do you look at that landscape? You have the Ciscos of the world with a full network portfolio. You've got some specialists that you've acquired in areas you have. It's almost like a dozen players that have some foot in that market. How do you think about your competitive advantage in that space versus some of the other approaches?

Well, I think the SD-WAN market is still early. And the reason I say that is that if you -- look, I worked at Google for 10 years, and there was a huge conversation on Google Cloud. If you look at the cloud guys, AWS, Azure, Google, they sold about $70 billion last quarter. Now we have a customer of Google Cloud or a customer of Amazon, and what you notice is when you start those deals by moving to the cloud, it takes 6, 12, 18 months to fully ramp up your capability and move your applications away from a data center to the cloud. So we're seeing all of that happen. And what happens is as you're beginning to do that, you're going to want cloud security. And once you have that cloud deployed, you will realize that half of your traffic doesn't need to come back to data center anymore. You're better off sending all that traffic directly to the cloud. That means you can go -- we get rid a whole bunch of MPLS costs and IT infrastructure, which, by the way, is the biggest costs that are out there today which CIOs can target, especially in the given -- the current time that people have to be cautious of their P&L. So that trend is going to accelerate where people are going to say, take my MPLS out, put SD-WAN in place. So the moment we put SD-WAN in place to send the traffic directly to the cloud, you need firewall and capability because that's what you've been putting in the data center to protect that traffic. So we've made the acquisition with the intent of having an integrated SD-WAN and security product, where our customers don't have to put 2 appliances, worry about integrating security and SD-WAN. We've deployed Prisma Access across all these 10 or 12 SD-WAN vendors we've talked about, whether it's Cisco or Silver Peak or Versa or CloudGenix or VeloCloud. So we know the capabilities of all of them. And we felt CloudGenix have the best cloud-based native capability of managing SD-WAN. Coupled with our cloud-based capability in Prisma Access, we thought the integration will produce the right outcome for our customers. We've done the acquisition. First integration rolls out in a few weeks or months. Next integration by the end of the year. We also will sell it independently because we still want our Prisma Access product to work with anybody else's SD-WAN.

Got it. Okay. Makes sense. Then just maybe turning to some sort of business model questions and so forth. First one around M&A. I mean it's been a pretty big time for the company in the last 2 years, around -- 18, 24 months around doing acquisitions. Where are we in terms of the vision you have around building things out and buy versus build? Is there a substantial sort of work to do there on the buy side? And then I wanted to follow up related to that.

Well, we made 8 acquisitions in the last 2 years, and most of them were -- if you look at our product portfolio and see where could we develop more capability, a lot of them have been none -- sort of overlapping any categories. We've not had a product. We acquired a product. We integrated it to an existing product or an acquired product, and that's kind of worked out for us. In the cloud security category, for example, we believe we're at a place where there's no best-of-breed player out there that provides better capability than our cloud security suite. We looked at the next 3 things we want to build in cloud security. Unlike with container security or serverless, we realize that not many people are doing it at a scale, at a pace we want to do it at. So we've decided to fund those ourselves. So in cloud security now, we're at a place where we're funding capability as opposed to going and taking or acquiring more capability because we do believe we have a majority of the use cases covered, which was the cloud and the cost of integration is higher than the cost of developing it in the cloud capability ourselves. On the firewall side, we have made acquisitions. We acquired an IoT company. It's small and less than $100 million, and we are going to deploy that in the next few weeks, as I said, which should allow us to offer over half for our customers to build and do IoT native to the firewall. So generally speaking, we've used the M&A strategy to fill product gaps, but we've also kept a discipline wherein, under Nir, we doubled the business plan of the company we acquire. And our anticipation is to take that up to multiples over the next 24 to 36 months. And we've been able to demonstrate that pretty much for every acquisition that has lapped a year or is on course to do that or more. So we feel comfortable about what we're doing from an M&A perspective is the right ROI for our investors. In terms of going forward, we'll see. We'll see as the market provides opportunity from whether we believe in our product opportunities that are compelling out there. But we're going to apply a disciplined approach. It basically says like, if you're going to acquire, can you take that, make that 1 plus 1, make it 3 or 5 because it becomes a critical part of what the customer needs, and we have go-to-market sales force, which can actually amplify the business plan of the acquired entity.

You highlighted that you have -- the next 3 things you're trying to build in cloud are organic. How do you get comfortable given all the engineering folks you've brought in from all the different organizations that these people work for startups? They want to maybe go work at the next startup. How do you ensure that you have the sort of DNA on the engineering side? I mean you've done a lot of sales hiring, that's separate. But the DNA on the engineering side to continue to build these cloud-centric products versus being reliant on M&A and with potentially some of these folks leaving the company as that cycle proceeds.

What we do is when we acquire a company, we make sure that we kept the founders and the senior leaders to commit for a period of 2 to 3 years with us. Otherwise, we don't do an acquisition. And not only that, it's not just gold in them because we also make sure that we put the best person in that role, and you'll be -- our Prisma Cloud team is run by acquired company leadership. Our CloudGenix team is now running our Prisma SaaS capability. So we make sure if these are the right people, they get more responsibility at Palo Alto Networks and they have an economic incentive to stay here and work with us for the next 2 or 3 years. So both those effects. You've got to keep people happy, both economically and from a responsibility perspective, the fact they're making a difference. We haven't lost many of the acquired company founders at all. There's maybe 1 or 2 out of 14 who've left, and they've done it because they want to go do something else, and they were willing to forgo the economics because they want -- they had a different calling.

Got it. Okay. And then on the margin side, I mean you've absorbed quite a bit of margin headwind during the fiscal year '20 time frame. A lot of that related to M&A, even some of it last year related to M&A in 2019. And you haven't given guidance for next year. You don't have the long-term guidance out there. But how are you thinking about just margin and growing revenue faster than you're growing expenses? Is that something that's a firm commitment for the company? Is it something that you've made the investments now, so we should see going forward? Or just what sort of like qualitative expectation can you set around the way we should think about the profitability of the company going forward?

So look, if you look at our company, we did have -- we didn't do a lot of acquisitions as the margin got impacted. We also invested a lot in our next-generation security sales teams as well as development teams to make sure we had the ability to go build that business up. We feel delighted by the results that we have as a consequence of that investment. We had also said in our long-term guidance, which is still out there, that we expect over a 3-year period, we should be able to go back to the 20-plus range on operating margins as a company. We still feel we can get there. We have withdrawn that as part of our long-term guidance, but we feel we can still get there because we see leverage as we grow many of our next-generation security businesses and continue to grow our core. We see leverage in our go-to-market capability.

Got it. Got it. Makes sense. One last. I had one more question come in that I thought was interesting. I just wanted to pose it to you. So one, I think earlier in the year, you actually raised your prices on appliances. You bundled in some additional support and so forth. There was a question about just getting some feedback on how that's going on. Have you had customers -- especially given COVID and maybe some budget pressures, has there been a pushback on that at all?

We increased prices because of tariff reasons, and we introduced a new support capability, which has a faster response time and high reliability support category. We have seen some uptick of that support category. We always get pushed back on prices from our customers. That's the nature of enterprise. We haven't got any disproportionate pushbacks because of tariff increases. We obviously are getting pushed back because of COVID and we said that in our earnings call that we have pushback to [ exceptional ] people. Customers want different payment terms. Customers want to pay later. They obviously want better pricing. And we have made accommodations to some of our customers. We announced that we also have established Palo Alto Networks Financial Services as we get more push from our customers wanting longer time to pay or wanting some degree of credit from us for our products, but we intend to manage that and keep that to a small part of our business. But we still have to build that capability to allow the flexibility to make sure we don't lose the business.

Got it. And then the last question is somewhat tactical as well, but this came up, I think, at the Analyst Day that you had last year. You've done -- you do a lot of the standard terms in the spaces, buy 3 -- pay 3 years upfront. You do appliance purchase. You buy 3 years of subscription support. Some of these cloud products, you can buy in the app marketplace where you pay by the drink basically. How are you -- is there any change to how you're thinking about as we get long term, how -- especially we're in a more challenging economic environment, how do we think about sort of that payment model changing? And you started out in the beginning talking about just even the firewall products, how they could go those in 2 different ways. But I'm curious how much you've sort of adjusted or are willing to accommodate a pretty different sort of economic scenario but really comes out at the same point in the end.

Yes. I think, look, so far, the hardware business has been a money upfront business, and that's why we enjoy the cash flow profile as we do. And our teams have found a way of bundling and packaging a lot of our next-generation security in a similar duration time frame. So we get the cash upfront for those 2. But I think you're right. Look, on the margin, there are more products that can get consumed in marketplaces, which have shorter durations and a different payment model. You will see pressure in the market. So we had indicated a gradual erosion of duration in our numbers when we did our Analyst Day about a year ago. And we think that still stands. We will continue to see erosion of duration over time. But it's going to be a managed gradual erosion that happens because some of the new products have shorter durations of the existing firewall business. And the mix is going to cause that erosion to happen over time.

Got it. And related to that, how do you see the cloud providers themselves, the Googles and Amazons and Microsofts, in their store and otherwise being channels for your company? Is that something that is likely to be a pretty large channel over time? Or is this something that the buyers that want to buy that way will buy, but you don't really focus on it?

Well, we see some purchases of those marketplaces, whether they're in our virtual firewalls or they're in our Prisma Cloud product. But it still requires our sales teams to go work with the end customer and convince them what's the need of cloud security and how that should be deployed. And there's a bunch of deployment, a bunch of getting it up to speed that needs to happen. So they are channels. Of course, the cloud providers are channels, and they obviously -- as their corpus of consumption continues to increase, they also -- ours also increases consequently. So we are seeing that. But for now, it's a small part compared to our total business. Also it's not -- it's also a small part compared to our next-generation security business.

Got it. Okay. I think that I've exhausted the questions that have come in as well, and we're about out of time here. Nikesh, is there anything you wanted to close out, or anything -- any message you want to make sure folks took away other than what we've talked about here?

No. I think, Walter, the only part I -- where we have constant battle, what we have and the way we think about the company is that we have a solid cash-generating firewall business, which is the industry's best firewall. And the company has managed to sustain the growth and the capability of that firewall and added more innovation, more subscriptions to it. So we feel very excited about that. At the same time, we built an $810 million bookings of next-generation security in approximately 2-plus years, which is hard to do in the industry. Now that amount and that pace of growth rivals many of these newer upstart, which are out there with slightly less revenue than us. So we feel comfortable we built a great business in Palo Alto, in our core business. And I think sometimes, it becomes hard for investors to value those 2 streams together. They're saying, well, is Palo Alto a value business or is it a growth business? And this is a transition we are going through and feel that as we transition the company, we're going to come out way stronger in the long term with this model, which is a more comprehensive security model.

Got it. Makes sense to end at that point. I can see that. All right. Well, Nikesh, again, thanks a lot for joining us this afternoon. Appreciate the discussion. And I hope to see you in person here at some point in the not-too-distant future.

As it's getting virtual, [ I suggest ], Walter, I can move into a room and do this and go back and do something else. Maybe we'll be doing like this for a while. Thanks for your time.

Appreciate it.

Thank you, everybody, for dialing in.