Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Thanks, everyone, for joining us for our next session here at the 48th Annual Technology Media and Communications Conference here virtually and hopefully, next year, back in Boston. Fortunate to have with us Nikesh Arora, who's CEO of Palo Alto Networks joining us for the next session. Nikesh, thanks for joining me. I appreciate it.

Thank you for having me, Sterling.

All right. Let's just get kicked off at a high level. Can you give us a sense, how did the pandemic actually impact your business, both positively and negatively?

Well, Sterling, as you are aware, we had this conversation about a year ago where we talked about how every company had to figure out how to get this remote work thing going. And many of us, not just us, others in the industry, offered a series of free trials, expansion of capacity, more capability for our customers. And now we saw the early adoption in the first 3 to 6 months, we saw a lot of customers expand capacity, try and sort of Band-Aid a bunch of existing remote security solutions for their employees. And as you know, depending on how you've architected it, some things are available at home, some things are not available at home depending on whether you're using a proxy-based architecture, you're aligning access to all of your proprietary apps or not. What's happened is post those first 6 months, what you're seeing is you're beginning to see a ramp and adoption of people actually taking this remote work hybrid scenario as sort of here to stay. So you have to make sure that everything is accessible from everywhere, and I think we're about to get into a more interesting challenge where, in the past, it's either everybody's at work or everybody's at home. Now you've got to make sure how do you create that first-class citizen behavior for everyone wherever they work from, and that really requires one to dig deep and rearchitect our network stack to make sure that, that already is achieved. And it's a long way of saying, it's impacting our remote secure home business sort of very positively, obviously. What we've also seen as a consequence of the pandemic is the technology adoption curve has sort of accelerated because a lot of our colleagues, a lot of our companies out there relied on technology to make it work. Your physical revenues vanished in the first 3, 4 months, and the only way you supplemented anything was through the technology, sort of the online mechanism. And that's required people to increase capacity there, too. So I think all of those things have been net positive for the security industry, not to mention the recent cyberattacks that we've been witnessing. On the flip, I'd say that because people are not physically in the office, anything that requires a complicated deployment and complicated testing associated with large-scale sort of rip-and-replace is impacted because people don't want to go take that risk. On the other side, there are some companies who are saying, let's use this as an opportunity. So there's ins and outs across the board, but I'd say net positive for the industry.

Do you think that it created any tough compares on that kind of initial capacity spend that you worry about in the coming quarters?

Well, there's only one way to find out. But I think -- look, I think there's puts and takes. There's this secular trend and there's a cyclical trend. The cyclical trend, obviously, will create, on the margin a bump, but I think the secular trend will overweigh the cyclical trend.

Makes sense. All right. I want to dive both into the cloud business and the traditional on-premise business. Let's start with the cloud business. And I think investors sometimes get a little bit confused. You have next-generation security and you have ClaiSec, can you describe the difference between the 2? And is this something that you'll normalize the description maybe as you get into the next fiscal year?

You've put a lot of -- you've put a bunch of stuff in there, so let me go back to first principles. As companies move to the cloud, you're moving your applications to the cloud either on your own stack or you're moving some of them to SaaS applications, right? So what used to be in the data center as a proprietary app or on-prem is now either in the public cloud or in the SaaS applications. How you get there, how you get to your applications, is network security. And that to me is next-generation securities. How do I make sure that I can get to my cloud through a firewall stack with the Prisma Access in our case, or I can put a VM against that public cloud to make sure my traffic is protected. That to me is next-generation -- including our hardware business, that to me is next-generation security. And when you look at the cloud business, there is -- once I'm on the public cloud, how do I protect all the applications that are on the public cloud? So that to us is Prisma Cloud. And AI application is, to me, is a transformational SOCs. So in our business world, there's -- the network security stack is getting replaced, the clouds needs to be secured, and you need to make sure that you may -- that as the -- as security evolves, you get more and more immediate in the ability to remediate and detect what's going on in your infrastructure. So those are the 3 parts. We take the second 2 parts, the cloud and AI business, and collectively call it ClaiSec because that's kind of following a net new pattern, a net new rhythm is something new for us. The existing business of network security is going through its own transformation. As we highlighted, we have managed, during the last 3 years, convert 40% of our network security business software, which continues to grow over 20%.

That's great. And then maybe before we go deeper into ClaiSec, you have the target of the $1.15 billion in ARR from next-generation security for the fiscal year, what are the things that give you the confidence? And I know you're smiling because I think there was that concern coming into this quarter, right? Back-end loaded, the whole 9 yards.

Yes. Yes, yes, yes.

You reiterated the targets. You've got confidence that you're going to hit it. What are the elements that are driving that confidence?

Well, Sterling, we did $977 million plus -- $973 million plus $7 million , which we announced we did in the first day of this quarter, so we're at $980 million. We're $170 million away. Collectively, last quarter, we did about $140 million. So if you look, that we expect our Q4 billings to grow up by 28%, 30% from Q3, that $170 million, $140 million doesn't seem infeasible in the context of that compare. Having said that, more importantly, what's driving that ARR business, obviously, is our Prisma Access business, which is doing gangbusters from our perspective, the business we were not in 2 years ago. And partly luck, partly preparation has allowed our teams to be able to really build that business relative to all that's going on in the market, our virtual firewalls are the best in the industry that continue to drive growth, both on the cloud side and the data center use case side. We continue to see traction in the XDR space with -- we made it to the Forrester Wave faster than any products ever gone from a standing start and making this top right on the Forrester Wave report. We see -- continue see traction with all the cyber activity going on, our Expanse business we acquired. We're seeing a lot of interest in our Crypsis business and -- although not all that falls into ARR. So they've been cloud. If you add it all up, that is the next generation of cybersecurity. And so far, so good. And again, there's only one way to find out, but our teams are confident. They see the pipeline. They see the business upcoming, and we think we should be able to get us the target.

All right. Great. [Operator Instructions] So diving into ClaiSec, can you give us a sense what are the biggest contributors to that ClaiSec revenue?

Well, it's pretty simple. ClaiSec is driven by Prisma Cloud and Cortex, so it's Prisma Cloud, cloud security. It's kind of fascinating. 2.5 years ago when we acquired RedLock, the industry is like what is Palo Alto Networks doing in cloud security? What are we doing in RedLock, we already own Evident? And I can tell you, every day I wake up, there's another company that's getting funded at an absurd valuation. We crossed $250 million in ARR this past quarter in our cloud security business. I think that's about, on a conservative basis, 15 to 20x anybody -- our nearest competitor, who's a pure play cloud security player, not counting, obviously, whatever AWS, Azure or GCP selling the security business. But people have funded phenomenal -- at phenomenal valuations, so we feel we indicated in our strategy have Prisma Cloud. We are in our second and third version of the entire platform. We have an integrated strategy to container security, workload security. The fragmentation that existed in enterprise security is what we're trying to stop from happening in the cloud. If you see most of the attacks, I think the attacks will get faster. They'll get harder to remediate if you're not on top of it, and you've got to make sure this stuff works together. Now in a way, the cloud is a lot easier to secure than the enterprise. The enterprise has 60 or 70 vendors that you had to deploy. The largest customer I met had 110 vendors deployed, the smallest at 25. Now they're sort of downsizing, consolidating it down to 10 or 15 vendors, which is still a lot. So how do you make sure you don't make that same mistake in the public cloud because you're relying on one, AWS; or maybe two, AWS and Azure, AWS and GCP, you're relying on 1 or 2 public cloud providers. Can you put a security construct that sits on top, that doesn't require you to have 40 different security vendors trying to secure the cloud, because that's the kiss of death. It doesn't work together. So what we've tried to do for the last 2.5 years is build a platform that actually allows you to see what's happening in our workload, what's happening to containers. Are you doing micro-segmentation across the entire public cloud? Do you have a WAF RASP against it? Are you managing identity access across that stuff? So some of the public cloud mistakes today are still rudimentary. People are still making fundamental mistakes as they deploy to the cloud, and they don't realize they're leaving their crown jewels exposed on the Internet.

I was going to say, you touched upon -- because I fundamentally feel that investors are still lacking a good understanding of the key components that really make up a cloud security platform. And you touched upon a couple of them there in terms of identity, WAF, et cetera; how would you kind of complete that stack? And within that stack, what do you want to own?

Well, I think the way it works is the best way to think about it is when you go from your on-premise where you're using your own training application, you're using your own HR application, you're using any proprietary application, you want to lift and shift to the cloud. You don't lift to shift and re-architecture, obviously. Now when you design that new application, you have to make sure any call you made to Internet is restricted, it's protected. So it's not -- it's only available to sanctioned applications or sanctioned functions. So when you do that lift-and-shift process, you have hundreds of developers working in your company who are trying to build this application. First and foremost, you've got to make sure that as the developers are developing, they are constantly doing security checks. This is the acquisition we made recently called Bridgecrew. As you move that stuff into production, as you move that stuff into AWS or into GCP or into Azure, you want to make sure that, that transition allows you to scan everything you're doing, make sure there are no security vulnerabilities as you put that in production. Once in production, you want to make sure that nobody's left the door open to SD buckets. Nobody's not used encryption. People are making sure that there's not overprovisioning of IDs. So you literally have to look at the entire workflow from the left to the right, all the way from development to production, and make sure you're consistently securing all aspects of it. If you don't, then you're in trouble. And once you're there, you got to make sure that whatever is out there, databases, applications, they're all sort of secured in a way that you don't leave any vulnerabilities. Because today, I can easily rent public cloud and come looking for your vulnerabilities, that's how easy we made it. So you're going to wait in a SOC and try and take all that data and adjust it, figure out what the mistakes are, it's too late. So all those aspects go into going to making sure that you're secure going to the public cloud. So that's got nothing to do with how you get there. That's kind of 0 trust access or Prisma Access. All that stuff is just getting there. The question is once you're there, how are you being protected?

So again, within that, could you see Palo Alto playing in the identity portion, the web application firewall portion for...

We do. We already do, Sterling. There is a module we've launched last quarter called WAF RASP on Prisma Cloud. We have IAM with AWS and Azure going to GCP soon. So we already have those capabilities. We have 7 modules in cloud: portal protection, container security, IAM, WAF RASP, DLP, ship left, we have all of that already. That's why we get to turn $50 million in ARR.

But in terms -- I want to make sure because that may cause some confusion that -- wait a minute, IAM, am, are you going to go compete with Okta? So maybe draw that line.

Yes, yes, yes. So what happens is IAM in the organization is how you and I access 100 applications. IAM the context of cloud is what access, what control rights do I have with my AWS ID? Is it old provision? Does it have access to too many things? That's a security risk. So it's actually post entering into the cloud. Okta is kind of getting you to the cloud. We're taking it from there and saying, what rights do you have inside? And we're only doing that for the public cloud because that's where it makes sense for us from a cloud security perspective.

So if I put it simplistic, Okta proves that you're in a cache, Palo Alto controls, once you know it's the cache, what you can do?

That's right.

Okay. But which one...

That's right. There are APIs available, AWS, GCP, Azure. I just want to make sure that the developer has similar rights across the board, and he or she doesn't have excess rights compared to others in their same role.

Who do you see as your primary competition in the cloud space as you move forward?

Honestly, I think approximately 1/3 or so or maybe even 1/2 that market over the long term is going to be occupied for the cloud service provider, i.e., Amazon, Google, GCP, et cetera, because if you're going to be a single-cloud company, which I think is going to be hard anyway because people eventually end up in multiple clouds. But if you start with a single cloud, you don't need the tools of anybody else. You can just make it work with your own toolkit. And that -- I think that applies to the mid-market and the lower end of the market. As you get up to the stack towards the Global 2000. I don't think you can avoid an on-prem plus public cloud scenario. And the moment we get there, you need something that spans across both. I think, Sterling, one of the things that gets underappreciated, and I'm likely to say that because I run the company, but the only thing that does get underappreciated is every 1 of those 250 Prisma Cloud customers we sold to, we had an natural competitor in the CSP in their infrastructure, right? They bought AWS, GCP, Azure. We've got to go prove our capabilities to sit on top of that security stack. So something must be working.

Well, listen, I really appreciate -- all the companies that compete in some form or fashion in the cloud, we always ask them about competition with the underlying service providers. And usually, they're all saying why they're not. I really appreciate that you kind of quantify where you think they fit. So I think that's...

Sterling, it's a highly fragmented industry. If I can get close to 40%, 50% of any factor, I'm very happy.

Yes. How does the pricing work in this versus kind of the legacy parts of the business? I'm sorry, like the net...

You mean the enterprise security business. Soon, they'll be calling you and me legacy, Sterling, watch out.

That's a whole different discussion.

That's right. That's right. So in terms of how the pricing works, obviously, you buy hardware like you always have and you add subscriptions to it, which is how the traditional enterprise security business works. In our Prisma Access business, it's partially consumption-based and partially based the number of seats and number of branches. In the cloud business, we have tokenized the business, i.e. you buy tokens. It's not a Bitcoin, it's just tokens. It's Prisma Cloud tokens, and it's not going public. So you tokenize our cloud security consumption. And once you bought the tokens, then you can keep using as many modules from Palo Alto Networks as innate. Our intent is to create more consumption because once customers are consuming, we know that they're seeing value from our product. And as consumption rises, which I think it will, and think about it, there's $200-plus billion of public cloud being sold almost every quarter. All that needs to get deployed. I think we're 18 to 24 months on a lag cycle of sale to deployment in the public cloud. That lag cycle, as it covers the gap, it is going to start recording 2% to 5% net spend public cloud security. So we see, as we build a consumption model, our job is to get into as many customers out there to make sure they understand the value of our products. Once they do, as their public cloud deployment increases, our consumption should go up. That's how we've tokenized it. As we create more modules, consumption should go up. So we've got 2 vectors in consumption: one is more and more workloads deployed to the cloud; second, more and more modules consumed.

Got it. Got it. You touched upon this really quickly in your comment there. You mentioned in the quarter that you've decided not to create in equity around the ClaiSec part of the business. What kind of drove that decision?

When we started the conversation, we had a bit of, I suspect, cloud stock envy when we did that because we figured we would be locked out of the market. It is still true because lots of lots of companies are getting funding -- getting funded at absurd valuations. We don't want to take shareholder money at Palo Alto Network stock prices and go and trade that into very high valuation companies we need to acquire. So we said, maybe that's the reason to go think about it, which we did. And as we went through the preparatory work in the last 3 months, and as we showed a slide, which I think is very telling, 70% of our customers have bought 2 platforms from us between Prisma Cortex and Strata. 40% bought all 3. And eventually, in a deal-by-deal basis, Sterling, our accountants and legal teams start to say, okay, on every deal because you're going to be parking it at 2 different public entities, you're going to have a contractual discussion across every deal, 2 pieces of paper execution at the sales point, double your system. We went through that logistical complexity of executing that. We figured that it would create more friction and take it with the agility we have associated with being able to sell all of our platforms. And that's why we decided to put that on the shelf until we believe ClaiSec is truly a scale business, which starts to deserve its own sort of stack. It will be premature to go down that path.

Listen, I think the idea of power of one goes right to that. The efficiency that you keep by this format, I think, makes a ton of sense. A question from an investor, and it's a good segue into talking about NetSec, which is how would you say that your competitive position's changed over the last year versus Zscaler and the other kind of similar cloud vendors?

Well, 3 years ago, we were not in the Prisma Access business. We had a VPN product, which worked for a firewall stack. We have over 15,000 customers using our VPN. The last 3 years, we have become a contender in SASE, Secure Access Secure Edge, where we have -- we think we have the best SASE stack in the industry, and that's borne out by the fact that our largest deal last quarter was north of $20 million on SASE. We haven't done a $20 million firewall deal in a while. So you can see that's where the trend is remote security, and that's only half to deal. That's only for half the employees in the company. Once we deploy that, there's possibility of the second half showing up 6 to 9 months later. So I think from our perspective, we have become a player in SASE. We think it's relevant. We've deployed as large as 650,000 employees in a customer, 300,000 employees in a customer. We have a contract for 1 million employees in a customer. So That sort of validates and vindicates us that we are a big player in the SASE space, and we think that continues to grow. So we are competitive now to people who were claiming to be SASE players to the market, and we believe we have a better stack. On the XDR front, again, we were nonexistent 2.5 years ago. We launched a product, in fact, we the first company launched XDR. Prior to that, the industry was called EDR. Cortex XDR was the first XDR product to be launched. Now we have the privileged, thanks to our product team, to be in the top right corner in XDR. So we know there are players out there who are in the XDR space, but if you look at the latest MITRE results, we beat most of them hands down on the technical capabilities. You just have to go execute on the go-to-market capabilities to scale that out. XSOAR, we were irrelevant. Two years ago, we acquired Demisto. Today, Demisto is the choice. If you're not a Splunk customer, you end up in Demisto and something else. So across the board -- and Prisma Cloud. We were not existent in Prisma Cloud. There was no industry called cloud security. People confuse the cloud security industry with the secure access industry. Today, there is soon to be a fully developed cloud security capability industry, and we're -- we think there's nobody else in the market with the 7 modules we have. So from nowhere to relevance in Prisma Cloud; from nowhere to relevance in SASE with the acquisition of CloudGenix, that also puts us squarely with SD-WAN. They were already a leader there. From nowhere to relevance in XDR, nowhere to relevance in XSOAR and, to top it all of last week, we launched our next-generation refresh of our hardware and our software, we make that end-to-end 0 trust on our network stack. And we put out hardware that is internally called Palo Alto Security and Fortinet Enterprises.

That's great. That's great. So not to kick the hornets' nest and take us too far down the tech discussion, but proxy versus firewall, when we talk about Zscaler, do you think that this becomes irrelevant in terms of the discussion? What -- because I think your product has really evolved over the last 12 months in particular. But no, how do you see the market evolving along those lines?

Well, good news, Sterling, you haven't paid attention. We deployed onboarding proxies in Prisma Access, so that debate is over. So proxies can be used for 2 parts. One is for onboarding, which we already deployed as part of Prisma Access. The Prisma Access 2.0, which has touched all of our customers by this weekend. Has onboarding proxy capabilities, you don't have to worry about it. Proxy is not -- you should go talk to the IT team. They will not apply a proxy-based architecture to your proprietary trading app, so -- which means you can't use them on your home because nobody wants to send the proprietary app that can't go through a third-party IP server. So for that, you will have to drive it through a tunnel, into a firewall stack on the cloud. That's why we do well in the upper end of the enterprise stack. On the lower end of the stack, it doesn't matter because you're not using a lot of proprietary applications. You're using mostly SaaS applications, using cloud applications. So there, it's easier. But as you go up the complex stack, you need your own SD-WAN capability. You need your own firewall stack. So that debate is moot even though I'm sure you're getting ears of really excited about talking about proxies, but not me.

How has your partnerships in the service providers helped in that kind of go-to-market?

We -- Palo Alto Networks hasn't been strong in the service provider segment for a while, so it takes a while to go. I spent 13 years of my life on that side of the world, working for service providers or being on boards and they're amazing. But the onboarding ramp to become a service provider partner is long and fraught with lots of diligence and perspiration. So we are going through the diligence and perspiration phase, but there's no panacea. It's going to take us a while. We have had some success in partnership with AT&T, Verizon, Comcast and DISH, as you saw recently. So we are working at it, but it's a long game.

You talked about -- you alluded to, in one of your earlier questions, Firewall as a Platform. So basically, cloud-delivered or subscription-delivered firewall, where are we in that transition? How much of your installed base, do you think, ends up on that type of opportunity?

Look, I think if you play the 5- to 10-year view, I think most large companies barring, what I would say, high throughput applications. So if you're running transactions for a financial services company, yes, you'll have your data center. You're running tons of transactions, if you're an e-commerce company. You may have your data center, you may not. You may stay in the public cloud. Those applications lend themselves to having data centers and require you have your own hardware stack. A lot of the born-in-the-cloud companies are being born in the cloud. They're born in the public cloud. They don't put data centers together. All these tens of billions of dollars of spend you see in the public cloud must come from somewhere in the long term, right? So my personal view is you end up in a 50-50, 60-40 scenario, where 60-40 is 60% software, 40% is hardware or 70-30 as time evolves because I think once you're in the public cloud, you're going to need software-based stacks to protect you. Once you move your compute to the public cloud, you're going to start to rearchitect your network architecture. So if you do that, you're going to end up with a 60%, 70% form factor, which is cloud-based over time. You'll still have a reasonable number of companies with data centers, either for, excuse the word, legacy reasons because they were there and that's where they're going to stay, or for the fact that they have better throughput and better price performance in high throughput applications, which require hardware because hardware is cheaper on a throughput basis versus software. Software has its own benefits from a TCO perspective and in a security perspective, but hardware, from a throughput perspective, is cheaper. So I think to end up in that scenario, I think 40% in 3 years is a gigantic move for any company to be able to execute, and hopefully, we can keep going down that path over the next few years and get to that 60%, 70% number, which to be honest, is phenomenal from a resilience of our business perspective because software is more predictable, it's more ratable, obviously. And it's actually a lower TCO and leaves the customer more secure.

So when you look at the combination of the rapid growth of the software and the subscription component and then the impact that you have from the appliance side, when you roll it all together, what does that mean for that kind of net tech business as growth profile as you move into the future?

Well, I think if you look at the disclosure we did this quarter was we showed you that over the last 3 years, we have been able to transform from 0 to 40% pretty much or end 40%. And we've done that by sustaining operating margins over 25%, 28%. Our free cash flow margin of 42% of that business, were growing at 20-plus percent. I mean that's -- in my mind, it's a dream financial profile. If you can conduct an industry transition without burning that profitability, you are at scale.

So you -- but I think the component that myself and investors have focused on is that growth, that 20% growth, you think that 20% growth in that segment is sustainable?

Well, we've shown you that we have been able to generate between 13% to 20% growth in that space. We've always guided to 16% to 19% in [ FF ] in the past. And as you asked me, we're seeing positive sort of healthy growth vis-a-vis the 19% as well because of what's going on around us. But between double-digit, high double-digit growth in the teens over the long term, at least for the next few years is very rich in this part, in that segment.

Let's talk a little bit about the executive order that Biden's signed and some of the government spending. There are some particular areas that are called out. How do you think this benefits Palo Alto Networks? And when do you think it shows up in the results?

Well, I think the vetting and the lead times for the U.S. government are not inconsistent with the SP space, so it's going to take some time for this to show up in the numbers for everyone, not just for us. Like the recent attacks have shown us how woefully unprepared every company is and even various parts of our national critical infrastructure are from a cybersecurity perspective. What has happened is most technical infrastructure out there was never designed to be accessible with Internet. And over time, what we've done is patched on accessibility from the outside in from the Internet, and we have to be right 100% of the time of. The bad actors, they only need to be right once in a while. So all they got to do is go scan your business and recent attacks, which -- or a hacker's dream where you went after core critical supply chain elements. Like you took a piece of software that was used to manage my entire IT infrastructure and you hack that. When you hacked that, we had a SolarWinds server. We detected a zero-in attack, we blocked it. Had we not, we'd be running around trying to figure out how to go patch that and how to go make our customers happy. It's all in that process. So that's kind, like, been a wake-up call for a lot of companies and a lot of parts of the U.S. government and governments around the world to be fair. I think that transformation is going to take some time. But as I said, that secular trend is going to overwhelm any cyclical trend because now the conversation of security is happening in the boardrooms and in the White House, it's not just restricted to the IT department saying, hey, just make sure you get us secure because people are beginning to understand the costs of not having a secure infrastructure. We're handling 300 to 500 ransomware events a year now. That's 300 to 500 incidents.

It's a lot. It's a lot. A couple of questions here from investors. One, do you have to build out and own your own PoPs for Prisma Access? Or can it all be delivered in GCP and still scale margins?

The good news is we have -- honestly, I think it is one of our better moments to have decided to go down the using Google's premium network. It's not just GCP. They have an underlying premium network that allows you to move traffic at low latency. So -- and imagine if you go to a customer who wants to be deployed in 100 countries right off the bat, we don't have -- it's impossible for any company to go build 100 PoPs and have them ready and scale them appropriately. Or if you -- when you went from work from the office to work from home, the traffic increase was 150% or, like, literally, overnight, right, because everybody is certainly accessing from home. So all those capacity constraints get managed much better by somebody who's putting $30 million, $50 million to work in infrastructure ever year compared to us. We can't do, we cannot scale. I think that's what one has to fundamentally get right. The notion that a $1 billion company or $2 billion company is going to run its own data centers as efficiently as possible and have a cost advantage versus public cloud, I think, is insane in the long term because all you do is you'll feature -- you'll be feature constrained. And at some point in time, you'll have to pay that technical debt. I think companies that believe they're going to build their business on their own data center because they can run it, they know something everybody else doesn't, I think, is insane in the next 10 years.

That's fair. ClaiSec, nobody questions the impressive margins in NetSec and the traditional part of the enterprise security business. ClaiSec, I think there's some questions around how do you generate operating margin and scale there?

Yes. Look, I think the right way to think about our Cloud AI business is we're targeting $735 million ARR this year, and the margins are kind of consistent to where companies are 2, 3 years into their life cycle of trying to scale. And $735 million is, from a standing start 2 years ago, is not a bad outcome. It comes at a cost. Where we focus internally is, first, let's make sure the gross margins are trending in the right direction because we need to make sure that "The cost to produce the product are not out of whack with where you want them to be." And a significant part of that is our cloud hosting costs, to your point earlier, a significant part of that is customer success because you're supposed to onboard the customer when you acquire them, and that gets amortized or washed out over time because the customer is now ratably paying you over a span of the duration of the deal. So we feel very comfortable that where we are, from a gross market in progression perspective, we should end up at industry's standard gross margins at ClaiSec in the next 2, 3 years' time frame. And I think the operating margin purely is a consequence of how much you want to just invest and land versus expand. And I think 2,250 customers in Prisma Cloud is not enough, we need to get a lot more. I think as we said in XDR, we've got to go compete with people out there who've got way more coverage on the customer end. But honestly, that's a margin we manage, and it's managed against the opportunity that's out there. From a shareholder perspective, they should look at how much value we're creating' from an ARR perspective, a landing perspective and eventually, net retention rate perspective. And that in itself should give you a sense of how that business is progressing. I think measuring ClaiSec on margins traditionally would be a mistake.

With our last quick minute, now that's not going to have the tracking stock or spinning out ClaiSec, how do you think about capital structure moving forward?

Sterling, we -- hopefully, we've been good stewards of capital. We've gone on ahead and raised money when money was cheap. We've gone ahead and bought back stock in the last 3 years. We've bought back approximately 10 million shares, and we've diluted about 10 million shares. Net-net, our average entry price is the $200s, and our stock's at $360. So I think we've been watching our capital allocation very, very effectively and carefully. Going forward, we don't -- we haven't made any major moves in the market. So I'll leave it there.

Excellent. Nikesh, thank you. I really enjoyed this. I appreciate you being here. Thanks for joining us, and I look forward to talking to you soon.

Thanks for having me, Sterling.