Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Thank you for joining the Ignite '21 Investor Event. Joining me today are Lee Klarich, Executive Vice President and Chief Product Officer; and Zeynep Ozdemir, Senior Vice President and Chief Marketing Officer. Zeynep and Lee will kick off this approximately 45-minute event with product highlights from Ignite '21 and our virtual 3-day conference where we offer an exclusive opportunity to learn more about the innovations that will shape our digital future. Following the overview by Zeynep and Lee, we will open the floor for questions from our covering analysts. We welcome the investment community to join any of the Ignite presentations either live or on demand by going to our corporate website and registering for the event. Please note that during this meeting, we may make forward-looking statements and projections that involve risk and uncertainty that could cause actual results to differ materially from the forward-looking statements made in this presentation. These forward-looking statements are based on our current beliefs and information available to management as of today. Risks, uncertainties and other factors that could cause actual results to differ are identified in the safe harbor statements provided in the slide deck that accompanies this presentation. Palo Alto Networks assumes no obligation to update the information provided during today's event. And now I would like to turn it over to Zeynep and Lee.

Thank you so much, Clay, and thank you, everyone on the call, for joining us today to hear more about our product update. As Clay noted, today is day 1 of our global Ignite event, and we're thrilled to come together with cybersecurity professional once again virtually, to talk about innovations, challenges, opportunities in our field. We just wrapped up several keynote sessions this morning. We hosted Jen Easterly in our opening keynote with Nikesh. And if you missed it, Lee had a keynote session where he communicated a number of product announcements today, and we hope to, in this session, expand upon some of those product updates. Today and tomorrow, we're going to actually hear more from our customers and partners. So I highly encourage everyone to go look at our agenda and consume that content either live or on demand after the event.

So Lee, exciting day for all of us. I know you had product announcements across all of our platforms today, but I want to start with cloud security. You did announce Prisma Cloud 3.0 today and launching code security as one of our key pillars for the platform. Can you tell us a little bit about the significance of this announcement and how it fits in into our broader cloud security approach?

Yes. Absolutely, Zeynep. Really very excited about the cloud announcements. I mean, obviously, cloud is incredibly important as just about every business around the world has accelerated their adoption from an already accelerating pace. And the -- what we've really been focused on with Prisma Cloud is how do we stay at least 1, if not 2 steps ahead of what we believe our customers are going to need to really embrace cloud adoption, secure their cloud adoption. And what we announced today with Cloud Code Security is effectively, that next evolution of how securing the cloud is -- we believe is going to take place. So -- and what I mean by this is a lot of security has been focused on how do you identify and fix an issue after it's been deployed into the cloud in run time. And what we believe is a lot of those security checks actually should be and need to be done in the development process itself. So this is what the industry sometimes refers to as shift left. And Cloud Code Security is focused on like infrastructures code, vulnerability scanning, drift detection and how we actually take Prisma Cloud and the security capabilities we have and make them part of that development process, so the checks happen real time. And the graphic that you see here shows why this is so important. In the cloud, a lot of things happen once and get replicated multiple times. So what's called infrastructure is code template like a Terraform template or something like that might be developed once and then used thousands of times. Well, one mistake, one issue can -- that actually results in thousands of alerts. And so by using Infrastructure's code on your Cloud Code Security module, customers can actually detect it as it happens the one time, fix it, so then when it gets replicated, it already has passed all the security checks necessary. So what gets deployed in production has -- is already secure as opposed to [ think of security as ] after the fact. So this is going to be the way cloud security moves, is integrating with these development processes. And this, to me, is a very exciting step for the evolution of Prisma Cloud and sort of yet again us leading the way in how cloud security gets done.

In addition to code security, though, there were a couple of other announcements within the Prisma Cloud 3.0 scope. So do you want to talk a little bit about that?

Yes. A lot in cloud security happened today. We announced a number of other really important capabilities in Prisma Cloud. The first and foremost Prisma Cloud has a lot of different capabilities. And so one of the key things is this Adoption Advisor that really helps our customers go through that adoption cycle to fully utilize the capabilities we provide to them. Second, the agentless scanning. So this is a new capability that will complement what we already do with agent-based scanning and give our customers choice and flexibility to use that combination as best suits their needs. We'll be the only offering that's able to do both of those in the same platform. Third, we announced previously, but this week had the official shipping and release of the Google Cloud IDS product. This is powered by VM-Series to be able to do cloud network security in a cloud native form factor with them. So very excited about the availability of that. And last but certainly not least, in what we do around cloud identity, entitlement management, just a critical part of how you secure the cloud. We've proven out this capability on AWS. And today, we announced the availability of C-I-M or CIM for Azure. And general availability, super excited about expanding that, again multi-cloud being so important to our customers.

Yes. Definitely looking forward to how we take them to market. It's very interesting because when we talk about the move to the cloud, the industry always thinks about deploying -- developing and deploying applications in the public cloud. There's a huge move to the cloud in the sense of SaaS application consumption, obviously. I think also partially fueled by the pandemic, the world has been adopting SaaS applications in an explosive pace, particularly collaboration applications where we basically live and exchange data every single second. It's not clear if security has -- for SaaS applications has quite kept up with this rapid transformation. Is that why you built a next-generation CASB because -- what was the current generation not living up to?

It's clear to me. Look, I think a lot of the first-gen CASB was really focused more toward almost like a compliance use case. And as we look at the level of SaaS adoption, how SaaS applications have become really fundamental to how businesses run, it's very clear that in addition to the compliance capabilities, like true security capabilities become super important. And the way I sort of define this and think about it is, number one, the ability to apply enterprise-grade data protection across all core SaaS applications. And importantly, one of the categories of SaaS applications has sort of been left behind in this regard of the collaboration SaaS apps, like Slack and Microsoft Teams and Confluence and others. And these applications have become so critical in remote work, in hybrid work, and they need enterprise-grade protection. So first and foremost, that data protection applied to core SaaS. Second is there is a very broad universe of SaaS applications that's constantly changing and growing. And so they need to be able to identify and manage the usage of all SaaS applications, which requires a new approach. It requires an approach that leverages machine learning to understand the new apps as they come out, understand what control and security measures are needed. And then third, obviously, with this broader adoption, how do we apply protections against both known as well as unknown threats, which means that we have to be able to go really deep on securing SaaS applications, again, bringing to bear the best of our security capabilities and going well beyond sort of check box or compliance kind of approaches to this.

Right. Great. Just want to touch on WildFire a little bit. I know you announced today WildFire API is going to be available for third-party applications stand-alone. Could you help us understand the rationale behind this move?

Yes. WildFire has been just an amazing security service for us in terms of cloud-delivered, creating network effect from our customers such that everyone gets better protection from that. But up until this point, it's always been delivered as an integrated capability to our next-gen followers, delivered as an integrated capability to XDR, integrated with one of our products. And today, we announced that we are opening up a WildFire API that allows us to integrate it with third-party products, applications, et cetera. And interestingly, one of the early use cases that drove this for us is we have customers that are building their own applications. These aren't security vendors. These -- they're businesses that are -- in serving their customers, they collect and analyze a lot of data, but they want to make sure that data is safe. And so connecting those applications to WildFire via API, providing that added layer of security. We're pretty excited about it. Now it's the first time we're doing this. And so I -- it'll be interesting to see how it evolves, but it's exciting to be able to take our security capabilities and integrate them with other companies' products.

Right, right. Speaking of integrations, I know there are a number of integrations that are ongoing within the Cortex portfolio of products as well. In fact, when I was listening to you, I think one of the interesting pieces of your keynote today is you shared some data points and stats from the Palo Alto Network SOC. And I think you had shared them also in our most recent Analyst Day as well. I always look at those numbers, and I'm very excited about them because it kind of helps us recognize that it is indeed possible to detect incidents and threats within seconds. And it is indeed possible to respond to them within a minute. When does this become the norm in the industry? And how do some of the integrations within this portfolio help?

Yes. This is an area that is -- it's not easy to solve, but it's really important to solve. And we've been laying the groundwork, as you see with this visual here, with Cortex XDR, how we ingest data from multiple sources, remove the silos, stitch it together, apply AI, ML against that combined integrated data set, which allows us to be much more intelligent in how we approach it, apply it, but also then allows us to actually show a complete story of how an attack happens and not be limited by the data source. The -- with Expanse being able to then not only look at internal data, but to be able to look at the attack surface from the outside and bring those data sources together to really help understand the entirety of what an enterprise data set looks like. And then, of course, with XSOAR, it's -- there's just no way around it. We have to leverage increasing levels of automation in the enterprises. There's so much work to be done that -- and a lot of it is manual repetitive work. We have to automate that so that the people in security actually can focus on the things that we need people to do. And so we've been laying the groundwork for doing this. And the stats that you showed is the result of us being able to operationalize our products to their fullest extent. Part of our road mapping strategy within Cortex, though, is how do we start to bring those integrations together in a more native fashion. And one of the things that we announced today in this regard was being able to connect XDR with Expanse in order to enable Expanse to do remote workforce visibility. To be able to understand the expanded enterprise attack surface and not -- into, I think, quite frankly, the remote workforce, which has become a big part of the enterprise network with hybrid and remote work. And so it's -- it shines a light on an area that has just long been misunderstood or not even understood at all, made possible by this native kind of integration, similar to what we did with XSOAR and Expanse, similar to what we've done with XDR and XSOAR. So you're seeing us natively bring these integrations to bear, making it a lot easier for our customers to then to consume and get the full value.

Sure. Right. I think we have some questions coming up. I'm going to hand it over to Clay for the first question. Clay, do you want to take it over?

Yes. Thank you, Zeynep and Lee. [Operator Instructions] The first question will be from Jonathan Ho of William Blair.

Really appreciate the opportunity to meet you as well, Zeynep. Just wanted to maybe start out with a question around sort of this WildFire API. Is this potentially a security control that helps address concerns over supply chain as an attack vector?

Jonathan, thank you for the question. The -- I think it will have a lot of application, and we will -- quite frankly, we'll be learning about how our customers and partners are able to use it. I think to your point, yes, it has the potential to help with that. The -- one of the use cases is -- like I said, there's a lot of these applications that pull in and consume data as part of how the application works, but these -- the companies delivering these products aren't necessarily security companies. And this allows them -- this integration allows them to scan every file, every piece of data that's coming into their application, making sure it's clean and safe before it's potentially shared with other customers that they have. And for those other customers, that becomes part of their supply chain, to your point. And I think that part of what this does is it helps open up the ability for more and more product developers to be able to use the security capabilities we have, but to integrate them natively into their workflows, which again makes it easier and more consumable for them to operationalize that within their business.

Our next question comes from Michael Turits of KeyBanc.

Lee and Zeynep. Lee, I'd like to ask you about Cloud Code Security and the shift left that you had talked about. So there are people coming at this from a lot of different angles. There are people focused on application security coming at it. There are people who are develop -- who are focused on development tools, focused on this part -- security issues around in the development stage. So where do you feel like you guys fit in? And how do you see this focus evolving across the industry?

Yes. Thank you, Michael. Good question. The -- you're absolutely right, there's certainly been a number of companies that have focused on, I don't want to say purely the developer. But in some cases, I would suggest maybe not having the breadth of security capability. There's -- and then there's other tools that have been very focused on very specific aspects of code security, things like SaaS, DaaS, et cetera, which we're happy to let them focus on and it's not going to be the area that we're going to focus on. We're -- where we're looking at this is, for example, one of the key elements of this came in through the Bridgecrew acquisition, that's infrastructure as code, an area that is, very specifically ties the development workflow with what in cloud security is typically called CSPM. So it's integrating effectively those capabilities together, drift detection, which basically then looks at how does it change over time when something is deployed. But we've also brought into this construct the -- what we do from a cloud workload protection, which is vulnerability scanning and how do we -- which already has been part of a shift left element of Prisma Cloud for giving it a sort of a home to live in within the product as a broader set of capabilities. So our approach is going to be, focus on the things that we are really good at where we can demonstrate differentiation, and then we will partner or integrate with other capabilities where we're not going to be as focused on it, but others have.

Great. And I've got an electronic question that came to me that may be for you, Zeynep. You have also launched XMDR Specialization yesterday at your partner event. Where do you see partners participating here? And how does that tie into the company's strategy?

Sure. I'll take that. So I think its -- partners play a very important role in our go-to-market strategy for next-gen security products. So we definitely want to be positioning our products in key areas where customers need a trusted partner. We launched XMDR because we truly believe that we can take managed detection and response services to the next level with cutting-edge XDR technology, coupled with rigorous enablement and certification. So we're really excited about it because this kind of builds upon our most recent product release with XDR 3.0. And I think it will be very rewarding for our partners, and we already have about 15 partners who have achieved XMDR status, and their end customers in terms of having access to the most advanced technology with the most advanced sort of capabilities on the people side.

And our next question comes from Keith Weiss of Morgan Stanley.

Super interesting firm from our side of the equation. Kind of a high-level question. The solution portfolio at Palo Alto Networks has definitely expanded out greatly over the past couple of years, but the way that you guys talk about the business, I think it's very rational in terms of, hey, listen, we're trying to provide best-of-breed functionality. We're going to work with other vendors who also provide best-of-breed functionality to get the end customer the best solution. But I think investors want to see like, who's going to take kind of the strategic high ground, who's going to be kind of the coordinator of all that functionality? The story kind of reminds me a little bit of Atlassian trying to sort of be the organizer on confederating a lot of functionality going on within the AppDev scenario. And they have Jira, their workflow management, that's kind of the organizing principle. What would be the organizing principle in security? What enables Palo Alto Networks to really be in the more strategic positioning within this of that? Yes, you're not going to have all the solution, but you're going to be the main provider for your end customers, coordinating their activities amongst a bunch of different vendors and solutions?

Yes. Keith, thank you for the question. Yes. I think what you've seen us do over the last few years, besides just broaden what we're focused on is, I think you've also seen us solidify, in effect, 3 core platforms in which we deliver our capabilities: network security platform, cloud security platform and security operations platform. And the -- that is how we are taking our best-in-class, best-of-breed capabilities, integrating them together and being able to offer that to our customers in a sort of pre-integrated fashion to solve some of these sort of big fundamental challenges that come with trying to have 50, 75, 100 different point products that just is not operable and is not going to work, right? And I think what that allows us then is to have enough of that sort of center of gravity to then be that point of integration for many of the other products out there that are not what we do. They complement what we do, and they're important to our end customer. And if you look at network security, and I realize this isn't exactly network security, but how we integrate with identity providers is super critical to actually accomplishing the network security outcomes and very important to how we accomplish and enable our customers to achieve 0 trust architectures. And so we've actually formed a number of very deep strategic partnerships -- technical level partnerships in order to make that as seamless for our customers as possible. We talked about this in cloud. And we're not going to do everything in cloud, but we're going to take on a lot of the core security functions. And then where we recognize that we're not going to be the best, it's not useful for us to be mediocre at something. It's a lot better for our customers, if we're not going to be the best at it, to actually integrate with someone who is spending the time. And I think you're seeing us sort of -- we're in the midst of doing that, quite frankly, right now with Cortex. We're not quite there yet, but that's what we're starting to pull together with Cortex. And obviously, I think both XDR from a data perspective and XSOAR from an automation perspective give us really good fundamental technology capabilities for being that connection point for enabling our customers to, first and foremost, adopt our value proposition, but then to connect it with other key products where we are an enabler for the adoption. We're not necessarily providing it directly ourselves. So I hope that makes sense, but it's the -- there's actually a lot of thought that goes into how we do this at a product and a technical level to make sure that it's not just us integrating, consolidating specific functions that we do. We are always looking at how we also integrate with other third parties out there to make sure that the complete solution to our customer achieves the outcomes they're looking for.

And our next question comes from Gray Powell of BTIG.

Yes. I think you kind of hit on that or my question with the last one. But I know that Palo Alto technically doesn't have a full-blown SIM solution. But with Cortex, XDR and SOAR gaining traction, plus you have the data lake. Do you see those products sort of tapping into SIM budget dollars? Or is that a direction that Palo Alto should be moving over time?

Interesting question. The -- there's an evolution in -- from both directions that we've seen play out over the last, I'd say, 1 year, 1.5 years, whether that's XDR taking on more and more of the analytics side of what a SIM does or XSOAR taking on more and more of the sort of response side of what a SIM traditionally has done, and that absolutely results in a, first and foremost, a shift in where the SOC analysts actually spend their time, increasingly spend their time either in XDR or in XSOAR. And not, I wouldn't say, yet have we really seen a transfer of budget, but the -- that opportunity certainly is out there as customers look to how do they really rationalize the amount of money spent on collecting data if it's not feeding into the analytics that are needed to really produce the outcomes. And so we're seeing more and more of that on the XDR side. As Zeynep mentioned, XDR 3.0. We added identity and cloud. And so obviously, we're adding more and more data sources. But as we do so, we're adding the analytics to go with it. So we actually drive the value. In the [ XSOAR ] side, we're now, we're at close to 800 partner integrations and content packs that we can automate out of -- from the platform directly in addition to enabling customers. So you're seeing us come at it from both of those directions. And the customers, like you see the stats as Zeynep showed, those are tremendous statistics on what can be accomplished when we use this AI, ML, analytics, automation approach to the SOC versus the traditional approach.

And our next question comes from Matt Hedberg of RBC.

Lee, I wanted to ask -- you mentioned cloud -- I think you just mentioned it a second [ ago ] cloud identity and entitlement. I'm just wondering, how far can you take that initiative? I mean I think I've asked you historically, how do you think about the broader identity space? And I think it's been an area historically you've shied away from. I'm wondering with a focus on cloud identity and entitlement, though, it feels like that could be a natural progression to other aspects of functionality just kind of given the importance of, obviously cloud workload, but obviously then employees or devices connecting to said applications.

Yes. And just to be clear, with cloud infrastructure entitlement management, the -- we integrate with the identity providers. We integrate with Okta, with Azure ID, with others. We -- and then we -- what we're doing is we're taking that information, coupling it with an understanding of what roles have been provisioned in the cloud and then mapping the roles to what infrastructure has actually been provisioned and what roles have been enabled. So we're -- the uniqueness of what we're doing is we are integrating those, what normally are independent data sources. We're effectively integrating them together to understand, all the way from a cloud service to identity, what is actually provisioned from an entitlement perspective. Now I assume that when I say that, it sounds relatively simplistic, you say, well, can't anything do that? For whatever reason, it just turns out to be really complicated because of -- there's just no place that a cloud security specialist can go to actually see this if they don't have a product like what we're doing with CIDM. It's really hard to connect all those dots and understand nested permissions and roles mapping to users and credentials. That's the hard problem that we've solved. And so I don't think of it as how do we integrate with the identity providers to make the, more secure and better utilized, as opposed to, we're not replacing any of them in these tools.

Next, we have Keith Bachman of BMO.

I wanted to jump back to XDR for a second, if I could. And just more broadly, where do you think you are in the competitive landscape? And in particular, what are the distinguishing attributes that you think at this juncture position you well for the market? And/or where are some other areas that you think in order to be competitive that you have some either internal, external activities that you need to pursue in order to shore up your position?

Yes. And maybe I'll start and maybe Zeynep, you could add. I think fundamentally, the shift from EDR to XDR was about going from single data source analytics to multi-data source analytics. And the first step was combining endpoint data with network data in order to have a clear picture of a -- of an enterprise environment, how to be able to detect attacks and respond to them. We added identity. We've added cloud. There are other data sources that will be meaningful in terms of stitching data sources together, driving better analytics, which means better and more accurate detection, but also simplifying the response that a SOC analyst then has to actually walk through. I don't know, Zeynep, if you want to...

Yes. And I think one of the really important things that ties into the other question is it's really important, as you said, for us to be able to essentially cut through the noise and really communicate the benefits and customer benefits of what XDR does and what's fact and what's fiction. That's why we're heavily engaged in really trying to push the industry to have the right third-party evaluations and testing for this type of technology. Because obviously, there's other types of technology where there's clear evaluations in place. And that's actually happening right now. So we're able to see where XDR makes a mark, makes a difference, and then how different vendors are able to sort of compare with each other in terms of security efficacy.

All right. Great. Well, I've got a question here electronically that looks like it might be for you, Zeynep, on customer strategy. Given the breadth of your product portfolio, how do you ensure that your new and existing customers remain knowledgeable about innovations and product offerings Palo Alto Networks can offer to them?

Sure, I'll start, and I think I'm sure Lee will have something to say here as well. I think as you note -- as the question notes, it is incredibly important for us to keep our customers up to date with our growing portfolio. So that's a fact. And I think one of the helpful trends there is that we are having more and more conversations across the portfolio as opposed to, as Lee was mentioning just a moment ago, kind of more of a point product by point product conversations. Which helps in terms of bringing up the capabilities in an integrated fashion and bringing up the ability to address security -- multiple security needs at once. So that's a helpful trend. But that means we actually have to do a lot to make sure and enable our sellers as well as our partners to have those conversations. So that's a big priority for us in terms of how we communicate to our customers. And then part of it is also what I just mentioned in the previous question, which is how do we provide clarity in a very complex landscape by first-party information as well as third-party information to make -- to help our customers and everybody in the industry to make the right decisions with their portfolio. Anything you want to add there?

Since you took my answer, I'll take your answer and say they can show up to Ignite and [ we provide ] 3 days' worth of amazing content to learn what we're doing and...

Thank you. Maybe we should switch roles.

All right. Very good. So back to the live questions, we've got Gregg Moskowitz of Mizuho Securities.

So within Prisma Cloud, you mentioned, Lee, that you're adding agentless scanning to complement your agent-based approach and that you're the only company to offer both. So agentless scanning is -- it's faster, right? But can you walk through which type [ of channels ], images, et cetera, are ideally suited for agentless versus agent-based? And then also, how much do you think this flexibility can help the typical enterprise customer?

Yes. Thank you for the question. The reality is when we look at agent-based and agentless scanning, there are pros and cons to both. And agentless scanning, the obvious advantage to it is simplicity. The downside is, and I won't go through all of the technical details as to why this is, but you can't do it on a continuous basis. It's much too heavyweight of a process to do it this way. And so typical scans are every 12 hours, every 24 hours. And so this is most applicable to sort of dev and QA environments and sort of basically nonproduct kind of environments, is what we would generally recommend. The agent-based scanning, and we've put tremendous amounts of work into this already in terms of how do we make it super lightweight, super easy, can be completely automated and all of that, but it does still require this very lightweight agent to be deployed with the workload, which provides multiple levels of protection, including run time protection, which we think is very important, particularly in production environments. And it also then provides near-continuous scanning capability. So those are sort of the -- how we think of it, which is why you can see, I think, pretty clearly how a customer might combine those together, depending on the type of environment they're protecting in order to leverage the best of both worlds for the outcomes they need.

And our last question today will come from Adam Borg of Stifel.

Just on Prisma Cloud, it was really nice to see all the new announcements today. And as we kind of take a step back with the 3.0 release, how complete of a solution is it? And maybe said differently and even building off some of the prior questions, where are the boundaries of cloud security that you may not look to enter, versus where are the areas that it can further be built out?

Yes. Good question. Look, I think everything that we do in Prisma Cloud and, quite frankly, everything we do across the product set, like our goal is we either feel like we have to be the best-in-class today or we're on a very clear path to getting there soon. Like if we're not in one of those 2 categories of capability, it just doesn't really make sense to me to invest in it. So everything we talk about in Prisma Cloud that's on this list is in one of those 2 categories. And obviously, a lot more is actually in the already -- in best-of-class state from my perspective. The -- as we've often said with Prisma Cloud, we -- our goal is to stay a step ahead of what our customers need because we understand how quickly this space is evolving. And that's what we are doing with the introduction of Cloud Code Security as the fifth pillar. That's what we're doing with a number of the capabilities we talked about today. And we're constantly looking and evaluating what the next evolution of cloud security will be. And we've even said before, we think there are certain things that probably haven't even been invented yet that we'll be working on. So it's just an incredible space to be in, quite frankly, just by nature of how fast it is moving. It feels almost like 10 years of digital transformation has been squished into the last 2 years, and I think that's kind of the pace that it's going to continue at for the next few years as well.

Great. Well, thank you all for joining us today. Please note that our Q1 '22 earnings call is scheduled for this Thursday, November 18, at 1:30 p.m. Pacific Time. With that, we will conclude the meeting.