Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

All right. Well, good morning, everybody. Thank you for coming. It's great to be back in person. For those of you who may not know me, my name is Hamza Fodderwala, I'm the cybersecurity analyst here at Morgan Stanley. And this morning, I have the pleasure of speaking with Nikesh Arora, CEO of Palo Alto Networks. Before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley disclosure website, www.morganstanley/researchdisclosures. And with that, Nikesh, thank you so much for joining us this morning.

Thank you for having me.

All right. I wanted to start the conversation around company evolution. So you joined about 4 years ago as CEO, you've driven some pretty significant change. Can you walk us through where you are in that process, that evolution? And how would you describe the evolution over the next several years for Palo Alto Networks?

Yes. So I guess, it must have been 3.5 years ago, I was sitting up here with Keith Weiss, and we're talking about what cybersecurity needs to do. And many investors had a question, no cybersecurity company has actually run the full course. You see companies come. They run the playbook. They have their swim lane. They get to a certain market cap. And then there's the next -- sort of flavor of the next generation shows up. So we sat down and try to figure out, where is the puck going? And in terms of that, cybersecurity is driven by the evolution of technology. So you have to see where is technology going accordingly, you've got to make sure it's secure. And we made a big bet that the cloud is going to be big. It wasn't kind of hard. It was kind of like the plastic moment. We said we're going to reorient the company towards building cloud security. We also said as a consequence of the cloud being big, you would have to fundamentally redo your network architecture. All network architectures are back to the company data center and back to the user. We said you're going to get a more distributed network architecture. And last but not the least, that doesn't seem a pretty sign, like AI and machine learning are going to have a big impact on how security needs to happen. So with that in mind, we set about 3 years ago. And we reoriented our portfolio in the process, we had a lot of technical debt to pay. We bought about 17 companies in 3.5 years. We paid $3.5 billion to do that. But we got to a point where we felt now we're technologically at the leading edge and in some cases, perhaps the bleeding edge as far as cybersecurity is concerned. And in that context, there's this wonderful thing I've learned in enterprise called Magic Quadrants and these beautiful 2x2 graphs. You've got to be in the far right corner. When I came, we were in 1. Today, we crossed 10 in the top right corner in being the leader in 10 different categories in security. So that tells us that we did manage to get through the technological transformation. So that's where we are. Should I keep going?

No, no, that's perfect. Can you talk about how buyer behavior has changed since you joined? So obviously, cybersecurity is the forefront of mind for many companies. And how do you think buyer behavior going to change going forward that?

There's no secret that the awareness of cybersecurity is high. This morning, I was watching CNBC, and they asked the President of the New York Stock Exchange, how are they thinking about cybersecurity, they asked the CEO of PG&E or PSG, something like that. And everybody now suddenly has to answer a question on cybersecurity. I can't imagine 5 years ago, you'd be asking the CEO, how secure is your infrastructure? And are you worried about the risk of cyber attacks? So today, with there's a heightened degree of awareness. That awareness forces CEOs to pay attention to the topic, forces boards to pay attention to the topic, which means there is more of a focus on getting security right than there ever was. So you're seeing the pressure come from the top in terms of making sure the infrastructure is secure. And it's important because any financial services company, if the infrastructure gets breached, they'll be shut down in 3days. I think as generally speaking, we're woefully ill-prepared for what could happen to the technology infrastructure in this country around the world.

Yes. And that's a good segue to the next question. So it really does seem like the demand environment security is stronger than it has been in several years. And now you have, obviously, the Russia-Ukraine tensions. There's risk of cyber warfare being a potential major theater in this conflict. What have you heard from some of the largest organizations, both public and private that you work with? Are people worried about this? What's the, I guess, the temperature in the room, if you will?

People are worried about it, but it's yet another risk and people are worried about a lot of risks. I think the debate has gone from not whether I'm susceptible or whether I could be hacked. The debate is, if I did get hacked, how am I going to get back up again and up and running. So there's a lot of focus on the world, this new practice called cyber resilience. Like if I get impacted, how do I stand up and get better again. Look, technology buying cycles are 3 to 7 year cycles. You bought something, sometimes it doesn't come up with refresh for 5 years or 7 years. So the fact that we started talking about cybersecurity last year doesn't mean the demand is sustained for 1 year. It means the next 7 years, people have to get through the old infrastructure, replace it because nobody is going in, tripling or quadrupling their cybersecurity IT budgets. So you will see that there's a 5- to 7-year cycle it's going to take, if you get it right. If you get your cybersecurity right, you still have to spend money for the next 5 to 7 years. This is not a 6-month demand cycle or war-inspired or stimulated demand cycle. This is a -- I think it's a secular change over time. That's going to happen because people get more and more fixated on fixing their cybersecurity.

Yes. And on that secular change, going back to demand environment, again, it's been really strong. What do you think you would attribute that to? Do you think there's been a expansion in the attack surface area from more distributed workforces and obviously more remote computing?

Well, we are going through, I think, one of the biggest tech spending cycles ever in history. And cybersecurity, as I said, it's driven by tech spending. Not only are we going through a big tech spending cycle, we're going through a sort of technological transformation in the midst of it. You're seeing people go to the cloud, shutting down data centers. You're seeing people rearchitect networks, that require you go create the security infrastructure needed to support that. So I think that's part of it. I think the volumes of post pandemic are still higher than the pandemic volume. So people thought we were seeing tech volumes go up or transaction volumes go up because we're in the midst of the pandemic. Now people got to go outside and volumes will fall. That's what's happening. The volumes are going up, which means suddenly people who would sort of hope that this would be a spurt in tech spend, and it's going to normalize, it's not normalized yet. I mean, add all of those things and go back to what I said earlier about the heightened awareness of cybersecurity. Thank you. The demand is here to stay for a while.

Yes. So Palo Alto is one of the few cybersecurity vendors that really addresses pretty much all the vectors within the organization from your network, cloud, endpoint. And you talked about how you're consolidating more of the security budget. At the same time, it seems like a broader security market is still as fragmented as it's ever been. You have a lot of smaller companies that have been seeing some pretty prolific fundraising. I'm just curious like where do you see customers' willingness to consolidate these days? And do you think that's going to change? And kind of what's your general strategy around here?

So 3.5 years ago, when you asked people, why do people not consolidate around a single cybersecurity solution, the challenge was there was not many people out there who offered you a single type of security solution. And even then, people wanted to get best of breed. So how do you create a solution where you have best-of-breed solutions as well as the fact that they work better together? So the last 3.5 years, we're getting closer to that. It's a fragmented market, I'd say it's about $160 billion market. We used to have 2% of share or we probably have 3.5% share. There's a lot of room. And when you can showcase that 10 of your products are industry-leading in the segment, then you start to see some degree of consolidation begin to happen. Over the weekend, I was spending time with some enterprise CEOs. And we were joking because I said, you knew nothing about enterprise because I still don't. I said the only math problem I was trying to solve was if you want to double revenue, we either have to double the number of customers and sell them the same thing or you're going to sell twice as much to the same number of customers. So when I came to Palo Alto 3 years ago, our largest deal was $28 million over 5 years. Last quarter, 2 quarters ago, we did $100 million over 5 years. So we've been able to 4x what 1 customer can spend with us. And now if you could take that and double that, that allows us the opportunity to go to our existing customer base and give them more and more security solutions because we're still only 10% or 15% of anybody's cybersecurity spend.

That's super helpful. So when you break down the Palo Alto business, you've got 2 elements. You've got the network security business -- or 3 elements. But the way that we think about it, you've got the firewall business and the attached services, that's about, let's say, roughly 2/3 of the business were a little over that, growing 20%-ish. And then you've got the next-gen security business, which is a lot of your cloud security solutions. That's about 30%, growing roughly 70% or so. And it seems like these are kind of separate businesses, but they also work together and you're really sort of attacking the cyber strategy. So maybe just to start off on the network security side. A lot of that is still driven by the product. And people probably ask you about the product refresh, how long do you think that lasts? Where would you say you are within your customer base as far as refreshing that? Because I think people got confused when you made that comment about 65% of security portfolio being refreshed, but it wasn't anywhere near your customer base.

Yes. So our business, as you said, there is a -- I've been trying to say that for 3.5 years, and hopefully, 1 day people believe it. There is a network security element to our business, which is a composition of hardware and software. In the last 3 years, we have transformed that business from 100% hardware to 60% hardware. 40% of that business is now software. Now of that business, 80% across the whole business is software subscriptions. So 60-40 in hardware software and then 80% of the president's subscriptions is within the network security area. And we're going to keep driving that hardware to software change. And there are 2 elements of that. One is fundamentally, software solved security is much more secure. Like if I had to go put a hardware box in this hotel and you have 500 hotels, it's going to take you 1 year to go around every hotel and put a hardware box. We can light up all these hotels in under a month and solve the problem with software. So I think security over time is going to migrate towards software-delivered security. If you -- so from that perspective, that business, the hardware part of that business also is a steady business, keep -- continues to grow. The hardware parts business, we have refreshed less than 5% of our installed base with our new hardware solutions we've launched in the last 6 months. Typical hardware cycles run from 18 to 24 months, sometimes 36. So our hardware hasn't been refreshed in our base. Additionally, 3 years ago, we had 4 software subscriptions. Every time we sell a box, we offer 4 different capabilities, which you can buy with the box. We have taken that from 4 to 10 in terms of things we can give you with the hardware box. So not only do we sell a box of hardware, now we can attach 10 different solutions to that. So we're going to see a natural evolution of, as we get through our base and refresh them in better hardware, we can attach more software. So I think that's kind of our strategy to drive sustained growth on our network security business. On the other side, our cloud and endpoint business, as you said, is growing about 70%. And I think we're very, very early in the cloud security space. It's not inconceivable that anybody who's going to GCP, Azure, AWS or IBM or Alibaba Cloud is probably going to have to spend $10 million to $20 million a year in cloud security.

All right. What's the attach rate as far as like subscriptions per box today? You said 4.

Robust.

Robust. And it's been growing? Is that fair to say?

Yes. It's been growing. You go from 4 to 10.

Okay. Maybe just a high-level question. Like when you talk about the shift from hardware to software, where do you think we are in sort of the pace of change?

Smart people are very quick to rationalize stuff away. There are still people who still use hard disk drives somewhere in a data center. So I think for the next 10 years, you're going to still see hardware being purchased in the market because a lot of companies will still own data centers. Moving to the cloud is 20% to 30% more expensive. So you will see companies who will not move to the cloud and hang on to the data center. So I think the hardware demand sustains for that period of time. From a change perspective, as we start to see these big network security rearchitectures, you're going to see more and more software come in. You're going to see more and more software get attached. But I think the market will still grow in the mid-single digits on network security.

On networks or just firewalls?

On network security.

Okay. Got it. Got it. Just a question on supply chain. Why has Palo Alto been able to manage the supply chain issues better than some of your peers?

I think everybody is hustling, trying to make sure that we get supply chain sorted. 9 months ago, every ship vendor canceled every order and said, "We're not sure what we can give you." About 3 months ago, they started giving you some visibility what you can have. You still don't get everything that you need. But remember, it's a -- I can't remember what the numbers are, but it's a multi-hundred billion dollar chip industry. We need $100-odd million of chips. So it's not a very, very small part of the overall chip industry. So as long as we have enough supply as long as there's stuff out on the market, we can get it. I don't think it's going to get easier for the next 6 months. We're going to keep having to hustle trying to find the chips. But our hardware revenues grew about 20% quarter-to-quarter, which is on the higher side for us as a company. And we still weren't able to satisfy all the orders that we had. So we ended up building backlog because we couldn't get -- and we planned for 20% and our average growth used to be high single digits. So we plan to have enough supply for 20%. We got the stuff, but we had to ship at all. We still have unmet demand. So I've never had as much visibility in the last 3.5 years into my hardware pipeline that I have today. Like I kind of stopped shipping 6 weeks before the quarter end. Anything you order in the last 6 weeks, I have to wait to get the stuff to ship it.

Yes. The visibility point is really interesting.

That's true probably in the industry.

Yes. You did mention that you don't see things getting easier. But like from a lead time perspective, would you say those have been fairly stable on the product side?

It's a problem is like -- there's 300 pieces that go into building a box. In 1 quarter, it's 10 pieces from 1 supplier and the other quarter is 10 pieces from the other supplier. It's not consistently 1 particular supplier. So Dipak and his team, our CFO, they do a phenomenal job of bringing all the stuff together and getting it out there. The lead times, we know what are going to get in the next 6 months.

Yes. Okay. On the margins within that network security business, they're really high already, I think, 40% the last time you disclosed it. Do you think there's room for that to move up as you start attaching more subscriptions and sell the premium maintenance, for example?

Yes, the network security business, the margin components are obviously our hardware margins, which are impacted because of supply chain, and those should ease over time. There's the software-solve, our product, Prisma SASE which competes in the SASE space. As we scale that, and we're seeing phenomenal growth there. As we keep scaling it, our cloud costs, which are the biggest cost in our customers' -- deployment cost is the biggest cost, over time start to amortize. So you have a mathematical effect of those things beginning to give you more margin. And last but not the least, as you attach more and more software subscriptions because that's a typically higher-margin product. So I think the network security margins in the long term sustain and get better.

Speaking on the component cost, you also did some price increases, I think, late last year or earlier this year. Do you think these price increases are going to be durable as we think about next year or the year after? Or do you think eventually they will just get eaten up by distributor discounts?

The price increases you're seeing in the market, they're very leaky because a lot of them to get negotiated away. So we are in a competitive market, price gets negotiated away. The yield is very low. It's typically the smaller end customer that gets the biggest brunt of price increases when other large enterprise customers get impacted that much by a price increase. So we actively chosen not to drive price increases out of our portfolio. We've done 1, 1.5, maybe, and we've seen people do 2 or 3, probably makes us more price competitive. But I think some people have to cut prices again. The supply chain is not going to suddenly ease up and not shut -- at least I'm sure somebody is going to be left with a lot of boxes or something after supply chain receipts. It can't be that you've got that figured out perfectly. So prices will come down for some people.

Yes. That makes a lot of sense. So maybe shifting to the next gen side, again, roughly 1/3 of the billings now growing in the 70s. The way that we think about it, so that you've got this next gen business at $1.5 billion run rate in billings. Roughly maybe a little less than 2/3 of that is coming from the SaaS and the SD-WAN side.

About 1/3.

About -- okay. You've seen some pretty significant growth on the SASE side. Can you just talk a little bit about your differentiation versus other players in the SASE market like a Zscaler, for example?

Just example, yes?

An example. Yes.

Most of you must have heard that there's a huge thrust towards doing Zero Trust and Zero Trust is concept where you don't trust anything that comes into your technology infrastructure, you have to -- it has to validate its credentials. Like that's why we all carry badges when we go to work, even if the security guard identifies and says, "Hello, Mr. Fodderwala, how are you? Just please swipe your badge, because we don't know if we got -- we still employ you or not. That's called Zero Trust. I know you, but I still don't trust you." That's kind of how Zero Trust works and has been working in security for a very long time. Zero Trust means that you have to make sure you're treating everything consistently. So our differentiator is people use our firewalls in the data center, they deploy security policies. Now when I work from home and I log in, I'm not in the office. So the security policies being applied to me are different. They have to be consistent for you to deploy Zero Trust. If I'm running a workload in GCP, the same policies need to apply. So we're the only cybersecurity company, which can deploy the same security policies in your public cloud and your remote use case or in the data center. Nobody else can do that because nobody provides all those 3 solutions. So where we're seeing our growth is our existing very large enterprise customers want to be consistent in how they deploy Zero Trust. And we take the traffic, we offload to Google Cloud. It runs as fast it can, Google Cloud and gets dropped off the other place, deploying the same security policies up in their cloud infrastructure. That's our differentiated Zero Trust. We have -- and we do better in the large enterprise use cases. So we have done the last few quarters, we've done companies with employee size of between 100,000 to 650,000 to 1 million. So that's where it works really well. 2.5 years ago, we were not in the business. We did not have a SASE product. Today, I think we see 5 out of 10 deals in the market. Hopefully, we'll see 10 out of 10 deals in short order. I think we win a bunch of them, and our win rates are improving. SASE is going to be big. This is a very early part of SASE. And the good news is that even if I don't win it today, it comes up for renewal 2 years from now, I can go win it tomorrow. In firewalls, you've got to wait 7 years. If somebody doesn't buy my firewalls, I've got to wait for 7 years for the next set of firewalls to be refreshed. In SASE, you can -- this perversity in our industry called -- people like ARR, I like DCV, like ARR means you do 1 of your deals. I like my competitors doing 1 of your deals because it mean the deal is up for renewal. And a year from now, I'd like to go ahead and be able to replace them. So we do 3-year deals on average across our customer base and SASE is big.

When you think about SASE, how do you think about balancing the growth between selling into your existing customer base versus net new? Because there are some use cases as you overlap with the traditional firewall business. So when you talk to customers, is it like either or, like I just want to go SASE or just go firewall? Or is it kind of a combination of both? And how do you like to balance the growth there?

Customers come in all flavors and types and they have their own strategies. But most customers want to deploy a consistent security protocol across, everything, across their data center, public cloud and their remote or branch use case, which is 3 use cases in this space. We sell approximately 75% of our SASE into our existing base. Remember, we have 57,000 active network security customers. So that's a lot of customers. We cover north of 1,700 of the Global 2000, which means we cover most companies that are out there. So we sell 75% there. The interesting fact is though, the 25% of net new customers are Palo Alto. And typically, they are customers who will take our SASE solutions, who will have other firewalls. In which case, the conversation is perhaps when their firewalls come up for renewals, they can then go reverse into Zero Trust by buying firewall-to-firewall. So I think our SASE business also is a lead generator for our firewall business, which we haven't had for a very long time because customers now get comfortable with our security policy to say, "It's working. Maybe I can buy some hardware next time."

Yes. That's a really important point. And I think you mentioned you have about 2,000 customers on the SASE side and out of the 67,000 firewall base.

57,000.

57,000, excuse me. What is the uplift that you get when a customer moves to SASE over a period of time?

Yes. We did this about 1.5 years ago, we shared, I think the SASE customer is both more valuable and more profitable for us in the longer term. I think the number is about 2x, give or take because we sell a firewall with a 6- to 7-year duration, our SASE solutions get renewed after 3 years. And I think the contract values on SASE typically end up being higher because it's a combination of both network -- both network and network security and the 10 subscriptions I told you about on the hardware, almost all of their work on the software-solved is on SASE. So over time, you can attach more capability in them.

So I want to switch to Prisma Cloud. So I guess if SASE is securing access to the cloud, prisma Cloud is actually securing actually the workloads in the cloud. I think this is about a $300 million run rate business now, growing triple digits. So Palo Alto was pretty early to the cloud security market. You bought RedLock, I think, back in 2018. Back then, nobody knew what CSPM or cloud security posture management was.

Most people still don't.

Yes, I know. How do you think this area has evolved from just like a feature like CSPM to a broader cloud security platform when you think about Prisma Cloud as a whole?

Yes. So when I came about, we had a company called Evident, which used to protect workloads on AWS. And we made a bet that people will be on multiple clouds. And most of our larger customers now are on multiple clouds. So we bought RedLock, which did cloud CSPM across multiple clouds. And we try to go out and sell RedLock to our customers who did, and say, "Well, we're building container security." They're like, "Don't worry about it if there's a company out there called Twistlock, which is the best of container security, it's going to take you 4 years." So we bought Twistlock. And so we do serverless software, now as we buy a company called PureSec. So we took them. We merged them. We shut down their individual capabilities and merged them into 1 platform as we've had it for 3 years. We've built 4 more capabilities on top of that. We've built net application firewalls. We built identity access management, we built data loss prevention, about to come to the apparatus with the microsegmentation. So we have now 7 modules in our Prisma Cloud platform. And the way we sold it was we would sell credits upfront. So you buy a bunch of credit. And then when we launch the product, you start using up the credit as the new module show up. So we're seeing adoption across our 7 modules because of the way we sold it to people. And the consequence is the customers who consume it, their renewals come up faster because they end up consuming more because they are deploying more modules. We're the only company, we don't see competition in this space. We see it in 2 ways. One, there will be smaller start-ups who will provide a sliver of capability and company will say, "We're not ready to go the whole hog, we want to go solve this problem," or we see a bunch of DIY. People will spin up their own. And when we're lucky we've noticed that people who said we don't buy a platform 2 years ago, bought their own solutions, are now migrating because as the cloud gets bigger and bigger for people. I'll give you an example of a customer who bought $2 million of credits in the first year. 18 months later, they've upped that to $8 million of credits. And I think they could probably a $50 million customer from a lifetime value perspective because they're barely 3% deployed in the public cloud, and they have stated an intention going 100% public cloud. That's -- I'll give you an example. This is a customer you would think is a S&P 500 company. It's not a Dow company or Fortune 50 companies. So if you can think there are probably 500 companies out there who are going to end up spending $10 million to $15 million of public cloud a year. I think public cloud security is very early. That's why you're seeing a bunch of these private valuations for these companies. We're about 2.5 years ahead of anybody out in the cloud security space.

When you think about the size and the opportunity here, I mean, it could potentially be big. I mean there's probably going to be billions of workloads in the cloud at some point.

They'd better be. People paid for them. I don't know what the accumulated DCP at Azure -- is it $200 billion a quarter, something like that? $180 billion a quarter?

But I mean you've got certain workloads that are more addressable than others. There's lots that are just ephemeral, right? So how do you think about the actual addressable opportunity for Palo Alto Networks?

Like a simple rule of thumb, 2% to 5% of whatever Google, Amazon, Microsoft book as they're booking sort of cloud workloads should be security spend. Now half of that will go to them because they have tools that people will use on these single short customers. But I think the other half is open TAM for third-party vendors like ourselves. So you do the math. If you start selling $70 billion, $100 billion worth of public cloud, that in itself is a reasonably large market. $8 billion? $8 billion to $10 billion a year TAM, a $300 million ARR? The market's there.

Yes. And that $8 billion to $10 billion, obviously growing with workload growth essentially...

Yes.

Got it. I wanted to dig a little bit on Cloud code security or some of the DevSecOps functionality. So Pawel just talked a lot about bringing security or shifting security left into the development life cycle. Can you talk a little bit about some of your initiatives there? And again, how do you think about that opportunity?

So you guys are seeing like, look, there's a huge movement out of this whole -- the GitLabs, HashiCorp, Atlassian world where it's kind of developer led. Developers pick up tools that make stuff up happen. Now there's this fallacy that security should work like that, too, and it doesn't work like that. That's why we don't have 4,000 police forces in every state because you can't -- you need 1 consistent way of doing security. If you don't do it, it doesn't work. And so there's a company, which built an open source tool for security. Now developers prefer that because then they can just look at it, use it and then ship their code for production. So what we did was we bought a company called Bridgecrew. What -- developers can use that as part of their open source tool kit, but it checks everything you're doing against the enterprise version of Prisma Cloud. So you deploy your tools, we check it beforehand. So when you submit it to CI or CECL, it's passed all the security test otherwise it would have told you that. We bought that company about 1.5 year, a year ago, almost now. We've integrated it into our Prisma Cloud platform. We launched it about, I want to say 2 months ago, and we're seeing really good adoption of that tool kit amongst the Prisma Cloud customer base. And we're also seeing independent customers come in because of that capability. I think it's very early days. It's kind of akin to what Snyk does, which is a separate private company doing the same thing, but then they don't have the other enterprise capabilities. We do. So I think, again, it's part of filling out the entire platform to do cybersecurity. I think we're very, very early in the whole cloud security space. And I don't think there's enough companies out there who are building a platform.

Got it. I want to shift to the Cortex side, kind of what you're doing on the -- a little bit on the endpoint protection, security analytics. I think another roughly $300 million run rate business, plus or minus?

Hopefully, plus.

Yes. Hopefully plus that. So Palo Alto has been talking about XDR extension detection response for quite some time. I remember you used to sell Traps for endpoint protection. And I think like 3 years ago, you said, "Okay, we're going to kind of give that away so we can get the telemetry and go after the bigger XDR opportunity." How would you think about your capability relative to some of the other next-gen EDR vendors who are trying to go after it? Is this an area where you want to be a serious player? Or is this another thing to sell within your installed base?

Look, if our XDR business was an independent company, it will be valued somewhere in the vicinity of Central 1, just by itself, right? Because we have -- we started roughly at the same time, we have similar kind of customer behavior and growth. Our technical capabilities are at par or better than all the vendors out there. It's a crowded marketplace. I think the more interesting opportunity is 0goes back to what we started off by saying that AI and machine learning needs to be applied. Look, 3.5 years ago, the mean time to remediate a cyber attack was 27 to 50 days. So when you find out that you've been breached, it took 27 days to find out what actually happened. That kind of doesn't work. So today, that mean time to respond is coming down. In 3.5 years, at Palo Alto, our mean time response is in the same vicinity. So it's kind of hard to be a cybersecurity company and do that because you would know for 27 days they were breached or what actually happened. You know you were breached, but you have to go back and analyze everything to figure out what happened. We spent 3.5 years, our mean time to remediate is under 1 minute. In our company, we can find out and remediate under 1 minute. We used to get 67,000 alerts a week. We've analyzed them, cross-correlated them, eliminated them, automated all the responses. We see about 56 events a week, give or take. Those 56 events are manually analyzed and remediated in under a minute. The industry time is still in the 20-day range. And if we don't do that for cybersecurity, every company will get breached, you would know. I mean I remember reading newspapers about hacks, where large amounts of data have been extracted. The companies took 1 year to tell us that they've been hacked data has been extracted. So the industry has to go to this world where you are remediating on the fly. Now what does it take to remediate on the fly? It takes an analysis of data in real time. Now on average, every company has about 30 to 40 cybersecurity vendors and none of us talk to each other. They actually can't cross-correlate data across 40 companies because we all have our own mechanisms for doing security. So you can't normalize data. You take all of that data, you dump it into a large data lake, you can call it whatever you want. There's a bunch of companies out there who do that. You ingest all of the data, put it in a large data lake and then humans go in and analyze that data because there's no technology that analyzes this data. There is this work called UEBA, User Behavior Analysis, which basically tells you how to understand the data, but that's still helping you do it manually. So we've taken all of that and says, we're going to use a single source of truth. We will take our data. We extract. We take 150 megabytes of data per endpoint in a company, analyze that data, use that as a single source of truth and cross-correlate everything against that. That's how you get to a 1-minute response time. So that's what we just launched called XSIAM, which is -- we're working with now 9 companies. We're going to work with them to replicate what we did amongst our own stack using a combination of XDR, combination of all of our analytical tools. If we can do that for those 9 companies or when we can do that, we're going to launch that product in July for all of our customers out there. I think that's how we transform the whole security and analytics space. That's how we transform the space, which I think is a 15-year-old space where we were ingesting a lot of data, which is the SIEM space. You can go look at the Gartner Magic Quadrant and see who's going to get displaced. So that's the opportunity. The opportunity in XDR is yet another sliver product that solves a certain problem. It makes a little easier, but doesn't solve the whole problem.

Yes. I want to dig into SIEM a little bit, but just that broader data advantage you're talking about, we're going to take all the extra telemetry. How does that feed into other parts of the business? Because I think in the past, you've had cybersecurity solutions that have been focused on securing a particular vector. And eventually, cybercriminals will catch up. So how does this really help your solution get better over time so that we start to see more of a steady compounder within cybersecurity, which quite frankly, in the past we haven't seen.

Look, I'll give you a thought experiment. All of you can go back to your organizations and just for fun, ask your CIO or CECL, "How many agents do we have in our on our endpoints?" I did that 3 years ago, the answer was for financial services, between 5 to 11. What does that mean? That means there are 5 different companies who would sell your IT team a solution, which is going to your laptop, and they would extract a little bit of data and analyze that data and solve the problem. We're like, "Why don't you deploy 5 things on my laptop? Why can't I just deploy 1 thing, it collects all the data because everything is analyzed in the cloud now?" That's what we're doing. We're reshaping how this world of data analytics needs to happen.

So on the XSIAM front, I thought it was interesting talking to Lee, your Chief Product Officer after the call. And I was like, why are you trying to, I guess, effectively replace the SIEM, right? At least the traditional SIEM as it's constructed, has been inefficient.

That's like saying why you're trying to replace a chariot with a car.

Right. Okay. That's a good point. Okay. Fair enough. But I guess what is your thinking behind it? And like how do you think Palo Alto is going to be better in terms of efficacy and in relative to your -- yes?

The other's tools? Yes. Look, the way we think about it is this. I'm never used to sitting for an hour and talking about this stuff. Okay. Look, our current business, the network security business, which is where 80% of the business is, we think the world is going through a huge network transformation. So we think both our innovation and hardware and attached subscriptions is going to drive sustained growth in network security with SASE. The world is going to the cloud. I think we have everything we need on the cloud portfolio and whatever we don't, we will either build or buy, smaller companies, more product-oriented, nothing big. And we're going to stay competitive and not let anybody else into that space where we are 2.5 years ahead. The whole world of analytics and replacing the SIEM or the chariots for us is where we're going to find growth at 18 months, 24 months from now because I think that market gets transformed. So my job is to look for revenue today, tomorrow and 2 years from now. I think for the next 2 years, we'll get a great trial in network security. We're going to get a great run for 5 to 7 years of cloud security and thereafter as XSIAM starts to work, we're going to see a great proof of that for the next 7 or 10 years.

Thank you for holding my hand through that. On the go-to-market front, so you guys have done a really good job of enabling your channel partners to sell some of these next-gen security solutions. And quite frankly, when you started to do that, it wasn't really in their incentive or at least that's what it felt like, especially some of the traditional VARs were used to selling boxes. Can you talk about the shift in mindset among your partners and how they're starting to see more benefit by selling the broader Palo Alto platform as well?

So look, there's a big reshuffle going on in the distribution rollout out there. Majority of distribution used to be hardware oriented in the past, and you're seeing a software distribution start to build. So whether it's the systems integrators, the Accentures, Deloittes, the PWCs of the world, whether it's the MSSPs, or every telecom company now has a star large enterprise sales team in every country. It's them, what is the cloud providers? Google, Amazon, Microsoft, they all have marketplaces to buy stuff. So suddenly, all these guys are becoming very good at value-added reselling, which is not what they were doing 5 years ago. So a lot of our newer NGS sales are happening in partnership with many of these folks. At the same time, the traditional large resellers are building software teams because they understand where the market is going, and they're building software capability in the mid- to low segment of the market saying, "Okay, we'll go deploy Palo Alto products for you, monitor them for you because they can work for you." So you are seeing a reshaping happening out there in the industry. And I think there'll be a lot of winners and losers in that space.

Yes. You also brought in some new sales leadership in the past several months, BJ Jenkins from Barracuda. You also have Rick Congdon, who's running the sales organization. How are these seasoned sort of veterans within security? How are they complementing some of the -- your strengths or weaknesses -- that kind of go-to market SIEM?

One of the people I was with on the weekend with, I think he's probably the people who has made an art out of selling enterprise solutions to the world, and we're chatting about this. But enterprise sales is 99% perspiration and 1% inspiration. You've got to cover as much ground as you can, the more ground you cover, the more customers you can touch, the more customers you touch, the more likely to buy. Now I have -- we just -- you didn't mention Helmut Reisinger, Helmut is from Orange Business Services in Europe -- for Orange, he now runs Palo Alto Networks, Europe, Middle East, Africa and Latin America. BJ Jenkins, our President, used to be CEO of Barracuda and now runs all of our go-to-market efforts, Amit Singh, who is our Product President is still there. He's focused on the very large deals of the company. Rick's focused on selling a lot of stuff. So between all of us, again, I keep harking back to 3 years ago because that's when I joined, like we didn't meet many CIOs as a company. We used to sell firewalls. As I said last quarter, I've seen more CIOs in the last 12 months than Palo Networks has seen in 5 years, right? And when you see them, you need more spread or more coverage amongst our leadership team. So we've taken ten of our leaders. We've passed the whole large count based across the 10 of us, and we track how many CIOs we meet on a weekly basis or on a basis because that's where we have those Zero Trust conversations, that's where we build the plan. That's how you get somebody to spend $100 million. And even they trust that not only is your current portfolio useful, but where you're going for the next 5 years is what they want to be following you or working with you on.

Yes. I want to shift to -- on the federal side. So I think Palo Alto has one of the higher FedRAMP certifications, if not the highest. And you also got FedRAMP search for some of your cloud security products, I think last year or a year ago. How is the pipeline trending in federal? And are you seeing any incremental traction after the Zero Trust mandate that was rolled out by OMB recently?

The federal government is very thoughtful. They take a lot of time validating their decisions. As you can imagine, we're still waiting for them to deploy the public cloud after, I think, 4 years of analyzing, bidding, rebidding and trying to deploy it. So until -- so let's just say they're slow to show up in vendors' numbers, that's the point. But there's never been a time where they've been more focused on fixing cyber security than now between Jen Easterly and Neuberger, Chris, all these guys are very focused on trying to get that stuff supported. I think the first 6 to 12 months of any new administration, it's very hard for them to get their stuff together because there's a whole cast of character that changes, and they've got to figure out the new working rhythm. So we are hopeful about good stuff to come from them in year 2 and year 3. But all the signs point to more focus and more availability of resources for them to go deploy solutions. And the time is our friend. The more time they take, the longer it takes, our products get better and better, more adapted to the federal government as well.

Yes. Just on the organization and the culture, it sounds like you came in 4 years ago, you had this narrow window to buy a bunch of great technologies, maybe some things got disrupted earlier on. When you look at the culture now, especially given the really competitive labor market, how has Palo Alto been attracting talent? And how do you see your potential for attracting talent relative to back then?

Look, we've been very lucky because the 17 companies we bought we've retained north of 80% of the founders of these companies. They still at Palo Alto networks. They still work there, they're still excited. Many of them are actually driving the efforts. So there were 3 principles we deployed when we did M&A. One, we were going to buy the best in the market. The reason they're successful because is they beat us with less number of people and lower amount of money. So we're going to buy whatever is best out there because our customers are not going to buy something that is not best of breed. So we bought the best companies, is one. Two, we make them responsible for our efforts, not our team is responsible for their efforts because they beat us. So we had a lot of change in our leadership as a consequence, acquiring all these companies. And the third principle was we've forced integration. We forced tough technical decisions. In fact, when we buy companies, we don't sign the deal until we have an integration plan between the two of us from a product perspective because we need to get all the emotions out of the system. So we do that. And as a consequence, a lot of -- all of our products are now integrated. From a cultural perspective, we've been lucky because -- lucky and lucky, suddenly Palo Alto Networks has become a place where people want to draw talent from. So we see a lot of people trying to hire people from Palo Alto because -- even early in many spaces. On the flip side, we've just run a campaign, for those of you who are frequent LinkedIn, we ran a campaign called Welcome Home because many of our employees who left for other cybersecurity companies have seen their personal net worth get destroyed or depleted given the current markets and we've offered to reinstate them back in the number of shares they had at Palo Alto and they're looking at the math saying, holy s***, I should have stayed. And we're seeing a lot of success and people wanting to come back. We've been running a program called FLEXWORK in the midst of pandemic, which we started with Zoom, Splunk, Box and Uber. And now we have 300 companies that are part of the FLEXWORK coalition who are deploying flexible workplace policies, and we were sort of early in that space. Our Head of HR drove a lot of the efforts. So culturally, I think it's the best cybersecurity company I'd like to work for, you want to work for. But we see churn like most people in the industry.

Maybe shifting to the margin side. So you talked about how operating margins will start to expand beyond this fiscal year. So we all know the core sort of the firewall and next tech business is very profitable, over 40% free cash flow margin, and that's funding what you're doing on the next-gen side. At what point do you see that next-gen business becoming breakeven or profitable on its own and sort of sustaining itself?

Look -- make sure I say it right. You guys are all public investors and whatever I say then you go and suddenly you see it happen in the stock. So we're seeing way better growth than we expected when we started our year. And we're trying to make sure we manage the operating margin in the context of what we promised The Street. And we will do so over a 3-year plan. At the same time, we have more opportunity to invest than we have time and resources. So we're going to be balancing our resources to live up both to our commitment, at the same time to keep investing for growth because there are very few cybersecurity companies growing. There aren't any cybersecurity companies growing at 30% in the current market, deploying across multiple categories. So we will keep investing, but we'll balance the amount of investment against the promises we've made to The Street.

Yes. Makes sense. Just last question for me. I want to open it up to the audience. M&A. You talked about less frequent M&A, I think Q4 last year and you reiterated on the September Analyst Day. Just curious on your strategy going forward. How do you make sure you're not missing out on anything by doing less free M&A?

So we don't do M&A to do M&A. We do M&A to complement our product strategy. We're not going to miss out on our product strategy. If there are opportunities that we believe we should participate in, it's an area we missed, we're going to go build. Remember, 3.5 years ago, we were not in the SOC transformation business. We were not in the SASE business. We were not in the cloud security business. We were not in the incident response business. So these are net new businesses. We could acquire companies, integrate them and go do what we need to do. Today, anything that's out there typically is an incremental feature to what we already do or anything that's out there is already a space we play in. So it's very hard for -- I don't want to buy stuff and have 2 companies in the same space. I don't want 2 SD-WAN businesses, 2 endpoint businesses. We're happy with the ones we have. So actually, the target opportunity set is a lot smaller. There are opportunities in cloud security because there's -- I still think there's a whole bunch of products that haven't been built. So we -- Walter and his team track -- I don't want to say, 50 to 100 companies a month. We visit with them. We see what's going on. We see if it's interesting or not. If it's interesting, we'll acquire. But I don't think we're going to miss out on the opportunity to acquire. But if you look, we've only acquired product. We don't believe there's a value to acquiring customers or revenue and paying multiples that we have to go back and then earn for the investors. So on a product basis, I don't think M&A is going to be meaningful to our financial profile over the next few years.

Walter seems like a busy man. He's great.

He still has to work at some point in time.

I just want to make sure there's no questions in the audience. If anyone has a question, feel free to raise your hand. I think we got one right here. You had to wait for the mic, sir. Sorry.

There is an increasing need to protect against sophisticated delicious governmental actors around the world. Some have advocated a united front made up of various companies as the first defense that can these attacks. Former Chief Cyber Command, Keith Alexander, for example, is such 1 person. My question for you is, what is your thoughts on having a united front? You can say malicious, very sophisticated attacks from other governments in North Korea for example, or Russia, attacking companies like Sony, for example. Your thoughts on this please?

So look, there is a -- there are various groups in this country and other countries, I'm sure, where there's a lot of threat sharing that goes on. So we see something, if you see a sustained attack of certain kind, there are protocols we follow to make sure those -- that information is shared aggressively with both cybersecurity companies in the private markets as well as the federal government as and when required. And that kind of becomes the way to protect against a concerted attack. But given -- you need to know what the attack is first. Whether you take an example of SolarWinds, I take example of Log4j. When these things happen -- there's currently an attack underway called Viper, which has been -- malware being sent around try and wipe out your data, so you don't have any ability to respond both from a critical infrastructure perspective or from a military perspective. So when you know what the nature of the attack is, then you can rally together and figure out what the threat vectors and what the IOCs are and go and perpetuate them through the entire infrastructure. The challenge is, as we said, it's not like every company has its own proprietary infrastructure. It's not like Palo Alto can provide the solution to everyone because how -- are not our customers. So we have to work as a collective between public and private to make sure that we understand the IOC. We make it available to each of the practitioners and the individual companies can then deploy them based on what their proprietary infrastructure is.

Do you foresee a need for a governmental or a non-public non-private sector? Or public sector an organization that actually serves as a united first defense front against these governmental...

Yes. Those are in place. Those things are in place today, whether it's CISA with Jen Easterly, whether it's the NSA. They have...

This, the private companies. So for example, when Sony was hacked, I mean, they were hacked by actually North Korea. They didn't have the sophistication to actually prevent these types of attacks. My question is, do you think there's a need for a sector and organization that actually protects these private companies early on really quickly?

There is an industry out there. There is -- between the combination of us, Mandiant, CrowdStrike, we have enough resources that get deployed. The problem is they were hacked. So once they're hacked, you can't unhack them. You just have to go figure out, pick up the pieces. So everything you and I read was a consequence of the hack. But once they were hacked, I think they didn't take too long to plug the hole. But when the data is gone, the data is gone.

Anybody else have a question? Okay. Maybe I'll throw one in there. So you talked about the capital allocation being skewed a bit more towards share buyback. We saw that, I think this most recent quarter, you bought back, I think, $150 million in shares. How do you think about your share buyback strategy? Is it more opportunistic? Or should we expect more like a regular cadence per quarter?

We usually get an approval for a $1 billion share buyback every year, which kind of roughly equates to our dilution from our stock-based comp, give or take. And we don't get paid to time the market. So we will just have some sort of regular cadence, depending on what's going on in the company where we have information or private NMPI, where we can't trade, but it's going to be somewhat more on a cadence relative to the markets, but I don't get paid to buy it at very cheap prices and not by that.

Yes. Yes. And you talked a little bit last quarter about your focus on becoming GAAP profitable, I think, in the next year or so. So is that part of it, just driving down that dilution with the share buyback or?

But that doesn't impact it. So I didn't say next year, by the way. I said we will talk at the end of this fiscal year and share the plan would be in terms of how our numbers transform to get us to GAAP profitable. But look, the difference between us being GAAP profitable or not right now is the overhang from the M&A we did in the stock, we reinvested for the founders of the companies we bought. Once that wears off of our GAAP P&L, we will end up becoming GAAP profitable. So it's not hard to compute mathematically when that wears off, given when we stopped acquiring companies, and it also helps if you're growing revenue at 30% and holding margins because then that also washes out some of that. So it's not a hard math problem.

Yes. I know we've got a few minutes left, but anything that we didn't talk about or asked or any closing remarks that you wanted to touch on?

No, look, I think you've said it, there is a very large sector, which is growing in high single digits, possibly north of that. There are not many players who are consolidators of that sector. It's still -- I think the 3.5% was still the largest market share, depending on how you count Microsoft Security's revenue. And our anticipation is that if we continue on the path that we've laid out for ourselves, you'll see the first $100 billion cyber security company in the world.

Okay. We still have a few minutes left.

Don't sell out the close. We're done, buddy.

Exactly. I read the clock wrong. So you made a point at the Analyst Day where you talked about partnering more with the cloud service providers. Just how do you think about the competitive threat from the CSPs in particular and like versus partnering with them?

Look, there are a certain set of customers where they're better suited using the native tools of the cloud service providers. And a lot of them, as their environment gets more complex and there are multiple clouds, are better suited with us. I don't think there is a challenge. I'm very happy with 50% of the cloud security market share.

Just on -- going back to the margin front. So I think you -- oh, sorry, we have a question over here. Sorry about that.

All right, I was just going to say, you warned us not to conflate the current geopolitical events in Russia with the CapEx cycle that's going on. But I do want to ask if you're seeing incoming right now, what the nature of it is whether this is raising awareness by companies about things they need to do differently?

Look, as you can expect, given the current circumstances we're in, a lot of the critical infrastructure companies on alert because they have to be because right now, there's not as much cyber -- as many cyber attacks going on right now in the direction of the U.S. or the West, as you would expect because I think it's quite concentrated where everything is happening. But who's to say that in a few days or a few weeks, when things get more desperate for certain people, that because they're not going to get pointed -- cyber guns are not going to get pointed in different directors. So I'd say, generally, there's a heightened state of alert across the board, both in critical infrastructure companies or companies where their getting impacted could create chaos on some way, shape or form. So I'd say everybody is watching carefully. And the challenge is like you can't fix it. If you didn't fix it 1 year ago, you can't suddenly call me and say, "You know what, can you come protect me?" Of course, I'll say, yes. I'll charge you a lot of money, but I'm not going to be as effective. So it's a bad strategy for companies to call and say fix it in 24 hours. But again, as I said, they just -- this is like -- this is why we still take off our shoes when you go through DFA. So now people are going to be aware of this. And for the next 5 years, we're going to make sure that security is covered.

Yes. As you mentioned your broad capabilities you have, there's this discussion in the industry, best-of-breed versus people like Palo Alto with the broad capabilities. And I wonder on the really enterprise level, if you talk about Fortune 2000, et cetera, why do you believe an integrated platform will win versus best of breed where people like CrowdStrike, Zscaler work together versus you offering a broader solution and integrated platform?

So you said a few things. First of all, I agree with you that our customers want best-of-breed. So we don't sell just an integrated platform. We sell an integrated platform, which is comprised of best-of-breed. We have 10 solutions we can sell you independently, which will meet or beat any public vendor out there in the same space or you can have them from us, and they will also work together better. And so that's one part. The other part is I don't think the loose affiliations of my product is integrated with somebody else's product works. I mean, I don't buy any of these industry partnerships is that our product is integrated with this other third-party product because we have a lot of security products, it's very hard to integrate your product without sharing security protocols and nobody does that. So it's -- they're in 2 different spaces, and therefore, they can work together because they don't have overlapping capabilities.

All right. I think with that, we'll end it here. Sorry for the false...

Can I say the $100 billion thing one more time? No.

Thank you so much, Nikesh. Really appreciate it.