Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Good. So I'm very pleased to host, Nikesh Arora, the CEO of Palo Alto. As you know, I'm asking questions. I have a whole list of questions for the whole 40 minutes. But if you have a question -- let's make it a little bit dynamic, if you have any questions, just raise your hand. There is a mic in the back. We'll make sure that you'll get it at the right time, okay? So I'm not going to pause at the end for questions. We'll just wait for you to raise your hand if you have anything.

Nikesh, I really don't even know where to start with this conversation because there are so many topics to talk about, and I want to start from the last results. And the last results were phenomenal, similar to previous results, billings up 40%; NGS ARR, up 65%. I want to start from the big picture, start -- for those that are kind of following it a little bit from distance, not for those like us that follow it day-to-day, what is the main improvement in the business, the main growth driver in the business you want to highlight over the next few years that drove the excellent results we've seen in the last 4 quarters or in the last few quarters? What are the things that you have done in the last few years that is actually the result of it is what we are seeing today?

Tal, as you know, it is my fourth year anniversary actually today or yesterday. And the one thing which you learn in tech is that if your products don't work over time, if they start deprecating, eventually your business is going to suffer. And that's true in security more than anywhere else. So we spent a lot of time in the early part of Palo Alto over the last 4 years, the first 2 years and really going in validating ourselves in multiple product categories. So this is, I've said it before, but repetition does not spoil the prayers, so I'll say it again. We were in 2 magic quadrants or leadership quadrants in enterprise security. Today, we're in 15. There is no other company in the history of security that's done that. Second to us is Microsoft. Just to give you a scale and scope of what that happened, which means we are comfortable in our product portfolio. Having said that, we're not stopping here when we keep looking at the market and see what else we need. Now what that does is when we go to a customer and the customer is up to here in firewalls, we can talk to them about SASE. When they're up to here in SASE, we can talk to them about cloud security. If they are up to here and something else, we talk about XDR, we can talk to them about SOC automation. So we have 15 different products that are best of breed that we can sell them. And of course, over time, once they like one of our products, we can give them more because they like 1 product and it shows them the integrated benefits of deploying product 2 or product 3 or product 4. So from that perspective, we've done the product-to-market fit. We've done the product part. And honestly, this past 4 quarters, and hopefully the next 2, 3 years are going to be about scaling our go-to-market execution capability. We're going big in Europe. We hired Helmet, CEO of Orange. We're continuing to expand, we've hired William Jenkins, CEO of Barracuda to drive our global sales business. So we're actually focused very, very much on continued go-to-market excellence because our largest deal in a quarter can get to close to between $50 million to $100 million, right? That's the collective ARR or revenue of the 2 lines who were sitting up here before. That's one deal. This is how math works. Yes, not that I'm envious about. And I wish I had a $50 million, our business with $1 billion market cap.

When we ask our competitors, so for example...

We have so many.

But -- right, no. But with -- and just Orca to say, yes, but they had an agent approach, we have agentless. You ask CrowdStrike, yes, but they have -- they don't have a true cloud security, we have.

They are just trying to confuse you.

Right. So most of the competitors are saying on a -- if you look at the advanced solutions in the market, Palo Alto doesn't have the latest and greatest. On the other hand, your numbers don't suggest it. Your numbers -- so what is driving the success?

I was listening to George this morning because people are seeing the CEOs having stocks of 5%, but then competitive. So i went back and listened to him, he was talking about the rule of 70 or 90 or something. And we still did as much an incremental revenue last quarter which he did in total for the quarter. So yes, I get it. The fact that we grow our NGS ARR 65% tells you that somebody is buying this stuff, yes. So somebody must know the difference. I'd tell you, if you really want to get technical, agentless, you do updates twice a day, but that agent will do real-time updates. So yes, is it simple to check twice a day? Yes. So it's like security, I had the risk [indiscernible] showing at 7:00 in the morning and noon, and I say everything is secure. And you have between 7 and noon to do whatever you want. So you need an agent to go to real-time security. I get the agentless approach. It's a vulnerability scanning approach, which is done on a periodic basis. You can do that. It's easier, it's cheaper.

Got it. You...

And by the way, CrowdStrike is not into [indiscernible].

Yes. You invested in software. You invested other factors. What are the components of your success in the sense that when you consider the fact that you moved from not legacy, I mean, it wasn't legacy, but you moved from appliances...

We are legacy. You and I. Anything with white is legacy, but go on.

You said that you celebrated 4 years. I celebrated 25 years here. I'm legacy.

Yes. Yes. Hopefully, the next guys will be smarter than us. But yes.

So when you -- again, I'm still at the high level, still trying to understand the components of your success, migration to software, migration to services, tell us what did you do in order to take a company from appliances to where you are today. And what do you plan on keep doing for the next few years? And where do you see yourself 5 years from now, for example?

Let me answer the question differently because I don't want to fall in your trap of appliances and legacy and all that stuff. If you look 4 years ago, there was less awareness of cybersecurity, 4 years since, there's more awareness of cybersecurity. I get calls from CEOs who are undergoing ransomware, threats or attacks. I get asked by security committees not come and tell them about the secure or not. So let's just believe there is awareness in cybersecurity. Security is growing faster than technology from an industry high level perspective. So the growth rate of the industry on security is higher than IT growth. We're in the high single-digit ITs and low single digit, right? So more awareness, higher growth rate. Now I'll use the word legacy. There's a lot of legacy IT infrastructure and security infrastructure that's out there that needs to get upgraded, do better secured. Let's establish that. If you look at the largest category of spend, forget legacy, nonlegacy, you can tell me CVS, Walmart, Lowes, Home Depot, all the legacy companies. Guess what? They spend a lot of money. So they're just spending a lot of money on legacy and stuff, which is called boxes in their infrastructure. That's why Cisco has a $200 billion market cap and Oracle has a large market cap, too. So there's a bunch of legacy out there that needs to be protected. If you look at what's happening in security, the 3 major categories. The #1 category, you've got to defend your network. Network is the way you access your company's resources, your customers' access, your company's resources. That's protecting your network. All the way from your laptop, my laptop as a customer, your laptop as an employee. From that point into your network, you have to protect it. The way you protect it is you put firewalls in your data center. There's no other way to do it. No software will do it because you need to buy them. You do it by putting a software firewall in your public cloud deployment. Don't forget, only 10% of the world is on the public cloud right now. 90% is in legacy, right? That needs to be protected. That's the reason you guys all miss Dell, but not all of you, but many of us miss Dell because we thought it was over. So you got to protect your data center. You got to protect your public cloud instance. And you've got to protect your remote access, but the pandemic has brought out in space. In that network security stack, the biggest move is going to be a $20 billion to $30 billion TAM is being created as we speak around SASE, which is where we are 1 of 2.5 players. There's us, Zscaler and Netscope. Nobody else do never SASE. We built the best firewalls in the world. We're the only people with the largest software firewall business. So in the network security stack, we believe we are #1. We believe it will continue to be #1. We're growing that at north of 20%. Our firewall-to-platform business, an industry that's growing at 6% to 8%. That's network security. That's a $4 billion-plus business for us. That's bigger than any cybersecurity companies revenue out there. Just the network of it. On cloud security, you saw Wiz, you saw Orca. When I started Palo Alto, we bought a company called Evident, which did AWS security. We bought RedLock. RedLock was the first semblance of a cloud workload security company. We look at the market, there was 2 container security companies, Twistlock and Orca. We bought Twistlock. Twistlock had 460 customers, Orca had 250 customers. We bought the one with the larger number of customers, because we thought we would build them faster. Then we bought Aporeto, then we bought Bridgecrew. We bought a whole bunch of it. We have 9 modules on our cloud platform. Our largest cloud deal is north of $10 million. None of the guys who are sitting here have a $10 million deal, and they will won't see one for another year, right? Our cloud security. Cloud security is purely -- ask the company next time you call Cloudstrike or Zscaler. If my company, CVS or Walgreens or Walmart is moving to GCP, AWS, Azure, do you protect my application development in there? Do you? If they say yes, that's cloud security. If they say no, they are helping you do secure access to the cloud. Two different businesses. We all call it cloud security because who wouldn't call it cloud security, nobody in cloud security. The only real cloud security are Wiz, Orca, Prisma Cloud, AWS, GCP and Azure. That business for us is not a $5 million ARR. If it was 3 months ago, we had raised money at $40 billion for that compared to these guys multiples, but unfortunately, not 3 months ago, and thankfully, we're not dealing with that. Third business, which is still interesting is this whole confluence of endpoints and SOC automation. That is going to be a $30 billion or $40 billion TAM in the next 5 to 10 years. That is the next big thing that's going to get the dilution. This is where people ike IBM, LEED, Algorithm, ArcSight, West Point lives, where Exabeam lives, where Sumo Logic lives. That world is going to get preengineered. Again, we have the second best -- second largest XDR business in the world after CrowdStrike. We're bigger than SentinelOne, we're bigger than Carbon Black, we're bigger than Cybereason. Nobody knows that. Cortex XDR is bigger than [indiscernible]. And we just launched a product called XSIAM, which is in beta with 8 customers, which, hopefully, by the end of next calendar fiscal year, we'll have north of 100 customers. These are all Splunk replacement candidates. So the future is bright, got a legacy company.

Firewall as a Platform is a big business for you. You grew 25% last quarter. How do you make it? I mean, I see -- what you don't see, I talk to Check Point all the time. They are trying so hard...

You talk to a lot of people.

They're trying so hard, and they don't get 1/3 of your growth. How do you make it? Why are you successful in areas that both Cisco and Check Point are failing?

I don't know how to comment on other people's failures.

So talk about your success here.

Thank you. I appreciate that. I don't know why they're not doing it. So if you look at the firewall market, 90% of the firewall market is a replacement or upgrade or enhancement market, which are existing customers who want to buy more firewalls. 10% is a replacement market every quarter. The 2 Cs lose share, the F&P take share. That's what's going on to the market. Fortinet also has the best firewalls in the market. They take share. They're price-sensitive. They win when there is a throughput bandwidth argument as a cheaper level 4 firewall. We win when it's a more security awareness conversation with a level 7 firewall. We take share from Cisco and Check Point. I think Cisco has a combined -- I said I wasn't going to say, but I'll say it anyway, I've heard that the supply chain requires about 52 weeks or it's still around 12 weeks. 52 weeks is a long time, it's 1 full year.

Yes. Do you think this business will remain a big business for you also 5 years and 10 years from now? What's the future for the firewall market?

I don't know what's going to happen in 10 years. But it doesn't -- let me say it differently. If the world becomes network-less, all bets are off. I don't think we're going there. I think you will all be accessing the Internet in some way, shape or form. So somewhere, we need some sort of device even if it's your watch or a pair VR glasses or your antiquated laptops and iPads in 10 years, I suspect. We [indiscernible] VR. We won't need anything, we'll just be visualizing everything. You'll still need connectivity in the network. Every time you have that, you need to protect it. Now the funny part, which people don't seem to understand is, the amount of network traffic is growing at 10x on an annual basis. So guess what? The firewall capacity is not growing at 10x every year. You don't need more firewalls to watch that traffic. So this is the funny part. The reason firewall is growing is the traffic throughput is growing faster than the amount of firewall capacity. Physics. So firewalls will be around. They may be in software form factors, whether you're not worried about latency and bandwidth. They will be in hardware form factors. I don't think most financial institutions are going to move to the cloud because they don't need a high amount of throughput to move transactions back and forth. These are the crypto guys in the cloud, they're going to put firewalls against their data centers. Do you think laptop is going to go away in 10 years?

No. I'm going to have laptop until I die probably.

You're going to have a firewall until you die. So now you can decide the 10-year question, whether you're planning to.

We talk a lot about Zero Trust. Every company defines it differently.

Yes, it's like love.

Yes. I want to...

We have our own definition, all of us, which is preferential to us.

I want to ask you what, first of all, the way you see it, what...

Sorry, man, maybe I had 3 cups of coffee this morning. It's my sixth meeting, so I apologize if I'm being pesky or cheeky, but you guys want some entertainment thing, right?

I'll try to keep you...

You are keeping me very, very excited. Don't worry. So the same legacy once in a while. That's my trigger word.

What does it mean? What does it mean Zero Trust? What does it mean for you and how do you participate in it? And what do you think -- what kind of changes will dictate in the organization, your product portfolio in order to benefit from the trend?

Okay. Do you have a badge when you go to work, like one of those things?

Yes, yes, I do.

That's called Zero Trust. Even if you walk in and the guy knows you, he makes you -- want you to swipe the badge because between the time he saw you and somebody might have turned your access up because you no longer work there. Zero Trust is validating you every time irrespective of any other signal you send. That's what Zero Trust is about. Every time we try and access the corporate resource, I'm going to validate if you are who you are and you have the right thing to do what you do. That's what Zero Trust means actually. This is not hard to understand Zero Trust, right? You can be validated every time. Now, yes, every product out there in security, for the most part, is Zero Trust. It has to be. Because we're validating you every time, whether it's a firewall or it's an XDR agent or it's a remote agent or it's Zscaler, or it's Okta [indiscernible] doing Zero Trust, because we don't trust you, we're inspecting you all the time, that's called Zero Trust. The question is, well, have we Zero Trust, then what's the problem? The problem is, is your company, is Bank of America implemented in a way that you have Zero Trust across the organization? Well, if you have 6 different vendors doing network security, you are doing it 6 different ways. So you're not a Zero Trust because somebody does it differently from the other guy. And some of the products out there, not all of them, are like kind of your badge. Once you use, swipe your badge and you walk into Bank of America, maybe not Bank of America, but you have access to everything. The only thing probably you don't have access to the server room or Brian's office, maybe there, right? So...

No, I don't.

You don't. Okay. So then there is some degree of Zero Trust there. It's applied to very selective assets. But the more stringent you make it, that your badge only unlocks certain doors and even when you unlock them, I'm watching you wherever you go, that's true Zero Trust, right? So we watch applications, we watch user IDs, we watch your devices at Palo Alto. So we deem ourselves more Zero Trust than the others. But everybody's got Zero Trust. The question is, if you buy a Check Point firewall, you buy Zscaler for remote access and you buy an AWS firewall for your public cloud instance, there are 3 different sets of security policies being deployed. Is that better? Or is it better to deploy Palo Alto's policies by using our hardware firewall, which is consistent with our remote access product, which is consistent of our cloud firewall. The answer is, I'd rather have one set of security policies across all 3. So we go and fix the Zero Trust enterprise compared to others, which is Zero Trust for a specific application.

Big part of Zero Trust is identity.

Not really.

[indiscernible] on it.

No. Identity is a hygiene factor, it's about security. It just validates who you are and as I have conversation, talks, like when you log in, this is not a [indiscernible] Okta is a great company. They're going to be around for a long time. They need identity, they have the largest number of innovation, and that's not the question. You need identity to get it somewhere. You need your badge to get it somewhere. What do you do after that? You're doing anomalous behavior, you're being consistent, is your application working the way it's supposed to? All that stuff needs to be inspected. So yes, identity is a key input into validating that it's Tal who we are watching throughout this process. But you are an indicator or you're an identity. Yes, I need identity. It doesn't mean I can't use an API with Okta, SailPoint or Ping and see who you are and then track you to [indiscernible] and go back and say, shut Tal's access down. So it is an important part of identity. So there's -- every other is a Zero Trust product.

Got it. I want to talk about Prisma Access or Prisma. I want to talk about cloud security.

Yes. Let's be clear. I just told you our cloud security. Cloud security is protecting the applications to the cloud. Prisma Access is securely accessing the cloud.

I know. That's why I's have to go back.

You do. Yes. Which one do you want talk about?

Yes. I want to talk about cloud security. And the question is, how big is the opportunity, in your view, not from a numbers perspective, but from kind of your discussions with customers, et cetera? And do you see the appetite of companies, big companies, smaller companies to actually go after and do the right thing? Or are they -- for the meantime, are they going to say, okay, I'm going to use whatever, Microsoft, GCP is offering me or Microsoft Azure is offering me, et cetera.

I'm going to give you numbers answer.

[ Thank you, don't worry. ] We want it.

Okay. All right. Roughly $200 billion of public cloud is sold every year between GCP, AWS and Azure, give or take, if you look at the numbers, they are booking. That should have between a 2% to 5% of that spend should be cloud security. It's 8% to 10% on your boxes and everything else. But because Google, Amazon, Microsoft take care of data center security, it should be at 2% to 5% of the total number. So give or take, $4 million to $10 million. That's just what is sold this past year, right? You add it up over time, it was a $1 trillion spend. There should be $20 billion to $50 billion market for cloud security. I think half of that market will belong to the cloud providers because of the single tenant customers, smaller companies, they'll just take whatever they get as part of the license from Google, Microsoft, Amazon, and they will be fine. That leaves you with $10 billion to $25 billion over $1 trillion cloud spend, which is up for grabs, right? The market is not that big right now. The market is close to about $1 billion right now. So there is a 10 to 25x opportunity in there. I think customers will have no choice. They're going to have to use cloud security to make that happen. I think 60% to 70% of the products have been built, 30% haven't been built. Wiz didn't exist 3 years ago, right? Orca didn't -- Orca existed 5 years, but they're kind of -- they're less exciting than Wiz is. There's -- if you walk around the floor, half the companies have got some variant or some version cloud security. It's great. So it's going to happen.

And what makes you in a good position to go after the opportunity?

Remember, we have 2,200-odd customers in Prisma Cloud. And all of our customers, by definition, have to be GCP, Azure or AWS customers, otherwise you get nothing to protect, which means they have chosen us overusing the cloud providers' security. Most of these 2,000 customers are the larger enterprises in the world because they are the ones with complex multi-cloud establishments. I think just their natural growth should be 20% to 40% a year, right? Because most of this $1 trillion of cloud, which we're going to see, has not been deployed yet. I don't know, Bank of America has got a few hundred workloads in the cloud. i can tell you so now, you guys will be in the cloud. Well, you don't spend nothing on cloud security today, right? You should be spending $12 million a year on cloud security. Somebody is going to have to drive that capability.

By the way, the question I even don't know the answer I'm asking you to, the fact you are in the data center or in the campus environment and you have your own solutions for firewall and network security, et cetera, does it make you -- is there any synergy between that position in cloud security? Or are these 2 isolated completely?

No, they are not isolated. There are multiple points of synergy and overlap, both technical and relationship. Look, if I have a happy customer, they like Palo Alto's products, it's worked for them in multiple instances, they're more likely to buy my product because I'm a reliable provider. If they believe I'm as innovative as I'm hoping to be and continue to be, then they believe that I'll have their back. There's enough CIOs and CEOs who are loathed to put their eggs in a startup basket because if you look at it, after all the excitement, 2% of the startups go public, 98% are going to shut down or gets sold to somebody else. And if you're unlucky, you get sold to BlackBerry, then you basically have to go find a different solution. I don't know what that company they bought. There's an endpoint -- Silence.

Silence.

Maybe there was something in the name Silence. That's what we hear from. So sorry, so I was little punchy this morning. So we don't see them, but Silence...

I'm going to serve you coffee on the way in.

More coffee. The next guy is going to be unhappy. So no, but look about it, when I joined Palo Alto, first, it was a Morgan Stanley conference and I was in somewhere in Utah, and I met both CloudStrike and Silence. And they are both neck-to-neck at that point in time, then Silence got bought by Blackberry, they're in the market and CloudStrike went ahead and charted their own patent. [indiscernible] phenomenally well for himself because of the company and for the industry. So...

Got it. So we spoke about cloud security. And I want to talk about another successful area for you, Cortex. What makes you successful in the space?

Cortex ends up being a bit of a perspiration business for us because CloudStrike is doing so well. They add about 2,000 customers a quarter. We had about 400, 500, which is not a bad thing. But we're focused on really trying to penetrate Cortex XDR into our installed base because we get tremendous amount of leverage by cross [indiscernible] their firewall data with our endpoint data, which becomes our competitive advantage to compare it to everybody else because we can actually improve their life in the SOC thereafter. And we have north of 3,000 customers in XDR, again, at the top end of the market, which is where we actually do better in the market. And the long-term play there is to convert all of them into large SOC automation customers. And the prerequisite for that is they got to have Palo Alto firewall, they're going to have an endpoint from Palo Alto. So we're very happy with the fact that we're seeding these customers with XDR. We're not trying to go get 2,000 customers, because beyond a certain size of customer, it's unprofitable to go try and sell this to those people. I think the depth of enterprise is when you're selling $50,000 ACV deals in an efficient sales model.

So we spoke about products, we're going to talk about additional products. But I want to just take a step back for a second and say, these are very different businesses from the businesses that you inherited when you started. How did you adapt the sales channel? The motion of salespeople and selling organization to go after the new opportunities. What did you have to do in order to make sure that, okay, you have the R&D developing solutions that go after opportunities, but you can also have another organization that can fill them.

Yes. Well, 80% of repeats and above at Palo Alto are new in the last 4 years. 80%. So we had to reshape the entire leadership team because it's too old, I'm too old to change people's religion. So we just get people who have religion. They understand cloud, you bring them; they understand XDR, you bring them. So 80% of our leadership is new. A majority of our hired people who are dedicated cloud salespeople, SASE salespeople, XDR salespeople. And something we're very proud of because we have changed the perception of Palo Alto in the employment market. People want to come work for us. We are seen as one of the best places to work in cybersecurity. People like the breadth of the portfolio because, when if I'm a salesperson, I've been selling for 20 years, and I have my patch in Michigan, and I have 10 really good customers that are doing really well. Well, I sold every one of them every XDR possibly from a CloudStrike or if I'm a Zscaler, sold in SASE. But if I come to Palo Alto, I have 15 products to choose from. So I can go back to buy relationships and go sell them into a much better cybersecurity post. So we see a lot of people who want a more impactful, more expansive role come back to us.

Got it. And what about the channel? Did you have to make changes also to the channels, not just the sales organization?

I think the channel is changing itself. If you see even in the last 4 years, the people who are emerging in the channel are more like the Accentures, Deloittes, British Telecom, AT&T, Verizon, Infosys, HCL, Wipro, these guys are all turning into security managed services businesses or security implementation businesses. So when we tell sell SASE, we sell it as part of the large network transformation. There's typically a services partner involved. And in the past, when you sold boxes, you sold it through a box mover, which is more lower on the service, and now there's a big architectural company and services company. So the market is shifting there. These people are building large security practices, which is better because we have better relationships. And they prefer -- because they're getting into the game, they prefer larger relationships with fewer security partners than trying to go partner with 2,000 security companies.

You spoke about SASE, and I want to go back to SASE. We used to talk about technical differences, proxy approach, nonproxy approach. We don't talk about it anymore.

It's all normalized. Eventually, you take the objection away by us having the capability.

Right. And the question I have is what makes you -- first of all, if you can, for those who don't know, if you can discuss your portfolio in SASE. And then what makes you successful?

So SASE is the new architecture for the network. So a little history lesson. If you were running 1,000 stores, when you have 50,000 employees, every employee love using laptop, using VPN, back into your data center, you dial it back into your firewalls, in your data center, that's how your VPNs work. You connect it to your data center, that's how the production is done on security and then you get your data and whatever you want. If you are a store, you are a big Tier 1 line from your stores, if you are a Walmart, CVS, CAR-T, whoever you are, a big team online bought from AT&T or Verizon, which runs back into your data center. Now with the availability of Internet access at 10 gigabytes, you don't need dedicated lines anymore. So almost every large legacy company is going through an MPLS replacement cycle, where they're going to replace those big pipes that they spend $400, $100 a year, and they are going to replace them with Internet access and use SD-WAN. So that's kind of one trend on one end. The other trend is everybody moves 50% of the applications to the cloud. The question becomes, why do I need to go back to my data center, half the stuff is in the cloud? Why don't I just go straight from my laptop into the cloud? If you're accessing your Gmail or accessing your Salesforce, why do you need to go to your data center because from your laptop, you can go there. So those are 2 big changes going on in the world in IT architectures. The way to solve for that is to deploy SASE, which means your laptop logs in, you run a firewall in the cloud, you run the permissions right, closest to where you are in your pop, from there, you can either go to SFD Salesforce, you can go to Workday, you can go to your own applications in GCP, and you never see your data center. Now that requires both security capabilities in the cloud, as well as SD-WAN or fastest evaluating capability in the cloud and requires endpoint monitoring to see if something breaks, how that takes it. That's SASE. The way you deploy that is using SASE. The reason we are successful is, in the past, the proxy-based architects were a better way of doing VPNs. You didn't do VPNs, you didn't dial in data center, you took all your proxable traffic and took it out whatever is not proxy, you build an exceptional one there. Today, as the world is moving towards the architecture of defining, people are demanding more from their security and require a full set of security stack, going back to the definition of Zero Trust, why can't you run everything you run in the data center in my cloud? Why do I get a different security stack in the cloud and a different stack in the data center? So for us, we can run the same security stack that we run your data center in the public cloud. So you run all the rules that you're in a data center, you can run on the public cloud, so you have a consistent security posture irrespective -- we don't need new security rules. We just replicate the rules and run them off on security cost. That's how we're successful. We have 2 SD-WAN capability with CloudGenix, what these kind of [indiscernible], for example, we partner with everybody else as well. We can do data loss prevention. We can do IoT, we can a whole bunch of stuff. I said this publicly, we were nowhere 2.5 years ago. Last published quarter for them and us, we are 40% to 50% of that business in a quarter. We think that number will keep rising. And we hope to be in the next 2 years at a place where we're doing as much SASE business every quarter that they do.

[ Sorry? ]

If you can build a business, that's -- I just want to have like 200x my ARR and cloud. I want my Zscaler multiple from my SASE business, my Check Point multiple for my operating margin, Fortinet multiple. I don't know have a 45% operating margin. Fortinet is bringing their operating margins down to us so we will be fine.

You spoke about CloudGenix and you spoke about SD-WAN, it's a big business for Fortinet.

Not really, but...

Discuss your position. I'm not going to ask you about your competitors.

Look, the 2 SD-WAN players are actually not Fortinet or Palo Alto. The 2 SD-WAN players are telcos, AT&Ts, Verizons, are the largest SD-WAN businesses. And that's fine. That's an SD-WAN business. I think the difference is we are -- we don't want to be in the SD-WAN business. We want to be in the SASE business. If somebody wants remote security. So SD-WAN is effectively a way of creating some reliability on your internet access so that you have a more -- like this kind of the lightweight version of having an MPLS line, having some degree of consistency. What we have learned is SD-WAN has a huge interplay with security. We can do it with the APIs or we can do it integrated. So we integrate SD-WAN into our security capabilities. We're seeing the next iteration of SD-WAN will be with security, which is where there are very few players. I think there's only one called Silver Peak that does this. VeloCloud doesn't do it. Well, who knows what's going to happen to VeloCloud under the new management. But most of the SD-WAN capabilities are some are legacy, like Viptela and Meraki. We think they won't make -- or the transfer when we start doing synthetic routing with SD-WAN. So I think it's early days, but SD-WAN, in my mind, plays into that whole MPLS trend, the remote security trend, the pandemic is unveiling and it is going to become a key requirement of a SASE strategy. Everything else we sell SD-WAN or firewall is to [indiscernible] Fortinet but that's more as a component part, not as a design element.

CloudGenix was different, though. CloudGenix was very application-centric, unlike the others. Didthey help you to -- in any way to grow the business more than...

Yes. CloudGenix stack is more compatible with our SASE stack, because it's in the public cloud, because it does a bunch of synthetic low-cost routing, which is consistent with our SASE strategy. So it was more aligned to our product architecture, that's why.

Got it. Okay. Before we run out of time, I want to talk to you about numbers a little bit. Number one is SBC. One of the biggest criticisms that I'm getting is nowadays for...

You mean, discussion.

Right. The biggest points of discussion is SBC is a big part of your revenues. What are...

You mean it's a big percent of my revenues.

Right. Big percent of the revenues, that's what I mean. For those that doesn't follow you day-to-day, can you explain the background? Why is it such a big number? Number two, what's the outlook?

So it's kind of like this. This is -- when you get guys who have never been in the public market, the CEO that makes silly things happen. But I just blame that guy. But me, my predecessor. We bought $3.5 billion of companies, which are mostly startup. We paid the founders in stock, but we made them revest and earn it over the next 3 years. So a lot of our acquisition price that I put it in the acquisition cost would have filtered through dilution and not shown up as SBC. So north of $1.5 billion that showed up as SBC, so which inflated our already reasonably high SBC numbers in the company. So SBC started going to 15%, 16%, 18%. The good news is those acquisitions we haven't done one in about almost a year, that scale and size, and we've got to understand now the better way to do it. So it's going to wash out as the investing periods expire. You'll see a natural decline from the high teens or to a mid-teen, low-teen number and then wash it out. On top of that, we put a whole bunch of processes in place to reduce our stock allocation in our hiring. And thirdly, because as a percent of revenue, if you grow revenue 30% a year, you don't go SBC at 30% a year, there is some sort of mathematical thing that happened.

Got it. your free cash flow, we're focusing now more on free cash flow. Free cash flow last quarter was about 25% of revenues. You...

Adjusting for seasonal, we guide to 32% and we're very comfortable with 33% for the year.

Got it. Okay. So the question is what's the target? What's the target for free cash flow? And what are the drivers for free cash flow going forward?

Look, we have guided to 32%. That's a target. 32% is a good number. And especially if it's 32% of a large number, $5.6 billion of revenue, 33%, some $1 billion here, $1 billion there, as soon as we have money.

Got it. Nikesh, we're almost running out of time. I want to ask you the one question I'm asking all the CEOs. Do you think there is going to be any sensitivity of your business to economic cycle? Meaning if we're going to recession, inflation going up, are you expecting or planning to see any decline in the demand environment?

I don't plan declines. They unfortunately happen if the market goes there. Look, I can't predict what's going to happen in the economic cycle. If you tell me a scenario, I'll tell you what could happen. But if it's going to be a soft landing or a slow decline, I think we'll be fine. If it's a harsh lending, then all bets are off for everyone. I'd say security is somewhat more resilient than technology, and technology is somewhat more resilient than some other things. I was -- 2 years ago, the same conversation happened when the pandemic hit. And think about that moment for a second. There were weeks when the oil price was close to zero. The entire oil industry was sitting there and say, "I don't want to spend money on tech. I want to spend money on anything. I need to preserve cash flow, I need to stop spending money. I need to push out receivable." You had companies, retailers who suddenly vanished. Their stores were shut down for 3 months, and they had no idea. Nike, Target, every one of these guys had no stores, they all had to run online, right? Nike, I talk to them, don't know how at that point in time, they got $8 billion of inventory stuck in stores, you can't sell. It's stuck, locked in stores in city centers. So I think that was a more radical economic hit and somehow we survived that economic hit because things start to come back and people start to get comfortable online. So I don't expect any major outcomes in this process. Will there be sectors of the economy which will get impacted? For sure. Because the flip side, commodities are Exxon is $450 million market cap. They didn't have that last time around. So I think Exxon is going to be spending money. So I think it depends on how the economic impact manifests itself. And I think the bigger question is supply chain challenge as opposed to the economic impact as I think supply chain is not going to abate anytime soon. It's going to run through a cycle. A better question for semiconductor companies, but it has an impact on all -- anybody who's got any chips that the need, [indiscernible] as cars or appliances.

But how come...

You have a question...

Sorry.

That's a great question. So we've underperformed internationally, and I was very public about that 2 or 3 quarters ago. And it wasn't -- it is more because I want to make sure the product portfolio is right, and we have traction in the market where we have a lot of relationships. We're really focusing hard on driving more growth internationally. So I think -- us, specifically, we'll get a slight benefit from matching our underperformance of what we believe our real performance should be. So hopefully, that buffets us for a little bit of time. Internationally, also, they are way more reliant on third parties for outsourcing and system integrators and service providers, less so in the U.S. So I think we're going to see that happen. But I'd also say internationally, and I don't want to make more generalizations, but internationally, companies are a little less ahead of the technology curve than we have in the U.S. And there's a bit of catching up they have to do. And we're seeing that happen. Like [indiscernible] did a $3.5 billion outsourcing deal for tech. They've given it to a third-party company to manage and we're working with them to go build a new security reference architecture. And we're seeing that bend pick up internationally. So I think, again, it really depends on how severe the economic impact is and how long it lasts. If you tell me, you're going to be down 10% over the last 2 years, all that's a [ rout ]. You're going to tell me, there will be 2 quarters of a dip or will come back in low single-digit percentages, I think, we can all weather that storm.

Nikesh, we ran out of time. Thank you very much.

Thank you for having me.

That is always fun. Thank you.