Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

[Audio Gap] sake of time, and everyone knows Nikesh. So that's -- we start high this time. I want to start with a question that everyone has on its mind when it comes to the sector, not specifically to Palo Alto. We have companies who are doing great, like our company. We have companies who are doing poorly. Even CrowdStrike that had good results, had some negatives in SentinelOne. We've seen what happened, forget the accounting, the underlying market, how is...

So we can forget accounting?

Yes, forget accounting. Forget accounting -- how is the market itself, how is demand? How is the business environment in general?

First of all, thank you for having me here. And apologies for being a few minutes late. But for the last 3 quarters, we've been saying it, we've been hearing in the market. I suspect you're hearing from every enterprise company. We have an aggressive Fed who's driving interest rates up. I've called it to revenge of the CFO. My CFO has never been happier. People are talking to him, paying attention to him. He's been ignored for many years, when interest rates were zero. So every CFO in the world is getting the attention. I mean imagine enterprise often does 3-year TCV deals, cost of money zero, the customer writes you a check for 3 years saying this is sitting in the bank, not giving me a lot of money. Now you can make 5.5%, 6% interest. He's not going to grade me a check for 3 years upfront without having a long conversation about what's in it for them. So I think the interest rate, purely macro changing, has caused the CFOs to get more involved. They're paying attention to how much cash is in the books. Even companies that are doing great out there are watching their dollars. Now what is -- so let's put that on 1 side. So I think there's no debate that people are watching their dollars and paying more attention to how they spend their money, whether their macroeconomic environment is impacting their demand or they're just being conscious of the cost of money. If you think on the other side, cybersecurity. In the last 9 months, no customers said to me, this is really nice. I like it, but I'll buy it another 6 months later because I don't need new security. Anybody who's been going down our security project is continuing to do their security projects. Are they looking at their security budget and saying, how can I optimize it, yes, right? Like every team, they're being asked, the cybersecurity services do not have a blank checkbook compared to any other team in the company. They're being asked to optimize their spending, which on the margin is good for us. While we're optimizing spending, what typically goes first is a small $100,000 ACV tool or $200,000 ACV tool. They don't shut down their firewalls. They don't cut off their transformation projects. The transformation projects were being questioned in the beginning of the pandemic. My revenue is vanished, how am I going to afford this? I have no money left, I'm not going to be able to do anything. But nobody is questioning a transformation project in the current environment, right? Everybody is hurting a little bit, but nobody is hurting so bad that things are going away. So the demand is there. Customer behavior is changing. Buying behavior is changing. I don't want to buy all the 3 years upfront. Can I do something, how I pay for it? Or can we phase this out into Phase I, Phase II, Phase III? Or what if I bought 20,000 seats first? And then I bought the next 20,000 next year. So you're seeing a phasing of projects, people resizing projects, rescoping. So I think you have to be conscious of how we think about the demand environment and how we see it translate into the results of cybersecurity company. So I think the demand environment is strong. Customer behavior is changing perhaps some of the results, which gives you a head fake. There is a certain segment of the market, which might be hurting more. And the way I described it, there are 2 things that happen. One is the SMB or the low end of the market does tend to push or postpone. I won't buy another firewall for another 1 year. Let me push. So you'll find that on the lower end of the market because the macroeconomic environment has a bigger impact or more pronounced impact there, they might postpone a little bit. Fortunately, for us, that is not a -- this is not a budget to feature. We were never very good at that end of the market, and it looks good for us that we were not very good at that market. The other place you'll see it is -- because of every company, I think, in the world, enterprise company has told you, sales cycles are elongating. Now sale cycles that are elongating, I want to say, in any quarter, about 15% to 20% of our business is net new business, the rest of the existing customers or existing business. The more new business you have, the more volatile your results are going to be because you've got to drag every deal across the transcend before the end of the quarter.

Okay. Make sense. Okay. All right.

I don't know the answers to any other companies, I really don't want for now, so...

Follow-up question. Is there a difference in the willingness of customers to spend whether it's a SaaS model or whether it's an appliance that they have to pay upfront. Is there a difference between willingness to spend on OpEx versus CapEx?

No. I mean they will translate it to whatever -- no. The short answer is no. It's not like they'll buy a software product from me more than a hardware product, no. There was a supply chain impact, which encouraged a lot of customers to think hard about solving the problem of software, right? I'm sitting down, I need 5,000 firewalls, then say, could I design a hybrid architecture, which is 2,000 software firewalls, 3,000 hardware firewalls. Yes, a lot of that has been tried or all of that has been thought through, so they won't get caught in the post-pandemic supply chain crisis. So we have seen an accelerated shift towards software in the last few quarters.

Got it. And the last question is, is there an impact on pricing in -- do you see like, for example, other vendors being more aggressive, so it forces you to also be aggressive?

The enterprise business is a highly negotiated business. And depending on the product category you talk about, you will see negotiation all the time. On the margin, I think generally, most of you guys have not incorporated the impact of the cost of money to enterprise businesses. I've never heard the sell-side or buy-side investors having to talk about the fact that giving you money 3 years up front. That's stupid. That costs them 12% now. It never costed them 12% 3 years ago. Why they're still doing it? Not every CFO is asking the question. So now we're okay. But they're all getting there. That's why I said, in our quarterly call, that the behavior change is more widespread and more persistent. Now in the end, left pocket, right pocket, do I have to get a bigger discount?

Got it. Okay. I want to maybe move on to your NGS business, the most successful part of your business. And there are many parts to NGS. Last quarter, you grew 60% more than we expected. Is -- can you break it down for us to the components and talk about the growth you're seeing in each 1 of the kind of big buckets within NGS?

Yes. I think the way to think about our NGS business is in the last 5 years, we've transformed into effectively 3 platforms. We have a network security platform, where we sell hardware, software and SASE as a combined. You can buy each piece or you can buy a combined as a Zero Trust architecture. And there are a lot of software delivered capabilities there. So our SASE product is part of next-generation security. We do a whole bunch of in-line protection using software in our network security business that all goes into NGS. So that is driven by the robust renewal of firewalls and cloud delivered capabilities and the SASE transformation. So I think the prior quarter, we declared that we've done $1 billion worth of bookings on SASE. Remember, we didn't play in the SASE space 3 years ago. It was 1 player, which took away all the SASE business. We've done $1 billion. We think we're growing faster than most other players in the space. We see a robust pipeline. Software firewalls are doing really well, given where the market was 1 year ago where people started evaluating software in light of the supply chain crisis. That's the network security platform. This is a cloud security platform. This is all the applications people are writing. So I'm sure all of you pay attention, Google, Microsoft, AWS, Oracle, Alibaba, et cetera, have gone and done a really good job selling the public cloud to people. Well, they have to use it. And the way they use it is we move applications to the public cloud. You don't use your Salesforce there or Workday. You take your own homegrown company applications move there, either lift and shift or you rewrite them. As you move the applications, you have to make sure they're secure. They have a product that secures your application development life cycle and how you run it, it's got Prisma Cloud. That's the second category, which is doing really well because more and more people move to the cloud, and it's somewhat different from [indiscernible] cloud spending is going down. Well, cloud commitments are going down. Cloud spending is fine. People are moving more and more workloads to the cloud. In the last category, which is the category where 5 years ago, we had identified that AI was going to have a significant impact to cybersecurity is our Cortex set of products where we announced that we hit $1 billion in bookings. Again, this was the area we did not play in. This includes the endpoint detection using AI. This includes the attack surface management, work that we're using AI and it includes automation playbooks and our most recently launched product called XSIAM. So that's kind of the 3 buckets. On a 12-month basis, they're all doing really well. Every quarter, 1 cousin does better than the other, but that's part of the running the portfolio.

So what I'll do now, I'll just ask you questions about each 1 of them because they're each -- each 1 of them is very interesting on its own. Starting with the SASE and securing basically access to the cloud, how -- we've seen Zscaler having some issues. Then, they came out and said things are coming better. Have you seen any ebbs and flows in this business of demand going up and down? How is the acceptance of this service by customers and specifically about you, how is the competition in the market?

So remember the old ad -- is we try harder?

Yes.

So because we're the newer player and we're trying to grow bigger, we try harder. So are there ebbs and flows? The -- I think you're conflating ebbs and flows and deal closure or demand. The demand is strong. It's our biggest pipeline. SASE transformation. I remember, what is the SASE transformation. The customer comes to you and say, "I have 1,000 stores around the world. I have a large team on lines. I bought from the telecom companies. And I need to replace all those lines. I need to put SD-WAN box and to reroute traffic. This is a 9- to 12-month implementation of a network strategy where we're reading your network. Nobody does this likely. Nobody does this without doing tremendous amounts of testing in their own network because they're about to get away from AT&T or Verizon and go to the open Internet and use whatever Internet access there is. And we did announce this last quarter, 1 of our larger deals. We've a large beverage company that I think it's a household name around the world. It's going to take them 9 months to implement the project. They took 9 months to decide that they want to do it. They took 6 months to decide to actually close the deal. They took a 15-month sales cycle, which happened to close magically 2 days before the end of our quarter. So typically, a lot of magic happens in the last 4 days of the quarter because customers have learned for the last 50 years, taught by the large enterprise, [ Baymont ] that if you drag it to the end of the quarter, these guys are going to probably give you a better deal. So they tried 3 quarters in a row. We didn't. They finally closed the deal at a price we offered them 9 months ago. So this is good news. But there is long lead times in the SASE business. But once it's there, it's a sticky business because you're deploying us on 100,000, 300,000 employee laptops around the world, it's a hard problem to go rip that out. It takes 6 months and probably makes a lot of people unhappy if you say, give me your laptop, I need to redo the security software on it. So it's a strong business. It's going to be a robust business. There used to be 1 player. I joke, there are 2.5 players in the market. And I don't see that SASE transformations are going to slow down. If you pay attention to the Federal registers, the U.S. government is going to go Zero Trust in SASE over the next few years. So far, there's 1 approved vendor for SASE for DoD.

Yes. Do you envision -- it's a big market. You're certainly 1 of the leaders in the space. Do you envision new players coming in?

It's a tough business. It's a very tough business because -- and I think most people don't understand, we and anybody who wants to join this business is going from a seller product and go away to run a service business. So in the case of firewalls, we would sell you a firewall, your engineers would go deploy it, that's up to you. In the case of SASE, we take it over. So when you log in from a laptop or iPad, Palo Alto Networks is running that traffic on the Internet, dropping it and delivering security. So I'm actually running an operating service. If I go down, your company is going to be pausing operations. We've done some airlines around the world. We bought some many. We run banks. We run consulting companies on our operating software. So we take the traffic moving on to Google Cloud. If Google Cloud goes down, we switch you to AWS. So now you're running a 99.999% operating company. This is not a start-up opportunity. I think people are kidding themselves as they think that startup is going to come disrupt the SASE business because the first thing that they were asked is how do you deliver Five9 in my -- on my service. Five9 is a large operating event. So could an AT&T do it possibly? Could a large company do it possibly? But there's a lot of tech needed. It's taken us 3 years of building it and 14 years before that of having the capabilities on our firewalls. So I don't think it's an easy market to see new players in. I think it's an established market for 1 player. But what's also changed is that the established market used to -- traditionally, we -- take me to the Internet market. Take me to Salesforce. Take me to Workday. When I -- on my laptop, take my Internet traffic this way. Nowadays, I've moved to Google Cloud, take me to my application. That is a whole different security question and take me to Workday, right? And again, most people have not understood. That's what the difference between the ZIA and ZPA type product.

So now the question is, so when we -- in a second, we'll talk about your Prisma Cloud. Prisma Cloud, you made a lot of acquisitions. You always add more and more features. I'm guessing it's -- you're not done with adding more features. What about Prisma Access. Is this a set product that do you see it growing the scope? Or is it more just about replacing a lot of the legacy, the VPN, the CASB, replacing a lot of the legacy with Prisma Access?

It's a full product. I mean we -- It's a full product. Nobody is going to give me $25 million to go take their entire business and have their employees on me or -- nobody's -- allow the aircraft manufacture. We're not going to have more than 0.5 million employees around the world, running my system saying, "Yes, we trust you, you'll build the rest of it later." No, it is a full product. It works. People use it. We don't need to go do anything. We have to keep evolving it in a positive way, not with -- and I'm sure we'll talk about this if you want to, the whole new world about AI and generative AI and how does that evolve any product. So we'll keep evolving it, but it's not something we need to go, got to plug a whole bunch of stuff.

So switching to Prisma Cloud, you are the largest company in the space. By the way, I'm hosting a panel on this later. I don't remember if it's there tomorrow, but it's 1 of the fastest-growing markets, you have the most complete portfolio with pluses and minuses. So first, let's talk about the pluses. How do you see this market evolving? I'm not asking about the number, just asking about to understand the size of it, to understand the scope of it and what is your next big hurdle, meaning you are already now the leader, what do you have to accomplish over the next 3 to 5 years in order to establish yourself as a leader and so we don't see these small startups that are coming, taking some of the market share away from you?

You should not confuse small events in life. When I started the Prisma Cloud product, there was a company called Dome9. We don't see them anymore. They got acquired. There's a company called [ DB Cloud ]. We don't see them anymore. They got acquired. There is a company called Orca. We don't see them as much anymore. There were still. We have seen many startups in this journey. I think the way to understand the cloud security market is people go make a commitment and move to Google, to AWS, to Microsoft. And over time, what has happened is they've ended up in more than 1 cloud. I think the Fortune 100, there's very few single cloud customers. They're probably all of them on more than 2 clouds or on 2 clouds. Now if you were -- and the whole process is, I'm moving an application. It's a trading application. It's a back of the office -- back of the house application and moving it, rewriting it in Google Cloud. Now when you rewrite it, and runs over there, it's your job to make sure that run securely. For example, what does that mean? I've got an application where you upload your resume into my app, which I've written in GCP. I'm a petroleum company. Well, you're going to make sure that app is secure because if I upload the resume and you've left a security breach in there, I can go steal all the data of all the applicants. So the person who writes the application has to make sure it's secure and it runs securely all the time. What we do is we help people in the process of writing the app, all the way till it is deployed and monitored in deployment and tell you what the security vulnerabilities are and track it for breaches. Now the way the industry has evolved in the last 3, 4 years, is as people have moved there, still they have had a small problem. "Oh, I need to figure out how to make sure that when I'm writing the code, there are no security breaches," so they go by IAC and they say, "Oh, I have to make sure I'm deploying it on Google Cloud or AWS that I'm deploying it right. I'm not leaving any deployment holes and I'm deploying it. And say, oh, when I'm running it, I don't need to watch it." So what has happened in the last 3 to 5 years is people have bought some solutions to understand this problem. What we have done is we have stitched the entire process. Because if you find a problem in production, when something is running, so my god, it's a security breach, you've got to fix it there, you can block it there, but you have to fix it back where you wrote the code and you have to have a stitch between what code was written, who wrote it, how do I fix it, so it never happens again. All point products and industries do not deliver this code to cloud integration. And that's what we've done in buying these 7 companies that we've integrated. What we do need to make this more and more prevalent, we need to make sure more and more customers deploy it. I'm -- I don't want to say I'm sanguine. I'm like, I'm calm about it, but we're working really hard to make sure that this happens across the board. So far, we don't think that the long term is threatened by all the stuff that's going on in the market. It doesn't mean they have to stay on our tools and work really hard. But again, this is not a flash in the pan opportunity that you come in and say, "I did this, I use this and if it was so easy to build 7 modules, I would not have bought 7 companies. I'd have build them as fast as I could. So some of the [ acquisitions ] I have done, A, and I can do the other 6 in the next 6 months, then I'd like to [indiscernible] work for us perhaps.

And do you work now on integrating it into -- so 1 of the innovations that we see other companies, they can compete with you on features, so they compete on presentation. They presented nicely and things like that. Where -- by the way...

That sounds like a long-term competitive moat.

I know. However, when they go to customers, they tell them, we are inherently integrated while Palo Alto is a series of acquisitions. And the question -- and there's some truth in the fact that when you acquire many...

I joined 5 years ago. Today actually is June 6. I joined on June 6, 5 years ago. And I've heard this story for the last 5 years. Palo Alto is a collection of too many acquisitions. You guys have an acquisition story. We still showed how to do $2.7 billion in next-generation security with 17 acquisitions. So I think at some point, I'm just going to give it a rest.

Got it.

It works. It's integrated. It works to make it happen. Yes, we understand the presentation challenge. And I think the way I would describe that is we have a lot of hard core security researchers who are -- live their lives trying to build security products. They don't spend time thinking about pretty things. So we're working on that. We're trying to get less security people, get more pretty people as people care about pretty presentations, but we've got to be careful, right? We can't just be all looks and no substance. So right now they're all substance, little low in the looks category. I'll let things like...

Cortex. Another leg of your NGS growth. There are many products inside and I'm trying -- first, at a high level to understand, what's the difference between Palo Alto Cortex and between those endpoint companies like CrowdStrike or Sentinel that are bringing to the market an endpoint platform, and then they try to go elsewhere?

So -- and the best way to describe it. For us, the endpoint is a means to an end. What I mean by that is when I came to Palo Alto, we have a SOC and the SOC was designed to ingest data from a lot of security vendors and whenever there's a security breach, security issue, our researchers are going there, figure out tools that would prioritize and tell you want to go pay attention to. I was horrified to learn that it took us days to figure out what the issue was because there's a lot of data, a lot of vendors. Having spent deliver time in your side of the house, I had learned that if your financial services enterprise is down for 3 days, you get shut down by the regulators. It is taking more than 3 days to figure out what the security issue was and being a security company, I'm pretty sure our customers will leave us if for 3 or 4 days if I have a breach, I don't know what happened. So long story short, in 5 years, we've got it down to under 1 minute. We can identify a security issue at Palo Alto and resolve it under 1 minute. It took us 5 years, a lot of technology, collecting a lot of data and redesigning the endpoint strategy. So our endpoint XDR competes technically with every endpoint product in the market. It's better or as good. But the magic [indiscernible] when we take all of that data, put it into our new product launch, XSIAM, cross correlate all the data and are able to resolve security incidents for customers in under 1 minute if they have the right tooling. We're -- right now, we're working on getting them from days to hours. And I think the way to think about our Cortex strategy is the sum total integration of SOC capabilities, endpoint capability, attack surface management, automation capabilities. Because at the end, my -- I have 2 thesis. One thesis was people don't buy platforms because there were no good security platforms that existed. I didn't buy the story that they only want to buy best of breed. Before Salesforce came around, before Workday came around, everybody had their own tools to do Salesforce capabilities or HR capabilities. I work for a company. We wrote applications. I wrote applications to financially -- that time, there was no Salesforce, no Oracle financials. I think the same problem existed in security. There were no platforms. So we are slowly seeing the shift to platforms. I think that was 1 part of the thesis. The other part of the thesis is that the reason we end up in RFPs and people say, here's 200 things you have to do is because we don't sell outcomes. If I walk -- now I walk up to Chief Security Officer and say, listen, I can take your response time down from days to hours to possibly minutes. They become less entrenched in what exactly my features are? They want the outcome. So for the first time in Cortex, in the last 4 months, we have built a product that delivers an outcome. And I will say this, I have not, in the last 5 years, when we've been [indiscernible]. I have not seen a security product build the pipeline faster than XSIAM in the history of security.

Got it. Okay. One last question.

[indiscernible] doesn't mean translation...

I understand. One last question because people need to go to their next meeting. And the question that is on everyone's mind, how AI and generative AI impact your business, good or better?

I think it's great. I think it's great because I've never seen my team so excited about doing cool stuff with generative AI. I could talk about that for the next 30 minutes, but I have 1 minute. I would say in 1 minute, let's not overestimate the short-term and underestimate the long term. I think in the 3- to 5-year time frame, this thing is going to change pretty much how every product in the world interacts with consumers, whether it's enterprise products or consumer products. I also believe the resulting tooling that is already happening in the AI, and you can see glimpses of it, is going to make our workers extremely productive around the world, but they will require to be upskilled and we learn things, and there will be new platforms that will have to be deployed in companies.

Got it. Great. I think we need to stop here.

All right. Thank you for having me.

Thank you.