Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

All right. We will get started. Thank you all for being here at the UBS Tech Conference. I'm Roger Boyd. I cover cybersecurity for UBS here. Very happy for this next session, to be hosting Nikesh Arora, CEO of Palo Alto Networks. Nikesh, thanks for being here.

Thank you for having me.

For all of you in the audience, we're going to do a quick fireside. You can submit questions through the Q&A app, and I'll be happy to forward them on in a cash. But maybe just to start, I want to touch on the threat environment. A couple of weeks ago in the earnings call, you pointed out that there's just a never-ending supply of threats. And I think point in case, we're seeing ransomware evolve from an encryption to double extortion to they're going to now file SEC complaints for you. We're seeing what's happening with SolarWinds. We're seeing attacks that are costing hundreds of million dollars in lost revenue. Just how do you think about that contributing to the demand environment security, which I think you would argue still strong?

Well, first of all, thank you for having me, and thank you for being here. I think in the last 12 months, what has begun to happen, and you saw signs of this earlier, if you go back 4 or 5 years ago, the cyber attacks were -- you equated to cyber attack with some kid sitting in the basement on a computer and trying to get into the NSA or the FBI and say, I'm so cool, right? That's like you get cool credit by doing a cyber attack. Then sort of nation states got into it, they started to trying to figure out how to do cyber attacks and build offensive capability. And then you saw a switch and the switch was I said, why are we wasting our time going after one person at a time. Let's go crack the code on some piece of software that everybody's got. Many years ago, I used to work for a large tech company. And we saw that they were trying to get into the back end of Gmail, right? That way they could go find anybody they wanted. And so that became a theme. [indiscernible] see SolarWinds, you look at some of the CVs that have been exploited from Microsoft or some of the stuff from many tech vendors. Because once you get into the back end of a software supplier, then you can go to all their customers that hack them. So that trend began to happen. Coupled with that, this notion of this wonderful thing called crypto, which we figured out is a way of collecting money. And if you look back, does anybody here know how many people have been convicted for cyber attacks in the last 12 months? Less than 10. Does anyone know how much money has been paid in ransomware in the last 12 months? Billions of dollars. This is the best ROI, bad thing in the world. You don't get arrested, if you don't get caught, you collect a lot of money. So that's what caused this huge amount of activity out there. There's people out there. There's -- you mentioned this, I think I found this was the funniest thing that ever happened. This group -- this company was hacked. They didn't respond to the ransomware e-mails. 4 days later, the ransomware actors filed an SEC complaint, saying these guys have not disclosed the fact that they've been hacked. So that's what's going on out there. It's not getting -- it's not slowing down. It's getting bigger and the dollar amounts are being asked are getting bigger, yes.

Do you think that the buy-in from the C level, the board level of companies is getting there? I mean there's a lot of talk about the new SEC regulations and the increased oversight that they want on board in reports and filings. Do you think we're getting there? Is that meaningful?

Look, the way we parse it, and I think you'll hear that from every cybersecurity company, not just us, there is no lack of attention to cybersecurity as an issue at C levels or boards around the world. Pick your company, they're opening internship. How does that translate for into money? How does that translate into business? The way it translate into business is, cyber security budgets do not get cut, right? You see your Chief Security Officer shows and says, I'd like to do this. The CEO doesn't say, oh, you can't do this, do it next year, because now they're petrified that if they're the ones who say don't do that project, they take responsibility for postponing the project. And then CSO says, okay, you said, I can't do it. I don't have the money [indiscernible] get a better deal, try and break it down in a milestone, try and phase it out. So you see those things, which means it's one of the most robust tech spending sectors because the budgets aren't getting cut. The more hacks, more attacks that happen, more people need to go upgrade their infrastructure and the more awareness there is. So I think all of the stuff we've talked about, whether it's the threat actors or whether it's the C-level attention or the SEC attention, it just tells you that the demand environment does not have any systemic issues. Now will they negotiate? Yes, they'll negotiate. Will there be payment duration changes? Yes, there'll be payment changes. But it's hard to find an industry or tech subsector, where you can say, other than possibly AI chips though, that the demand factor is not tugged in the macro.

What do you think the answer is here? I mean, there's a lot of talk about generative AI, and I think you've been pretty clear with some skepticism around what we're seeing in the security operations around generative AI being meaningful in detecting attacks. I think you made the comment that you don't want that ChatGPT driving your car and similar...

I don't want ChatGPT driving my car.

I think generative AI...

There's a way more stuck on the way. If you just -- as I just drove up here and there's a car stuck in the corner. There's nobody in there. It's just stuck. It's kind of pointing towards the hedge, but -- I did go out and look at it.

I think one thing that the copilot error is shedding more light on is all the investments that cybersecurity vendors, like yourselves, have been making for years that are on machine learning detection, algorithms like, one, can you talk about the data scale that Palo has, what that means to drive machine learning through that side of it? And then again, with generative AI, how meaningful do you really think that will be to secure your operations?

So let's do the quick 2-minute version of AI, right? Good news is with all this ChatGPT and all this AI conversation, suddenly everybody is focused on AI. This is a good thing, right, because people are paying attention to that. The way we see it there's -- on one side, this world of precision AI where you need to be right. You need to know this is a hedge not, the road, otherwise, you'll get stuck there, in your car. So you don't want precision AI to hallucinate. Cybersecurity uses precision AI. Most car driving algorithms will use [ dual ] networks and machine learning and reinforcement learning. So there's a category of learning that uses precision AI. You need a lot of data to get it right because you need to know where every tree, every bush every -- you need to know all normal behavior to figure out the anomalous behavior, right? That's how we work in security. When do we see anomalous behavior, we need to know what normal looks like. We need to watch everything to be able to find what's anomalous, right? You can't look at it a little bit and say, a little bit tells me the answer, the answer is I got to look at everything. As a consequence, we have, on a daily basis, we ingest 5 petabytes of data. We have 1 exabyte of security data stored in Google Cloud. We are the largest storers, if that's a word, of security data in the world. Not only that, we're the largest storage in Google Cloud of any company in the world after Google. And we only have 35 customers running our [ XSIAM ] product so far. We want to have hundreds of them getting there. So just imagine the amount of data we're going to have. What do we do with that data? It belongs to every company. We look at all the normal to look for the abnormal and then identify the abnormal and try and stop it mid-flight, right? So security is interesting. It's only done in 2 ways. Either you know some -- known bad, you stop it. You see a bad URL, a bad IP address, you stop it. If it's a suspicious thing, you send an alert. Well, we got to get better at looking at suspicious things and having a point of using this is bad and stop it. And that's what you need a lot of data for. So there's the world of precision AI. Then there is this world called generative AI, which is beautiful because there -- the way I describe it, it's a phenomenal tool. When many good answers are possible, you don't have to be right. So you can go to a mid-journey, runway and say, show me a bird with a blue background, show me a white bird with a blue background. It will show you 17 white birds with blue backgrounds. You may like one, you may like the other and she may like another one. That's fine. There's no wrong answer. It's an ugly answer, but it's not a wrong answer. And you can see that's going to write me a rap song about the warriors, my 8-year boy does that because he writes me a rap song about the warriors in Shakespeare style and pops up something, it's pretty crappy, but it's not a wrong answer. It's just a bad answer. So that's where generative AI is very interesting. And it has 3 values. One, it can let you talk a natural language. Two, it can summarize large amounts of data statistically and give you the better answer. And three, over time, it can give you insights from this organized data as if I took all my customer calls and put them in a large database and ran and [ LLM ] against it, it might come back and give me insights I didn't know I had. So from that perspective I think generative AI is going to be hugely transformative in how we conduct our business, how we deliver, I said word, copilot, how we deliver assistance to our customers who are [indiscernible]. So I think every cybersecurity company is working on some version of a copilot, which the purpose of copilot is going to be to make your products easier to use, not solve security problems.

Do you see that becoming table stakes? Or do you think it can be a differentiator? And you've done some unique names and you've introduced...

Look, I think it's going to become table stakes in the next 12 to 18 months. I spent 6 hours doing an AI review yesterday across all of our products. The 2 biggest challenges are latency and hallucination, right? And the problem is, I know when I look at the answers it's giving that 1 out of 7 times, 1 out of 10 times, it's hallucinating. You don't know. You can't figure out which one of those 10 is wrong. So you have to decide which 1 is wrong. Would you want a product where you -- when I tell you, listen, it's like playing, what is that game people play, you put a bullet to your head and roll the thing, there's 1 bullet and keep shooting and one of them is going to kill you. You could get one wrong answer in security, you use it, you say, oh, this is a great question, reboot your firewall. You reboot your firewall and poof goes the magic dragon. So we're still waiting for the hallucinations to minimize, latency to get better. But I think 12 to 18 months we will see copilots in most products. I think the question will become, how do I deal with so many copilot because you have 40 security vendors, you have 40 security copilots now. I'd deal with them. So then that goes back and reinforces the theme of consolidation, platformization. And then the question is, can every small start-up afford to build a security product and a copilot next to it.

Makes sense. I wanted to shift to XSIAM. I think it's what you would call a huge opportunity over the next couple of years. And XSIAM is really aiming to solve pain points that have existed in security for years. Can you just talk to those pain points and improvements you've seen with your own deployment of the technology and what you're seeing from the initial customers that have picked it up?

Yes. So let me give you a little bit of background around why we think it's interesting. If you look, security has big streams or big categories and then smaller categories. There's a big category of firewalls or firewalling, big category of identity, big category of endpoint protection, big category of SOC management, now big category developing cloud security. So there's 4 or 5 big categories out there, we play in 4 out of the 5. You don't play an identity. Now if you look historically in security, every one of those categories has hit an inflection point at some point in time. Firewalls hit an inflection point. There used to be Juniper, a bunch of other companies, I don't even know I was there. And then suddenly, Palo Alto came out with next generation firewall. That was an inflection point. People wanted the next generation firewall. It was good enough for them to rip out what they had. If you look at the endpoint business, there's McAfee and Symantec. When you found an inflection point called EDR, you saw the likes of CrowdStrike and Cylance and all these others show up. And McAfee and Symantec had to take a back seat. You take a look at what happened in the world of SASE, Zscaler came out, did a great job, they built, and now every one of us is chasing SASE. So there are inflection points in the industry. And those come when technology changes. There's 10- to 12-year-old software in that category. There's not a lot of innovation that's happened and somebody built something so amazing that it's worth ripping out the old stuff. I think that inflection point is now coming to SOC management, right? Where there's 12- to 15-year-old technology in the whole SIEM category, in the SIEM space, which was designed to be reactive security. Now we need real-time security. To do real-time security, you have to look at data very differently, right? You just can't take data used to store last year and run AI against it. As most people will tell you who are here or over here that the biggest problem with AI is, we don't have good data. So we're all busy cleaning up data. Well, 4, 5 years ago, we said, an inflection point will arrive in SOC management that will require better data. So we went and instead of buying many of the options that were out there, and the one thing got sold recently, we went and said, we're going to build it from scratch. That is how we're able to ingest and store 1 exabyte of data in GCP and run AI against the machine learning against to go make that happen. So early days. I don't want to get out of my skids, but really good promising outcomes. We are able to bring down the mean time to remediate a security incident from 5 to 6 days to on average 1 to 3 hours. Now that dovetails the SEC requirement. You have to report within 4 days when you get breached. So everybody is looking and saying, I'd like to get my security issues resolved much sooner because I don't want to be telling the SEC I've been breached and, oh my God, I haven't solved the problem yet. So it's promising. We've had a few really big deployments recently, which have gone very successfully. There's a lot of customer interest. So we're building capacity, we building capability, and we're working with third-party partners. And you'll hear more about it from us in the coming months that we're creating other people who are going to deploy this for us because we think this is a huge opportunity. And I think most inflection points last 2, 3 years, then everybody starts to flood in there with their own versions of products and start getting [ fund ]. So we think we have an 18- to 24-month window and it boils down how quickly and welcome the executed [indiscernible].

Okay. I mean you've talked about this $1 billion pipeline in less than a year of launching, it's really impressive. I think you just talked about 18 to 24 months, but how do you think about the customers you're going after? You have 5,300 Cortex customers that I think would be kind of logical first step. But how do you think about it? I mean you talked about this being a transformational shift in SOC technology. How do you think about that being -- something that brings customers to Palo Alto?

Yes. So there's 3 categories. One category of customers that already deployed our XDR product, which is somewhat a prerequisite for us to deliver the AI capabilities of XSIAM. So those become much easier conversations because an upsell. You say you already have the hard work is done, let me sit on top and show you all the beauty of analytics that I can do and replace all bunch of stuff. And in the meantime, I'm building more capability every day on XSIAM so I can create more outcomes from my customers. That's one stream. And we know those customers, they're fully deployed, they're happy. Another stream is people who are going through as part of the regular process this year, we're going to redo our SIEM or SOC. It's coming up for renewal in 12 months. It's too expensive. We don't like the current solution. We have to reevaluate what's going on in the market. So there we show up and say, look, please consider us. We have this very cool product. It's new, it's amazing, please try. So it's kind of another opportunity, right? And the third opportunity is where we're working with third parties like SIs, people who advise people to redo their cyber security architecture. We're trying to get ahead of that and say, listen, bake us in, into the thought process as you go create this new architecture. So they all have sort of differing life cycle in terms of what they're going to get done, but like it's early days. So you see 3 to 5 years we're sitting here, hopefully, and turn around and say this is the fastest-growing security category and product that we saw in the industry.

You just talked about XDR being a prerequisite. And you've been building credibility in the EDR XSIAM market for some time. You have -- it's not the Traps product anymore. You've got credibility from MITRE and third-party valuations. Any color you're willing to provide on where you think you are in terms of market share, kind of growth there and customer awareness?

Look, the XDR product or it just started off as a replacement to the endpoint. The whole -- the last version of endpoints was I pushed a lot of signatures to your endpoint, checked at the door. If it's a bad thing, I told it's a bad thing and I stopped it. And the world figured out, well, latency is gone, you can send stuff to the cloud process and send the signal quickly back. So we came over the EDR, where you collect the data of the endpoint, you ship in the cloud, you analyze it, and you stop things mid-flight, much better because it's more real-time and you can do all kinds of wonderful AI stuff. So we're taking it one step up. So they can now collect more data from there, send to the SOC and use that as a basis of cross-correlating and across multiple security categories. So yes, XDR is a prerequisite to doing better SOC management. It also is a category in itself. But I think over time, it's going to blend into this category of redoing SOC, especially AI is going to be relevant. So if you think about it, 5 years ago, there were north of 10 players in the endpoint space. Some of them are sort of naturally attriting, some of them are up for sale, some of them being shut down. So there's a lot of movement. I think we're down to 4 or 5 real contenders in that space. I think we probably end up with 2 or 3 as it starts to consolidate around AI plus SOC management plus sort of the endpoint capability. It's not hard to figure out who those 3 are likely to be.

Do you think the power needs to be more aggressive in that space in particular? Or do you think that kind of to your point, as people look at SOC modernization that kind of just pulls along that category?

Look, I don't know what's so aggressive, more aggressive means. I mean, look, we're not aggressive when it comes, we don't say, oh, you take this one, I'll take the next one. We don't do that. We fight every one of them like everybody else. So we do have a broader portfolio. It's kind of -- I guess the question becomes there are 2 or 3 ways you can think about business, right? One way is that I want every customer, every small medium-size customer gives me $5,000, $2,000, and I need [ $1 million ] of those, and I'll make a lot of money. Now that's great if you have a self-sign-up product and you don't have to have a truck drive and do a sales call, you don't have to have customer support that works beautifully in products which are sort of developer-led or user-led. It's harder in complicated security products, where we actually -- they want to talk to and they want to deploy it, and say it's a really important product. So there's theories out there. If you can sell one customer a lot of things, your cost of sales goes down, right? I think the hard known understanding of the enterprise is that the largest enterprise companies in the world that are out there, their cost of sales is about 30%. So if you look on my P&L, the biggest cost is cost of sales and marketing even today. If you look across enterprise, R&D is 10% to 15%, pick your favorite tech company, north of $5 billion to $10 billion. That's roughly where it is 8% to 15%. 8% will be struggling in the year and a few years, 15% is probably where they're doing lots of innovation. Look at G&A, it's between 4% to 8%. If you [indiscernible], probably lot less, but whatever right? 4% to 8%. So majority of your difference between operating margin and your sort of revenue is cost of sales. So enterprise CEO should pay attention how do I minimize my cost of sales in the long term as I scale my business. That's the way to get cost -- operating margin expansion. The only way to do that is to sell more things to the same customer. So we're trying to make sure that we can sell more things to the same customer, which is good for them, by the way, because it gives them consolidation from a platform perspective. We'll give them a better security outcome. It's a better business for us. So from that perspective, I don't look at these things as individual streams that I got to go sell individually, a lot of them. I look at collectively how can I give a platform to a customer, which gets them to a better security outcome, and they make Palo Alto a big trusted partner. I think there's tons of room out there in the market to do that.

Makes sense. Maybe shifting to firewall. You've been very candid about your expectation that, that market should slow down to kind of a low single-digit pace for a couple of quarters now, that the last 2 years have been maybe abnormally strong period of demand for a number of factors. And then within your medium-term guidance is an expectation that the hardware side of product kind of grows at the low end of that. How should investors think about the software piece of firewall? You've been kind of a leader on the software form factors. How should we think about growth of that, especially as you push into areas like Firewall as a Service and Prisma Cloud?

So let's go back to basics. What are firewalls? They inspect traffic. When there's traffic, you got to look at the traffic to see they've got bad IPs, that Internet, bad DNS [indiscernible], is there bad stuff floating in your network. Let's just say the amount of traffic in the world continues to double every 3 to 5 years, generally speaking. And each one of those bits has to be inspected, right? There's no like pre-traffic. You have to decrypt it, inspect it and recrypt it. Some people don't encrypt it, don't look at encrypted traffic, and that's kind of one part of it. But -- so a, volume is continuing to double. This is like whatever the right version of Moore's law for traffic is, it's happening, and it's not going to stop. It doesn't stop, right? More internet ship, more videos, more everything, more Zoom, there's more and more traffic in the world. So the act of inspecting traffic is not going to go away. Historically, the active inspecting traffic will happen in the data center or large volumes came in and you had a big box of firewall, which is hardware. Now hardware by the way, is the most efficient way to inspect because hardware is generally cheaper than software, right? What happened, though, is that people said, wait a minute, now I need to inspect traffic when everybody is working remotely, traffic is getting distributed. I don't need a big box, I can have small box. And if you say you don't need a small box, you just spin up a piece of software that does that for you. So what has happened is the form factor is changing, but the demand is not going away. Now some companies are very over-indexed on hardware. So they don't have a lot of software form factor, they don't SASE, they don't have software firewalls. Some companies like us have hardware, software and SASE, right? In the last 5.5 years, I'd say, we've shifted 50 -- 30%, 40% of our demand to software. And we know that. We can somewhat control. You go to a customer and say, hey, give me a solution to inspect this traffic. I'm like, you can have the small box or I can run a VM. I think technically, VM is much better. I can upgrade it much easier, you don't have to have somebody go upgrade the firewall if it goes down. I can remotely upgrade and I can remotely upgrade all the software. That's a good idea. We'll take the software one. Now if you only have hardware, you can't sell them the software one. So we've done a lot better. We have north of 50% market share in software firewalls. We have SASE, which we think we have 50%, 60% of Zscaler's business, give or take. So we've been shifting there. We see what's happening in hardware, right? The only problem is for investors, hardware is recognized as instant revenue, software becomes ratable, so it gets confusing, right? You took a $1 of hardware, you recognize the revenue, took a $1 of software, you recognize 1/3, 1/3, 1/3. S***, now what do I do? So all you're seeing is you're seeing dollar transitions happening on our P&L. The volume is not going, the demand is not going. Yes, hardware is constrained because software is winning compared to hardware in the firewall space for lower sort of traffic volume use cases.

On SASE, I think including power, there's maybe 3 or 4 vendors with, call it, 15...

I said 2.5, but okay...

3, 2.5...

Maybe 4, 5 now, yes.

With maybe 15,000 customers total. And it's been a huge growth area for Palo at 60% growth over the past couple of years, but it still feels very early in the adoption curve. And I'd love to get your perspective on if you think we're going to start to see SASE become more mainstream. I mean there's a reason why...

I heard people here on the stage say firewall is going to go away, and it's all going to be SASE. So it's great. We're in the SASE business too, I like that.

Yes.

Look I think the more simplistic way of thinking about SASE is like this. But everything was going back to the data center, you had a big box there. Now everything is distributed between public cloud, between remote access from home between the data centers. So you have a new network topology. It used to be one topology going back. Now it's a distributed topology. Rearchitecting your network security on the distributed topology can be called SASE. The right way to do it is to have some hardware for data centers, still cheaper to do that way, have some VMs for your certain use cases and have remote access for certain use cases. So that sort of hybrid architecture is what is the Zero Trust ACI architecture. I think the whole world is going there. So you will see in the next 5 to 10 years that SASE, as we know it, is going to become bigger and bigger because hardware, as we know, is going to become smaller and smaller and more software firewalls will kick in because as said the traffic continues to increase. So there is a natural demand of traffic, which is causing the drive in SASE, and there's a shift from hardware to software going on. So I don't think it's a category. That's why in the early years, we used to have this thing called Firewall as a Platform, and that thing is still growing at double digits, right? It's still growing to 15%, 20% range, has been consistently. So we think the market is growing at 15% to 20%, and there's a from factor shift happening in the middle of it, yes. So SASE is going to be a very large category, will continue to be a large category. Now it's got sort of bringing in SD-WAN into it as well.

Yes. A lot of talk about all the entrants into that market, some of your direct competitors ramping up investments there. Microsoft wants to be in the conversation. How do you think about the competitive environment? And how important is it to customers to have that track record of I think having the solution in the market for 4, 5 years?

It's very funny. I was on holiday last week and some other security companies were going to report this week. And my wife said to me, she was like, what do you think is going to happen? I said I like all of them to do well, which means the market is strong and demand is strong. And they all did. The way I think about competition, remember, 5 years ago, we had 1.5% market share of $180 billion market. We're probably at 3.5% now, which means 96% of the time, somebody else has got the business. This -- I live happily with competition. It's great. It's wonderful, drives more innovation. Our platformization continues to get us more and more share. The more people that are in the market, the more innovation there is, the more they could tell customers and saying, listen, you should move to SASE. You know what happens when a customer has told you to move to SASE. So let's do an RFP and see what Palo Alto has. So I'm happy that people out there telling them that SASE is important and they should go deploy SASE because then it allows us to go participate in that market. So I think right now, we can all grow without trying to steal from each other.

Yes. Fair enough. Maybe last question on cloud security. You recently disclosed some pretty impressive module adoption stats. I think the pushback I get from investors, maybe that's not directly translate into ARR growth, but it's still a very early market. Architectural decisions are still being made. How do you think cloud security evolves from here? Are we at a point where we're moving past the visibility as the main pain point, some of the vendors that have done very well, solving that use case into a place where detection response and code to cloud are becoming more important and driving more?

It's a great question. Look, I think we all get confused because with these large numbers from the hyperscalers that come out and they did so many billions of dollars of business. If you look at the world of actual deployment on the other side, I'd say there's 3 sets of companies. There's the cloud SaaS companies, you take the Workdays and the ServiceNows and all these people deliver SaaS products. They have to have good cloud security. Those guys are busy buying platforms. They're not buying point solutions because they know their entire business depends on making sure they can keep those customers' data secure. So most SaaS companies are moving to platforms already out there. Then there's a bunch of people who are sort of early in their deployment life cycle of public cloud. If you go ask your traditional company and say how much your mission-critical applications are in the public cloud? The answer is not many, okay, 10%, 15%. But they haven't moved their mission-critical stuff there. The moment they move their mission-critical stuff there, they're going to get more serious about cloud security. And the third ones are people still dabbling around, still doing development, looking at point solutions. So I think you're right, it is an early market. There's no doubt in our minds that's going to be a large market. It's going through its paces and slowly growing. We track consumption. Our consumption shows that 30% to 40% growth is consistent over the last few years. We think that stays at those levels over the next 5 to 10 years. And if something is consumed on a consistent basis at 30% to 40% a year, I think revenues follows that consumption track, and we're very happy that we keep building the platform in the process. We need growth levers in the future. Otherwise, you guys don't like us.

Right on time. Thank you so much for your insightful discussion. Thank you all for being here.

Thank you for having me.

Thank you, guys.