Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Good morning, everybody. I'd like to welcome you all today one of Citi's Global TMT Conference. I'm Fatima Boolani. I jointly head up the software research team here, and I am absolutely delighted to be able to host the CEO of Palo Alto Networks, Nikesh Arora. Thank you so much for being here.

Thank you for having me.

Well, I'm very excited to dig right into the discussion here. I want to start off with a very stratospheric-level question for you. 6.5 years ago, you joined Palo Alto, and you came into the industry proper with a fresh set of eyes and clean sheet of paper. What are the biggest attitudinal shifts and changes you've witnessed in the market from a behavior, procurement, CIO pain point standpoint? And the flip side of that, what has remained stubbornly unchanged?

Good morning, Fatima. Lovely to see you as well.

It's getting heavy.

I understand that. You chose the best ballroom in New York, the best lighting. So we can get started. Look, in the last 5 or 6 years, if you've looked around, because of the scale and the, let's say, impact of cyber attacks, cyber has gone from being something you did to something that Boards and CEOs have to pay attention to. If you look at the last 3 months, you've seen a bunch of health care attacks, you've seen a bunch of attacks across the industry. And these end up being substantive, we have to report them to the SEC. So it's -- and if you -- we all do enterprise risk management [ in ] our Boards, and suddenly cyber has made it in the top-right category in terms of something that is important. So there's more focus on it across the board, one. Two, I think people have come to the conclusion that the old approaches of having 30 or 40 vendors in infrastructure and hoping you're safe isn't working because all these breaches are happening despite deploying that strategy. So there's a lot of people saying something has to change. And what's fascinating is, the moment there is a breach, the remediation is to rip out all the gunk and replace it with solid cybersecurity vendors and platforms. So the question is, why doesn't that happen before? Why do we have to wait for some sort of forcing function to happen? And you're seeing more and more of that as we go through technology cycles. The amount of time it used to take to fix the security problem, it used to be 4 to 7 days. Now people are demanding hours. So there's an attitudinal shift in the way CIOs, [ CISOs ] see this, where they think they need to just get ahead of this problem, they solve it faster. And it's kind of interesting, you see one breach in health care, every other health care CIO, [ CISO ] wants to pick up the phone to doctor saying, how do we fix it? What do I need to do to get ahead of this? So I think you're seeing more growing recognition that's kind of happening. I think in terms of what is stubbornly still staying the same is there still some -- there's a faction of the levers of things the right answer is still keep going the way you used to do it and solve it one point solution [ to time ], which is what we finally call the best-of-breed strategy. And that's still prevalent in some cases and people are still doing that. But I think it's a matter of like it's the sales forces, the workdays, the service out [ of the world ], 10 or 15 years to replace the stitching of multiple tools and moving into platforms, and I think you're going to see a similar cycle in the cybersecurity space.

Now I'm going to ask you the obligatory macro question. And you are going to have to see this because you have a really interesting vantage point in terms of the types of pernicious problems and very real problems that you're solving for a lot of organizations across broad swaths of the economy, right? So you have CIOs, CTOs, [ CISOs ] coming through your offices, quarterly business reviews with your customers. So again, just from your vantage point, the macroeconomic conditions have both been favorable to you from the consolidation argument standpoint. But also, it's tough, budgets are tough to come by. We've all become armchair macro economists in the course of the last 12 to 18 months, right? So from your standpoint, how is macro weighing or maybe even helping some of your customer dialogues in terms of budgetary allocation and budgetary growth?

This might be slightly orthogonal from what you're hearing from other people, I haven't met a CIO or a [ CISO ] who says, "I'd love to do this, but I don't have the money," because generally, CFO is telling you that you can't fix something in cybersecurity. Nobody wants to take the responsibility to say, "Oh, we're going to do this next year. Until the next [ year ], just keep doing what you're doing. And if there's a breach or a bad thing happens, don't worry about it. I got your back." So the conversation never is that I don't have the budget. The conversation usually is, "I have a budget. I can only buy so much because that's all my appetite is or that's all I have resources to go execute. So I can't do the whole thing at the same time. I have [ phased ] ideas about I want to do this, this year and this next year." That's fine. I think what's different is, this is something we've talked about, you and I; in the last 12 to 18 months, while you've been to armchair macro thing you were just talking about, the CFOs are paying more attention. CFOs are saying, "Give me value for money. What are you spending so on? Why are we spending this? Why am I getting the right deal or not?" So I just joke about it in this call in event the CFOs, the interest rates brought them back. Otherwise, our CFO, Dipak who you know, we [ were ] talking to him, and I was like, "it's costing 6%, why would I do this?" So I think you are seeing more financial discipline creep in from a budgetary perspective, and some people are misinterpreting that to be macroeconomic issues with technology spending. I haven't seen macroeconomic issues around technology spending across the board. And nobody is saying, "I'm going to slow down my cloud transformation. Oh, I'm not going to deploy AI because I don't have the budget," because everybody believes it's existential.

I want to go back to an earlier comment you made around, "Hey, there's this paradigm shift on a recognition from the technical C-Suite." Recognizing that a best-of-breed strategy obviously has limitations, right, so I also want to say you single-handedly added the term platformization to the investor vernacular, right? So on that point, there have been elements of platformization that you've been working on for a number of years, just kind of given how expansive your portfolio is. But a circa 7 months ago, there was definitely more of a concerted shift and effort towards this notion of platformization, right? So from a standpoint of what you saw in the market and economy, what was it in the evolution of the customer behavior that prompted you to say, let's make a more deliberate move and have a more institutionalized set of approaches on this notion of platformization? And I think for the uninitiated, you can tell us what platformization is.

Sure. Well, in short, platformization, instead of deploying 4 different products and trying to get one to talk to the other and then talk to the other one and talk the other one, you can have one platform that the products talk to each other so you can sort of input here and output there the other end of the fourth product as opposed to -- I'm trying to find the right portfolio management analysis, but I can't come up with it, right? So if you had 4 different screens [ of Bloomberg ], which are 4 different products, you can understand the difference, right? So the question on what drove the impetus to platformization, the boss that I used to have with Google, Eric, was asked on a podcast, what would you have changed historically, if you could go back, into something different? He said that I'd execute on my good ideas faster. So I wish we had done platformization faster. And maybe it is the right time for us to do it because our 4 products that connect into one platform are more ready to talk -- are more ready today than they were 1 year ago. But I think the other part of the realization was that this is something we have that most others don't, right? I can give you a SOC management platform with XSIAM and XDR and ITDR, and these are all 3- or 4-letter acronyms we create in our industry to protect our jobs, so please don't get confused; but it's a platform that basically helps you manage your security operations center. And most security operations centers have anywhere from 5 to 15 different tools. And we've bought 6 or 7 of the big ones together, and we're going to keep adding to it, and that's sort of you don't have to go buy 15 and stitch them and run from screen to screen, you can do it to one place. And connecting them together, they're not just about making the user [ base ] work, it's also connecting the data in the back, so you don't have to deal with managing data. And to give you a sense, we ingest 76 terabytes a day of data [ just at R-SOC ]. So there's no way possible that you can have 17 tools analyze 76 terabytes of data. You have to have one thing that does it. This all goes to Google Cloud, it goes to [ BigQuery ], it could go to Snowflake. So that's the kind of scale I am talking about it with one SOC, right? And we've sold about 130 of them. We've deployed 50. We're already passed 7.6 petabytes a day. This is not a human problem anymore. So I think what drove us to go faster on it is the realization that something we have, others don't and kind of right place, right time, CFOs are looking for consolidated spend where they get more value for money. So that allows us to drive that even faster.

On paper, there's so much of a compelling value from exactly what you said, right, immediate ROI, better outcomes, a lower administrative and operational overhead for an industry that is notorious for having...

[ Come on a ] sales calls with me. That's really good.

Available after -- so when you think about the opportunities for your go-to-market organization to come up with these wealth of data points that are very compelling for your customers, what has changed culturally from a go-to-market perspective from your standpoint to help you drive towards more and more customers in your installed base that are platformized, right? I think you've talked about, "Hey, there is a cohort of 5,000 customers that are most eligible who see the most amount of success from platformization." But you have 65,000 customers, right? So what is the eligibility criteria that "hey, these are the 5,000?" And how should we think about that long tail of the remaining 60-plus thousand?

I think it's important to understand, we have 62,000 customers of all shapes and sizes. We didn't say these are 5,000 that qualified. We said our top 5,000 customers -- and we have [ 3 ] platforms. So eligible, so there would be 15,000 platformization deals, right? If even we got to 25% penetration in that 15,000 opportunities, we hit [ $15 billion ] in ARR. That's the math we did. And you could be customer 6,000 and make your way up to 5,000, you want to spend more money with us. So it's not like we chose 5,000, everybody else to ignore. We're just saying, give you the math, we just need 5,000 great customers who will do at least 1 platformization or 0.6 platformization with us to get us to our number. And yes, so that's the math.

So related to that, I mean we kind of meander through this topic around, "Hey, platformization is allowing you to have very real conversations on dollars and cents with CFOs and even from an architectural and technology consolidation standpoint." So clearly, good traction here. I think we're getting a good sense of what the killer advantages are for moving down the platformization curve or moving up rather. But these are inherently large-deal tickets, right? So in...

It's a good thing.

It's a good thing. So I want to get your sense from, "Hey, you're doing more than $2 million on average in terms of ARR per platform customer, right?" That's big. But even if we take a step back, that's not as big in the grand scheme of things when maybe we compare your business to a ServiceNow. I think their ACVs with their customers are mid-, high single-digit millions, right? So how do you get to a point where you continue to drive monetization from already very-satisfied customers, right? Are you a victim of your own success in your ability to take that $2 million of ARR and continue to march it higher?

So let's step back. What is the status for -- stratospheric question? Roughly 6% to 10% of a company's technology budget is cybersecurity, right? If you look at JPMorgan, I read somewhere, they spend $18 billion or something in technology. I may be off by a few billion dollars. 10% is $2 billion, right? We have 4% to 5% share of the market. So $2 million is a good number, but our largest customer does $25 million in ARR per year, okay? So that's the [ art of the ] possible. It's a Fortune 50-year company, right? That's the [ art of the ] possible. 2, it's better than $500,000. $500,000 is better than $200,000. So 6 years ago, when we started, we did $2 billion of revenue. Our largest deal was [ $5 million ] ARR per year. Now it's [ $25 million ], right? So is there a path I can see for a few thousand customers keep marching from [ 2 ] up? Yes, there is. But that requires consolidation, that requires them to focus on taking a platform. You asked me earlier, what is the big change that has happened is a lot of these platformization deals or these re-architectural deals in cybersecurity are driven by system integrators, people like Accenture, like Wipro, like IBM, like PriceWaterhouse, et cetera. So also, what has also changed for us in the last few years is they want to deal with less vendors. You don't -- they've [ hard ] enough understanding what they do for a living and then to understand 50 security vendors and say, "I need to understand all your portfolio so I can design that architecture." Now given our scale, which is still small, given our scale and our breadth of our portfolio, they'd rather talk to us so we can give them 3 platforms than go to 3 of us and talk about one platform each or perhaps even 5 of us to stitch a platform together. So from that perspective also, I think it's [indiscernible].

I want to sort of moonwalk into the next area of conversation that ties to platformization, but it's around your next-generation security franchise. This was essentially a nonexistent business when you got here 6 years ago. You're now clocking in at a $4 billion franchise. So the first question, how do you see all of your efforts around platformization contributing to what are implicitly pretty high growth rates in a business of that size as you pave the path towards $15 billion of NGS ARR over the course of the next 6 years?

Now look, 6 years ago, when we started this journey, we were a hardware company that sort of firewalls when we had a bunch of software capabilities that we had, which -- and my Board says to me, "Hey, why don't you figure out how we [ turn ] this company into a SaaS business and make it an ARR company?" Sounds great. How do I do that? I think part of what we did in the last 6 years is we spent $4.5 billion, bought a bunch of companies, stitched them together into a platform, there are a lot of innovation at home. And it got to a point where majority of the $4 billion is net new business that we generated. So we took our go-to-market engine, applied that to these capabilities or north of $4 billion. At the same time, we also transformed our existing business towards this. We think in the next 5 years, we can get 80% to 90% of our business in a SaaS mode where it's all recurring revenue to get to [ $15 billion ]. We see a part of it. What was your question?

Just that path towards naturally, you're going to have more and more customers with more and more pillars. But even if you can tie it back to that aspirational -- if every single one of your customers is paying you $25 million in ARR, that's an excellent out...

It's a lot better than $2 million. Yes.

There you go.

We don't -- our expectations are not there. Our expectations are we need to be able to drive value for all of our customers. So the way we mapped it out is that we're $4 billion, we have an aspiration to get to 15 by 2030. We know what each platform delivers in ARR. We did 91 last quarter. We did 65, 70 a quarter before we started tracking it. If you stay in the 60 to 90 range for the next 24 quarters...

On platformization...

On platformization, we get to $15 billion. And in terms of opportunity, that's only 2,500 platformization across 15,000 opportunities, around [ 5000 ] customers. That's the math, right? And the thing which we said last quarter, which was interesting for us, is as we traverse the [ last ] 12 months, our average ARR per platformization went up, which one would expect a scale -- if you do more, your average goes down. Actually, it was interesting; actually, it went up. It may be purely because of the size of deals, and it may go back and be where it is. But it did go down, which -- because we hoped that our target of [ 3,500 ] will get us to $15 billion in ARR. Now it's a matter of keeping your head down and executing. The good news is, as I said, when we started this journey 12 months ago, it was as important to tell the market that that's the way we're going as it was to tell our own people. Now, everyone of our salespeople wants to do platform deals. Every one of our partners wants to come to us and say, "Let's go help you do a platformization."

Biggest surprises and maybe some of the key challenges that you've encountered in, like I said, scaling what was essentially a nonexistent franchise 6 years ago, right? I mean certainly, the past, it seems linear. But in retrospect, there was probably a lot of twists and turns. So anything you look back on in terms of getting from 0 to 4 getting from 4 to 15, how you're going to circumnavigate some of those things that you learned from the first wave?

Yes. Look, some things that we've been spending a lot of time on recently and we still have to continue spending time on, when you're a hardware business, you sell a firewall, the customer deploys it. If they don't use it, they have it for 6 years. They paid for, it's theirs. In the SaaS business, if you do sell it, they don't deploy it, when it comes time for renewal, you don't get a renewal because customer is not using it. So there's been a huge focus in [ factor fear ] we've staffed all of our sales engineers to also have a consumption target to make sure that everything you sold is actually getting consumed. And the good news is we see consumption. Consumption is at a good place across our products because in 1 year, 18 months from now, a lot of consumption is going to turn into renewals. Now, the good news is different platforms have different consumption metrics and network security has less consumption metrics because you buy hardware firewalls, software firewalls. And SASE, we see reasonably high consumption there. We have lots of opportunity to upsell our customers in cloud. We only sold by credit, so we see consumption. And XSIAM, we actually see consumption rising, it's actually beating what we sold. XSIAM's early franchise [ is less than ] 18 months in. We've sold, as I said, 130 of them. We've deployed 50. Our top 10, 20 customers have $1 million in ARR. But we've only seen 3 or 4 customers come back and say, "I'd like to buy" more because we charge them for data ingestion. So it's good. So that's kind of the big shift, is we have to become a SaaS consumption business. I think what gets lost in this is that in the last 6 years, we've converted more than 50% of our business into ARR, right? It's [ close ] to 50% more. And we've done it quietly under the radar, we've transformed the hardware business into a software business and think that journey continues till 2030.

Now NGS ARR, as I think most people are familiar, it's a multidimensional franchise, right? So you've got SASE, you've got Cortex, you've got Cloud. At the highest level, when you think about the arc of the next 6 years, amongst those pillars, where are you the most bullish in terms of market share capture, monetization potential?

I think for us...

I know you love all the pillars equally. I just want to say that.

You know that when you have more than one child -- more than one, so they're all good. But I am excited about XSIAM because I've discovered in cybersecurity, you can replace existing TAM much faster than you can create one. If you go back, historically look, there should be Symantec, McAfee, it got replaced by the EDR wave, a lot of new XDR, EDR companies came by. Customers had a budget. They had a product that was far superior, you say I'm going to replace it. It's much hard to come to, "You need cloud security. What does that do? Like we use AI security? What does that do? Let me take a look at it? How does it work? I don't have the budget." So it's a lot harder building a new market than it is to take a market and replace it. Historically, you'd replaced the endpoint security market with EDR, XDR. We've replaced the old firewall market with next-generation firewalls. And I think you're seeing that in SOC. That's why we did the IBM do. We just announced it, disclosed it this morning. It's great. It's a [ $20 billion ] TAM. And I think we have the most advanced technology from a pure-play cybersecurity vendor out of the market, I think we're about 18 to 24 months ahead of anybody else out there. I always believe that if there's economic profit to be made, everybody is going to chase you down. This is not forever/so that's why we're putting on turbocharge. What it also does for the first time in security, it's an outcome-based technology. I go to people and say, "I can take your time to fix your security issues from 4 days to -- or we are at 1 minute, our first customers are at 9 minutes. They can solve the security issue in 9 minutes. Industry averages 4 to 7 days. When I go make that pitch and I can convince customers, I'm way ahead of everybody else. But when they get an outcome-based thing going, I can slowly work my way into getting to absorb more and more capability into the platform as well as I keep building capability in the platform. So I think 5 years from now, hopefully, if you're sitting here talking about this, you'll say, "Oh my God, you've got 2,000 XSIAM customers, and they've got everything in your platform because you worked your way from there all the way back because the other things become less relevant, because they're more interested in the outcome." So I'm really excited about that. There's a lot of focus across our company in terms of trying to make that real and execute on it. If you said to me 18 months ago, will you get close to [ 700 ] in TCV in 18 months, that's never been done in cybersecurity before.

So you talked about this. So we will stick to Cortex just because that seems to have so much more promise. You alluded to the fact that there has been major market shakeups here. I mean you actually were part of shaking up the market with the AV IBM QRadar. So I wanted to talk about the whole QRadar transaction as it seems like a pretty big strategic coup for you. The calculus there, I think it's apparent why you did it, but I'd love to kind of hear it in your perspective. Why them? Because there are other assets in the space. And then just relatedly, from a incremental product and go-to-market strategy perspective, how are you positioning yourself to be in the pole position for when SOC architectures and entire SOCs are modernized? Because I think we are on the cusp of a major technological upgrade of most SOCs over the course of the next 5 years, 7 years.

Yes. No, no, I think that's what I said. It's a $20 billion market which will get replaced. You will see it end up like the endpoint market was, where the existing players are going to have to give up share to newer players in the market. Now, the -- now understanding cybersecurity as well, I'm a huge student of M&A. And a lot of M&A transactions fail because you got them extremely complicated to execute and implement. When you end up having to maintain existing customer base, existing code, your new code, new customer base, and it's very problematic. And there are companies out there which have 4 solutions in the same space because they got 4 different companies they were never able to integrate. So our deal with IBM is unique, where when Arvind and I first talked about it about 2 years ago, and we [ were sure ] what we're working on, he wasn't was sure. But as we got to a point where you saw the benefits of XSIAM, he's like "I see it, I see this is what's going to disrupt what we have." And we got ahead of it. And he's focusing more on DevOps and lot of the AI stuff. And we said, look, let us be your cybersecurity partner. Now the deal is unique because we didn't buy any assets, except for IP and their customer base. So we have our own product, our own code, we don't test the code. In fact, as of this morning, all the few [ ROC ] customers who secured our SaaS version [ are ] our customers, but I've been running it for us. We actually have given an outsourcing contract to run that business for us, which means for the customer, nothing changed. They still [ deal ] the same people at IBM, but IBM's running it for us. Anytime the customer wants to renew the deal, they have to come to us. And we say, "Don't renew QRadar because it's ours, we're going to move you to XSIAM." So literally, we're going customer by customer and transitioning them to Palo Alto, but we're not touching any code or any of their people in the process, which is a very unique arrangement because it helps us avoid a lot of the pitfalls you will run into in an M&A transaction, right? So every new customer is onboard onto my systems, I have no IT integration. There's no finance issues, no sales force issues. It's just I'm running my business, I'm [ drawing ] them into my business, and they have an incentive to migrate every customer to me, both QRadar [ SaaS ] as well as the on-prem customers. So that's kind of like interesting for us.

We were talking about this offline, but I think it's a really helpful line of conversation. Just as it relates to incentives and incentive structures around IBM and Palo Alto, so Palo Alto-badged account executives versus IBM-badged services and systems integrators, how is that economic and incentive relationship working? I mean what's the alignment looking like? You said the alignment is there, but can you put some...

Look, our people continue to get paid for what they get book to Palo Alto. And every time [ is the next time we need to be had ], our sales rep will go, they'll get paid on booking that deal with us. IBM has tremendous amounts of incentive to migrate those customers to us, both economically because we're paying them and also, for them, they want their customers off of QRadar because that's not something they're investing in. So they want their customers to get seamlessly migrated by Alto. So they're paying their salespeople. And jointly, we're funding the migration for the customer. So I mean listen, your migration from QRadar to XSIAM was funded by Palo Alto and IBM together. And so the customer gets a free migration, the sales rep from IBM gets paid, and they can decide at any point in time to bring in their friend from Palo Alto, who's also going to get paid, so they have to work together. I've never seen such good alignment with the partner in a while.

Now I'd be remiss if I didn't ask you about the NetSec SASE business.

Sure.

You had this be your dominant bread-and-butter franchise, but it's had a renaissance over the course of the last 4 years, right? So as you think about the scope of the SASE footprint and the market opportunity against what has been very much evolving market demand, what does the next 5 years of opportunity look like within the SASE franchise? And how are you focusing and prioritizing innovation in the SASE franchise just from a product development standpoint? And look, I think the genesis of the question is there's going to be hardware exposure in your business for a long time to come. And I think there is maybe a perception or a misperception that other parts of the business with much sexier growth trajectories are going to get a lot more love from an R&D allocation standpoint. So what is the product strategy vision around SASE? And how you continue to be dominant in the SASE arena, which has historically been where you've been very dominant?

Yes. Look, we've been the customer's choice as we're not dominant. Customers have chosen our firewalls in the hardware space. And by the way, hardware is not bad. I heard Michael Dell is here. He's got a good hardware business and really has a hardware business. These are not bad businesses, FYI. So hardware as a good business is going to be around for a while because hardware is still the lowest cost per throughput. You want to pump a lot of bits and bites, the fast, the cheapest thing is to put hardware in place. Software is more expensive to run because it requires -- eventually has to run on somebody's hardware. So it still has the lowest throughput. So I think the hardware business is going to be around. It's just that the proportion of our software business continues to increase. It's just not. Now, the big shift that's happening is as people move to the cloud, they're moving all their applications in the data centers to the cloud, the way we access the -- [ those ] applications is changing as employees or users. And that access mechanism is what we call SASE. 5 years ago, there was one major player in the space because they got there early. Today, there's 7 of us trying to chase that market down. We're the second largest SASE player in the market, I think, by now. We were not a player 4 years ago. And that's because we come from the roots of our hardware business, where we were able to pivot and bring all the capabilities on the software side. But the big difference in SASE that happens is in hardware, we sold the hardware of the customer. In SASE, we run the service. So when you log in from your laptop, you're running in Palo Alto's bits and bites to access your trading app or your portfolio optimization app in the back. That's a big change in the industry, and it takes time to sink in, right? So we have north of 15 million to 20 million users who are actually running on our pipes. So a large component of company is like IBM just bought that product. So we're going to power IBM 250,000 employees accessing all their applications using our SASE product. Now, if that's the way your employees access your applications, the question becomes in innovation, what's going to change in that mechanism? What are they going to be doing? What's going to be different? One, architecturally, we're different because we decided not to build our own data centers. They're two ways to it. You can build your own data center in 150 countries. We're not a data center company. I cannot run 150 data centers at 99.9% availability. That's a different set of business that do that. So we decided to ride on Google Cloud and AWS and Oracle pipes. So they run that 99.9% availability business. We run on them. And we switch between them depending on which customer wants what, whether we're seeing availability [ while as to others ]. It's one big difference, structurally. A second big difference is, we think as technology evolves, a lot of our employees and your employees are going to be using AI. So it becomes even more important to see how do you govern that usage. And now that we're in the 15 million to 20 million laptops, that's growing as the SASE business, lots and lots of innovation is going to depend on how do you look at what people do, how do you do data loss prevention and if I'm using an AI app and I'm uploading my company on jewels in there, I need to be able to block that. How do you block that if you're not in the path of how an employee accesses that application. So that's a lot of where the innovation is going to be. We made a bet about a year ago on the enterprise browser. We said that having VPN agents in your laptops is not the right way in the long term because we need to be able to see what you're typing so we can -- not we, your employers need to see to make sure you're not shipping to the wrong [ data ] there. So I think enterprise browser is going to be a renaissance in the SASE space. We're the only player with an integrated enterprise browser now, [ offer a ] channel acquisition. There's not many options in the market. We think AI governance is going to become important in SASE. These are both products we've launched already in the last few months so...

$200 million in ARR.

Sorry, what?

AI products are about $200 million in ARR?

Yes, that's as good XSIAM plus AI Access in there.

Okay. Just to round out the...

I think that the significance of that is historically -- back to the stratospheric point, historically, our customers were always in the midst of replacing some security technology that have become obsolete. If you look at every [ CISO ], they've got some projects on -- ripping this out because it's -- that company is no longer there or they haven't kept at innovation. Our aspiration in addition to platformization is we want to make sure that you never have to report our product. We don't want to be that endpoint product that you [ replace ] with XDR. We don't want to be that SOC that you replace in the future. So part of the paranoia you see in us is that we're also looking at where technology is evolving. So instead of us getting replaced by a start-up from Israel perhaps giving you an AI firewall , we launched a fully functional AI firewall 2 weeks ago, right? So you don't have to replace Palo Alto. You can take our virtual firewalls, which are embedded in Google Cloud, AWS, Azure, Oracle, IBM and deploy in the AI firewall right there. So part of the paranoia we have is that we need to stay ahead of this product development curve, not just in SaaS, but in every category we play in. So that way, we're the ones that are replacing other people and are not the ones getting replaced.

I wouldn't be a card-carrying software analyst if I didn't ask you about generative AI. So I appreciate you saying that. It sounds like a lot of infusion of those capabilities across the portfolio, but more specifically around the governance of AI is kind of the opportunity you're tackling. So I appreciate you kind of [ fragmenting ] that. Just around out the NGS ARR conversation, Prisma Cloud, it's been an arm's race here. How are you ensuring that there's franchise growth durability here outside of your fortunes being [ covered ] to general hyperscaler adoption trends historically? I know there's been a lag impact, right? But how are you kind of thinking about the durability of that franchise? And just from a market structure perspective, very different than it was 2 years ago, 5 years ago. Pricing dynamics have also changed. I think maybe you'd argue there's a little bit of an oligopolistic behavior in the market structure, but you can tell...

It's like we're in kindergarten. Kindergarten kids don't understand oligopolis.

I love it. Okay. Okay. What's the calling card here for you to take disproportionate share with Prisma Cloud?

Look, cloud security has gone through its own evolution. As I said, it's hard to make a market and tell customers this is the right way it's going to evolve, and you have to watch it carefully. I'd say 3, 4 years ago, we were here, we'll be talking about hygiene in cloud security. It's all about misconfiguration. "Oh, my god, I set up my AWS wrong," you can have a breach; or "I wrote the code wrong," you can have a breach. As people have moved to applications to the public cloud, what happened is you have live applications running in public cloud. It's no long about what mistake could I have made that's going to cause to say, "Oh, my God, there's somebody going after my stuff." So what's happening in cloud is the focus is shifting from, I'll call it, CNAPP or -- which is basically a 5-letter word for all the configuration mistakes you can make in setting up your public cloud to run-time security. It's like don't worry about how I configured it, worry about if somebody is actually attacking me, right? Because when I tell you, you misconfigured this, you could be -- it like getting a sort of a nutrition lecture from your partner, "You didn't eat right, you didn't do this -- yes, I know if I fix all of that stuff, I'll be amazing.

6 pack.

Yes, exactly. But think about what's wrong going to be right now, let's go to emergency. So things are going to shift from -- that's a good analogy to some in the morning, but [ they'll ] go from CNAPP to run-time security.

Right.

That's what's shifting in cloud. So you're seeing the focus back where CDR agents like we have with XDR, some of the companies to do real-time cloud security becoming more and more relevant, and pricing is collapsing on the CNAPP side because it's sort of the table stays, right? And we've seen that in the market. Even now, we have a $700 million ARR franchise, which still makes us the largest independent cloud security player. As an independent company, you guys will be chasing it with even a better valuation than perhaps I heard in the market for somebody else in the space, which is CNAPP only. So I think it's still an evolving market. We have seen many companies come and go in this space in the last 5 years because they haven't been able to get traction. And again, it's nontrivial to build a [ 14 ] module platform that does a lot of these things and connect the dots. So this is not going away anytime soon. I just think you guys get a little impatient sometimes in these spaces.

The growth objective, crystal clear. But I think the unenviable task is you've got, again, very wide portfolio around innovation, innovation priorities. How are you thinking about R&D prioritization, right? But also related to that, kind of running and driving more and more efficiency as a business, right? You're a big company now. You've grown up, right? So there's some of these priorities around here, some of us want to see margin expansion and free cash flow growth and all those [ finicky ] things, right? So how are you thinking about the overall aggregate investment envelope and operating expense prioritization?

Look, I don't think we're too big. We're an $8 billion revenue business last year. I think, we're in the sweet spot, honestly, of size of companies, 15,000 employees. If you're too small, $1 billion in revenue and you have 3,000 employees, you actually can't do any efficiency. You can't go invest $10 million to see "Can I get coding faster and save myself 1,000 engineers?" Or you can't deploy it against customer support and say "Can I reduce my customer support headcount by 30%, can I invest $20 million?" Because you are $1 billion revenue business. At $8 billion, we can. So there are a lot of initiatives right now to see how does AI help us from a productivity perspective. And we've discovered, it requires us to rethink our processes and do a bunch of stuff. A very simple example, we have -- like we had internal employee tickets of 250,000 employed tickets being 15,000 employees. We deployed generative AI. We had a bunch of work going on with automation. We've been able to take 75% of those heads out. We took out 150 people in internal ticketing, which is an internal project. We did that. We deployed generative AI. So there are ways to go drive efficiency at this size. I think it's hard to do it to against 30,000 employees because it's more complex. And it's uneconomical do it if you have 2,000 employees because you should be going out and chasing growth. So we like the size we're at. We think we can balance the investment needs and keep our operating margins consistent with where they are, which I think for our scale and our industry, they're in a better spot than most other people. I think there's room for them to go better.

Last to questions for you to wrap what's been a fantastic discussion. M&A, you've got your fingers very much on the pulse on the market. You've been very active in the space. [ Operations ] on dislocations or lack thereof in the private markets, where are we in the cycle of rationalization and innovation and intrigue? And then my final question for you is the last 6 years were so much fun for you at Palo Alto, you signed up for another 5 years to run the company. So I wanted to ask you for your policy agenda in the way we end our conversation for the next [ 5 years ].

So quickly on the M&A front, I think look, we had technical debt to pay. We were perhaps the most active cybersecurity M&A buyer in the market, about 19-odd companies in the last 5.5, 6 years. But as now we're in front of the big swim lanes of cybersecurity, we always have to make a decision, can we build this ourselves or is the innovation so great that we have to go acquire? So we did the enterprise browser. The integration was not complex, we got it done in 6 months. But some things have become overlapping, become complex, which is something I don't like. We'd have to shut down a bunch of stuff, which is too complicated to do from an engineering perspective. That's how you end up with technical debt. So I think the M&A environment is cooling off, to be honest. I think there's still a dislocation in price versus value in the expectations of startups. And I think that will fix itself. If there are no buyers, eventually, you set your expectations right. There are companies that were hot 5 years ago. They're still around. They haven't crossed $20 [ million ] in ARR, $30 [ million ] in ARR, [ now who's ] going to pay for them? So I think the private market is cooling off and will continue to cool up. I think the consolidation market will be the next market in play. You will find that company in the $1 billion to $5 billion, $7 billion, $10 billion range are going to be looked at by a lot of players to say, "Can I get heft to catch up with Palo Alto or not?" And that's going to be an interesting play. And that's where I think a lot of mistakes will be made, but it will be interesting to see. And the policy, what was the policy question?

Next 5 years, what would be you policy agenda?

I think the most dangerous thing is to believe that you can rest on your laurels for the last 5 years and say, "I've got this figured out" because that's when all the bad things happen. So the idea is to keep staying paranoid, keep seeing where the market is coming at you. It doesn't mean that there won't be a great company that will be born somewhere that we have to take a look at hard to see do we innovate or do we buy. We got to keep that going. We've got to keep our heads down and execute. There is a lot of -- enterprise is a lot about perspiration. You still going to get those [ 3,500 ] platformization done. But a lot of the plumbing, [ picking ], getting our s*** ready has been done in the last 5 years. So hopefully, we have a smoother ride on the execution side. But as you said to me earlier, the bar is higher, so you got to execute more flawlessly, more times than we have had to in the past. So there is a constant growing up. That's why I said kindergarten versus [indiscernible]. But lots of good stuff ahead.

Fantastic. Thank you so much for such a candid discussion.

Thank you for having me.