Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

All right. Can you hear me okay? Awesome. We'll get started. I'm Roger Boyd, I'm the cybersecurity analyst here. It's my pleasure to introduce Nikesh Arora, Chairman and CEO of Palo Alto Networks. Yes, thanks for being here. Before we get started, we're going to have a 30-minute Q&A -- fireside chat. If you want to submit a question, you can use the app. There's a QR code on the tables that will allow you to submit, and I'll do my best to weave it in the conversation. But with that, thanks, again, for being here.

Thank you.

Awesome. Maybe just to start high level, coming off 1Q, there's a lot of topics to get into, but high level, how are you thinking about the macro demand backdrop today? And as we entered 2025, how are you thinking about cybersecurity as a budget priority?

Look, first of all, thank you for having me here. I think the biggest change we have seen so far in terms of any overall macro thesis is that AI continues to become a bigger and bigger topic across the place. So it seems to be that AI funding will continue, whether it is those in these large hyperscalers or perhaps enterprises trying to figure out, there's a lot out there. Nobody wants to be left behind. So they don't want to find out that their competitors got AI right, either if you're an AI provider or an app provider or perhaps an enterprise who didn't adopt it. So that's kind of like one interesting new data point. And the other interesting data point is we're all cautious about what the new administration is going to bring in terms of all the big changes we're seeing. But there seems definitely to be some degree of technology focus, given Elon Musk is camped right by our incoming president. So you'd expect there'll be a difference in the rhythm or investment focus or perhaps the decluttering of regulation going towards technology. So generally, I feel more optimistic about technology spending today than I possibly felt 3 months ago. Against that backdrop, we've always maintained that the cybersecurity debt has not been paid yet. And if you look at the amount of time and effort spent by bad actors to create economic outcomes for themselves, whether it's against individual consumers or against enterprises, that doesn't seem to have abated. So that activity is on, investment is going to be positive, which means there's a little more room and budgets for enterprises. And then hopefully, in that -- against that backdrop, we particularly hope to take more market share over time. So I feel good about it.

Okay. I want to touch on the regulatory backdrop. But before that, you mentioned AI. And we sat here last year, we talked about kind of the impacts of GenAI and cybersecurity, and it felt like a lot of the concerns over what GenAI could mean from an attacker perspective were pretty vastly outweighing the near-term potential benefit for the vendors. And I think broadly as an industry, we're talking about operationalizing Generative AI into 2025. But do you feel like from your business, what you're doing with some of your co-pilot offerings that next year, we can start to level the playing field? Or do you think that kind of unbalanced way that attackers leverage new technology persist? Does that make sense?

Yes, it makes sense. I think if you step back, I think we're all -- we're all getting too caught up in the short-term impact of AI. And I think you just step back and look at what's happened in the last 12 months, 18 months is that think about it, we're building a smarter and smarter brain. If you look at all these new models, whether it's BOT3 or ChatGPT or Gemini or their next model, Llama or their next model, you're seeing these models are getting smarter and smarter so better and better over time. I think the tipping point is going to be inferencing is how do you reason, can these models reason? Can they figure out answers to questions, which they've not seen before. Today, they're pretty good at answering questions that they have seen before and getting better and better at it and we're all training around them. Now if they start inferencing stuff or figuring stuff out, perhaps like you're literally driving in, there's a Waymo with nobody in it, right? So you got a car which is driving itself. And 10 years ago it sounded like science fiction. If you imagine yourself 10 years out, and think about what the world would look like from that perspective, we would give up a lot of autonomy to AI, just like the car or the driver. Let's step back. I think every company is going to have to give autonomy to some version of computing. If that happens, what is your control system? Where is your kill switch? How do you stop rogue actors from getting their hands on this stuff. Just the way you need petabytes and petabytes of data to figure out whether the car should take the risk and drive across traffic and take the turn, you need petabytes of petabytes of data to understand how to block bad things from happening. So I think if you look back and people say, well, why is it does Waymo have an edge? Or does Tesla have an edge? They both have a lot of data. Waymo is collecting a lot of data, Tesla is collecting a lot of data. Let's transfer that to cybersecurity, who has a lot of data, incumbents. I can start a company today and say I'm going to go collect 20 petabytes of data on cyber activity and go build an antidote to AI. I think from that perspective, if you think slightly longer term, AI will be relevant and prevalent in most enterprises in many, many, many incarnations, in many shapes or forms. And have -- I got a 3D image made on my arteries using an AI product because it had analyzed 250,000 MRIs. You can't do it without that data. So if you believe that's going to happen, then the question is how do you control for that. And that control is going to require AI applied to cybersecurity as well, which means advantage incumbents. Now a bad actor is going to tactically in the short term trying to impersonate you and me, of course, they already are because they see an economic opportunity. But I think that's the wrong end of the spectrum. The bigger question is, are we going to get out of this business of trying to solve most slivers of cybersecurity by funding 2,000 startups a year? The answer is yes.

Got it. Okay. Maybe just one more on the regulatory environment. I think you rightfully pointed out that the focus on automation potentially creates opportunities with you for the federal customers. How do you think about a more deregulatory environment broadly as a demand driver for cybersecurity? And I think you maybe agree that there's been an element of cybersecurity demand fueled by regulation. And I think that's probably faded a little bit as the attack environment has gotten worse, but do you see that as a potential headwind at all?

Well, look, there's 2 versions of the regulation. One regulation towards all of us as companies. The other regulation as it relates to the federal government. Let's start with the federal government for a second, right? 80% of the federal government cybersecurity budget is a services budget, not a product budget. What that means is they would rather hire people than buy products because it takes 5 years to certify or 3 to 5 years to certify a cybersecurity product to the entire procedures to get to say. So by the time you're certified, you're 5 years old from a technological perspective. That sounds cool. It took them more than 5 years to agree to have a cloud provider in the federal government and not fully deploy it. So if you believe that, that any regulation is going to make it easier to adopt technology in the government, how do you drive efficiency without automation, without technology, I don't know. So from that perspective, any regulation that makes the adoption of technology faster in the federal government is good for technology business. Once it's out there, it's good for us. It's good for every technology company out there. If you take a look at how does regulation change or apply to companies out there, enterprises out there, I think there's too much how-to regulation out there. You should do this this way, you deploy Zero Trust, you should be secure. I think the -- what needs to be more focused on, which is, what's the outcome? If you get breached, you better have your stuff together. So I think I'm hoping that regulation shifts towards outcomes as it relates to companies and say, "You have to stay secure and the way to stay secure is to understand how quickly you redeem yourself, how quickly you fix yourself." Hopefully, that will be more where things go in the future.

Yes. Got it. Okay. On platformization, you ended Q1 with I think 1,100. You put this target out of getting to 2,500 to 3,500 by fiscal '30. Now that we're a couple of quarters into this kind of push, how do you think about that sales motion? Is it becoming more repeatable? Have you been able to leverage the channel to the extent you wanted to? And how should we think about the trajectory of those platformization we get towards that target?

Sure. So I think it's important to abstract us for a second. So look, the cybersecurity industry has -- every company, every one of our customers has anywhere from 20 to 70 cybersecurity vendors protecting them, which is bizarre because that means our customers have to understand 70 products and be able to figure out real time how stuff is happening in their enterprise across 70 products, which is technically infeasible, it's just impossible. We barely understand our products well enough that some customers understand 70 products is just hard to imagine. But okay, they do. If you look at every subsector of technology, some element of -- and I'll call it platformization because platformization means that things have gotten integrated the customers don't have to do the work, whether you look at the biggest SaaS companies out there, why do they exist, whether it's a Salesforce, Workday, ServiceNow, Adobe, what do these things do? They take 10, 15, 20 solutions, make them work together. So you don't have to buy 15 of them to make them work together yourself. At a most fundamental level, that's what we mean by platformization. Now 6.5 years ago when I started, we were one of those 20 vendors or 40 vendors. Today, I can consolidate 60% to 70% of my customers' estate by saying, you don't need 15, 20 extra vendors. I'll give you one solution that works together across this. Now it's an early step. This is something you've got to persevere and grind because the more you persevere and grind, we know 2 things are going to happen. One, customers are not going to go back. Nobody is sitting in their company saying, let's replace our CRM system called Oracle or Microsoft Dynamics or Salesforce. Let's go back to the old time when you have 18 collabs that we used to stitch together. Nobody is doing that. So if I can get customers to go from 40 to 15 vendors from 70 to 25, I have a reasonably large share of what remains. That's a good thing. And that sets us on a path, which means better profitability in the future, better outcomes to the customer. So we've done that about 1,100 times. We couldn't have done it 6 years ago because we didn't have the portfolio. Today, we have the portfolio. So we think if we can take that number and roughly triple it in the next 5.5 years, that allows us to get to about $15 billion in ARR, which makes it a real company.

Got you. I want to talk about this end market and XSIAM. I think that's one of the bigger opportunities out there. If you look at all the vendors that are targeting next-gen SIEM, I think the commonality is some level of integrating SIEM more tightly with endpoint or in some cases, cloud security. How important do you think that is? And just what's your high-level view on how the next-gen SIEM market kind of plays out from here?

Great. The way you should think about cybersecurity is that for the -- in the past, everybody had a swim lane and just swam in that line, which is identity management, endpoint security, stock management, network security. And we all stayed in our swim lanes and played in our swim lanes. But what happens is every 10, 15 years, a big revolutionary change happens that swim lane gets disrupted and new set of vendors are born. Palo Alto was one of those vendors who was born in something of the next-generation firewall came about. Before that, people were buying all kinds of different stuff. So we started to play and win in that space. Zscaler came back, They did SSE or ZIA at that point in time, so they started trying to play in the network security space. And the network security swim lane has evolved, where we now command the lion's share in that space because of the evolution we've had to our company. But then there's the end point swim lane that got disrupted and Symantec, McAfee and the others took a backseat. You saw the CrowdStrikes and the SentinelOnes and the Cylances, Carbon Blacks take up, we started to play in that space too. I think the same inflection has now come to SIEM. In this inflection, the old guard of QRadar, DaaS, TiVo, Splunk all these people are getting challenged by the new vendors. I think this is a $20 billion to $40 billion market in the next 7 years, I guess, fundamentally disrupted. We think we should be one of the top 3 players in this market in the next 24 months and sustain that lead, which allows us a bite at a larger TAM over time. So that's kind of the overarching picture. To accelerate that, we made an acquisition, which we closed in August, which was we bought IBM's QRadar SIEM business or QROC SIEM business to be precise because they're SaaS offering, and we're working with IBM to see how many of the on-prem customers can be migrated to Palo Alto. That allows us to cement our strategy to be one of the top 3 players in the next 24 months. And that helped us cross $1 billion in ARR in that space, which is the fastest $1 billion ARR of any new swim lane that has been created. Yes.

I think -- feel free to push back on this, but relative to some of the other vendors in the space, it feels like Palo is aiming for more of a SOC transformation. And I think it kind of goes back to everything you've talked about so far. But maybe relative to other vendors in the space, it's a potentially heavier lift and feel free to push back, but you've got about...

Allows you to push back 3 times, go on.

You've already added about, I think, 150 XSIAM customers. You've got 500 or so QROC customers and I think double that or additional $500 million that's on the on-prem installed base. How do you think about kind of the S-curve adoption of XSIAM from here?

Is a heavier lift a bad thing or -- is a heavier lift a good thing or a bad thing?

Well, I think it's potentially better longer term because you're aiming for more of a SOC transformation where maybe some of the other vendors are pitching a kind of like-for-like Splunk replacement.

Yes. Like when I worked at Google, Larry used to tell us that 10x is better than 10%. So if you aim for something big, you aim for 10x, you get to 3 or 5, that's a better outcome than aiming for 10% and getting 7%. So I'm all in for the heavy lift. The heavy lift allows us to go to customers and say you get a real outcome. Of the -- we sold 150 of these in the last 20 months. We've deployed north of 60 of these. 50% of them have a median time to remediate a security incident under 10 minutes, which means under 10 minutes, we find out at a customer that something bad is happening in their security infrastructure across any vendor, and we can help them fix it. That's a good outcome. The current standard in the United States is 4 days. Well, yes, it's a heavy lift. It takes 4 months to get that from current 4 days to 10 minutes. Would you rather have 10 minutes or replace your 4 days with cheaper technology? Yes, I'm all in.

Well, to be fair, I mean, of the 150, I think you've talked about 40 that are spending $1 million plus per year. So it's...

The good news is the replacement TAM. People already spend the money. We go and tell them, you're already spending the money. We can give you a better outcome from 4 days to somewhere under an hour. And if you get there, this is net positive because we get -- you can't get to a minute, which is where we are, if you don't get to under an hour from 4 days. And AI is going to be -- at some point in time, it's real time, right? There are some products that work real time. You try and attack somebody, we can stop you real time. You try and go to a bad Internet address, which is going to be spammy or has phishing attacks on, we will stop it instantaneously. You can't wait 4 days to stop that stuff.

I think you debated on the earnings call, whether the QRadar Talon deal was one of the best acquisitions you've made as a company. But just to shift to SASE with Talon, you've talked about pretty impressive adoption. How do you think about the use case for that within the SASE broader universe? And just how do you think about enterprise browser adoption? There's been some chatter about what happens with Google. Any impacts to how you're thinking about that space?

So again, if you step back and think about it, all of you are in your devices, some of you are on iPads, Apple phones. All of you are trying to access some application in your company, hopefully, not watching Instagram, but that's fine too. When you access the application in your company, you have to go through some sort of security protocols, right? When you go through a VPN client, there's a bunch of security protocols that's going to your firewall. You have Zscaler or Palo Alto, which is going to a SaaS application, we're running some security on your endpoint. Now in many cases, it's hard to see what you're doing because some of the applications encrypt the data and don't let us in, which is fine. And it gets decrypted at the other end, giving you a secure tunnel. Enterprise browser, which is like using your Safari or Chrome or Microsoft Internet Explorer browser, you can use those where we can see everything. As you get towards an AI world where you want to watch what people are doing because they're going to be putting company-specific information up in the cloud, visibility of that data is more important. And as the world gets to more and more cloud applications, you don't need fat pipes running back to your data center. So we have a different technological view of the world. If you look at all the consumers, 90% of what consumers do on their laptops is through a browser. Think about your significant others or your kids, 90% of what they're doing is in the browser. I have young kids. They're in the browser. They're doing Zoom on the browser, doing teaching -- learning apps on the browser. If you believe that's the consumer use case, 90%, that use case will prevail in the enterprise as well in the next 3 to 5 years. If 90% of what you do is going to be in a browser, browser takes on an even very, very important role in how we secure everything that happens in the company. So that's our bet. We sold 1 million endpoints. We've got 115 customers in the first 6 months after closing a deal. This is the beginning. And again, it's very important, at least in my perspective, for companies like us, look, in Silicon Valley, tech companies die if you don't focus on product and technology changes. You look at the history of companies that have -- the graveyard of technology companies when companies lost focus on where technology was going, what the product was. We don't intend that to happen to us. We want to be the first evergreen cybersecurity company. From that perspective, we're constantly watching technological trends and making bets. Some are going to work, some are not going to work, which is fine, our portfolio theory. Our bet is that browser is going to be big in the world, which means that security through the browser is going to be a very, very important topic. So we pivoted our SASE strategy saying clients are important, VPNs are important, but browsers are very important. So we made an acquisition. We've taken their browser capability, connected to all of our security capability, and we'll see.

High level on SASE, we've talked about kind of the endpoint market and the SIEM market, maybe narrowing down to 3 or 4 big vendors. you think that plays out in the SASE space? And I think right now, it's probably a story about 3 or 4 or 5 vendors depending on who you ask, but you've got potentially 7 or 8 total that are looking to enter the space. And I think part of that speaks to where we are in the overall SASE adoption cycle, but how do you think about SASE as kind of a critical area being satisfied by a few vendors?

SASE, for those of you who are not fully initiated is a market where we all provide access capabilities to your devices, to your companies back. Every employee needs that access, everybody is going to have it. 70%, 80% of the market is still legacy. It's still sitting on old technology, old techniques. And as the world goes more towards the cloud, whether it's SaaS applications or Google, Microsoft, AWS, public cloud outcomes because AI will drive us there faster, hopefully, on the endpoint. As that happens, most companies will have SASE-ification that will happen. There are more SASE projects out there than any other projects, but they just take longer because companies need to rearchitect their network. And so I think it's a big market. It takes time. Like there will always be 7 to 10 vendors. In the end, if you're not in the top 2, it doesn't matter, maximum 3 if you have a way of getting other stuff. So any vendor who is 4 and below, it's just like one of these days will get bought by somebody in the industry who likes to buy those companies and cut off their fourth market share position as you've seen in certain categories.

Fair enough. In the past, you've talked about firewall being a single-digit growth area. It felt to me like on the last earnings call, you were maybe warming up to a view that hardware could better support your growth across the board over the next few years. Can you just put a little more context behind that? And I think a lot of investors are aware of one of your competitors talking about a firewall side.

I love it. I'm glad they have 25% coming up for renewal. We'd love to get a share of that. But that notwithstanding, a firewall -- step back. I think you all believe that the traffic in the world is compounding every few years, right? The amount of Internet traffic that we're sending back and forth is compounding. Just that Waymo out there is sending tons and tons of data through the Internet somewhere. And if there's 1 million of those floating outdoors, there's more data. If every train is sending data, every lamp post is sending data, there's more data in the world, right? We all believe data is not slowing down. Any security that needs to be applied, you have to inspect every bit. Inspecting bits is an overhead. It's like you're taking off your shoes at the airport. It's overhead. It costs money, somebody else just slows you down. Security works the same way in the Internet. So our job is to create low latency, do it as fast as we can without being painful to the process of inspection. That's inspection. That inspection is done by a firewall. Firewall comes in 3 varieties. They come in hardware, they come in software and they come on your endpoint as SASE. That's the 3 products that universally work in the firewall. Hardware is still the fastest inspection at the lowest cost. Software is next. SASE is more expensive because I got to every laptop, put it on the laptop and it's more expensive to deploy and maintain because of the spread of it. So if you believe that, there are still many use cases where hardware is the best way to solve the problem. And that's not slowing down. Now because a lot of the world is going to the cloud, you don't see it, but Google builds -- buys some hardware from vendors and Amazon builds its own and Microsoft is a bit of mix in that. So as you move to the cloud, the data centers are going, the hardware is moving from the data center to the cloud. Some people buy hardware, some people don't. But the amount of inspection need is not stopping. So there is going to be a steady growth rate of the hardware business. I've always said for the last 6.5 years in the 0% to 10% range. Some years it's 0% to 3%, some years it's 8% to 10%. The pandemic supply chain caused a bunch of fluctuations, but I see it coming back to normalcy. It's in the 5% range. What -- the real value is when you deploy hardware, can you put more software on top of it? I think what's changing is we're adding more and more software capabilities because the hardware box is an amazing piece of compute and throughput sitting in the customer's infrastructure. Once we get there and we have 60,000 customers using it, we can do a whole bunch of stuff on top of it.

Got you. So I want to talk about free cash flow, and I want to ask you about billings.

What is that?

Anyways, if you look at last quarter, I mean, pretty impressive free cash flow results. The billings result was, I think, below where people had expected. Again, you're not guiding to it.

You shouldn't expect something I don't pay attention to.

Fair enough. Fair enough. Can you just talk about -- as investors look to get comfortable with the free cash flow guide, what other levers you have to control free cash flow? And I think investors recognize the $1 billion plus you have in short-term backlog and short-term finance receivables, but anything else you can provide around color around some of the operational and working capital benefits?

I possibly -- a colleague of mine used to say repetition does not spoil the prayer. So I will repeat. Billings is the worst metric to measure software companies on. If you measure companies on billings, it means you need to understand the dynamics of our businesses because billings is fundamentally driven by what payment terms customers accept. Traditionally, customers are willing to pay you upfront for 3 years. Now there's a model which is closer to 1 year. And depending on what proportion of your business is 3 year versus 1 year and where you land in the spectrum is what billings is for that quarter. If you can predict it, I got a job for you because it's a very hard number to predict if you don't understand payment terms you're taking every contract. And it creates way tons of friction in our businesses when we're trying to beat a billings number because we're trying to get more 3-year deals because we're trying to get a better billings. The longer the tenure of the deal, the better the billings number fundamentally. So which fights in the face of SaaS business of 1-year deals. So looking at companies and billings is a bad idea. Even bill, I say that your first 2 paragraphs of your research last quarter were dedicated to billings. I don't know why, but some of these things are convincing. But the numbers to look at is how much business do we book? What is our remaining performance obligation, what is my deferred revenue and what is my revenue for the year? My revenue for the year pays my bills. My deferred revenue or RPO tells you how much business I've contracted. There's nothing to hide. So that's why we pivoted to that. That's where we want to live. That's where we're going to live and die by. Billings, I don't understand anymore.

Got it. Okay.

On free cash flow, so the only thing going oh my God, if you're doing more 1-year deals, you're not collecting as much money upfront. 50% of our business comes as upfront business, below $1 million deals. They just come and give the check. The channel collects the check gives it to us. So 50% of my free cash flow is not perturbed by any change in duration on my deals. Of the remaining business, half of my business has already gone to an annual payment term. That's derisked. I collect every year I bill, which means I have other collections I can have, which are still not collected from past years. The remaining half of that is set in a normal decay over the next many years because when I joined Palo Alto, it used to be 5% of our business. Now it's 25% of our business in annual billings, 50% has stayed constant. It's decayed 5%, 3% to 4% a year. If it decays at that point, we maintain mid- to high 30s in free cash flow. If it decays at that rate, we expect we'll be able to maintain that. That's not a bad place to live.

Got it. I'll ask one question from the audience. The question is whether diversification of solutions is preferred in cybersecurity? And you spoke a little earlier about how it's physically not possible for companies to manage 50, 70, 100 different solutions. But any change you perceived in the market around risk diversification following the CrowdStrike incident? Has that materialized at all?

No, I think it's a fallacy to believe that having 40 vendors allows you diversification. I think the benefit is of consolidating into single stacks where things will move fast. Like imagine, if you -- like it's a crass example. But between the time you log into your laptop, by the time that connection hits your data center and hits AWS, you run through 7 cybersecurity vendors. Somebody's got to figure out across these 7 vendors, what happens and how to protect. I don't think any company out there is going to have the resident skills to integrate our products at scale, speed and to deliver the outcomes as quickly as they're needed. So eventually, you will see this world of platformization that's going to emerge, and you will see that smaller vendors are going to be by the wayside because I think that strategy hasn't worked. It hasn't worked. Like we have history to prove. There's $12 billion in ransomware that's been paid. But if it was working so well, that sounds like a lot of money that shouldn't have had to be spent. So that strategy hasn't worked. And the fact that we've been able to convince 1,100 instances where people want to consolidate vendors, we consolidated on average 5 to 8 vendors every time we do one of these.

Cool. I think we'll end it there. So thank you very much for joining. It's a great chat, and thank you all for participating.

Thank you for time. Appreciate it.

Thank you, everyone.