Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Good day, everyone, and thank you for joining us today to discuss our announcement of Palo Alto Networks' agreement to acquire CyberArk. I am Hamza Fodderwala, Senior Vice President of Investor Relations and Strategic Finance at Palo Alto Networks. Please note that this call is being recorded today, Wednesday, July 30, 2025, at 6:30 a.m. Pacific Time. With me on today's call to discuss the announcement are Nikesh Arora, Chairman and CEO of Palo Alto Networks; Dipak Golechha, CFO of Palo Alto Networks; and Matt Cohen, CEO of CyberArk. Following our prepared remarks, we will conduct a short Q&A session. You can find the press release, shareholder letter and investor presentation on our Investor Relations website at investors.paloaltonetworks.com. While there, please click on the links for Events and Presentations to find the aforementioned items. During the course of today's call, we will be making forward-looking statements regarding the proposed acquisition of CyberArk. These statements made today are subject to a number of risks and uncertainties that could cause the actual results of the proposed transaction to differ from these forward-looking statements. Please review our press release and recent SEC filings for a description of these risks and uncertainties. We assume no obligation to update any forward-looking statements made in the presentation today. This presentation is not intended as an offer to buy or sell any securities. In connection with the proposed transaction, Palo Alto Networks intends to file with the SEC a registration statement on Form S-4, which will include a proxy statement of CyberArk that also constitutes a prospectus of Palo Alto Networks common shares to be offered in the proposed transaction. Investors are urged to read the registration statement on Form S-4 when it becomes available as it will contain important information about the proposed transaction. For more information, please see the investor presentation and the legends contained therein. With that, I will turn it over to Nikesh.

Thank you, Hamza. Good morning, everyone, and thank you for joining us today at such short notice. As you can see by our announcement, this is an exciting day for Palo Alto Networks. Earlier this morning, we announced our intent to acquire CyberArk. This established our entry into the identity security space. Over the last 7 years, I've always been asked at different points, what is our view on identity? And I've always given the same answer that every time there is an inflection in a cybersecurity swim lane, we look at the inflection possibility and decide and evaluate the market to see if this is the right time to enter it. We've done that successfully in the SASE space, where we believe we're #2 in the market currently. We've done that successfully in the XDR and security operations space with XDR and XSIAM. Most recently, we acquired the browser, and now you can see the number of people trying to build browsers in the new Agentic AI world. I think the same opportunity has now come upon us with the identity space. In identity, we believe that the emergence of agents is going to create a huge inflection point where they will have to be protected just like machines are. At the same time, given the amount of Ransomware attacks you're seeing where 88% of the Ransomware attacks are driven by credentials theft, which reminds you that identity is an unsolved problem. From that perspective, we also believe we have to stop talking about identity management and start talking about identity security. And from our vantage point, CyberArk is the only and largest player in the identity security space and hence, it allows us the opportunity to enter the identity security space. This will allow us to accelerate our platformization by adding a net new platform for identity security. Not just that, it allows us to cover a larger TAM of about $29 billion, again, allowing us to be the cybersecurity company that provides the most comprehensive set of platforms across the industry that deliver against the customers' need of security. Financially, this deal is going to be accretive on the date of close from a revenue and gross margin perspective and also will allow us to be accretive in free cash flow margins by FY '28. Not just that, this does not include any revenue synergy potentials and TAM expansion potential that we believe that this deal is going to offer. So from our perspective, this is the point in time where we can execute against this strategy. It has been working. We are a leader in over 20 cybersecurity categories today, and we are seeing tremendous uptake and excitement about our platform strategy. So from that perspective, the next chapter of our multi-platform journey is going to be identity security. I think that's a very large TAM, it's a large opportunity. And as agents and Agentic AI continues to evolve, we're going to see the opportunity in that direction. Going back to the space of identity. Identity has historically been separated in multiple categories. It's a very fragmented market. You have privileged access, you have identity security, identity management, you have identity governance, you have Agentic AI, you have machine identity. So from all these perspectives, there's about 100 vendors in the space. Again, we've seen this movie before. We've seen that movie in network security. We've seen that movie in security operations and SOC. Both of those have now been platformized over time. We believe the platformization opportunity has to arrive in the identity space. There's a fundamental difference in the way we've done acquisitions in the past. We believe that new vendors are going to come into place and replace existing legacy players. But in the identity space, what is interesting to watch that this is not going to be a new vendor space. We believe the current players in identity have tremendous technology, have tremendous assets and identity is something that customers are unlikely to change in short order. It's more than likely that an existing vendor who can deliver best-of-breed and world-class capabilities is going to have the opportunity to expand in their customer bases. So from that perspective, we believe the 70,000 customers that we bring, the 8,000-plus customers that CyberArk brings provide a phenomenal playing field and opportunity for us to integrate these security capabilities, deliver an identity security platform, both as CyberArk in the future and with the combination of XSIAM from Palo Alto Networks, which allows actually both of us to go address this space with a novel set of solutions once this deal is closed and actually finally solve the identity security market and deliver the much-needed platformization that is going to be required in this space. The one unknown, as we all know, is the world of AI. Two years ago, we were not talking about AI. We saw the emergence of ChatGPT. We saw people getting excited about LLMs and generative AI. That has changed. We started talking about Agentic AI, MCP servers and the fact that agents are going to work in the background and make things happen. Well, guess what? All these agents are going to need permissions and access to deliver these capabilities. For them to have permissions and access, we have to envisage a future world where agents are acting like humans or acting like machines and with permissiveness are going to execute tasks on our behalf. Well, we need to manage these agents just the way you have managed identities for machines or humans. But what's important is every one of these agents is going to be unsupervised. Unsupervision creates the opportunity for security challenges. In that context, every one of these agents must be treated like a privileged agent or a privileged user. Hence, we believe that CyberArk is well positioned to expand into the opportunity that is going to be presented by Agentic AI and the fact that each of these agents will be treated like a privileged user or a privileged agent or unsupervised agent, you can pick, take your pick. In that context, again, CyberArk allows us the opportunity to go ahead and plant a flag in the future market of Agentic AI. So we're really excited about the fact that they have a phenomenal privileged access solution, not just that, they are playing sort of a leadership role in the machine identity space, coupled together, positions them really well from an Agentic AI space. With that, that allows us to cover the majority of the TAMs in cybersecurity. Again, we started our journey at a $40 billion addressability from a TAM perspective. Today, we believe we can cover all major swim lanes of cybersecurity. Now going forward is for us to put these together in amazing platforms, deliver the capabilities our customers have are beginning to build credibility with us, we're building credibility with our customers in delivering the platforms around network security, around SASE, around cloud security and around security operations. We believe that gives us the right to work with CyberArk and deliver an identity platform and hence, provide the 5 major platforms that are required in the cybersecurity industry as a one-stop shop partner, vendor that allows our customers to go ahead and execute consistently towards their business objectives and their strategies in this constantly evolving world of AI. So with that, I couldn't be more excited to welcome and introduce Matt, who's the CEO of CyberArk, who's going to tell us more from a CyberArk perspective.

It's really, really amazing to be here this morning, and it's good to see all of you here. We're just so incredibly excited about the announcement. This combination represents a unique opportunity to accelerate everything we've been building here at CyberArk and to do it with like the scale, the reach and the resources with one of the most respected names in cybersecurity. Together with Palo Alto Networks, we will bring our vision for identity security to the world faster. We will bring it at greater scale, and we'll do it better than we could have done on our own. Today, every organization is navigating a surge of identities, human machine and increasingly, AI. And we believe every one of those identities must be secured with the right level of privileged controls at all times and across all environments. With Palo Alto Networks, we'll be able to innovate faster, we'll reach more customers and we'll solve their toughest identity security challenges even more effectively. What probably excites me most about this, though, is how our technologies will work together post closing. CyberArk brings deep identity intelligence. We bring context and privilege awareness across every type of identity. That context is strengthened by what Palo Alto Networks already discovers around powerful real-time security enforcement and an operations platform. Together, we'll create a virtuous security cycle where identity insights improve enforcement and enforcement reinforces identity posture. We're also incredibly aligned on where the world is headed next, and that's Agentic AI. Autonomous agents are by nature privileged actors. They need to be governed and secured like every other identity, only in this case, more dynamically. That's where we come in. Together, we're uniquely positioned to secure the next wave of innovation. In closing, I just want to say how proud I am of the CyberArk team and what we have done together. We've always believed in building for the long term. And this is the next chapter in that journey. I'm personally energized, excited and ready to take this forward together with Palo Alto Networks. With that, I'll turn the call back to Nikesh.

Dipak, do you want to say a few words?

Sure. Thank you. Thank you, Matt. Thank you, Nikesh. I, too, couldn't be more excited for the CyberArk team to join forces with Palo Alto Networks after closing. We firmly believe that today's threat landscape requires a platform approach, combining CyberArk's leading identity security platform with our leading multi-platform strategy will enable customers to respond to threats in near real time. Following the close of the transaction, we look forward to welcoming the CyberArk employees, the shareholders and the customers to a better together combined company. We've reached an agreement to acquire CyberArk for $45 per share in cash and 2.2005 shares of Palo Alto Networks common stock for each CyberArk share, which represents a 26% premium to CyberArk's share price and total equity value of approximately $25 billion. The transaction was unanimously approved by the Board of Directors of both Palo Alto Networks and CyberArk. It is expected to close in the second half of Palo Alto Networks fiscal year 2026, ending on July 31, 2026, subject to the approval of CyberArk shareholders and subject to the satisfaction of customary closing conditions, including applicable regulatory approvals. Post closing, we expect CyberArk to be immediately accretive to Palo Alto Networks revenue growth and gross margin. Furthermore, we expect the transaction will be accretive to free cash flow per share in fiscal year 2028, following the first full year of realization of synergies. We will update our guidance for Palo Alto Networks with CyberArk only after the transaction has closed. At this time, we are reiterating our stand-alone fiscal fourth quarter and fiscal year 2025 guidance, which we initially shared in our fiscal third quarter earnings call on May 20, 2025. You can find the details of this guidance on our Investor Relations website. Also, Palo Alto Networks will be hosting its fiscal fourth quarter 2025 earnings call on Monday, August 18, 2025, at 1:30 p.m. We look forward to discussing our results as well as additional details of this announcement at that time. With that, I'll pass it back to Hamza for any Q&A.

Thank you, Dipak. To allow for broader participation we ask that each analyst ask one question. We will take questions only on today's announcement, but we will not be addressing any questions regarding our fiscal Q4 results or CyberArk's fiscal Q2 results. With that, we'll take the first question from Saket Kalia from Barclays, followed by Jonathan Ho from William Blair.

Okay. Great. And let me just start by saying congrats to both companies here on the announcement. I think a lot of us will agree there's clear industrial logic here, uniting 2 leading platforms. So congrats to Nikesh, Matt and the whole -- both combined teams. Nikesh, maybe for you. Palo Alto Networks has driven revenue synergies from prior deals, just given the exceptional customer reach. And I'd imagine that's going to be the case here as well as we talked about in the prepared remarks. But you said something really interesting, which is about moving from identity management to identity security. And I think CyberArk has been a big part of that. Maybe the question is, how do you think about that shift and how that can contribute to revenue synergies longer term?

Saket, thank you for the setup. Look, I think when the idea of identity management and security was conceived about 20 years ago, I carry a badge, which allows me to enter my office and come in. The badge doesn't know what I'm doing once I'm inside the office. It's kind of like what identity management does. It authenticates you at the entry, but has no idea what you did once you got in the systems, as you move laterally, where you got into, which systems you went into thereafter. I think that's kind of why 88% of cyber attacks or ransomware attacks are through credentials theft, despite having a flourishing identity management market in the world. Now the only place we've deployed privileged access is in the case of crown jewels, which is where CyberArk has 8 million users. The question I asked myself, why can't 100 million users have privileged access? What stops us at 8 million? And the answer lies in the fact that 20 years ago, the cost to deliver the privileged access was much higher than the cost to deliver identity security. Today, technology has enabled us to deliver that at a much cheaper cost. The question is, how do I work with my friend, Matt and Udi, to make sure that we can deliver privileged access to every user at a lower price. If I can unlock that, it doesn't matter what we paid. What it does is it takes the 8 million user TAM and turns that into hundreds of millions of user TAM in the future. So really, the question is, how do we move from identity management to treating every user as a privileged user, not just that, to treat every agent as a privileged user. So I think that's the inflection point in identity. And we can forget about all the other 22 various swim lanes in identity. The biggest shift is going to happen in the 2 major swim lanes of identity going from identity management to privileged access management.

Our next question will come from Jonathan Ho from William Blair, followed by Keith Weiss from Morgan Stanley.

Let me echo my congratulations as well. First off, can you talk a bit about the customer overlap between Palo Alto and CyberArk and where maybe you see the most opportunity to drive that platform vision, particularly as CyberArk and Palo Alto together create this combined broader AI platform that clearly has an AI play. So I just want to understand a bit more where those synergies can show up and -- particularly on the customer overlap side.

Thanks, Jonathan. So like, Jonathan, there are 3 vectors, right? Vector #1 is how does CyberArk work with us to innovate fast and expand within their own customer base. They spent a lot of time, a lot of effort getting in. The average number of users per customer anywhere from 500 to 2,000 on an employee base of tens of thousands. So why can't they deliver the capability not just for 500 or 1,000 users, why can't we expand the capability to 20,000 users in an enterprise. So that's kind of Matt and me working together with this product team to make sure we can create that expansion capability. The second vector is how can I convince the platformized Palo Alto customers to say, listen, I have this great identity platform, work with me, it integrates loosely with our other platforms. It provides a comprehensive security capability and you have one throat to choke. So from that perspective, it's how can I take that from a go-to-market perspective and expand that into my customer base and allow us to give identity security capabilities. And geographically, we're way bigger in Europe and Asia Pacific than CyberArk. So there's obvious go-to-market capabilities that can bring to bear. I think the third vector is really over time, how can we build an identity platform as part of XSIAM to go ahead and change the narrative around this stuff. How can we do that for AI security, sort of the future growth vector, if you will, for the 72,000 customers that we have and introduce them to idea of Agentic AI and machine identity and the future of identity security.

Our next question will be Keith Weiss from Morgan Stanley, followed by Rob Owens from Piper Sandler.

So congratulations on the transaction. I think it is a bold strategic move, but one that makes a ton of sense. And I think most investors are optimistic and agree with you on the increasing strategic nature of identity security. So it makes a lot of sense on that side of the equation. We all like CyberArk and you can tell by the valuation and the valuation you have to pay to get it over the line. But the stock is down right now because people are probably apprehensive about the size of the acquisition and the execution risk. So you came into Palo Alto Networks. And at the time, investors didn't like any M&A within security. There wasn't a good track record. And you showed a really good track record of buying small technology start-ups, like going where the puck is going or sort of buying where the puck is going rather than buying existing technologies or existing companies. This feels a little bit different. CyberArk is definitely an existing company. It's a large-scale company. How do you take your learnings from sort of the initial tranche of acquisitions that you've done and help us get comfort that you can execute to this large acquisition that large acquisitions of companies make as much sense as those smaller acquisitions of the speedboats that you talked about earlier made sense and the execution will be as solid going forward.

Thank you, Keith. Very comprehensive question. I appreciate you articulating the concern. I think let's start at the top, where you said everybody believes identity security makes sense is something we have to have. Now I think it goes -- it's important to go back and reflect on what I said from an inflection point. I believe identity is inflecting in the next 2 to 3 years. If you believe that, we're on the same page. Now the question is, in the inflection moment, who wins? If you look at the inflection in endpoint, we saw a whole cost of characters go away and a new cost of characters come. And I know that even firewalls, we saw that happen. Now you're seeing that happen in the SIEM space. So the question is, why doesn't the market belong to future identity vendors in the identity space where it belongs to newer vendors in the existing space. There's one very important reason. If you ask a customer, which part of the infrastructure are they comfortable overhauling and revamping, they're petrified of taking the identity infrastructure and replacing it because they don't know what's connected to what. They don't know what is going to shut down. They don't know what's going to stop working because it's connected to legacy systems are connected to SaaS systems, it's connected to futuristic systems. So if an existing cybersecurity vendor can provide the glide path to make that transition to new technologies, innovation and the new Agentic AI threats out there, customers are more than likely to work with them than replace the entire stack. We've discovered that in the SIEM space, where we've been able to make a big technological leap and make that happen. So if you believe, one, identity security is inflecting. Two, this market is going to be different. Existing good players are going to be able to travel the journey with their customers as opposed to new players. And the question becomes great. Now Palo Alto, how are you going to take care of 3 things, which is your point about integration. One, how are you going to keep the pace of innovation? Well, guess what? 7 years ago when I came to Palo Alto, we had to accelerate innovation. I've had long conversations with Udi and Matt. We agree that they have to accelerate the pace of innovation, and that we know how to do. We can work with them to accelerate the pace of innovation. It is nonoverlapping with our product portfolio. It is noncontentious. We work with them to get them to move on identity faster. That's the first question. So that's not going to create stress in our system. The second question becomes, great, you've done that. Two, how do you create the integration points at scale because this is a larger company, both on the operating side and on the go-to-market side. Those are 2 different parts. Now remember, we have been actually internally over the last 7 years, taking speedboats, scaling them and merging them into our go-to-market infrastructure. Three years ago, we had a separate sales team for SASE. Today, our SASE sales team is our core sales team, right? Last year, we had a separate team for security operations management. We're in the process of integrating that into our core team because we need to go target $10 billion, $20 billion of TAM. Guess what? Identity is a scale team at CyberArk. Our job is to see how do we deploy the same techniques to go integrate that into our core team once we close this deal, so where identity becomes front and center as one more platform. Guess what? Our teams have learned how to sell 3. Going from 3 to 4 is a lot easier than going from 1 to 2. So we believe we understand how the go-to-market motion needs to be executed from a scale perspective. At the same time, we also work with our customers to understand how to do a platform buy with Palo Alto. So good news is we work with the customers, we work with our teams to make that go-to-market transition happen. We'll do that, too. In terms of the organizational synergy, which is the third pillar, is how do we make sure that we can run that business much more efficiently over time. I have no question that my team in the IT side, my team on the finance side and operational side is going to be able to make that happen. To be honest, that is not time critical. That is not in a short fuse. We can run that business. Our first job is to drive innovation, drive capability at the customer end. Our next job is to make sure that we can expand the capability from a go-to-market perspective. And thirdly, over time, make sure the back-end integration happens so that we can run this more effectively and more smoothly. And sorry, Keith, the last thing is like 7 years ago, I don't know how to -- anything about cybersecurity. So let alone integrating small acquisitions. I don't know how to -- the industry works. So in 7 years, hopefully, we've built the credibility and credit with our investors that we know how to do this, we've learned, and we'll get this next one done, too.

Definitely shown the track record of success. So congratulations.

Our next question will be Rob Owens from Piper Sandler. And we'll wrap up with Shaul Eyal from Cowen.

Nikesh, I'm impressed you got Hamza to put a sport coat on, first of all. So congrats.

We had to subsidize it.

Congrats on the transaction. I think we can obviously see the distribution synergies. But in Matt's prepared comments, he talked about being excited when the technologies work together. Now you said XSIAM could be the glue here. So I'm just curious, how much heavy lifting from an integration perspective because obviously, the portfolios really don't overlap, number one. And can you give us a sense of the more holistic view around Agentic protection and what this looks like in the future?

So Rob, great question. Look, first and foremost, we have to drive innovation just in the category of identity security and work with them to turn that current set of products into a platform. We've done that with network security on our side. I've had preliminary conversations with Udi and Matt. They're working on it, and I think we'll get there collectively because just the way we have done the other 20-plus acquisitions, we have spent inordinate amounts of time ensuring our product visions are aligned. I do not make an acquisition unless the incoming management team is willing to lead on a consistent joint product vision. I'm delighted to say that Matt, Udi, the entire product team at CyberArk is well aligned with our point of view. Obviously, they're the domain experts, but they understand our feedback and they're willing to accept it and work on a joint strategy. So why do we have to do that? I think the point of integration with XSIAM is that over time, I think security is going to break down into sensors, enforcement points on sensors and a large security data lake. With XSIAM, we have proven that we have a lot of security data lake capability across hundreds of customers so far, which continue to grow. We think over time, connecting those to sensors and enforcement points only the way security is going to get done. We worked that with our SASE. We work that with our XDR capabilities. We will do the same thing with identity. But that doesn't mean like every other platform of Palo Alto, you don't have to buy XSIAM to get identity security. It works better with XSIAM. It works equally well as identity security on its own. So our job again here is to make that platform work and make sure we can show to our customers the benefit of better together, where as and when they are fully deployed in XSIAM, if they involve the identity platform, they will get a better set of security outcomes.

Okay. Great. And we'll take our last question from Shaul Eyal from Cowen.

Thank you for that, Hamza. Nikesh, Dipak, Matt, Udi as well, congrats to all of you. Can you maybe just a comment building on Keith Weiss's prior point. Actually, we have been posing the same question to Matt Cohen back in May '24 when he acquired Venafi, which at the time marked the largest acquisition CyberArk has done at the time. So probably he has some inputs as to how a company migrates from a path of tuck-ins into much bigger transactions. My question is about the acquisition. So the way I look at it, absolutely offensive rather than defensive move, highly positive. We're still, Nikesh, waiting the Google, Wiz acquisition to close. Do you see Google, Wiz longer term once and if it closes as going after the identity arena? Is that something that comes to mind on your end?

So look, I can't comment on which party other people are going to go to. So I'll let them decide which party they want to go to. But I will sort of repeat what I said, I'm going to ask Matt to see if he has a perspective on this. I think identity is sticky. I think trying to overhaul your identity infrastructure in a company is trying to change the wheels on a flying airplane. And I don't know why you'd want to do that, but it's like that. So I think it's a lot easier if your identity vendor is showing you the right strategy, the right products and the right execution in new and emerging categories, it's a lot easier to make it happen. And I think the challenge is, over time, it will be impossible to separate agents from humans and from machines and in your infrastructure. So anybody who's going to protect agents has to protect users and machines because they'll be interoperable. What's the difference between me doing a task and an agent doing a task? It's one entity doing a task. The question is, can you manage permissions across those entities. Today, those permissions are being managed on machines. They're being managed on users on the Privileged Access case by CyberArk. There's no reason why the same consistent approach cannot be deployed to agents. You have to have the same control pane, you have to have the same permission controls. You have to have the same visibility, the same trackability that you need from a machine and from a user perspective. But this is me, this is my short-term learning on identity. Matt, did you want to add something to this?

Yes. Thanks. So in short term, it's still pretty accurate, which is the special sauce here in identity is the ability to be able to both secure all of these identities and to be able to not only see and visualize these identities, the risk, the posture, but also be able to slap on the controls, dynamically control those identities themselves. So when you think about what, Shaul, where you started with some of the competitors out there, they're living only in the discovery layer, only in the ability to be able to visualize and they have no ability to be able to control and they certainly don't have the ability, as Nikesh said, to be able to move across all identities within Agentic AI and a machine-first kind of strategy. And so our ability to be able to do that, to do what Nikesh has been describing today is special in the market. And when you combine that then into all of the data sources that sit within Palo Alto as a whole, we can do things on a dynamic nature that no one else will ever be able to do.

Well, I guess with that, I want to thank all of you for joining us on such short notice. I appreciate all the kind words and support. And both me and the management team have spent a lot of time ideating and understanding if this is something we could take on and execute on. We feel confident that this is the right strategy for Palo Alto at this moment. This is the right answer for our customers from an industry perspective in terms of what we want to deliver from a multi-platform comprehensive security perspective. I think what Matt and Udi have built is spectacular. We have seen tremendous amounts of candor, resonance and the right cultural fit and values on the CyberArk front. And we think that if anybody can get this done right, hopefully, it's the 2 teams at Palo Alto and CyberArk. With that, thank you to all of you, and thank you to all of our collective employees. We're going to make sure we make them all proud.