SSH Communications Security Oyj ($SSH1V)

Welcome to SSH Communications Security's Q1 2026 Investor Call. My name is Aino Virolainen. I am a part of the SSH finance team, and I will be hosting the call. The results will be presented by our CEO, Rami Raulas; and our CFO, Michael Kommonen. After their presentations, we will have a Q&A session, and you can ask questions during the call by writing in the chat. The call is being recorded, and we will share the recording as well as the presentation material on our Investor pages. And now we are ready to start with the presentation. So Rami, the floor is yours.

Thank you, Aino, and welcome. Q1 was a little bit, should I say, dualistic. So we had areas with very good progress and then some struggles in a few places. First of all, let me just go through a few things on the financials. Michael will go through a bit more of them. So in our main market, Europe, by the way, which is really heavily now influenced by European sovereignty theme, which is a good benefit for us. The EMEA market, which is more than half of our business as well, grew 8%. And our main product, PrivX, Privileged Access Management solution, grew 20%. So that's a very solid progress. In the U.S., measured in USD, we grew a little bit, but since our business is invoiced in dollars, U.S. dollars then outside of Europe business did not grow because of the value of the dollar. So overall, very kind of imbalanced in a way, if you wish. Invoicing grew 7%. And with the investments that we have made now for the growth, we recorded a bit negative EBITDA as well in this quarter. We have invested a lot in building more capabilities into PrivX, of course. In the modern environments for Privileged Access Management solution is always integrated with very advanced environments, private cloud, cloud, high-performance computing, AI computing with topics like Terraform and Ansible and other integrations. And we've put quite a bit of effort and investment into that development in Q1 and have come out with some of them. And actually, we won a few deals on the back of having those integrations implemented as well. We also invested in sales and marketing, also made an organizational change on that. Of course, certainly, one of our challenges has been that we don't have enough demand or awareness, and we are going to put more effort on that. Last year, we spent a lot of -- still in Q1, spent a lot of effort in going into events, meeting people face-to-face, which works. We gain a lot of traction and get good opportunities from there. But we need to get more, obviously, kind of inbound traffic. And that's why we also launched our new website, new digital face. You may have seen that, and we'll start to promote that in digital marketing and messaging much more moving forward. We broadened our opportunities for the NQX Quantum Safe Encryption markets. I'll talk a little bit more about that, and there was indeed a new area with a satellite operator manufacturer that decided to choose PrivX for secure communications between land sites, not between satellites yet, but land sites. And then we had very good progress with Leonardo. We are now tightly integrated or embedded into Leonardo's Zero Trust Solution Suite. And there are some really cool customer cases being worked on at the moment. In Q1, only a handful -- only a few deals with Leonardo came through. Some of these deals are with public administration or critical infrastructure vendors. So they have a long buying cycle, but we've gone through a lot of validations and bidding and tendering, which is all looking very positive. And then to balance that out, we also have, of course, markets and areas where Leonardo is not that active. So we onboarded also new partnerships, Intragen for the European sovereignty for identity and access management, especially in Northern Europe, but across Europe and then in other markets in Vietnam and Taiwan as well, new partners. And last but maybe not least, so also decided to change the organizational model. I mean, not only just a few years ago, 2 years ago, we moved to 3 business units and 3 regions. Now the decision was to move to more functional leadership or capability leadership. So we established a new role for a CPO, Chief Product Officer, for product strategy, product management, and product marketing and the execution of go-to-market with the regions. So Harri Pendolin was appointed in February and joined us. Miikka, who is our CTO, got the whole engineering and the whole product portfolio responsibility for engineering and development. And then David Wishart, our VP of EMEA, was appointed to the Board as well. And then later on in Q3, we'll have also a new CFO joining us. And I'll hand over, Michael, to you for the numbers in a bit more detail.

Okay. Thanks, Rami. So if we look at the numbers, the financials in a bit more detail, in the first quarter, our sales declined by 1.6% and EBITDA was negative EUR 0.6 million. So the overall sales were EUR 5.3 million. We had a subscription ARR growth of 3.5% and PrivX overall sales growth was 19.7% in the first quarter. The EBITDA development was driven by continued investment in sales and marketing globally and also we did more R&D work on PrivX integrations, in particular, that drove the cost increases in those areas. Outside of Europe, in the Americas and Asia Pacific, our sales performance was negatively affected by the weak USD. So also in APAC, nearly all of our sales is invoiced in U.S. dollar. On the balance sheet side, we, on March 16, announced a voluntary tender offer for the hybrid loan. And we received tenders of 92.5% of the outstanding amount of hybrid loan. And we -- in the beginning of the second quarter, on April 8, we announced the outcome where we accepted all these offers. And after this transaction and some more -- a few more minor transactions, our outstanding value of the hybrid loan today is below EUR 0.5 million of the original EUR 12 million of hybrid loan. So there's not much remaining there. A few more numbers. Subscription sales growth was 3.9% in the first quarter. Deferred revenues increased to EUR 14 million, reflecting several multi-year invoices during the quarter compared to the previous year. EBITDA was, as mentioned, negative minus EUR 0.6 million and EBIT was negative EUR 1.4 million. In the comparison period 1 year ago, we had a write-down in the secure communications secure mail product, which affected the EBIT number a year ago. Cash flow from operations was -- sorry, EUR 2.1 million, positive in the first quarter. So with that, I'll hand back over to Rami.

Thank you, Michael. So I just wanted to say a few more words about PrivX, the growth engine. It's one of the largest markets in cybersecurity, healthy growth, a lot of competition there for sure as well, but very few modern players. Most of the players there are 20, 25-year-old legacy suppliers and customers are changing their environment. The Zero Trust transition has already started to take big effect. And people have been modernizing their infrastructures, moving to cloud, doing automated environments and the legacy platforms don't really suit well to that. So we are very well poised there. And here are some examples. You'll see in the coming days a bit more about those, but a couple of customer cases that we were able to win in the first quarter and now in April as well. So maybe the beginning, January, February were a bit slow, but now in March and April, we've certainly seen much more pickup on new deals and new customer selections of our solution for their environments. As an example here, telecom organization, airport facility, so public safety, managed service provider, IT service provider, a couple of other in the government area as well, another big finance company, which we just closed. And what I think is interesting is that there were 2 cases of deals where customers chose PrivX as an access control to their high-performance computing environment. Now what is high-performance computing environment? It is a supercomputer combined with AI GPUs, graphic processing units. Most of them -- most of you know NVIDIA as a provider for that. And some customers, some partners have invested heavily. For instance, Leonardo has a DaVinci supercomputer in Italy, have invested in that to bring their own AI capabilities for quant trading in the finance sector or security and safety, like in the Leonardo case. Maybe this is a trend. We see more customers investing more in AI computational capability because it's not any more readily available from the big cloud vendors and the prices are hiking up very rapidly there. So we are very well positioned if that -- if and when that trend picks up more. The other developments that I briefly mentioned earlier on PrivX was that we -- I mean, if you think about our product solution offering, starting from SSH, the Secure Shell foundation to begin with, it's always been a lot between machines, machine-to-machine connectivities or machine identities. Now they got a new name a few years ago called nonhuman identities. And the biggest influencer moving forward for nonhuman identities is AI, Agentic AI and AI agents, which will be sprawling everywhere, and they will have a lot of autonomy to work. They're also not deterministic, so dangerous in that way. And there's a lot of concern now that by releasing these Agentic AI, so AI agents all over the place, you don't -- you can't control specifically what actions they take when they access the API-driven architectures that customers nowadays have. So we introduced already the AI controls and more nonhuman identity controls into PrivX. I demonstrated personally to about a couple of thousand people at the Gartner event in London in early March, and we got really good response on that. So everybody are talking about it, very few are showing it. We also did a really cool thing of integrating AI capability together with Leonardo's Global Cybersecurity Center, which is all about this kind of identifying, protecting, detecting, responding, and recovering from malware attacks or mishaps in critical IT environments. And what we've been building there is that the global GCC using AI and using that HPC computing capability pulls or monitors data and actions and connections from PrivX. If there are any anomalies or dangerous risks, it will tell PrivX to not keep going on those connections. And vice versa, if in the environment, there are vulnerabilities like there have been like Fortinet operating system was hacked, Cisco management system was weak. So then we would get the information, PrivX or customers using PrivX would get the information from a global cybersecurity center operation saying, ho-ho-ho, there's a risk here. Let's block the access until it's been patched and updated to be secure again. So very modern. This is, by the way, one of the trends that, for instance, Gartner, the leading market analyst is saying that AI integration with SOC and NOC or global cybersecurity centers is one of the key trends on the market. So we are very well positioned together with Leonardo on that. And then we introduced more functionalities into PrivX itself as well. I mentioned a few of the analyst views. So here are some of the themes that I see personally as very strong, favorable for us. So first of all, I think we have a great product portfolio, really well suited on the current market trends. Customers are happy about the products. They continue to buy more. They give very favorable peer recommendations, 93% of our customers are willing to recommend. We get 4.5 out of 5 scores, which is right on the top of the industry. We have received in the past 8 months and now, again, now I'll show you one, in Q1, very favorable analyst reports on our solutions, PrivX and OT security. We have continued the integration of our solutions. And especially between PrivX and Key Manager and then PrivX and NQX. And the European sovereignty, European for Europeans, organizations, governments looking at how much do we dare to rely on American infrastructure and cloud services, how much of the data and identities should we handle in our own domains with our own security controls. And I'll talk a bit later about one great example of that in Italy. But I mentioned analyst reports. So let's have a look at the most recent one from Q1, which is from the Gartner Group as well for market guide for CPS, which is about OT security. And in that we are a listed vendor amongst 14, 14 vendors, out of which 4 are from Europe, Finland, Denmark, and France. The rest are from Israel or America. And as you can see there, very, very good summary of the capabilities of PrivX Secure Remote Access or PrivX OT, hiding the access consoles, which are passwords. The attackers don't hack in, they authenticate in. So they have your secrets and passwords and they get in. So malware and hacks are not the way to enter nowadays. It's about getting the identity from someone else or something else. And in addition to this positive, we already have earlier from the end of last year, similar reports on OT security, operational technology security, from KuppingerCole and from Industrial Cyber as well. So now 3 very good validations. We are going to use much more now these industry analyst validations for our marketing and awareness development as well. We didn't have this capability. We didn't have this a year ago. Now we have them. And then there will be one more coming up very soon. So keep an eye open. KuppingerCole will be releasing Privileged Access Management or PAM Leadership Compass in just a few weeks' time, and you will find us very favorable there as well. So about the portfolio then. So we continue with 3 main pillars: PrivX, Zero Trust Privileged Access Management in the center, which is the main growth product and main focus for our marketing, and customer acquisition as well. Network security and data transfer security with NQX and communications, secure mail, secure messaging, secure sharing. On the networking side with NQX, in Q1, we made progress now for -- in different areas. So we've got export -- this is a dual-use product because it's also used in defense. So we got export license and cases open now in Singapore, Malaysia, and Vietnam, hence the new partner as well. And then we are now final stages or advanced stages of certification and qualifications for NQX in Italy for NATO and the European markets as well. On the secure collaboration side, we did win some interesting customer, a few customer cases for the secure messaging, which is still a new solution, this matrix-based SalaX Messaging. That platform seems to be working really well because most of the government and health care organizations in Europe have chosen that platform, which we have built our SalaX upon in Austria, in Germany, in the U.K. for sure and in France, in particular. Also in Sweden, it's a preferred platform. So we're now going after those opportunities. And then finally, PrivX with its access controls and secret management controls and the automation into modern environments. So -- but let's see how this portfolio focus now, kind of translates into priorities, which we started to implement already in Q1 and now moving forward, certainly, we'll put more effort in this priority list. So it's about with PrivX going after those companies that are most ideal for our technology stack. And those are kind of mid to mid-large technology-driven companies. I'll come to that in a second. Secure remote access for OT, and we indeed got a new customer, for instance, in the U.S. as well, just very -- a few weeks back. That was back to the validation story that I mentioned earlier. There is an interesting development. We have a lot of the big banks and finance customers as our key manager customers. But there's a quick transition happening now in those banks into replacing the method of renewing secret keys like SSH keys and automating it so that the platform, which in this case is PrivX, will just generate short-lived certificates. So there are no keys anymore hanging around. Why this is now picking up and accelerating, is that the organizations have realized that the Agentic AIs are actually a risk for this as well, of course, they can go around sniffing and finding these kind of keys and doing God knows what with them. So people want to tighten their controls and have less and less passwords, encryption keys lying around in the infrastructure and replacing them with short-lived certificates and tokens, which is the whole concept of our PrivX solution. And you'll see some announcements of that in the coming weeks and months as well. And then with NQX, we -- it's ideally suited for large critical infrastructure networks, whether it's defense or energy networks, energy production or energy distribution, gridding, or transportation environments like railway systems and so forth. But also for critical communications and the new area, there is satellite for operators. And then SalaX Secure Messaging. So a couple of examples here. So here are some of the markets -- target markets that we're going after with the kind of what I would call ideal market for PrivX. It's about fintech, modern finance companies, not the legacy banks, modern hedge funds or high-tech or AI-driven hedge funds, e-tailers, e-marketplaces, online and iGaming, modern health tech, digital media streaming companies and then, of course, tech and AI and deep tech companies. So we've started now focusing more on our marketing on that. We'll throughout Q2 focus much more on that. But that's where we see sweet spot and that's where we see some of the recent wins being much more painless and easier for us against competition. We don't even see in many of these customers, we don't even see the legacy players as a competition or market-leading legacy players even as a competition because these guys want more modern architecture and more lean and more easy to deploy and better cost of ownership solution, which is what we can offer. Here's an example of that quant trading, the world's fifth largest quant trading or hedge fund who chose our architecture. Didn't even look at, they had one competition who was another modern solution, didn't even look at the legacy ones like CyberArk or BeyondTrust. And what is interesting there is that they decided to build their own HPC AI data center in Iceland and now actually expanded by building another one for getting more AI computational power for themselves and for their operations. For the OT market, here's an example, which we have maybe spoken about earlier as well, but to give you an idea of kind of a highly automated systems integrator for robotics, for logistics, and manufacturing environments and to have gained control so that the robots are actually working the way that they should and you control them remotely. Now what is interesting is that this is a control of physical robots. And now the whole talk is about a agentic robots, AI robots, and that's where we are heading more and have capabilities to deliver a solution for that as well. So both physical and software agents. An example of the NQX post-quantum encryption network connection and data transfer connection is a new win for us for a satellite manufacturer. So like I said earlier, it's not yet between encrypting the connection from satellites to ground, but it's once the reconnaissance data or other sensitive data from the satellite imaging is down, how do we then communicate that within the network and between customers as well. And finally, on these use cases, SalaX Secure Messaging. So we just closed the deal for -- in Central Europe for a healthcare organization for hundreds and hundreds of users for critical communications for patient and medical data. So -- but I wanted to talk a little bit more about the progress with Leonardo as a partner, amongst others, but as a really strategic partner and, of course, the largest owner with their investment in here as well. So what we've been doing, and I think I spoke about this already a few months back, is that we are now tightly integrated or embedded into the overall cybersecurity offering of Leonardo, whether it's identity or access or data sovereignty or data security or network security or the governance of security with the global cybersecurity center operations. So right in the middle there with cybersecurity and resilience. Here's a really interesting example. Maybe you wouldn't believe it, but in Europe, we now talk about sovereignty and how much do we -- should we have private clouds or national infrastructure to support identities and data without passing it all over to global players like Microsoft and Google and so on. In Italy, there's been a project now for 3 to 5 years. It's called PSN, Polo Strategico Nazionale, which is all about transition of the public sector, public organizations and healthcare into digitalized environment. Here in Finland, that's no news to us. We've been digitalizing our society already much earlier. But it's a massive move. It's about 3.6 billion investment over a few years' time, covering more than 500 entities in Italy, already 250-plus have migrated into it. And now we get our solution, PrivX, as a governance model into that environment. And that is really, I would say, even a model citizen example for other European countries, how to deal with cloud security when you use public clouds like AWS, Azure, Google, Oracle, and then private data centers or private clouds in this case, of course, in Italy by Telecom Italia and how you connect those and how you do the classification of what data can be where and how do you govern the security and security keys into the access of those environments and data, very advanced environment and solution. And then there are more cases. I think I mentioned earlier that we have about 40 cases. We are introducing new cases together with Leonardo with an embedded solution offering now all the time. But you can see some interesting customers of Leonardo where we are now going after together, whether they are in the defense space or space or public infrastructure, critical infrastructure. You can see a few names there for space agencies or police or railways or many, many infrastructure. So this is the area where we are working and not only in Italy, in Europe, in Middle East, in Asia, where Leonardo started the new cybersecurity center in Malaysia. And then, of course, in the U.S. and U.K. to be exact even more so. All right. That kind of concludes my summary of our activities, and maybe Michael can join me here. And maybe I'll just say that we are not changing our outlook. Our outlook still says that we expect net sales to grow throughout the whole year and to have positive EBITDA cash flow from operating activities. We're not changing that guidance right at this moment moving forward. And I think, Aino, we now can move to some questions maybe from the audience.

Yes. We will first start with opening the floor to our analysts, and I think I saw Jacob already raised his hand. So please go ahead.

Good day, Rami and Michael. Can you hear me?

Yes, perfect. Loud and clear.

Perfect. Okay. So a couple of questions from me. Starting with the cost base. It seems to increase somewhat quarter-over-quarter here due to the investment into PrivX integrations and sales and marketing, I believe you said.

Yes.

Should we expect this cost base to like continue in the rest of the year as you continue to invest? Or is it more of a one-off?

No, I think we will -- this is the kind of investment in the resources that we need to speed up some of the development efforts and to enhance our marketing. So this is more or less going to continue on that level.

Yes. I fully understand that. And speaking of organization then, I mean, this change in organization that you have announced, moving away from business units per region and instead centralizing the functions. Like can you give a comment, what do you hope to see as the clearest outcome of this transition here in the future?

Yes. It's really much about, like I said in the presentation, it's about focus so that we can, as a whole organization, focus on the highest growth opportunities. So by combining, for instance, all R&D and engineering together, we have more flexibility to guide our development resources into, for instance, for PrivX development and have a sharper focus on that. And in the marketing side, by establishing a Chief Product Officer role and enhancing, it's about enhancement of product marketing and go-to-market, which was kind of divided between the different business units earlier. So now we get a much better competence development and competence centralizing, if you wish, for go-to-market.

Okay. That seems like a reasonable move. And final question for me then is, I think you mentioned in the last report and also in this conference call as well, the 40 opportunities with Leonardo since the start of the partnership. First of all, is it still 40 opportunities? And the second part of the question is, is your focus on adding more and more opportunities or processing the ones you already have with Leonardo?

Yes. Both, I mean, some opportunities have gone away already. A few have been won already. A few more are in the pipeline. For sure, we also -- so we are continuing to work on those opportunities that have been established. Some of them have longer lead times. Some will have to even probably go to public tendering as well. And then, for sure, we have also been adding a handful of cases, actually, pretty large cases. As an example, we just had a training for 60 salespeople at Leonardo for NQX network security and concluded that, hey, with that sales force, we need to find, for each salesperson, we need to find a few cases with their customer base. So we're now going much more actively and even, I would say, aggressively after the customer base and prospect base of Leonard, our solution suite is integrated into the Zero Trust solution offering. So certainly, certainly. Of course, the main focus now is in bringing home some of those opportunities that we've been working on, and I think it looks very promising. Timing is maybe the question, how quickly can some of them come through. But for sure, there will be new opportunities moving forward as well.

Then we have a couple of questions in the chat from our invest analyst, Roni Peuranheimo. So first of all, does the USD weakening affect mostly maintenance revenue or also subscription revenue?

It affects both, but the maintenance revenue, a larger share of that is in USD. So it has more impact on the maintenance revenue than on the subscription revenue.

And then a second question is, PrivX is growing nicely, but can you open up development of other products?

Yes. We are continuing to develop other products as well. So for instance, for the Key Manager solution, we added now Gen AI-based enhancements to the product, mainly for finding the key environment and reporting on that for the transit trust. So we've been using AI very heavily in development for sure as well. For NQX, we just released or releasing 3.2 version of that, which has many enhancements. And so there are -- the road map on NQX is also very strong. And then for SalaX Secure Messaging, we have brought out in the Q1, 2 different variants and versions or enhancements to that solution and also integrations to other communication networks like TETRA Networks, the government networks here in Finland.

Then can you comment what's the average deal value of Leonard deal pipeline or range?

Ranges from 50,000 to millions. But these are typically larger deals for sure. But maybe an addition to that is that the customer behavior has also changed. So I mean, 5 years ago, 10 years ago, you made a big deal for the whole infrastructure and paid upfront. Customers are now more in the kind of pay-as-you-go, pay-per-use model. So many of the cases, I estimate will start a bit smaller. You start with one use case or one entity or one segment of the network, and then it will expand over a couple of years' time.

Has the win rate of Leonardo pipeline been what you originally expected?

Yes.

Okay. I don't see any more questions in the chat. So I think we will thank our analysts for the questions, and thank you, Rami and Michael, for the presentations. Our next investor call is on July 17. So thank you again for joining us today, and we will see you in July.