Synopsys, Inc. (SNPS) Earnings Call Transcript & Summary

Our next presentation comes from Synopsys. They are the leader in EDA software. Synopsys describes itself as working across the entire Silicon-to-Software spectrum and bringing products to life. As part of that spectrum, you're going to need tools for the software developers to ensure that there's security and quality in their code. And with that in mind, I'm very pleased to have with us today Jason Schmitt. He's General Manager of the Software Integrity Group at Synopsys. And then in the audience, we have Lisa Ewbank, the Vice President of Finance and Investor Relations. This is going to be a fireside chat format, but I thought just to open things up, I'll turn it back to Jason for kind of an introduction to the company.

Yes, sure. Thanks for having us, first of all. For those of you that aren't familiar with Synopsys, we're really 3 core businesses. You mentioned EDA, so electronic design automation for designing semiconductors. The second core business is our semiconductor IP, which you can think of as off-the-shelf design, circuit designs that can bootstrap the development of the semiconductor. And then the third part is software security business, which is about essentially ensuring quality and security of software as it's developed, any sort of software, and that's the business that I'm responsible for. And all that business together is a highly recurring business that is representing now around $7.3 billion in uncancelable backlog. And recently, we were able to raise guidance for the rest of this year and give a perspective that all 3 of those business areas are operating well. So we have projected that by end of year, 20% revenue growth year-over-year. That gets us past $5 billion in revenue with more than 25% earnings growth as well and strong free cash flow as well. So that gives you a perspective across those business lines.

Before you joined Synopsys, there was talk that the company was looking for a new leader of this division, and I remember when the press release hit announcing your arrival, your resume, I was thinking, "Wow, this guy knows his stuff. He knows what he's doing." What was it about Synopsys from kind of your background, what you have been doing? You just read a start-up that was acquired by Palo Alto. When Synopsys rings you, what kind of intrigued you about this being your next step?

The first thing is, this particular space, software security and cyber security in general, I've been in it for a long time. So it's something I have a passion for. There's a sense of mission in security that's really interesting and different than the rest of things in IT or actually protecting against bad guys. So that's really compelling to me. But then the Synopsys opportunity in general, most of the really strong assets that make up this business, I knew from the outside, either had known the company or partnered with them. So I knew they were really strong assets. But once I got to know Synopsys and the performance track record that the company has really laid down over the last many years, it was a really compelling opportunity to take some really strong assets in a market that I love that's fast growing with operational excellence that Synopsys has proven in the semiconductor space and apply that kind of operational excellence into the security area, which was still very fragmented. So it's an opportunity and a platform to kind of transform a space is what I saw.

Just on the point of track record, maybe just level set in terms of financials and what this business has been doing. So Synopsys has talked about, all in as a company, double-digit annual growth. This particular business, 15% to 20% type growth. How does that kind of compare to the underlying market? Is that category-like growth or are you picking up share? Are you in categories that are growing faster? Just how would you relate that?

It's actually a pretty simple formula. Sometimes I tell our team that simple strategies are better. And that is grow faster than market by operationally executing better than the other guys that have a strong portfolio. So it's a combination of strong underlying growth within the segment, but also the portfolio and execution on top of that to take share.

Okay. I have to ask an obligatory macro question. So in a world where things start to moderate and IT budgets come under more scrutiny, is this the type of essential tool where you tend to see budgets preserved? Or is there going to be kind of moderation on the margin?

The benefit of the flip side of security breaches being top of headlines more and more and the damages and reputational and financial risk increasing from those has made this area of cyber security, I would say, much less discretionary than it was 15 years ago. It's much more an essential part of any software development or software procurement. So it's not just tied to IT, that's a major driver, but also any product company, any industrial manufacturer, anything that's software-intensive, the security risk doesn't go down in a recession. And so the share of IT budget spent towards this is preserved better than other things, would see. So in that respect, it's a nice place to be in an area like that.

Okay, okay. And then maybe one last introductory question and that would be on just competitive landscape. Who do you view as kind of your closest peers?

A lot of our closest peers are, I would call, point tool providers that make up one area of our software security business. And they're all either venture-backed or a private equity-owned private company. It's really narrowly focused on 1 area of those. Some examples would be Veracode, WhiteSource. Nick might know as a highly valued unicorn in the space. So each of them typically approaching it from one of the core areas of the portfolio.

You've mentioned a couple of times now that there's certain discrete capabilities when you think of a tool here, a tool here. Maybe you we can just walk through, in practice, when you hear dynamic testing, static testing, open source compliance, what are these trying to do? And then holistically, Synopsys can bring this into a platform, why a platform would be a good approach to this?

Sure. To boil it down, what we're all about is as software is being developed or downloaded or purchased, find and fix the security vulnerabilities before you ship the ultimate product. So within our business, static application security testing is one of the stronger businesses we have within the group. And that essentially is about analyzing source code as it's written to do exactly that, help the developer and security teams find and fix those problems. On the opposite end of the life cycle, once an app is completed and running, the websites powering this conference and the hotel and all of that, there's a need to constantly and continuously security test those, penetration testing, if you will. So dynamic application security testing gives the ability that once something has shipped, to still kind of scrutinize it, looking for exploits that might compromise the site. And so the technologies are about automating those testing approaches so that you have an end-to-end view of software risk no matter where the software comes from.

Early on when this division was coming together and there were a handful of acquisitions that kind of got the ball rolling, Synopsys made a comment that half of the customer base was still semiconductor-related. So ultimately, it was a maybe different side, but still an organization that Synopsys knew well. How much does the Synopsys brand transfer over when you're now engaging with that type of customer?

It certainly is a strong point. It helps us. I would say anything kind of embedded hardware consumer device or software ISP, the brand as an innovator and a trusted partner certainly gives us a leg up in terms of relationship stature within those customers. That being said, the tools still have to perform. And ultimately, our space is about finding the risk and eliminating it as fast as possible without slowing down development, so we still have to be able to do that. The relationship and innovation, connection or connotation of Synopsys helps us with that sort of leading-edge technology mindset and then prove that the products and solutions work on the backside of that, that is definitely a strong point for us.

Is 50% semiconductor exposure, is that even the right kind of end market overlap anymore? Or maybe we can just talk about what the customer mix more typically looks like.

Sure. I would think not just semiconductor, think any high tech inclusive of software ISVs, and that's less than 50% of us now because the opportunity and generic enterprise, let's call it, anything non-high tech that has software in the organization is very fast-growing for us. And that's where maybe 4 or 5 years ago, 50%-plus was the right side of saying high tech grows at what high tech grows up. But the enterprise security spend grows substantially faster. And there's, in a way, a lot more kind of new entrants into software-oriented business there where risk is higher and the risk of breach is even more substantial and exponential. So we see fast growth in enterprise because of that.

This is a bit of a current events topic, but with Log4j happening late last year, and maybe we can talk about what that means exactly, but I imagine that's an event where Black Duck, which is a business that was acquired, really kind of springs to action. Is it true that, I guess, it's always on the minds of organizations at this point? So maybe an event like that doesn't drive an immediate lift in spend? But maybe we can talk about whether it does, I don't know, but then specifically on open source vulnerability is the type of thing Synopsys can offer.

Sure. To the first part of that question, I would say events like that absolutely do drive spend in late adopters. So what I mean by that is -- so he mentioned Log4j. That's probably all of us seen in the paper in the last few months. But this is a, I want to say, 15-year-old open-source component that's in literally every Java program on the planet because this was very pervasive. But the way open source is governed is obviously that's a crowd sourced, kind of network-driven, curated software, which in general, is more secure, honestly than proprietary software, but the exposure is very, very vast when you have millions of organizations adopting. So that means more progressive organizations that think about software security in a programmatic, systematic way, already have approaches and technologies like Black Duck to identify essentially what open source is throughout all my software and what risk does it present, if any? And that might be license risk, meaning I'm using an embedded technology that I haven't properly licensed or security risk, meaning this component version has security vulnerabilities that the severity [indiscernible] So those that operationalize that approach already, like they do with us with Black Duck, they expect to have, more or less, instant recognition of a new vulnerability like this. So the -- I would say that presents a strength for us because there's a high barrier to entry to have the kind of visibility across all open source software on the planet essentially, and the ability to categorize the relative risk of [Indiscernible] various components. So they have to be able to find and fix those issues as fast as possible, and that's where operationalizing Black Duck gives you a programmatic way of doing that, so that when there is a crisis, you can react fast. Now back to the late adopters. That's when they learn that nothing motivates security spending like a breach, we all know, or the risk of a breach that's very substantial. And that Log4j, in particular, was a very easily exploitable, severe vulnerability. So that motivated people who had not yet taken that programmatic approach to think more strategically about it. Okay, this is a serious problem to pay attention.

Is there a common landing points within software integrity for a new customer?

It's typically driven by, often, 2 things. One is a breach within the organization or a peer or compliance. So regulatory compliance, essentially whatever business you're operating in, not just financials, but many others, there's often a functional safety standard, security requirements to do business with the government. And compliance-driven programs dictate as part of someone delivering software, that they have to provably secure it. So usually, a strong entry point is a program around some new entrant, new product or new clients regulation that a company is subject to. And that happens very, very frequently. So that's usually a project-based entry point where we can also lead with a strong strategic services, consulting capability that we have, to really kind of take those late adopters, as I call them, and develop a strategy from early maturity on to a more programmatic approach. So those entry points are kind of a client's project that's an acute [Indiscernible] that leads to that longer-standing stickier relationship on the services and product side.

And is there any particular product within kind of a project-oriented scope that tends to be adopted first?

Yes, it's usually the static analysis that I talked about, which is code security because that's a fairly well-penetrated technology in terms of maturity, but not well penetrated in terms of usage across all IT. So that's a very common entry point. And then our services capability, where we can come in and assess any software, any application in a short time and tell you where the risk is.

Is it possible to characterize how much ACV upside there is? And I guess it depends on the size of the customer. But if you think about that initial land with static tools to maybe this will lead into a conversation on Polaris, but how much incrementally, or do you have a sense of like net revenue retention, just to frame what the land and expand ultimately can mean?

There's not a real consistent multiple, I would give you, except the land and expand is absolutely the typical motion for us, starting with that project basis, either with a tool or a services engagement, which is usually a team project or business unit, and then kind of the lateral expansion throughout the organization. And I would say 5 to 10x the initial deal is what you get to an ACV once you get to a more full-scale deployment. And so the -- what that translates into net retention is hard to say. But what I would say is, we focused a lot in the last kind of 18 months in the business on gross retention and the strength necessary for protecting the revenue base, which is a big contributor to our recent kind of improved growth.

Okay, okay. Do you have an enterprise customer that has achieved that maximum potential?

Absolutely. And we've seen initial deals in the 6 figures and then we expanded upwards of the 8 with enterprise customers that go from a project-based over a multiyear period to enterprise-wide. So the enterprise-wide is the -- usually the ultimate destination for how these programs evolve.

Okay. Going back to something you said earlier just on competitive dynamics. So it very much has been kind of a point-by-point approach to individual tasks. A lot of vendors have gone through this. And as maturation tends to happen, then you see platforms come into play. And Synopsys has their platform. Some of your peers have platforms that they're now marketing. Where do you think we are as an industry in terms of buying into the virtues of a platform versus, "No, my purchasing paradigm is, I give my developers the tools they want and I'm just going to leave it at that."?

Yes. It's -- we are essentially well on the journey, but not all the way there, where people go platform-first. Because there's 2 trends there that are important. One that you mentioned is that within our space, the developer matters a lot in terms of their productivity. I often say that what's the first thing that people do when security becomes inconvenient? Turn it off, because it's slowing down. And so the corollary to software development is slow down development. They're not going to buy in, they're not going to use the tools and it won't be effective. And so no matter what your approach is, you have to satisfy the kind of velocity requirements of the business around software, whether it's an IT system or a product you're shipping. That being said, there's been a strong consolidation of vendor within cyber security. The CISO budget wants to have less dependence on lots of small companies when it comes to cyber security. They want a trusted partner and consolidate vendors with more strategic relationships, but they're still not willing to compromise on the efficacy and efficiency of the tools themselves, so you still have to have both in a way. So the platform really allows you to kind of take advantage of the fact that vendor consolidation and strategic relationship is kind of empowered by a platform, but you can't compromise how good the underlying pools are processed. So we're still at the stage where it requires both.

Recently, you announced the acquisition of WhiteHat Security. In the history of software integrity, I think Coverity was $350 million. Black Duck was $550 million. This one was $330 million, so kind of sizable relative to the other brands that I think a lot of investors have come to appreciate. Maybe we can just start on what WhiteHat brings that you did not already have in place.

Sure. One thing I mentioned on -- once web apps or mobile applications or any sort of web-oriented application is live out there, the ability to continuously test it in an automated way is what WhiteHat security pioneered. And WhiteHat has always been a SaaS-based company as well, so they created and pioneered the ability to continuously test any web application through a SaaS application. So a company of any size, and they have a very diverse customer base as well, and essentially subscribe to have all of your web assets continuously tested. So that's quite unique in the sense of the continuous testing of production live applications without damaging them, let's say, and also delivering it through Software-as-a-Service. While SaaS was an area that we were organically investing in and is high growth for us already, that's an accelerant to our kind of SaaS build-out of that platform we're talking about. So the SaaS heritage and the continuous testing of live web apps is really what was attractive for us.

Do you have a sense of what that mix of SaaS adoption is for maybe the industry overall?

It's particularly on the enterprise side, which I talked about being the high growth, much larger segment overall is where SaaS has been within the application security testing market in general. It's in the order of 15% to 20% SaaS-oriented and growing faster than the software side as well.

Okay. In the past, and this stat is a few years old now, but there is talk that the serviceable market was about $2 billion to $2.5 billion. When you add WhiteHat and dynamic capabilities, do you have a sense of what kind of you can now address?

For us, that's a component of that TAM that you're familiar with, that dynamic app security testing component, but was something that we were only addressing with consulting essentially in managed services. So it gives us a much higher margin approach to that servicing the TAM that it represents.

Okay. Software integrity went through a stretch of time where it was not growing as quickly as I think many investors had come to expect, and Synopsys was open about kind of stepping back, assessing what needed to change. Of course, you came into the picture, but there were a lot of other activities around products, go-to-market, channel partnerships. And then more recently, I think the business has not only accelerated earlier than was the expectation, but now the business is sustaining a faster rate of growth. What would you kind of point to in the last, what's probably 18 months now, that has driven, from the outside looking in, it seems like a pretty quick turnaround?

Yes. Many of the things that you mentioned, I will kind of lump together into go-to-market fundamentals. So at the very beginning of our last fiscal year, so this was Q1 2021, we really took the prior quarter, which was when I arrived, so 8 quarters ago, I think, and looked at how do we play to win more or less. We have a very strong portfolio that's underperforming in the go-to-market execution, I would say. But we look at the fundamentals of building out a channel program so that we get leverage from indirect sales. That's been a major contributor to our growth. Really focusing our direct selling on markets and categories and products where we know we win more often than not, and not be distracted by things that don't represent strengths to us, so play to our advantages and where we sell and the customers try to go after. So the go-to-market side, the channel program and just much stronger fundamental execution in the direct selling was a big part of the go-to market turnaround, which we saw. I mentioned retention is another 1 that by really emphasizing and focusing on a global customer success view of retaining customer revenue, had a very significant improvement year-over-year in gross retention, as I mentioned. So protecting the revenue while the other team goes find new revenue, essentially how we looked at it, all while investing on the platform side of making sure those strong independent assets on the product side become a cohesive integrated platform that in and of itself delivers value to the customer. And so that's -- that necessarily has a longer tail and it's just now starting to contribute. The new growth and the last component we didn't really talk about in that context is wrapping all of that with strategic services where we can be the trusted adviser to a customer and guide them down that maturity journey rather than just try to sell them a tool. So it really was firing on all of those initiatives at the beginning of last year that set us on a much more stable foundation momentum.

Do you think the top line piece of the equation is in a better spot such that now margin expansion becomes more of a focus for you?

It definitely does over a multiyear period. We have a plan to get back to what you would see as the Synopsys company average in our gross margins, but not compromising the growth that we're building within the software security business. And again, it's, I'll say, a platform of the little P, a platform effect of a leverage go-to-market that has a strong channel component for leverage, a strong geographic presence in every region. So that anything we develop organically or acquire, we can plug into that distribution engine and sell it effectively. And so each net new product doesn't require super-intensive go-to-market investment. Now we can get leverage from that foundation. Same thing applies on the product side.

And so this can be a 30% adjusted margin business?

Absolutely.

In the little time we have left, I'm going to ask some EDA questions. So it's obviously been an incredibly strong period for the industry, and then I think it's fair to say Synopsys is growing even faster than the industry. Are there particular things you would call out as kind of enabling this what has been a pretty big inflection in rates of growth?

I would say some of it is similar to what I've talked about. Some of it is kind of intangibles that I see since I've been a part of the company. And that is a deep technology innovation culture, but an entrepreneurial mindset that continues to press the bar on delivering new innovation, is something that allows us to have a portfolio of significant competitiveness and breadth than any customer in EDA. So that, along with the operational execution, that's been fantastic. You layer that on top of strong market, then we can grow with the market and take share at the same time. So it's the portfolio and execution, and I would say that mindset of kind of never resting on strong products, but always look for the new things to go, be on the -- stay on the bleeding edge and ahead of the customer.

And to the point about innovation, so one of the things Aart has really been emphasizing on the quarterly calls is the new wave of AI-driven design tools, and so DSO.ai on the EDA side of the business. I would imagine the same AI-driven design even though that's a buzzword. But it would seem to be applicable to some of the things you're doing too. Maybe how real is this sort of technology? What is actually being unlocked when you're employing machine learning in EDA flow?

The thing that fascinates me about the technology and what it actually really does is optimize across systemic complexity that human operators can't possibly do fast enough. And so in the sense of EDA, optimizing a chip design for power in a way that kind of codifies the collective learning of an entire organization over many decades is something that humans just can't do. And that approach has applied to even my core business and security problems and other things has a lot of promise because it finds blind spots through data essentially to optimize for the thing that matters most, which is a chip design, might be power or space and security, it's buying the most severe problem quickly. So that ability to optimize across massive amounts of information is something that DSO.ai as just one example of what's possible that human operators with tools can't necessarily do, given any amount of time.

That's great. I see we are out of time, so please join me in thanking Jason.