Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

March 14, 2023

NASDAQ US Information Technology Software investor_day 175 min

Earnings Call Speaker Segments

Tim Perz

executive
#1

Good morning, everyone. Welcome to the Varonis Investor Day. We've got a lot planned for you today. We've got presentations from our CEO, Yaki Faitelson; and Field CTO, Brian Vecci. Then we'll have a short break, followed by a session from our CFO and COO, Guy Melamed, and then we'll wrap up with a Q&A session after that. Before we kind of jump into everything, I've got to read a couple of disclosures. During this presentation, we may make statements related to our business that will be considered forward-looking statements. And due to a number of factors, actual results may differ materially from those set forth in such statements. The factors are set forth in our earnings press releases and our risk factors, which are described in our reports filed with the SEC. We encourage all investors to read our SEC filings. These statements reflect our views only as of today and should not be relied upon as representing our views as of any subsequent date. Varonis expressly disclaims any obligation or undertaking to release publicly any updates or revisions to any forward-looking statements made. Additionally, non-GAAP financial measures will be presented. And reconciliations to the most directly comparable GAAP financial measures will be provided in this presentation as appropriate. And now I'd like to show a short video from our SVP of Strategic Programs, David Gibson. [Presentation]

Yakov Faitelson

executive
#2

Hi, everyone. I'm very excited to talk about the SaaS and thank you so much for taking the time to be here today. So SaaS is really, for us, is as big as the first version of DatAdvantage that essentially was the beginning of the company. The SaaS transition is an order of magnitude bigger than the transition to subscription. Subscription essentially enabled our customers to buy more licenses. SaaS is changing completely the way they get value from the licenses and the overall platform. And the other thing that is critical to understand, and I hope that I will be able to explain it, we got it in the right way. We built our SaaS platform in the right way. So with your permission, I will state the obvious. We are in a world with a lot of uncertainty. We have the war in the Ukraine. We have unprecedented amount of debt and stubborn inflation. But it's really one certainty in the world, and this certainty is pushing very hard the business case for Varonis. Whatever will happen, people will eat, sleep and create data. The world is completely dependent on data. Data is precious. But if you have critical data, someone wants it. Peiter Zatko, the CISO, the former CISO of Twitter, when he -- as a whistleblower, when he talked to Congress, he did the best pitch for Varonis. In one sentence, what he said is that data is completely out of control. But to quote him word for word, he said, "First, they don't know what data they have, where it lives or where it came from and so unsurprisingly, they can't protect it. That leads to a second problem. Employee needs too much access to too much data on too many systems." When we started, people didn't know that they can solve this problem, and the problem was a small fraction of what it is today. Today, manually, you can't solve the data protection problem. It's just impossible. I don't know if there is any force -- anything that is growing so much as data and our dependency on data and data stores.
So the hybrid world, this is how it works today on-prem and in the cloud is very chaotic and really growing at a staggering pace. What is beautiful for us for Varonis, the data is growing relentlessly on massive data stores in the cloud and on-premises. And the flows between them are very complex, especially when users are involved. So you have users that are sharing a lot of data. If you can't share data, there is no value. Whatever data you will create today, that is relevant for Varonis. You go e-mail, in file shares, this is the product of this. So this -- it's extremely important to understand that data is going, and we need to share -- users are sharing it, application is sharing, and this is how you extract value from a data product. The other thing that is critical to understand, some things after COVID. Transitory, some things are stationary, the architecture of how people are using data is here to stay. So what's happening with work from home that endpoints became access points. And most of the organizational data is stored in central repositories on-prem and in the cloud, and this is how people are consuming data. It's fairly easy to go today to any modern organization and understand in which data stores you have your critical data. And we have every year more and more data stores that are integrated and infrastructure that is very close to these data stores. So what happens is that you have so many systems, accounts and people that create massive attack surface. You just need to compromise one user or one machine. This is an attack surface. There's never-ending supplies of entry points, but any software has a lot of -- have a lot of vulnerabilities. So this is usually the ratio. If you have one user, there is usually between 5 to 6 ways to get in. So 10,000 users, 50,000 to 60,000 ways to get in, through the VPN, your phone, your laptop, your desktop, VDI. It's critical to understand, okay? 
The other thing that is happening, there will always be a system or a rogue employee, and you only need one. So most of -- not most, but a lot of warfare today is happening in the cyber space. And really, a lot of these efforts, state actors are showing the way of how to do sophisticated attacks and cybercrimes. So we see more and more sophisticated advanced persistent threats, APTs. The other thing that is happening because of cryptocurrency, it's very easy to monetize cybercrime, and the biggest risk of all are insiders. Let's just -- let's think about the data breaches that changed the course of history. Wikileaks, Snowden, the Panama file, insider with too much access that's accessing critical data. So this is the reality of the situation. The means always change, but data is always the objective. The objective of most breaches is data. So this is the reality. You don't know from where and from whom an attack will come. But you always know that it's going in one direction, and the direction is towards the data. This is why it makes sense to protect the data. If the data is protected and you have many mistakes in the outer level, think about it as an onion, nothing happened. But if you touch the data, this is where you have lasting damage. You can't unbreach data. You can get a new endpoint. You can rebuild an infrastructure, but you can't unbreach data. If you will take any CISO today, and he will tell what is your main objective? Why are you here? What do you need to do? They will tell you that the lion's share, really the top priority of the mission is to protect data. This is the top priority. Obviously, you need infrastructure availability and everything else. But this is the main, main objective. So almost all efforts in order to protect data, and if bad actors can't touch data, there is no lasting damage. You don't have lasting damage if they didn't touch data. And if the data is in the wrong hands, it is all over. 
This is what makes data protection one of the most important problems to solve, but also one of the hardest problems to solve. But it's also what creates a massive opportunity for Varonis. Opportunity is bigger than ever. So data protection is hard, but if you can solve it automatically with no friction, most probably a lot of security budgets will go to the data security platform that can solve the problem. So historically, our approach, we call it the data-first approach, worked very well for all critical data. It starts with revealing who has access to data, who is accessing it. Too much data is critical. In 2019, we went to subscription. And subscription enabled our customers to buy more licenses, they got more coverage, more automation and more enrichment, that gave very good visibility who can access data, a lot of coverage and make sure that we -- that customers can buy more licenses, they cover more data stores and use our stores. And we provided a lot of functionality to solve the problem. And our customers achieve great outcomes. They can visualize the potential of access. They can reduce the blast radius, which this is really the holy grail of data protection that only the right people can access the right data. They get high fidelity alerts. If you think about the breaches that you saw, and you come into all of these breaches and you see people had everything, endpoint protection, anything and everything, million alerts. And the attacks still happen because the attack was never on the right data streams. We give high-quality, data-oriented alerts that works extremely well. And compliance become very simpler. When I can tell you who can access the data, who is touching it and what data is critical, I can adhere to almost any compliance requirement. But also the reality that with the self-hosted platform, it's -- these -- to get these outcomes, it took effort, time to deploy and maintain, time to configure, time to remediate and time to respond. 
But also you have friction with the interaction with the customer in order to extract value from the platform. And this friction and the time create bottleneck. One, there is just -- there is never enough time. And the other thing I also believe that this is a massive secular trend for all security companies, there is a real shortage of technical skills and people. People are stretched too thin, it's very hard to get just the people that will do the work. So with our SaaS platform, we changed the game completely. We started to develop the SaaS around 5 years ago. We started very small, and we wanted to make sure that we are doing it in the right way. And for us, the most important thing was to make sure that our customers, they invest fraction of the effort and get significantly more value. And we measured everything. The North Star for everything we do was effortless value, and we measured everything with a stopwatch: time to installation, time to visualization, time to remediation and proactive incident response. Everything we just thought about it almost like robotic value to make sure with complete automation, we can reduce everything, and we maniacally measured every phase of the value proposition. And with the SaaS, the outcomes are frictionless. Many times, we reduced friction drastically. Many times, we don't need any customer involvement. We are now in the business of automated outcomes. Automated outcomes is everything for us. And when a customer pay, they get the 3 outcomes with minimum or no effort at all. They can visualize and reduce the blast radius. They can detect attacks early in the kill chain and any abnormal behavior towards the data, even if it's a very stealthy behavior, which, this is key, and compliance gets easier. So I want to tell you a story. I saw a customer towards the end of Q4. And we're discussing an expansion and he said, "Yaki, I want to tell you about my reality." 
I spend a lot of time with our customers and he said, "Throughout COVID, I lost my team twice" he said, in terms of the turnover of his team. He said, "Your platform, your -- the self-hosted platform, give me great value but constantly need the engineering to make sure that it's working. Every time a new person is coming, we need to teach them how to use this solution. You just -- it's -- I need to know that I'm getting value. And it's just -- it's hard for me because there is a lot of friction. When everything is up and running and I have the people and we have the time and the infrastructure group, the engineering group is helping me, it's great. But I don't have these resources." And this is what I told him. With our SaaS, it was 365 and on-prem Azure AD and Edge. We said except of the on-prem Collector, you don't need to do anything. We will come and classify the data completely automatically for you, and we're also going to label it. We will reduce the blast radius. We will -- you will just come in the morning, you will see a widget. This is the oversharing that David just show you brilliantly. And this is how the robot is going to remove anything without breaking any business process. And if we will see any abnormal behavior, we will tell you about it or any posture problem, most of the time, we'll eliminate the risk without you -- without any need from your end to do anything. Like this is the key. I told him the only thing that you need sometimes, and this is also sometimes is just someone in a heartbeat that will pick up the phone and will tell us if the behavior that we detected is malicious or not. And he told me, if you can do that, you are my #1 priority. And this is the difference between huge success and potential. And this was the key for us with everything we have done. So I know many of you, and I know that you -- we have many people that understand enterprise software very well and following up technology for a long time. Transitions are hard. 
Many times, the companies that need to do transitions are not doing it right. And we are good students of the history of enterprise software and how to build software in the right way. And in terms of the engineering effort, we crossed -- I'm sorry, we crossed a real ocean. So we did it in the right way. Many people are not doing it right. Many people what they are doing when they are going to SaaS, they're doing this lift and shift, not doing the right architecture. When we started small, we took every component of every code and said, how we are going to repurpose it in the right way in the cloud. And second, I also will talk about the other productivity, is the Varonis productivity from us delivering more innovation in what we need to do for our customers. This was the first thing. The second thing is how to choose the right technologies in the SaaS to build the right multi-tenant to make sure that it's very secure and highly scalable. After we understood everything, it was 20%, 30% of engineering, 2.5 years ago, a bit more, we just went all in. And the lion's share of the engineering resources was in building this SaaS infrastructure. I can tell you that we have a world-class SaaS asset with every KPI that you need to measure a SaaS product. And this is the foundation to build much more. And also we build the foundation for a lot of automation for Varonis, our ability to innovate, our ability to fix problem. And also, if you are a security analyst or a support person or a partner with a professional services that you can -- that you'll have so much automation that you can support 3, 4x more ARR from the SaaS platform itself. Like we really thought about everything and also made sure that we can iterate very fast on a highly scalable SaaS infrastructure. So what is in our SaaS today? We have already covered the most important stuff from the self-hosted. But we leapfrogged the self-hosted in terms of automated remediation and proactive incident response. 
I will talk about both of them. If you are a new customer, it's just a no-brainer, you will choose the Varonis SaaS. And there is just so much more ahead of us. It's not just the data is growing, growing in more data stores. There is flow and integration between them. You saw there is APIs that are accessing, users that are accessing integration between this data and the user repositories. And in the heart of everything is more automation and more coverage. But from the data that we have, we also get a lot of force multiplier for usable classification, for incident response, for general analysis. We really opened the floodgate for innovation, and there is much more on the way. Brian is going to show you a product tool, and you will understand how more is more. So the pace of innovation is constantly going to accelerate. Recently in Q1, we went wider with support of Azure Blob. Azure Blob is the object storage for Azure. And we went deeper with classification with GitHub and Salesforce for both files and field. The other thing we have done, we are classifying very well secrets and tokens, credentials. You know that if you want to get access, this is the first thing that bad actors are doing. And the other thing we went very deep with automated remediation for Salesforce, Box and Google Drive. I want to talk for a second about remediation. At the end of the day, we need to fix problems. What you're starting to see is that visibility itself is not enough, and finding fatigue is very real. What is happening when you provide only visibility, so each finding represents a lot of work. If you don't automate the remediation and know how to prioritize them, you're just drowning in many, many things that you don't know what to do with. And it's only getting worse with this explosion of data stores and configuration. And we are in the business of automated outcomes. 
And we're really building these remediation policies, engines that can reduce -- that can make sure that they can solve the problem without breaking business process. So one thing is to be in the business of automated remediation. But one of the biggest issues with security is to manage the tension between security and productivity. If no one can access any data, we don't have security issues. But the key is how in this environment that you collaborate and everybody is sharing data all the time and critical data, and this is what is driving every business, how you can do this automated remediation. You will have this intelligent robot that look at everything and can do remediation and make sure that you are secure without breaking any business process. A few years ago, around 3.5, 4 years ago, we introduced the incident response. It started with ransomware. We saw that a lot of our customers have this ransomware attack, and we detect them. And after that, we come in. So how the ransomware came in, this is what happened, and it worked extremely well. Almost every customer that's using the IR renew and buy more. Proactive incident response, proactive IR, it's a natural extension of the IR service. The same analyst can be far more productive, and there is no need for customer effort. It's a complete reduction of friction. I want to explain for a second. So today, if I'm -- we have this self-hosted system. We have some KPIs, but something happens or not happening, we just -- every week, I want to do a session with Brian. I need to call Brian. We need to schedule, then we need to do a Zoom, and I need to go on the system. I need to tune the alert to understand what is happening, if there is any issue, that something is down. And we need to understand what's going on. Today, everything is happening from SaaS. You don't need to do anything. We see all the alerts. We turn them. We see if there is any abnormal behavior. We can run playbook to stop a user.
And we just call you, and you will hear from our customers and tell you that something happened. Now you need to understand, this is from the data out, okay? We are very close with the signal to noise on Azure AD, active directory, Okta. We can see any abnormal behavior before you read the data. But if any stealthy attack is just touching the data, we tell you what happened. And if something happen, we are coming in, and the time to resolution is superfast. So think about it. Just think about all the coordination, all the work that I just said. Everything is happening automatically from our cloud. And then if we see any issue, and we need to do -- we need to update any threat model, we just do it in the cloud, and it's going to all the customer population. The reality is that companies with the right data set, usually in technology, they reap big rewards. Hands down, we have the most important meta data for data security. Think about what we can see across thousands of customers. Once this meta data is in the cloud, it's in orders of magnitude more valuable for analysis, okay? So we have really a bird's eye view on everything that is data-centric and all the behaviors that are going across the customer environments. Essentially, when we have enough customers, we see millions of users and data profiles and services across all critical data repositories and user repositories. Like this is the best data set for data-centric, threat detection and response for analysis like the -- and with everything that we are doing for analysis, it just -- it's night and day. So we will help customers to see new threats more quickly, even threats that are very subtle, sometimes if it's an insider or an APT or just an orchestrated attack, we see many of those. You're talking about something that it can be like a state actor level, and you see today a lot in the commercial space, as I said, because of crypto. We have critical data. I want it. 
We will put effort, and I know how to get paid. So this is something that is very important. We see everything from the cloud and really the signal-to-noise ratio work extremely well. We can see every stealthy attack without customer involvement. And the best way to understand it is following. When the SolarWinds attack started, we saw it. We saw the signal in individual customers. We're going to every customer. We see a service that is doing the SolarWinds service. They're doing something that is fishy. With SaaS, we would have seen it across all the customers and stopped it immediately. Like no 2 ways about it. We would have seen it immediately, 10 customers, same service attacks, same attack, kill this service, done. If you understand, we've been going to thousands of customers, one by one, calling them and then for one click from the cloud. This is a threat model, boom, kill it, done. No attack if you have Varonis. Think about it for a second. Everything gets faster and more powerful. So alerting is faster. New threat models and techniques are faster. We create new threat models almost immediately. So with the self-hosted, usually what -- and also the way that we architected the SaaS, this is what I told you regarding building everything fast. We're making sure that the analysts, you don't need to go to engineering, you can build the threat models very fast. So what took us 3 to 6 months, take us now 2 days. And we can do -- and in 2 days, we can update the whole customer environment. We enable them, obviously, automatically. We enrich everything with new threat intelligence. And threats are detected and stopped with no customer effort. With the self-hosted platform, customers got a lot of value. Actually, when they bought more, they got more value with less effort, but there was correlation between effort and value. You need to put effort in order to get a lot of value. We totally changed the game with the SaaS platform, and the key was to change the equation. 
So much more value with significantly less friction. And many times, no effort at all. Complete reverse correlation between effort and value. As you add more coverage, you get less effort, you gain -- you need to invest less effort, and you get more value. Brian will show you how everything works in the product tool. But I hope that I did a decent job, and you will remember 3 things from my presentation. One, most of the security efforts are to protect data. So let's make sure to put the effort where the data is. We are in the business of automated outcomes. A lot of you ask me how it works and what it does. You need to understand today, we are gaining -- we analyzed very well our customers, what they need to do, the most complex data environment in the world and the coming ground between them, how can we go and solve the problems automatically. And in places that we can solve it completely automatically, how we can augment it with our services, with our partner services, those customers will need to do very little, only to pay. And the other thing that we build a tremendous SaaS asset. First, it is the right architecture to make sure that we can reduce the friction, build all the automation and the outcome and also the ability to create new functionalities very fast, to make sure that the economics of the cloud works very well. So when you are doing a transition like that, you're not a start-up that it's very important that the economics will work well, and it will be highly scalable. So I know that everybody are busy, and the weather is not so good. I'm grateful that you took the time. I'm really grateful for your interest. And with that, let's hear from our customers. [Presentation]

Brian Vecci

executive
#3

Hi, everybody. My name is Brian Vecci. I'm our Field CTO. I've been at Varonis now for about 13 years. And Yaki has said that the launch of SaaS is kind of the biggest -- it's the biggest thing we've done from a technology perspective since the launch of DatAdvantage or the filing of the company. And I agree. I've met many of you before. For some of you, it's new or I'm new, so thank you for coming today. I'm as excited about our launch of SaaS as I have been about literally any other product or a feature functionality launch since I've been at Varonis in 2010. And what I want to do today is explain to you why, show you how this works, what's changed, where and how we fit in the security and technology landscape, give you an understanding of what makes Varonis unique and why nobody else does what we do in the way that we do it, and give you context about especially how our customers reach these outcomes. How does this work, and how do they get value? How are all the customers you just saw, what do they actually see, and how do they use this? The core problem we've been stating over and over and over today is that data is the most valuable digital asset that a company has. Nobody breaks into a bank to steal the pens, somebody breaks into a bank to steal money. If I get access to a device or an account or an application, if I phish one of your users, if I'm an insider, the target is always data. We have more of it on premises and in the cloud. We have applications that are connected together, creating and using data. We have users collaborating inside and outside, and security teams are stretched thin. There is no enterprise with enough people and time to go fix every problem, to understand all of the data that they have and where and how it's exposed and how it's being used. And you put all this together, the blast radius of a potential attack or an incident or a mistake is massive. 
The number of shared links, the number of files, the amount of sensitive data in all of the places that it lives means that if something goes wrong, if a single account is compromised, if a user breaks bad, the blast radius is huge. And threat actors, whether it's an insider or an outside attack, a cybercriminal group, an APT, they go after data. Data is the target, and we're the only ones that protect data in the way that we do. We see this everywhere. You've heard us talk a lot about risk assessments. And I want to show you today what that risk assessment actually looks like. But to give you a sense, whenever we go into a new customer, a new enterprise or with an existing customer on a new data store, like they've got us for on-premises file systems, and now we want to look at 365, we always see the same thing. Organizations have data that they didn't know about that's highly sensitive, exposed to people and applications that they didn't know about, configurations that are broken that can expose things, being used in ways they didn't expect. It happens everywhere. We know categorically when we go into a new data store or a new enterprise, this is what we're going to find. Data in places it's not supposed to be, accessible by people and applications that shouldn't have any access, being used in ways that it probably shouldn't. And the trick is who is actually going to go and fix all of these problems? The outcome is that you want data to be protected. You want to quickly detect and respond to threats. But if you don't have enough time and people to go look at the hundreds of thousands or millions of files that have sensitive information that are exposed to people who don't need it, how are you actually going to fix these problems? If you want to protect an asset, you need to understand it. One of the ways to think about this is if you were to buy a company, what would you need to know about that company in order to make an intelligent decision? 
Well, you need to know the company's assets and liabilities. You need to understand how it makes money, and what it spends money on. You need to understand its operations. The same thing is true with data. If you want to protect data, you need to really understand it. And what does it mean to understand data? Well, you need to know whether it's important or not or sensitive or regulated or valuable. You need to know whether data is somebody's vacation photos on their laptop or whether it's PII or customer information or health information or intellectual property. But sensitivity is just 1 lens that you would look at that data through. You'd also need to understand how it's being used, right? Who's actually creating and using and collaborating, so that you could potentially catch a threat? You also need to understand the risk. Something that's locked down to just 2 people and doesn't have anything sensitive is a completely different level of risk than something that's highly sensitive, that's open to everybody in the company, or these days, everybody in the world. I can right click on a file, create a link that anybody in the world can use to access potentially sensitive information. There is no CISO, there's no analyst, there's no engineer. There's nobody that we would talk to and say, is any of this not important? Everybody says yes. But the trick is, if you don't have all of this information, you can't actually get to the outcome that we're talking about. If all you know is what data is sensitive, you've gone out and you classified everything, you haven't actually solved the problem. The problem you maybe solved is now I know what sensitive data you have. But in fact, all you've done is create hundreds of thousands or millions of new problems, because what do you do about it? If all you know is how data is being used, if all you have are logs, well, you can't prioritize risk. What do you do with that? 
You don't have any context about how people are using data and why they're accessing it, what they're actually doing with it. And if all you have is information about identities and permissions, well, again, you can't prioritize risk. You don't know what's important, and you can't fix anything, because you don't know what's going to happen when you do. You can't fix anything if you don't know what's going to break. So if you're -- if you don't have all of these, the sensitivity, the permissions, the configurations and the activity, you can't get to these outcomes. Varonis protects data where it lives. We are the only technology that is this close to the data. And we've followed the data since the founding of the company. We started with on-premises file systems, big NAS platforms like Isilons and NetApps and Windows clusters. And then we moved into where people were collaborating, Microsoft 365, OneDrive and SharePoint Online and Teams, and Azure Active Directory. We moved into other SaaS applications and file stores like G-Drive and Box, Salesforce and GitHub, Object Storage and Amazon S3. So we follow the data and relevant behaviors wherever the biggest risks have been. And what we do is, in all of these data stores and applications, we look at the data and related behaviors through those lenses. What's sensitive, and what's important? Where is it? Where is it at risk? How is it at risk? And how is it being used? And then we fix the problems that we find automatically. So what we do is go out to data stores, find sensitive data, figure out what's important, map all of the configurations and identities and permissions and links that get people access and expose data, and we monitor how it's used. And then we build automation on top of all of that. So when we talk about outcomes, when I say our customers get valuable outcomes, what we mean is that when you have Varonis, you have visibility. 
You know what you have and where it is and how it's being used and where it's at risk. But as Yaki said, I couldn't agree more. Findings fatigue is a real thing. Just showing you findings doesn't fix a problem. It's what am I going to do with this? So we build automation on top of all of this analysis and intelligence, and we can automatically reduce the blast radius. We help ensure that only the right people have access to just what they're supposed to have access to, especially as things change. And just because I'm supposed to have access to something doesn't mean that what I'm doing with it is safe. Maybe my account got phished, maybe I have an insider breaking bad. So we monitor the data, we monitor the target, we monitor what's important. So we know really quickly when something goes wrong. So we reduce the time it takes to detect and respond to threats. And when you do all of that well, when you find sensitive information and map risk, when you monitor behavior, when you make sure that there is -- we can call it least privilege, we can call it zero trust, we can call it privacy by design. There's lots of ways to talk about this, but the idea is everything is locked down. And you're monitoring it effectively. Compliance and privacy becomes easy, becomes simple. It becomes a byproduct of everything else that you're doing. Everything that we do gets better and faster now that we're a SaaS platform. I cannot understate this. We could spend -- many of you've talked to me about this, but I could spend hours talking about all of the benefits, but I want to sum things up to give you a sense of why this is so important. With the self-hosted solution, if we wanted to do a risk assessment or we wanted to expand to a new data store, we -- a customer needs to provide a fair amount of infrastructure. They need you to provide servers and database licenses, all that goes away. 
One minimal collector that has a lot of benefits on its own, but one collector, we handle everything else. The deployment happens in minutes, and you see value right away. It's also easier for us to ensure that a customer's environment is working properly. We see the issues before they do, and we can fix them without the member needing to give us a call. Previously, if there was an environmental issue, maybe our customers knew about it, maybe they didn't. When they saw an error, they would call us up. We had to dial in, get on a Zoom, start fixing things and diagnosing them. Now everything is in our tenant. Everything is in our SaaS. We see it before they do, and we can fix it. And everything is so much more scalable, we don't really run into sizing problems anymore. We can develop new classification policies to find more types of sensitive data more accurately and more threat models to detect and respond to especially advanced threats. We can develop them faster, days instead of weeks or months. And we pushed them out to all of our customers. They don't have to go through an upgrade. We see a new threat vector, we see a new attack, the next Log4j, the next SolarWinds. We can develop a threat model, all of our customers get it, they don't even know that they have it. We were able now to build more automation into what we do. There's automation in our SaaS platform that never even existed in the self-hosted solution, and not only do we have better and we can deliver threat models more quickly, now we can be proactive about incident response. We can reach out to you when we see a threat before you even know that it's there. And all of this is predicated on the fact that we can now build and release new features and functionality much, much more quickly and deliver them all to our customers effortlessly. Yaki has said, we've had more press releases for new features and functionality in the last 3 months than we've had in the last 3 years. 
We're able to innovate much more effectively now. So I want to take you through what this actually looks like. The goal is to automate data security. If you don't automate it, there's a really good chance that you're not going to do it. So we want to make sure that these outcomes are as effortless as possible. The less effort a customer needs to put in, in order to get value out of what we do, the better off they are. So that perhaps that Yaki showed you, less effort, more value. I want to show you what this actually looks like. I want to put this into context, tell some stories, give you a sense of what our customers see, and how they use it. It starts with visibility. You can't fix something that you don't know about. One of the biggest issues that every enterprise faces is that they don't even know where they're at risk. They don't know what's broken. You heard those -- the customer testimonials. We found hundreds of thousands of sensitive files in OneDrive. They didn't even know that they were there. The number of hospitals that I talked to, there's a CISO at a medical center down in Florida. And what they said before they did a risk assessment with us is we don't have any patient records on our file systems. I said, well, do the risk assessment with us, just to be sure. We'll just verify that for you. We'll do it at no cost. It will take a couple of weeks at most. It's no effort on your end. We'll do all of the work. We'll find all the sensitive -- we'll classify -- configure the classification and we'll set this up. You don't have to worry about anything. At the end of a couple of weeks, we'll verify that there are no patient records on your file systems. What we find? Millions of patient records all over the place. So you can't fix things if you don't know that they're there. So here's what we mean by visibility. The first thing is I've talked a lot about sensitive data, finding sensitive information. A couple of things to note here. 
There are other ways -- there's other technologies to go out and find sensitive data, right? The advantages that we have is, first of all, it's a single set of policies, single set of rules to go find sensitive information wherever we look, whether it's an on-premises file system or OneDrive and SharePoint and Teams and 365 or in Salesforce or in GitHub to look for things like digital secrets and passwords and tokens that people might be looking for. It's a single engine. It works out of the box. It's highly configurable, which is really important because every enterprise is a little bit different. And if the classification is noisy, if I do a scan and suddenly tell you, you know what, 99% of your data is highly sensitive, that's not very helpful, right? It doesn't help you prioritize anything. In fact, it could make things worse, and I'll explain why. So we make it really easy to ensure that this is accurate. We even have a team. Every 1 of our customers, when they deploy this, we come in and we make sure this is accurate. We verify with their legal and compliance team. We found PII, we found PHI, we found HIPAA data, we found PCI data, credit cards and other financial information. Is this right? Let's verify it. Great. But finding sensitive data, even if you did that accurately, doesn't actually solve a problem because by itself, what do you do with this? All you've done is say, "Yes, I've got lots of sensitive information." So this is 1 key piece of visibility, but it's not where we stop. We go to every application, Azure Active Directory and Active Directory, Salesforce, GitHub, Okta, Zoom, Slack, and we map all of the configurations. These are the settings that could expose things. In David's video, you saw the biggest data breach in Australia's history was based on 1 misconfigured API. We map all of that, show you the stuff that needs to be fixed. We look at the permissions. This is something nobody else does. 
We go down to every file, every folder, every SharePoint site, every team site, every Salesforce record, every GitHub repository, every S3 bucket, all of the places that we're looking at data. We go down to a very granular level, and we figure out all the different ways that all the -- these people and applications could get access to data. So we help you understand not just where it is and what it is, but where it's at risk and where it's exposed. And that means we can put all of this together to show you your data security posture. Where do you have lots of sensitive information that's exposed to lots of people however it's exposed, whether it's through a shared link or configuration or a misconfigured folder permission. These being KRIs, key risk indicators, for your data security program. And we also monitor every single data touch. Every open and create and move and modify and delete, every link creation. Every time someone changes a permission or creates a user or changes a setting, we record all of it. So without doing anything with just turning us on and with SaaS that takes a few minutes, now you know so much more about your data, about the most valuable digital asset that you have. But visibility is just step 1. I can give you findings, but what do you do with it? You can't fix what you don't know about, but what do we do once we have visibility? And the key here is automation. If we required that you needed somebody's time, an engineer's, an analyst's time, and these are not cheap roles to fill, to go and fix every 1 of those hundreds of thousands or millions of risks that we found, you are never going to do it. Sure. You've shown me that I've got millions of files that are open to everybody in the company, but what am I supposed to do about it? I can't delete it, and I can't just lock everything down because if I do that, what's going to happen? Everything is going to break, and I can't do that. 
We used to hear 10 years ago, we would come in and before we did a risk assessment, a CISO might say, "You know what? You're going to do this, and you're going to -- I know probably what you're going to find. You're going to find lots of data that's wide open. You're going to find lots of sensitive data. And then I'm going to have to fix it, and I don't have the time. I don't have the people. I don't want to do this." We don't really hear that anymore, because we don't live in a world where you can bury your head in the sand. But if the outcome is that everything is locked down, we need to do it automatically. I want to show you an example of why automation is so critical. I'm going to show you a few examples as we go through this that are slides from customer risk assessments. We didn't create these for this presentation. I just went into customer risk assessments in QBRs, and I'll talk about that process, where we review their metrics. And I just copied and pasted them, and put them in this deck, because I want you to see something real. This came from a risk assessment that we started in December, they are now a customer, and we're about to go through the automation process. But I want to show you the before to give you a sense of scale about why automation is so critical. So we went and scanned on-premises file systems. This is at a medium-sized enterprise. And the way we broke this out is we're looking at all of their shared data. This is the data that gets locked down when you get hit with ransomware. And here's what we found. 8 million folders that not only can be read and stolen by any single employee, this company when they have a new employee start on Monday morning, that employee opens their laptop and logs in. They haven't asked for access to anything yet. All they've done is log into the network. They have access to 8.8 million folders, which is absurd. Imagine if you allowed every employee access to all of the money in your financial accounts. 
The other thing that I want to highlight here is we started in December, and now we're about ready to start the automation process. So it's been a couple of months. The problem is big, and the problem is growing fast. This doesn't go away on its own. Now in order to fix this problem in theory, if you've never heard of Varonis, you'd have to go to 8.8 million different places and try to figure out, okay, who's supposed to have access to this? Is it just the people in the marketing department? Is it just this finance team? Is it just this engineering team? Who's actually going to make all those decisions? The answer is nobody. The other option is you delete all of this data, but that breaks things. This is a huge amount of really valuable information that people are using every single day. If you delete it all, well, you break everything. The reason that this problem never gets fixed is that nobody knows what's going to happen when you try to fix it. So this is why you need automation. Nobody's got enough time to go look at 8.8 million different folders. So here's how our automation works. I'm going to break this out into the ingredients that go into how we provide this automation, because what's really key here is each one of these is unique to us, let alone when you put them all together. The first is obviously, the classification. This helps for prioritization. Where do I start? What's the biggest problem? What do I need to fix right now because it's a massive compliance thing or this is the data that's going to get lost or stolen or misused that might put us out of business? So we do that across on-premises and file stores -- on-premises and cloud, data stores, single engine. We make sure that it's accurate. You don't have to do any work to get that. It's all automatic. The next is the visibility of every single account and all of the ways they can access all of this data. 
That's how I can get that number of 8.8 million, and I can break that down at a highly granular level. So we know where all of these accounts combined with the groups and the entitlements and the links to get people access to data and to expose it. And we record every single data touch by every single user in every single application and all the object and configuration changes over a long period of time. Now here's what really makes us unique. You put all of that together, and now I can go back in time. I can say, you know what, if I were to take access away from 1 of those 8.8 million folders, who would be affected? What would break? And then you can use automation to make sure that it doesn't break. So now you can use the classification, the visibility, the auditing, the analytics that are based on all of that. And you can build automation in the change engine to go fix the problems without any effort. Here's what it actually looks like. We start with -- and again, this is another customer environment. We start with here is where you're at risk, here is exactly what we need to do to fix that risk. We make it easy to, right out of the box, just turn on automation. I want to remove shared links that expose data, I want to get rid of global access on my file systems, I want to make sure that these configurations don't expose us. It's as easy as turning on a piece of automation, deciding where you want to run it, when you want to run it and then click and go. Your environment basically becomes self-healing. We make it easy to get to this outcome. Here is what this actually looks like when we do this. I'm going to show you examples from 3 different customers. Again, these are slides out of customer decks. Some of them they used to present to their Board. But this is how we measure success. Here's what -- when I say the outcome of your data is protected, here's what it actually looks like. I showed you an example of a before. Here's an example of after. 
This is a slide from what we call a customer QBR or quarterly business value review. This is when we sit down every single quarter with all of our customers and show them here is what you cared about. Here's why you cared about it. Here's what we've done, and here's how you've measured success. I'm going to make this easier for you to read. I want to focus on 1 very specific thing. So this is a manufacturing company in the U.K. They had 700,000, 698,000 folders that were open to every single person in the company. This was a massive problem. Most of this data was highly sensitive. There was lots of GDPR data. They had to implement privacy by design. They had absolutely no way to do it. So in December of 2021, they started. By March, it was down to basically 0. The reason that number is not 0 is it's a lot like mowing your lawn. You cut the grass, and things start coming back. It starts growing again. What was interesting about this particular customer and the reason I stole this slide is that it was a really fun story. This was -- I was in the QBR, and the CISO was presenting to the CIO, the results of their data protection program. And the CIO said something that I'll never forget. We were looking at these numbers and the CIO said, "I don't believe you." He said that to the CISO. "I don't believe you. I've done automation like this in the past. There is no way you're telling me that you made almost 700,000 changes and nothing broke. I don't believe you." What the CISO said was, "Yes, we actually got a helpdesk call." CIO said, "Got you." He said, "Well, here's what happened. We got a helpdesk call, a woman came in and was unable to run a report. She got an access-denied error. She called up our helpdesk. We gave her access back, and we actually started to panic, because we thought this was going to be -- like a dam was about to break. We -- everything was going to blow up. We had broken everything. That's what we were worried about, but nothing else happened." 
They gave her access back. She was able to run a report, no disruption. It was no problem. And then they did an analysis. Why did this happen? So the way this automation works is, remember, we're looking at how data is being accessed by all of these people and applications. And what Varonis does, is we go back in time for every 1 of those 698,000 folders, we go back in time. And this particular company decided that their policy was you know what, we don't want data open to everybody, but if you haven't touched it in the last 4 months, we're going to take it away, because you probably have no reason to access it. That was the policy that they decided. When they did this analysis, they found that this woman had been on maternity leave for 5 months, hadn't touched any data, came back in. And what the CISO said was that it proved Varonis did what it said on the [ tin. ] It worked exactly as it was designed. This was the exception that proves the rule. We show you another example. This was from another customer that went through this process. And I just want to show you just how dramatic the reduction of risk is. What you're looking at are 2 different graphs of the amount of data that is open to everybody. On the left, it's everything. On the right, it's just sensitive information, which is often really useful to prioritize. And what you see here is that there is a ton of data and a ton of sensitive data that was open to everybody, and it was growing over time. We're looking at a graph that goes from -- what is it, July of 2021 right till October, but you can see over the course of a couple of days in October when they started the automation process. This illustrates how dramatic and fast the reduction of risk is, and nothing breaks. There is no other way to do this, period. You can go out. You can find sensitive data. You can aggregate logs. You can look at identities. There is no other way to get this level of reduction of risk. 
The last example that I want to show you is from a retailer out in California. They had to present to their Board, what are the results of our data protection program? And this was the 1 slide that they used. They went out and they used Varonis to find lots of different kinds of sensitive data. You can see there's HIPAA data and PII and PCI data, which is totally normal. They're a retailer. They have employees. They have lots of highly sensitive information. That middle one, they have lots of clear text passwords that people were storing. The Excel spreadsheet is the new Post-It note, I guess. People just store their passwords online, which is really useful if you're a threat actor. They also had a lot of California consumer information, CCPA data. This was the reason that they had a data protection program. What they were able to prove is not only did they know about it, but that none of it was exposed to people who didn't need to have access. This is what this outcome actually looks like. We're able to implement this to get a customer to an outcome with almost no effort at all. You turn us on, let us run, the automation is automatic. It's out of the box. We make sure that it works, and we come in every single quarter to show you that it's working. We're able to do things that would take years or decades to do. This is a regional health care company. By their math, they thought if they were to try to do this on their own, it would take 3.5 years. I think that number's soft. It probably would have taken them a lot longer. And that's assuming nobody created any new data while they were doing it. There was another bank on Wall Street. They had petabytes of data open to everybody. They hired a team of 40 people and said, "Your job is to lock down open shares." They estimated the project would take 18 months. After 4 years, they had gotten through 1.5% of their data. And in fact, they've broken more things than they fixed. This is an impossible problem to solve. 
We do it automatically. Now a lot of data protection conversations these days focus on data loss prevention or labeling. If you're using 365, what Microsoft will tell you is, here is how you can protect your data. In theory, we're going to apply a sensitivity label. This is what we mean by a label to a file. This file has got a lot of information in it. We're going to mark it as highly confidential. This file has a lot of financial information. I'm going to mark it as highly confidential, right? I'm going to apply a label to the file. You can do this manually. You can do this automatically. Then you create what we call policies. You can do this in Azure. That will prevent things from happening to that file. You can prevent the wrong people from accessing it or you can block it from being e-mailed or sent or shared, or you could do things like block it from being printed. You can make sure that it's encrypted, so that if it does get stolen, somebody can't have access to it. So you mark the file, you create the policies. And then DLP, Microsoft Purview Information Protection or Azure Information Protection or Microsoft Information Protection, whatever they're calling it this week, all these policies just work. It's like magic. It's great. So what's the problem? Why doesn't this solve the problems that we're talking about? Why doesn't this protect data? Well, the first and biggest problem is that most of your data doesn't have a label on it, and who's going to put it there? If you use classification that's noisy, for instance, there's a major utility in the Tri-State area here who tried to do this. And what they found was using the built-in classification that they had access to, it marked 99% of their data as sensitive. 
When you do that, suddenly, all these policies are blocking everybody from working, or you've got petabytes of data on-premises and tons and tons of information in the cloud that doesn't have a label on it, and you don't have enough people to go mark all of this stuff. So the files either have the wrong label or really frequently don't have a label on it. If the label isn't there or if the wrong label is on it, none of the controls I just talked about work. Everything breaks. You get in people's way, or all of this data starts slipping through. And even if you wave a magic wand, snap your fingers and all of this data is accurately labeled, this is just 1 preventive control. It still doesn't solve the insider threat problem. It still didn't solve your threat detection problem. It's useful, but it doesn't solve the data protection problems that we're talking about. Varonis makes DLP work. So what we do is when we go out and do all this classification, we identify all the files that are sensitive that don't have a label on it. This is a great reason that a lot of our customers these days are doing risk assessments. They have a labeling and data protection program. They want to make sure that the labels are accurate, and spoiler alert, they never are. So we go out, and we automatically identify all the files that are sensitive that don't have a label, but then we take it a step further. We then identify files that are either mislabeled or missing labels and we either fix the label or apply it. We don't replace what happens by the user. If the user wants to mark it as highly sensitive, that's great. We don't get in their way. What we do is make DLP actually work. I'll tell you a story, there's a global casino. You would recognize the name if you've ever been to Las Vegas or Macau. They had a massive labeling project because, as you can imagine, they have a lot of very, very sensitive data. 
They have a lot of highly confidential financial information about some very, very wealthy people. And what they found was 2 things. One, most of their data didn't have a label on it, so they couldn't actually implement these policies. And two, their users were actively mislabeling documents, because when a document is marked as sensitive, suddenly, they were getting dialogues that say you can't e-mail this, you can't print this. So their users were trying to find ways around it. The other thing that they realized is that the same person would label the exact same document differently depending on the time of day because if you've had lunch, you're more likely to think critically about what you're looking at. So they used Varonis to automatically apply all of these labels. They said, without us, they would have absolutely no way to operationalize this. This program has been a massive success. So we help put good, what we call, preventive controls in place. We make sure that data is locked down. We make sure that it's not exposed. We do that automatically. We make sure that the DLP controls to do things like blocking are accurate and applied. Those are preventive controls, but what's also critical are detective controls. To put this into context, you're a credit card company, all of us here have a credit card. Your credit card company is very, very, very good at detecting financial fraud because they watch every single penny that goes out of every single account. They also know who you are and where you live and what you shop for and where you're traveling. So when something goes wrong, they know about it quickly. If you've ever had an issue with a credit card or a debit card, you know you get a text and a phone call and an e-mail within seconds. Well, that's because they watch the money, and they have other context about how that money is being used. If you want to catch a threat to data, and that's the whole point. 
Every security initiative is about protecting data. You want to catch the threat to data, you watch the data. I could go through a detailed example of any recent breach, whether we talk about SolarWinds or Log4j or even WikiLeaks and Snowden and all these other insider breaches. The tools and the techniques constantly change. There are always new threat vectors. There are always new exploits that you can take advantage of, but the goal is always data. Going back to the first thing that I told you when I got up here, nobody breaks into a bank to steal the pens, they're after data. If I, as a threat actor, get access to an account, if I phish one of your users or I break into a device or I get access to an application, I crack one of your APIs, I'm going after data. That's the whole point. Ransomware goes after data. Every data breach is after data. We monitor the data. We monitor every single data touch from the moment you turn us on. We also monitor the ways that you get access to data, the -- all the authentication traffic and the object and configurations. We record every single event. Varonis is not a SIEM. We're not something like Microsoft Sentinel or Splunk or QRadar. Valuable technologies, we do something completely different. What we do is we monitor all of this behavior and every single event that we collect, and for some of our customers, you're talking about billions of events a week. Every single event gets cleaned up. Instead of looking at something that's -- this inscrutable text file, we make it really easy to understand. Amy here is accessing this spreadsheet that lives in this place from these IP addresses at this time. So we make it human readable. This also means that we can store billions of events. This is critical. We need to have a long-term record of event activity. And part of what we're doing when we're collecting all this information is making it easier for us to process and store. But we take it a step further. 
One of the things -- the thing that only Varonis does is monitor the data and then add more information into every single event, so billions of times a day for some of our customers. Every event that gets collected, we add more information to it. So we classify every single account. We know the users that are administrators. We know your executive team. We know which accounts are what we call service accounts. These are application accounts. So we add that into the event. Now we know that this event is by Amy, who is also an executive. We've already scanned every single file. We know that this document that she's touching contains sensitive data. We know if it's got PCI data or GDPR data or intellectual property, what have you. So we add that into the event. So now we know Amy, who is an executive, is touching a file that is sensitive. We can look up her device name. So we know that Amy is using this laptop. We even know where she's coming from. So we add all of that into the event. So what's happening here is Varonis is creating a record kind of like a bank statement that has been -- is really easy to understand, where we can store lots and lots of information. And we've added more information into the event that didn't exist in the original event. Nobody else does that. So now we've got billions of events that have been cleaned up with all this additional information in it, so now you know what's normal. We know that Amy here is an executive. We know which device she uses. We know where she comes from. We know she's got access to a ton of data, because we mapped all those permissions. We know that she has access to a lot of really sensitive information, doesn't usually touch it, sometimes she does. We know who her peers are. We know what times of day she normally works. So now alert fatigue is a real thing. 
If I generated an alert, if Varonis generated an alert every time Amy logged in from some place new, we call that a [ geo hopper ] or an [ impossible ] travel. Well, she's an executive. She's traveling constantly. Of course, she's logging in from someplace new. If I chased every alert by every user that logged in from someplace new, that's all I would be doing. I'd be chasing ghosts. Similarly, if I got an alert every time Amy used a new device, well, maybe she got a new phone today or maybe she dropped her laptop, and IT just replaced it. I'd also be chasing ghosts. Or if I get an alert every time Amy touched something sensitive and I shut down her account, that'd be catastrophic. I'd prevent her from working. I'd probably get fired if I did that. But if I've got an alert that Amy is using somebody else's device, in fact, it belongs to 1 of our engineers and she's logging in from a place that she's never been, and she is accessing a bunch of sensitive information that she's never looked at, you put all of those things together. This is real. This is important. This is something I want my security team to go look at. And that's how when we say Varonis generates a really small number of high fidelity alerts, that's what we mean. We don't generate noise. We generate alerts that are really useful, and they're useful because they're about the data, and they give context about the user and the device that she's using and where she's coming from and what she's touching and why it's strange. That's how we reduce how long it takes to detect a threat. We're not generating noise. We're generating really useful alerts about the target. We also generate alerts earlier in what we call the kill chain. We light up really quickly because we see that the SolarWinds service account is now accessing systems that it's never looked at before. That's how we catch those kinds of things. 
And then we make it very easy to come to a conclusion about what happened, time to response, time to recovery. We make it really easy, not only to see that something happened, but to know, you know what, Amy's account and this device was accessing data not just in OneDrive, but also on our file system. And she accessed Salesforce, and something weird happened in Zoom. We connect all of those dots together really quickly. The whole reason that we can offer incident response services at no additional cost is because of this, because our IR team doesn't need to spend hours or days or weeks trying to figure out what happened. During SolarWinds, during Sunburst, during that period, as Yaki said, we had a lot of customers that were getting alerts about their -- about what was happening about Sunburst. We didn't know Sunburst then, but we saw these SolarWinds service accounts. And we would get on these calls, and I was on one of them. And another incident response company was also on this call. They've been contracted in to help with the recovery and response for this breach. And he said something really interesting. He said, it's funny. We get called in. And the first question we always get asked is what data was touched. Everything else, you can rebuild and recover. You can rebuild the application. You can restore back up. You can get everything back up and running. What you can't do, you can't recover data that was stolen. So we always get asked what data was touched. And what he said and it stuck with me was I always answer, do you have Varonis? Because if you do, just ask their guys, they'll show you. It will take a couple of minutes. If they don't have Varonis, we're there for weeks. Maybe we can tell them that this account authenticated to this network or accessed this server, but we can never actually tell you what data was touched. We're the ones watching the data. I want you to hear from our customer that has gotten some value out of Varonis incident response. 
And what I want to highlight here is now with SaaS because we see our customers' data and we don't need to dial in or get on a Zoom to investigate things or to tune things, we do it for them. So now our incident responders are dramatically more effective, and we can be proactive. We see something before you even see it, we'll call you. Our proactive incident response means you'll get an analyst, you deploy Varonis, you have somebody that's looking at your data and looking at your alerts, and we look at them every day. If we see something -- and we're experts. We'll know this isn't important. It's a real alert, but it's probably not something you need to worry about. When we see something that you do need to worry about -- there's a hospital down in North Carolina. And they got an alert, and they thought it was noisy. But we reached out and we said, "You know what, this looks like it might be real. One of your administrators has been resetting passwords of user accounts, and then those user accounts are accessing HR data." And what they found was when we did the escalation, we reached out, we did the escalation, what they found was one of their administrators was going into HR folders using other people's accounts to look at employee salary information and then using that as part of their annual review. It was a really effective strategy to get bigger raises until we caught them. This is the kind of thing that happens all the time. And now our customers don't even need to do the work themselves. When we see something, we'll reach out. Here's a customer that's had some experience with this. [Presentation]

Brian Vecci

executive
#4

That's changed the game for us. We don't need our customers to give -- to provide really any effort, and they're getting these outcomes. We're able to detect things that nobody else can. We're able to reduce the time it takes to detect a threat, respond to it. We lock everything down, and make it much less likely that a threat actor and insider or outside attacker will even get to things. They have to jump through so many more hoops, which makes it much likely -- much more likely that you're going to catch them. I want to address the competitive landscape. I get asked by all of you every time we meet, what's the competitive landscape? Who do you compete with? So I want to put some of this into context, because I've tried to illustrate as we go through this, all of the unique things that only Varonis does. When you put everything together, there is no other vendor that does what we do in the places that we do it. Outcomes are what's important. Data is protected, the time to detection and the time to threat is reduced, and compliance becomes easy. Nobody else can do that in the places that we do it. That said, we are solving the biggest problem in security. Of course, there are other vendors and technologies that try to address this problem. The way to think about this is there are point tools that will do single-use cases on single platforms. For instance, there are other ways to go out and find sensitive data. But once you found it, what do you do? There are other ways to log access. There are, of course, SIEM vendors, and I'll talk about those in a moment, too. But if all you have is logging, where you're at risk, what's important and how do you fix anything? There are also reporting tools that will look at, for instance, identities or group membership. But that does not give you the depth of visibility, and it doesn't help you solve the problems even if you happen to find them. 
Even if I had a tool that could tell me that 8 million folders are open to everybody, what do I do next? I've got findings. Great. I don't have the people to solve it, so I'm going to shove it in door and not worry about it and hope that nothing happens. There are also, of course, adjacent product categories that generally we're complementary with. I talked a lot about DLP and purview information protection, because that's a great alignment. We make it work. Similarly with CASB, CASB is DLP for the cloud. It doesn't solve these problems. SIEM, it's a log aggregator. We send our alerts to the SIEM. We make your SIEM implementation much more valuable because now you're getting a small number of alerts that have all this context, and you can use your SIEM for further correlation and the things that Varonis doesn't look at, like network activity and things like that. Identity management doesn't solve the problem of data, because there's no connection between identity management and data. It's really about governing access and controlling access to applications, which is fine. It doesn't solve the same problem. Similarly, with SaaS posture management, it looks at surface level configurations, but it doesn't solve the problem of data. This is how organizations are trying to address this problem. But the reason we do a risk assessment is that we know whether they've got some or, in many cases, these days, all of these technologies that are not solving the problem that Varonis solves. And here's how we make it easy. We go out, and we do a risk assessment. I'll get in front of a CISO, and I'll describe what it is that we do and how we do it. And I'll say, "Great. You can either verify that all of our controllers are good, or you can show us where you're at risk and put together a plan for solving it." This is so much easier now that we are a SaaS versus self-hosted. We can do a risk assessment with 0 database licenses and absolutely minimal infrastructure. 
It's up in minutes. We're collecting data. And what we can do now is in the past, in a self-hosted risk assessment, if I wanted to do some analysis to show you where you're at risk and start putting together what we call an operational plan, how you're going to get value and how you're going to measure success, I needed to get on a Zoom with you and get into your environment and have you run reports that I would then correlate. All that goes away. I can do it now without any intervention from you. So the first time you see Varonis running, I already know here's where you're at risk, here's what we're going to solve. So we start with assessment. It's easy to run. Everything is delivered as a SaaS these days and all of the applications that we look at, it takes a couple of weeks and minimal effort. We're talking about an hour or 2 from a customer in order to get value out of it. We've also made our licensing much, much simpler. In the past, it was broken out by module by module by module. And customers often sometimes didn't know exactly what did what, why they needed different licenses. The subscription transition was huge because it allowed customers to consume more licenses upfront, and we know more is more. The more you have of our platform, the more valuable it is, the more automation you get, the more value you get right away and over time, with the least amount of effort. With SaaS, we simplify things. It's Varonis. Where do you want Varonis? Do you want Varonis on your on-premises file systems? Great. You want Varonis for 365? Great. You want Varonis for Salesforce? You want Varonis for GitHub? You want Varonis for Okta? You want Varonis for Slack? You want Varonis for Zoom? You want Varonis for a hybrid environment? That's it. That's all you need to worry about. And you get all of the relevant functionality, so we can ensure that our customers have what they need to get value quickly. I need to go back now. 
So now I hope that gave you some context about how our customers use this and what they get out of it. We're going to take a 10-minute break now. I'm looking at Tim. 10-minute breaks, we can all go use the bathroom. And then you'll get to hear from Guy, which is why you're all here. Thanks. [Break]

Guy Melamed

executive
#5

I think this is the part I just stand here and wait for the doors to come down, so you can't leave. So we'll let that. It was a sensitive time, so. Ready to start. First of all, thanks, everyone, for joining us today and thank all the people that have joined through the webcast. We're very excited to be here, New York City, Times Square, 4 Times Square is the address. And going back 17 years is when Yaki came into this building and sold to 1 of our first customers, a deal that was $100,000 at the time. And it's very fitting and symbolic that we're here today talking about our plan to get to $1 billion. So it's kind of closing everything together. I want to go back to February 11, 2019. We just announced our move from perpetual to on-prem subscription. And when we spoke to many of you and many of the people that are listening on the webcast, we got a lot of reference to go talk the company X, company Y, company Z in order to make sure that we know what we're doing in order to transition in the right way. The answer we had at the time was that, a, we spoke to most of them as part of the preparation to make that move. And the second thing that we said is that we really want to get to a point when we finish that transition, we will be that company X,Y and Z that you guys referenced. And that actually happened. We've received so many calls since then on companies that announced the transition. But one of the lessons learned from making that transition was communication. We had thousands of conversations with analysts and investors throughout that time. And we tried to be as transparent as we could, but this transition is different, much more complex, not at the same pace. And it's much more complex for us, but it's definitely much more complex to all of you. And that's why we decided to have an Investor Day and kind of lay the ground. What are the important metrics? How do we see success? How long is it going to take? 
In the next 45 minutes, I'm going to try and cover all of those. At the end of the day, Yaki and Brian kind of lay the ground in terms of the technology. In my presentation, I want to go through the whole financial perspective and tie it all together. This is really the next stage for our company. The plan was always part of a much longer -- much bigger strategic plan. The move from on-prem -- from perpetual to on-prem subscription and now the move to SaaS was very clear with a defined strategy really trying to make sure that we take advantage of the opportunity. We are a pioneer in data security and analytics. There's a culture of innovation at the company. We invested heavily in our technology. We're a leader in data security. There's a tremendous greenfield opportunity that we're trying to capture. And on top of that, we have an existing customer base with a lot of opportunity to expand with. The story of moving from perpetual to on-prem subscription was always about the customer. We wanted to have a lower entry point, allow our customers to consume more of the product. And with that, they would come back and buy more. With our move to on-prem subscription, we strengthened our business model and got to a point where we have close to 100% recurring revenue. This move to SaaS eliminates 2 main objections that we have been receiving. Objection number one, we don't have the hardware. Objection #2, we don't have the people and/or the time. All of these moves, the move from perpetual to on-prem subscription and the move now from on-prem subscription to SaaS is about our customers, providing them value, giving them automation, and allowing them to be better protected. You've heard Yaki and Brian. This transition is as big as the company founding. Now I know we're in March, so this is pretty early, but the feedback so far about the SaaS transition has been very positive, both from our customers and our sales force. This transition won't be perfectly linear. 
And most of the friction will take place in the first 6 months of this year. I'll go through that in a second. But as we go and exit this transition, we have a clear path to drive strong top line growth, generate more meaningful cash flow and demonstrate continued operating leverage. So exactly 9 years plus 2 weeks ago, in this building, 10 floors down, we went public. And in 2014, we had about 10 licenses to sell. So having a perpetual model made a lot of sense. We would sell 1, 2 or 3 licenses, show value, and we have customers that come back and buy more. Then between 2015 and 2018, we had approximately additional 15 licenses. Many of them were geared towards automation. So now it became more challenging for those customers to consume more of the product upfront. They want it to be protected quicker. And that's why, in 2019, we announced the transition to on-prem subscription. It was driven by the customers who wanted to consume more of the product, get more automation and be better protected. Then between 2020 and 2022, we came out with additional licenses. Now we had more than 40, and we started to think about how to consolidate that. We started to think about outcomes. How do we simplify the conversation to both our sales reps and our customers? And that's why in 2022, we introduced the bundles. We have silver, gold and platinum bundles where we sell the outcomes with 1 SKU. In 2023, we announced the Varonis SaaS transition, and we're doubling down on those bundles. And I'll talk about that later. Clear growth algorithm. The bread and butter for us and one of the things that we know we have to do on an ongoing basis is have strong renewal rates, which is what we have. We've had consistently over 90% renewal rates. And by the way, we believe that with SaaS, they can actually increase, and I'll talk about that more in a second. 
But before I talk about the 3 growth drivers, new logos, expansion within existing customers and the SaaS transition uplift, there's something that is really clear to us that I want to make sure is really clear to you. We don't perceive ourselves as a low double-digit growth company. A lot of management has been here for a long, long time. Everyone within us understands the opportunity. We understand what we could achieve and all of us is working really hard in order to achieve that. The first phone call Yaki and I have on a daily basis is usually in that 6 a.m. range, 6, 7 a.m. range. And the last call is usually at 10, 11 p.m. We enjoy it. We see the opportunity, but we're not working as hard as we are to be a low double-digit growth type of company. So what basically happened when we gave guidance for 2023? Well, there were 2 factors that impacted, the number. We finished 2022 with ARR of 24% on a constant currency basis and excluding Russia. But then we gave color on 2023. And we baked in 2 things. 2 factors that impacted that. Factor #1 was the SaaS transition. Basically, the assumption was that there will be most of that friction happening in the first 6 months. Why? Well, first of all, many of our reps are fully on board on making this transition. They understand the value to the customer, they understand the value to the company. But like every organization, you always have people that have more problem with change. So lessons learned from the previous transition is that some of them will leave. We bake that in. The second reason for that friction in the first 6 months of the year and probably not less important is just having reps that see the value, see how less friction you have as part of the risk assessment, see how less -- how the outcomes are much, much better, they will try and take deals in flight and move them to SaaS. 
So when our sales cycles are mostly between 3 to 9 months, and on the larger deals, up to 12 months, the majority of that friction, the majority of that pipeline will have to be cleared in the first 6 months of the year. The second factor that was impacting our ARR number was the macroeconomic environment. We obviously assumed longer sales cycles. We started seeing that in Q2 of 2022 in Europe. That increased in Q3, and we gave some color on that spilling over towards North America in Q4 of 2022. We baked in those 2 factors. The macroeconomic challenges and the SaaS transition as part of our 2023 numbers. But as we move past the initial stage of the transition, and the challenging macroeconomic environment, we see our top line growth moving towards healthy levels we've seen historically. In the years ahead, we see our growth being driven by 3 pillars: new logos, there's a tremendous greenfield opportunity for us. And SaaS actually increases that opportunity because it allows us to go to new markets and new customers that we can cater to before. The second pillar is expansion within our existing customers. The average number of licenses that an existing customer has today with Varonis is 6. Think about it, if we protect Windows and our customer wants to protect Office 365, that will more than double the number of licenses that they have. Our ability to increase our ARR through that expansion is significant. And the third pillar is the SaaS transition uplift. We are baking price list increase of 25% to 30% for any SaaS deal versus the on-prem subscription. The overall opportunity is tremendous, and we want to make sure that we take advantage of it. So let me start with the top line growth. Not only is this the first Investor Day we have ever had, we're also providing, for the first time, a time line for our $1 billion ARR. We're really happy that we can share this time line with you. We had this plan internally for a very long time. 
But in the last transition, we didn't have all the cards out there because we knew that there was another transition to SaaS. So we couldn't share that time line with you, and we're happy that we can provide a 5-year outlook currently. What are the assumptions for that $1 billion ARR? Assumption number one, this is happening organically without any M&A. Now an M&A might happen and it would probably be a technological tuck-in, but we don't feel that we need necessarily to acquire anyone in order to get to that target. Assumption number two, we're assuming zero conversion of maintenance of perpetual. We can get there without converting any customer, and I want to talk about that subject in more detail shortly. And the third component, the third assumption is that the macroeconomic uncertainty persists for the next 24 months. We're extremely excited to put a target that we feel is achievable out here today. Go-to-market strategy. So for all of you who have never heard the Varonis story before, we sell through the channel. The channel helps us get the deal, meet the person and they help us close. But we have an outside sales team that does all of the heavy lifting. Our outside sales team is the one that does the risk assessment. And the selling process is very visual. You heard Brian talk about the examples. The jaw-dropping moment happens when people see sensitive data that they can recognize and relate to open to everyone in the company. If I told all of you that your company has millions of files open to everyone in the company, you'd probably shake your head, go make coffee. And rightly so. 
But if I was able through a risk assessment to show you an Excel file that you have worked on for 6 to 12 months with the best stock picks for 2023 and the best short ideas that is open to everyone in the company and not only everyone in the company, but any visitor that logs to the company's WiFi that can access that file, if you have the authority to execute on a Varonis PO, you would. And that's why the risk assessment is so critical for us. The risk assessment is basically the blessing and the curse. We have to make sure that we get in front of our customers and do that visual process. We're not Check Point or Palo Alto, click and hire 1 rep from the other and get a rep fully productive to do that risk assessment. Our ramp-up time of reps in the past used to be up to 18 months. With the market moving in our direction, that has actually come down significantly. And now it takes us up to 12 months to get a rep fully productive. But at the end of the day, there's a lot of education that gets involved. You have to make sure that they understand the positioning and what are the right use cases and how to do the risk assessment. It's a bit of a different type of sale. And what we need to make sure is that we get the right people with the right DNA that can do that risk assessment in order to have good outcomes and high conversions. Finding the right sales rep and building them with the Varonis DNA is still our largest bottleneck for achieving faster growth. The second bottleneck is some of the friction that we have seen as part of the risk assessment with the on-prem subscription that we're taking care of. So how are we addressing the DNA. We've always had a Varonis Academy. And in that Varonis Academy, we were adding sales capacity through people that started as cold callers. They go through a process where they work for 9 to 15 months. The good ones move to an inside sales role. In that inside sales role, they try and sell to companies with less than 500 employees. 
That takes another 9 to 15 months. What we look for in the people that we hire is that they would be coachable, that they can deal with pressure and that they have some ego. They have a competitive edge. We've done that for a lot of years now. But over the last year plus, we increased those investments significantly. And with our announcement of the move to SaaS, we're actually increasing what the inside sales team are dealing with. And now they're not just selling to companies with less than 500 employees, but they're going upmarket and selling to companies with less than 750 employees. The balance between new logos and upsells. The trend really continues. We're trying to balance both selling to new customers and expanding within our existing customer base. Our NRR at the end of 2022 on a constant currency basis was 117%. With the new packaging that we're introducing, we expect larger customer lifetime value. And while we see great opportunity to expand within our existing customers, we have always and continue to view new customers as a critical building block to driving durable growth in the years ahead. High-quality subscription customers. This is the right focus for us, the way we measure customers. And this is how we think you should, too. Apple stopped measuring iPod users, but does measure iPhone users. The customers that we don't count here are customers that bought perpetual license, most of them before 2016, many of them have 1, 2 or 3 licenses only. They don't know the level of automation that we provide. They are older customers that bought us for a different reason than what we have become over time. We must approach them, and we will approach them. But sometimes it's easier to sell -- sometimes it's easier to sell to new customers than upsell to those existing customers. In 2018, we had 38 subscription customers. All of them came from the pilot program that we did at the time in order to sell on-prem subscription. In 2019, we had 1,338 customers. 
2021, we had 3,623 customers. And at the end of 2022, we had 4,361 subscription customers. This will help you judge our success in adding new customers, and we will provide this metric on an annual basis going forward. This is one of my favorite slides. It demonstrates the transformation, strength and the potential of the business. This company completely changed when we moved from perpetual to on-prem subscription in 2019. You can see how customers spending $100,000 ARR went from $39 million in 2018 to $335 million in 2022, a 9x increase. You can also see customers spending more than $1 million of ARR going from $2 million in 2018 to $70 million in 2022, a 33x increase. The announcement of the SaaS transition is another transformation, and we expect customer lifetime value to continue to increase with the new offering. Okay. This might be a bit painful, but it's important. Being an accountant and working in public accounting, it's definitely -- revenue is absolutely important. However, during the transition, sticking to this metric will generate noise, ARR and free cash flow are the north stars of this transition. So I want you to stay strong just for a bit. I know this brings back memories for some of you from Accounting 101 in college. And I know there's a lot of happy events in life, but 606 is not one of them. The Accountant Self-employment Act generated a lot of revenue for accountants, but a lot of confusion for tech companies. And that's why we have 4 slides on this subject. I'm going to take 3 examples of the $100,000, $100,000 deal on-prem subscription and SaaS sold at 3 different points throughout the year. First example, first day of the year. Second example, midyear. Third example, last day of the year. And we will walk through the headwind that each timing generates. Now I know, I know some of you are saying, -- then you say that when you sell SaaS, you're expected to have a 25% to 30% uplift. Let's take it one concept at a time. 
And once we nail this, we'll move to the second concept and talk about the uplift. So let's talk about example #1. January 1, $100,000 deal. On-prem subscription, Q1, $85,000 recognized versus $25,000 recognized in SaaS. So the headwind versus on-prem subscription is 70%. Full year on-prem subscription and SaaS are the same at $100,000, zero headwind. That is why ARR and free cash flow are the north stars of this transition. Example number two, June 30, the same $100,000 deal sold midyear, June 30. On-prem subscription Q2 $80,000 versus less than $100,000 in SaaS. So headwind versus on-prem subscription is almost 100%. Full year on-prem subscription recognizes $90,000 versus $50,000 of SaaS. So headwind versus on-prem subscription is 45%. That is why ARR and free cash flow are the north stars of this transition. Example number three, second is strong. One more to go. Okay. Last day of the year, same $100,000 deal, Q4 on-prem subscription, $80,000 versus less than $100,000 in SaaS. So headwind versus on-prem subscription is almost 100%. Full year on-prem subscription, again, recognizes $80,000, less than $100,000 of SaaS. So again, the headwind is almost 100%. That is why ARR and free cash flow are the north stars of this transition, exactly. Now let's move to the exciting stuff. I'd like to spend some time discussing the opportunity that we have with our SaaS transition. We have proven success in navigating previous model transition. The move to on-prem subscription was a very different transition. We fully understand that. That was a financial exercise. This one has more operational components, which is why we're taking a more measured approach. Our goal over the next couple of years is to be able to add an S to the end of this title. Proven success navigating previous model transitions. 
Now when we moved from perpetual to on-prem subscription and started that in Q1 of 2019, we basically moved from less than 40% of recurring revenue in Q4 2018 to 95% recurring revenue in 5 quarters alone. That, by the way, was around the time we started working on our SaaS offering, just to give you context of timing. Now like I said before, our last transition was very different. But there were many, many lessons that we took from that transition, and we are trying to apply that to this transition. Basically, there are 3 pillars that are critical in order to make sure that we move the right way. Pillar number one, technology. If you don't have a product that works better and where you're trying to get to, it won't work. We've invested more than $100 million in R&D over the last 2-plus years plus another 15 years of experience in order to have a product that works the way it will. Second pillar, comp plan. You can have the best technology, but if you don't compensate your reps in order to make them change their behavior, it won't work. In 2023, we have built a comp plan that fits with the company's strategy, which is selling SaaS to new customers. So those are the first 2 pillars. Pillar number three, management buy-in, you can have that technology, and you can have the comp plan, but if management is not fully onboard and being committed to the transition, it won't work. I can tell you that we are fully committed to making this transition a success. SaaS, a compelling offering. So there's been a lot of talk about DA Cloud and Varonis SaaS, and I just wanted to spend 2 seconds on explaining what each one is. Varonis SaaS is what we invested over $100 million over the last 2 years on top of those 15-year plus of learning on how to transform features of on-prem subscription into cloud-native SaaS offering. DatAdvantage Cloud was the first SaaS offering that we had introduced in 2021 following our acquisition. 
And that covers SaaS application and cloud data storage, we have never covered before. Over the last couple of quarters -- over the last couple of months, one of the most common questions I got from analysts and investors was why did DA Cloud perform below expectations. The answer I gave everyone was that there's a natural evolution of licenses at Varonis. It takes time for the reps to feel comfortable in selling the product. And we have seen that in the past with some of the other licenses. So I want to support that with some data. When we started selling Automation Engine and Office 365, in the first year that we introduced that license we sold approximately $200,000. 5 years later, the ARR was significantly larger, real material contribution from both. $18.8 million and $26.4 million for Automation Engine and Office 365, respectively. DA Cloud, in its first year, sold approximately $3.5 million. So it was one of the best-performing new products launched in recent years. And we believe the opportunity we have with the DatAdvantage Cloud is significant. We can cover applications that we never covered before. And as reps feel more comfortable in selling that, we will see more meaningful contribution over the next couple of years. But here's another question I got a lot. If you sold only $3.5 million of DatAdvantage Cloud, can you support cloud applications. And we have a strong cloud history with a long runway ahead. Microsoft 365 has reached $95 million of ARR as of the end of Q4 2022. We've been covering important cloud assets for a very long time. But here's another interesting aspect to this. When we took the aggregate number of users that Microsoft covers today and compare that to how penetrated we are, the opportunity is tremendous. We only cover approximately 1%. The opportunity is huge. We haven't scratched the surface yet. You've heard both Yaki and Brian talk about why a customer would buy -- would pay 25% to 30% more for SaaS. 
I want to talk about the benefits for Varonis. I want to look at it from the other side. The overall arching theme is that there's quicker time to value and improved customer satisfaction which would lead to greater customer lifetime value and higher renewal rates. How would we get there? First of all, shorter sales cycles. Many of you have asked me if we can support with data, having shorter sales cycles, all the beauty of statistics is that every deal we closed to date has a shorter sales cycle. But as we gain more data, we will provide more clarity. But the expectation that we have is that the SaaS deals will actually take less time because it's easier deployment and because of the simpler pricing and packaging model. Larger lands with our platform selling and with a price list that is 25% to 30% higher, we expect larger lands. The overall total customer payment will be lower. Total cost of ownership would be less because they don't have to pay for hardware and because they don't have to pay for people, and it takes less time. A very important point is the margin component. Margins should significantly benefit us on some of the other departments that are R&D, sales and marketing, and support PS. And I want to walk you through some of that in the next couple of minutes. When we think about the R&D department, today, not only do they cover 2 types of code, the on-prem subscription and SaaS. But within the on-prem subscription offering, we have different customers that have different versions. So as we go over time towards 1 type of code, there will be additional benefits, additional leverage in the model. Support, customer success, PS, all of that becomes significantly easier with the SaaS offering. Here's an example. Log4j, all of you heard about that. 
When Log4j happened and with our on-prem subscription offering and the R&D had the fix that we had to share with our customers, we had to call every single customer and make sure that not only they got the e-mail, but they downloaded it and installed it. With SaaS, all of that happens way quicker. All of this higher customer satisfaction, less friction should generate higher customer lifetime value with increased renewal rates outcomes. The SaaS platform pricing. This slide is already what's aligned and how the sales force is selling our products today. As I said before, we're doubling down on the packaging, on the bundling. It simplifies the conversation for both the customer and our sales force. And the biggest change here versus the gold, silver and platinum bundle that we offered under the on-prem subscription offering, is that we're not allowing customers or our reps to sell individual SKUs. They're selling the package. So if you're buying SaaS for Windows, those 6 SKUs that you had to buy under the on-prem subscription are now 1 SKU, and you don't have the option to buy any of the SKUs individually. Same with the Office 365. If you wanted to buy it in on-prem subscription, you had the option to buy it individually. Under SaaS, that's not an option. That allows customers to utilize automation and see value within the product. SaaS metrics and how to measure success. 5 quarters ago, I started talking about ARR as the leading indicator. And yes, the previous transition was a financial transition. This is more of a business transition. But based on that third accounting example, that deal on the last day of the quarter, you can see that revenue will just be very noisy. And as we start converting our existing customers, we might see even more headwind on the revenue side. The pace of the transition will impact the way the revenue is treated in the short term. 
Now in Phase I, and I'll talk about that in a second, we're not targeting converting our existing customers. But if a customer wants to come and switch to SaaS, we will work with them. So the quicker the transition, the deeper the dip that you will see. That is why ARR and free cash flow are the north stars of this transition. But we want to add 1 additional one. When you think about the accounting slides, we had to introduce 1 more metric to judge our success. ARR contribution margin, which is ARR minus total non-GAAP expenses. We have been committed to our margin improvements. And the only way to judge our success and our commitment is through the ARR contribution margin. And that's why throughout this transition, we will provide this number annually. So let's talk about the new SaaS transitions KPIs. We're committed to transparency, and we're committed to walking you through this transition. We understand the puts and takes. We understand the complexity. We understand the fact that we're moving in a second time within less than 5 years. We understand all of that. We're here to walk you through that. We understand the complexity, and that's why we're going to provide SaaS mix on a quarterly and annual basis, ARR contribution margin on an annual basis. We'll provide color on the conversion progress on a quarterly and annual basis and we'll provide the subscription customer count on an annual basis. Timeline for the SaaS transition. Phase 1 should take anywhere between 1 to 2 years. Again, no forced conversion with our existing customers, but if any of them want to switch, we will work with them. Phase 2, between 3 to 4 years, targeting existing customers, starting that towards the end of Phase I. Now 1 important assumption that we have built in is that Phase 2 will have linear conversion of our existing customers throughout the period. 
Completing a transition for us is having anywhere between 70% to 90% of ARR coming from SaaS -- our base case scenario that we're modeling right now is 5 years. How to think about the ARR conversion uplift. So as I spoke about this before, ARR uplift for the on-prem subscription is 25% to 30% at list price. On the perpetual of maintenance, as I said, it's a different beast. We're not factoring any of that uplift into our model and plan to get to $1 billion of ARR. The price list uplift is 2.5x to 3x. Capital allocation and long-term financial model. Now that I covered how we should look at the SaaS transition and how it impacts the business from a financial perspective, I'd like to spend some time on how we think about the capital allocation and how the financial profile of the company should look exiting the transition. So I'm sure all of you, for those who haven't been here on this planet, over the last week, this won't be relevant for all the rest. We don't have an SVB bank account, Signature Bank account and First Republic Bank account. And I hope that's where that list ends. In terms of cash, we have approximately $730 million of cash on the balance sheet and our free cash flow expectation for 2023 is $20 million to $25 million. In terms of capital allocation, we're planning to reinvest in the business through R&D and other organic initiatives to deepen our competitive moat and grow our market. In terms of acquisitions, as I said before, M&A is not part of a necessary requirement in order to get to that $1 billion target. But if we see an opportunity, it would probably be on the technological side as a tuck-in acquisition. We constantly evaluate the build versus buy. Other capital allocation, share repurchase. We just announced in Q4 a $100 million share repurchase, and we repurchased 56 million shares at an average price -- $56 million at an average price of $19 a share. The other capital allocation is debt reduction, which we constantly evaluate. 
And this is the slide you've all been waiting for. We're targeting the Rule of 40 as we exit the transition. Now the Rule of 40 for us is defined as ARR and ARR contribution margin. So as you can see, ARR growth will be at the -- as we exit the transition in 2027 in the midpoint, 20%. Gross margin will come down in line with other SaaS companies because of the compute cost, but we will gain significant efficiencies with some of the other departments, the support, the R&D, customer success, sales and marketing. By the way, the gross margins are expected to come down in a very linear way. We don't see a significant dip and then margins coming up. We just see it constantly coming slightly down to those levels. R&D, we expect to go from 27% as we finish 2022 out of ARR to high teens 18% to 20% as we exit the transition. And that should come from moving gradually to that 1 code that I talked about before. It will still be elevated in the first part of the transition. But as we come towards the end of the transition, we expect that to come down. Sales and marketing, we see that coming down from 47% to 34%, 35% of ARR and we see that improved leverage coming from efficiencies in the selling process, shorter sales cycles, higher productivity of our sales force. G&A, we see that coming down from 9% on to 6% to 7% because the growth in G&A is obviously in smaller rate than the top line. The overall ARR contribution margin will be higher in the midpoint being at 20%. And as I mentioned previously, that's driven by scale, productivity and efficiency. In summary, the SaaS transition is expected to be transformational for this company. We've invested heavily in that technology in order to provide automated outcomes for our customers. Our building blocks for growth are market expansion, which should come through new logos in existing markets and greenfield opportunities that opens up with our SaaS offering. 
We have another growth factor, which is expansion within our existing customer base. And our SaaS transition provides an uplift within our installed base. We're extremely excited to announce a date 2027 for our $1 billion ARR. All that we have done over the last couple of years, the 2019 transition and the 2023 SaaS transition, all of that has 1 purpose, providing value to our customers and we want to get through that to our $1 billion target in 2027. Thanks very much. I hope this has provided some better understanding for all of you of how we look at this transition. We're going to set up a Q&A in the next couple of minutes, and we'll be happy to take your questions. I'm just going to go through the slide on the appendix so everyone can see that as well. That's for you, Doug.

Unknown Attendee

attendee
#6

All right. And now we'll take some questions from the audience.

Hamza Fodderwala

analyst
#7

Hamza Fodderwala of Morgan Stanley. Guy, I had a couple of questions for you. One is, why not assume any conversion from the existing maintenance base, I think that would add about $150 million to $200 million of ARR. And then secondly, assuming the transition does occur in that 5-year time frame from 2027. At what point will we see revenue growth reaccelerate? And when would we see the margin leverage really start to come through?

Guy Melamed

executive
#8

So 2 very good questions. In terms of the first question, why wouldn't we bake in any maintenance of perpetual into this model, those customers are very different. Many of them bought Varonis prior to 2016 when we came out with so many of the automated licenses and many of them have 1, 2 or 3 licenses, and that's it. One of the things that we have analyzed is that it's easier to take a customer from 5, 6 licenses to double-digit number of licenses, than get a customer from 1 or 2 to 5. And the reason for that is because they don't know what we are doing. They bought Varonis for a very different reason in the past before we provided the automation. So we wanted to make sure that we take kind of a responsible approach as we think about it. Some of them, I'm sure we'll be able to convert, but some we might just have to leave as is. So we wanted to make sure that we bake that in. We don't have to convert them in order to get to that $1 billion ARR target and get to that 70% to 90% of SaaS that we're expecting. And that's why those were the assumptions that we baked in when we did that. Second question, remind me?

Hamza Fodderwala

analyst
#9

When will we see the revenue growth?

Guy Melamed

executive
#10

Revenue. Okay. So the highlight sentence is ARR and free cash flow are the north stars of this transition. And revenue will be very noisy. Now it really depends on the pace of the transition. The quicker the transition the more headwind you'll see on the revenue. And the pace of the conversion of existing customers will also impact the revenue number. So when you think about Phase 1 and Phase 2 revenue will have the majority of the headwind at the first year of Phase 1 and then at the first year of Phase 2 but that could change if the percentage of conversion moves. So if Phase 2 isn't linear, but it's more weighted to 1 year versus the other, you'll get more headwinds. And that's why it becomes extremely complex. You wanted to keep it very simple and clear. And that's why ARR, it won't matter how we convert our existing customers or how we sell how -- what's the percentage of new customers that we sell SaaS to. ARR will still hopefully continue to increase over time and won't be impacted. I hope that answers the question.

Saket Kalia

analyst
#11

Great. Thanks. Saket Kalia at Barclays. Thanks as well for hosting this session. Very helpful. Guy, maybe staying with you. Converting the existing term customer base, I think, is 1 aspect of this transition. Can you just talk about some of the levers that you have to encourage that transition while also still capturing that uplift? And then relatedly, can you just talk about the pace of those conversions as you look at Phase 2?

Guy Melamed

executive
#12

So I'll start with the second part of the question. The pace that we see Phase 2 occurring is just linear throughout that period. The ability and the customers would want to consume the SaaS offering because they get automation. They get the outcomes in a much simpler way. And Yaki and Brian can talk more about the elements of the SaaS offering and how beneficial it is for our customers. But overall, we believe that we will be able to address that when we get to Phase 2. This year, we're focused on Phase 1. We've already seen customers that ask us, existing customers that ask us about the SaaS offering. We're not targeting that conversion, but any customer that wants that conversion, we will work with them, we won't delay that.

Yakov Faitelson

executive
#13

The testimony that you saw in Brian's presentation from the customer from AVX, he was an OPS customer that we transitioned to SaaS. But we'll talk more about it when we start to do it. We build the machinery around the overall transition. But in the heart of everything, it's just the value proposition for customers. Once they use it, it's just -- it's a no-brainer for them. But there is just a lot of operations that are going on around it. But in terms of the value, the overall value proposition, it's just 19 days, something that is completely different from the time in story, the value that you need, the effort that you need to put in. But like everything, we'll start. We know how we execute, to make sure that we understand how everything works. We build machinery around it, and we go all in.

Alex Henderson

analyst
#14

Great. Alex Henderson at Needham. And congratulations to your stock legs. You're saying it's up 8% this morning. So somebody is enjoying it. I was hoping you could talk a little bit about the model transition in terms of the mix between new customers and existing customers. It seems pretty clear that what you're saying about the SaaS cloud is that it's targeting a higher rate of new customer wins. And conversely, does that negatively impact the net retention numbers over the short term as the focus is more on new customers? And then second, if you could talk a little bit about what you think the conversion rate long term of your existing customer base will look like and the degree to which you're supporting that existing customer base with any new features over the next 4, 5 years or whether you're back only are spending on the cloud functionality as opposed to the existing on-prem functionality.

Yakov Faitelson

executive
#15

Most of the advancements will definitely -- will happen in the cloud. New customers are always a focus for us. It's also need to be the right customers. You know that really the most of the focus on the 1000-plus customers, and it works very well for us. I think in terms of the overall value proposition for most customers, it's just a no-brainer that they move to the SaaS, but it is a gradual process. And it's always our customer success, the company is intensely focused on the customer to make sure that the current customers with the on-prem, it works very well for them. Most of the new customers, over time, it needs to be the SaaS platform. But we are definitely here in order to make sure that we are building SaaS company. Like this is the direction. This is where we're going.

Guy Melamed

executive
#16

And I want to address the expansion within the existing customer base. The average number of licenses that we have today for Varonis customers is 6. And one of the things that we have said for a long, long time is that more is more. The more licenses you buy, the more automation you get, the higher the customer satisfaction, the higher your desire to come back and buy more. So when you take those 6 licenses and just assume that they're covering Windows under SaaS. And now they want to cover Office 365, they will get to that double-digit number of licenses by double -- almost doubling their ARR. So there's a tremendous opportunity for us even with larger lands to be able to extract more meat on the bone that we have with our existing customers.

Yakov Faitelson

executive
#17

And this is also before you take out of consideration, everything that related to DA Cloud, if you see the coverage there, almost every Varonis customer is between 3 to 8 platforms that we can cover, and this is starting to be part of the sales motion, and we believe that it will go very well.

Roger Boyd

analyst
#18

Roger Boyd with UBS. Just thinking about the customer addressable market. I mean -- you noted the 3 equations -- or 3 parts of the growth algorithm. Just how do you think about new logo growth in the context of that, thinking about the last semi disclosed customer count was around 7,000 in 2019. You're now talking about 4,000-plus high-quality customers. How do you think about what that could grow to over the next 5 years?

Guy Melamed

executive
#19

The customers as we count them today are subscription customers because they're getting that automation component, and we see how they can extract value with our platform. When you think about kind of the TAM, the total addressable market, this is a problem that every organization needs to take care of. So there's a lot of things that keep me up at night. What doesn't keep me up at night is this opportunity in the TAM. We can address so much greenfield opportunity with customers that we haven't touched before. SaaS opens up a tremendous opportunity to address that with a new offering because it eliminates 2 of the biggest items that we will get pushed back on. Item number 1 is we don't have hardware or we don't want to deal with hardware. And item number 2 is we don't have the people and/or the time. So with the SaaS offering, we expect to be able to target more of that greenfield opportunity over time.

Yakov Faitelson

executive
#20

But also with the coverage, there are just so many ways to get in. Just think about sheer size of salesforce.com -- the object store, just Azure and S3. And I would just say that these are massive data lakes. And if you look at big breaches and big exposure, this is where they are happening. So we know how to deal with these massive data sets and really fix the problem completely. Once you can show that it's frictional, you provide visibility and fix the problems. And the other thing that is beautiful about it is what we said. It's -- we really want this 1,000-plus customers, but relatively, enterprises that are not big with 2,000, 3,000 users can spend a lot of money with us now, which -- this is also -- it has a lot of potential.

Joseph Gallo

analyst
#21

Joe Gallo from Jefferies. Really appreciate the question. And I appreciate the Microsoft 365 disclosure. If I can dare ask for more, how should we think about the growth rate of that versus the rest of the business and what the eventual penetration for that can be?

Yakov Faitelson

executive
#22

It's -- the Office 365, it is just -- everybody using it and it gears toward collaboration. It's great for collaboration, but it generates tremendous risk. Like what is -- when you are using Teams, what just team does, it's crazy because it's an abstraction layer that changes OneDrive and SharePoint and Azure AD and a lot of critical data goes in the channel. We just think that with the automation and a lot of the automation we provided, the robotics are on 365. And there you can really do it with because you don't have application and stuff like that completely automatically. This is really the biggest attack surface that matters the most. So I really -- virtually, I don't see 365 account that will not need it. But there is the sales motion and everything, but it works very well. We make everything the practical to practical labeling, and we just works very well and in my opinion, add tremendous value in this ecosystem.

Unknown Analyst

analyst
#23

This is [indiscernible] from RBC. So when thinking about the long-term operating model, you talked about 24 months of macro uncertainty initially. How should we think about the pace of recovery baked into the $1 billion target beyond that 24-month time frame? And then geographically, what assumptions have you baked into the guide in terms of the pace of recovery in the different regions?

Guy Melamed

executive
#24

So when you think about kind of the color we gave for 2023, that's out there. And kind of just to reiterate what we already said in our previous earnings call, for 2023, we baked in some assumptions on deteriorating macro conditions. Longer period in Europe versus what we saw in 2022, we saw that baked also kind of seeing some of that macroeconomic challenges moving to North America. All of that is baked into our 2023 numbers. We baked in a lot of things that could go wrong. Hopefully, not all of them do go wrong. And then in 2024, we kind of assumed the same continuation for 2023. Now we've given a 5-year model. So there's a lot of things that can happen in 5 years. But where we sit today, we felt that the right thing to do with everything that's happening in the world is assumed 2 years of macroeconomic challenges. And then gradually, things become better. The pace of that and the exact timing are yet to be determined, but we feel very confident with the numbers that we put out there.

Yakov Faitelson

executive
#25

It's hard to predict the overall economic future. We are not economists. But what we do know is that this whole modern economy is completely driven by data and almost regardless of what will happen for modern organization to survive and thrive, you need to protect your data. We essentially became each other information banks, and we just saw last week what happened when we don't have trust. And in order for organization to really function in the digital world, you need to protect data. And for us, we are intensely focused on the most efficient way to do it. And the other thing we want to make sure that our customers as much as possible, this is the north star, we'll be able to do it without effort. And this is changing the game completely. What we have done is we just took everything that we learned and when we went the subscription, we build all these customer success functionality that works extremely well. They think very high renewal rate for an on-prem platform. We make sure -- and we're really designing it and we said, how our customers can achieve tremendous goals without any friction. I believe if we will be able to do it relatively to other things, we can do very well in a hard environment because whatever will happen, I just don't see an environment that people -- regardless of what we'll have economically, geopolitically, that you don't need to protect your critical data, and you constantly will not have this tension between productivity and security. The main thing is to do it with complete automation. If you will do that, I also believe that it will be much easier for organization, also in hard times to allocate a lot of -- just a lot of funding for this kind of solution.

Unknown Analyst

analyst
#26

Got it. And then how are you thinking about the federal vertical? And then how -- what are the assumptions around that when you think about the $1 billion target?

Yakov Faitelson

executive
#27

The assumption is that it will be the same size of business that it is now for us, the federal government has a lot of critical data and trust me. Many people want it. So I think that it's a big opportunity for us.

Erik Suppiger

analyst
#28

Erik Suppiger, JMP Securities. One, I guess, for Brian, just -- where is your SaaS cloud? Is it in your own data centers? Or how have you looked at it in terms of using the public cloud? And what is the build out of that? What -- how much further building do you need? Or are you at capacity at this point?

Guy Melamed

executive
#29

Capacity is the wrong way to think about it. So it's split between Azure and AWS. Where we've got an Azure, we're using Azure in North America and now Western Europe, and we'll expand to other geos as we expand other customer bases in those regions who have requirements to have their infrastructure and specific geolocation requirements. But it's not about capacity. We're built out. We're ready to support our customers.

Erik Suppiger

analyst
#30

Okay. And then maybe for either of you. The sales force turnover is a little bit of a surprise, just given that it's hard for me to imagine today that a salesperson wants to stay with an on-prem subscription versus selling a SaaS. So I'm curious how much turnover are you assuming in your sales organization? And what have you seen at this point? Because we're a quarter in almost, what kind of turnover have you seen so far?

Guy Melamed

executive
#31

So you're absolutely right. I think that when you think about how better the product is and how much value we can provide our customers through the SaaS offering, it is a no-brainer. But you could say the same thing moving from perpetual to on-prem subscription, and we still saw elevated turnover. I think it doesn't necessarily have to do with the technology. It just has to do with some people within the organization that are more resistant to change. But I can say that overall, the majority of our reps are fully onboard, fully understand the benefits of this to our customers and for us as an organization. When we analyzed kind of lessons learned from the previous transition, we saw that elevated turnover happened in the first 6 months of the year. So it wasn't necessarily concentrated in January or February, but it was more in that first 6-month period. And when we try to bake in kind of assumptions, we wanted to take those lessons and implement that. I don't know if it happens, but we wanted to factor that in. As we move through the year, we'll provide color on what we see, but we wanted to put that as part of the assumptions.

Erik Suppiger

analyst
#32

Do you think that's conservative? Are you being particularly conservative? What's your assumptions?

Guy Melamed

executive
#33

I think that in the assumptions that we took, there were a lot of things that could go wrong. Not all of them will go wrong, but I do want to emphasize that the first 6 months are the period that would have the most friction. So H1 of 2023 is where you'll see that friction. And it's not just the turnover. It's also the fact that reps will want to go back to their customers that had a sales conversation already and try and convert them to SaaS. It's better for the customer and it's better for us. And every time you introduce a new concept to a deal in flight, you're adding turbulence. And we wanted to assume that -- and by the way, we saw that as well when we moved from perpetual to on-prem subscription. So we wanted to take the same assumption and implement that.

Yakov Faitelson

executive
#34

Forget when we moved to SaaS, these are different contracts and you need to change it, you need to explain how it works and you have a security assessment. So it's always -- and it's much better for the customers and it's much better for us. So it makes sense to take some friction and just to make sure that it's working. And you have -- we are doing everything with these POCs. You have so much pipeline. So it just...

Erik Suppiger

analyst
#35

Yes. Yes. The deals [indiscernible] I was more thinking about the sales force.

Yakov Faitelson

executive
#36

It's another risk factor that we don't know if we'll have it, but we took under consideration to make sure we are guiding in a responsible way.

Brian Essex

analyst
#37

Brian Essex from JPMorgan. And I think a lot of the stuff that you've kind of laid out here makes a lot of sense, and we've seen it proven across many different vendors, the benefits of the SaaS delivery model for both vendor and the customers. I guess the question is, if we think about existing customers currently on term license agreements, what kind of consideration did you make for customers that may want to move. And particularly in this environment where we have a lot of macro issues, and it is easier to sell into existing customers. Is there a way to maybe incentivize existing customers maybe from a credit-based program, so it's not economically more challenging to migrate to SaaS in a, I guess, more expeditious manner than waiting a couple of years before you kind of incentivize it. Just want to understand kind of the potential there for maybe pivoting to your installed base and accelerating that conversion process?

Yakov Faitelson

executive
#38

So we'll discuss more Phase 2 when we'll do it in a more systematic way. Now it's the focus is more on new customers. But overall, the total cost of ownership in the SaaS is a no-brainer. So you're going to a customer, we have this calculator, you just plug in and it's very credible and you see how much it costs them in terms of hardware, software people versus the cloud, it's a no-brainer for them. We definitely can use the cloud providers also a credit system to make sure that it's easier for the customers to buy. So there are just a lot of incentives from all over -- from the value proposition itself, the total cost of ownership and the ability to use Azure and AWS credits.

Guy Melamed

executive
#39

I just want to add 1 more thing. When we laid out kind of the time line, we talked about Phase 1 being 1 to 2 years and then Phase 2 kind of starting towards the end of Phase 1 and kind of lasting for 3 to 4 years. Some of the logic behind that is that when we sell on-prem subscription, we sell a 3-year deal. And if in 2023, you have a customer that bought or renewed or even upsell, the first time legally from a contractual perspective, you can reach out and talk about that conversion is 2026. So that's also baked in as part of our Phase 2 assumptions. However, there could be situations where a customer says, "We don't want to wait. We want to move quicker." And we know how to do that and work with the customer in order to make sure that they're happy and it makes sense economically.

Andrew Nowinski

analyst
#40

Andy Nowinski with Wells Fargo. Maybe just to start with a clarification. So I think you said the completion of the transition is when total ARR reaches 70% to 90% or SaaS is 70%, 90% of that? Or is that net new ARR?

Guy Melamed

executive
#41

No, no. We took a base case of completing this transition within 5 years and completion of a transition for us is having 70% to 90% of total ARR being -- coming from SaaS.

Andrew Nowinski

analyst
#42

Yes, that's all right. Okay. And then I also wanted to ask about -- you said ARR and free cash flow are the north stars of the transition. So I guess why not -- when you measure that in terms of the Rule of 40, why not use the standard calculation with free cash flow margin as part of it?

Guy Melamed

executive
#43

It's a very good question. So when we wanted to show kind of our commitment in managing expenses, we used ARR contribution margin because the only difference between the free cash flow and the ARR contribution margin, the biggest factor is taxes. And when you think about the 174 tax section that is coming into place, we just wanted to make sure that everyone is kind of apples-to-apples and you see what the commitment of the organization is to improving the leverage. That was probably the only reason we didn't use the free cash flow.

Hugh Cunningham

analyst
#44

Hugh Cunningham with TD Cowen. First question is regarding the group of customers that are only purchasing 1 to 3 solutions. Why isn't that compelling argument that you made for the cloud working on them? What's the difference there?

Guy Melamed

executive
#45

So I didn't say it's not a compelling argument. I said that the customers that purchased mostly 1, 2 or 3 licenses are customers that purchased Varonis prior to 2016, before we came out with the significant number of licenses that were geared towards automation, and most of them, and they're all maintenance of perpetual customers. So they bought us for a specific use case. It could be as an auditing tool, and they don't fully understand how Varonis has evolved. We're still going to target them, but we're targeting them as new customers that we need to show value. And when we add them in, they will be part of our subscription customers that we talk about.

Hugh Cunningham

analyst
#46

Okay. And then in terms of growth, as we look forward. So we should see another sort of -- when Phase 2 kicks in, should we see another deceleration in revenue growth just because of the shift from existing customers?

Guy Melamed

executive
#47

So there's a lot of moving parts and revenue will be very noisy throughout this transition, really dependent on what is the pace of the transition. And I want to be very careful with defining an exact percentage of revenue just because there's so many moving parts. That's why we're trying to simplify things and talking about ARR because if you sell on-prem subscription or SaaS, ARR is the same number. And that's why it's very, very clear that ARR is the leading indicator throughout this transition. Revenue will get noisy. We'll obviously give color on the conversion on a quarterly and annual basis. So investors and analysts can understand how things would have looked otherwise. But conceptually, ARR is the way to go as a leading indicator throughout this transition.

Hugh Cunningham

analyst
#48

Do you have that a little bit delay on the cash flow side when you switch from?

Guy Melamed

executive
#49

So that's a very good question, and I want to clarify that. When we sell on-prem subscription today, we collect the deals annually in advance. And as we sell it as SaaS, it will be the exact same collection method. So that's why ARR and free cash flow are the leading indicators and the north stars of this transition.

Hugh Cunningham

analyst
#50

Right. One last confirmation. You're still looking for 15% mix of SaaS for '23? Is that the number correct?

Guy Melamed

executive
#51

Correct.

Unknown Analyst

analyst
#52

[ Mattel Mohalik ] here from William Blair. Just wondering, as you work through the SaaS transition, how do you see the competitive landscape changing at all?

Yakov Faitelson

executive
#53

It's exactly as Brian said. I think that at this point, we are the only complete data protection platform in the market that does these 3 things. But there are people that try to do some kind of classification and logging and reports, but in order to remediate to do automated remediation, usable, very accurate classification at scale and this proactive threat detection and response, which is the holy grail that is data-oriented. At this point, we are the only solution in the marketplace.

Brian Vecci

executive
#54

It's also important to note, our technical moat was huge beforehand. You asked specifically about the SaaS transition because we can innovate so much more quickly now and because there's so much less friction with customers to actually using all that innovation and getting value more quickly. Our technical moat is just going to accelerate. So we don't have any direct competition now and it's less likely to change.

Yakov Faitelson

executive
#55

As we said before, we have a real treasure with the metadata. The metadata for analysis, you know how it is in tech. You have the right data and if you can analyze it in the right way and mine it, you get tremendous results. And this is what we have thousands of customers and all this metadata that is going to the cloud in terms of threat detection, it's just, it's second to none.

Tim Perz

executive
#56

All right. Thank you all for coming today. I appreciate your interest in Varonis.

Yakov Faitelson

executive
#57

Thank you so much.

Guy Melamed

executive
#58

Thank you.

Brian Vecci

executive
#59

Thank you.
