Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

All right. Good afternoon, everybody. Thank you so much for being here this afternoon. I'm delighted to have the team from Varonis here. We have Guy Melamed, and Brian Vecci. Guy, obviously, the COO and CFO of Varonis; and Brian being the Field CTO. Brian, Guy, thank you so much for being here.

Thanks for having us.

Thank you.

And as a brief programming note before I begin, for important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures.

And with that, I thought I would just start off, level set, we might have some new faces in the audience, Brian, maybe if you can give us an overview of Varonis. You guys are unique in the cybersecurity space in that you sit at the intersection of data and security. So maybe just walk us through kind of -- yes.

Sure. So for those that are new, we're a security software company. Our software protects data. If you think about cybersecurity as layers of an onion, there's perimeters, there's devices, there's identity, we sit at the data. We help our organizations know what data they have and what's important and where it is. These days, you've got data on-premises, you've got data in the cloud. We monitor it, and we protect it automatically by making sure that data is not exposed to people and applications that don't need it. And if something ever does happen, you know about it quickly and can respond to it quickly.

Great. Very clear. Guy, maybe talk a little bit about the last few quarters. You obviously had a really strong Q4 to cap off the year. Can you go through some of the things that drove the strength that you saw and just the prioritization level towards data security?

I think in order to kind of understand where we are and even talk about Q4, just to point out that at the beginning of 2023, we announced the transition to SaaS in which we're providing the offering through a SaaS solution, which is a much better product. And it's actually evolving much quicker than we initially thought. The progression of the transition is happening quicker. We are seeing new customers adopting this, but also existing customers are embracing this and asking to convert to switch from the on-prem subscription offering to the SaaS offering, and that's happening in a natural way. We can talk more about that. I think in Q4, we saw very good adoption of both new and existing customers. I think what's exciting about where we are today is the -- there are a lot of tailwinds that are working in our favor, and we can talk about that as well. It's the SEC cybersecurity regulation that was recently introduced. We're talking about Copilot with the risks that, that is generating to companies that are trying to kind of move in that direction, and we are there to help. And also, a new offering that we came out with that we're now charging money for, we actually did that in 2023 with an incident response team. And now there is an MDDR offering, managed data and detection -- managed data detection and response team, where we're actually charging customers for the fact that we will alert them if anything abnormal is happening. So they can save on kind of the headcount that they need from their security team and reallocate those resources. And we're in a very unique position. I think a lot of things are working in our favor, and we're going to try and capitalize on that.

Got it. Yes, a lot of tailwinds, and I definitely want to dig into this. Brian, did you have something to say? I'm sorry.

No, no.

Okay. So maybe just before I go into that, last year -- at the beginning of last year, the macro was still a bit challenging. You talked about stabilization in the back half. What are you seeing so far in 2024? And kind of what's factored in your guidance from a broader macro perspective?

So we saw in the second part of 2023 the headline that we put to the macro environment with stabilization. We're seeing that -- we haven't seen the macro worsen. We haven't seen it improve. We're still seeing longer sales cycles and more deal scrutiny on every purchase. I don't think it relates to security per se. I think any software purchase requires additional signatures to put pen to paper. But I think in where we are in the environment that's surrounding kind of with the hacking being more challenging, significant increase in the number of hackings going on and also the risk of having insiders be exposed to sensitive information that they shouldn't have access to is allowing us to benefit from the justification for the purchase. And I think what we have done is simplify the conversation with customers. Not only have we moved in the direction of consolidation of SKUs, where you don't have to go line by line on purchasing, but we're talking about outcomes. You need to buy this package in order to protect your organization, and that's working really well. And on top of that, when you think about kind of the MDDR offering and the fact that we are moving towards automation and simplification with the customer where all they need to do is pay, and we will let them know if anything abnormal is happening. It's very similar going back to kind of the way Brian described us. What we're trying to do, and I think what we're doing very well, is alerting customers. Just like credit card companies, we'll send you a text whenever there's an abnormal purchase, and all you need to do is click yes or no whether it's you or not. We do the exact same thing, but we do it with data. And the reason we can do it with data is because we can identify who is opening files, who's touching files, who's deleting files. And when you enter someone's taking over an account and logs in at 2:00 a.m. with a laptop that the organization doesn't recognize, with an IP that's associated with a nation that shouldn't have access to that account, and they're opening 10,000 files when they usually open 100 files, and those files that they are opening are the most sensitive files that the organization has, that gives full visibility that something abnormal is happening. And that's why I think we have the capability to provide so much value to our customers in protecting data.

Definitely a lot of secular tailwinds there. I think the thing that we're -- many of us are probably most excited about is around generative AI. So Brian, I'll shift the question to you. I cannot have a conversation with the CIO or CSO about GenAI without talking about data security and governance. How do you protect these models? How do you deploy them in a secure way? Can you talk a little bit about, number one, where does Varonis fit within that AI landscape as far as whether it's getting your data ready or post-deployment? And what are you seeing today from a pipeline perspective? And maybe I'll shift to you, Guy, here, around some of these GenAI deployments as it relates to your business.

It's a big set of questions. And you kind of set it up really well in that any conversation about GenAI or LLMs or productivity tools like Copilot is a conversation about data, right? That's -- that is what all of this technology is built on. So when you're -- when an organization is either planning to build internal LLMs to train data, they are worried about the protection of that data, the security of it. They want to make sure that only the right data is in those corpuses and in those training sets. They want to make sure that only the right people and especially applications have access to it. They want to monitor it to make sure that nothing inappropriate is happening with that data. I've just described everything that Varonis does to protect that data. Similarly, lots of enterprises are exploring productivity tools like Microsoft Copilot or Salesforce Einstein GPT, which can make their knowledge workers dramatically more productive but exploit all of the open access and sensitive data being available to people who don't need it and in the wrong place that we know every organization faces. These Copilots and other productivity tools that are based on LLMs can really create a massive amount of risk very, very quickly, and we help solve that problem quickly as well.

So just to touch -- you want to touch on the -- on how that's baked into guidance, and I think it also ties to your previous question on macro and guidance. So we talked a lot about the tailwinds that we're seeing, whether it's, I mentioned before, the SEC cybersecurity regulation, MDDR, Copilot. All of those are tailwinds that we've really never seen before. From a guidance perspective, because all of those are very new, we haven't baked in any positivity as part of our guidance. We want to see how this translates into data that we track. And then, obviously, we'll be happy to update things throughout the year as we see them progress. From a macro perspective, to tie back to the previous question, we kind of assume the stabilization continues throughout 2024. So I think from a guidance perspective, we kept the same philosophy that we've had in previous year, where we don't bake in any positivity before we see it translate into the numbers for us.

Just to put a cap on that, any company exploring generative AI needs to protect their data. There is no way to protect data at scale like using Varonis. Any company that's looking at AI needs us.

And I'll reemphasize that. Every company needs to protect data, whether they're using AI or not. Using AI actually puts a huge projector on the risks that they have. Because one of the things that we've seen is that people now put in the whole -- into the text box who received the salary increase in 2023, and they'll get the list immediately, which is scary from an organization's perspective. And we saw traders on the floor that actually clicked into the Copilot the list of all the 401(k)s of the entire employee organization, and they got that list immediately. So the risks, when you think about it, are huge. And Copilot just makes it scarier in seconds for the organizations, and they need to ensure that they're thinking about data before they actually roll it out.

Yes. It goes to my next question. When you think about the ramp of this, right, obviously, it's still early days of sales cycles, everything. You guys have a big marketing initiative kind of centered around is your organization Copilot-ready. So is this going to be something that is going to happen pre-deployment of Copilot and these GenAI tools? Or do you think it's going to happen more after the fact when customers do have that, "Oh, dang," moment, "My data is exposed?"

It's probably going to be a combination of both, but the #1 reason that companies aren't widely deploying Copilot is because of privacy and security, and they don't have a way to solve the problem. With us, in a month, you're ready to go. Everything is locked down. It's automatic. We have MDDR watching your data, looking at the Copilot prompts, making sure that you're properly protected. So I think thoughtful organizations, the ones that put security at the top of their list, are going to be using Varonis before they deploy Copilot. That said, there's always going to be situations where a company gets burned, and then they're going to come back later to try to fix the problems that we knew were probably there.

And just to add to that, one of the things that we're seeing is that the Copilot is definitely coming up in conversations with customers and -- but we haven't seen it deployed in mass scale. And that's definitely something that we're closely monitoring. I think eventually, it happens. It's just -- I think organizations want to make sure that they understand the consequences of how their data looks before they do it.

Got it. A couple of more AI questions, and then I kind of want to open up to the audience because it's such a big topic. You announced a partnership with -- or you expanded your partnership with Microsoft around securing Copilot. Can you, one, go into a little bit more detail there, Guy? What are sort of the high-level economics of that? What are you helping to solve?

So we've had a long-lasting partnership with Microsoft for many years now. But I think when you look at kind of the Copilot initiative that's happening as we speak, we've actually strengthened our partnership with Microsoft. They actually -- we've come out with a press release where Microsoft is quoted talking about kind of the risks of implementing Copilot without taking care of their data, and they actually mentioned that Varonis is a way to solve that. And I think it speaks volumes in terms of the partnership there. There's also a lot of marketing initiatives together that we do with them. But I think when you look at kind of the opportunity, it's not just with a Copilot. It's just the environment itself that's becoming riskier and riskier for customers, and we want to try and capitalize on that.

And then, Brian, why would a customer want a third-party independent data security vendor versus maybe going to the LLM provider or Microsoft to do the security for you?

Because there's nothing that does what we do. That's the simple answer. There's no way to get to the outcomes where data is not available to people who don't need it, that sensitive data is properly protected, that you minimize the time to detection and time to response for a threat, and that you can prove that you're compliant and that all your data is properly labeled to DLP works. There is no platform provider. There's no built-in tool that will solve those problems. That's why they come to us.

I know there's probably questions from the audience. So wait for a mic. Oh, we got a question in the corner here. Wait for the microphone.

[indiscernible] that is the most unique about what Varonis does. Is it the heterogeneity of the data sources? Is it the response time, the fact that you encapsulate data versus individual apps? I mean, which -- could you go into that a layer deeper just to make sure we understand?

Sure. I think the right way to think about what makes Varonis unique is that we're the only way to not only identify where there is sensitive data, to your point, across a variety of data sources and applications on-premises and in the cloud. We're the only way to do that at scale. Then, we're the only way to lock things down. So what we find, whenever we look at data and whether it's in Microsoft 365 or on a file system or in an application like Salesforce or GitHub or in cloud infrastructure like Amazon or Azure, we find data in places that it's not supposed to be, but it's accessible to people and applications that aren't supposed to have access to it. 40% of the data inside a company is open to literally every single employee. There's no way to solve that problem. So when I talk about outcomes, what we mean is, you deploy Varonis, not only do you know where you have problems, but we fix them automatically. And all the while, to use Guy's analogy, we're like the credit card company watching your statements. We're looking at every data touch, every time someone accesses something or creates it or shares it, anytime someone uses Copilot and creates a prompt that might be risky. And our team at MDDR is looking at all of those behaviors and all of those alerts. So when something goes wrong, we call you. There's no other way to do that. And when you think about how critical it is to make sure that your data is secure in a world where you're using generative AI-based tools and building LLMs that are presumably extremely valuable to you, if you don't get to those outcomes, if you don't secure your data and you don't reduce the time it takes to detect and respond to a threat, the company is at far greater risk than probably you'd even realize.

Got it. And also just a quick follow-up, I was curious how often, at least, to date, it gets more complicated with GenAI, but how often the external threats look like Guy's example, meaning somebody from another country at 2 in the morning accessing in tens of thousands of files, whatever the case is? I mean just how often is that the case versus something more [ than you want ]?

Probably more often than you realize. But it's not just external nation state actors. It's internal threats. There was a hospital system in North Carolina, we called them to let them know that a person on their IT team was looking at salary data in their HR directories before going into their annual reviews. We found a major U.S. city where their water system was currently under attack by a ransomware group, trying to lock it down so that they would get paid. It's cyber criminals, it's insider threats, it's nation state actors, also just people making mistakes. And with generative AI, you have more data than you ever had before. It's more valuable. And the tools for both insider threats and outside threat actors are more powerful than they've ever been. So the answer is probably more than you'd realize.

We've got one more question here.

So from the demand side, as you guys said, right, when it comes to GenAI and Copilot, it's coming up in every conversation, the need for security. On the supply side, you guys, as you said, Brian, sort of the only game in town. The question is like what opens up that floodgate, right? Like in terms of why -- when do we see that step function up where -- or what breaks? What are the catalysts that breaks that inertia in getting CIOs to just start deploying some of these tools?

So I think when you look at the guidance, and I'm going back to the guidance, we didn't bake in any of that inflection point happening within the year. Obviously, if we see things progress in that direction, we'll update throughout the year, but that's been our philosophy. I think when you look at the Copilot and it's not just Microsoft, I think that's an important emphasis as well, everyone is going in the direction of improving productivity. And when they -- when you look at kind of the big organizations, whether it's Salesforce that's coming out with Einstein or Google or even some of the other big companies that I don't think will leave this field untouched, it puts that emphasis and the risk on data being exposed. And that's why we've kind of -- we want to be there. And I think MDDR, with the simplicity that it provides customers and the value that it can provide them with securing data and alerting them if anything abnormal is happening is a big change in the way we talk to customers. The conversation is much simpler. The value that we can provide them is much greater. And that's all we've been trying to do for the last couple of years, focus on automation, consolidation in terms of providing them outcomes and not necessarily different separate SKUs. And that's just part of what we've been trying to do for quite some time.

[indiscernible] do you think that deployment time line, whether it's Microsoft Copilot or Einstein or whatever -- would you be disappointed if that was not a 2024 event? Or do you think that's kind of more like '25 event when we see that industry deployment happen?

So there's a lot of tailwinds that are working in our favor. And therefore, I'm not putting all of the eggs in one component, whether it's Copilot. I think the MDDR and the ability to go to customers and provide them that automated component of the software is a big deal that's in our control. I think the Copilot, if I had to be a betting man, would drive -- it will get to a point where there is mass distribution because it's Microsoft, and I think they -- there's a lot of value in the productivity gains that it provides employees. But like everything, you want to see it happen first and then you make the adjustments. We're ready for it to start now. But if it takes longer, we're there. We're not going anywhere.

Maybe let's talk about some of the other many tailwinds in your business beyond GenAI. MDDR, you mentioned that a few times. One, maybe just high level, what is that? What drew you to introduce that offering?

So it's something we've been doing for quite some time with our SaaS offering. We had a Proactive Incident Response team who would go to customers and have conversations with them about trying to analyze whenever something is happening that's abnormal. What we're doing right now is, just for that same service, trying to charge money and extract more dollars from customers, but we're doing it with a signed SLA that has a 30-minute ransomware alert. So obviously, it's a win-win for the customers as well because they get that SLA in place. When you think about 30 minutes, it's best-in-class in the industry. So it's definitely something that we're happy to provide customers. But I think it changes kind of the whole way the security team has to deal with the Varonis product because now, they can put resources into other focus areas, and all they need to do is pick up the phone when we call them if there's any abnormal behavior. And in a way, it's just -- it's a no-brainer for new customers, but it's also value that we can provide our existing customers when they convert from on-prem subscription to SaaS. And we have it as a bundle, where we either extract dollars by selling MDDR separately or it's part of a bundle, where if you buy additional licenses, you'll get MDDR at a reduced price. Either way, we don't care. As long as we can extract more dollars from the customers and provide them the value that I think we do with the MDDR, it's a win-win for everyone.

And then when you think about packaging the service, roughly, what kind of uplift could this be to existing deal size?

So it's very early on. We just introduced it a couple of months ago. So it's still early for me to put a number there. But as I said in my previous answer, we're trying to extract more dollars either through sales of additional licenses or by selling the MDDR at a higher price. The one important thing is that MDDR, we're not trying to be a service-type company. This is very much driven by automation in the software, where the alerting and the capabilities allow us. And kind of the goal of where we see this happening is that MDDR service will be software-type like margins. I think we can do that with the capabilities of the software. That's where we've kind of had the focus and really just switching the Proactive Incident Response team that did that in 2023 to the MDDR service in 2024, where we can charge for it and give those customers the SLA with a 30-minute ransomware. That's really the biggest difference.

Is a way to think about -- is it almost like a retainer within a subscription contract, where a portion of that contract will be ascribed to MDDR?

So we're selling it as a package. You need the software in order to get that service. You're not going to get that service without buying the licenses. And the licenses is what a lot of the automation within the license is what gives you the capabilities to do this. But now we would just call you up if we see anything abnormal and make sure that you take care of it.

It's important for everybody to realize that there's no MDDR without Varonis SaaS. We couldn't have done this in a self-hosted model, and you can't -- we couldn't -- we can't offer this service unless a customer has Varonis deployed. And the more Varonis they have deployed, the more valuable the MDDR is. Because you've got us looking at Windows data, and you got us looking at 365, why wouldn't you want us to call you if something happened inside Salesforce or inside Amazon or inside Azure, inside Google? So the more data you have, the more applications you have, the more valuable the MDDR is, the more opportunity we have to deploy Varonis in those places.

Got it. And that's a good segue to talking about the SaaS transition a little bit. So Varonis has been around for a while. Congratulations on 10 years as a public company recently.

Thank you.

So the SaaS product, you spent a couple of years developing and you're very thoughtful about it. I think over $100 million were spent to develop the product, and you really started to sell it early last year, a little bit late '22 as well. Can you talk about the benefits of SaaS, Brian, around you being able to cover more data sources, you being able to offer more services like MDDR? What is sort of the benefit from a product standpoint, from a functionality standpoint to Varonis?

If you think about the self-hosted model, the old -- kind of the old model, if we wanted to develop either support for a new data store, an application, even a new NaaS platform, or we wanted to offer more functionality like new automation or even new classification patterns or threat models, we would have to package that up and get it out to our customers. They'd have to install it, upgrade their environment, we'd have to go through testing, we'd have to go through rings of customers as we deploy this. A single feature or a single new data store that we supported might take months or up to a year or more for us to get to all of our customers. In the SaaS world, all that goes away. We develop something new. We push it to all of our customers immediately as soon as it's ready. We can have development teams working in parallel, so we can have multiple innovations going on at the same time. Our customers don't have to -- we don't have to worry about the sizing of their environment, the databases and the infrastructure. All that goes away because we're handling that on the SaaS side. So all of the friction for innovation, all of the friction for our customers getting value goes away for the most part, and that's why it's a better product. We had 15 major press releases last year for new features and functionality, major features and functionality, which is more than in the 10 years and in the years prior combined. It's a complete game changer for us from a technology standpoint.

And let's talk about the SaaS benefits from the company's perspective. There's a lot of productivity that we can generate through the SaaS offering. There's a lot of leverage in there. We expect sales cycles to be shorter through the SaaS offering, just by the introduction to customers and kind of the whole risk assessment process is much simpler. We expect renewal rates to be higher and better. And I think MDDR can actually help that as well because it makes the product stickier, not that -- our renewal rate's over 90%, but I think even if we can get increased percentage points there is beneficial. And obviously, when you think about kind of the benefits from a modeling perspective in kind of the P&L, we've been managing 2 types of codes: the on-prem subscription and the investments that we've done with SaaS. Look a couple of years ahead, and we're not talking about 2024 or 2025, but a couple of years ahead, we'll get to a point where you don't make the same investments in the on-prem subscription and maybe all your focus is on the SaaS. You get significant gains from an R&D perspective by managing one type of code only. So from a customer success perspective, PS support, the number of tickets with the SaaS -- customers that have SaaS has gone down significantly compared to customers that have on-prem subscription. Because we can fix things automatically through SaaS, and we don't have to go to every -- each individual customer and do it separately. So there's a ton of benefits for the organization in the SaaS selling. So it works well. The customers get a much better product, and we have the benefits in the financial model and the leverage going ahead.

Yes. And as far as the ROI delivered to the customer, Brian, walk us through sort of the infrastructure and headcount savings they may have when they move to SaaS product.

The infrastructure for the most part, goes away. You don't have to worry about databases. You don't have to worry about analysis servers. You don't have to worry about hardware. That's true for the risk assessments. We can get in faster. We can deliver value much faster. Because we've been able to innovate so much more quickly in SaaS, there's automation in the SaaS platform that never existed and will never exist in the self-hosted platform. That's how we can get you safe and ready to deploy Microsoft Copilot in a matter of weeks. That would be impossible in the old world. So from a customer perspective, they spend less time deploying it. They spend less money on the infrastructure. They spend less time operating it, a 90% reduction in support tickets. They get more automation. So they're able to get to these outcomes faster with less effort. They get MDDR and proactive incident response. It's a massive amount of value. One way to think about it is our customers are getting 10x the value with 10% of the effort.

Yes. And that, Guy, puts the uplift that you spoke about, about 20% to 30%, I believe, ASP uplift when you move to SaaS. It seems like that's more than justified by the cost savings. So is there a potential to get maybe more uplift? Or are you trying to incentivize the customer to buy more products?

There's two things to address with that question. I think, first of all, when we talk about apples-to-apples, the same number of licenses on on-prem to SaaS, it's that 25%, 30% uplift. But we have seen customers when they convert -- when they move from on-prem to SaaS, they actually are moving to a much larger platform purchase. So the actual uplift is higher than that 25% to 30% uplift. That's one component. The other component is that it's very important to note that even with that uplift that customers are paying, the total cost of ownership for them is lower. So they're saving money. Now do you make that uplift higher with -- from a price list perspective? Probably not because there's so much more for us to sell that you can extract more dollars by additional platform protection that you provide. And I think we've done that very well in the past. With the MDDR, I think we can increase the additional dollars we get from customers as well. So there's a lot of ways to extract more from customers. We're just trying to tie it together with additional value we provide them.

Yes. And the SaaS transition has been progressing, I think, much better than you thought. It's around 20% of total ARR now, I believe.

23%, yes.

23%, sorry. And talk to us why that was -- why you saw success maybe exceed beyond your expectations? And how are you thinking about now going after the existing customer base, not just the new? Is that starting to also convert as well?

Number one reason it's moving quicker is because it's a better product. That's first and foremost. I don't think we'd be able to move as quickly as we have if customers wouldn't understand the benefits of it, see the power that it has, and then see our existing customer base request to move to SaaS because they see the value. So we got to 23% at the end of 2023 because a large portion in dollar terms actually asked to convert to SaaS, which wasn't really part of our plan when we introduced kind of the SaaS offering. In our Investor Day in March of 2023, we talked about 2 phases. Phase #1 would be focusing on new customers, and then Phase 2 would be kind of focusing on the existing customers and asking them to convert to SaaS. We actually saw that happen throughout the year in a very natural way. We didn't put the focus on it. We saw customers come and ask to move, and we saw reps that would benefit from the uplift, they retired quota on anything that was on top of the renewal. So if we sold $100,000 of on-prem subscription and now they converted a customer and now they bought at $130,000, the $30,000 went towards that quota. So this kind of evolution that happened in a very natural way was beneficial for both our customers and both for us. And that's how we got to 23%. When we're talking about Phase 2 and the focus on converting customers, we just, in the last earning call, reduced the period of kind of the time that we would transition from 5 years to 4 years. We see that happening quicker because of all the things I've mentioned. And focusing on Phase 2 will happen throughout this year, probably more of a focus towards the second part of this year, but then we see acceleration, not only within the year, but within every single year going forward. So we expect 2025 conversions to be at a much higher number than 2024, and then 2026, higher than 2025. And I think that kind of as we look at that focus, we want to get -- we kind of define the transition being complete when we get between 70% to 90% of our ARR coming from SaaS. I think we have the ability to provide value to customers and get them to convert to SaaS, which would be beneficial from us from a financial perspective as well. So I think it's all working kind of in the right direction.

And do you foresee maybe considering any additional incentivization to convert that existing base? Or is it just happening more naturally, you let it slide?

So this was kind of a question that we contemplated throughout the year. I'll say that initially in 2023, when we just introduced the transition, the thought process was that we would put additional incentives in order to make reps focus on the conversion. But because we saw it happen in a natural way throughout the year, it didn't make sense to "throw money" in places that are happening naturally. And we wanted to make sure that we use our resources in the right way. So the reps are definitely benefiting from the conversions because they get the uplift towards their quota. There are carrots and sticks in the commission plan that would allow us to drive that behavior. If we see it continue to happen in kind of the natural way that we've seen, then there would be no need to make any adjustments. But if we do need to make adjustments, we will. So, so far, I think the focus and the benefits are clear, and it's happening in a natural way.

Got it. A couple of questions on profitability, and I'll open it up to the audience again. But what I've been surprised by is the margin leverage in the last couple of quarters, despite the fact that you have some headwinds on reported revenue because of the SaaS transition. Can you talk a little bit about what's driving that? And then when you're looking at assessing efficiency and margin progression during a SaaS transition, what are some of the metrics that, as investors, we should be looking at?

When we did the Investor Day, we talked about 3 North Stars, ARR, ARR contribution margin and free cash flow. Those, for us, are the most important metrics in order to gauge the health of the business. Revenue for the next couple of years would be nonsignificant in identifying the strength of the business just because of the way the revenue recognition is recognized with on-prem subscription versus SaaS. So ARR, ARR contribution margin and free cash flow. I think one of the things that I'm most proud of that we've done as an organization is increase our free cash flow so significantly even during the first year of a transition because obviously, there is additional investments that you have to put into play when you make a transition of this sort. Our free cash flow ended at roughly $54 million for 2024, and our guidance for -- in 2023, and the guidance for 2024 is to be between $70 million to $75 million free cash flow where in 2022, it was roughly breakeven. So I think one of the -- one of our philosophical ways of running the business was always to try and grow it, top line ARR improvement, but at the same time, bring some of it to the bottom line. And I think the ARR contribution margin has shown significant improvement and on top of that, start generating cash in a more meaningful way. The margins of the SaaS offering are very, very healthy, actually better than we initially expected. That's helping to drive some of the free cash flow that we're seeing there and the ARR contribution margin. It gives us a lot of room to make investments in other places that are very beneficial. When we look at the opportunity today and where we sit today compared to previous years, I think the long-term opportunity actually increased, which is part of the reason we're putting money to work in terms of our guidance when you look at the expense side for 2024. But the highlight is we want to grow, bring some of it to the bottom line and improve cash generation.

Any other questions from the audience?

What informs your view that the natural trajectory of uptake you're seeing is an ongoing phenomenon versus early adopters? And also, I'd just ask, what are the penalties in the event you don't meet the SLAs? And have you embedded that into your outlook?

So when you look at kind of the progression of the existing customers moving to SaaS, the one thing to keep in mind is that we have incentivized reps to sell on-prem subscription with a 3-year deal. And when you do that, not all of the customers can -- would convert prior to the renewal coming to an end. And therefore, from conversations that we have with customers, even ones that are locked in, in kind of the renewal period, many of them, and I'd say this, it's a natural transition to move to SaaS. I'd say the only customers that aren't moving to SaaS are state and government right now because they're waiting for the FedRAMP certification, which we're putting a lot of time and money and effort to try and get that. Apart from that, the customers want the better product. So that gives us the confidence that we can get there. It's just the conversations that we have. In terms of the SLA, obviously, there are legal items within the contract that give us the protection. But we understand that we're putting out a period there. 30 minutes is very short. I think it's a testament of how we feel about our product and the value that it can provide customers, but we do have the language in place for protection.

All right. Well, thank you, everyone, for joining us. Really exciting days ahead for Varonis. And thank you, Guy and Brian and everybody, for coming.

Thank you.

Thank you very much.

All right.