Varonis Systems, Inc. (VRNS) Earnings Call Transcript & Summary

All right. We will get going here. Thank you all for joining. I'm Roger Boyd. I cover cybersecurity here at UBS. Very happy to have the team from Varonis here, Guy Melamed, CFO and COO; and Brian Vecci, who's Field CTO. So thank you guys for being here.

Thank you.

Cool. We're going to do some fireside chat. I've got the iPad here. So if you have questions, feel free to submit them, and we'll try to weave them in. But maybe to get started, I know many people are familiar with the story, but a broader audience here. For the investors who are less familiar, can you maybe start with a quick overview of the platform, history of the company and kind of the use cases you've addressed and the ones you've expanded to address?

Sure. So Varonis is founded because enterprises of all kinds, public, private, big, small and every vertical struggle to protect data. They struggle to understand what data they have and where it is and what the risk is associated with it, who and what's got access to it? How is it being used? Where is sensitive data living in places it's not supposed to be. So we started 20 years ago because answering any of those questions, let alone doing anything about it was basically impossible on even small data sets in the enterprise. And over the years, we've expanded our coverage to cover everything from databases and SaaS applications to file systems and collaborative platforms. We reinvented our platform as a SaaS-first solution a few years ago. And so now Varonis is a SaaS company. And use cases are really visibility, understanding what data is where, reducing risk automatically and then minimizing how long it takes to detect and respond to threats. So catching threats quickly and minimizing any damage.

I think if I try and bring it home to the nontechnical folks, what we're trying to do is what the credit card companies did the fraud detection. Obviously, when people travel and they have a transaction that is abnormal, they get a text message. Is this you, yes or no? And the accuracy levels of those credit card companies is pretty amazing. The reason those credit card companies can identify if this is an abnormal transaction is because they track every single purchase that you have. They know where you buy, where you travel, who you're eating within the restaurant. And based on kind of putting all those pieces together, they can identify what's abnormal. We do the exact same thing with data because we see who touches files, who opens files, who deletes files and what files are sensitive, we can identify if someone touches a file that they usually never touch from a laptop that is unidentifiable to the organization, from an IP that usually doesn't get accessed at a time that is abnormal. When you put all these pieces together, we can identify if something abnormal is happening. So that's what we are trying to do.

Cool. Well, we'll come back to the bigger picture, but I wanted to jump in and tackle 3Q. You guys announced the change of the subscription transition, what you're doing with the on-prem customer base. Can you kind of just remind us what's going on there? And what you've seen from that kind of on-prem customer base since kind of that announcement last month?

So we'll start with our announcement to move to SaaS. That was at the beginning of 2023. We talked about -- initially, we talked about a 5-year plan on getting over and completing the transition, and we defined the transition to be complete when we get anywhere between 70% to 90% of ARR coming from SaaS. I can say that the first part of the transition went really, really well. We lowered the period from 5 years to 4 years. And then when we gave guidance for this year, we kind of lowered it to 3 years. So transition was progressing really well. In Q3, our on-prem subscription renewal rate didn't behave in the same fashion that we've seen. Historically, our renewal rates have been consistently over 90%. I will say that in Q1 and Q2 of this year, our renewal rates actually improved, which I think kind of threw us off. And what we actually saw is that in the last 2 weeks of the quarter in Q3, we started to see a lot of those customers that decided not to renew. We are in conversations with many of them. I think we can get some of them over to SaaS. But when we looked at what happened, there were basically 3 key elements that contributed to the underperformance on the on-prem subscription renewal rate. One of them had to do with customers that were single threaded, meaning they bought us initially for a specific use case, an auditing tool. They didn't get the full value of the platform. And then if they don't renew, nothing really bad happens the next day. And that was something that we identified as an element that impacted Q3. I do want to note that when we looked at Q1 and Q2, those single-threaded customers did convert and renew. So this was something that we didn't see coming, and it had an impact in Q3. The second element was sales execution. We did see some of the sales team that kind of reverted away from our game plan, including having QBRs with customers, making sure that they see the value, understanding what the benefits of SaaS are and what's the next step for them in their kind of journey with Varonis. And I think that in neglecting that -- those conversations with some of the on-prem subscription customers, it kind of generated additional friction that impacted those renewal rates. And the third element that we saw was additional deal scrutiny in the last 2 weeks when you kind of just look at the environment. I don't know if we can distinguish this from a macro perspective or anything else, but it was definitely something that we saw and we wanted to call it out. Sitting here today, looking at those 3 elements, they still are there. We haven't seen anything different in terms of the analysis that we have done, and we spent a lot of time in analyzing everything. One of the things that we did do is call the end of life of the on-prem subscription. We can talk more about that later. But we did that as an attempt. We only kind of pulled it up by 1 quarter. The plan was to announce it anyways at the beginning of 2026 during our SKO. But when we saw kind of the underperformance on the on-prem subscription renewal rate, we decided that we want to put it out there because obviously, investors would like to know what is the expectation for conversions in 2026. And I think it would be irresponsible to give them a number and announce the end of life at the same time and then have an additional point that can have an impact. So we felt that if we are going to give a number and kind of some sort of expectation for 2026, then we have to do it where everything is out there and all the data is known, and we can see the behavior in Q4, which is a large denominator and then kind of have a much better understanding of how things could look next year.

Yes. Makes sense. I appreciate the color there. I want to go back to the time line, and we did this the other week. But when you go back to what you guys talked about in 2023 when you first laid out the transition, you were kind of projecting around $200 million in ARR from SaaS by 2025. And today, you're closer to $600 million. And obviously, transitions have been a big part of that. But I wonder if you could talk a little bit about what you've seen in the SaaS business ex conversions. I think it's kind of gotten lost in the debate over 3Q, but I think it has outperformed your expectations. But if you could give any color there.

So I'll start by saying that it definitely outperformed our expectations. Our ability to shorten the transition period from 5 years to 4 years and then from 4 years to 3 years is a testament to how well the transition was going. And I absolutely agree with you that the on-prem subscription renewal rate kind of put a cloud on a business that is performing really well. The SaaS business is really hitting on all cylinders, and we feel very good about that business, which kind of brings the point that we understand that in 2026, we need to ensure that investors see the strength of the business through the SaaS and not have any of the on-prem subscription renewal rate overshadow our performance. So I think the focus in 2026 is going to be on providing the metrics to investors that allow them to see how the business is performing, how the business that is going forward is performing, not the one that's in the rearview mirror. And the rearview mirror is going to be done anyways by the end of 2026 because by December 31, 2026, we're going to have 0 non-SaaS ARR. So whatever impact we have on conversions, it's going to be short-lived. And we believe that we can drive this business on the SaaS front in a very healthy way.

Just to touch on that. You've talked about a SaaS net retention rate and the new logo growth, which is now almost all SaaS. Are there other metrics you're thinking about to help kind of frame the strength of this new business or...

So we're definitely playing around with what would make the most sense in providing color to investors. One idea that I think would make a lot of sense is just breaking out what is the SaaS number in each quarter, excluding conversions and then just putting that on top. And I think that would provide a lot of comfort to investors because I know in many cases, they wanted to know how the business is performing. This puts kind of the spotlight on the SaaS front, excluding conversions. And at the end of the day, when we have roughly $175 million of non-SaaS ARR with about 1/3 of it coming up for renewal in Q4, I think by the end of the year, we'll have a much better understanding of how 2026 is going to behave on that front, but that's not the focus. The focus is -- obviously, we're going to try and get everyone over, but the focus is to continue to drive a healthy SaaS business that can continue to grow and provide value to customers, and that's really at the forefront of everything.

Perfect. Cool. I want to get back to the bigger picture and get Brian back in the conversation. But a high-level question, how do you think about the demand level for data security? And there's a separate question here on AI. But even going back a couple of years ago, it really felt like you guys had to evangelize the space, and I think that's changed a lot. So can you just talk about what you've seen from a customer perspective, like the definition of data security budgets?

Well, the short answer is budgets are going up in data security. If it's not at the top of a CIO and a CISO's list of priorities, I would question why not. That's what an attacker is after. When we talk about insider threats, insider threats are after data. Data is where the damage is done. So that's where security priorities have aligned over the last few years, which is exactly what we've been predicting for a long time. The advent of Generative AI has only accelerated that. Generative AI is all based on data. It's based on learning from lots of data to build useful models that you can monetize. It's also based on giving people productivity tools like Microsoft Copilot that allow them to better use all of the data that they have access to. But if you're going to deploy those kinds of tools you better make sure that your data is secure. I've told the story a number of times, but one of the banks that we work with found that as soon as they gave Microsoft Copilot to one of their traders, the trader asked the question, what stocks do our employees invest in? And instead of getting a couple of paragraph summary like you'd expect from ChatGPT, got thousands of lines of names and social security numbers and positions of employee 401(k)s. That's exactly what companies want to avoid. They want to reap the benefits of all of this technology, the benefits of generative AI. They want their employees to be more productive. They want to monetize these data sets. But unless your data is secure, you're introducing far more risk than you can control. You can't get the benefits of AI without data security, which means data security is not the top of everybody's list.

Yes. Makes sense. I think what else got kind of lost last quarter was just the strength that you've had across the broader portfolio. And so features like AI security, MDDR, you launched a Copilot SKU a couple of quarters ago. What's the update on those? I mean, those sound like they're doing well. And again, kind of lost in the shuffle of last quarter's earnings. But what can you give us there?

Yes. I mean we didn't have to talk too much about them because SaaS is doing so well and the innovation, both through the acquisitions of Cyral, which adds database activity monitoring, gets us visibility and observability in places that we didn't have before. The acquisition of SlashNext get us next-generation modern email security and show me a data breach that doesn't involve an e-mail somewhere. Fishing is still in spear fishing, especially in the advent of ChatGPT and Microsoft copilot is still the primary threat vector. The right way to think about this is our product platform is going as far wide as we can. If you've got data and you've got infrastructure. We want to cover it. We want to give you visibility there. We also want to build useful automation. That means not just having coverage but also the right telemetry and automation to get these outcomes to make sure that data is protected. That you minimize threats without having to do a lot of work because the other key theme from every one of our customers is that they don't have the people to go and implement lots of new complicated technology. It needs to be automatic. So the various pieces of our platform that we've been adding and building are allowing more of our customers to do more of that with a lot less effort, and it's all going really well.

Cool. Just to touch on database activity monitoring and e-mail security. How do you frame like the near-term versus longer-term opportunities there? It sounds like DAM might be a little longer life, e-mail security contribute earlier. Is that the right way to think about it? And how do you think about sales enablement around those products? You're obviously growing the platform quite a bit.

I'll take the last part of that first. Sales enablement has been relatively straightforward with these additions to our platform because our reps and our team to get it. We're protecting data. This is all in service of protecting data. All of our customers have e-mail. All of our customers have e-mail security budgets. Now we can attach to those and do a risk assessment just on e-mail before expanding into a broader security platform. All of our customers that use us to protect their file systems on-premises and in the cloud, they all get databases too, and they've been asking us for coverage in databases. So database activity monitoring is another natural addition. So the sales enablement piece has not been -- I mean, it's always a priority, but it hasn't been a challenge. It hasn't been a roadblock. The reason that e-mail will probably contribute more quickly is only that it was a more mature product. whereas database activity monitoring, we are folding into our platform. That said, DAM is a -- for those that don't know, DAM is Database Activity Monitoring, DAM. That's how many billions of dollars of business that we can go attack and it's -- there are legacy players there that customers are ready to move on from. So it is a market that is ripe. And then with e-mails, again, everybody's got e-mail, everybody got an e-mail security budget. It allows us to do risk assessments in places that we didn't before more easily with less friction, while also allowing us not just to get to new logos, but then to expand our broader offering.

I want to talk about the e-mail security offering because I think it has to be seen in the context of MDDR. We are not going into the e-mail security as a stand-alone product. This is not kind of the direction we're going is just protecting e-mail. And I want to probably touch on how we got to the thinking of acquiring something that's related to e-mail security. So it really stems from the MDDR offering. When we analyze and we track this. And the MDDR offering is really when you think about it, it only started to be offered at the beginning of 2024, and it's been so well adopted. Obviously, with almost all of the new customers and definitely by many of the existing customers, we're not anywhere close to 100%, which we believe is the right number. We think every single customer should have the MDDR offering. And the MDDR offering is when you buy the platform, the alerts that are provided are analyzed by our engineers that know how to analyze those and make sure that the right alerts are being handled by the customer. So in a way, it helps the customer in a tremendous way where Brian talked about this before, they don't have the right increase in head count to deal with the sophistication of attacks. And also the alerts and the hackers are getting more sophisticated by the day. So this really helps in making sure that customers are better protected. When you see that so many of those attacks, attacks are coming from e-mail, by having an e-mail platform, you're providing way more value to your customer because you're not just protecting them, you're also showing them where it's initiated from and you can protect them one step quicker than what you would do otherwise. So I think the important emphasis I have here is that the e-mail security acquisition was done in the context of MDDRs and not as a stand-alone.

Yes. Makes sense. Cool. I wanted to press on DAM for a second longer. Can you talk about what makes that market so interesting to go out go at right now? And you mentioned there's some vendors in that space that you feel like aren't working for customers. But what does it take from your end? Do you have the suite today? I know you've expanded coverage to Snowflake and Databricks and Oracle and SQL. Like what else do you need to do on your end to be a competitor there?

I think it's -- we have the technology. It's integrating the acquisition of Cyral, which is database activity monitoring for on-premises, legacy databases, SQLs and Oracles and Postgres and MySQLs of the world. We have all of the coverage that we need both now and our near-term road map. What this allows us to do is not just replace the Da.m. tools that enterprises are currently using. They require a lot of OpEx. They don't -- customers generally don't use them to cover all of their databases. So it's a technology that is ripe for disruption. However, we're not just replacing DAM. Much like how Guy talked about us going into the e-mail space, it is valuable by itself but also in the context of our broader offering and especially with MDDR. Now we're monitoring databases, which allows us to perform behavior analytics on databases that we couldn't before, which allows us to also build automation for automatic risk reduction in addition to data classification. So what this does is it really expands the Varonis value proposition into new places. Our goal is, if you've got data, I don't care if it's in a file or a database or an application. I don't care if it's on-premises or in the cloud. I don't care if it's in a hyperscaler in your data center, we want to be able to protect it. And DAM is both a product category that we can disrupt while also giving us coverage and visibility where we need to have it.

I want to touch on U.S. federal. I think it came up a little bit short in 3Q, and you had some pretty specific comments about some of the issues that you saw there. Can you kind of rehash what happened? I know part of it was that you got FedRAMP earlier this year and maybe that introduced a little confusion to the buying process. But how do you think about the federal agencies as a vertical market going forward?

We believe there were 3 components that contributed to the shortfall in the federal business. One of them Dodge, I don't know how much of an impact that was. It probably wasn't the largest contributor to the shortfall, but it definitely didn't help. So that was one element. The second element was similar sales execution that we saw with some of the enterprise business sales teams that we saw in the federal, where they didn't have the same conversations with customers as they should have. But I think the third component, which probably had the largest impact was the timing of the FedRAMP certification. We got a moderate FedRAMP certification really at the beginning of Q2. And one of the things that is important to note is that sales cycles for the federal business are much longer. I think it probably generated more chaos in the sales campaign because now can you switch it to SaaS on time? And if you are trying to switch it, does it generate more turbulence within the deal? So I think the timing of it definitely didn't help us. We absolutely believe in the vertical, we think we can solve a lot of problems there. But to be fair, we have been underperforming in that vertical for a couple of years now. So what we decided to do is reduce some of the team and make sure that we can see productivity levels go back to kind of numbers that we expect to see and make sure that we put additional investments at the right place. But I think that the FedRAMP was the right thing to do because not only does it help you with the federal business, it also gives a lot of comfort to a lot of the enterprise customers that ask for the FedRAMP certification. So definitely was the right thing to do, but probably didn't help us in the Q3 sales cycle for that vertical.

Yes. Okay. I wanted to touch on competition. I get asked by investors all the time about competition for data security. For a while, it's very hard to kind of line up a truly competitive platform. I'd argue maybe that's changed a little bit in the last few years. You have some competitors in the private market are pretty vocal. How do you see competition? Has it changed at all? And conversely, has some of the new entrants in the space created a bigger kind of demand pull for you? And have there been deals where maybe others have initiated that you've come in and won?

Yes, that's happened a number of times, and it's great that other people are spending money on marketing for us at this point. Yes, there is a lot more investment in the space. And there's been a lot of acquisitions. What's happened -- there's a couple of things that have happened. So there are more players. We believe really strongly in our ability to execute outcomes matter in security. I don't really care when anybody says they can do. I care a lot more about what they prove that they can do, which is why we do our sales motion, our sales execution is actually running a real data risk assessment. Let's prove that we can scale. Let's prove that things are accurate. Let's prove that we deploy incredibly quickly without a lot of noise. That's why we -- that's why that's our motion. But what has changed in addition to lots of other players because it's data security is at the top of everybody's priority stack is Varonis now covers files and e-mails and databases. We cover the hyperscalers. We cover on-premises data. We cover cloud data, we cover SaaS applications. No one can touch us in coverage, which means if you're an enterprise and you have a project for DSPM or for compliance or privacy or for AI deployments or AI security, and you put it on an RFP, we're in those. We're in every fight now. We're not getting boxed out like we were a few years ago because we didn't cover databases, and we didn't cover some SaaS applications. Now because nobody can touch us in coverage and nobody deploys faster than us, and nobody is as accurate as we are. We need to be in every fight, and we are in every fight. And that's why sales execution is so important for us. We need to not only be in the RFP, we need to deploy and run a real risk assessment and prove that all of the capabilities that we offer that no other product offers, the automatic remediation, MDDR, in addition to the coverage we have. We have to prove -- we have to show a customer just how valuable that is and how quickly they realize that value. Just how much -- how quickly they can get to these outcomes without a lot of effort, it's so important for us to do that, and we can. And so our win rates haven't changed. You're probably right now that there's absolutely more competitive products, but there's still nothing that does what we do everywhere that we do it. And so the technical moat that we've built around us is big and continues to get bigger because there's more innovation in front of us than behind us.

I'm going to weave in a question from the audience just because I think it fits well. But how do you think about competition from the data resiliency backup vendors. And conversely, how do you think about that as part of a broader kind of data security platform, the data backup service?

I would never tell a CIO that they don't need backup, but I would also tell them backup is not security, just like Discovery is not security. So we haven't seen any of those players be credible competition for us. And many of our customers use backup and cyber resiliency providers and are very happy with those capabilities, but are still Varonis customers because, again, resiliency backup, that's not security.

Okay. Cool. Guy, you mentioned this before, but some of the customers that didn't close in 3Q are still in the pipeline. Can you just talk about kind of what the game plan is from here? Any -- have you seen any customers come back thus far in 4Q? And when you think about different verticals, federal, like are there anything to note there?

So we definitely saw some of the customers that actually did convert post Q3. And we're in conversations with -- still with many of those customers to find a path to get them over to SaaS. Obviously, we understand that not all of them are going to move. But I think that when we look at the behavior, we're definitely in conversations with a good chunk of those to get them over. I think the understanding for us that we are, by the end of next year, 100% SaaS business, hitting on the strength of the business and making sure that kind of what happened in the last 2 weeks of Q3 doesn't overshadow where we're planning to go. I think that was an important realization for us post kind of the unfortunate event of Q3. I think with that said, obviously, we just want to make sure that it doesn't overshadow the strength that we see in the business. In the past, we talked about a price uplift on getting customers over from on-prem to SaaS. I can tell you that we will do everything we can to get customers over to SaaS as quickly as possible. But obviously, without having any customer abuse on the situation, but at the end of the day, we just want to get them over, show them the value that they see with the SaaS platform. And then we can go back to them and show them additional platforms that they can come and purchase.

Cool. Maybe to close, you've talked about this goal of 20% growth, 20% ARR growth in the past. How, if all, has 3Q kind of changed that goal? And if it still stands, what does the path look like going forward? What needs to go right to hit that target?

So obviously, the on-prem subscription renewal rate was a bit of a curve ball for us in the last 2 weeks. But we wanted to see if this was a change in trend or if this was a one-off and that's why we said let's see how Q4 behaves. And then we can give more color on how 2026 will look like. I do want to note that obviously, we're going line by line, we're going with every single customer and having discussion on whether they will move or not. Some of them we understand they're not going to move to SaaS. And I think that's -- there's a lot of financial benefits for the organization of being fully SaaS at the end of 2026, whether it's less tickets on the support side, whether it's managing -- not having to manage 2 types of code. So there are -- it's not just the fact that the SaaS offering is significantly superior than the on-prem subscription and the value that we can provide customers is much more significant. It's also the financial benefit of not having the on-prem to manage and also the time cannibalization. You have to deal with way more issues with the on-prem subscription with your customers. And we want to make sure that we focus on what's right longer term.

Cool. Well, we'll wrap it there. Thank you all for attending. Thank you, Guy and Brian, for being here.

Thak you.

Thank you.