Venafi, Inc. (CYBR) Earnings Call Transcript & Summary
May 20, 2024
Earnings Call Speaker Segments
Operator
Good day. My name is Ellie, and I will be your conference operator for today. At this time, I would like to welcome everyone to the CyberArk signs definitive agreement to acquire Venafi conference call. [Operator Instructions] I'd now like to hand over the call to Shri Anantha, VP, Investor Relations. You may now begin the call.
Unknown Executive
Thank you, operator. Good morning. Thank you for joining us today to discuss the acquisition of Venafi. We are very excited about this announcement and looking forward to sharing the details with you. With me on the call today are Matt Cohen, our Chief Executive Officer; and Josh Siegel, our Chief Financial Officer. After prepared remarks, we will open up the call to a question-and-answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements, which reflect management's best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our proposed acquisition of Venafi and our actual results may differ materially from those discussed in these forward-looking statements. I also direct your attention to the risk factors referenced in today's press release and those contained in the company's annual report on Form 20-F filed with the U.S. Securities and Exchange Commission, both as posted on CyberArk's website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. For this call, we will also be making references to an updated investor presentation about Venafi acquisition and acts as a guide to the discussion on today's call. You can find the investor presentation on the IR section of our website as well as webcast of today's call. With that, I would like to turn the call over to our CEO, Matt Cohen.
Matthew Cohen
Thanks, Shri, and thanks, everyone, for joining the call today. We just announced the exciting news that we have entered into a definitive agreement to acquire Venafi, a leader in Machine Identity Management. This acquisition marks a significant milestone for CyberArk, enabling us to further our vision to secure every identity, human and machine, with the right level of privileged controls. Our combined solutions and expertise will uniquely address the growing identity security needs of global enterprises to secure the explosive growth of machine identities. These identities are increasingly leveraged in sophisticated cyber attacks. This acquisition is directly aligned to our mission of securing the world against cyber threats. But together, we can move fearlessly forward. By bringing together Venafi's market-leading capabilities in Machine Identity Management with CyberArk's secrets management solutions, we will deliver an end-to-end machine identity security platform at enterprise scale. We are confident this acquisition will help us set a new standard for machine identity security. It will also expand our total addressable market by 20% to approximately $60 billion. We have talked to you for a while about the explosion of machine identities. We have pointed to the increase in cloud computing and now the rise of AI as drivers of an exponential increase in the number of machines, such as workloads, applications, APIs, containers, bots and IoT devices. The number of machine-to-machine communications runs in the billions and easily outnumbers human communications by many orders of magnitude. To mitigate security risks, all machine identities need to be first discovered, then secured and then managed while seamlessly automating their life cycle. This is the only way to keep their connections and communication safe and all of this needs to be done at enterprise scale.
At RSA, just a couple of weeks ago, our leadership team and I met with hundreds of customers and partners over the course of the week. Securing machine identities came up time and time again in our discussions. Customers know that machine identities need to be secured to reduce risk and now with Venafi we can better address these growing customer requirements by providing a holistic approach to machine identity security when we combine CyberArk's and Venafi's best-in-class capabilities. Venafi is expected to bring approximately $150 million in ARR to CyberArk. They are a fully recurring revenue company. The SaaS component of their business, while newer is about 10% of their ARR and is growing faster than 100%. They also deliver strong profitability and cash flow. As you know, culture is important to CyberArk and Venafi is a strong fit. They bring world-class talent who shares CyberArk's customer-centric, people first culture and security-first mindset. The total transaction consideration is approximately $1.54 billion with a mix of cash and CyberArk stock. The deal is expected to close in the second half of 2024. Importantly, we expect the transaction to be accretive to margins immediately with significant revenue synergies through upsell, cross-sell and geographic expansion. Given the massive opportunity, our strong sales engine and the extensive machine identity use cases we will address, we believe that Venafi will grow its top line with or faster than CyberArk. Before Josh talks to you about the transaction details, I want to dive just a little bit deeper into the value proposition and the opportunity itself. Venafi is the category creator of machine identity management and is the at-scale leader in the market. Over the last few years, Venafi has developed a purpose-built cloud-native SaaS platform with broad capabilities to secure and manage modern machine identities.
They are trusted broadly by more than 550 customers, including the world's largest banks, insurers, retailers, airlines and consumer goods businesses. Venafi has built deep relationships with CISOs and CIOs within these organizations, which aligns perfectly with CyberArk's go-to-market motion and should help drive meaningful growth opportunities. Over the last few quarters, you've heard me talk about the fact that every organization today has a spectrum of identities, from the workforce to core IT to developers to machines. Access for each of these identities has its own unique level of risk and complexity, requiring different levels of controls. Our differentiation comes from our deep domain expertise and privileged access and how we are able to tailor privileged controls for each identity group to mitigate risk, doing all this for on-prem, hybrid and multi-cloud environments. The identity group, however, that is proliferating at the fastest rate and brings with it the most complexity is machines. Today, we are the leader in discovering and securing and managing the secret that these machines use to access data, infrastructure and systems. We do this at enterprise scale, bringing the security team and developer team together to provide a security-first solution that does not interfere with developer productivity. That said, as important as secrets are, they are just one component of the machine identity landscape. Venafi significantly extends our capabilities across more use cases beyond secrets management through certificate life cycle management, private public key infrastructure, IoT identity management and cryptographic code signing. Totally complementary, the combination allows the opportunity to bring to market a comprehensive security-first, developer-friendly machine identity platform. Let's go one step deeper into the complementary nature of our capabilities and the power of the combined solutions. 
Today, using CyberArk's secrets management solutions, Conjur and Secrets Hub, customers can secure the secrets used by machine identities. Our secrets management capabilities enable organizations to avoid the need to store secrets with an application and instead allows them to easily and securely access the required credentials from a centralized vault without disrupting developer workflows. When desired, we can even allow developers to use native secret stores and still get all the advantage of our centralized solution. This gives security teams the visibility and control they need by storing secrets natively in the cloud platform while not interfering with developer speed. However, securing and managing machine-to-machine communications requires different types of methods depending on the use case. For example, while secrets can be used for -- by target system for gaining secure access to resources, certificates on the other hand, can be used for encrypting communications in flight, signing documents and code and authenticating machines. And SSH Keys can be used in human to machine and machine-to-machine communications. Whether we are talking about secrets, certificates or SSH Keys, all need to be discovered, secured and managed. With this acquisition, we're bringing together Venafi's capabilities that span a broad spectrum of machine identity use cases with our core competency in secrets management to address the full spectrum of the machine identity security market. Throughout this session so far, I continually refer to the proliferation of machine identities and the complexity of discover and securing and managing them. I want to briefly discuss in more detail a few of the trends that are driving this reality. Cloud computing has expanded the attack surface, increasing the connectivity between humans and machines in a [indiscernible] world. 
Every workload, API, application container and IoT device is now connected and each connection point creates a potential vulnerability. As technology evolves, we have also seen a big increase in developer velocity as organizations leverage software like AI to remain competitive. The result is that machine identities outnumber human identities by more than 40 to 1. Given this backdrop, securing and managing machine identities at scale is a challenging task, especially in today's complex IT environments. As just one example, Google's proposal to reduce the validity of the average life cycle of TLS certificates from today's average of 398 days to a 90-day goal will put pressure on enterprise security teams to adopt modern solutions. Importantly, the shorter lifespan of certifications and increased regulatory frameworks means managing them in siloed systems or through manual processes no longer suffice today. Legacy approaches like manual spreadsheets, disparate open source tools and native platform tools leave organizations with insufficient visibility, context and automation to scale for the modern enterprise. In fact, many organizations can't see who's using keys and certificates, where or if any of the machine identities are nearing expiration. Outages caused by mismanaged or untracked identities, often lead to expensive downtime, ongoing customer dissatisfaction and increased cyber risk. Another way to describe all this, is that in a world of machine identity security, the world of machine identity security is at a breaking point. The risks are exponentially increasing and organizations must do things differently. There needs to be a paradigm shift. When you combine this market inflection with CyberArk's reach and scale, the opportunity to drive accelerated penetration into enterprise accounts is enormous. This is easily highlighted in the analysis of the TAM for this space. 
The machine identity management market, excluding secrets management, is estimated to be approximately $10 billion today. One of the exciting components of this market is the significant greenfield opportunity, both within the enterprise and small enterprise segments. We estimate more than 60% of the addressable market is untapped with many customers relying on spreadsheets, prior discontinued solutions or point solutions with limited functionality. Importantly, these solutions do not scale and become cost prohibitive with increasing volume and complexity of machine identities. Securing and managing machines fit squarely in our identity security framework. We have identified key opportunities to accelerate growth and capture this market opportunity. Venafi just like CyberArk has built deep relationships and has demonstrated its ability to sell into the office of the CISO. We have an extensive global channel that is ready and committed to CyberArk. These partners understand the market need for robust machine identity security solutions. And our global sales engine can help Venafi swiftly and effectively expand its reach beyond its current markets. We have a base of more than 8,800 customers who want to leverage our platform and extend their relationship with CyberArk and the vast majority of them are not using enterprise machine identity management today. Since 2021 our innovation engine and successful M&A strategy has tripled our addressable market opportunity from an estimated $20 billion to more than $60 billion today. You heard me mention that Venafi has great customers. So let's just walk through just a few examples of how Venafi has been able to solve machine identity security complexities. BP, a multinational oil and gas company, needed to move on from manual processes in order to scale and secure its digital business. 
With Venafi, they managed TLS and code signing certificates to stop unauthorized code across its global operations, reducing outages and freeing up resources as a result. Diebold Nixdorf, a global banking and retail technology solutions provider, had a problem protecting digital transactions. Venafi replaced legacy PKI with modern SaaS, giving customers one control plane across its teams and regions, all on a secure and efficient platform. These customers are just a few examples of how Venafi helps its customer base to lower risk by preventing security breaches and avoiding outages, drive efficiency through automation, remain compliant with an ever-evolving regulatory environment and future-proof their organization for a post-quantum world. Now on to my favorite part of this combination. Those of you who know CyberArk know that we place great emphasis on our culture and being the best security partner for our customers and partners. We also take pride in our track record as having pioneered the privileged access management space, which has become a critical layer of security and identity security today. When we first started talking with Venafi, the similarities between our companies became clear immediately. As the pioneer in machine identity management, Venafi also created a market. Venafi shares an unwavering commitment to delivering customers an outstanding customer experience. Their culture of innovation has driven them to deliver the first true multi-tenant machine identity management platform to the market. They are also always thinking ahead and have recognized the need customers have to be ready with the seismic shift that will be caused in the post-quantum world. Venafi has built amazing relationships with the CISO and security teams while delivering solutions that remain developer-friendly and empower, not inhibit, the value developers bring to their organization. 
Together, we share a security-first approach with a deep rooted focus on delivering solutions with powerful, best-in-class security and controls. Most importantly, the customer is at the center of everything Venafi does which aligns directly to our core value of customer first. While the deal is not closed, I want to welcome the Venafi team to CyberArk. This acquisition is just as much about the people as it is about the technology and we're looking forward to having Venafi join the CyberArk team. With that, I'll hand the call over to Josh to discuss the acquisition in a bit more detail.
Joshua Siegel
Thanks, Matt. I couldn't agree more and really share your excitement to have the Venafi team join us. Under the terms of the definitive agreement, CyberArk will acquire Venafi for approximately $1.54 billion, comprised of $1 billion in cash and the remainder in CyberArk shares. We expect the acquisition to close in the second half of 2024. The closing and signing -- the closing and timing are still subject to required regulatory approvals and some standard closing conditions. In addition to the strategic technology and culture fit that Matt talked about, we are also excited by the strong growth potential, their durable recurring revenue business model and their profitability and cash flow profile. Post closing, we expect Venafi to be accretive immediately to margins, including gross margin, operating margin and cash flow margins. We will update our 2024 guidance for Venafi only after the transaction closes later this year. In the meantime, we remain confident in our full year guidance on a stand-alone basis that we provided earlier this month on May 2. We did want to provide some context on Venafi's business at a few modeling points. Venafi has approximately $150 million in annual recurring revenue with more than 550 customers. This ARR is comprised of self-hosted subscription customers and SaaS. It is important to note that Venafi launched their SaaS platform last year and the SaaS portion of their ARR already represents more than 10% of their total ARR and is showing strong momentum, growing faster than 100% year-on-year. Venafi has very strong retention rates and they sell into large enterprises, as Matt mentioned. In fact, they have approximately 340 customers with over $100,000 in ARR and about 90 customers who pay them over $500,000 in annual recurring revenue. Like CyberArk, approximately 95% of Venafi's revenue is recurring, adding to our durable subscription revenue model.
As you can see, Venafi adds further scale to our recurring revenue business and another engine to expand our margins. We expect to see meaningful revenue synergies by cross-selling complementary solutions to our existing customer base and acquiring new logos. Matt already mentioned Venafi and CyberArk both have deep relationship with CISOs in large enterprise organizations, which gives us a clear line of sight to deliver against these synergies. With the amazing platform selling motion, we have built driving land -- we have built driving land and expand across our solutions, we believe we are strongly positioned to leverage our quota carriers, our channel and our marketing engine to cross-sell their solutions and land new logos. Lastly, 40% of CyberArk's business is outside the Americas. That's compared with Venafi's 25%, which provides us a great opportunity to drive growth also geographically. We also wanted to talk a bit about our strong track record of integrating acquisitions and driving value to shareholders. The 3 guiding principles of our M&A have always been: strategy, technology and culture. We pursue high-quality technology in terms of code and architecture and strong teams with cultural alignment. Strategically, we are laser-focused on expanding our leadership position in identity security and any acquisition has to fit within our vision. As Matt just talked about, Venafi checks all the boxes. They are an amazing fit. We wanted to highlight Idaptive, for an example, which we acquired in May of 2020 as a great example of how we pursue and execute M&A. As a growing leader in the access management space, Idaptive was known prior to its acquisition for developing successful single sign-on, multifactor authentication and other tools to effectively manage workforce, consumer and machine identities comprehensively. The transaction effectively served as the launch point of our identity security strategy. 
Importantly, it was also a strategic enabler for our SaaS and subscription transition, bringing critical mass, know-how and momentum. In terms of tangible value creation, our workforce identity pillar is now about 15% of our subscription ARR and has one of the fastest growing rates. Clearly, it is hard to overstate the importance of our Idaptive acquisition as the foundation for how we are reimagining workforce identity today. Even keeping that in mind though, we see even more upside with Venafi, combining our capabilities with Venafi positions us to scale machine identity security and be the runaway leader in that market. As I summarize the Venafi deal, I want to reiterate 3 key takeaways from my discussion. First, Venafi brings scale with $150 million in ARR and a strong base of recurring revenue. We also see the potential for great top line synergies with our go-to-market engine and platform selling motion. Second, Venafi is aligned with our vision of delivering profitable growth as we expect it to be accretive to margins and cash flow immediately. And third, Venafi expands our total addressable market by $10 billion to $60 billion, which is triple from what it was just 3 years ago. We are only just getting started and have a long runway for growth. With that, I want to hand the call over back to the operator for Q&A. Operator?
Operator
[Operator Instructions] Our first question comes from Saket Kalia from Barclays.
Saket Kalia
Congrats on the deal. Matt, I'd love to start with you and just to dig a little deeper into the potential revenue synergies here. Can you just maybe touch on -- I mean you talked about some great customer logos there with Venafi. Can you talk about any customer overlap, if any? And then also related to that, you talked about the channel opportunity. Can you just talk through that sort of what Venafi brings, of course, what CyberArk brings? And how you envision those 2 kind of coming together for something even more?
Matthew Cohen
Yes. Great question. And it's actually the thing I'm most excited about here from the perspective of the revenue synergy and the opportunity for growth here. Clearly, they offer us a great bottom line and really strong profit margin and cash flow from day 1. But for me, when I looked at the strategic opportunity here, it really was this inflection point first on the -- on the machine identity landscape. So we see this moment in time as a particularly important point inflection in what it means to secure machine identities as we hit on -- as machine identities proliferate at the rate they do, we need to swoop in and help enterprises secure. Now Venafi has done a really nice job, and they've built up a strong business, $150 million of ARR. But the reach of the CyberArk go-to-market team is one of the big leverage points that we have here, the relationships that we have. So we mentioned they have 550 customers. There's a couple hundred of those that are overlapped. So there's a couple of hundred today that own both our solutions. Now think about the 8,800 customers that we have and our ability to be able to bring this solution into that customer base. When we went off and analyzed that customer base, we were a little surprised to find that so many of them did not have an enterprise machine identity management tool. In fact, over 60% of them were still doing things the old way, spreadsheets, point solutions. And so the big [indiscernible] and let them go to market, let them bring an industry-leading tool to market from day 1. And we see this as a big driver of our growth opportunity going forward. To your second part, Venafi, again, as strong as they are, has not had a large contribution from the channel. They've been doing most of it direct.
Our channel partners, as you know, are very committed to their CyberArk business, and we believe that actually giving us into the bag of the sellers from the channel as well will have an equal effect in terms of driving exponential growth for us. So the possibilities here really are remarkable, and that's what got us so excited to be able to bring Venafi's offerings into the CyberArk team.
Saket Kalia
Got it. That makes a ton of sense, and that's some really interesting sort of open space in your customer base. Josh, maybe for the other side of that coin, just on expense synergies, it seems like Venafi is bringing some really solid margins just off the bat. And of course, it's still early as we wait for the deal close. But how do you sort of broad brush, think about any sort of opportunities for expense or margin synergies here as well?
Joshua Siegel
Yes. Thanks, Saket. And actually, as you said, on day 1, we expect it to be accretive, and they've actually built a really nice business model around the $150 million ARR. And we're going to really focus on what Matt just talked about on really driving the synergies on the revenue side, and we see that that's the greenfield opportunity, and that's -- and that's the growth opportunity. And we'll think about expenses after they're on board, and we see what's going on. But for the first part, we're going to be focused on those revenue synergies because that we see is going to happen right off the bat.
Operator
Next question comes from Jonathan Ho from William Blair.
Jonathan Ho
Let me echo the congratulations on the acquisition. From a platform perspective, how does Venafi maybe help you to become more strategic to your customers? And how do you think about the ability to drive that broader platform just as a starting point?
Matthew Cohen
Jonathan, thanks. So listen, I think what we've been pushing, as you know and really seeing market momentum around is our overall identity security vision. And we've always talked to customers at the C-suite level about the need to secure both human and machine. And I think we -- you've seen us really expand across the human remit or the spectrum of identities well over the last couple of years when we move from securing IT over to the workforce, with the Idaptive acquisition and then over to developer communities on the human side with our Secure Cloud Access. So I think customers have really started to trust us in our identity security platform vision. What this allows us to do is really build out the machine side of that identity spectrum and make sure that we're not just approaching one very critical and important area, which is secret, but actually can offer for them an end-to-end machine identity security platform. And as we build that out and be able to offer that in the market, I think we're even more credible in our talk track around human and machine and really being the provider of choice as they consolidate down for their identity security footprint. And we talked a lot about in the past, this idea of consolidation of trust. Our customers trust us. And we believe that with Venafi, that will just add into our ability to be able to win the battles of consolidation.
Jonathan Ho
Perfect. Perfect. And then just for Josh. In terms of the SaaS versus the term-based license revenue, you've given us sort of the growth rate on the SaaS side, and I'm sure you'll provide more detail in terms of the modeling, but just wanted to understand what the dynamics are there? Are you seeing term license customers convert to SaaS? Are you seeing sort of the new logos mainly signed are SaaS? Just trying to understand how to think about that going forward.
Joshua Siegel
Yes. So as we talked about already, first of all, the SaaS is the fast-growing part of the business growing at -- currently at over 100%. But they are also still growing their installed base on the subscription piece -- on the [indiscernible] subscription piece. I think going forward, as we certainly will be following kind of the same strategy as we're doing with CyberArk, which will be lead with SaaS and expect the majority of new logos to be -- to go into our SaaS environment. As Matt talked about in his prepared remarks, one of the things that we're super excited about is their multi-tenant, very modern release platform for their managing the machine identities, which really puts us ahead of the market in this area. So we do see that being the fastest-growing piece. But at the same time, we'll see a long tail and a continued existence of their subscription platform.
Matthew Cohen
Maybe just one add for me on top of that. I think as Josh said, there is this really strong base of customers. And similar to the CyberArk story, we started to see when we dug in that those customers were purchasing new modules from the SaaS platform. And I think that's what maybe something we should describe a little bit further around the Venafi platform story itself. One aspect of it is their modernization from the ground up, purpose-built SaaS version of their TLS Protect product. That's their traditional certificate life cycle management product. But they've also invested in new modules for managing the life cycle and certificates around Kubernetes environment around the modern cloud workloads. And so they have a follow-on or add-on sales that are SaaS only, similar again to the CyberArk approach. So we see this in a playing out in a similar manner to how CyberArk has kind of played out. We'll look to convert customers over time. We won't force the conversion because we still see them as a prime opportunity to sell our solutions into.
Operator
Our next question comes from Shaul Eyal from TD Cowen.
Shaul Eyal
Congrats guys on the transaction. Two quick questions on my end. Matt, just curious if the acquisition was approved unanimously by both boards? And maybe one for Josh, any impact to the timing of the SaaS model transition or pretty much intact?
Matthew Cohen
So from a Board perspective, yes. I mean, I spent a lot of time with my Board, obviously, directly, and they couldn't be more behind the acquisition and I think both sides are fully supportive here. We had a great diligence process actually where we got to know each other from both sides, and we feel really well, really strongly about the support we got from both sides. And then Josh?
Joshua Siegel
Yes, I think so. On the SaaS transition, I think it's kind of what Matt was -- just mentioned. This is going to be very much in line with how CyberArk has been moving and being SaaS-first on its transition, and we expect this to really, in a lot of ways, accelerate our SaaS -- our opportunities for selling SaaS into the identity security marketplace. So I think this is all good news for CyberArk.
Operator
Question comes from Fatima Boolani from Citi.
Fatima Boolani
Matt, I wanted to talk to you about the evangelical nature of this market. You gave a lot of examples with regards to the conversations you're having with customers around how critical this end-to-end management of machine identities are from providence to deployment. And so in the context of Venafi being $150 million in ARR, I wanted to better understand what you're going to be bringing to the table to really take that evangelical or educational [indiscernible]. And I think you gave a couple of examples with regards to your go-to-market engine. But if you could just spend a little bit more time on that, just kind of given the scale of the business and the enormity of the problem seems a little bit disconnected. And then a quick follow-up for Josh, if I may.
Matthew Cohen
Yes, sure. No, it's a really good question, and it's one that we've studied deeply. And that's why I keep using this term inflection point in machine identity security. I think there has been, in the past, the need to try to convince people that this was a problem. And a lot of times security had abdicated that problem, and they've left it to the developer -- DevOps groups to kind of make decisions on their own. I think a couple of things have happened over the last 2, 3 years that have started to accelerate the time line. At one level, the threat landscape has increased at such a quick vector where machine identity are actually a target in the attack landscape, actually, a significant target and a cause of several of the most recent, most prominent breaches. So I think that starts to wake security up, if you will, to the idea that they need to get involved. I think the second thing is the thing we've been hitting around, the regulatory and kind of overall controls environment. When you -- I brought up the example of the certificate life cycle management time line, not because necessarily it's the most important one, but it's an easy one to grasp. It used to be that you could put out your certificates and they could have a time line of not months or days, but years. And they just would kind of go out there and you manage them through spreadsheets and you rotate them when a need arose. And right now, under this regulatory environment and under the need to actually secure with these protocols, again, Google is trying to drive that down to a 90-day cycle. How in the world if you have hundreds of thousands of certificates, could you manage them through, for example, spreadsheets or a manual process when you're trying to monitor or manage something that big. And a lot of times, organizations don't even know how many machine identities are out there, which brings up the importance of discovery as part of the life cycle here.
So I'm trying to paint a picture here that I think we are at a moment that actually is this inflection point. It's brought on by these forces that are around us. And I'll tell you that it's validated day in and day out when we meet with customers. It used to be that I start the meeting with customers, and I go through everything [ I said ], I want to talk to you about our machine identity security vision. And now the customers are leading it with us, the security teams are saying, tell us about your machine identity security vision. Tell us what you can do for us. And frankly, they've been asking us to do more than just secrets. And this brings together the ability then for us to look out, find Venafi, be so impressed with what we found and make the acquisition we made today.
Fatima Boolani
analystI appreciate that, Matt. Josh, very quickly for you. When I look at the financial targets that you've put out vis-a-vis annual recurring revenue for CyberArk stand-alone, CyberArk proper at $1.1 billion plus in 2025 and $1.6 billion plus by 2027, how should we think directionally about Venafi's folding into the model? Should we think of this as being entirely additive to that, i.e., were these existing targets sort of organic and this will be additive on top of that? Or was this considered?
Joshua Siegel
executiveYes, absolutely, Fatima, thanks for that question. And absolutely, we view this as incremental and one of the things we really tried to talk about earlier is that this is completely complementary to CyberArk's current market, adding another $10 million to our existing $50 billion market. And we view the existing ARR and the growth that we expect to get from them as additive and incremental to our own stand-alone model.
Matthew Cohen
executiveAnd I think you know we've said this and I think every call, we'll say it again. That stand-alone model, we remain strongly confident in that $1.1 billion plus in 2025 and the $1.6 billion plus in 2027. We feel very strong about that model stand-alone. And as Josh just said, this is truly incremental to that.
Operator
operatorOur next question comes from Rob Owens from Piper Sandler.
Unknown Analyst
analystThis is Ethan on for Rob this morning. Matt, I want to ask, do you think this acquisition fully builds out your machine identity capabilities? Or is there more functionality in use cases that you'll need to develop over time to fully capture this $10 billion opportunity you spoke to earlier?
Matthew Cohen
executiveYes, great question. Listen, I think this gives us the leading position. Clearly, the biggest business, when you combine the 2 together, a real anchor or a foundation point for us in the market. I think this is an area where it is continuing to innovate, and we're going to need to continue to innovate, and we're excited about that. I think there's areas here around preparation and really, what do you do in a post-quantum world that we continue to invest in. And Venafi has actually been investing in their innovation engine. I think there's areas around workload identity and some of the emerging space there, where, again, Venafi has been investing and thinking about, and we think we can develop -- continue to develop, augment or complement to the solutions we have. So I don't think this is the end point for us. I mean, I think we will continue to innovate here, of course. But this gives us the biggest reach to get started and a place where our customers can trust us that we can be their machine identity security provider of choice for years to come.
Operator
operatorOur next question comes from John DiFucci from Guggenheim Securities.
John DiFucci
analystAnd it's sort of a, I don't know, a big picture question. And well, listen, I've always thought really highly of Venafi's opportunity but it never really seemed to fulfill its promise in terms of overall growth. And everything you guys have said makes a lot of sense as far as having greater go-to-market scale. But I'm just curious, as you've probably thought about this when you were thinking about acquiring Venafi, was there something else? Was the market just not ready now or it's -- now it is or now it's closed, which is I think, Matt, what you said in response to Fatima's question, or is it rather that Venafi from a product perspective, just wasn't a company. I mean and listen, they've accomplished a lot of $150 million in ARR, that's great. But obviously, they're selling. So they think they're going to be better off with you than independents. So is Venafi more a component of a platform, and that's why this makes even more sense?
Matthew Cohen
executiveYes, it's -- Listen, I think Venafi has been really strong in creating the market, and they did a great job of kind of pioneering the path forward. I think there are 3 things that have occurred that make us optimistic that this is the point of scale. One is, as I mentioned, the dynamics in the market itself around machine identity, the proliferation, the complexity, the need to do something different. I think the second thing is the SaaS platform and the evolution of the capability that they've been able to innovate on over the last couple of years. When we dug into it, we were so impressed by what they had done in terms of rebuilding from scratch their SaaS offering and SaaS platform. And then the third thing is they didn't quite have the scale to be able to capture the market opportunity. We bring 10x the number of sellers into the market when it goes into the CyberArk bag. We bring exponential increase in channel partner participation. And then maybe, as you said, more importantly, we bring it linked to an identity security platform and directly linked to a secrets management solution that actually allows customers to understand the possibilities of what they can do with CyberArk. So I think your question is spot on. I absolutely think your conclusion at the end is the most important piece, which is bringing it forth as one integrated platform in a market that is inflecting with a better go-to-market engine and sales engine or a figure, I should say, go-to-market and sales engine and a more modern SaaS platform. We just believe we can blow it out. And this is the time where this market can really take off. And it's good for Venafi because they've invested a lot of sweat and tears into this market, and it's really good for us.
John DiFucci
analystThat all makes sense, Matt. But the second point you made there, the SaaS platform, that's really interesting, and that's great to hear. But do we -- should we expect that this is going to be one integrated platform over time because, obviously, it's not right now?
Matthew Cohen
executiveYes. I think you should expect that our -- in the short term, our machine identity kind of convergence will happen with our secret solution and the machine identity management solution from Venafi, and absolutely, we will continue to work to bring these solutions together to make sure we can solve all the use cases, as I always describe from a centralized platform. So it takes time to build things out over time. But for sure, we think that their solutions and that's the way they built their SaaS is future-proofed and ready to go.
Operator
operatorOur next question comes from Adam Borg.
Adam Borg
analystAwesome. Maybe for Matt, what I found interesting was the press release and even the call talked about post-quantum security, something I really haven't heard CyberArk talk much about in the past. So maybe you could talk more about that and how Venafi help in this regard.
Matthew Cohen
executiveYes. Listen, I think there's very complex ways of describing it that have been described to me and then there's pretty simple ones. And I think one simple way to think about it is that in a post-quantum world, certificates themselves will be decrypted pretty easily, pretty fast. And in that world, you, a, need to be able to have a better and better approach, but you also need to be able to rotate immediately upon any type of interference or breach. And so as the attack vector changes, like we keep talking about, and quantum comes to play for the bad actors, for the bad guys, we need to be able to respond. One way we respond is by knowing every certificate that's out there and that we can quickly manage them, rotate them, reissue them and make sure that we're protecting the entire organization. We could talk post quantum for probably a lot longer off the call, but that's kind of a short answer there.
Adam Borg
analystThanks so much. Looking forward to catching up tomorrow.
Operator
operatorOur next question comes from Eric Heath from KeyBanc Capital Markets.
Eric Heath
analystSo one for Matt, one for Josh. So Matt, so understand Venafi of course, leader in the certificate life cycle management market, but there are other vendors out there that are much smaller. So curious, if you considered some of the smaller vendors and what ultimately led you to go with Venafi? And then if I could, for Josh, just curious if you can give us some insight into what's been the trajectory of Venafi's growth. I would have thought it would have been a little bit larger than the $150 million you're noting today? And just any context we can get on how we should think about ARR exiting 2024? I know you're not changing your guidance, but maybe what the current plan is for Venafi stand-alone?
Matthew Cohen
executiveSure. So listen, we obviously looked at everybody in the market to try to understand the landscape. We looked at -- people have been there for a while. We looked at startups in the space. And as I kind of mentioned, we came away tremendously impressed by Venafi's offering. Now you add to that, Venafi's culture, their market-leading position, the ability to be able to put it in our bags from day 1. Those are all great things. But if you just go into a technology compare situation, we found their SaaS platform and their SaaS offering to be native, to be built from the ground up, to be multi-tenant to be scalable and expandable. And we just -- we were really impressed with what they've done for their core life cycle management offering and then also how they were innovating in new areas around Kubernetes and around modern workloads and modern -- and modern cloud environments. So I would tell you that we strongly believe that it is the market leader from yesterday and tomorrow and that we think it's the best thing to bring to market. We also were excited by the scale. It's not often that you can acquire the market leader from a technology perspective and also have the scale that Venafi has, not only on size but particularly on profitability and cash flow. And to be able to be accretive from day 1, even after contemplating investment in to drive growth. So this is really a unique situation that we found ourselves in to be able to see a company that really hit ticked, as Josh said, all the boxes. I think from a growth perspective here, Venafi has consistently been growing in the 20% range from an ARR perspective. I think like most small tech companies, cybersecurity companies, the macros hit them a little harder last year. Prior to that, it's certainly 20% growth for most years on out. And as Josh said, we expect to grow this with or beyond CyberArk's growth rates.
So you know what we've put out there for 2025 and 2027, and we're fully expecting it to help support that model and not be a drag in any way.
Operator
operatorOur next question comes from Joshua Tilton from Wolfe Research.
Joshua Tilton
analystMy first one, kind of the dream the dream scenario, but I'm sitting here staring at Microsoft's page for authenticating autonomous agent Copilots. And there's tons of talk about having to secure secrets and certificates. And I'm just trying to understand, is this Copilot opportunity part of this opportunity that you're talking to today? Is it going to be viewed as a machine identity or human identity? Just maybe any thoughts there in terms of the dream the dream scenario that might come before quantum computing?
Matthew Cohen
executiveYes, absolutely. We consider the kind of rise of Copilot, the rise of bots, the rise of the AI technology as one of the exploding factors on the machine identity front. And so whether you're talking about Copilot, whether you're talking about applications built through AI, whether you're talking about some of the code that comes out of the AI engines, all of that needs to be secured. And so Josh, you're exactly on a money point there, which is this is another area that now we can go address with a more holistic full solution. And just like the other waves that we've talked about around machine identity, AI and the securing of AI will be a big opportunity for CyberArk going forward, and this really helps with that. So yes, a great thesis and one I'm excited about.
Joshua Tilton
analystSuper helpful. And then just more of a clarification on the question before me. Did you say a fair assumption is that total ARR was growing 20%, but you guys expect to grow this in line or ahead of CyberArk's ARR growth rate? And then just a follow-up on that one, will you still be able to accelerate growth and keep the Venafi business margin accretive at the same time?
Matthew Cohen
executiveYes and yes, very simply. That's what you heard around the growth rate. And then absolutely, we see the margin profile here as a strong margin profile that we can commit to being accretive to CyberArk's overall margins.
Operator
operatorOur next question comes from [ Angie Sam ] from Morgan Stanley.
Unknown Analyst
analystCongratulations on the deal. So I understand that you guys are currently targeting close in the second half of 2024. Just curious, how long does the management team anticipate that the duration process will take?
Matthew Cohen
executiveI think we said Q3 is anticipated close in that time frame. We don't expect any regulatory issues. But of course, we always have to wait and pending what -- how it goes through that process. But that's what we're anticipating at the moment.
Operator
operatorOur next question comes from Brian Essex from JPMorgan.
Brian Essex
analystCongrats on the transaction. Just a quick question on the balance sheet. It looks like that -- given the dynamics that you've announced for the deal and the cash that you have on the balance sheet with, I believe, it convert maturing later this year, maybe, Josh, can you talk about how tight this -- I guess, your comfort level with the cash situation on the balance sheet is and how you plan to manage it? And that's my only question.
Joshua Siegel
executiveYes. Brian, thanks. So yes, we anticipate using the cash from the balance sheet. As you said, we have it going to the end of the year, but we're well into the money and expect to convert with shares. And as you also know, we've been cash flow positive this year and have guided on a stand-alone basis to be very cash flow positive through December, in fact, raised our guidance on the cash flow. So we're comfortable of being able to secure this transaction with the cash on our balance sheet.
Operator
operatorOur next question comes from Andrew Nowinski from Wells Fargo.
Andrew Nowinski
analystCongrats on the acquisition. I just had one question also. I think you talked about how machine identities outnumbers human identities, that I think, a 10:1 ratio. But what is the pricing ratio of machine identities relative to human identities? Meaning, are you pricing human identities 10x the price of 1 machine identity? Or how are you thinking about that?
Matthew Cohen
executiveYes. Sure. Thanks. So first of all, the stat we gave out is 40:1. That's what we've kind of been talking about in the market. And I think that just continues to exponentially increase, especially with some of the factors we talked about today like AI and cloud computing and other areas. From a pricing model, it's a little bit different how the different component parts of machine identity price. Sometimes you're pricing based upon applications, sometimes you're pricing based upon component parts of the data center, containers, areas there. Sometimes you're pricing based upon the sheer number of certificates. So I think we'll come back to you a little bit with how this washes out from a common price perspective. But a way to think about it is, obviously, it's a lower price per unit than you would, for example, on a -- on a PAM fee for securing IT. So lower price per unit. But overall deal sizes here, you've heard us talk about this before, are 1.5x to 2x the size of, for example, a PAM deal, similar and a little bit bigger than the size of a workforce deal. And that should give some context around the opportunity per customer. I think Josh highlighted that Venafi even in the size they were, the number of greater than 500,000 ARR accounts that they had, which I think was 90. So they're able to drive up a pretty nice relationship with customers, just on the piece of the portfolio that they were selling. And so I think it speaks to the opportunity we have within our base to be able to drive that number up further.
Operator
operatorOur next question comes from Rudy Kessinger from D.A. Davidson.
Rudy Kessinger
analystMaybe another kind of revenue synergies question. I know last year, at IMPACT at the investor session, you said 31% of your customers, 31% penetration rate with sequence management. And based on what you just said, Josh, 1.5 to 2x deal size is PAM. It would seem to suggest that your existing footprints with those existing customers and secrets is relatively small. And so with this deal, with the incremental capabilities from Venafi, what's the plan of attack, I guess, with the existing customers where you already have a small footprint on secrets to get it more broadly rolled out across their business.
Matthew Cohen
executiveThanks, Rudy. I think we have seen and even in the last couple of quarters, and you've kind of heard me talk about this independent at Venafi that the secrets management business has started to take off. And it generally is a cross-sell into our base or a co-sell alongside of a new PAMC. And what we see is that more and more security teams are participating in the buying decision on the secret side. Now the interesting comparison here between secrets and Venafi and the certificate life cycle management is in the secret side, it was for many years, a decision that was being made by developers and DevOps. They might have used some open source vaults or native vaults. And we've had to bring security into the conversation as part of the buying decision. In the Venafi world, the security team has always been part of the buying decision. So the CISO, the CIO, it's part of their remit to understand what to do around certificate life cycle management and even PKI in other areas. And so we -- the Venafi team actually has a deeper foothold in the accounts they are in around the relationship with the CISO and the CIO around machine identities. So that brings it all back to the question, our opportunity to cross-sell not only the Venafi solutions to our base, but to combine the Venafi solutions with the secrets solution and sell it together now as a compelling combined offering really, really is an opportunity for us. It's an extra layer of revenue synergies that we see. And again, you can hear it in my voice, why I'm so confident in the growth potential of Venafi as a part of the CyberArk engine.
Rudy Kessinger
analystGot it. Great. That's it for me. Congrats again on the deal.
Operator
operatorWe have reached the end of our Q&A session. I'd now like to hand over the call to Matt Cohen, CEO. Thank you.
Matthew Cohen
executiveThanks, everybody, for joining the call and joining the call on very short notice. With this acquisition, our customers will be able to vastly improve machine identity security. They'll be able to prevent misuse and compromise the machine identities and stop costly outages. Venafi has done an amazing job delivering value to its customers. Together, we are well positioned to address a broad spectrum of mission-critical security requirements and more use cases. I want to welcome the Venafi team to the CyberArk team, and we look forward to talking with all of you soon, including at my keynote session tomorrow morning. Take care.
Operator
operatorThank you for attending today's call. We hope you have a wonderful day. You may now disconnect.