CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Well, good morning, everybody. Thank you for joining us on our second day at Morgan Stanley TMT Conference. My name is Hamza, and with me, I have the pleasure of having the team from CyberArk. We've got Matt Cohen, CEO of CyberArk as well as Erica Smith, the CFO. Before we begin, just a brief disclosure on my end. For important disclosures, please see the Morgan Stanley research disclosures website at www.morganstanley.com/researchdisclosures. With that, Matt, Erica, thank you so much for joining us.

Thanks for having us.

Thanks, Hamza.

Great. Matt, I'll start off with you. Identity security seems like it's never been more important. 80% of breaches occur because of mismanaged credentials. Just give us a sense of the priority level on identity security broadly -- and then we can maybe go into some other topics.

Sure. I mean I think you gave that statistic. It hammers home the point that whether it's nation states, attackers, whether it's the cyber-criminal syndicates. Ultimately, when they're going into organizations, the place they're trying to find their way to is an identity. You can go through the firewalls, you can go through the perimeter and ultimately, you get to an identity. And it's the identity itself and these kind of proliferating credentials that are out there that ultimately hands over the access to infrastructure, data systems of an organization, which allows them to execute ransomware, which allows them to be able to exfiltrate data. And so identity is at the center of the attack vector at the moment and that's juxtaposed with the idea that the identities themselves are proliferating, not only the sheer number of human identities in our digital credentials, secrets and passwords, but also the sheer number of machine identities that are out there, whether it be devices or bots or workloads or other areas I'm sure we'll talk about. So when you combine this kind of threat landscape where they're going after identities with the sheer number, it becomes a core problem that cybersecurity teams need to solve, and it's at the forefront of how teams are spending their money today, which is a testament to the opportunity we have.

Yes. And it really feels like we're reaching a tipping point in the market, particularly as it relates to machine identities or nonhuman identities that sometimes they're referred to as well. You were pretty early on making an investment in the machine identity space with Venafi. But maybe talk a little bit about why you think machine identity has become an important topic and how that relates to AI?

Sure. So for a long time, machine identities were kind of seen as the afterthought, but let's get control over our human identities. That's where the risk is. And we'll let machine identities kind of play out within the environment that they're used to. For example, developers as they develop new applications and new pieces of code, we'll let the developers figure out how to secure that maybe with local vaults or local secret stores. What's happened is as the sheer number of machines has kind of taken off as cloud computing actually changed the game in terms of how easy it was to create applications. As IoT devices and OT environments took off and you had just a sheer exponential number of overall devices and infrastructure. What's happened is that machine landscape has been a primary target of these threat actors of these adversaries that I was talking about and security is finding out all of a sudden that they have no controls in place. So while they spent decades putting in place controls for the human population, they've allowed the machine space to kind of be the Wild West. And now they're trying to jump in and figure out what to do. And in that machine space where there's all these different variety of machines, there's also different ways that those machines authenticate. It can be a certificate. It can be a key. It can be a secret and they need to get control across all of that. And that brings an opportunity for the CISO and security teams to meet the developers where they are and help create a generalized enterprise security strategy. That's where CyberArk comes in. Now that amplifies in the age of AI because AI: one, makes developers more productive, thus creating more cloud workloads, thus creating more machine identities, thus creating more security risk. And then the AI agents themselves or copilot accounts, custom GPTs, they need to be secured as identities in and of themselves, which just creates a huge opportunity in the machine identity space, the nonhuman identity space whatever you want to call it, for an enterprise security platform, which is what CyberArk offers.

Yes. And I think it's also appropriate today because we were seeing this reduction in seats in general, and there's a lot of concerns around that in enterprise software. This gives you another vector, if you will, in terms of monetization. I think recently, you've been quoted saying machine identity could be even a bigger opportunity than human identity. And so what's kind of driving that?

Yes. Think about it for a second here. On the human side, we actually can count the humans. We know how many people work at an enterprise. Actually, some of the risk case areas in third parties or in vendor relationships where we can't count them as easily. And ultimately, it becomes a strategy on the human side of understanding entitlements, risk, privilege and putting controls in place. On the machine side, the first step actually is just discovering what machine identities are out there. And that's an actual massive problem for organizations as they try to understand this landscape of, as I said, different machine identities. Once they find those machine identities, they now have to put in place security controls. And those security controls need to be as varied as the machines themselves. The whole point here is where the human world is somewhat constrained, constrained by employee accounts, constrained by entitlements against those employee accounts, the machine world is completely unconstrained and it's exploding. And as it explodes, the security needs also explode. And so even if an organization is reducing workforce, taking down the number of humans, in turn, exponential number of machine identities are going to rise up and need to be secured, which again makes the opportunity even greater. So we do think that down the road, not today, but down the road, the ability to be able to secure machine identities just because of the sheer volume will actually be a bigger piece of the pie.

And just one more follow-up to that and then I would love to bring Erica into the conversation. But so 2025 it seems like the year of AI agents. And if you just think about it conceptually, every agent should have an identity and that's going to require security, which is where CyberArk comes in. I guess the question really is an AI agent, is it a machine? Is it more like a human because it can kind of behave in nondeterministic ways. And why is CyberArk best positioned to protect that?

It's a great question. And actually, in the question is a little bit of the answer as to the why CyberArk. So when you think about an AI agent, they're going to operate at the scale of machines, meaning there's going to be thousands, millions, eventually billions of agents running around. And in order to be able to understand how to discover and secure them, you need to understand the machine world, the machine scope, the exponential nature, the need to be able to automate life cycle and controls, the need to be able to automate the access and the granting of privileges. So there's a machine identity problem under the covers of AI agents. But ultimately, what are those AI agents doing if they're operating the way we envision the way a lot of the vendors here at the conference are talking about it, they're operating on behalf of or instead of humans. And so you need to be able to secure their access as if they're humans, they're going to be accessing critical data infrastructure and systems. They're going to be wanting to grant themselves more privileges. Have you ever met a human who didn't want more access? The agents are going to want more access, and you're going to have to be monitoring and watching their sessions in an even more structured way than you do with the humans. So the solution for securing agents is both a machine scale problem and a human use case problem and the platform needs to be able to provide both in order to be able to actually enterprise-level scale for these agents. And so this opportunity is just getting started. When we talk about the CyberArk opportunity, which I'm sure you're going to talk about, we haven't built it into our guide or into our outlook. But I think you're going to see this population of identities become a primary population and one that can only be solved with a true identity security platform like CyberArk.

Maybe to ask a question on the platform. So going back to identity security. You could argue it's probably going to be the largest market in cybersecurity in a few years. Today, you've got pretty large companies, platform companies in network and endpoint that are $50 billion to $100 billion in market cap. In identity today, you don't have that. It seems like CyberArk is really aiming for that. There's been different swim lanes in the identity market, Privileged Access Management, which is where you started and then now identity governance and workforce, which are areas that you're present in as well. One of the things that's really stood out to me since you joined as CEO, is really accelerating the vision towards actually becoming this platform. So maybe walk me through your vision for CyberArk as becoming the Identity platform and where you kind of see that going?

Sure. I mean our vision starts with a very simple concept. It's our vision statement, which is every identity human and machine secured with the right level of privilege controls. That's our vision. Like the end state where every identity in an organization is secured with the right level of privileged controls, and it's the right level that actually is the call for a platform. In the old world, in the legacy IT environment, you had kind of set number of users that had privileges, normally IT admins, and you had a set number of applications, long-lived systems that sit behind the firewall that needed access protection. In the modern environment of SAP apps of cloud environments of AI agents, everything is incredibly dynamic, and you need to be able to understand what is an identity trying to do, what level of access is required, granting at the least level of privileges dynamically and removing those privileges the minute they stop accessing. In order to solve that problem, you need to be in discovery. You need to be in life cycle management. You need to be in automation, you need to be in governance. You need to be in access and you need to be in PAM. So it's not that we think the swim lane should come together just because we're a good vendor or we have a good platform. The use case that needs to be solved in a modern world is a use case that combines identity governance and administration, IGA, access, it combines PAM, by the way, it combines machine identity management and machine identity security because you can't solve the problems if it's not integrated into an integral platform.

And imagine having the trust of the CISO as a PAM provider also gives you a good sort of offboard.

Yes, I mean we're very proud of that. Like when you think about PAM, which at one point, everyone thought it was like this niche area of security, but it was the most secure area of security. And that teaches us how to have a security-first DNA from day 1, from the moment Udi founded the company, day 1, security was everything. Now bring that mindset, that DNA to solve the world's security problems. It's a more effective way to build trust with our customers than other vendors that are coming at it from more an efficiency play, trying to prove that now they're a security company.

Erica. So you recently had an Analyst Day last week. Sorry, I couldn't be there. You gave a target of $2.3 billion in ARR by 2028. So I think it was just under 20% ARR CAGR. Walk me through your thinking around giving that target because you do guide conservative historically. And when we think about the composition of that $2.3 billion of ARR, what does that look like between PAM versus non-PAM?

Yes. So it's a great question. And I think when we approach the guidance, I think what you see in that guidance is a lot of the enthusiasm you just heard Matt talk about, but it also incorporates the fact that we still believe there's a long runway for growth on that human identity side as well. So it's -- while we're incredibly excited about machines, we also have the PAM use cases, which sit in that IT in the developer persona we talk a lot about and then the workforce side, where we're truly differentiated. And so when you look at our composition of that net new ARR, we're assuming a roughly 10% growth of net new ARR, which is a bit of a departure from our traditional guidance that where we've guided for flat net new ARR, but it really does exemplify the fact that we are incredibly enthusiastic about both the human and the nonhuman growth that we believe we're going to be able to accomplish. And when you think about the composition of that $2.3 billion, it is just under half that we expect to be coming from the IT and developer persona. And then roughly almost equally split, machines will be a bit bigger on that other 50%. And then the workforce side, which is a combination of both Single Sign-On and MFA as well as our Endpoint Privilege Manager solution. So just to kind of put a wrapper around what that workforce persona looks like. But what that implies is that you've got the IT and developer continuing to grow at very healthy growth rates, which, again, are those PAM use cases. But an acceleration in growth on the machine identity side, which will be faster as well as the workforce side.

Got it. Got it. And then I think on the workforce side, so your Single Sign-On MFA, that recently surpassed $100 million in ARR. Just how do you -- to double-click on what you mentioned, how do you differentiate versus some of the other stand-alone MFAs SSO providers out there?

So listen, I think -- I say it a lot, like multi-factor authentication and Single Sign-On are good basic security controls and they're complete commodity in the market today. So if you want to just implement multifactor authentication and Single Sign-On independently, you get that from Microsoft, and you can get it generally bundled in, and it's fine. What needs to happen on the workforce side, though, is a reimagining of what it means to secure the workforce because, generally speaking, the workforce is now morphing into privileged users. When a workforce user is accessing Workday or Salesforce and they're an admin in that account or maybe they are elevated privilege in that account, they are a privileged user. And we need to make sure that we're securing the general workforce with a lighter form of privileged controls. So it's behind the scenes. So the user still clicks on a Single Sign-On tile to get to their SaaS application, but behind the scenes, we can monitor the session, isolate the session, do things like what's called step-up authentication or session termination. And these are things that actually kind of the providers of normal access management don't provide in their solutions. So we go out and we compete with a more reimagined way of securing the workforce. And we say, if you want just Single Sign-On MFA, you can stay with whatever provider you want. But if you want to wrap on top of that, real security for the workforce. By the way, that also includes Endpoint Privilege Management, which is the idea of removing admin rights and implementing least privilege on your desktop or your endpoint. If you want all of that in a bundle in the package, by the way, for about the same price, as what those others are charging for SSO, MFA, we can bring you on to our platform, and we can secure the workforce. That's what's driven the kind of expansive growth that we've seen on the workforce side is the differentiation versus the competition, not just competing head to head.

Got it. One of the big drivers as well of the longer-term targets is the integration of Venafi, the machine identity provider that you acquired last year. Just curious, how has that integration been going? I think they had a fraction of the go-to-market resources that you did. So just...

Yes. So I mean, Venafi is obviously critical to this vision we have for machine identity as a whole. But it also is an entity that we believe was suboptimized in its ability to be able to capture market share and go out and compete effectively, has amazing technology, like really, really strong native SaaS built layer of solutions around what we call certificate life cycle management or machine identity management. When you combine that into our overall vision for machine identity security, our secrets management solution, our ability to be able to approach in the future of Gen AI, we become the only enterprise scale platform for machine identities overall. Now Venafi itself, as Hamza said, had 20-something sales professionals. We're a factor of 10x more than that at CyberArk. They had a limited investment and really the ability to be able to go outside of their base. They kind of really sold into existing accounts. They weren't that well penetrated because they didn't have that many channel partners, marketing resources to go and grab new logos. So when you bring that great technology and the inflection point that we were talking about around machine identities, into our go-to-market engine, we start to see kind of exponential growth and exponential pipeline build out of the gate. The first 2 quarters have gone really well in terms of building pipeline. It is a 6- to 9-month sales cycle. So you start to see those deals will close end of Q2, Q3, Q4 of our year and really drive into the growth vector that will come up in FY '26. But everything that we went into Venafi hoping we had acquired has kind of proven out to be true or even better. And at the same time, just to talk a little bit about the opportunity itself, the regulations around machines are changing. So when you start to think about this idea of a Google mandate, that certificates have to be rotated every 90 days. And then Apple came out with a mandate of 45 days. Certificates generally were being rotated every 1 or 2 years. So if you have an exponential number of machines and they need to actually rotate credentials on those machines at a fraction of the time, then it becomes an enterprise-grade problem that introduces a huge security challenge for CISOs and CIOs. This becomes the reason of the why now we can go attack it with our go-to-market engine.

And I think one of the things that is underappreciated from an investor perspective is exactly what Matt just said is that we are actually selling in with Venafi to the same buyer. So it is a CIO and CISO purchase. So it's a very familiar sales motion from a CyberArk perspective. We can go into those exact customer and oftentimes, it's the same named person and actually cross-sell Venafi. So there's more synergies there that I'm not sure appreciated between the human side and the Venafi side from a sales motion perspective.

Yes. I mean that sort of answers the next question, but I think one of the things you did early on with the transaction was, look, it's going to be accretive within the first year from a bottom line perspective. But we have historically seen larger acquisitions in cybersecurity and perhaps enterprise software in general had a mixed track record. So in addition to perhaps going after a similar buyer, what other feedback or things that you're seeing gives you comfortability around this integration being successful longer term?

So I think the other thing I would point to in addition to the same buyer is also the ability for us to continue to expand into other geographies, right? So they had a very limited presence when you think about the EMEA and the APJ markets. And so we're also going to be able to consistently sell into those markets because we have a robust engine that's there. And then the thing that Matt mentioned to begin with was the partner ecosystem. We've really done a nice job within CyberArk of building out those partner relationships, and that was something that Venafi hadn't done. And so we're going to be able to leverage that channel sales motion to a much greater degree than they were going to be able to do on their own. It was actually very evident even the first day that we announced the deal. We had a lot of inbounds from our channel partners in the SI say they were incredibly excited about the opportunity to dig deeper into machine identities with the Venafi offering. And so I think that gives us a tremendous amount of confidence as well.

Got it. Got it. So that CyberArk is a dominant player in Privileged Access Management. You built a $100 million plus ARR business in workforce with MFA and SSO. And more recently, you made an acquisition in the identity governance space that you alluded to earlier called Zilla Security, which was interestingly timed, but I thought it was -- yes. But one of the things you talked about was the need for a modern identity governance platform. The identity governance market, something that's been around for a long time. 2/3 of the market, give or take, is still legacy providers. So just curious why you think the combination of Zilla and CyberArk is going to be disruptive to this space?

Sure, sure. Yes. Listen, I think the dominant player in kind of traditional or legacy IGA is SailPoint. And they do a really strong job -- I didn't mention them as legacy by the way, the 2/3 is not SailPoint. Yes, we'll make jokes back and forth. So like they do a really nice job of managing a really, really complex problem, which is how in the world you govern access and entitlements around legacy infrastructure that sits on-prem. It is incredibly hard. Think of the heterogeneous environments that most IT organizations are trying to figure out who has access to, what access do they do? And how do they then report on that from an audit perspective, from a compliance perspective, from a regulatory environment. These projects are really hard, and SailPoint has done a phenomenal job actually working with customers to kind of take control of those environments. Those projects are still ongoing. They kind of keep going because of the complexity. In the meantime, organizations have invested lots of time, lots of effort in building up their modern infrastructure around SaaS applications, around cloud environments. And these SaaS apps, for example, have workforce users who are accessing them, like I talked about earlier, in more and more entitled to privileged ways. And how do we actually get control quickly of those modern environments it needs a little bit of a different approach. It needs to be rapid, quick. We need to be able to get access in, get data out. And then we need to build that in, in an integrated fashion or an integral fashion to the just-in-time access requirements, meaning not just know who has access to what, but actually broker and grant that access. So combine those 2 things together. And what Zilla offered us and why we were so impressed with them is a modern stack, a SaaS-first application or solution that allows you to be able to do user access reviews and provisioning for the modern environment for SaaS apps or cloud environment and for a few essential on-prem core components of the IT stack. And then we can build that together with our just-in-time access with our zero standing privilege approach to make sure that in these modern areas, we not only know who has access to what, but we're brokering and granting that access in the right way, in a least privileged way. It's a Boston-based company. It's local to where we are. The founder of the company was actually the kind of founder of the IGA space many years ago. So he understands the unsolved problems, Deepak. And so we think the combination together allows us to build another element into our platform. We are not going to go in and rip and replace a bunch of really highly useful SailPoint implementations at enterprise customers. But we believe that we can live side-by-side with them and some customers, and as you move down market, where people want to start with the problem of the modern estate, the modern infrastructure, we can get started with our Zilla Security solution.

Looking forward to the traction there. Maybe just one question, then I'd love to open up to the audience for Q&A. There was recently a security incident with one of your larger competitors in the Privileged Access Management space, the U.S. Treasury Department was the entity that was hacked. Just curious what type of pipeline you've been seeing as a result of that?

Like these hacks in general, equal conversations, they equal awareness, they equal a building, as you said, of overtime strategies to replace for -- to augment what's being done. So first of all, like they don't equal deals in a quarter, they don't equal deals right away. What we are seeing is that companies are looking for a more comprehensive robust solution to solve the whole identity security problem. There are 2 issues with what happened in the recent Treasury hack. One is, it was an API key that was leveraged and used. And API key, by the way, is another type of machine identity. That's why we say there's so many of them. So they're looking for a platform that actually can secure that API key. And then obviously, they're looking for a vendor they can trust to not put an API key in harm's way the way it was put into play. So between those 2 factors, it enters into an area where we can have competitive conversations about what we would have done differently and how we can be the full stop identity security provider. It's a nice builder of pipeline. And over time, we believe that we were on the path to win those deals anyways.

Got it. Any questions from the audience? Just raise your hand, mic will come to you. All right. Maybe sticking on the federal side. Obviously, a lot of changes with this new administration, curious at high level, what is CyberArk exposure to U.S. Federal to the extent that you can share? And if you've seen any changes regarding buyer behavior and pipeline?

So I can start with the composition of our ARR. So roughly 10% of our ARR comes from global government, which also includes EMEA, a lot of the markets in APJ, like Australia and Singapore. When you break that down, it's less than 5% of our ARR comes out of U.S. federal. It's always been a nice contributor to our business. A lot of that comes on the commercial agency side or the -- where we've got a broad diversification of the agencies. So we're not very concentrated within any one agency. So that 5% is pretty broadly dispersed. And when we look at the renewal base that's coming up for renewals, within that. We haven't seen any change in the renewal behavior to date given what we've seen with DOGE. Like if you think about most of the business that we have there comes from privileged access and even when you're going into or you're laying off or you may be reducing your headcount, your IT professionals and those professionals that have the most privileged access tend to be the last in any organization, whether it be a federal agency or a company with which we happen to be selling into, would be the last that would be let go. And so we haven't seen any change in the renewal behavior, and we haven't seen any change in the pipeline build from the federal government perspective. So not sure if there's anything you want to add.

No.

All right. Maybe a profitability question for you, Erica. CyberArk has always been a very profitable business. You have well over 20% free cash flow margins. When you think about balance the business for durable growth versus finding those incremental areas of leverage, how are you thinking about that over the next 3 to 5 years?

Yes, it's always one of those things because we see such a tremendous opportunity in front of us with all the things we've talked about today about the broader platform expansion, our ability to secure and go after the machine identity solutions as well as the human side. So there's a natural tension for us around balancing that level of investment we want to do within the organization and driving that top line growth. I think for us, we found that sweet spot where our expectations are is that we will continue to expand our margins at a pace that we think is appropriate, which leads us to those long-term targets that we outlined just last week because that will be able to continue to drive that top line growth. And the way we're going to be able to do that is really by focusing a lot of our investments when we think about that go-to-market engine on that channel expansion, where we think we can really drive more value, but also get further feet on the street to extend our reach in a more meaningful way that will drive up productivity. And then when you think about the R&D investments, we've been very much focused on leveraging that R&D investment line because we've been making more and more investments in those shared services in our platform, which will allow us to leverage those R&D investments more effectively. So as we are thinking about that margin expansion, you should expect us to see that steady expansion of our margins, but that should also be able to drive that top line growth.

And I think, ultimately, when we look at balancing the investments for the company, it's why we -- at our Investor Day, we put out this kind of, hey, we're committed to the Rule of 45 moving forward. And that kind of becomes the table stakes, if you will, that helps us set, all right, where do we want to inflect. Do we think we're going to grow faster. Okay, then maybe free cash flow margins stay at 25%. Or we think we can grow a little bit less, or free cash flow margins can be driven up more. So I think the Rule of 45 for us, we're using that vernacular for a second becomes the baseline, and then we will flex up or down based upon the opportunity that we see. Any time we see an opportunity to be able to go after more growth, we're going to go after more growth, but we don't think that it would ever have to sit below 25% free cash flow margins in order to be able to pursue that.

Got it. Any other -- any questions in the audience? Oh, we've got one here. Maybe while the mic goes there. One last question from my end. Just as you think about -- we're already there, never mind.

You still have a good chunk of maintenance ARR. What would kind of allow you to accelerate the transition to SaaS above that like mid-single digit you guys have pointed to and to what extent could that be machines?

Yes. I mean I talk a lot about this in terms of like carrot versus stick and how do we approach it? We still see really strong upsell and kind of multiples when people convert. So even for like-to-like when they move from on-prem to SaaS, we see 2 to 3x. And generally, at that moment in time, they're also upgrading and buying more. So those deals are even bigger. So we like the idea of a natural progression of those deals converting versus kind of coming in with a big stick, and forcing the issue and all of a sudden, we'll get a big actually incremental boost in 1 year or 2 years but we'll be giving up long-term opportunity for growth because maybe we only get a 1x or 1.5x multiple. So I think what you're seeing in the market is more and more customers are starting their path to understand how they take a very on-prem centered vault concept around PAM and move it to the cloud. We see customers and financial services, banks start to convert. So I think as that kind of picks up and we see some of the, let's say, hesitant industries, move on their own, we'll see it all start to take off. But I think it still plays out over the next 3, 4, 5 years as we see it kind of as a healthy tailwind to the business, but never inflecting to such a level that it's a one-and-done kind of approach.

Okay. So we'll end it there. Matt, Erica, thank you so much for joining us. It's always a privilege having you at our conference and congrats on all your success, Matt, over the last couple of years as CEO, and I wish you continued success.

Thank you for having us.

Thanks, Hamza.