CyberArk Software Ltd. (CYBR) Earnings Call Transcript & Summary

Thanks for joining us today. For those of you who don't know me, my name is Madeline, I work with Tal doing cybersecurity research and networking, but you've seen me probably more on the cyber side. I'm so excited today to host CyberArk and more importantly, to host Clarence who -- if you haven't had the chance to interact with him before he does all of the strategy for CyberArk. And it's been a very busy year for you, for the company, definitely for you in your role and especially over the last few years as CyberArk has really evolved more from just traditional PAM, but you guys have really kind of captured these tailwinds in Identity Security market and evolved into so much more. So excited to host you today and thanks all for attending.

Happy to be here. Thanks for having me.

So with that, we'll get right into it. First, just to get this question out of the way. I know it's been obviously a tumultuous last couple of months. So just how are you seeing the market right now, especially in identity security and maybe more recent trends in kind of customer appetite as we're exiting first quarter?

Absolutely. So if I start with the broader macro, like for Identity Security, we're all familiar with the tailwinds. I mean it's just become so clear that the identity is the #1 defense factor because this is where all the adversaries are going to attack. And that's really what dictates it. So in all identity types, SSO human, the most privileged onto the workforce, et cetera, then you're starting to see more and more attacks based on the machine and nonhuman identity. So that's the backdrop and there's a lot of urgency there on the customer side, which ties into more of the macro question, which is so how are customers seeing. We talked about this during Q1 earnings, I mean, it's still -- it's a serious problem, it's pressing. And so even though there's some noise around with tariffs and all that we talked about in Q1. It's like demand is still there, still robust, not really seeing anything there. This isn't something that you can really put off. The stakes are too high really. And that's what we're seeing again, we're remaining -- we're paying close attention to how things evolve. We know that our customers have to take that all into account, but we're well positioned there, given what we do.

And then maybe just starting with kind of core PAM, and then we'll expand out from there. But can you give us your view on the core PAM landscape right now? How is growth in those core products? And where do you see that market evolving over the next few years?

Yes. So when you think about PAM and that goes back to more of the traditional vault and rotation, et cetera, even on to the modern use cases. From a solutions standpoint, that's where we talk about IT, again, with the core IT traditional PAM users to cloud operators and engineering even on to developer thus this whole continuum of traditional privileged access management controls onto the modern. We think that, first and foremost, it remains critically important to secure that type of access. And there's still a significant amount of runway there in terms of the number of highly privileged users that are not fully secured, that are not protected by either traditional or modern privileged control. So that remains a very, very vibrant market for us, is a growth market for us when you look at it in aggregate. And as we've talked about it's -- roughly half of our subscription ARR is between the IT and the developer solutions to cover this whole continuing from traditional PAM over to modern PAM. So it's a very, very important market space for us. And again, there's expand opportunities, their modernization opportunities. And there's also new land opportunities. There's still greenfield out there even on some of the larger enterprises.

Can you maybe refresh us all to when you land a traditional -- a customer who's really interested in the traditional PAM, right? That's not just a day 1, everyone's on the platform. Can you talk about the tail that you have? Because that's a big driver of your continued growth in the market, too, right, the tail in each of your customers to add new PAM users onto your platform?

Yes. That's absolutely right. When you think about the initial land and even if it's PAM focused now, I will say that now the majority of our new logos land with typically PAM and something else, whether that's endpoint or workforce or something. So we're seeing more of that multi-product, multi-solution land. But when that happens, they focus on high-priority areas. They're focused on specific teams, specific systems. And so it's rarely everything covered at once. So from the time you land, you have this natural ongoing expansion motion some time period to come, even just in PAM. And so you go from that to you introduce more modern privileged controls and you're able to get more and more of the, call it, the cloud side of IT on to the developer side, that's more expansion opportunity. And then you think about what we have workforce side with not just classic SSO and MFA but it's on to our privileged controls for the workforce, those secure web sessions. You throw endpoint protection into that mix, the browser, et cetera. And then you keep on going on to machine identity. We just see very, very strong cross-sell opportunities. And really, with our most strategic customers, we have established multiyear road maps with them like how we're going to roll out these various solutions across our organizations. And many times, it's not just solution all at once across the entire organization, you may have to go division by division. They may have acquired other companies, and we have to go into those operations and modernize there as well. So they're just many ways we're able to grow both within the core traditional and modern PAM and also cross-selling all of our newer solutions. It's just a very exciting opportunity.

You brought up an interesting point, right, of doing endpoint and workforce. And I think we heard from Nikesh earlier today that security has really evolved in the last few years where companies aren't necessarily just staying in their lane but looking to really move out, expand their platforms. And for identity specifically, there's been a couple of different themes, and we'll get to why there's no larger or identity platform in a minute, but something that's been kind of prevalent is really just-in-time access and who owns just-in-time access, right? CrowdStrike is coming out with their identity product that they say, just-in-time access is going to be run through them. A lot of other vendors are starting to do this as well. So where do you see yourself sitting in that landscape and kind of those competitors to maybe once we're on the outskirts of identity security now kind of putting pressure and coming inwards.

Yes. I think on 1 level, just seeing the interest in identity from nonidentity players, it just speaks to the importance of this as an attack and defense vector. So I'll put that out there first and foremost. But their market differences in how we approach it as an Identity Security leader versus some of the others. I mean, we're very much -- we start from a preventative controls standpoint. And we're very much deterministic in terms of making sure that the right protections are in place and making sure that we shut down the attacks when they do occur across all the identity types. If you flip over to the other side and what you'll see for a number of these other players, they come in from more of the SOC standpoint. And so it's more signals and it's more probabilistic. It's just -- it's a very different approach. And it's just basically taking what you may do in EDR and XDR and just applying more of an identity flavor to it, which is reasonable given the importance of identity. But make no mistake about it, but when you're looking at putting real identity security controls in place, that's where we live, and these other vendors really do not is a very, very separate type of motion and value prop.

And do customers need both, meaning will you sit -- will CyberArk sit next to CrowdStrike's just-in-time product as well?

Yes. I think it's a very different thing. When you -- again, when you're thinking about actually applying preventative deterministic controls, that is where we're super, super strong. I think if you're looking for other flavors of other things to add into more of a SOC-type solution, all that's fine. And oftentimes it's different users, different buyers, et cetera. I just view it as more of a -- it's more relevant for what they're already doing is not particularly related to what we do in terms of the controls we provide in terms of the real -- I mean just think about what we do for all identity types. So it starts with the discovery and onboarding to protect with the right lower privileged control. So that's whatever the actual credential is securing them, you secure the access to it, you ensure proper authentication and then you have session management and control. Then you have the life cycle that goes around all of that, the supports audit, that's a lot that we're doing, right? And you have to have real identity security controls to do that. That's not something you can do with a more probabilistic model that's more focused on the SOC. It's just a very, very different value prop.

Got it. So switching and expanding out a little bit, identity security platform. It's -- Identity Security hasn't seen as much platformization as other areas of security. Why is that? And what is CyberArk's opportunity here to kind of be that player that comes out on top.

Yes. So first, just to start with what we have seen in the market. I mean I think you've seen our customers out there who have offerings from 70, 80, 100 different discrete cybersecurity vendors and now you have Gen AI and agentic AI security looming, and so you'll need more security. The last thing we want to do is add on another dozen, a couple of dozen security vendors. So there's this overall movement towards vendors that are trusted by the customers. And that's why we talk about it in [indiscernible] talk is this consolidation of trust. And trust is based not just on your current portfolio, but it's on the belief your customers have you'll stay out in front of the attackers and the threats and you'll be able to secure them over the long term. So you're just seeing that in general, and that's the interesting part of consolidation, less about the financial aspects of it, whether that be packaging that vendors may do or whether it's PEs going out and assembling things. That's not the interesting part of consolidation. It's really this consolidation of trust. And so you flip that over to what we were talking about before with Identity really emerging as a primary attack vendor by the adversaries and therefore, must be a primary defense vendor -- a vector you have a consolidation of trust that's centered on Identity Security. That's where we're living. And to make this work as effectively as possible for our customers, of course, you delivered on a platform. You have a unified user experience unified in that for a specific role -- for a specific identity type, they have everything in front of them that they need to be effective. And on the back end, you have the appropriate level of shared services across the entirety of your offering so that helps the deployment with management, with innovation, with scale, et cetera. So that's what we really see coming together is those things. And we feel like we're very, very well positioned as that all transpires.

And maybe before diving into the different pillars of your platform, competition, Microsoft, specifically, if they look at their security portfolio, their strength lies in Identity Security, you have other companies at the top end of the market as well, right? So how do you view the competitive landscape? How is it changing? And where do you believe CyberArk is positioned today?

Absolutely. So if you start with more of our -- on the traditional PAM side, we know who the vendors are there, they are all PE-backed and kind of still in this more of a fast follower type strategy. We see them in deals. We feel very good about how we're able to compete and provide more value and leadership there for our customers. You move more into the workforce space. And that's where we see our innovation and differentiation really being on these advanced security controls that are born from our experience in PAM. So SSO, MFA, yes, they're vendors everywhere who do that. But when you talk about applying secure web sessions, you talk about incorporating industrial strength, workforce password management and other innovations that will continue to come down the line. That's really where we're differentiated, and we're looking for those various security-focused customers that want to provide high-end security for the entirety of their workforce, that's where we're strong. And that's how we differentiate. And again, yes, it can be crowded in there, but it's not crowded for customers that are really focused on that security value problem. When you go further out on to the machine side, you start with Secrets. And we've had strong performance there. You combine it now with what we're doing with Venafi, more of the core certificate life cycle management that then going into workloads identity security management, and that all continues to bleed over into AI. In that area, I mean you have Hashi, IBM on the secret side. We are competing very, very well there even before the acquisition. There are just a couple of competitors out there on the Venafi side. It's really you're competing against spreadsheets is the #1 competitor there. And on the AI side, it's a bit -- it's still wide open and it's to be determined, but we feel very good about the collection of personnel IP and technology that we have to develop leading solutions in that market as that matures.

And maybe on the machine identity side to such an exciting part of your portfolio, and I know Venafi must be near and dear to you given your role. But first off, the market, are we there for market awareness with your customers? Or is it still market education. Can you talk a little bit about how you've seen the trend of adoption for machine identity?

Of course. So I'll start with the end answer. Yes, there's -- I mean, there's excitement, there's understanding, and we feel like we're hitting this market at a very, very good time. What I'd say is historically, it was viewed as more of an operational value prop, whereas you have an outage, you have expired certificates, you have real cost that hit the company. And there's also a security component. I think that's switched over to where that's still true. And it becomes even more true when you reduce the timing from the life cycle from 400 days to 47 days, but we're seeing an increased focus on the security importance of that. And that's, quite frankly, why you're seeing those times reduced because there's a broad recognition that this is a security problem. There's a vast attack surface that exists if you have these certificates that can live for 400 days. So we're seeing this convergence of the operational benefits and also the security benefits of providing a solution like this. And then you go back to what we're talking about in terms of consolidation of trust. There is a conversation that our customers want to have with us. It's difficult to have it for some of these other companies because they're thinking, wow, I have so many vendors already. And is this another conversation that I want to have? Do you know them? Do you know who's good, I don't know. But they trust us. And so that's why when you have this announcement comes out with the shift to 47 days, our customers are rushing to us to say, okay, we need to talk. Let's see what we can do about this. Let's start to think through the road map and what that could look like.

And who should own machine identity, should it be PAM -- core PAM or IGA vendors or are there other types of security vendors that offer machine identity security that are better positioned. I mean, what's like the -- when you talk to customers, what's the right place for them to land in terms of getting that initial machine identity footprint?

Yes. I think that part of this goes back to what we were discussing before in terms of just the consolidation, the platform, identity, all that coming together. Our customers made it clear they want to have a leading vendor they, can go to for all of their Identity Security needs. And machine identities are super important, and they oftentimes want to think about them in the same way that they think about their human identities even though the dynamics of how you secure them are quite different. Again, you go through those controls I listed. It's the exact same things you have to do for humans and humans of all types and for machines and machines of all types. The technology you deploy may be different, but it's the same thing. And so they want somebody who understands the process, the mechanisms extremely well and who can leverage co-processes best practices across all of that, where necessarily appropriate. But most importantly, they actually can solve the problem. So to finally answer your question, I mean, our customers made it loud and clear, they want to talk to the leading IT and security vendor when it comes to that. It was very difficult to have any kind of a point product conversation. It just -- it would get lost. It would fall through the cracks.

And maybe talking about AI, with machine identity as well, how are you securing AI and identities in a really interesting place in the security stack because are you treating AI and especially LLMs and just the different applications you're seeing in enterprises as those human users more? Or how do you think about securing AI from an identity perspective.

Yes. So I mean, AI, it touches everything and we're still just getting started. So the very first thing -- when we very -- first started thinking about this is protection from, protection of, protection with. Protection from is, okay, the adversary is typically an early adopter of any new technology. So they come out, how do we protect ourselves from these new AI-enhanced attacks. It turns out, you basically have phishing based and all that, that's just -- reaches such a high level of execution that it puts all the traditional controls you have in place even more to the test. So the really protection from became more of deploy more fully -- deployed -- we had everything you need from a vendor perspective, but working with our customers to make sure you close these gaps given how effective these attacks were. So that was that. When you think about protection with, it's very important for us to really incorporate AI into our solutions in a way that meaningfully increases the productivity and effectiveness of the end users and the admins at our customer site. So that's how we're thinking about that aspect of it. That's what we're building into our road maps. You've heard that with our core announcements and more to go. Now protection of, you have the classic LLM aspect of it. For us, and when we talk to our customers, is really much more about how do you protect -- how do you ensure that the right people are accessing the LLMs and they are only doing things that we want them to do in terms of. So that's really focused the -- our protection of initially. But now when you start to flip it over to agentic AI, well, now you have these bot agents that have both machine and human characteristics. And this is where we feel very, very well positioned given what we have, given not just the current portfolio, but the portfolio, the technology and the road map that we have with Venafi, where we already have with secret and that everything we have in terms of human controls, that's the only way to effectively secure agentic AI. And we're working now to -- we've talked about it at our customer event, but we're working now to pull together the solutions that will protect and provide agentic AI level security. So that is a different scale, different solution, but it's a -- it will require many of the capabilities we have now.

And maybe a similar question to machine identity, but now to AI, right? Do your customers realize that AI is an identity security problem? Or are they looking for just companies that are purely focused from starting from that AI lens?

They definitely realize that AI presents a unique and complicated identity security problem. Now there are other elements of it. When you think about protecting the models themselves, where there is some different technology that is not necessarily identity based. When you literally think about locking down the models. That is a little bit different. But when you're thinking about AI, particularly AI agents, our customers fully understand that, that is an identity-centered security concern. And we're already having those conversations with them about how to protect and what they're worried about in terms of permissions access in terms of what happens if agents are corrupted and then turn against all the things that you see now is just that they're multiplied in terms of when you think about flipping access or corrupting access of associated with an agent versus just a credential or a certificate. It's a much more powerful thing.

And maybe moving to talk about the other exciting piece of CyberArk more recently is the acquisition of Zilla, right, and moving more into that IGA space. Can you talk around how you see IGAs being complementary to PAM? What was really the decision for CyberArk to enter this market, especially we just spent 20 minutes talking about core PAM and how important it is and all the growth drivers you have there. So why enter this market? And why now is Zilla?

Yes. When you think about the IGA concern, it's really become a central thread for identity-related security in just Identity Security overall. What I mean by that is you protect the access and you ensure the right levels of authorization, but you have to close a loop in terms of making sure that identities of all types of provisioned with the right access. It changes dynamically over time depending on the circumstance situation, join, move, leave, et cetera. And that's a thread that you really need to close the loop across all of your Identity Security solutions. But is no longer a management concern is now central to security. That's why for us it was important for us to investigate and understand what was needed by our customers. And what I can tell you is that with traditional IGA, more on-premise, it's just, everybody knows, it's an expensive endeavor in terms of deploying and maintaining the solutions. It takes a long time to stand up applications. So when you're thinking about months and years to stand up a few applications and now we're in the world of SaaS applications and cloud, you can't -- customers can't wait for that. So they needed something better to reduce their attack surface. Again, it's a security concern. So that's why for us, it was very important for us to how and whether we could push us in a different way. And so when we found and we discovered the Zilla team and Deepak and Nitin, we just saw something special there in terms of the people, the capabilities, the approach. There was a differentiated way to really deliver IGA, a modern approach to IGA that was lighter weight, quicker time to value, already leveraging AI to take some of the manual steps out and make it so you could cover more of your estate and reduce the attack surface fairly quickly. And so we have multiple threats here where there's a kind of a stand-alone motion of customers need this. Customers need modern IGA solutions, all up and down the stack of sizes, and we have tremendous interest from our customers there. There's that. And there are also horizontal capabilities that are relevant everywhere. They're relevant IT workforce, even a machine identity. Now there may not be the same code as something we'll work through, but we have a strong team and talent, technology capabilities and know-how they can really strengthen our -- the IGA-related aspects of machine identity as well. So that was a lot, but we're very, very excited about it. It was just -- it was a very, very key element of our overall Identity Security story and kind of an open problem for many of our customers.

And when you think about where Zilla sits, I mean, is Zilla replacing other IGA vendors? Is Zilla complementary to other IGA vendors? Kind of what is the opportunity there?

When you think about this because it takes so long to deploy traditional IGA. What you're seeing is this covering what the teams haven't been able to get to yet. And so this is a way to more rapidly, more expeditiously provide this level of governance to your longer tail applications, SaaS and even select our on-prem applications quite frankly. So that's really what we see now, whether other solutions are deployed. Sometimes yes, sometimes no, but there's a tremendously large greenfield opportunity here in this market. But even when there are incumbent solutions, there's plenty of space for this to work alongside. And alongside, it doesn't necessarily mean you're right beside, it could mean different departments, different users, different applications. So there's just a tremendous amount of upside and opportunity here.

And maybe in the last couple of minutes or 2, I know we didn't go through your whole portfolio, but if you could kind of touch on to some of your other products outside machine, outside IGA and outside of core PAM, where are the opportunities there? And then for anyone who does have a question, we'll save 1 or 2 minutes as well for that.

One thing that's extremely important that I just want to reiterate is if you go back to this PAM to modern PAM is where a lot of the innovation is happening and thus, with this movement from the IT solution with the more classic PAM type users, the domain admins and others to the cloud engineers, cloud ops over to the developer. That's where we just see a tremendous amount of opportunity for us to deliver real robust modern privileged controls to those new users and new use cases. And so as we have secure cloud access, secure infrastructure access, it's like all this just-in-time highly secured access to cloud consoles and infrastructure. That's very, very important, especially when you think about getting into the longer tail of uncovered highly privileged identity. So that's something we're very excited about, and we're spending a lot of our time and energy continuing to invest and modernize there. So that's the one thing we want to make sure that we had. And again, even on the workforce side, just adding those layers of security control beyond the more -- the highly competitive classic SSO and MFA but adding the additional layers of security controls. That's very, very important because you still see that's the most significant area of a tax service on the human side of this long tail of general workforce where the adversaries know how to elevate the access move ladder and then get to the privileged users that they really want.

Maybe I'll see if anyone has a question. Otherwise, I'll ask -- wrap up.

[indiscernible].

As I was saying before, this is -- you really see that as more of something that complements what they're already doing, more endpoint and SOC-based and if nothing else, it brings more attention to the importance of securing identities, but it's not -- it's just not at all related to what we do in terms of the proactive nature of our controls and they're very deterministic nature of our controls. It's a different thing that I think is just more -- I view it as much more as a complement to EDR, XDR, and different SOC solutions than anything directly mimic in what we do at all in the classic Identity Security control side.

We don't see many new competitors in the privileged access market. Does it mean that it's difficult to do? Or does it mean that it's not attractive enough to enter the market.

On the classic side of it, I think that it is difficult to do. What you see or you see some start-ups coming more on the modern controls where they're trying to address very specific slices of it. And you see there are plenty of companies shown up there. It's just -- it's a difficult entry point, especially when you go back to never mind wanting vendor to come in and solve your highly privileged access product. You want 1 vendor to come in and solve the vast majority of your holistic Identity Security problem. So they're there. It's just difficult to gain traction given the dynamics in the market. And given is that really where a customer wants to add another couple of vendors to the roster is tricky for them.

I guess on the last couple of seconds here. One question for you is from your seat Clarence, do you think there's anything that investors are underappreciating about your story right now or anything that you'd like to end on from that perspective?

And I won't go into underappreciated. And just 1 thing I just want to make sure I highlight is that across the spectrum of what we're doing, there continues to be upside opportunity. There's still -- even though there's a relatively higher penetration of the more privileged identities, there's still so many that are protected. So we have the upside opportunity there. And then as we go further and further to the right, there's an extraordinarily long tail of unsecured machine identities of the types we know about before you even get into the future with agentic AI. So there's just a massive, massive opportunity. For us, what we view it as a massive. There's a lot of ground we have to cover to effectively secure our customers. And so we're excited by that. But from an investor standpoint, a massive, massive upside opportunity, lots of open space in terms of both going deeper, further adoption and going broader with the adoption of our newer solutions.

Perfect. Great. Well, thank you all. And thank you, Clarence.

All right. Thanks so much.