Palo Alto Networks (TICKER: PANW) Palo Alto Networks Inc Panw Presents Bank Of America 2023 Global Technology Conference

By /
Palo Alto Networks, Inc. (NASDAQ:PANW) Bank of America 2023 Global Technology Conference June 6, 2023 11:40 AM ET Company Participants Nikesh Arora - Chairman and CEO Conference Call Participants Tal Liani - Bank of America Tal Liani [Call Starts Abruptly] time, and everyone knows Nikesh. So that's -- we start high this time. I want to start with a question that everyone has on its mind when it comes to the sector, not specifically to Palo Alto. We have companies who are doing great, like our company, we have companies who are doing poorly. Even CrowdStrike that had good results, had some negatives in SentinelOne. We've seen what happened. Forget get the accounting, the underlying market, how is... Nikesh Arora So, we can forget accounting today? Question-and-Answer Session Q - Tal Liani Yes, forget accounting. Forget accounting. How is the market itself, how is demand? How is the business environment in general? Nikesh Arora First of all, thank you for having me here. And apologies for being a few minutes late. For the last three quarters, we've been saying it, we've been hearing it in the market, I suspect you're hearing from every enterprise company, we have an aggressive Fed who's driving interest rates up. I called it the revenge of the CFO. My CFO has never been happier. People are talking to him, paying attention to him. He's been ignored for many years, when interest rates were zero. So every CFO in the world is getting the attention. I mean, imagine enterprise often does three-year TCV deals, cost of money zero, the customer writes you a check for three years, saying this is sitting in the bank, not giving me a lot of money. Now you can make 5.5%, 6% interest. He's not going to go write me a check for three years upfront without having a long conversation about what's in it for them. So, I think the interest rate purely macro changing has the CFOs to get more involved. They're paying attention to how much cash is in the books. Even companies that are doing great out there are watching their dollars. Now, what is -- so let's put that on one side. So I think there's no debate that people are watching their dollars and paying more attention to how they spend their money, whether macroeconomic environment is impacting their demand or they're just being conscious of the cost of money. If you think on the other side, cybersecurity. In the last nine months, no customers said to me, this is really nice, I like it, but I'll buy it another six months later because I don't need new security. Anybody who's been going down a security project is continuing to do their security projects. Are they looking at their security budget and saying how can I optimize it, yes, right? Like every team, they're being asked, the cybersecurity -- do not have a blank checkbook compared to any other team in the company. They're being asked to optimize their spending, which on the margin is good for us. When you're optimizing spending, what typically goes first is a small $100,000 ACV tool or $200,000 ACV tool, they don't shut down their firewalls. They don't cut off their transformation projects. The transformation projects were being questioned in the beginning of the pandemic. My revenue is vanished, how am I going to afford this? I have no money left, I'm not going to be able to do anything. But nobody is questioning a transformation project in the current environment, right? Everybody is hurting a little bit, but nobody is hurting so bad that things are going away. So the demand is there. Customer behavior is changing, buying behavior is changing. I don't want to buy all the three years upfront. Can I do something, how I pay for it? Or can we phase this out Phase I, Phase II, Phase III? Or what if I bought 20,000 seats first, and then I bought the next 20,000 next year? So you're seeing a phasing of projects, people resizing projects, rescoping. So, I think you have to be conscious of how we think about the demand environment and how we see it translate into the results of cybersecurity companies. So, I think the demand environment is strong. Customer behavior is changing perhaps some of the results, which gives you a head fake. There is a certain segment of the market, which might be hurting more. And the way I described it, there are two things that happen. One is the SMB or the low end of the market does tend to push or postpone. I won't buy other firewall for another one year. Let me push. So you'll find that on the lower end of the market because the macroeconomic environment has a bigger impact or more pronounced impact there, they might postpone a little bit. Fortunately, for us, that is not a -- this is not a bug, it's a feature. We were never very good at that end of the market, and now it's good for us that we were not very good at that market. The other place you'll see it is -- because of every company, I think, in the world, enterprise company has told you, sales cycles are elongating. Now, sale cycles that are elongating, I want to say, in any quarter, about 15% to 20% of our business is net new business, the rest is the existing customers or existing business. The more new business you have, the more volatile your results are going to be because you've got to drag every deal across the trend before the end of the quarter. Tal Liani Okay. Makes sense. Okay. All right. Nikesh Arora I don't know the answers to any other companies... Tal Liani Follow-up question. Is there a difference in the willingness of customers to spend, whether it's a SaaS model or whether it's an appliance that they have to pay upfront? Is there a difference between willingness to spend on OpEx versus CapEx? Nikesh Arora No. I mean, they will translate it to whatever -- no. The short answer is no. It's not like they'll buy a software product from me more than a hardware product. Now, there was a supply chain impact, which encouraged a lot of customers that think hard about solving the problem at software, right? I'm sitting down, I need 5,000 firewalls, then say, could I design a hybrid architecture, which is 2,000 software firewalls, 3,000 hardware firewalls? Yes, a lot of that has been tried or all of that has been thought through, so they don't get caught in the post-pandemic supply chain crisis. So, we have seen an accelerated shift towards software for the last few quarters. Tal Liani Got it. And the last question is, is there an impact on pricing in -- do you see like for example other vendors being more aggressive, so it forces you to also be aggressive? Nikesh Arora The enterprise business is a highly negotiated business. And depending on the product category you talk about, you will see negotiation all the time. On the margin, I think, generally, most of you guys have not incorporated the impact of the cost of money to enterprise businesses. I've never heard the sell-side or buy-side investors talk about the fact that giving you money three years up front. That's stupid. That cost them 12% now. It never cost them 12% three years ago. Why they're still doing it? Not every CFO is asking the question, for now, we're okay. But they're all getting there. That's why I said in our quarterly call that the behavior changes more widespread and more persistent. Now, in the end, left pocket, right pocket, do I have to get a bigger discount? Tal Liani Got it. Okay. I want to maybe move on to your NGS business, the most successful part of your business. And there are many parts to NGS. Last quarter, you grew 60%, more than we expected. Can you break it down for us to the components and talk about the growth you're seeing in each one of the kind of big buckets within NGS? Nikesh Arora Yes. I think the way to think about our NGS business is in the last five years, we've transformed into effectively three platforms. We have a network security platform, where we sell hardware, software and SASE as a combined -- you can buy each piece or you can buy a combined as a Zero Trust architecture. And there are a lot of software delivered capabilities there. So, our SASE product is part of next-generation security. We do a whole bunch of in line protection using software in our network security business that all goes into NGS. So, that is driven by the robust renewal of firewalls and cloud delivered capabilities and the SASE transformation. So, I think the prior quarter, we declared that we've got $1 billion worth of bookings on SASE. Remember, we didn't play in the SASE space three years ago. It was one player, which took away all the SASE business. We've done $1 billion. So, we think we're growing faster than most other players in the space. We see a robust pipeline. Software firewalls are doing really well, given where the market was one year ago where people started evaluating software in light of the supply chain crisis. That's the network security platform. There's a cloud security platform. This is all the applications people are writing, says I'm sure all of you pay attention, Google, Microsoft, AWS, Oracle, Alibaba, et cetera, have gone and done a really good job selling the public cloud to people. Well, they have to use it. The way use it is we move applications to the public cloud. You don't use your sales force there or work there. You take your own homegrown company applications, move there, either lift and shift or you rewrite them. As you move the applications, you have to make sure they're secure. They have a product that secures your application development life cycle and how you run it, it's got Prisma Cloud. That's the second category, which is doing really well because more and more people move to the cloud. And it's somewhat different from -- our cloud spending is going down. Well, cloud commitments are going down. Cloud spending is fine, people are moving more and more workloads to the cloud. And the last category, which is the category where five years ago we had identified that AI was going to have a significant impact to cybersecurity is our Cortex set of products where we announced that we hit $1 billion in bookings. Again, this was the area we did not play in. This includes the endpoint detection using AI. This includes the attack surface management work that we're using AI and it includes automation playbooks and our most recently launched product called XSIAM. So that's kind of the three buckets. On a 12-month basis, they're all doing really well. Every quarter, one cousin does there than the other, but that's part of the running the portfolio. Tal Liani So, what I'll do now, I'll just ask you questions about each one of them because they're each -- each one of them is very interesting on its own. Starting with the SASE and securing basically access to the cloud, how -- we've seen Zscaler having some issues then they came out and said things are coming better. Have you seen any ebbs and flows in this business of demand going up and down? How is the acceptance of this service by customers and specifically about you, how is the competition in the market? Nikesh Arora So remember, the old ad from Avis, We Try Harder? Tal Liani Yes. Nikesh Arora So because we're the newer player and we're trying to grow bigger, we try harder. So, are there ebbs and flows? The -- I think you're conflating ebbs and flows and deal closure with demand. The demand is strong. It's our biggest pipeline, SASE transformation. And remember, what is the SASE transformation? The customer comes to you and say, I have 1,000 stores around the world. I have a large lines, I bought from the telecom companies. And I need to replace all those lines, I need to put -- box and to read our traffic. This is a 9- to 12-month implementation of a network strategy reading your network. Nobody does this lightly. Nobody does this without doing tremendous amounts of testing in their own network because they're about to get away from AT&T or Verizon and go to the open internet and use whatever internet access there is. And we did announce this last quarter, one of our larger deals, or a large beverage company that I think is a household name around the world. It's going to take them nine months to implement the project. They took nine months to decide that they want to do it. They took six months to decide to actually close the deal. They took a 15-month sales cycle, which happened to close magically two days before the end of our quarter. So typically, a lot of magic happens in the last four days of the quarter because customers have learned for the last 50 years taught by the large enterprise behemoths that if you drag it to the end of the quarter, these guys are going to probably give you a better deal. They tried three quarters a row, we didn't, they finally close the deal at a price we offered them nine months ago. So, this is good news. But there is long lead times in the SASE business. But once it's there, it's a sticky business because you're deploying us on 100,000, 300,000 employee laptops around the world, it's a hard problem to go rip that out. It takes six months and probably makes a lot of people unhappy if you say, give me your laptop, I need to redo the security software on it. So, it's a strong business. It's going to be a robust business. There used to be one player. I joke there are 2.5 players in the market. And I don't see that SASE transformations are going to slow down. You pay attention to the Federal registers, the U.S. government is going to go Zero Trust and SASE over the next few years. So far, there's one approved vendor for SASE for DoD. Tal Liani Yes. Do you envision -- it's a big market. You're certainly one of the leaders in the space. Do you envision new players coming in? Nikesh Arora It's a tough business. It's a very tough business because -- and I think most people don't understand. We -- and anybody who wants to join this business is going from a seller product and go away to run a service business. So, in the case of firewalls, we would sell your firewall, your engineers would go deploy it. That's up to you. In the case of SASE, we take it over. So, when you log in from a laptop or iPad, Palo Alto Networks is running that traffic on the internet, dropping it and delivering security. So, I'm actually running an operating service. If I go down, your company is going to be pausing operations. We run some airlines around the world, we -- not some, many. We run banks. We run consulting companies on our operating software. So, we take the traffic, move it on to Google Cloud. If Google Cloud goes down, we switch you to AWS. So now, you're running a 99.999% operating company. This is not a start-up opportunity. I think people are kidding themselves as they think that startup is going to come disrupt the SASE business because the first thing that they were asked is how do they deliver five 9s in on my own my service. Five 9s is a large operating event. So, -- yes, could an AT&T do it? Possibly. Could a large company do it? Possibly. But -- there's a lot of tech needed. It's taken us three years of building it and 14 years before that of having the capabilities on our firewalls. So, I don't think it's an easy market to see new players in. I think -- it's an established market for one player. But what's also changed is that the established market used to -- traditionally, we had take me to the internet market, take me to Salesforce, take me to Workday. When I own my laptop, take my internet traffic this way. Nowadays, I've moved to Google Cloud, take me to my application. That is a whole different security question, and take me to Workday. And again, most people have not understood, that's what the difference between the ZIA and ZPA type product. Tal Liani So now the question is, so when we -- in a second, we'll talk about your Prisma Cloud. Prisma Cloud, you made a lot of acquisitions. You always add more and more features. I'm guessing it's -- you're not done with adding more features. What about Prisma Access? Is this a set product that -- do you see it growing the scope, or is it more just about replacing a lot of the legacy, the VPN, the CASB, replacing a lot of the legacy with Prisma Access. Nikesh Arora It's a full product. I mean we -- It's a full product. Nobody is going to give me $25 million to go take their entire business and have their employees on me, nobody's allowed aircraft manufacturer, not going to have me have more than 0.5 million employees around the world running on my system saying, yes, we trust you, build the rest of it later. No. It is a full product. It works. People use it. We don't need to go do anything. We have to keep evolving it in a positive way. And I'm sure we'll talk about this if you want to, the whole new world about AI and generative AI and how does that evolve any product. So, we'll keep evolving it, but it's not something we need to go plug a whole bunch of stuff. Tal Liani So switching to Prisma Cloud, you are the largest company in the space. By the way, I'm hosting a panel on this later. I don't remember if it's there tomorrow, but it's one of the fastest-growing markets. You have the most complete portfolio with pluses and minuses. So first, let's talk about the pluses. How do you see this market evolving? I'm not asking about the number, just asking about to understand the size of it, to understand the scope of it. And what is your next big hurdle? Meaning, you are already now the leader, what do you have to accomplish over the next 3 to 5 years in order to establish yourself as a leader, and so, we don't see these small start-ups that are coming, taking some of the market share away from you? Nikesh Arora You should not confuse small events in life. When I started the Prisma Cloud product, there was a company called Dome9. We don't see them anymore. They got acquired. There's a company called dvCloud. [Ph] We don't see them anymore. They got acquired. There's a company called Orca, we don't see them as much anymore. There were -- so we have seen many startups in this journey. I think the way to understand the cloud security market is, people go make a commitment and move to Google, to AWS, to Microsoft. And over time, what has happened is they've ended up in more than one cloud. I think the Fortune 100, there's very few single cloud customers. They're probably all of them on more than 2 clouds or on 2 clouds. Now, if you were -- and the whole process is, I'm moving an application. It's a trading application. It's a back of the office -- back of the house application, and moving it, rewriting it in Google Cloud. Now when you rewrite it and runs over there, it's your job to make sure that it runs securely. For example, what does that mean? I've
Scroll to Top