This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
CyberArk Software Ltd.
11/2/2023
Thank you for joining us today to review CyberArk's third quarter 2023 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer, and Josh Siegel, our Chief Financial Officer. After prepared remarks, we will open the call up to a question and answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-thinking statements, which reflect management's best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our projected results of operations for the fourth quarter, full year 2023, and beyond. Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company's annual report on Form 20F filed with the U.S. Securities and Exchange Commission and those referenced in today's press release that are posted to CyberArk's website. CyberWorks expressly disclaims any application or undertaking to release publicly, any updates or revisions to any forward-looking statements made today. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliations to the most directly comparable GAAP financial measures are also available in today's press release, as well as in an updated investor presentation that outlines the financial discussion in today's call. A webcast of today's call is available on our website in the investor relations section. With that, I'd like to turn the call over to our CEO, Matt Cohen. Matt.
Thanks, Erica. And thanks everyone for joining the call today. I want to start off by saying our hearts go out to Israel and the global Israeli community as they navigate through this incredibly difficult time. The atrocities committed by Hamas in Israel are horrific, and as an organization, we condemn these barbaric acts. The health and safety of our team continues to be our top priority. We are providing all of our employees with the flexibility required to care for their wellbeing, for their families, and for their communities. The resiliency and spirit of our team has been nothing short of remarkable. The outreach and support from our customers, our partners, and the Wall Street community has helped us all through the last few weeks, and we greatly appreciate it. Moving into the quarter, we had one of the best quarters in the company's history. We saw a significant step up in demand for our platform. Our go-to-market teams continue to deliver, and identity security remains a top priority for global CISOs. In the third quarter, our bookings growth accelerated, and total bookings significantly outpaced our guidance framework. Demand surged across our platform, resulting in stellar results that beat our guidance across the board. Subscription ARR reached 504 million, growing 68% year over year. Total ARR reached 705 million, growing 38%. We added a robust $52 million in net new ARR, and we exceeded our guidance range across revenue, operating income, and EPS, with total revenue accelerating to 25% growth, reaching $191 million. Non-GAAP operating income came in at approximately $17 million, and we generated non-GAAP earnings per share of $0.42. Throughout the year, our team has personified excellence in execution, and we have navigated the macroeconomic landscape exceptionally well. While uncertainty persisted in the third quarter, we experienced a firming of the macro environment compared to the last few quarters. Our execution was even stronger in Q3, as seen in our meaningful top and bottom line outperformance, and the significant step up in our ARR guidance for the full year 2023. Our close rates improved, and we had strong conversion of our record pipeline. While we didn't see any outsides sealed in the third quarter, there was a healthy increase in seven-figure ACV contracts, as customers are more than willing to allocate significant portions of their cybersecurity budgets to our mission-critical solutions. In addition to strong execution across our go-to-market and product development teams, we continue to benefit from robust secular tailwinds that are becoming even stronger. The exponential growth of identities, cloud migration, and the elevated threat landscape are all contributing to the momentum in our business. One thing remains constant in cybersecurity incidents. All roads in the attack chain lead to identity. The MGM incident is one of the most recent examples of identity and privilege access being leveraged to move laterally, regardless of environment, and how attackers can inflict devastating damage, including a complete shutdown of an organization. As identities across the enterprise become more powerful, cybersecurity leaders recognize that to be secure, all identities need the right level of privilege controls. Organizations are also grappling with how to assign privileges and provision access to provide each identity with the right level of security at the right time. We are the only company with an identity security platform that can offer our customers the flexibility to provide standing access, just-in-time access, or zero standing privileges, depending on the type of identity and the nature of the target they need to access. What differentiates our platform even further is that we can do this across hybrid and cloud native environments. Based on our truly differentiated capabilities, our platform selling motion continues to gain traction and all our solutions are being adopted by customers at an accelerated pace, driving strong growth. This includes PAM, which despite having a much bigger base, is still one of our fastest growing areas. Equally exciting, Customers today understand that EDR is not enough, and they need endpoint privilege manager to lock down every endpoint with the least privileged approach. Our access solutions remain both an expansion and landing opportunity. Conjure Cloud and Secrets Hub are leading a SaaS-first strategy for our secrets management business. And equally exciting, the early momentum we are seeing with secure cloud access remains very strong and opens up an entirely new group of identities for CyberArk within the developer community. We have an all-star lineup making up our portfolio. We are empowering our customers throughout their digital transformation journeys by securing access to their cloud environments and protecting their developer communities and the applications they are building, all without getting in the way of innovation. Ensuring every identity across the workforce is truly secure sets us apart and is helping us achieve these strong results. Digging into some of the key deals in the quarter, the threat landscape is driving customers to adopt our robust identity security platform and has pushed CyberArk into the top competitive position. We had a strong new business quarter and signed about 230 new logos, with customers increasingly landing with two or more solutions. A few great wins from the quarter included ProDesp, an international government agency recognizing the mission-critical nature of identity security, and went deep with CyberArk from the start, landing with PAM, EPM, Access, and Secrets in a seven-figure deal. A manufacturing company landed with PAM, Vendor PAM, and Access. Our platform capabilities were a key differentiator over competing identity vendors. Influence from both an advisory firm and a channel partner demonstrates the powerful combination of our platform and partner network in this great new logo win. Glasgow Caledonian University was looking for a modernization and upgrade of their identity stack, driven by a need for stronger security controls. Recognizing the need to look at identities holistically, they brought CyberArk Security First Mindset on board broadly. adopting Privileged Cloud, Identity, Workforce Password Manager, and secure web sessions. The velocity of our business is picking up as customers achieve faster time to value with our SaaS solutions. One thing I want to drive home is that our expansion business is coming both from our new solutions as well as expanding PAM within our existing customers. The land and expand motion is built into our model, and its success is represented by the 33% increase in customers with more than 100,000 in annual recurring revenue to 1,585 customers at the end of Q3. We're seeing even faster growth in the larger cohort of customers with over 500,000 ARR. A few examples of expansion deals include a long-term CyberArk PAM customer in financial services needed an additional layer of security for its broader workforce. This quarter, they added CyberArk Identity, Secure Web Sessions, and Workforce Password Manager, taking the first step into our SaaS capabilities with discussions already underway to go deeper across the platform. We had a great quarter for our secrets management business. In a seven-figure ACV deal, a Fortune 500 financial services company who added secrets management for the first time for a subsidiary in the end of 2022 is now deploying CyberArk as the de facto provider for all its data centers globally. This is another example of CyberArk serving as the secrets backbone for the enterprise. With the recent uptick in high-profile breach activity, EPM remains a must-have. Adding to its existing CyberArk portfolio in a seven-figure ACV add-on deal, this Fortune 100 retailer was looking to deploy EPM across all its workstations and servers, allowing consistent policy adoption. Removing local admin rights and running in least privilege at the endpoint delivered measurable risk reduction across the enterprise. We continue to see great alignment and momentum in other channel partners and partnerships providing new valuable routes to market that allow us to extend our footprint even more effectively and reach new customer segments. The number of certifications and unique certified partners continue to show healthy growth across PAM, Access, and Secrets Management. The partner community is a big part of our growth, and we are thrilled with the depth of our relationships. And while MSPs are still a small percentage of our business today, momentum is continuing to pick up. Our MSPs deals are on average about 50% larger in size than traditional channel deals with a faster sales cycle. In the third quarter, a Nordic MSP doubled the number of PAM and workforce password manager users after initial purchase in March. Their managed service operations have expanded significantly as they build out their identity security offering. Results like this are becoming commonplace, and our MSP pipeline continues to see strong growth. Moving on to innovation. In early September, we launched our Artificial Intelligence Center of Excellence. The center builds on our long track record of using artificial intelligence and machine learning to fortify and expand generative AI and ML capabilities across our identity security platform. We are harnessing these capabilities to drive risk analysis and risk reduction, threat detection, to simplify the user experience through automation, and optimize policy to be more effective and boost productivity. AI is also being weaponized by attackers, which is increasing the severity of the threat landscape. The CyberArk Labs team was founded on the principle of thinking like an attacker. and is providing ongoing research on how generative AI is driving attacker innovation. The labs team is working closely with the Center of Excellence, and together they are fighting attacker innovation with innovation of our own to more effectively secure our global customers. In early October, we announced new risk-based controls for identities in the cloud, strengthening our secure cloud access solution. These enhanced capabilities enable just-in-time access with zero standing privilege to a diverse set of cloud services that sit behind the cloud management consoles for all cloud service providers. These services run in multi-cloud environments with no added friction to the user experience. While many other vendors focus on visibility in the cloud, no other vendor can bring privileged controls to the cloud like CyberArk can. We were excited, once again, to be named a leader for PAM by two major industry analysts, including in the Forrester Wave for Privileged Identity Management. Our identity security platform received a top score in the current offering category and the highest possible score in 16 criteria, including least privilege access, just-in-time access, development and DevOps support, threat detection and response, innovation, and partner ecosystem. As you have heard from us for a while now, the investment in our identity security platform has dramatically increased our ability to innovate and bring new integrated services to market at an even faster rate while driving down our overall cost of development. The threat landscape is evolving quickly, but we are well positioned to live our mission of securing our customers around the world against cyber threats with constant innovation and security-first solutions. Switching gears to profitability, the effects of our subscription transition are entering its final phase. Our top line growth is accelerating and our outperformance in Q3 shows the inherent operating leverage in our business. We are marching towards our goal of returning to a rule of 40 company or even beyond. We are striking the right balance between investing in growth and innovation and driving profitability. In addition, The final piece of the transition is cash flow, which we expect to expand in 2024. With our stellar performance in the quarter, I remain very confident in the long-term targets we outlined earlier in the year. To sum up my discussion today, we posted a stellar quarter with our business accelerating. Our industry-leading platform drove strong new and add-on business. We offer a must-have layer of security that is truly differentiated in the market. Our competitive position has never been stronger, and you are seeing the momentum in our business. We are the only vendor in the market today who has a full identity security platform, one that can apply the right level of controls over any identity, regardless of environment. I'll now turn the call over to Josh, who will discuss our outperformance in more detail, and how the significant increase in our full-year revenue operating income, and ARR guidance demonstrates the confidence in our execution and the durability of the Devan environment. Josh?
Thanks, Matt. We posted outstanding results in the third quarter and beat our guidance across all metrics. Our bookings outperformance compared to our guidance framework for the third quarter resulted in top-line revenue growth accelerating to 25%, coming in at a record $191.2 million. We were particularly pleased with our results because of our subscription bookings mix in the third quarter was 97%. That's higher than our guidance framework of 95% evidence that the booking strength was even more impressive than the top line outperformance. Our business continues to be driven by upsell, cross-sell, and new logos landing with a bigger piece of our identity security platform. ARR demonstrates the momentum in our business and reached $705 million at September 30, growing 38%. The subscription portion increased 68% and reached $504 million. The strong $53 million in net new subscription ARR shows the step up in demand for our identity security platform as customers increasingly move to protect all identities with intelligent privilege controls. The maintenance portion of ARR was just over $200 million at September 30th. Strong renewal rates persisted in the third quarter, and we were able to capture price increases resulting in a relatively flat maintenance ARR compared to the second quarter. Like for like, conversion activity still only represents a single digit percent of our year-on-year ARR growth. Moving into the details of the revenue lines for the third quarter, subscription revenue reached $122.9 million, with growth accelerating to 65% year-on-year and representing 64% of total revenue in the third quarter. Perpetual license revenue came in at $4.1 million. Our maintenance and professional services revenue was $64.3 million. Of that, $51.5 million came from recurring maintenance. The consistent maintenance revenue is because of our strong renewal rates and the uplift in prices we are capturing for our mission, critical software, professional services, and professional services revenue was $12.8 million in the third quarter. Recurring revenue reached $174.4 million and is now 91% of total revenue, compared to 84% in the third quarter last year, demonstrating the subscription engine we have built. Recurring revenue growth accelerated to 36% year-on-year. Geographically, the business continues to be well diversified. The Americas revenue reached $112.4 million, growing 20% year-on-year. APJ grew by 21% to $18.7 million, and EMEA grew by 38% year-on-year to $60.1 million in revenue. One thing to note is that every one of our major territories had a subscription mix of over 94%. All line items of the P&L will be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release. Our third quarter gross profit was $158.2 million, or an 83% gross margin, consistent with the third quarter last year. Our operating income of $16.9 million far exceeded the top end of our guidance. We are pleased that our commitment to the profitability and leverage is now paying off. Sequentially, our operating expenses declined from the second quarter of 2023, primarily because of our impact customer conference. As a reminder, in 2022, we hosted our impact customer event in the third quarter, and it fell in the second quarter this year. That's affecting the year-on-year comparison in addition to the sequential. Net income came in at $19.6 million, or 42 cents per diluted share, also significantly outperforming our guidance. For the first nine months of 2023, free cash flow was $5.1 million, or 1% free cash flow margin. We ended September with approximately 3,000 employees worldwide, including 1,320 in sales and marketing. Turning to our guidance. For the fourth quarter and the full year 2023, our guidance reflects our strong execution and durable demand while still balanced against the continued uncertainty in the broader environment. For the fourth quarter of 2023, we expect total revenue of $206.5 to $211.5 million, which represents 24% year-on-year growth at the midpoint. We expect the subscription mix to be about 95%, and we expect non-GAAP operating income in the range of $19 to $23 million for the fourth quarter, and we expect our non-GAAP EPS to range from 41 cents to 50 cents per diluted share. Our guidance also assumes 47.1 million weighted average diluted shares and about $11.6 million in taxes. For the full year of 2023, We are raising our guidance for total revenue to be in the range of $735 to $740 million. That's representing 25% growth year on year at the midpoint of the range and an acceleration from the 18% in 2022. We are significantly raising our profitability outlook and now expect our full year operating income to be in the range of $17.7 million to $21.7 million. We expect our EPS range to be $0.72 to $0.80 per diluted share, and we expect about 46.5 million weighted average diluted shares and about $32 million in taxes for the full year of 2023. Now that we are in the fourth quarter, we wanted to frame up the cash flow guardrails, which translate to a range of $33 million to $38 million for the full year of 2023. We are also significantly raising our guidance for the annual recurring revenue by about $15 million to now be between $758 million and $768 million at the December 31, 2023, or about 34% year-on-year growth at the midpoint of the range. Overall, we were thrilled with another quarter of strong execution and see a step up in momentum and demand for our solutions and platforms. Recurring revenue is now the lion's share of our business, and its acceleration this quarter demonstrates that demand for our platform is building. At the same time, we are driving leverage in our model, resulting in our significantly improved profitability and cash flow. Now, I want to take a moment and echo Matt's sentiment in that we are fully supporting everyone affected by the horrific attacks on Israel. We are grateful for those bravely serving Israel and our thoughts and prayers are with them. Before moving on to the QA, I also wanted to address some of the questions we have been getting about our operations in Israel and the employees who are being called to military duty. Organizationally, about 1,000 employees or 30% of our total team is based in Israel. with the biggest group being in R&D and product management, and then HR, finance, IT, and legal teams. At this time, just under 3% of our global employees have been called up into the reserves. As a global company, business continuity has always been foundational to our strategy, and we are moving the business forward even in these unprecedented times. We remain confident in our ability to hit our short and long-term goals. Our team has been incredible. and I'm proud of what they are accomplishing together as we navigate this challenging time. We all stand united in support of our Israeli employees around the world, and we will emerge stronger as an organization and a community. I will now turn the call over to the operator for Q&A. Operator?
Thank you. If you have a question, please press star 1 on your telephone keypad. If you wish to remove yourself from queue, simply press star 1 again. One moment for your first question. Your first question comes from the line of Seket Kelia of Barclays. Your line is open.
Okay, great. Hey, Matt. Hey, Josh. Thanks for taking my questions here. Great to see the momentum and also wanted to echo those thoughts there, Josh, to all your employees in Israel as well.
Thank you, Seket. Thank you.
Thank you. For sure. Matt, maybe just to start with you, a lot of great stuff to talk about, but maybe we can touch on maybe some of the recent events in the identity space broadly. Specifically, I'd love to touch on whether you think the MGM Caesars breach is driving maybe additional interest in PAM broadly, and whether you think some of the vulnerabilities for other identity players are maybe driving interest in CyberArk's broader identity platform.
Does that make sense? It does, and I think it's a key element, actually, of our continued performance and our continued results. When we think about the threat landscape today, and we'll talk generally to begin with, we said it in the prepared remarks, all roads lead towards identity. When you start to digest or dissect some of these breaches themselves, you start to see that they all start kind of with a profiling and understanding, a phishing attack that goes after, you know, weakness in an employee. Maybe it's MFA fatigue. Maybe it's tricking a help desk. And ultimately, organizations see quite quickly that MFA, multi-factor authentication, is not enough. When you track the pathways that then are occurring in these breaches, Ultimately, you see the lateral movement to a privileged account and then the privileged account being exploited, which allows the data infiltration and the ability to be able to recap it within an organization. This is actually not new news. When you track any major breach of the last decade, it comes back to the need to be able to protect every identity within an organization, human or non-human, and apply the right level of privileged controls. And organizations that just stop at basic security controls are not really secure in this day and age. And so I think when you look at our results, you see CISOs who have understood this not because of a recent breach, but understood it for years, getting more support from their C-suite, from their boards, as they understand the dire consequences of not implementing a broader identity security strategy. Now, we see it, obviously, in customer breaches. We see it in breaches that have occurred throughout the industry, the identity industry. They all actually have the similar foundation, which is we need to make sure that the privilege controls are placed against all identities. And I think our customers understand that we're the only company out there that's able to bring a security-first identity security story that they can trust and trust to be able to consolidate their offerings onto the CyberArk platform.
Got it. That makes a lot of sense. Josh, maybe if I follow up for you, it's great to see the maintenance ARR hold in with what you called out strong retention and price increases as well. The question is, how do you think about maintenance ARR going forward, just tactically, but also strategically? When do you think these customers maybe start to convert to subscription or SaaS in a bigger way?
Yeah, thanks, Saket. So, you know, when we think about Q4, I mean, we think about a decline in the maintenance ARR probably in the mid single digits going, and that would kind of give us about, you know, just over a $10 million type of a decline in the last, for the 12-month period. And, you know, I think as we see it kind of playing out into 2024, you know, I think that we'll probably see as, You know, right now we're above the, and already Q3 we're at 98%. We're looking at kind of just in the 95 plus range for the full year this year in terms of SaaS and subscription. So already next year it'll be above that. So really the perpetual business is really evaporating for next year. So we should expect to see, I would call a larger decline compared to the, you know, compared to the low double digits this year. But not a fall off, just kind of continuing to increase the number. And I think the strategy is we're really focused on doing what's right for the customer and what's best for the customer. And so clearly as customers are part of the cloud journey for moving their PAM and their identity security to the cloud, we are absolutely part of that program and And then we also are, you know, as the customer wants to upgrade or update their current, you know, hosted environment, we're there. But we're not necessarily forcing a change to move it. But we do anticipate it growing because the perpetual business is evaporating. And over time, more and more customers will be moving to the SaaS environment, and we'll be there for that.
Thank you. Your next question comes from the line of Rob Owens of Piper Sandler. Your line is open.
Thank you, guys, and we'd like to echo our thoughts relative to your employees and the people of Israel. Tough situation. Wanted to drill down, Josh, a little bit in just one question from me into the free cash flow guide. Realized that there was puts and takes with previous guide around duration of maintenance contracts, but it looks like some of that previous guidance of that net income margin spread relative to free cash flow aren't necessarily going to hold. So can you unpack that for us and help us get to an understanding of, A, free cash flow for this year and where it's coming in, and then any thoughts relative to how that might accelerate next year in terms of that spread?
Yeah, thanks, Rob. So actually, I think when we looked at the third quarter, free cash flow was in line with our expectations. And, you know, we basically, and Matt alluded to it in his prepared remarks, when we think about cash flow, it's kind of the last piece of the transition coming out of going from Perpetual Assassin subscription. We really hit first on the revenue acceleration in the transition, and then it moved, as you started to see during this year, into the operating income, and we'll see more of that expansion, you know, going into next year. And when we think about cash flow, it's the third piece of the puzzle. And it's really because when we're thinking about that transition, we're dropping down from a perpetual sell, which also comes with maintenance one or multiple year contract that's all paid up front now going to either a SAS or subscription contract which is being typically paid in a one-year contract up front so we are starting to we started to see the the beginning pieces of it this year but we see the real inflection as we go through the full renewals and and we and we are able to enjoy The SAS and subscription play, instead of without the perpetual, we'll start to see the compare really go strong in next year and 24 and 25 and confident about the numbers that we've set out in our long-term targets.
And then just to add, you know, just to emphasize, you know, I think we set out guardrails that came in and basically our guidance, which is, you know, cash flow in line with our net income margin is where we see it kind of playing out. So on the lower end of the guardrails, but within those guardrails for the rest of this year. And then I just want to reiterate what Josh said, which is we see an inflection point going into next year And we're extremely confident in the cash flow targets that we put out there for the long-range model for 2025 and 2027. Nothing's changed there.
All right. Thank you. Your next question comes from the line of Roger Boyd of UBS. Your line is open.
Great. Congrats on the quarter, and again, echo thoughts on your employees and everybody in Israel. I wonder if you could talk about new logos. I think, apologies if I missed, I don't think I heard a new logo disclosure, but I think for the past few quarters, you've talked about the fact that it's a tougher environment for that, but that the customer you are landing are landing bigger with the platform. It clearly sounded like that was the case in 3Q, but love any thoughts on how you're thinking about new logo contribution as maybe around the corner into next year.
Yeah, sure. So I think we did mention it, but I'll mention it again, which is we did about 230 new logos in the quarter. That is basically flat year over year. And as we've talked about, I think we're pretty actually excited by that number. We're continuing to be able to land new customers. Remember, we're primarily serving either the enterprise or the upper end customers. of the mid-market, and we've been able to successfully continue to land customers with PAM, increasingly with more than one product, two or more. We've landed customers this quarter with EPM and with Access. And we see that business for us as really a great feeder system for our future growth, giving our land an expand motion. I will also emphasize, and I think you hinted at it in the call, we continue to see that the deal size of our new logos is increasing dramatically. And we actually are up well above our growth rate in terms of the overall size of the contribution of those new logos from a booking perspective. So, we think this is a healthy new logo quarter in this environment. Certainly, it does have a little bit of a slower close rate because of the macros, but we're excited by the performance in the queue.
Your next question comes from the line of Hamza Fadawalla of Morgan Stanley. Your line is open.
Hey, everyone. Good morning. And I also want to extend my support to all your families, friends in Israel. Josh, I'll hope to see you there next year.
Look forward to it.
Yeah. Matt, let me have a question for you on a more high level. You know, CISOs are dealing with a lot, you know, going into next year. You've got rising threat environment. You've got these new SEC rules. Now they can be held personally liable for breaches. I'm curious, as customers think about their budgets for next year, what are you hearing for them? What is the priority level? And, you know, what are the main concerns from CISOs right now, whether it be related to identity security or just, you know, more broadly?
Yeah, Hamza, I think you capture it well. The job of a CISO is not an easy job. You know, I spend a lot of my time with them. And, you know, they're stressed, impressed, beyond belief. as they try to figure out how to counter all of the factors that you described, both from the threat environment and from the regulations. I think when we talk and we're having, you know, again, really genuine, transparent conversations, they're trying to understand, as always, what are the priorities that are going to have the most amount of impact on risk? And they could do 800 things. They could do everything that you could imagine. But they have to boil it down to the programs and projects that are going to make sure that they can answer to their board why they're more risk reduced this year than the year before and so on. And when they look at that, they really do inherently understand this concept that all roads lead to identity. And so everything they're thinking about is about locking down their overall posture around identity, identity security. Now, you can do EDR on the endpoint to make sure that you're able to detect and respond to things that are coming in from the outside, and that's still a priority for our CISOs and for our customers. But when they're thinking about what can have the biggest impact impact, what can reduce risk the most. It's really their identity projects, which is why we see ourselves be prioritized. And why, as CECLs look towards their next year's budgets, and we have those budget conversations obviously already started, they're prioritizing our spend into their overall budget plan. And we're talking with them about their roadmap, not just for the quarter we're in, but for the year or two years ahead. And it is a journey to lock down identities and cover all identities, human and non-human, to cover both on-prem and in the cloud. And so we see a roadmap that materializes over an 18-, 24-month period that allows us to continually work with these customers to help protect them and secure them. And so it is actually a great bidirectional conversation that we're having, and we feel like we're at the top of the list.
Your next question comes from the line of Itai Kidron of Oppenheimer. Your line is open.
Thanks, and I echo everyone's comments. Our thoughts are with you. Matt, Josh had a couple of questions. Matt, to you, on the go-to-market side, where is your priority right now? Expansion with existing customers, given the massive growth in the portfolio and what you have to offer? or going after new customers. Clearly, everyone would want to have another 100 salespeople running around. But given what you have, how are you reorienting your salesforce right now? What is the priority? And for you, Josh, on the financial side, I want to go back to Saket's comments. Clearly, you've done a very good job in keeping up maintenance, and the price increases are clearly helping. But we're now getting into, right, the three-year mark of the real big shift in subscription. So I'm kind of wondering if there's a cohort of large customers that were on three or perhaps even five-year contracts with you that are now coming for renewal. Is there a risk that they – not a risk, but is there a possibility that they shifted to cloud in a way that creates significant step-downs in maintenance as they – shift from one tool to another help me understand that transition why should we keep thinking that maintenance will just keep on slowly gliding down rather than have big step downs sorry for the long question no no it's good good questions and again thanks for the support on the go-to-market side i
I think the answer is both. And let me now dig into that a little bit. So we believe that the sales team is incredibly well equipped to do the upsell and cross-sell motion. We have deep relationships with our customers. We have the conversations that I was describing in the prior answer. And so our sales team is really empowered to focus most of their feet on the street motion to the cross-sell and upsell motion. At the same time, we've invested heavily in our marketing organization in both demand gen programs, the brand campaigns, the ability to be able to ramp up more SDRs as sales development reps who are doing some of the cold calling and outbound calling. All of that allows us to use the marketing engine to actually go generate the new logos and actually set up the meetings, get them qualified before we hand them over to the sales force. Then we get a sales team involved and obviously they can help participate in moving it through the pipe. So we've kind of set up this really strong engine where everybody knows their role. Marketing is primarily focused on making sure we drive new logos, building the pipeline for the future, making sure 2024 and 2025 are going to be incredibly successful. And the sales team is out there leveraging their relationships to drive upsell and cross-sell. And then there's a third dynamic here on the go-to-market perspective, which is our partner organization, which mirrors us in that respect. And so by driving up our relationships with the advisory firms, with the MSP providers, with our traditional reselling partners. They're out there in the market helping to push not only PAM, which is what we would have said two years ago, but the entire identity security story. And by that, we get exponential feet on the street who can drive our go-to-market motion. And so all of that together is really how we're focused. We continue to layer in capacity to make sure we have enough direct sales capacity. We continue to layer in investment in certification and ramping up partners. And we spend money in marketing, and together that's what's driving our go-to-market engine itself.
And, Itay, as it relates again to the maintenance, so absolutely, you know, we believe 2024 will be a larger number than what we've seen in reduction in 2023. But, you know, we think it's not going to be like a huge step down. And we're seeing that because we're You know, conversions still today are only, as we talked about earlier in the prepared remarks, are still only a single-digit percentage of our ARR growth. We also have, obviously, good view in our pipeline for where conversions are going, and certainly for the next two to three quarters. And we feel that, yes, we are going to have more conversions, and we have less perpetual, so that's why it's – it's going to increase over 2023. But the good news about CyberArk, and you've been following us for a long time, is that we actually are not a large deal dependent type company. We have a lot of large transactions, but we're very diversified across the world, across verticals, across deal sizes. And so we don't see necessarily the floor dropping off on maintenance. And by the way, to the extent that it's as a result of moving to SAS, that's actually still good for the business. So SAS dollars and SAS deployments would be excellent for the business, even as it moves more and more in that direction. So I think overall, we'll come back in February with maybe a tighter view on where we see 2024. But at this point, we're kind of seeing it along the lines of what we've seen in 2023 with a continued increase on an annual basis for 2024.
And just one add for me on top of what Josh said, which was strong and accurate, is this idea of what are we actually going to do with this base of maintenance paying customers you know and and josh mentioned it which is you know when we convert them great we get this really nice uplift you know 3x uplift and they're expanding their footprint and they're buying more stuff so i don't really want to force them through a forced migration if they're not ready because i don't want to really miss out on that uplift but a second really important point is that those customers who are still sitting on you know perpetual assets for their pam solution are buying our newer solutions in a SaaS motion. So it's not stopping those customers from expanding their footprint with CyberArk with SaaS solutions. Probably if that wasn't the case, we'd push them a little bit harder. But since the cross-sell and up-sell can still happen into that base with our greatest SaaS products, I'm happy to leave them there until they're ready to move.
Your next question comes from the line of Brian Essex of JP Morgan. Your line is open.
Hi, good morning, and thank you for taking the question, and I'd also like to echo my support for your friends and colleagues in Israel. You know, it's great to see the strong net new ARR growth as well as a large deal of momentum, but maybe to follow up on the question that was just asked, could you touch a bit on the mix of term and SAS in subscription ARR, and then strategically as we track your progress towards your calendar 27 goals, Are you seeing traction and opportunity down market as SaaS continues to gain traction on your platform? Or is SaaS going to continue to be more of a, I guess, larger enterprise opportunity with the ability to drive easier and more cost-effective adoption?
Yeah, thanks, Brian. Thanks for the support. I think when we think about the SAS term-based license or subscription mix, it continues to be about two-thirds, one-third. That's kind of held up throughout the transition. So I don't think we see a major shift in that at the moment. Obviously, as more and more of the pure new product sell, the SAS number will tick up. But it's two-thirds, one-third is good for remodeling purposes. In terms of our ability to go down market, it's very clear when we go down market that it's a SaaS sell. In fact, the SaaS mix there would be, you know, well over 80% on SaaS offering, actually probably a little higher than that when we're selling down market. So we lead with SaaS. You know, customers only want SaaS when we're going down into what we call our corporate market, which is customers that are about $500 million to $1.5 billion in annual revenue. That's our down market. And for that market, they're adopting SaaS solutions. And we love it because it's a quick adoption and then a quick ability to be able to expand them over time.
Your next question comes from the line of John DeFucci of Guggenheim. Your line is open.
I'm sorry. Thank you. This is John Tafuji for Ray McDonough. Matt and Josh, I don't normally try to repeat what everyone else is saying, but it's important to just express our thoughts and prayers with your employees and the people of Israel. Guys, you continue to put up impressive top-line momentum in an environment when, frankly, most aren't, even in the security segment. And we really appreciate the bottom-line discipline that But I have a question sort of following up Etai's question on go-to-market, and it's something you might not have much control over. Are there any general trends worth noting for the second half of this year? For instance, we're generally hearing about exhausted security budgets coming into the end of 23. Is there a good reason? Because people have spent a lot on security throughout 23. I guess, are you hearing this at all? And if so, Are you seeing any deals that might be getting pushed out into 24 at the end of the year, or is budget getting pulled into 23 from 24 to satisfy current security needs? Thanks.
Thanks. And again, thanks for the support. We really do appreciate it. So listen, I think when we look at our go-to-market environment, we continue to see actually strengthening. And we've talked about a strong environment for us to be able to execute, our ability to execute throughout the whole year. And you heard me mention that in Q3 we saw it become even better for us. I think we talk about it in two lights. One is better for us in terms of the customers are more willing to spend their budgets. And better for us in terms of the team is executing even more efficiently, more effectively with our customers. I would actually say we see a little bit of the opposite of what you're describing. We see budgets kind of firming up. We have good line of sight to those budgets, which goes into how we look at the year and, frankly, how we think about next year. We also see deal sizes increasing, not going down. We saw close rates going up, not even staying flat, but going up. So our overall productivity goes up. We saw, again, another quarter of amazing pipeline build. You know, a lot of that pipeline will come to realization in 2024, might not be in Q4 here, but so I think when we look at the environment, we talk to stressed out, see so-so stressed is the right word, but we see the fact that what we're working with them around is not a budget-optional decision. It's where you want to spend money if you have any money at all. And I think that is what's driving our success, and it drives our outlook going forward, and it drives our confidence in the overall market that we're playing in, in this identity security market itself.
Your next question comes from the line of Fatima Boulani of Citi. Your line is open.
Hey, good morning. Thank you for taking my questions and sending my well wishes to you and the entire CyberArk family. Either for Matt or Josh, feel free to jump all this one. I wanted to get a sense of sales cycle trends within the new logo and expansion activity that you're very strongly executing on. And really the spirit of the question is, you've got a much more expanded portfolio. So how are you you know, managing the extension of sales cycles that typically come with the sale of a broader portfolio.
Yeah, thank you and thanks for the support. I think we always have had enterprise-grade, is how I describe it, sales cycles. You know, we've always had to sell over multiple quarters. even when we were just selling PAM because it was a big program and it was a significant sale. And so I think we're pretty used to longer sales cycles as we've moved to a platform selling motion, broader portfolio. We haven't seen any real elongation in our overall sales cycle. On the flip side, we haven't seen it kind of really dramatically come down. in its timelines either, even though we've moved to a SaaS sale, which traditionally might bring some of those sales cycles in. So I think we're operating consistently with what we've always done, which is expansion sales cycles are shorter, New logo sales cycles take a little bit more time. In the early part of the year, especially in the Q1, as we talked about, sales cycles for new logos were a little bit longer. We've continued to see our ability to firm that up over time here. And so I think when we look at the Q3 performance as a whole, it's consistent with a firming up environment. And again, I know I say this a lot, but they're near and dear to my heart. Our go-to-market team continues to execute at just phenomenal rates to be able to make sure that they bring the deals in when they say they're going to bring the deals in.
Your next question comes from the line of Junaid Siddiqui of Truist Securities. Your line is open.
Great. Thank you for taking my question. Matt, you highlighted secure cloud access that you just launched recently. I was just curious about some of the other new products that you launched at Impact, like Secure Browser. What's been a positive surprise to you in terms of how quickly they're being adopted by customers and contributing to growth?
Sure. So on secure browser, you know, we have not released that for general availability yet. That will come out towards the end of this year here. We continue to have really, really strong conversations with customers about it, both as a more secure way of browsing and also as a front-end user interface for the identity security platform that we offer out into the market. And by the way, we see, and you see it in some of the recent breaches, that the notion of session hijacking is one of the most risky new attack methods that's accelerating in the market. And our secure browser, which allows for cookie-less browsing, really protects against session hijacking. But I would say, you know, on the browser front, way too early to comment in terms of it's not even out in the main market yet. As we talk about secure cloud access, you know, I get kind of unbridled enthusiasm here. And why is that? Because it's bringing the best of PAM, the best of the idea of privilege controls, session management, session isolation, session recording. It's bringing that to a brand new population. And what we need to understand about the cloud security market overall that everybody's talking about is most of what's being done in the cloud security market is around posture management. It's around discovery. It's around visibility. It's because over time as these developers have gotten so many extra privileges, people want to understand what's going on. It's the wild west. And that's a good first step. And there's a lot of really, really strong companies that are focusing in that area. We're unique in the cloud space in that we're not all that concerned about visibility and about discovery. Other people can do that. What we want to be able to do is lock down control in the cloud. We want to take all of these thousands of developers who have unfettered access to the AWS or Microsoft cloud services, the platform itself, And we want to make sure that those users can still innovate, they can still build, they can still troubleshoot, but they have privilege controls applied when they're doing it. And we do it uniquely with this idea of zero standing privilege so that the actual account of the developer, their account, a federated account, has no privileges, for example, in the AWS console. So when it's sitting there on the side, it's secure. When they go to log into the console, that's when the privileges are applied just in time. They're able to execute their work, and then it's removed immediately as soon as they log out, and it's controlled with workflows with time-bound access. Now, I went a little deeper there on that because I love the question, but I also went a little deeper there for people to understand the opportunity that arises for us, as everybody thinks about cloud security, for us to bring what we do best, which is privilege controls, locking down access to this entire population that needs to be secured. And so that's really an exciting motion for us. We had some great wins actually in the quarter. Still very tiny business. It's only, you know, one or two quarters in. But you can hear the optimism for me around this piece of our business as I'm describing our unique approach.
Your next question comes from the line of Adam Borg of Stifel. Your line is open.
Awesome. Thanks for taking the question. And again, I'll echo my thoughts about the entire Israeli team and the community of Israel more broadly. Real quickly on the government opportunity. So it was 8% mix of ARR in the quarter. Maybe just talk a little bit more about how federal played out in the quarter and how you think about government more broadly over the next 12 months. Thanks.
Thanks, Adam, and thanks for the support, Adam. Listen, I think when we – and we've been talking about this for a little while here, right? We're very happy with our position within federal government here in the U.S., the global government where we see a lot of momentum, even in the state and local government that falls up into our sled business. What we see across the board is, whereas in the past, a lot of the budget purchases were at the point of kind of year-end budget flush, because of the criticality of identity security, that the actual purchases are much more spread out throughout the year. And they're coming in conjunction with need and actual deployment plans to get them into place. That actually is a much more exciting place for us to be in. It allows us to be able to have a thriving and healthy global government business all year round. And it allows us to be able to invest in the ability to bring new solutions to that customer population, including our investment in getting our EPM and identity and PrivCloud into the FedRAMP process. Over time here, it's our ability to be able to actually expand beyond our strong PAM footprint in a lot of these agencies and accounts. And so, when we look at government, in fact, we highlighted a government account in the script that actually is outside of the U.S., but when we look at government, we see the threat landscape actually expanding on them exponentially, even more than some of the private sector. And their recognition of the need for proper identity security solutions continues on. So we think there's a long runway of growth within the government sector. And we're really happy with our results from that perspective.
Your next question comes from the line of Brian Colley of Stevens. Your line is open.
Hey, guys. Thanks for taking my question here. I'd certainly like to echo my support as well for the team in Israel and the people in Israel more broadly. I'm curious if you saw any divergence in demand trends this quarter between the enterprise and mid-market segments of your business. We've heard some other cybersecurity companies say they started seeing some softness in the third quarter in the mid-market. I'm wondering if that's something you saw materialize in any way.
So, we didn't see any change in that environment. I think we talked about the idea that the mid-market is more affected by macros than the enterprise space, but we haven't seen any real change or diversion, any change from that perspective. I think one of the things that we have to keep reminding everybody around, and it's different than some of our other cybersecurity peers, is that we're really not playing in the low end of the mid-market. And I know I said it a couple minutes ago, but I'll say it again. You know, our mid-market, which we call corporate, customers are $500 million to $1.5 billion. You know, CyberArk would be a quote-unquote mid-market account for CyberArk. And so, you know, I think those organizations, especially the ones on the upper end there, kind of mirror in their behaviors what we're seeing in the enterprise space. And that continues on in the third quarter.
Your next question comes from the line of Alex Henderson of Needham. Your line is open.
Great. I rarely hear somebody talk about, quote, an amazing pipeline build, and I was hoping you could talk a little bit about the composite of that. How much of that is driven off of just simply the broader adoption of the platform, existing customers and the like, and how much of that is driven off of the – the recent new product and technologies that were announced and the reaction from your trade show midsummer. And the reason I ask the question is obviously with a six-month plus sell cycle, I assume that that midsummer build might be helping visibility. Thanks.
Sure, sure. So listen, I think when we think about our pipeline, it's a little bit of check, check, check, all of the above. We see our pipeline being affected by the ability to be able to sell a much broader portfolio. And in fact, while the PAM pipeline continues to grow in a really nice way, and you saw that in our results this quarter, we see the solutions outside of PAM you know, growing at a faster rate. We see our access business continue to grow, our secrets business continue to grow. As I mentioned, you know, we see some nice pipeline build around our secure cloud access. EPM continues to be a bright spot for us. So we definitely see the kind of mix of the portfolio coming to play to help build the year-over-year growth rate in pipeline. And whenever I'm talking about pipeline, I'm always talking about year-over-year growth, not just an absolute number. Now, in addition to all of that, we also see the way the pipeline getting built to be in a much more healthy manner, meaning if you rewind a couple of years ago, all pipeline came from sales. And now we start to see actually that our routes of pipeline build, what's marketing-generated pipe, what's channel-generated pipe, we see those starting to kick into high gear, and that broadens our ability to have a better go-to-market engine. And so when you combine a broader portfolio that seems to resonate with customers with broader routes to market that actually can build pipeline, that's how you end up in the situation that we've been in for several quarters where we've talked about Our pipeline kind of building at a really strong rate. The events that we put on are wonderful. And we didn't just do, by the way, the event in last spring. We've been doing a world tour at, you know, 15, 17, whatever it is, countries around the world. I can't keep track because we've been traveling so much. And each one helps us to tell the story and help customers understand why identity security is so important and why CyberArk is who they should choose. And that all goes together to put us in a healthy position as a company where we had a really great quarter that we could talk to. We were able to guide forward with the guidance we put out there. And we look towards next year with optimism. And for sure, we look towards our 2025 and 2027 targets with a strong degree of confidence in our ability to be able to go ahead.
We've run out of time for questions, so we'll now turn the call over to CEO Matt Cohen for closing remarks.
Thanks, everybody, and thanks again for everybody's support to us personally. It means the world. I want to finish where I started by saying our number one priority is our employees, their health, their well-being. They've done such a tremendous job of working under these challenging conditions, and I'm really proud, proud to be part of this company and work with such amazing people. We continue together to make sure we focus all together on our customers and securing them against the cyber threats that are out there. Thanks and talk soon.
This concludes today's conference call. You may now disconnect.