This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
spk02: Good morning. My name is Dennis, and I will be your conference operator today. At this time, I would like to welcome everyone to the CyberArk Software fourth quarter and full year 2023 earnings conference call. All lines have been placed on mute to prevent any background noise. After the speaker's remarks, there will be a question and answer session. If you would like to ask a question during this time, simply press star, then the number one on your telephone keypad. To withdraw your question, press star one again. I would now like to turn the conference over to Erica Smith, Senior Vice President, Finance and Investor Relations. Please go ahead.
spk08: Thank you, Dennis. Good morning. Thank you for joining us today to review CyberArk Strong fourth quarter and full year 2023 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer, and Josh Spiegel, our Chief Financial Officer. After prepared remarks, we will open the call up to a question and answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements, which reflect management's best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our projected results of operations for the first quarter, for year 2024, and beyond. Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company's annual report on Form 20F filed with the U.S. Securities and Exchange Commission and those referenced in today's press release that are posted to our website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made today. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliations to the most directly comparable GAAP financial measures are also available in today's press release as well as in an updated investor presentation that outlines the financial discussion in today's call. A webcast of today's call is also available on our website in the IR section. With that, I'd like to turn the call over to our CEO, Matt Cohen. Matt?
spk11: Thanks, Erica. And thanks, everyone, for joining the call today. We had an amazing fourth quarter to round out a momentous year for CyberArk. Early in the year, We were nimble and adjusted our selling motion in light of the macroeconomic backdrop. And in the fourth quarter, it continued to pay off, resulting in another great growth quarter. We entered 2024 a fully recurring revenue company with over 95% of our bookings coming from subscription. Demand for our identity security platform accelerated in 2023, and we end the year having solidified our leadership position in the market. We delivered a record-breaking fourth quarter, beating our guidance across all metrics. Subscription ARR reached 582 million, growing 60% year over year. Total ARR reached 774 million, growing 36% year over year. We were thrilled to add record sequential net new subscription and total ARR, and we exceeded our guidance range across revenue, operating income, and EPS. Total revenue growth accelerated to 32 percent, reaching $223 million. Non-GAAP operating income came in at approximately $35 million, and we generated non-GAAP earnings per share of 81 cents. We also consistently outperformed throughout the year and delivered total revenue of $752 million with growth accelerating to 27 percent Non-GAAP operating income of approximately $33 million, or a 4% operating margin, well above the break-even we guided for at the beginning of 2023. Non-GAAP earnings per share of $1.12, and while we did not guide for cash flow, we were thrilled to generate $51 million in free cash flow, or a 7% margin for the full year 2023. Our performance speaks volumes about our execution. We fine-tuned our go-to-market motion, including platform selling, channel strategy, and customer success. We improved the alignment between sales and marketing, generating record, high-quality pipeline across all our solutions. And lastly, R&D delivered against our mission to secure all identities with the right level of privilege controls through our groundbreaking identity security platform. In addition to strong execution, we're benefiting from durable demand trends driven by the proliferation of new identities, new environments, and new attack methods. Throughout 2023, organizations were reminded yet again that there is one constant in cyber attacks. All roads lead to identity. In the context of these urgent trends, the mission-critical nature of our platform becomes apparent. CyberArk is the only vendor with a platform that can effectively and securely address the new world security requirements which center on controls. Given our groundbreaking innovation and the changes in our business over the last few years, I'm going to break from our typical quarterly call cadence to outline how our identity security solutions are helping customers solve these challenges, which also speaks to the massive growth for CyberArk. Every organization today has a spectrum of identities, from core IT to developers to machines and across the entire workforce. And the number of identities is increasing at an exponential rate. Access for each of these identities has its own unique level of risk and complexity, requiring different levels of controls. Let me take you through this spectrum of identities and what we are seeing from customers and how that has expanded our addressable market. A CyberR customer typically starts with core privilege access management, and it's focused on securing standing access for IT users who have high levels of privileges, like a database or application administrator or maybe a cloud operations team. As they deploy, they follow a roadmap that brings a growing number of users within central IT but also third-party vendors and even shadow IT organizations under PAM security controls. As a result, there's a continuous expansion of the number of users leveraging PAM. Adoption begins to accelerate when PAM is delivered as a service, giving an easier adoption path and lower cost of ownership. It accelerates even further when we help customers tackle new use cases through revolutionary new access methods like just-in-time or dynamic access. Just-in-time access cuts the adoption curve down even further by allowing federated access to databases, cloud workloads, and other modern targets, while also increasing the security controls by assigning entitlements dynamically at the time of access. The modern PAM program has evolved dramatically in the last few years and has opened up a significant expansion opportunity for CyberArk, even within the extended IT organization. You see this in our healthy PAM ARR growth rates that have continued to persist. But moving beyond IT for a second, one of the fastest growing areas for human identities is the expanding developer community. Our secure cloud access solution brings privileged controls to the cloud and has meaningfully expanded our TAM to include developers as well as engineering teams and data scientists. We provide native access for developers with a zero-standing privilege approach. This innovative solution greatly and measurably reduces risk, and organizations can quickly go from dabbling in discovery to actual control of developers as they access their cloud environments. Always-on entitlements to cloud environments are a security nightmare, yet innovation speed is the true promise of modern cloud programs. Secure cloud access, or SEA, ensures that our customers never have to choose between security and innovation speed. While SDA is one of our newest offerings, we had a strong quarter in Q4, and pipeline continues to build. This is one of the areas we are most excited about as we enter 2024. But as these developers work in the cloud, they are focused on creating or extending applications, workloads, and APIs that need access to critical data infrastructure and other cloud workloads. This results in the rise of machine identities. Machine identities represent one of the riskiest and most complex components of the modern enterprise. To protect these machines and the secrets that they use, customers turn to our secrets management solution. Our secrets management solution securely and centrally manages secrets at enterprise scale, all while avoiding vault sprawl. It satisfies the CISO's requirements while never impeding the developer's workflows. Machine identities are exploding, and our ability to bring together human and machine elevates the conversations with our customers. As we think about our fourth quarter results, Secrets Manager was included in six of our top 10 deals, and we are pleased with the early success of Conjure Cloud. We have covered IT, we've covered developers and machines, but now I want to move on to the part of the enterprise that is in need of an entirely new approach to identity security, securing workforce identities. Legacy approaches of MFA and SSO are workforce requirements, but on their own, they provide limited security. evidence time and time again in major breaches. Any identity can become privileged, causing CISOs to reconsider the way they secure the workforce. Leveraging intelligent privilege controls, CyberArk has reinvented workforce identity by building on top of traditional MFA and SSO with market leading innovations like secure web sessions, workforce password manager, and CyberArk secure browser. When combined with MFA and SSO into one unified solution, we have created a more holistic and comprehensive approach to securing the workforce, where intelligent privilege controls once again are making the enterprise more secure. This approach is paying off, and we had a record fourth quarter for our workforce solutions. It's worth pausing for a moment to discuss our CyberArk secure browser. Our secure browser is built with native integrations to all of our workforce capabilities and will help customers protect against one of the fastest rising attack methods, which is cookie harvesting and browser-based attacks. It's also built to be the gateway to all our solutions, allowing easy access to all enterprise targets and providing a seamless user experience to our entire identity security platform. Our workforce solutions, however, do not stop there. The modern workforce logs into desktops, laptops, and servers every day as part of their regular workflow. These endpoints need their own form of intelligent privilege controls. Endpoint Privilege Manager, or EPM, is seamlessly integrated with our workforce solutions and our browser as well. We are doing this to implement least privilege and secure the endpoint. Least privilege access is a foundational security control. Every endpoint needs EPM to be truly secured. Despite the great growth over the last few years, we still have a tremendous opportunity within our install base to further cross-sell EPM. And we also see EPM as a strong landing spot for new logos. As we kick off 2024, I wanted to make sure our investors understood how we are setting the pace of innovation, how our solutions work together, and how our identity security platform delivers value by dynamically adjusting the level of controls based upon complexity and risk. We are delivering a game changer in the market. We are driving operational efficiency and at the same time focusing on privileged controls that help customers to stay safe from cyber threats and move their business forward. If we move back into the fourth quarter for a second, on the new business side, we signed about 340 new logos in the fourth quarter. As customers prioritize in-depth security controls in this severe threat landscape, new logos are increasingly landed with two or more solutions. In fact, in Q4, a number of our largest new customers landed with five or more solutions. contributing to the significant increase in new business deal sizes. A few of the new logo highlights in the quarter include, as the education sector continues to be targeted by bad actors, evolving practices to align with industry-leading security controls are top of mind. This quarter, the London School of Economics, a leading business school globally, was looking to significantly and measurably improve its security posture. In this new logo win, they went broad across the platform with PAM, EPM, and Secrets Management. In an example of the power of our ecosystem, a partner introduced a Fortune 100 financial services customer to CyberArk. This all-SAS, seven-figure ACV deal was closed through the AWS marketplace. We are thrilled to see this customer applying a CyberArk Everywhere approach out of the gate. securing privileged access, secrets, endpoint, third-party vendors, and workforce identities. Our focus on moving from land into expand motion is built into our platform strategy and is contributing to our outperformance. A few examples of expansion deals from the quarter include A government agency that landed with CyberArk last quarter returned this quarter for more users and more products across our platform, buying PAM, EPM, secrets, identity flows, identity compliance, secure web sessions, and a seven-figure ACV deal. A major Fortune 100 U.S. retailer chose CyberArk as their trusted strategic advisor in 2020. Looking for defense in depth, they are consolidating spend with CyberArk and in another seven-figure ACV deal, extended their protection with more privileged users, secrets management, workforce and customer identity, remote access, and secure cloud access. To summarize, all the land and expand deals demonstrate that every vertical, every business across all sizes have identity security challenges that our platform can help address. Touching briefly on profitability, Throughout the year, we demonstrated leverage in our business with each operating expense line improving as a percent of revenue. For the year, we grew revenue over 27 percent, while our non-GAAP operating expenses grew just over 15 percent. We are striking the right balance between investing in growth and innovation and driving profitability and cash flow. With our stellar performance in 2023 and the strong guidance you will hear from Josh in just a few minutes, I remain very confident in the long-term targets we have set. As we look ahead, our top priorities for 2024 are expanding our leadership position in driving identity security growth, delivering cutting-edge innovation and strengthening our industry-leading platform, leveraging data analytics to scale our business, including the use of artificial intelligence and machine learning, and delivering outstanding customer experience and value across the customer journey. I'm also very excited to welcome Eduardo Camacho as our Chief Operating Officer. I have worked closely with her for more than 20 years and have tremendous respect for her and her ability to drive customer outcomes and to lead our go-to-market strategy and field execution. I also want to thank Chris Kelly for his contribution to CyberArk. He'll stay with CyberArk through the end of March to ensure a seamless transition, and we wish him well for the future. We are in a position of strength as the leader in identity security, and our competitive position is incredibly strong. We are addressing a critical customer need with our platform, and the threat landscape is keeping identity security a top priority at our customers. As I reflect on our accomplishments in 2023, I am even more enthusiastic about CyberArk's future coming into 2024. I did want to pause here to talk about October 7th and how we responded. I am so very proud of our global team and how they came together after the October 7th Moss attack. As families, friends, colleagues, and entire communities continue to navigate through great tragedy, loss, and increased stress, our culture and team are what drive our success. I will now turn the call over to Josh, who will discuss our record financial results and provide you with our outlook for 2024 in more detail.
spk06: Thanks, Matt. We posted outstanding results in the fourth quarter and beat our guidance across all metrics. Total revenue growth accelerated again this quarter to 32 percent, coming in at a record $223.1 million and significantly exceeding our guidance. Our identity security platform continues to drive momentum of upsell, cross-sell, and new logos. This allowed us to meet the strategic financial objectives we set for ourselves at the beginning of the year, durable top line growth, improved operating leverage, and strong free cash flow generation. Demonstrating the continued momentum in our business, ARR reached $774 million at year end, growing 36% year on year and coming in above the high end of our guidance range. The subscription portion increased 60% and reached $582 million and is now 75% of total ARR. We added a record $78 million in net new subscription ARR as customers are consolidating on CyberArk and continue to land and expand with more of our platform. In addition, we had a record quarter for SaaS bookings, both in absolute dollars and mix of our bookings. Compared to year end 2022, we added an impressive $218 million of net new subscription ARR, also a record. The maintenance portion of annual recurring revenue declined slightly to $192 million at December 31, which was in line with our expectations. we continue to see strong renewal rates and like-for-like conversion activities still only represents a single digit percent of our year-on-year ARR growth. Our strong execution is also demonstrated by the 30% increase in customers with more than $100,000 in annual recurring revenue to over $1,700 at the end of the fourth quarter. The cohort of customers with more than $500,000 in ARR also grew over 45% to now being nearly 300 customers. The biggest driver of this cohort is the upsell of additional users and cross-sell of new solutions across the platform. Matt touched upon our strong execution, and I wanted to briefly touch on the macro. Our solutions continue to be prioritized and budgets allocated, close rates remain strong, productivity improved, and deals progressed nicely as we converted our pipeline, including several seven-figure ACV deals. We continued as well to build a strong new pipeline to support our future growth. Moving into the details of the revenue lines for the fourth quarter, recurring revenue reached $201.5 million, again, making up 90% of total revenue. That's compared to 84% in the fourth quarter last year. Recurring revenue growth accelerated to 41% year on year, showing the momentum in our SaaS portfolio continues to gain steam. With total subscription bookings mix of 95% per year and our recurring revenue reaching 90% of the total in each of the quarters of 2023, it is safe to say we are now a fully recurring revenue company. Digging into the specifics, our subscription revenue line reached $150.3 million with growth accelerating to 70% year-on-year and representing 67% of total revenue in the fourth quarter. Our maintenance and professional services revenue was $64.8 million. Of that, $51.2 million coming from recurring maintenance and with professional services revenue at $13.6 million for the quarter. Geographically, each of our major territories grew revenue faster than 30% in the fourth quarter. The Americas revenue was $130.3 million. That's growing 31% year-on-year, and the Americas had a record with SAS reaching over 70% of bookings in the quarter. EMEA grew by 33% year-on-year to $68.7 million in revenue, and APJ grew by 35% to $24.1 million in revenue. Diversification has always been a foundation of our strategy, and it is great to see the strength across all of our geographies in the fourth quarter. We also see that universal strength reflected in the full year, with the Americas, EMEA, and APJ each growing 27% year on year. All line items of the P&L now will be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release. Our fourth quarter gross profit was $189.7 million. That's an 85% gross margin compared to the 83% in the fourth quarter last year. The expansion of our gross margin is due to revenue outperformance and tight management of our cloud costs. Our operating income of $34.7 million significantly exceeded the top end of our guidance. Our operating leverage was driven by disciplined investments and our revenue outperformance. Net income came in at $38.1 million. That's 81 cents per diluted share, also significantly outperforming our guidance. Moving on to review the full year 2023. We began the year expecting 29% growth in ARR, 23% revenue growth, and hitting break-even operating margins. We finished a great year. ARR grew 36%. Revenue came in at $752 million, with growth accelerating now to 27%. And we returned to meaningful profitability, delivering non-GAAP operating income of $33.5 million, or about 4% operating margin for the full year. And we continue to march towards Rule of 40. Our EPS came in at $1.12 per diluted share. We ended December with approximately 3,000 employees worldwide, including over 1,320 in sales and marketing. For the full year of 2023, free cash flow was $51.3 million, or 7% free cash flow margin, As a reminder, we still consider free cash flow to be the last piece of our model to inflect after the subscription transition, and we are confident that we are just at the beginning of this expansion with our 2023 results. Turning to our guidance, for the first quarter and the full year of 2024, our guidance reflects the momentum we're seeing in the business combined with our confidence to meet the 2024 priorities that Matt outlined earlier. For the first quarter of 2024, we expect total revenue of $209 to $215 million, which represents 31% year-on-year growth at the midpoint, and we expect non-GAAP operating income in the range of $7.5 to $12.5 million for the first quarter. We expect our non-GAAP EPS to range from $0.21 to $0.31 per diluted share. Our guidance assumes 47.8 million weighted average diluted shares and about $10.5 million in taxes. For the full year 2024, we expect total revenue in a range of $920 to $930 million, representing 23 percent growth year-on-year at the midpoint of the range. Reflecting our continued commitment to operating leverage, we expect our full-year operating income now to be in the range of $75.5 million to $84.5 million. We expect our EPS to be between $1.63 to $1.81 per diluted share. We expect about 48 million weighted average diluted shares and about $46.5 million in taxes for the full year 2024. We expect annual recurring revenue to be between $968 million and $983 million at December 31, 2024, or about 26% year-on-year growth at the midpoint. We are also issuing guidance for free cash flow for the first time and expect free cash flow to be in the range of $85 to $95 million for the full year of 2024, and we remain confident about the long-term target that we outlined at Investor Day. I also want to provide a few pointers to help model our expenses for the year. While we expect to continue to invest in our innovation engine and in sales and marketing in absolute dollars, We do expect to see an improvement in both line items as a percentage of revenue. We will once again hold our impact customer event and our impact world tour in the second quarter in 2024, begin our impact world tour in the second quarter of 2024, increasing our marketing expenses for that quarter. Our CapEx is expected to be 1.5% of total revenue. So to sum up, We are thrilled to deliver another stellar quarter and amazing full-year results showing continued demand for our platform, the execution of our land and expand motion, and durable tailwinds that have made identity security a must-have. As a recurring revenue company and a leader in identity security, CyberArk is well-positioned to drive leverage in our model across all areas and deliver the expanded profitability and cash flow levels in 2024, I just discussed. I will now turn the call over to the operator for Q&A. Operator?
spk02: At this time, I would like to remind everyone, in order to ask a question, simply press star, then the number 1 on your telephone keypad. Your first question is from the line of Saqib Khalia with Barclays. Please go ahead.
spk05: Okay, great. Hey, guys. Thanks for taking my questions here, and nicely done.
spk11: Thanks, Saqib. Great to hear from you.
spk05: Same here. Matt, maybe to start with you, I'd love to dig into your prepared remarks on the workforce or single sign-on market. Very helpful, by the way, prepared remarks. The question is, given some of the noise in that market competitively, how do you think CyberArk is positioned, and what are you seeing in the pipeline there for just the broader identity platform?
spk11: Does that make sense? It does, and it's a great question. And I think the first thing I would say is independent of the competitive environment and some of the things that are happening there, we feel really strongly, as I kind of outlined, that our approach to workforce security is differentiated. that is actually unique in the market. And that while MFA and SSO, as I said in the prepared remarks, are important, you must have them, they're no longer sufficient for how you actually cover the workforce from an identity security perspective. And so our notion of a holistic or a unified solution that brings together MFA SSO, but also brings in our workforce password management, our layers of security that sit within secure web sessions, and the browser as the access point actually for us kind of reinvents that space and puts us in a place where we can take some of the what we would consider kind of legacy approaches that are out there in the market and put them on their heels in terms of our ability to have a conversation there. Then when you connect that back to the identity security platform and the idea that you can actually manage those users in the same way or at the same time as you do your highly privileged users, it takes the differentiation even further. So we feel like we're in and kind of entering a sweet spot in terms of our ability to compete in that market. We see it building in our pipeline. And certainly, you know, the competitive atmosphere out there for us has hasn't really ever been better than we're seeing right now as we go into 2024.
spk05: Got it. Got it. Very clear. Josh, maybe for my follow up for you. Great to see the free cash flow inflect this year and appreciate the guide. And I know it's early to talk about that metric beyond 2024, but maybe anecdotally, what are some of the puts and takes for free cash flow beyond 2024 structurally that you want us to think about with that metric?
spk06: Yeah, thanks, Zach. You know, I think it's mostly around puts as we think about the next couple of years. And it's really the expanding leverage that we're getting in the operating income that, you know, we're seeing each of the years on our on our road to Rule 40. And then, of course, it's the flywheel effect that we are going to increasingly get this year and then again in 2025, which is, you know, really reflecting the renewals, the full-blown renewals of having already gone through round-tripping the SAS and subscription bookings that we, you know, built up in the last couple of years. And so that's, you know, gives us the strong confidence that we're on track to hitting our medium goals there.
spk02: Your next question is from the line of Shaul Yal with TD Cowan. Please go ahead.
spk00: Thank you. Good morning. Good afternoon. Congrats on the results and guidance. Matt, let me also echo my congrats on those kind of well-prepared remarks, taking us through a customer journey as it pertains to CyberArk's expanding platform. Maybe building on that journey, you just put out a press release on Indiana University Hospital, expanding relations with CyberArk. Maybe a good opportunity here to share with us what is it that they're doing with CyberRock on top of their core PAM deployment, and where else can they expand with you guys in the coming years? And I have a follow-up.
spk11: Thanks, Joel, and thanks for the comments on the remarks. And, you know, what I really do want to do is help everybody understand the full market opportunity that's before us. As we go after these spectrum of identities and we kind of move beyond where people have traditionally thought of us, which is in IT, it just opens up such a remarkable opportunity for us to expand as we cover the overall enterprise. When we think about that particular customer example, it's a good indicator of what we see across the board when a customer starts to partake of our SaaS platform. It kind of fits the bill, if you will, of the descriptions that I was walking everybody through. And the idea here is, The more solutions people get started on, the more identities they can start to bring into the platform. But even when customers like that get started with multiple solutions, there's such an expansion opportunity as we build out the longer-term roadmap for them as they bring on more identities. I think a good way to think about the market for us is, Every proliferation of identity, whether it be human or non-human or machine, equals another point for us here at CyberArk, another area that we can secure. And so if you take a customer like that that's also sitting in healthcare that's definitely under attack day in and day out by ransomware and other really kind of terrible threats, they can expand for years to come as we start to help them bring all aspects of their enterprise, all their identities into the platform. So it's a great example, actually, for us. And healthcare certainly is a vertical that we see exploding for us in the coming years.
spk00: Got it. Got it. Thank you for that. And, you know, for my next question, either you or Josh, a macro-driven one, I haven't heard you Mentioning the term elongated sales cycle, I think maybe you're amongst a handful of companies implying a stabilizing or a better than feared stabilizing macro environment rather than alluding to elongated sales cycle. Why is that? I think actually becoming better and you guys, unlike other companies, are not covering your behinds and adding those elongated sales cycle commentary.
spk11: Yeah, I'll take that one. And it is something that we're particularly both proud of and excited about. And throughout the whole year, you've heard us kind of talk about that, which is, listen, it is a tough macro. There is no question about it. When I talk with my colleagues and talk to the C-suite at our customers, they're living through tough budget cycles. That being said, everybody has money to spend on what's most important. And generally speaking, cyber is more important than the rest of the kind of tech stack. But within cyber, there are areas that actually are prioritized. And we've been lucky to be one of those areas throughout the year where when customers are putting together their budgets, they don't have the luxury of really avoiding spending on identity security. And when they're going to spend, they're going to spend with us. And so that opens the door, if you will, for a much more fertile ground for us to go harvest in within our customer base and even out into the broader market. Now, what we also are, as I said, proud about is that we actually adjusted our execution arm to make sure that we were checking the extra boxes. You know, we trained the team early on to bring the CFO into the discussion to make sure the Joshes of the world were We're actually part of the discussion early. Don't avoid them. Bring them in so they understand the value statement. We help them understand how to structure deals more appropriately for these macros. And so between the mission-critical nature of our solutions and the phenomenal execution of our teams, we've been able to navigate a tough macros throughout the year but do it much more effectively. Now, I would say we start to see, you know, some shoring up of those macros as we get towards the back half of the year here as we look forward. So, you know, that's encouraging for us as we look out. But generally speaking, I think it is a testament to the role of identity security in the security stack today.
spk02: Your next question is from the line of Fatima Boulani with Citigroup. Please go ahead.
spk09: Thank you for taking my questions. Matt, just to start with you, talked a lot about the momentum you're seeing with new customers coming into the CyberArk install-based family and landing with multiple solutions. But what I wanted to pick your brain on is we're now essentially going to anniversary the two-year mark of when you did the massive SaaS transition. I'd love any high level commentary from you on what this potential wave or renewal cycle tsunami could look like in terms of buying behavior and patterns. And then I have a quick follow up for Josh, please.
spk11: Yeah, so great question. I think what we see, first of all, is that as we go out and we are landing these logos, that the time to next purchase continues to compress. So we can land somebody in a Q1 and we can get a follow on deal in a Q3 or Q4. And so even before we get to the first anniversary of a renewal date, we're able to drive the land and expand motion. And to be honest, that's one of the things that gets us most excited because the flywheel of the sales process continues to accelerate. Now, that being said, as you mentioned, all of these contracts, as they start to come up for renewal, also creates a compelling event for an expansion play. And we think of that as, you know, a prime opportunity to not only upsell on the existing suite they have, but to introduce the new solutions and to cross-sell into the base. And we see that kind of sales momentum methodology change kind of kick in more and more over the last couple quarters where we're actually enabling our sales team and the conversation of, you know, it's a different conversation at the point of renewal of just understanding what have they consumed, read the telemetry, get the upsell in there because that's a basic motion you should be able to do always. And then understand through adoption curves and roadmaps that we've seen with other customers, what's the next best solution to introduce and make sure it's part of the renewal cycle when the wallet's already open. And, again, that's something that the sales team has really improved at and will continue to improve at as they become even more proficient in this SaaS selling motion.
spk09: I appreciate that. Josh, on a related matter, as we work through the maturation, if you will, of the base as it relates to converting some of your customers on the predecessor, perpetual form factors and any prior customers sitting on perpetual maintenance, I'm curious if you can help characterize what proportion of ARR growth is going to be coming from simply converting prior perpetual maintenance customers and any impact that had in this quarter to growth. Thank you.
spk06: Yeah, thanks Fatima. I think as we look at conversions and we go back already a whole bunch of quarters into 23 and even into 22, we're still seeing it really reflecting single digits. mid-single digits of our ARR growth coming from conversions. I think as we look into 2024, we're not really changing that view. We think it should behave similarly to what we saw in 23 and already at the end of 22.
spk11: And I'll just add on top of that just one element from a strategy perspective, if you will, which is when you analyze this base of customers and you try to understand, okay, what's their buying patterns, the first thing you're looking at is while they're still on maintenance, are they buying other solutions? Is there any last expansion that we're seeing in that base versus the rest of the base? And if the answer was yes, then you're really wanting to push them as hard and fast as possible to get them to move because otherwise you're gated yourself on your expansion in those accounts. When we actually analyze the maintenance paying base, their expansion sales, the rate at which they're buying the new solutions is not that much different than people who are sitting in a subscription model or on the SaaS platform. And so that gives us a little bit more leeway to be flexible with that customer base to keep them happy on that self-hosted or perpetual product and move when they're ready. And in fact, move them to SaaS when they're ready, not move them over to an on-prem subscription because when we move them to SaaS, the upsell is significantly higher. So strategically, as Josh said, I don't think you're going to see us be that aggressive in 2025. I think you'll see customers start to migrate because their own plans call for SaaS, but we're really excited by our ability to be able to drive NRR out of any base that we have.
spk02: Your next question comes from the line of Rob Owens with Piper Sandler. Please go ahead.
spk01: Yeah, thanks for taking my question. Matt, when you speak to the full identity market opportunity, What are your thoughts around IGA? Is it an IGA light approach or is it something that you're going to look to dive into more fully?
spk11: Rob, great question. And I think we still see fundamentally that the siloed nature of PAM access and IGA is at the detriment of customers and their security posture. And that organizations that implement kind of in that silo are not taking the most robust security posture that they can. So we increasingly focusing in on adding to our identity management stack and being able to manage the modern IGA workflows that sit out there, you know, in combination with our SEA solution, even in combination with our PAM customer base. And so I think you'll see us continue to invest in that. Now, again, if somebody needs to go and do a large scale IGA deployment across all legacy assets that sit in the data center, we have a great partnership with SailPoint and we're fine with SailPoint taking that bigger business. But as you move these workloads to the cloud, as you move into a modern real estate, We increasingly believe that in order to win, we need a hybrid approach. And every solution that we bring to market from this point forward, and the team knows, they hear it from me all the time, has to have components of governance, components of access, and components of privilege controls. That is what makes us unique. That's what makes our platform unique. And I think you'll hear us talking more about that in the days to come.
spk02: Your next question is from the line of Jonathan Ho with William Blair.
spk03: Please go ahead. Hi, good morning and congratulations on the strong results and guidance. I just wanted to understand a little bit more about your secure cloud access product and whether you can give us some additional detail on how big of an opportunity you think this could become. Thank you.
spk11: Thanks, Jonathan, and thanks for asking about my little favorite area here. So you gave me a chance to pontificate a little bit about it. But listen, we believe fundamentally that the idea here in the cloud that customers have moved fast and for good reason into their cloud real estate. And as they moved, they granted unfettered access. to all of these users out there in the developer community in order to facilitate speed. And that leads to a world of over entitlement and frankly, lack of control. Now, we have a lot of vendors out there that really look at discovery and trying to understand what that cloud real estate looks like, even presenting ways of managing posture and managing the overall cloud environments. And we think that's important, by the way, and we partner with some of them to make sure that we can tap into the great data that they're able to harvest. But ultimately, like the on-prem world, security comes back to control. And so our SCA solution is built on the idea that you need to have the same levels, the same concepts of control in your cloud estate as you did on-prem. You need to make sure that you're actually isolating sessions. You need to make sure that you understand and controlling entitlements. You need to actually make sure that there is the ability to be able to record, especially in audited industries. And so our SCA solution takes all the principles of PAM But then what it does, it says, actually, in that environment, you don't need standing access. You can actually have entitlements or privileges assigned at the point of access. So a cloud user or a developer can use their federated access, their personal accounts. They can log into the cloud console. They can start to work in the cloud services. And we can apply the right level of entitlements and privileges right at that time for a period of time. And the minute they log out, we can remove those entitlements so that when that account is sitting inactive, it is actually a zero privilege account, and we can drive a least privilege approach. We believe fundamentally, and as you can hear, I get excited when I talk about it, that moving into this control area of the cloud is an underrepresented piece of the market. It's not actually represented in the TAMs of all these other cloud security vendors that are out there and that we're uniquely positioned to actually capitalize on that. So while it's early days and while we're a couple quarters into the market, I would tell you that at our enterprise accounts, the numbers of conversations that are actually leading with How do we secure our cloud is remarkable to me. And that then sets up a long-term TAM for us in this area that I believe can be a meaningful, significantly meaningful contribution to our ARR growth.
spk02: Your next question is from the line of Tal Liani with Bank of America. Please go ahead.
spk07: Hi. A few questions. The first one is... Can you take us through a journey of a client? You spoke a lot about it. The journey of a client from a point of view of synergy with existing customers. I'm assuming that customers first land with a PAM. What happens when they want to go to different products? Where is the synergy? Is there any synergy in terms of products or sales motion or or management, et cetera, what's the incentive for them to continue with you with your other products? Sure. You know, let's take it one by one.
spk11: Sure. So I think when we think about that synergy or we think about that expand motion, if you will, it really depends on the priorities of the organization. And I'll give you like two different examples. You know, you might be sitting in an organization where they have invested heavily in their non-human identities, in their machines, in their ability to build out a modern application environment. And in that case, you know, if that's the priority of the organization, it's the most likely next step from someone who secures IT and their PAM users to actually move over and secure the non-human identities. And, you know, the synergy is, hey, we can take a least privilege approach. We can help them understand how to create these controls that I'm talking about, but we can do it in a developer friendly or a native way, especially with our Secrets Hub product and our easy to deploy Conjure Cloud product. And so you see some customers where that might be the first path they go towards expansion. An alternative is you might be sitting in an area of high attacks around ransomware. And it might be healthcare, it might be financial services. And in those areas, okay, they've locked down their core controls in IT. Now they need to secure their endpoints. They need to secure their servers. And the natural extension is to move into EPM. And in that case, that's the next expand motion for that customer. And then there's a third type of customer, to be honest, that actually buys a little bit of everything. And they start to deploy in pockets in different work groups, in different areas of the enterprise. And then they look to upsell or expand over time within a broader set of three, four, or five solutions. So, the other way to answer the question is there is no one typical pattern. The underlying element, though, that drives the success is a unified platform with single shared services, a unified audit, an ability to be able to run identity across all of that, the ability to run threat analytics across all of that. And so the idea being these customers, although they're not fully consolidating day one out across the platform, they're future-proofed in terms of the consolidation aims they have for the longer term. I think there was another question.
spk07: And in these cases, Do you replace an existing vendor or is it kind of a greenfield where you bring new features to areas where there's no such features? Do you have to compete with a legacy vendor or an existing vendor that is already there?
spk11: Michael Nutterman- Yeah, I think, again, it depends. You know, when you move into access in general, we're competing with something that's there. In a lot of cases, it's legacy, and it's things that are outdated and not ready for the modern stack. When you move into EPM, sometimes it's greenfield. Actually, the concept of least privilege on the endpoint is a new concept for them, and they're sitting with their endpoints unprotected, maybe just having invested in EDR or XDR, but not understanding yet the power of the EPM agent. When you move into the secret space, generally speaking, they're working at the workgroup level. Maybe they're using some open source tools at the workgroup level, but now they're trying to make an enterprise buy. So you're replacing or you're sitting on top of that open source. Or, for example, you're sitting on top of the cloud services providers and the native secret stores. In the cloud space, for sure, you're going in Greenfield. You know, this idea of control and the developer themselves, that's something that's new. So I took you around really quickly there, the real estate, but I think that represents the kind of things that we see out there in the market.
spk02: Your next question is from the line of Joshua Tilton with Wolf Research. Please go ahead.
spk04: Hey guys, thanks for taking my question. Matt, I thought it was very interesting. You talked a lot about new identities in your prepared remarks. How do you see the potential for co-pilot accounts to maybe act as a tailwind to either PAM or just the broader identity market as organizations try to secure what feels like a pretty big wave of incremental credentials that's about to hit the market?
spk11: Yeah, Josh, it's a really good question and it speaks to the larger point, which is any identity, need the level of identity security, right? And we believe that we can bring all of them into our platform. So if we take the co-pilot example, it's almost like a hybrid of a human identity and a machine identity all in one, with generally speaking, granted large swaths of privilege that mirror the human and machine that it's meant to augment or in some cases replace. And so, you know, as AI technology kind of takes off, It creates a lot of vectors for growth. It creates vectors as we kind of compete or combat against the attack vectors fueled by AI. It allows us to be able to build AI into our products to make them more effective, to make them better able to secure environments. And then it also is the tools themselves that need to be secured. And Copilot is a great example of that, where we're going to end up with multiple new identities. And, you know, we're going to need to secure it just as if it was a new developer coming on or if it's a new member of the workforce coming on. And I think that speaks to the market we're in where if you're in the identity security market, the number of identities is your market. And any increase is a good thing.
spk13: Your next question is from the line of Hamza Farawala with Morgan Stanley. Please go ahead. Tom, your line is open.
spk10: Sorry about that. Good morning, good afternoon. Thank you for taking my question. I had one question around distribution for Matt. It seems like you're going after a really broad opportunity, and the prepared remarks were really helpful. I'm curious how you plan to continue to improve on the sales velocity to go from 9, 10, 20,000 customers over time, or do you feel like there's more opportunity still within the installed base, and that's going to be driving the majority of growth going forward. Thank you.
spk11: Yeah, Hamza, thanks for the question. And, you know, I wanted to highlight the opportunity within the base because I think it's important that everybody understands how the expansion happens, but you can get me equally excited about our ability to be able to go and grab new logos. And if you were talking with our wonderful CMO, he walks around with a new logo T-shirt on every day because that's what he's going off and trying to drive for us and build up that channel. Now, as you said, it's not just about what we do direct. It's about our channel partners in that space. we have the best channel partners in the world, whether it's the SIs. You heard an example of where one of them was able to bring us into a Fortune 100 account this quarter, whether it's the reselling partners that are out there that are increasingly turning their attention to driving new logos, or if it's an area which I'm even more excited about, which is the MSP programs. And, you know, as you start to embed your entire platform into the MSPs, and you start to be able to have them represent you within their vast customer base, even in the enterprise and down market, that becomes a flywheel of its own in terms of the ability to be able to go after new logos and to be able to go after new logos with all of the product set. So I do think you're hitting on a key point here, which is the channel and the force multiplying effect of our channel is a critical ingredient of driving the productivity growth that we want to see, and we continue to want to see more productivity, and then also our ability to be able to get outside of our base and really capture this opportunity in the broader market.
spk02: Your next question is from the line of Ray McDonough with Guggenheim Securities. Please go ahead.
spk12: Great, thanks for taking the questions. Maybe one for Matt, and if I could, a follow-up for Josh after. But Matt, I wanted to follow up on your answer to Hamza's question around the MSST opportunity. What specifically are you doing to enable the channel from a product perspective to help them help you attack that market? And then how much of the demand and the need for cyber insurance plays into the role down market and what those MSSTs can help you achieve in terms of penetration?
spk11: Yeah, great, great, great follow-up, by the way. And I think there is investments in the product to make it serve the MSP market better. We've got a whole wing of product management that's actually just thinking about the MSP market and what needs to happen. And, you know, some of that we've built and some of it's still being built. You know, the idea of easier reporting, the ability of easier way to manage tenancy within the platform. The idea of even on the finance side, which isn't in the product but in the organization, to be able to bill more effectively and more flexibly. All these things are part of our MSP program holistically. We think of it as a market for us, and we run it like that, where we're tracking, you know, the contribution and what do we need to do throughout the entire parts of cyber, our concluding product, to serve that market. And so, you know, I think that's one of the big shifts we've made in the last 18 months is to think of it that way. It's not just a little bit of an offshoot of the channel partner program. It's its own thing. I think to your point, there is intersections all the time between the growth drivers of our business. On one end, you've got cyber insurance with absolutely in the lower end of the enterprise and in the mid-market is a driver of people towards PAM, towards identity security. It's a factor in whether somebody can get cyber insurance. And by the way, it's a factor in what their premium would look like. Then those companies are looking for an easy way to procure it. They might be procuring it, by the way, not even only through MSPs. They might be procuring it through their AWS marketplace and leveraging some of those lubricated routes to market. But in addition then, MSPs can manage the whole system for them, obscuring them from any of the complexity, and make sure that they're able to stand it up quickly and meet the cyber insurance requirements. We could take any one of the tailwinds that we talk about and routes to market that we talk about, and there's always that juxtaposition, and the one you're picking on is a particularly nice one for us as we move forward.
spk02: This concludes the Q&A session. I will now turn the call back to the CEO, Matt Kilwin, for any closing remarks.
spk11: So thank you to everybody. I want to finish up here by thanking our employees for their hard work and dedication. It's only because of them that we're able to talk about the success we had in 2023 and our optimism for the future. I want to thank our customers and partners for their support and partnership. And personally, I also want to thank Udi for his mentorship and support over the last year You know, I look forward to continuing to partner with him on the long-term strategy and in his role as executive chair. But personally, I have a big thank you to him to add into the talk track here. With that being said, we look forward to seeing you all and talking to you all real soon. Take care.
spk02: This concludes the CyberArk Software fourth quarter and full year 2023 earnings conference call. Thank you for joining. You may now disconnect.
Disclaimer