This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
CyberArk Software Ltd.
11/13/2024
Thank you for standing by. My name is Jael and I will be your conference operator today. At this time, I would like to welcome everyone to the third quarter 2024 CyberArk Software Limited earnings conference call. All lines have been placed on mute to prevent any background noise. After the speaker's remarks, there will be a question and answer session. If you would like to ask a question during this time, simply press star followed by the number one on your telephone keypad. If you would like to withdraw your question, simply press star one again. I would now like to turn the conference over to Sri Anantha Vice President, Investor Relations. You may begin.
Thank you, operator. Good morning. Thank you for joining us today to review CyberArk's strong third quarter 2024 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer, Josh Siegel, our Chief Financial Officer, and Erica Smith, our Deputy CFO. After prepared remarks, we will open up the call to a question and answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements which reflect management's best judgment based on currently available information. I refer specifically to the discussion of your expectations and beliefs regarding our projected results of operations for the fourth quarter, full year 2024 and beyond. I also refer to our expectations and beliefs regarding the integration of Vanify into our operations. Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company's annual report on Form 20-F, filed with the U.S. Securities and Exchange Commission, and those referenced in today's press release that are posted to CyberArk's website. expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. As a reminder, we closed the acquisition of Vanify on October 1st, so the results we discussed today are CyberArk on a standalone basis. We do not have any financial contribution from Vanify in the third quarter. Our guidance for the fourth quarter does include contributions from Vanify. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliations to the most directly comparable GAAP financial measures are also available in today's press release, as well as in an updated investor presentation that outlines the financial discussion in today's call. A webcast of today's call is also available on our website in the IR section. With that, I would like to turn the call over to our CEO, Matt Cohen.
Thanks Sri, and thanks everyone for joining the call today. We are very pleased to post strong third quarter results, outperforming our guidance across all metrics. Our results continue to demonstrate that our ability to secure every identity, human and machine, with the right level of privilege controls is resonating with customers. This is a key motivator for customers to consolidate spend across the full breadth of our identity security platform. and create even more strategic relationships with CyberArk, which in turn is driving our ARR growth. A few financial highlights from the quarter. Subscription ARR was $735 million, growing 46% year over year. Net new subscription ARR was $59 million. That's a record outside of our seasonally strong fourth quarter. Total ARR was $926 million, growing 31% year over year. and we outperformed our guidance metrics across every variable. We delivered a record total revenue of $240.1 million, growing 26% year-over-year. Non-GAAP operating income came in at $35.4 million, or 15% margin. That's up from a 9% margin in the year-ago period, highlighting the operating leverage in our business model as we come out of the subscription transition. and we are pleased to report 51.6 million in free cash flow, or a 21 percent free cash flow margin for the quarter. Our results are driven by three main factors. First, the mission-critical nature of our solutions. In a world where more than 90 percent of organizations are victims of an identity-related cyberattack, customers recognize that merely managing identities is not enough. Identities, both human and machines, are the predominant threat factors in today's attacks. And the traditional way of securing identities in siloed, often commoditized point solutions is no longer sufficient. Second, the power of our platform. We offer the only integrated platform that can help enterprises discover with context, secure with intelligent privilege controls, and automate the lifecycle across all identities. from workforce to IT to developers and machines. We further strengthened our ability to deliver on this vision with the closing of the acquisition of Ventify on October 1st. And third, the strength of our execution. To us, execution means working hand in hand with our customers to ensure their businesses can move forward and take full advantage of a digital world without fear by delivering measurable risk reduction in every program. Our relentless focus on ensuring customers realize transformative value from our solutions and platform is the foundation of our excellence in execution. We are benefiting from the market shift to consolidation of trust. As you can see in the success we are having selling our platform. In the third quarter, we continue to see momentum build in full platform deals. In one example, a leading healthcare company was driven by a desire to consolidate human and machine identities with one vendor. They replaced the competing secrets vendor and landed with CyberArk everywhere across four of our solutions. This customer will leverage CyberArk's capabilities across SSO, MFA, PAM, endpoint privilege, and secrets management by protecting IT users, workforce endpoints, and machine identities from the get-go. Independently, This customer also closed a deal with Venify at the end of Q3. While the Venify team closed with them on their own, we are confident this deal is a strong indication of the top-line synergies we can achieve as a combined company. As customers look to modernize their approach to securing IT, they are expanding their PAM programs with our enterprise IT solution. This solution provides a unique way to protect a broad set of users, including IT administrators, shadow IT, database and cloud administrators. While the need for traditional PAM use cases of vaulting shared accounts, password rotation, and session management as foundational layers of security remains, today's PAM programs are so much more. Enterprises are looking for a quicker adoption and faster time to value. They need secure access to modern databases, workloads, and cloud services. This needs to be done with a just-in-time and zero standing privilege approach without inhibiting the user's workflow, combining for a healthy marriage of security and productivity. What makes CyberArk truly powerful? We deliver all of these comprehensive capabilities from one single seat, integrated into our platform and fully enabled with built-in core AI and threat detection and response. The modern PAM program powered by CyberArk delivered through our IT solution is setting the new standard in the industry. This is helping to win new logos, and we added nearly 230 in the third quarter. In addition, it's driving our expansion with existing customers as they protect more users across more use cases. Our innovation and leadership position was once again recognized by industry analysts in the quarter. We were pleased to be named a leader in the 2024 Gartner Magic Quadrant for Privileged Access Management, positioned as the leader for the sixth consecutive time and furthest in completeness of vision. We were also recognized as an overall leader in the 2024 Leadership Compass on Privileged Access Management by Kuppinger-Cole, scoring highest in all three categories of product, innovation, and market leadership. Modern PAM, though, goes beyond just securing IT users. The concept of zero standing privilege to access modern cloud infrastructure and cloud environments is the key to securing the most privileged human identity group in the enterprise, the developer. Often left unattended with always-on access, developer identities dramatically increase risk and expand the attack surface. By offering zero standing privilege, CyberArk secure cloud access is a game changer for securing this high-risk population. With native workflows and access and automated life cycles and controls, Our solution for securing developers offers the best of PAM without needing a behavior change. More importantly, with our solution, security is not an impediment to innovation. It is an enabler of the innovation machine within organizations. In the third quarter, a leading European bank who is a longtime CyberArk customer and has worked with us closely to protect privilege access for the IT and extended IT teams over many years now decided to tackle the high-risk developer population. We were excited to see the customer expand into this new identity group, buying our enterprise solution in a seven-figure ACV deal. In the untamed world of cloud security and developer access, where developers often have always-on and overprivileged entitlements, it is critical we approach security as a team sport. We were thrilled to announce our strategic partnership with Wiz, unifying the capabilities of our identity security platform with Wiz's cloud security platform to help enhance customers as they tackle their multi-cloud security posture. Wiz's best-in-class visibility over risky and misconfigured cloud access and CyberArk's control over privilege with zero standing privilege approach can measurably reduce the risk of unauthorized access. All without impacting the speed and scale of cloud development. Our customers are excited about this partnership and the immediate benefit it can have in getting control of their cloud environments and developer access points. Moving on to securing the workforce, we had another strong quarter with our workforce solutions, which crossed the threshold of 100 million in ARR this quarter. Workforce identity is transforming from an efficiency tool, where SSO and MFA were considered enough, to one where every employee needs the right level of privilege controls throughout their workday, from the moment they sit down at their endpoint. As a result, there is a substantial and growing cohort of both CIOs and CISOs that not only understand but prioritize security first across all their workforce identities. Our workforce solutions implement least privilege on managed and unmanaged devices, secure and streamline the browsing experience, substantiate more secure SSO with intelligent privilege controls, and even integrate the ability to protect everyday workforce users' passwords with the security of the CyberArk Vault. Our solutions enable a passwordless workflow, seamlessly authenticating into the environment, and reimagines the way enterprise secure their entire workforce. This is evidenced by a leading SaaS company who landed with a substantial six-figure workforce deal. As a de facto protection against ransomware, our solution was the tip of the spear and a great showcase of the multiple landing spots of our platform. Before I move on to Ventify and our machine identity security vision, I wanted to just highlight another very strong quarter of growth for secrets management. We have never been in a better competitive position. The value of secrets management at enterprise scale is resonating, and the combination of Condra Cloud and Secrets Hub means SAS is leading the way. I want to share a deal with a leading U.S. energy company who recognized the value of secrets and machine identities with CyberArk. Expanding with a mid-six-figure ACP deal this quarter, they are protecting more of their IT users and tackling secrets and machines for the first time with Conjure Cloud and Secrets Hub. We are thrilled to have closed the acquisition of Ventify on October 1st. I want to take this opportunity to formally welcome the tremendous Ventify team to CyberArk. From the onset of our discussions with Ventify, it was clear that this acquisition was more than just a strategic fit. It was a powerful convergence of vision, technology, and culture. The past months have only reinforced our belief that joining forces will reshape the landscape of machine identity security. The feedback from customers and partners further rose our confidence in the tremendous value Venify will bring to our platform. In explaining the machine identity security landscape and the problems we have to solve as an industry, I often use the three Vs, volume, variety, and velocity. Starting with volume, the sheer number of machines, whether they are devices or workloads, is exploding. We have talked about the ratio of 45 machine identities for every human identity. In a constantly accelerating world that is only increasing its reliance on cloud-native applications and workloads, IoT devices, and AI agents, This ratio will soon be obsolete. With a rapidly growing volume, the ability to discover, secure, and manage machines with an automated lifecycle is critical to keeping this new world secure. On to variety. Variety refers to not just the various machine types I have mentioned, but also the variety in the forms of identity. From certificates to secrets to keys to tokens, there is a large variety of identity types adding a level of complexity not seen on the human side of identity. Managing this complexity requires an integrated solution. Organizations cannot get away with siloed tools or manual processes anymore. Customers have a clear and urgent need to simplify, reduce complexity, and bring in an enterprise-grade solution to bear across a diverse landscape of machine and machine identity types. And finally, velocity. Machines themselves are no longer static devices and applications. They are constantly changing, and in some cases, like with ephemeral workloads, they exist only for a brief period of time and then disappear. When you put together the pace of change of these identities and the shorter lifespan, all of a sudden the velocity of issuance and management of these identities has also exploded. The combination of CyberArk Secrets management offerings with Venify's machine identity management offerings will provide organizations with a centralized solution to manage and protect all machine identity types. By automating and securing these identities will help prevent misuse and compromise, ultimately reducing risk and enhancing operational efficiency. With Eventify acquisition closed, I want to highlight our top priorities over the coming months. First, we will unleash our go-to-market organization around the world to tap into the more than 8,500 CyberArk customers who are not Venify customers yet. Second, we will rapidly integrate our secrets management capabilities and Venify's capabilities into a streamlined machine identity solution. And third, we will work with our partner ecosystem to get them both certified on Venify and ready to hit the ground running as they go after the 10 billion addressable market. In summary, I want to leave you with the following takeaways. Identity security is a clear and present need for CISOs, and our solution selling has further aligned how we sell to how the customer wants to buy, and this is resonating with customers. Our vision to deliver the right level of privilege controls to every identity, human and machine, is expanding our competitive moat and leadership position in identity security. With Vanify, we're setting a new standard for end-to-end machine identity security, and finally, with our strong execution and unique platform, We are well positioned to deliver a stellar next phase of durable, profitable growth and take CyberArk to the next level. Before I turn the call over to Josh, I'm sure you've seen the CFO transition we announced this morning. Josh will see us through the year end and will be stepping down from his CFO role in January as part of a planned succession. We are grateful he has agreed to stay on in an advisory role through 2025 to ensure a smooth transition. I want to take a moment to acknowledge Josh's countless contributions to CyberArk for more than 13 years. Josh is an amazing leader. In his time at CyberArk, he guided the finance organization from less than $40 million in revenue in 2011 when he joined, through our IPO, the transition from a perpetual to subscription model, and turned finance into a force multiplier enabling the scale and results you've seen us deliver. We have scaled the company and stayed true to our values of delivering strong growth and profitability. He has been my trusted partner since I joined the company and his contributions are immeasurable. I'm also though delighted to announce that Erica Smith will be our new CFO effective January 1st, 2025. Erica has been a core member of our finance leadership team and has worked closely with me on the subscription transition and our long-term strategy. She is a trusted partner to the board and our executive leadership team, and I couldn't think of anyone better suited to be our next CFO. So, Erica, congratulations on your new role. With that, I want to hand it over to Josh.
Thank you, Matt, for those kind words. I'm indeed proud to have been part of this amazing cyber art journey, and I'm grateful to you, our executive team, and the board of directors for many years of partnership. I'm extremely pleased that Erica will assume the role of CFO starting January 1st. I've worked closely with Erica for more than nine years. She has been a core member of our finance leadership team, holding broad responsibilities in the finance organization that include investor relations, FP&A, treasury, ESG, and now the Venify finance team. It is critical for all of us to have a smooth transition, continuity of leadership, and someone who knows how and will execute so we continue to march forward and scale. Erica is a strong leader and has a deep understanding of our business. She is a great addition to the executive team, and given her performance and focus on scale, I am extremely confident that as CFO, she will help ensure CyberArk's position to execute on its long-term strategy. With that, I'm going to hand it over to Erica for just a few words from her, and then I'll return to speak about the quarter. Erica?
Thanks, Josh. It is an honor to be named the next CFO of CyberArk. I am grateful for the trust you, Matt, and the leadership team, as well as the board, is placing in me. As Matt said, Josh has played a critical role in setting the company's culture of operational excellence that has supported our strong growth and focus on profitability. He has been my mentor, and I am grateful for all of his guidance and support over the years. I am also looking forward to working closely with him as we move into 2025. Thank you, Josh, for staying on as an advisor to support the transition. I am also excited to work closely with such a talented and dedicated group of finance professionals in our corporate headquarters in Israel, as well as our offices in Asia, Europe, and the U.S., Continuity of our operating rhythm and execution will be a key focus as I move into my new role. I'm committed to building on our strong foundation as CyberArk looks to scale well beyond a billion dollars in ARR. With that, I'll hand it back to Josh to discuss our results in more detail. Josh?
Thanks, Erica. And now, on to the quarter results. The third quarter was another strong quarter, beating guidance across all metrics. We reported solid net new ARR, strong top-line growth, and substantial improvement in operating and free cash flow margins. Our execution is a testament to our platform differentiation, the growing criticality of identity security, and our ability to capitalize on these secular trends. Before I provide more details on the quarter, I want to remind everyone that while we are very excited to have closed the acquisition of Ventify on the first of October, it did not contribute to our third quarter results. All numbers I'm about to discuss, other than the guidance, are on a standalone basis. Moving into the results, total revenue grew 26% year-on-year, reaching $240.1 million and exceeding the top end of our guidance range. Annual recurring revenue reached $926 million. That's growing 31% year-on-year. We added $58 million in total net new ARR from $52 million in the third quarter last year. As expected, the SAS share of our bookings increased compared to the third quarter in the year-ago period and made up more than two-thirds of subscription bookings. Subscription ARR grew 46% year-on-year to $735 million and is now 79% of our total ARR. We also added $59 million in a net new subscription ARR, an 11% increase from the $53 million in the third quarter last year, and that sets a new record for any non-Q4 quarter. Our maintenance Annual recurring revenue was $191 million, a decrease year-on-year consistent with our move away from perpetual licenses, and like-for-like conversion activity still remains a single-digit percent of our year-on-year ARR growth. Our platform selling motion continues to drive land and expand as customers move to secure more users and more personas with CyberArk. In the third quarter, we signed nearly 230 new logos, and with our expansion engine, we also had a healthy mix of upsell and cross-sell into new solutions. In the third quarter, the cohort of customers with more than $100,000 in ARR grew to over 2,000 customers. The cohort with ARR of more than $500,000 is now over 375 customers, and that's growing nearly 40% year on year. Now, moving to the revenue lines, for the third quarter, recurring revenue reached $224.2 million, growing 29% year-on-year and accounting for 93% of total revenue. Subscription revenue was $175.6 million, growing 43% year-on-year and representing 73% of total revenue. Maintenance and services revenue was $61.6 million, and of that, recurring maintenance revenue was $48.6 million compared to $51.5 million in the year-ago period, and that's reflecting the year-on-year decreases in our maintenance ARR balance. From a geographic perspective, all regions continue to show healthy growth. Americas grew by 26% to $141.8 million. EMEA revenue was $73.1 million. That's up 22% year-on-year. And APJ revenue was $25.1 million, growing 34% year-on-year. All P&L line items will now be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press releases. Third quarter gross profit was $200.3 million, or 83.4% gross margin, compared to 82.7% in the third quarter last year. In the third quarter, our operating income was $35.4 million, or 14.7% operating margin. That's well ahead of our guidance and a significant increase from an operating income of $16.9 million, or the 8.8% operating margin in the third quarter last year. The outperformance was driven in part by the revenue upside as well as certain program expenses moving into the fourth quarter. Net income, it came in at $45.1 million or 94 cents per diluted share, also significantly outperforming our guidance and more than doubling from the EPS of 42 cents in the year-ago period. We ended September with 3,300 employees worldwide, including 1,400 in sales and marketing. We are pleased to deliver another strong quarter of free cash flow, with $51.6 million in the third quarter, our margin of 21%, and that's compared to $13.6 million in the third quarter of last year, our margin of 7%. We ended the third quarter with approximately $1.5 billion in cash and marketable securities, As a reminder, our cash balance at the end of the third quarter does not reflect the $1 billion cash portion of the consideration paid for the Ventify acquisition on October 1st. I want to touch on the upcoming settlement of our convertible senior notes maturing on November 15th. We plan to settle these convertible notes with shares, as we outlined in our 6K filing with the SEC back in March. The approximately 3.7 million shares associated with the convert have been included in our fully diluted share count as applicable already since the fourth quarter of 2022. Further, we expect the cap call associated with the convertible notes to result in cash proceeds of approximately $260 million. We will receive those proceeds at the maturity of the convertible notes. As you can see, we continue to have a strong balance sheet that supports our growth strategy. So now, turning to our guidance. For the fourth quarter of 2024, we expect total revenue of $297 to $303 million, which represents 34% year-on-year growth at the midpoint, and that includes approximately $41 million from Vennify. We expect non-GAAP operating income in the range of $43.5 million to $48.5 million for the fourth quarter, and that includes a contribution of approximately $11 million from Vanify. We expect our non-GAAP EPS to be in the range of 65 cents to 75 cents per diluted share, and our guidance assumes 51.2 million weighted average diluted shares. Our guidance also assumes about $16.7 million in taxes. Looking at the full year 2024, we expect total revenue in the range of $983 million to $989 million, representing 31% year-on-year at the midpoint. We expect our full-year operating income to be in the range of $135 million to $140 million. And as a reminder, Our full year guidance also includes $41 million contribution to revenue and $11 million to non-GAAP operating income from Venify's fourth quarter that I just said earlier. We expect our non-GAAP EPS to be between $2.85 and $2.96 per diluted share. We expect about 49 million weighted average diluted shares and about $52.2 million in taxes for the full year 2024. We expect our annual recurring revenue to be in the range of $1.153 billion and $1.163 billion at December 31, 2024. That includes an expected contribution of approximately $164 million from Venify at the year end. For the combined company, our guidance represents about a 50% year-on-year growth at the midpoint. I would remind investors that as a result of the largest cohort of customers coming up for renewal in the fourth quarter, we do typically see the largest sequential decrease to our maintenance ARR also in the fourth quarter. We are significantly increasing our cash flow guidance, our free cash flow guidance, for the full year 2024 to a range of $203 to $213 million, and that represents 21% free cash flow margin at the midpoint. That includes $8 million contribution from Ventify. To sum up, we are pleased to report another strong quarter and are thrilled to welcome the Ventify team to CyberArk. While the guidance I just provided includes the contribution from Ventify, it is important to note that even on a standalone basis, we are increasing our guidance for the year across all metrics. We are well ahead of the playbook we outlined at our investor day in 2023, which speaks to how we have expanded our leadership position and delivered consistently strong execution. With 31% ARR growth, 26% revenue growth, 15% non-GAAP operating margin, and 21% free cash flow margin in the third quarter, we're in an elite group. of enterprise software companies that are operating above the Rule of 40 benchmark. Before I hand it over for the QA portion of the call, I want to take this opportunity to express my gratitude to all those at CyberArk, and also a special note of gratitude to our founder and executive chair, Udi Makkadi, whose friendship and mentorship I treasure greatly. I also want to thank our investors and the broader investor community for their support, and I'm very excited about the future of CyberArk and believe we are in a position of strength to continue to deliver strong results going forward. With that, I'm now going to turn the call over to the operator for QA. Operator? Thank you.
The floor is now open for questions. If you have dialed in and would like to ask a question, please press star 1 on your telephone keypad to raise your hand and join the queue. If you would like to withdraw your question, simply press star 1 again. If you are called upon to ask a question and are listening via loudspeaker on your device, please pick up your handset and ensure that your phone is not on mute when asking your question. Due to high amounts of questions, we do request for today's session that you please limit yourself to one question and one follow-up. Your first question comes from the line of Saket Kalia of Barclays. Your line is open.
Great. Hey, guys, good morning, and thanks for taking my questions here. Josh, let me just start by saying I tip my cap to you, man, on just a heck of a run. And, Erica, congrats as well. It's just great to see the continuity and what seems like a very smooth transition. Thank you, Sackett.
Thanks, Sackett. Appreciate it.
Absolutely. Matt, maybe on to the business and what was a very strong quarter, maybe for you. You know, you called out the power of the platform in your prepared remarks, and you mentioned some examples of customers that consolidated their identity solutions to CyberArk. Can you just maybe talk about that trend as we look forward? And is there anything that you're doing at CyberArk to drive that motion within the sales team of a more consolidated type of sale, if that makes sense?
It does, Saka. Thanks for the question. I think what we see out there at the highest level is that customers are having, for lack of a better phrase, an identity crisis, right, as they try to figure out what are they going to do with the threat landscape that they face. And they're trying to figure out who they can trust in that threat landscape to actually provide security across all the types of identities that they need to secure. And increasingly the conversations with us in the CISOs and the C-suite, CIOs kind of across the board is the conversation is not specific to platform to begin with. It's specific to the idea of you have this spectrum of identities. You need security across all of them. Only CyberArk can do that for you. Do that across human and machine. Do it across the workforce and IT and developers. And so we get engaged in that type of conversation. And then we use our solution selling approach to make sure that we can provide a quick on-ramp and a quick time to value against whatever identity groups are top of mind or top priority. Then we bring in the platform selling approach to future proof them, to tell them, listen, you can get started with one identity group. You can get started with multiple. We will be there for you on an extensible platform that can bring you to value when you're ready. So we're not pushing from that perspective. What's happening in the market is that customers more and more are recognizing they want to go faster. They want to go deeper. And so if they're security-minded, and you heard me call that out, the security-minded buyer, they're sitting there and saying, why not go faster with CyberArk since they have the platform, since we need to tackle this identity security problem, since my board, my rest of the executive team are asking me about this. And so it becomes a very organic approach. sales process of conversation, and as I'd like to point out, trust in the CyberArk relationship.
Makes a ton of sense. Josh and Erica, maybe for my follow-up for you folks, really appreciate the detail on Venify. Understanding it's early, how do you sort of think about the growth profile for Venify relative to CyberArk's organic growth in terms of ARR? And as part of that, do you expect any changes in the makeup of Venify's ARR as you go into next year?
Yeah, thanks, Saket. You know, we absolutely see Venify's portion really contributing well at CyberArk, so a higher growth rate on ARR. We're confident about that. And one of the things that we'll also see is really a lot of movement towards their bookings going towards SaaS, and we can easily see next year where the majority of the SaaS, where the majority of the bookings will be in SaaS. And that's a change compared to their history where they've been traditionally more on-prem until this last year where they've started to ratchet that up.
Yeah, so I think I'll just jump in. I think when we think about Ventify, it's a growth play for us. We just see this broad landscape of of kind of unprotected machine identities. And I think, as Josh said, you know, we believe in our hands. We've said it since day one, and we've become even more confident in that, that Ventify will grow at or above the cyber art growth rates once we are fully able to roll it out across the sales team.
Very helpful.
Thanks, guys. Thank you. Your next question comes from the line of Hamsa Farawala of Morgan Stanley. Your line is open.
Great. Thank you for taking my question. First off, congrats, Erica, and congrats to Josh on a great run, not only for your contributions to CyberArk, but also to the broader cyber and Israeli startup community. I know you've been a mentor to many CFOs, including a few CEOs, so thank you for all your contributions.
Thank you, Hamza, for those words. It really means a lot. Thank you.
And thank you for the well wishes, Hamza. I appreciate it.
I wanted to ask a question for Matt. So, you know, a lot of CISOs we talked to are talking more and more about machine identity. I wanted to just maybe drill into a little bit what that looks like. So, you talked about a deal, I think, where you were able to cross-sell your machine identity capability with Venify. What does that look like? I mean, are you, you know, your core product is obviously priced on a seat basis. Was this the upsell based on the number of certificates? Was it other type of machines? And what could the deal multiplier be if Benify is included with Fibre?
Yeah, sure. So I think the foundational answer is the human side of the identity business is based upon humans, so the number of seats included. On the machine side, it's generally based upon what you're securing. So for our secrets business, especially our SAS-based, you know, Conjure Cloud and Secrets Hub, we're generally basing it upon applications because you're building in the credential management for applications as part of the secret security process. So on the machine side, on the secrets, it's going to be applications. On the machine side of Ventify or certificate lifecycle management, it's going to be based upon certificates. We call those instances. The reason we call it instances is actually each certificate can actually be stored or be leveraged across multiple machines. And we actually charge for each instance of that certificate. So you're going to see those differences across the board when we kind of bundle it together. We're looking at ways to make it easy for the customer to buy, especially between the secrets, obviously, and the certificate side. I think when you think about what potential there are here, you've heard us talk for a while that the secrets business alone can be a multiple of, for example, the PAM business that you've heard us talk about. We've talked about it actually being a fully deployed secrets deployment is one and a half times the deployed PAM deployment. I think on the certificate side, we see even bigger multiple opportunity where it could be 2X. It's a little bit bigger than even the secret side. So when you start to look at the deal size and really once deployed footprint that can happen on the machine identity side, when you combine secrets with certificates, those are bigger deals and ultimately can be a nice high growth business for us.
Thank you. Your next question comes from the line of Matt Hedberg of RBC Capital Markets. Your line is open.
Great. Thanks for taking my questions, guys. And I'll offer my congrats as well to both Josh and Erica. You know, I wanted to ask a little bit about your workforce business. It's impressive to see it pass the $100 million ARR mark this quarter. I'm wondering if you could provide a little bit more context about how quickly that's actually growing in the base and maybe, you know, what percentage of the base is actually leveraging workforce?
Sure, Matt, and welcome to the call. When we look at workforce, let's just start again with the kind of the strategic ability to be able to go in. You know, where we're winning is with CISOs, CIOs that have a security-first or security-minded way of buying. You know, some people still buy workforce SSO MFA as an efficiency tool. And in that case, you know, Microsoft or other providers out there are a perfectly good solution to provide kind of what we consider commoditized SSO MFA. Our solution is based upon the idea that actually that's not enough. It's not enough in this threat environment, in this threat landscape. And we need to use MFA SSO as kind of base level controls where we wrap around it intelligent privilege controls, vaulting of personal passwords, a more secure browsing, and actually a really tight tie-in to least privilege at the endpoint in our EPM product. And so that becomes the foundation of how we compete, how we differentiate out there. As you mentioned, we're pretty proud to see that business kind of cross the 100 million ARR threshold, kind of in line with where we actually expected it to be when we actually acquired Adaptive several years ago. And what we see there is that it's a business that's growing, you know, really strongly, faster than our core for sure, and increasingly becoming a part of more and more deals. Now, you asked the question around our penetration rate, I would tell you the penetration rate is still pretty low. You know, we've got over 9,000 customers now. And, you know, I think we're talking about, you know, a little around 1,000 or so that are using our workforce solutions. And I think that's the opportunity we still have here is to sell into that base, really bring them onto the platform, as you heard me talk about on Socket's question a little bit earlier, and expand the number of identities that our platform is securing as a whole. It's an exciting opportunity for us, and I do want to just call out the tie-in between the workforce business, the traditional SSO MFA and our kind of advanced controls, and the EPM business, which is securing the endpoint of that workforce user. Because when you combine those two businesses together, you start to see a really meaningful portion of our ARR coming from securing the workforce population as a whole.
Thanks, Matt. Great comprehensive answer. And then maybe just a quick housekeeping one for Josh or Erica. It looks like Venify is contributing about 160 million of ARR to the full year. I'm curious. You know, how quickly was Venify ARR growing, exiting kind of the Q3 quarter, and do you have a rough estimate of what that SAS mix was for Q3?
So, yeah, they were growing at about the 10% mark, if you think about it, in the double digits, and then the SAS mix was actually roughly 10% of their overall base. A little, it's ratcheted up in the last few quarters to closer to 12% right now, but it's right in that range.
And it's something we see, which is really interesting. We've talked about even in our core business, which is just dramatic shift to SaaS as the leading motion our sales team is most comfortable with. So while they sat at 10% of ARR and a small percentage of their overall new bookings earlier in the year, even when we look into the pipeline for Q4, we see as Josh said, it's starting to become more of the majority of the pipeline is SaaS led for them. And as you've seen with us, it just continues to grow each quarter, the amount of our pipe on our execution that's tied to our SAS portfolio.
Thanks, guys. Best of luck.
Your next question comes from the line of Brian Essex of JP Morgan. Your line is open.
Good morning, and thank you for taking the question. First of all, Josh, congratulations to you. What a great track record you've built. And Erica, congratulations to you as well. It's great to see. Thanks, Brian. Of course. Maybe for Matt, I know you talked about in your prepared remarks the ability to unleash your go-to-market motion on over 8,500 non-Venify customers now within your install base. Can you talk a little bit about what needs to be done within your direct sales force and then what you're doing within the channel and perhaps how long that will take to have an effect on the trajectory of Venify's growth rate?
Sure. Yeah, great question. We started training our sales team the minute we could. And, in fact, we've gone out and really gotten them ready to have the conversation post-close date. And so we're already seeing pipeline being built here in Q4 for next year that our sales team is able to contribute hand-in-hand with the Ventify team. So we feel ready to go. I think at some level we were itching to go, and we wanted to get through, obviously, the regulatory approval so that we could get started. And we really can't wait to start to, as I said and then you repeated, unleash that sales team to be able to go push this product. It is a really easy conversation. And what I mean by that is it's the CISO who's sponsoring the conversation. It's the same buyer. We know the parties involved. And ultimately, it becomes part of our talk track pretty easily, pretty quickly, and we haven't seen a need to kind of bring in specialists in every conversation. I think the partner one side of the fence is probably what surprised us the most to the upside. You know, I think when we first announced it, we said we were, I think, down at the event, and we had our partners in the other room, and we said they were so excited. And, you know, sometimes that can fade. What we found is the exact opposite. We actually were at standing room only in classes and certifications that we were doing for partners around the world throughout the last quarter. We've had to actually add in more and more training classes for our partners. We're kind of racing to kind of have first mover advantage to be able to bring Ventify into the market. So I think we've seen even more of an uptake in the partner community than I would have expected, to be honest. And I think it speaks to the need to solve the problems is, problems of the machine identity security story. Now I will say that it's a similar sales cycle to the cyber arc sales cycle. So, you know, we've always talked about, you know, a three, four quarter sales cycle, and sometimes we do better and it's, you know, two quarters or so. So I think we will see the impact of all this enablement and certification happen as we get into next year and into the back half of the year, especially. But it's why we're so confident in our ability to say we're going to grow this at or better than the cyber arc overall growth rate is because we see these conversations really taking off.
Got it. That's super helpful. Maybe one quick housekeeping question, if I could, for Josh or Erica. Is there any deferred revenue write-down that we have to consider as we tune our models and we add benefit into the equation?
No, there's nothing material on that subject.
Fantastic. Thank you so much. Great.
Your next question comes from the line of Jonathan Ho of William Blair. Your line is open.
Hi, good morning, and let me echo my congratulations to Josh and Erica as well. It has been fantastic to work with you, Josh. Just in terms of Ventify, can you talk a little bit about the opportunity to expand the awareness of the machine identity problem? And across your base, as you engage with customers, can you give us a sense of where they are in terms of understanding the challenges as well?
Sure, Jonathan. And I think I'll use a couple of examples maybe to help here, just in terms of the ability for us to scale. We've talked before about more than 10x sales reps and our ability to be able to bring it into the base and educate through a sales driven process. But we've also been able to really attack it already from a marketing event based process, from a partner landscape, as I was talking about. They did an event prior to close here in Boston called the Machine Identity Security Summit. And, you know, there were a couple hundred people there. I think it was about 200 people, and it was a great message. We then took the content, combined it in with our Impact on the Road world tour, did an event out in San Jose. We had, you know, well over 300 people there at the event. We had well over 1,000 people register for the event online. And you start to see the scale take off in just amplifying the message out into the base. You know, we've obviously gone out and pushed our partners around in this enablement and in this training. Also, can they turn on their marketing engine around this problem of machine identity? And they've been rallying around our secret story over the last couple quarters, and I think this just becomes a nice extension of what they've already been doing. So I think you're going to see that the education process, the awareness process has really started to kick into full gear. Our marketing team has a great plan of attack for how they're going to continue pushing it going forward. And I think when you talk with the customer base, and I've done 40 or so calls in the very near recent couple weeks, they all understand that they've got to get their arms around this machine identity problem or they're going to get themselves in a lot of trouble. This Google mandate, for example, that brought down certificate lifespans from hundreds of days to a mandate of 90 days. Apple came out with a mandate of 45 days. Those things are driving actually a good degree of uncertainty down into the enterprise on what are they going to do if they're managing certificates, keys in a manual process. And so I really feel strongly that we are at a cusp of where the customer understands that our marketing engine is going to kick in. And ultimately, this is an area where the customers are going to start pulling as much as we're pushing.
Excellent. And just in terms of a quick follow-up, can you give us a sense of what drove the strong margin outperformance this quarter? It's just exceptional in terms of the profitability. Thank you.
Yeah. You know, in part, it's the revenue beat. As you saw, we ended up beating revenue above the top line. And then there are, and I called this out, there are some expenses that we'll be doing in Q4 that were planned for Q3. And then just, you know, overall good, strong efficiency, you know, as we operate the company.
Your next question comes from Roger Boyd of UBS Securities. Your line is open.
Great. Thanks for taking the questions, and I'll add my respective congrats to both Josh and Eric. Happy for you both. Matt, high-level question around post-quantum. It seems like awareness is raising there. I'm wondering, based off your conversations with customers, do you think that we're getting into the actual adoption curve where customers are looking to pick up post-quantum security tools, some of the stuff you're talking about with being able to gauge exposure and get to a place of certificate agility there? And now with Venify and the platform, is there any sense of how material you think this could be as a driver in the next year? And then I have a quick follow-up.
Sure. Yeah, no, I think you hit a nail on the head there around the idea that the willingness and want to talk about kind of post-quantum plans is a part of every conversation we're having on the Venify side. Now, I still think it's, you know, obviously several years out until the actual quantum impact is felt and thankfully for that. But what we're able to do now is really talk with the customers about their programs and plans. We have an ability to come in and do workshops around how the Benify solution and our overall machine identity security solution can help prepare them for a post-quantum world And, you know, it speaks not only to the need for, you know, obviously innovating around the algorithm and making sure that you're able to prepare. It also speaks to this idea of lifecycle management, because in a post quantum world where an algorithm might be able to be breached or hacked into, we need to be aware of all of the assets, all the identities that are out there, and we need to be able to reissue maybe with a new algorithm. on demand based upon what's happening in the kind of threat landscape or threat environment. So I do think it's a piece of the strategy. I think you're right that customers are starting to talk about it. Still many years out until they have to actually implement, but I think it's a part of what's driving the awareness of what we're doing on the machine identity side.
Got it. Super helpful. And then just for Josh or Erica, just around 4Q, I know you've talked about moving to shorter contract durations on the maintenance side. Any color you can provide on what you're seeing around renewal rates there and anything to be mindful of relative to your 4Q assumptions for maintenance given the renewal base and seasonally larger quarter? Thanks.
Yeah, Roger, it's a great question. I think we've seen continued strong renewal rates as it relates to that maintenance space, but as you know, that Q4 is one of the biggest quarters. So, baked into kind of our forward-looking, our fourth quarter guidance is about an $8 to $10 million decline in that overall maintenance ARR sequentially. So, just kind of keep that in mind when you're thinking about the ARR build into the fourth quarter and the exit rate there.
Great. Thanks again.
Your next question comes from the line of Adam Bork of Stifel. Your line is open.
Awesome. Thanks so much for taking the question. And, of course, Josh and Erica, many congrats to you both. Maybe a bigger picture question for you, Matt. You talked about the platform selling approach being great traction, especially with some of the wins you talked about. Now, I'm just curious maybe from a technology perspective under the hood, especially as we now fold in Medify, how do we think about how – integrated, as we call it, the human side of the portfolio is today. You talked about efforts to integrate secrets and Venify. And how should I think about almost a converged human slash non-human identity portfolio on the back end in coming years? Thanks so much.
Sure, Adam. So I think as you highlighted, our first priority is let's get Venify and secrets integrated into what we're calling this machine identity security solution. And let's hit the ground running as fast as possible with that so we can take advantage of of the increased awareness and the need to really lock down those machine identities themselves. I think what we look for is two things. One is the shared experience across human and machine so that organizations and customers can partake of, you know, shared dashboards, shared discovery. And I think those types of things start to come online more towards the end of the year into 2026. And then we're always looking to look how can we leverage the shared services of our platform, for example, things like unified audit and unified identity management. And that's an area where we can be building up over time also as part of a shared platform approach. So I think 2025 is really about integrating the machine identity solution itself. 2026, you start to see the technologies come together, and we have a roadmap and an idea of what that would look like. Independent of the technology, there's a conversation with customers that we're having all the time, which is machines and humans need to be integrated and managed under one platform, one ability to understand what is going on. We need to make sure that we can provide a future proof for the years to come across human and machines because that's needed for a comprehensive view of what identity security is. And so I think that starts from day one. And, frankly, I've received multiple comments from customers, customers I trust implicitly, actually, that help advise that say this is, like, one of the things that they would have hoped happened in the industry is bringing human and machine more together for where they need to go for the future.
Awesome. Thanks so much.
Your next question comes from the line of Don DeFucci of Guggenheim Securities. Your line is open.
Thanks for taking my question. I have been called Don before, but anyway, Mike, I don't mean to beat a dead horse on this, but really, I think I'm curious, like why Venify represents an incremental growth plan for you? Matt, you talked about the go-to-market push, and that makes some sense. And you talked about a bunch of things here, but we've heard about this for a while, and Benefi has been around for a while, and it was a good company, a decent company, but it never seemed to fulfill its promise, right? Machine identities always made sense, but they never fulfilled its promise. And I just wonder if we're getting... a little bit too far ahead of ourselves here. And you guys have executed really well, and that's part of it too, right? That's positive. But I don't know, if you could speak a little bit to that. I'm sure there's a question in there somewhere.
There is, and I think it's a good one, which is why now? And, you know, I think I've hit on, as you mentioned, you know, all right, did Benify ever invest in the go-to-market scale and breadth to be able to truly go out there and penetrate the market, you know, They were mainly focused in the U.S. They didn't have much presence in EMEA and APJ. They had a relatively limited spending on marketing and on sales. They had a very, very, very small channel program, so they were not able to actually bring in the SIs and the bigger channel partners that we bring to the table. So for sure, one part of it is what cyber art brings to the story. But I think there is a second part, which is an inflection in the market of, as I said, volume, variety and velocity. And that's a change. Like we go back five, six years ago, the volume was not where it was and the variety actually was not as complex. And ultimately, the very nature of these modern workload identities were much different in terms of the velocity of change that was happening. When you go out and look at the market factors around the Google mandate, the actually regulations that are coming in that actually speak to the machine identity landscape, there wasn't the pressure to get your arms around what was a very basic problem to begin with of certificate lifecycle management. What's happening now, and by the way, that's what drove them up into only the upper echelon of big banks, big financial institutions, where the problem was really tough and they weren't actually penetrating down into the mainstream enterprise because it wasn't really part of a big problem statement. Given the volume, given the variety, given the velocity, what we find now is actually manual processes, spreadsheets, kind of point solutions can't manage the problem. And that's what our enterprise customers were telling us before we acquired Ventify. And that's what they're telling us even more now post-acquiring Ventify. So I think when you combine those factors together, that's what gives us the excitement and the confidence in what we're out there describing. And ultimately, you'll see that materialize as we move throughout 2025. Okay. Okay.
And I just wanted to make sure that Josh wasn't putting a high bar for Erica, just leaving that for her because I know, well, she's been by his side for a long time.
I don't know that Josh has ever found a high bar. I think he always is putting the right bar out there prudently. That's why I love Josh.
That all makes sense. And you guys, like I said, have executed well. But I guess ARR was strong this quarter, my follow-up here. And it was in the range of what we thought you could do, and that's great. But just curious if you saw any influence on this last quarter due to the U.S. election, and if you did, how do you see this influencing business going forward, if at all?
Yeah, so we definitely didn't see anything materially different than what we've seen in other quarters. I think we continue to see, like we say, a tough macro out there, one in which, though, we continue to perform well. of security being at the top of the list, our security, identity security being at the top of that list. You've heard me say that before. I don't think we saw anything measurable or change there. I think as we look towards Q4, we're not anticipating some large budget flush out there, you know, as people kind of figure out maybe what the implications of the macros and the environment is. So our guide doesn't assume that. But no, I don't think we're seeing anything different in the environment as a whole. And we're kind of in a wait and see approach as it relates to the election itself.
Great. Thank you and congrats to the team.
Thank you. That concludes our Q&A session. I'll now turn the conference back over to Matt Cohen, CEO, for closing remarks.
Thank you. And we are excited to deliver another strong quarter that showcases our leadership in identity security. and that our vision of delivering the right level of privilege controls for every identity is working. We're thrilled to welcome the exceptional Ventify team to CyberArk. I want to congratulate Erica on joining the leadership team, and I want to say my heartfelt thanks to Josh for being such a strong partner to me as I came into the CEO role and for helping to guide CyberArk for all these years to our success. Thank you, everybody.
This concludes today's conference call. You may now disconnect.