This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
Palo Alto Networks, Inc.
11/20/2024
Good day, everyone, and welcome to Palo Alto Network's first quarter 2025 earnings conference call. I'm Walter Pritchard, Senior Vice President of Investor Relations and Corporate Development. Please note that this call is being recorded today, Wednesday, November 20th, 2024, at 1.30 p.m. Pacific time. With me on today's call to discuss first quarter results are Nikesh Arora, our Chairman and Chief Executive Officer, and Deepak Golecha, our Chief Financial Officer. Following our prepared remarks, Lee Klarich, our Chief Product Officer, will join us for the question and answer portion. You can find the press release and other information to supplement today's discussion on our website at investors.paloaltonetworks.com. While there, please click on the link for quarterly results to find the 1Q25 supplemental information and 1Q25 earnings presentation. During the course of today's call, we will make forward-looking statements and projections regarding the company's business operations and financial performance. These statements made today are subject to a number of risks and uncertainties that could cause our actual results to differ from these forward-looking statements. Please review our press release and recent SEC filings for a description of these risks and uncertainties. We assume no obligation to update any forward-looking statements made in the presentation today. This presentation contains non-GAAP financial measures and key metrics relating to the company's past and expected future performance. Non-GAAP financial measures should not be considered a substitute for financial measures prepared in accordance with GAAP. The most directly comparable GAAP financial metrics and reconciliations are in the press release and the appendix of the investor presentation. Unless otherwise noted today, all results and comparisons are on a fiscal year-over-year basis. We also know that management is scheduled to participate in the UBS Global Technology Conference. I will now turn the call over to Nikesh.
Thank you, Walter. Good afternoon and thank you everyone for joining us today for our earnings call. We're delighted to report a strong start to fiscal year 2025. In our first quarter of focusing on RPO and NGS-ARR, we saw strength in both metrics and saw them perform well ahead of our expectations. The market for cybersecurity continues to be robust and continues to grow faster than the overall technology market. Despite the acceleration of technology spend due to AI, cybersecurity continues to ice out space technology spend. We saw particular strength in our next generation security offerings, notably in Cortex and in NetSec. NGS ARR grew 40% toward $4.5 billion. It is still well ahead of our industry's expectations, independent of a one-time increase due to the IBM deal. On the profitability front, we expanded our operating margin by 60 basis points year-over-year as we continue to see benefits from our broad efficiency focus while making the necessary investments to sustain our growth. This translated into a 13% EPS growth and strong cash generation. We are particularly pleased with our continued execution at scale where we are able to balance our growth initiatives within our financial investment envelope, allowing us to deliver upside to our EPS guidance. We've been talking about the benefits of simplifying security architectures and consolidating point products into platforms for a while now. I'm sure all of you remember our eventful quarter where we changed gears on platformization. As I've said before, I wish we could have made our good decisions faster. We continue to see momentum across our partner ecosystem and our customers. More recently, our industry peers have been evangelizing the virtues of platformization and industry experts have begun to weigh in. I had our teams go back and compare the growth in the mentions of the word platform on cybersecurity earnings calls this year versus last year. We found an overall 50% increase amongst our peers. As they say, imitation is the highest form of flattery. As another point of reference in recent research, Gartner sees 75% of security leaders actively pursuing a vendor consolidation strategy, although less than 15% of large enterprise customers have implemented at least any one security platform solution. Gartner expects that by 2028, 45% of organizations will use fewer than 15 cybersecurity tools in their product portfolio, up from 13% of organizations in 2023. I do want to reiterate the definition of what we want to achieve as a platform. Central to stopping threats of the future is a robust AI and automation platformization strategy, and data is at the heart of it all. Our approach is to ingest all relevant security data once, stitch and analyze this with precision AI technology, and natively automate end-to-end workflows. It's a tall order to take data from many different security vendors, analyze it on the fly, and make a decision to stop an attack fast enough, but we're encouraged with the early success of our XIM and cloud platform to do exactly this. In network security, we also collect all data across all parallel network security products and enable our customers to operate on a single pane of glass with consistent services which work across all our form factors. We believe our network security strategy is the most comprehensive platform available in the industry, encompassing a majority of the use cases via a single consistent interface. As one of our customers recently said, that's one pane of glass versus many glasses of pain. So while many of our competitors are talking about their platform approach, we don't believe they're equipped to deliver it in the way we can. We feel the cybersecurity industry is embarking into its next phase, where the market will continue to converge towards a fewer set of platformization players over the next five to ten years. Point solutions will continue to get subsumed in these platform plays. Having started this trend, we intend to be one of those few players. With this being the first quarter of our fiscal new year, we further oriented our go-to-market enablement around platformization. Our goal is to broaden the effectiveness of our solution selling across thousands of sellers and arm them to sell the value of our differentiated security outcomes across network security, cloud security, and security operations. With platform-specific domain consultants and architects, we are able to bring tremendous focus to our go-to-market efforts. I'm again pleased with the results we're seeing. These came through in our Q1 metrics. We added more than 70 new platformizations with about a third coming from our acquisition of Creator SaaS. We ended Q1 with approximately 1,100 platformizations. Beyond the number of new platformizations in Q1, we also saw strength in ARR per platformized customer. Our Q1 ARR per platformized customer was up 6% versus the average we saw during fiscal year 2024. The improvement in ARR is driven not only by our success signing larger transactions, it is also driven by our team's ability to expand existing platformized deployments continuously with new innovation that is delivered. For example, in network security, we have seen significant value from the adoption of advanced subscription services and uptake of add-on modules in SASE, such as ADEM or Autonomous Digital Experience Management, or CASB. ADEM and CASB are essential for us to be able to deliver AI solutions and AI access capabilities in the future, and we believe this capability will become existential for all SASE customers. Our Q1 performance keeps us on track to achieve 2,500 to 3,500 platformization deals by fiscal year 2030. We're happy with our continued strong growth in NGS ARR on Q1, fueled by our continuous platformization momentum. We see multiple drivers here. Network security customers are increasingly deploying our software and SASE form factors, including adopting advanced Zero Trust security subscriptions across them. Over time, these customers have a significant incentive to converge their network security architecture towards adoption of our full suite of three form factors. Outside of network security, where we now have well over $2 billion in NGS ARR, we are also seeing our cloud security and Cortex security operations business become significant as well. Last quarter, cloud security crossed the $700 million milestone, and this quarter, Cortex crossed the $1 billion milestone. Looking at the large platform deals, we see a variety of opportunities across all of our customers. We signed a transaction with a large technology firm for over more than $50 million. This deal was headlined by a SOC transformation where we both replaced multiple SIMs with XIM and added XDR. The customer was facing rising costs in their SOC with little automation and inadequate visibility into the rising number of tailored attacks that leveraged AI. The customer was a QRadar customer and a year ago had platformized with us in network security. In this transaction, they added SD-WAN as well. Next. We had a deal north of $15 million in value to the national hospital system, platformizing their network security, which included an ELA for our firewalls. The customers focused on both preventing a breach after observing the many high-profile incidents in the healthcare industry, as well as reducing operating costs. We displaced a legacy firewall vendor and also set ourselves up for future SASE deployments. In SecOps, we also have an initial Cortex footprint and secured our customer with an XOR deployment. a financial institution customer standardizing our firewalls, including an ELA, in a transaction for over $20 million, after standardizing on our network security platform with SASE in fiscal year 2024. While we had to win the firewall business based on the capabilities of our appliance, our SASE platformization and our consistent NETSEC architecture across form factors was a big differentiator. With the benefit of our consistent network security architecture, we were able to streamline operations across the network and drive lower costs. Last but not the least, we tried the transaction greater than $30 million with a physical security services company. The customer signed a large transaction with us last year, platformizing network security and security operations. In this quarter, the customer expanded both its XIM and XDR deployments and added SASE network security. This was a challenging deal as there were significant changes of the customer with new IT leadership, including someone who had previously deployed a SASE point product from a competitor. We were able to show both cost savings and a better security outcome from our consistent NETSEC architecture. Our expanded Cortex footprint was driven by the customer's confidence that we are helping them identify and stop attacks. Overall, these are representative of a large deal momentum where we saw 305 transactions over $1 million up 13% and 60 transactions over $5 million up 30% this quarter. Switching gears, let's take a look at our three platforms and how they're supporting our growth. In network security, we continue to see steady demand in our product business. The demand continues to be a function of customer refreshes, capacity expansion, and selective competitive takeouts driven by the customer's desire to deploy a network security platform across the category. We're also seeing customers who, as they move to the cloud, are beginning to deploy more and more software firewalls to protect their cloud instances. With the recent upgrade of our products to be able to solve AI use cases, we continue to feel positively about strength in public cloud-deployed software firewalls. These represent 70% of our total virtual firewalls ARR and are driving our growth in this area. SASE continues to drive transformation deals as you saw in our customer stories. The true power of SASE and its extensibility now to our newer use cases helps validate the case for many of our new customers. Our SASE platform has recently integrated AI-based monitoring, incremental capabilities to manage AI applications, and even more recently, the Prisma Access Browser, which we will talk more about in a minute. Whilst our SASE customers grew 20%, more interestingly, 40% of our SASE customers this quarter are net new to Palo Alto Networks. This is exciting since it creates a future opportunity post-implementation to drive consistency by evolving these customers to the full network security platform. This was true for the financial services customer I mentioned. In addition to landing these SASE customers, we also have seen success driving large deals with SASE transactions over $1 million in contract value up 40% in Q1. Critical to sustaining our NETSEC performance are investments we are making in innovation. We released an enhanced security capability for operational technology environments to address the growing challenges our customers face as the number of non-IT connected devices accelerate. Challenges in OT environments include a need for more visibility, a lack of segmentation and unsanctioned remote access. We have brought precision AI to bear on this challenge along with our new line of ruggedized firewalls. We also saw strong interest from customers in our broad secure AI by design portfolio with AI access leading the way. Our teams have been busy driving customer engagement and we have hundreds of customers leveraging AI access. We currently secure over 750 AI applications, a volume which we believe leads the industry and are growing this figure by the day. We are also providing inline data loss prevention for more than 65 applications with this number growing as well. Lastly, as part of our general availability release of our Copilot capabilities across our three platforms, we rolled out the Strata Copilot. In our development process, we prioritized delivering superior accuracy and we've had fantastic feedback. The Strata Copilot trained on nearly 50,000 vetted sources, leverages best practices to help guide customers to faster decisions and help accelerate remediation. We have made a version of this copilot available to our customer support teams, which is beginning to positively impact our time to resolving customer issues, which we believe will continue to improve significantly going forward. I want to spend a few minutes on the Prisma Access Browser. We acquired Talon cybersecurity in December of last year. We knew this technology would become increasingly important to secure unmanaged devices such as those used by contractors. We saw an opportunity to acquire a high-quality, scarce asset and be the first to natively integrate a secure browser into a SASE offering. Since then, we have been integrating the Talon browser with our leading security, DLP and access services, and leveraging our broader network security capabilities. This has resulted in a much more robust secure enterprise browser, our Prisma Access Browser. What has been rewarding has been the surge in interest and emergence of various use cases. The browser is the ideal place to counter targeted attacks such as phishing, secure privileged users, and enable access to risky web applications. customers are deploying Prisma Access Browser as an additional security control that is transparent to the end user. Customers running the heart of their business with SaaS applications and leveraging emerging AI applications are especially seeing the benefits of Prisma Access Browser as a critical end user security control. Also, the replacement of Virtual Desktop Infrastructure, or VDI, is also starting to emerge as an opportunity. This is a legacy technology for which users are collectively unhappy. We are working to expand the pool of VDI users, which you can address by adding new protocols such as SSH and RDP, and securely enabling mobile device users. Adding our ADEM capabilities to the browser can further enhance the end user experience with Prisma Access Browser compared to VDI. We've seen significant commercial transaction for Prisma Access Browser, with over 115 new customers and one million licenses sold since the time of the talent acquisition. This traction with all of our network SASE customers, including some of our largest customers, highlights our ability to successfully integrate the innovation and the innovative technologies that we acquire and rapidly take to market. Prisma Access has about 16 million active licenses today. Our enterprise customers, the largest Prisma Access cohort, are now eligible to leverage this license to adopt Prisma Access browser. We're seeing strong interest in this newly integrated capability. moving on to cortex a strong momentum this business continued with us crossing the one billion dollar arr milestone in q1 as i mentioned before we have built the cortex portfolio steadily over the last six years starting with xdr our cortex offerings have both been recognized as leaders in their markets but also work together seamlessly as a platform that can deliver superior security operations outcomes for our customers in q1 Our leadership position continues to be reinforced by third-party recognitions, including from Gartner in endpoint protection, Forrester in attack surface management, and Kuppinger-Kohl in security automation, orchestration response, or SOAR. XIM is a standout within Cortex, and we have made significant progress since its release with GA about two years ago. We continue to deliver both strong innovation and commercial momentum with XIAM. We released over 400 new machine learning detection modules leveraging precision AI to broaden the scope of our autonomous SOC capabilities. We now have over 150 active XIAM customers, about 40 of which have more than $1 million in ARR. We also roll out a program for managed security service providers in Q1. One of the key highlights this quarter has been our partnership with IBM, including the QRadar transaction that closed this quarter. This is an amazing burgeoning relationship. I'm excited about the early momentum we're seeing from customers to migrate from QRadar to XIM. Following the close of the deal at the end of August, we have added over 550 Curadar SaaS customers to our Cortex customer base. Since announcing the transaction, we have seen a number of customers sign Curadar to XIOM transactions for a total TCV of, so far, over $80 million, as we execute against our well-planned go-to-market programs. Over 500 active XIOM customer opportunities are in the pipeline across the full SaaS and on-prem Curadar base, worth over $1 billion in total value. but also seeing further opportunity across its customer set with a broader Cortex office. This opportunity we see is global, with over half of the installed base outside the United States. We believe that this deal will help us to become one of the top three players in the SIM space over the upcoming years. Beyond our success in Cortex and with Excience specifically, I want to highlight another trend we see in the market. Many of the attacks we see on our customers are targeting their cloud environments. The pace of change in cloud is far faster than on-prem, is challenging for security teams to keep up with, as new code is sometimes being pushed multiple times per day, and new cloud services are constantly being adopted by developers. This demand for real-time cloud security is driving us to bring together the capabilities of our leading CNAP portfolio, Prisma Cloud, and our Cortex security operations capabilities to stop cloud attacks. Against this backdrop, we have sold millions of cloud detection and response agents, with these deployments up 10x in the two quarters since the April launch of our new offering. This has helped drive our combined Prisma Cloud and Cortex customer base, which is up 15% year-over-year. Interestingly, about a third of our Prisma Cloud customers already use at least one Cortex product. Our combined portfolio can bring superior security, value, and operational improvement to our customers. We recently released a new capability integrating our XO automation capability in Cortex with our data security posture management, or DSPM, in cloud to automate the remediation of data security risks identified. We also released our AI co-pilots for Prisma Cloud and Cortex to general availability. While early in their adoption, we see significant promise here, driving towards security operations that are machine-led and human-empowered. In our Cortex co-pilot beta, nearly half of users trusted to take security action on their behalf. With the recent flurry of conversations around agentic AI, we have begun embedding agentic capabilities across our co-pilots. We believe this agentic vision of AI will be hugely impactful in security and we're moving swiftly to adopt that into our products. We continue to drive innovation in our cloud security offerings. We released DSPM from our DIC acquisition. We integrated that into Prisma Cloud to counter the rise in cloud data attacks. These critical DSPM capabilities enable customers to trace potential attack paths in their cloud environment to determine what sensitive data is at risk, appropriately prioritize their response, and remediate automatically. Along with our overall launch of Secure AI by Design, our AI runtime and AI SPM offerings targeted at cloud environments have also seen positive early traction. Lastly, we also launched another program for managed security providers as customers to enable partners to deliver security service in their customer cloud environments. Before I wrap up and hand the call over to Deepak, I want to leave you with a few thoughts. One, we're seeing growing industry validation of our strategy with Q1 marking yet another steady quarter of progress. Platformization is fueling the growth of our NGS ARR and puts us on track to hit our long-range targets as we drive sustainable, profitable growth. We're signing large transactions with leading global organizations because our approach delivers better security outcomes than the alternative. Over the last six years, we have integrated our solutions across three AI-powered platforms, and this approach is driving our business. We believe we have the best network, cloud, and security operations platforms, and we will continue to invest across these areas and keep ourselves at the forefront of the nexus of cybersecurity and AI. Over time, we will steadily bring these platforms closer together to solve problems, leveraging our integrated capabilities and common data. We hear our customers asking for it, and we are delivering on it today with real-time security across cloud and Cortex. We also intend to lead these platform convergence opportunities that arise in the future. As you can see in Q1, our conviction in platformization and momentum gives us the confidence to make significant investments, notably in innovation. I believe we are the only dedicated cybersecurity company with the resources and focus to drive consistent innovation and harness a substantial dedicated go-to-market capability to fuel our differentiated strategy. We're releasing capabilities that our single form factor competitors network security are not able to offer, such as our natively integrated browser in SASE. Our leading cloud and SecOps portfolio position has to lead in real-time cloud detection and response. We're also seeing good early signs from our product and go-to-market investments around the opportunity to create our customer base to accelerate our exercise momentum further. As for securing AI itself, Our secure AI by design portfolio is off to a great start, enabling organizations to confidently and securely leverage AI in the enterprise. If I look at the broader technology industry, we have seen evergreen companies that successfully execute a platform approach in markets such as CRM, HR, ITSM. We think this will happen in cybersecurity, and we are poised to be that company. Boiling this down to the impact on our fiscal year 2025 outlook, we are raising our full year 2025 NGSAR revenue and EPS on the back of the strong performance. Also, reflecting our belief in the company's future and the momentum and confidence we have in our strategy, we announced a two-for-one stock split. This was also done to help ensure our shares are accessible to all employees and investors. I'll now turn the call over to Deepak to give you more details of our Q1 performance and higher guidance.
Thank you, Nikesh, and good afternoon, everyone. To maximize our time spent on Q&A, I will provide you with highlights of Q1. You can review the results in our press release and the supplemental financial information on our website. Note that we have removed billings and added NGS ARR and RPO to our supplemental financials, reflecting our focus on the ladder metrics. In Q1, total revenue was 2.14 billion and grew 14% above the high end of our guidance. Within revenue, product revenue grew 4% while total services revenue grew 16%. Drilling into services revenue, subscription revenue grew 21% and support revenue rose 8%. As Nikesh mentioned, the demand for firewall appliances was stable in Q1, and we continue to expect growth of 0% to 5%, as we have previously discussed. Our support revenue is mainly tied to our appliance form factor. Moving on to geographies, we saw double-digit revenue growth across all of our theaters, with the Americas growing 12%, EMEA up 21%, and JPAC growing 13%. Total RPO grew 20% to 12.6 billion. We added approximately 68 million in RPO sequentially from the acquisition of the QRadar SaaS business. Approximately 30 million of this RPO was also included in our deferred revenue. Our current RPO grew 18% to $5.9 billion. The average duration of our new contracts remained at approximately three years, in line with the year-ago quarter and slightly down from Q4. Our NGS ARR grew 40%, finishing Q1 at $4.52 billion. We added $74 million in NGS ARR from Curator SaaS. We expect this QRadar NGS ARR to decline to approximately half this amount by Q4 as we focus on upgrading these customers to XIAM and growing our XIAM ARR. Also, it is worth noting that about a third of our new platformizations in Q1 came from QRadar. These customers both have over 100,000 in QRadar ARR and are active customers of Cortex XDR and or Cortex XSOAR. That is a one-time increase as we completed the acquisition. Moving down the income statement, gross margin of 77.3% was down slightly as we saw the impact of some of our newer SaaS offerings that haven't yet scaled. We continue to see efficiencies across the company as we focused on driving profitable growth. This resulted in 60 basis points of operating margin expansion and along with some higher interest and other income drove upside to our earnings per share. Our diluted gap EPS continues to grow along with our overall profitability and we generated strong free cash flow in Q1 based on collections of our substantial Q4 bookings. On our balance sheet, you will see that our debt balance came down by over $300 million. We have continued to see early conversion of our convertible debt, which occurred at the option of the debt holders and was settled by us in cash and equity. Our remaining debt matures in June 2025, although we may continue to see early conversions. We did not repurchase any shares in Q1, and our buyback strategy remains opportunistic. We have a billion dollars in authorization remaining through December 2025. Before I turn to guidance, I wanted to touch on the early impact we saw as we shifted our focus squarely to RPO and NGS ARR as our top line metrics. We did this believing it would help further drive company-wide behavior to optimize our business for long-term value creation. And we are encouraged by the early results in Q1. As we drove sales enablement and training to kick off the year, we focused the teams on maximizing exit ARR and deal profitability as compared to specific invoicing structures. I'm encouraged by some early signs we saw in Q1 where we reduced cycle times within certain steps of our deal close process. We also saw a handful of larger deals that worked their way through the process more smoothly than in the past. For example, a seven-figure SASE deal with one of the world's largest semiconductor companies accelerated through our process after we structured the deal around annual billings as compared to prior Panafest proposals, which would have needed longer scrutiny and approvals at our customer. In another seven-figure transaction for XTR with a healthcare customer, we were able to structure a deal to accommodate the customer's payment terms requirements while focusing on maximizing exit ARR. We look forward to building on this to drive further improvements in predictability in our business as we focus squarely on NGS ARR and profitability in our deals. In Q1, we focused our PanFS financing capability on transaction where it was best suited, resulting in a meaningful reduction in the volume of these transactions. Instead of PanFS, we leveraged annual invoicing, which can be simpler for customers, especially when procuring SaaS offerings. Last quarter, I mentioned to you that we would have expected our billings to grow 12% this fiscal year if we did not change any of the practices in our business that impact billings. After reviewing Q1 results, this would continue to be true under the same assumptions. The quarterly analysis of billings is no longer meaningful as it does not reflect how we now run the business. Based on our Q1 performance, we also remain confident in our cash flow outlook for the year. With that, let me turn to guidance. For the fiscal year 2025, we expect NGS ARR to be in the range of $5.52 to $5.57 billion, an increase of 31% to 32%. As a reminder, this guidance includes the contribution of QRadar SaaS of about half of the approximately $74 million in ARR from QRadar in Q1, as well as incremental momentum in our NGS offerings Nikesh and I discussed. Remaining performance obligation of $15.2 to $15.3 billion, an increase of 19% to 20%. Revenue to be in the range of $9.12 to $9.17 billion, an increase of 14%. Operating margins to be in the range of 27.5% to 28%. Diluted non-GAAP EPS to be in the range of $6.26 to $6.39, an increase of 10% to 13%. An adjusted free cash flow margin in the range of 37% to 38%. For the second fiscal quarter, we expect NGS ARR to be in the range of $4.70 to $4.75 billion, an increase of 35% to 36%, remaining performance obligation of $12.9 to $13.0 billion, an increase of 20% to 21%, and revenue to be in the range of $2.22 to $2.25 billion, an increase of 12% to 14%. We expect diluted non-GAAP EPS to be in the range of $1.54 to $1.56 per share, an increase of 5% to 6%. We included our typical modeling points in the presentation for you to review. Finally, as Nikesh noted, we announced today a two-for-one split of Palo Alto Network's common stock. This decision is supported by underlying confidence in our continued business momentum and by our desire to make our stock more accessible to our employees and a broader group of investors. Shareholders of record at the close of trading on December 12th, 2024 will receive one additional share after the close of trading on December 13th, 2024 for every outstanding share held on December 12th. Our stock will begin trading on a split adjusted basis on December 16th, 2024. With that, we will roll one more video and then we'll start Q&A.
To allow for broad participation in the Q&A, I ask that each analyst only ask one question. Our first question will come from Socket Kalia from Barclays, followed by Brad Zelnick from Deutsche Bank. Go ahead, Socket.
Okay, great. Hey, guys, thanks for taking my question and nice start to the year. Maybe this is a question for both you, Nikesh, and Deepak. You know, the platformization strategy is clearly starting to hit its stride. And we've talked about the ARR implications of that longer term, specifically the long-term ARR target. But I'm curious if we can just talk about the margin implications from platformization long-term as those deals tend to be bigger and also tend to have higher lifetime value.
Well, I'm going to add Deepak to add, but look, we look at margin. If you look at the biggest cost on any enterprise company's P&L, it's the cost of sales. by far. The second largest cost is your call as it relates to cloud spend. Now, we are privileged to have some amazing deals with two large cloud service providers, which allow us to maintain margins that are consistent almost with on-prem solutions that other people do because of our scale. And we expect that to continue to improve over time. So at one end, that's a significant factor. The second significant factor towards margin improvement is, as I mentioned, cost of sales. So the more we can platformize with existing customers and have large deal sizes of customers, it reduces our effort. We don't have to get 20 deals to get $20 million. Like some of our peers, we can have one deal for $20 million, which means the cost of sales is lower on an incremental basis as we establish the land and expand strategy from a customer perspective. And last but not the least, I sort of alluded to it, we're noticing some very interesting outcomes from a customer support perspective, which ends up being the third largest area of cost. We're seeing in some cases, our tier one support cases are getting solved by support co-pilots, which our support team they're using. So we're significantly reducing the time to resolution of support tickets, at least on the sort of simpler end for now. But as I said, we've trained 50,000 data points into our network security co-pilot. I think as we get better and better at training our models and training our customer support co-pilots, where we have fully revamped the way we collect data on customer issues, I think there's tremendous potential there to give us future margin expansion. So I think across the board, Margin expansion on COGS, margin expansion from lower cost of sales, and margin expansion from customer support automation.
Great. Thanks, Saket, for the question. Next up is Brad Zelnick from Deutsche Bank, followed by Hamza Farawalla from Morgan Stanley. Go ahead, Brad.
Great. Thanks so much, and congrats on a strong start to the year. Your NetSec competitors are talking about hardware refresh cycles, and I appreciate hardware is a much smaller part of your mix. So I won't bother asking why you're not expecting a refresh benefit like they are.
But we look forward to their refresh cycle, so we get a chance to take out their customers and replace them with our auto. So I'm delighted there's a refresh cycle in the market.
And that's exactly what I wanted to ask. Instead, how should we think about their refresh impacting your opportunity, both in the positive sense that you can go in and displace them as their boxes reach end of life, but also perhaps as a headwind if they're using the event to bundle in SASE, SecOps and other next gen capabilities. Are you running campaigns actively to go after this? Thank you.
So, Brad, let me parse that out. Actually, you know, I know I spoke fast and English is my second language, so I did try to subtly land in there that I am positive about hardware. Or I said we're seeing steady growth in hardware, both from refreshes of boxes for our customers, we're seeing expanded demand for new use cases like ruggedized and IoT, et cetera. And last but not the least, we are seeing slow and steady takeouts of other customers. So what's happening is our SASE cohort from two or three years ago, we landed with SASE. As that end of life happens in that customer base for firewalls, They turn to us and say, now I know the Palo Alto security interface. I don't have to learn it. And they can just put firewalls, hardware firewalls, against that SASE management pain because we have the same security management pain across SASE. So it's not going to be revolutionary, but it is going to be evolutionary. If you look, every year our market share in hardware firewalls goes up 200 to 300 basis points. So we think there are donors in the market of market share who will constantly donate market share as they hit their refresh cycles. And there are acquirers of market share, and we're hopefully one of those. So I actually have a steady expectation from product hardware, which I think is going to underpin our growth across the board over the next few years.
Great, thanks for the question, Brad. Next is Hamza Fadarwala from Morgan Stanley, followed by Brian Essex from JP Morgan. Hamza, go ahead.
All right, great. Good afternoon. Thank you for taking my question and great to see the success with Prisma Access Browser year into that acquisition. Nikesh, I wanted to get your just maybe early view into 2025. I mean, on the one hand, there's some optimism on the macro. You have a lot of new products. On the other hand, CIOs, CISOs, they still want value for what they're spending. There's some talks about the incoming administration looking to perhaps roll back certain regulations, maybe cut entire civilian agencies, you're a big seller into the federal government. So I'm just curious how you weigh those puts and takes as you look into 2025. Thank you.
Thank you, Hamza, for a great question. Look, I think the most, if you separate signal and noise, the biggest signal is AI in the next 12 to 48 months. And AI is already having significant impact both on the attack side, attacks are getting faster and faster and quicker. Basically, AI is possibly being used to evaluate what are the more vulnerable parts of your infrastructure so we can go after that. So I think from a cyber incident perspective, unfortunately, it's not going to slow down. And that's the biggest driver of improved security posture and improved higher spend from CIOs. I think you're right. There is a consolidation. Let me spend less money for security. And there we are discovering it's a more top-down motion than it is a bottom-up motion. And as you're aware, we're expending a lot of effort towards interacting with CIOs and C-level executives. And actually, we're spending a lot more time with our GSI partners trying to address that issue because they're typically involved in the transformation stage where they say, let's take all of this stuff, put it together, and replace it. So we're seeing early success. As I said, we should have done that sooner, because when we sit across the sea, I say, look, you have nine different products. We could bundle it together, take it down, have one management pane, and you'll save a lot of cost. And they understand, because we're not ingesting data nine times across nine products. We're ingesting it once, analyzing it nine times, and giving them the outcomes they want. So I think the trend is in our favor. As regards the incoming administration, I think clearly a higher standard deviation administration by the sounds of it. And highest standard deviation implies more risk, and more risk implies possibly a more return.
All right. Thank you, Hamta. Next up is Brian Essex from JPMorgan, followed by Joe Gallo from Jefferies. Go ahead, Brian.
Thanks, Walter. Thank you for taking that question. And great to see the strong profitability and cash flow, by the way. I want to ask about the integration between Cortex and cloud. And I wanted to understand, you know, when did that kind of hit the market? Is it typically led by Cortex or cloud? And how should we think about how that positions you competitively, not just in the cloud security market, but across all of, you know, Strata, Prisma, Cortex segments of the business?
So like at a higher level, The cloud market is effectively, right now, three parts. There's the entire configuration management part, which is the CNAP part, and posture management part. There is the blocking real-time threats and protecting enterprises part, which is the CDR, cloud detection response part. And then there's the network traffic that needs to be inspected from a firewall perspective. We're clearly leaders in the network traffic part, as we talked about. 70% of our use case is now public-facing cloud service provider traffic. We are still one of the leaders in the CNAP space from our early start in Prisma Cloud. But what I think is going to happen in the next few years is the market is going to shift more and more towards the real-time security side on cloud, which is where CDR, Cloud Socks, XIM become more and more important. So almost every one of our XIM deals, there is a portion of that that is deployed towards cloud security now. And having that data together allows us to prioritize all the configuration issues and separate, again, signal from noise. So I don't let Lee describe a bit more about how we see that evolving, but I think that will change the cast of characters who are going to win in cloud security in the future.
Yeah. Thanks, Nikesh. Thanks, Brian, for the question. Picking up where Nikesh left off, if you think about end-to-end Cloud security, all of the work that goes into the Cloud posture side generates a lot of data and understanding about what assets are deployed, what workloads are deployed, how they're configured, how they might be vulnerable or susceptible to attack. And by connecting that with CDR, it allows us to both leverage that for better protection of the cloud workloads in real time, and vice versa, it allows us to leverage all the runtime, cloud runtime components back into posture from a mediation perspective. And so we initiated this early this year with the initial launch of CDR, which basically connects Prisma Cloud with Cortex. And then since then, we've been continuing to iterate on that and drive closer and closer integration between those two platforms.
Great. Thank you.
Great. Thanks, Brian. Next up, Joe Gallo from Jefferies, followed by Matt Hedberg from RBC. Go ahead, Joe.
Hey, guys. Thanks for the question. I think you could characterize cyber guidance broadly for calendar 4Q as tepid at best, but yet your F2Q guide calls for an acceleration in RPO and really strong ARR. So, I mean, what are you seeing with budget flush or Fed or pipeline that's allowing you to kind of defy the gravity that others are feeling? Thanks.
Well, I think we covered a lot of these, Joe, in our prepared remarks. I mean, we've got a product portfolio that we feel very proud of. We've just recently done an IBM acquisition where we have a lot of additional pipeline that's coming through the pipeline there. And hopefully, we've proven over the last few years that we have a forecasting process that we feel comfortable manages the business. So I don't want to comment about others, but we really focus more on what we see. Maybe your comment is just proof positive that our platformization strategy is working and is somewhat unique.
Great. Thanks for the question, Joe. Matt Hedberg, go ahead, followed by Greg Moskowitz after that.
Thanks for taking my questions, guys. You know, what stood out to me, the large deal success was striking. And you spent a lot of time talking about platformization. Things like Q1 brings a whole other level to it. Could you talk about specifically on the SIM side of it, the NGS? It really does seem like there's a next-gen SIM replacement opportunity here. And we've talked a lot about some of the competitors with Splunk. Can you talk about just like what are some of the catalysts to unlock some of these large replacement deals? I know they take a long time, but curious if there's anything that you guys can do to accelerate that.
Matt, look, we're very happy. In two years since going GA on XIM, we're positively enthused about the progress we've made. We've crossed a billion dollars in ARR and Cortex. We're seeing larger and larger XIM deals. We have 150 customers. And as we mentioned, we have a robust pipeline north of a billion dollars. This is the fastest-going product in the history of cybersecurity at scale. Now, the good news is there are two or three very interesting characteristics of the SIM market. If you look at the SIM market, 90% of the SIMs, are of technology that is 10 to 15 years old. If you go back and look at the history of what SIMS are, what the security are, logarithm, Exabeam, JASP, Sumo Logic, Splunk, these things are 10, 7, 10, 15 years old. I think there's a new breed of SIM players that is fast coming in to replace these legacy SIMs. I think we're going to go through a SIM replacement cycle that we went through the endpoint replacement cycle from Symantec and McAfee to the XDR vendors. I think it is the moment of SIM now for the next five years. Now, interestingly, every SIM deal that we see, we are able to deliver a much better security posture and median time to remediate and detect. which is better than the current deployment, and we're able to save cost. So from a compelling proposition perspective, this is a no-brainer. You come and say, I know you're spending $10 million a year running your SOC. I can do it for nine. I can consolidate, and I can improve your median time to remediate from four days, in many cases from 19 minutes to four hours. So that's a compelling proposition. We are seeing tremendous amount of interest in the market. We have created a compelling event in the case of QRadar customers because they have to migrate to us or elsewhere. And we're seeing enough traction where people are considering Palo Alto instead. So I think the next three to five years you will notice that the entire 20 billion TAM of SIM is going to go through upheaval.
Great. Thanks for the question, Matt. Next up, Greg Moskowitz from Mizzou, followed by Rob Owens from Piper Sandler. Go ahead, Greg.
Great. Thanks for taking the question. Nikesh, now that we're a few quarters into the platformization go-to-market, I'd love to get a little more of a flavor of how it's going. Is there an aspect or two of the strategy that's been most successful so far? For example, if you were to look at traction with legacy trade-ins versus introductory offers or more multi-product incentives, what would you say is resonating the most with customers?
The thing that seems to resonate the most, Greg, is elimination of execution risk. And what I mean by that is when I go to a customer saying, okay, let's go do this in a phased manner, we'll replace your SASE or deploy SASE for you, and then phase two, we'll come in and replace your firewalls, they like that. If I say, don't worry, I'll start executing today, and you can start paying me when you stop paying the other vendor, that's kind of the... That's like the golden bear hug, because the biggest risk they have is, wait, I have to go extend that other deal by one year. Guess what? That you're sending a signal to the other vendor, you're out in a year, so the prices go up. And I say, don't worry about it. Let's start executing now, and we're deployed. You can pay me when the current contract expires. That elimination risk is resonating the most. Again, the customers fully understand that we're going to get our pound of flesh in the year two or year three of that deal, so they understand there is no free lunch. But eliminating that execution risk goes a long way. I think, as I said to Hamza and I said in our prepared remarks, it really helps us step back and say, look, what are you trying to achieve? And in many cases, we've been able to converge XDR and SIM RFPs, for example, saying, listen, 50% of data is going to go into XDR, which is going to be one vendor. That data is needed for AI-based or machine learning-based analysis across your entire stack. Why wouldn't you make sure that that data can be part of the SIM and be used to improve your posture and get better, faster outcomes?
Thank you. Great. Thank you, Greg. Next question, Rob Owens from Piper Sandler, followed by Gray Powell from PTIG.
Yeah, thanks, Walter. And Nikesh, as part of your prepared remarks, I'd love for you to build on the data security. And, you know, another one of those holy grails alongside next generation SIM, of course, is data that everybody's chasing. So what you're seeing from end customers, I know you've made acquisitions of a DSPM capability in the space, but how you see Palo Alto's evolution longer term relative to the data opportunity? Thanks.
Thanks, Rob. Look, take a step back. Data security is a longstanding sort of product category that's often been very painful.
It's difficult to be accurate in data classification, it's difficult to figure out what policies to enforce, and it's difficult to do that holistically everywhere that data might exist and need to be protected. There's two pieces to our data security strategy that you've seen us evolve. First is around getting coverage of all the places where data might exist, and improving the data classification capabilities within those. So, over the last six months, we've launched AI-based data classification, leveraging large language models, machine learning models to get more and more accurate in data classification, being able to apply that to all different places where data can exist and move. The second piece, and very importantly, is the tie-in with Prisma Access Browser. The way that users interact with data, access it, download it, share it, is one of the highest risk areas for data security, and historically has been very difficult to get all of the necessary context for enforcing an accurate policy. Within the secure browser, we get all of the context needed. And what we're already seeing with the early adopters of Prisma Access Browser is the realization that this one component of what it does is effectively a next-gen data security component for how they secure data interaction with all of their employees. And this is part of the reason why the browser is expanding from being primarily focused on unmanaged device and third-party contractors to actually being something that applies to all devices and all users across the entire enterprise.
Great. Thanks, Rob, for the question there. Next up is Gray Powell from BTIG, followed by Andy Nowinski from Wells Fargo. Go ahead, Gray.
All right, great. Thanks for letting me ask a question on the call. I really appreciate it. So I have to admit, I'm a little confused on the NGS ARR statistics. If I look at the numbers and back out the QRadar deal, you added around 230 million in net new ARR this quarter versus 270 a year ago um that metric's never been down um on a year-over-year basis before so is there something i'm missing or something with the acquisition that maybe i'm not thinking about or just like what was the driver there and then for the full year increase to ngs arr um how much of that is organic versus um you know full visibility on the q radar asset
So let me answer both, Graham. Let me just start off with the NGS ARR was above our guidance. So some of this we already knew when we provided the guidance. But some of the products that move into NGS ARR have also been the advanced versions of our cloud subscriptions from a year ago, so things that were attached to our firewalls where we made them cloud enabled. Some of that happened last year, which is what led to a lot of the increase in the ARR. We're now lapping that. So that's really the bigger explanation of the base. We knew that. That's why we included that in our guidance to begin with. When it comes to what's happening with Q Radar, we talked about the one-time benefit. Our strategy is to convert all of the customers to XIM over time. We expect about... half of that to occur within this year so we would expect maybe half of that um additional ngs arr to be there by the end of the year so great i think to to recast what deepak said you have seen the peak uh inorganic ngs ar this quarter at 74 million or is that the number
from ibm and half of that we will migrate to us and we expect half of that still stay on q rock for to the end of this fiscal year so there's no more net new inorganic ngsa are expected this year understood okay thank you all right great thanks ray next up andy nowinski from wells fargo followed by fatima balani from city go ahead andy
Great, thank you. Good afternoon and great results this afternoon. I wanted to ask you about the Prisma SASE. You highlighted a number of large deals that either deployed SASE or they expanded with SASE. And I know it's bringing a lot of new customers, which is great, but I was wondering if you could provide an update on the growth of ARR from that solution, whether those new customers you're bringing into Palo Alto onto the platform are coming at the expense of other vendors or are those, were they just not using any SASE solution previously? Thank you.
So all of the above. There are some customers who are going through a network transformation and they're now replacing their legacy VPN, VPN clients or other solutions they've had in the past. In some cases, there are competitive vendors who only had a Internet proxy based deployment with legacy VPN, or in some cases, Palo Alto VPN, which is converting to a full SASE solution from us. So we see all variants of that, as we said. 40% of them are net new logos to us, which means they are not deploying a Palo Alto VPN. They are deploying our SASE solution. So we're seeing all of that. I just think the SASE market, as I've said in the past, is a fast-growing market. We have clearly established ourselves as one of the top three players in the market. I think we're definitely growing faster than some of the others, at least one more of the other top three players in the market. And we particularly like the SASE space because We're always innovating, providing new stuff. Basically, as I said in my remarks, we've made it available to every existing SASE customer. They can deploy Prisma Access Browser for the unused licenses, so they can actually experience the browser. It's integrated, it's in the same management pane, it's the same UI. Yeah, so I guess feel positive about it. We haven't quite reached a billion dollars yet, as we've told you, but we're looking forward to it.
Thank you.
Great.
Thanks, Andy. Fatima Balani from Citi's up next. And our last question will be from Roger Boyd from UBS. Fatima, go ahead.
Thank you. Good afternoon. I appreciate you taking my questions. You know, I think the topic du jour is definitely QRadar and a lot of the momentum that you've been seeing, the 80 million or more than 80 million of bookings that you've already seen in the short amount of time. What I wanted to actually shift gears on is on the on-premise side of the QRadar business. And Nikesh, some of your commentary, which I think is so apropos, there is just a stodgy, stale technology in the SIM market, right? So that 500 million or so of revenue that is just still captive in the queue radar on premise space, what is the thought process, the strategy to really forklift those customers to the goodies and XIM? And as you think about the arc of the next 12 to 24 months, How should we think about, you know, a multiplier effect on that business to really give Cortex the booster shot to have it potentially be your biggest pillar?
Yeah, Fatima, we had our board meeting yesterday, and one of my board members and I had this debate about which deal is going to look like the best deal Palo Alto ever did. And my bet isn't the IBM deal. He bet on the talent deal. Of course, I'd like both of them to be equally successful. But specifically as it relates to Curator, Our teams are very focused. Since close, we've called the top 500 customers and reached out to see if we can support the migration from QRock to Palo Alto. This is irrespective of whether they are QRock or on-prem. I mentioned a billion-dollar pipeline. That billion-dollar pipeline is a hybrid pipeline of both QRock and on-prem customers. the message is out there to on-prem customers that this technology will also over time be migrated and I have to say IBM is doing a phenomenal job working with us and being proactive with those customers where we go I had a call yesterday with the CIO where IBM and us were together in the room or we're talking to the customer saying they will provide the migration services they'll work on the on the migrating the rules from QRadar to Palo Alto XIM and we're gonna do it together so and Look, we haven't done a partnership like this ever in the history of our company. I haven't seen one in the cybersecurity industry yet. We have a lot of expectations, but it's a lot of execution, a lot of hard work. It's not going to happen because I snap my fingers, but our teams are focused, we're dedicated, we're trying to do that. I think this will propel us into the top three SIM players in the market in the next two years. From nowhere. We did not play in this space two years ago.
Thank you. I appreciate that. Last question, Roger Boyd, to wrap it up. Go ahead, Roger.
Great. Thanks, Walter. Deepak, you noted that contract duration on new business remained constant at roughly three years. Can you comment on what you're seeing with renewal and upsell business, and particularly when customers are renewing on a platform deals and adopting XI, which carries longer duration? I guess as we look to gauge success as some of these platformization deals, shouldn't we expect to see contracts lengthen as customers place more strategic bets on your platform? Thanks.
Yeah, so I think, Roger, thanks a lot for the question. Look, at the end of the day, we're a large company with lots of different customers. We're definitely seeing the dynamic that you mentioned on some customers. We also see dynamics where other customers are saying, look, I know that there's a lot more innovation to come. let me go shorter duration on the renewals because that could be ahead of a large platformization in the future. So we see a little bit of everything. I think on the renewals, just the data trended slightly up, but nothing significant.
Got it. Super helpful. Thank you.
Great. Thank you, Roger. And that'll end the Q&A. I'll turn the call back over to Nikesh for his closing remarks.
Thank you, everyone, once again for joining us. As I said, I'm very excited about our great start to F525. We look forward to seeing many of you at upcoming investor events. I also want to thank all of our employees who put in a lot of hard work to help us deliver these amazing results. And also, of course, I want to thank all of our customers to Trusting Palo Alto for delivering cybersecurity solutions to them. With that, have a wonderful day.