This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.

Rubrik, Inc.
12/5/2024
please stand by we're about to begin good afternoon everyone welcome to the rubric third quarter fiscal year 2025 results conference call at this time all participants are in the listen-only mode later you will have the opportunity to ask questions during the question and answer session you may register to ask a question at any time by pressing star 1 on your telephone keypad also today's call is being recorded and if you should need any operator assistance during the call today please press star zero. Now at this time, I'll turn things over to Melissa Franke, Vice President, Head of Investor Relations at Rubrik. Please go ahead, ma'am.
Hello, everyone. Welcome to Rubrik's third quarter fiscal year 2025 financial results conference call. On the call with me today are Bipul Sinha, CEO, Chairman, and co-founder of Rubrik, and Kiran Chowdhury, Chief Financial Officer. Our earnings press release was issued today after the market closed and may be downloaded from the Investor Relations page at www.ir.rubric.com. Also on this page, you'll be able to find a slide deck with financial highlights that, along with our earnings release, includes the reconciliation of GAAP to non-GAAP financial results. These measures should not be considered in isolation from or as a substitute for financial information prepared in accordance with GAAP. During this call, we will make forward-looking statements, including statements regarding our financial outlook for the fourth quarter and full fiscal year 2025, our expectations regarding market trends, our market position, opportunities, including with respect to generative AI, growth strategy, product initiatives, and expectations regarding those initiatives, and our go-to-market motions. These statements are only predictions that are based on what we believe today, and actual results may differ materially. These forward-looking statements are subject to risks and other factors that could affect our performance and financial results, which we discussed in detail in our filings with the SEC. Rubric assumes no obligation to update any forward-looking statements we may make on today's call. With that, I'll hand the call over to Biffle.
Thank you, Melissa. And thank you everyone for joining us today. Now let's get started. Rubrik delivered another outstanding quarter. We not only achieved very strong growth at a scale, but also generated positive free cash flow. We are incredibly proud to have surpassed 1 billion in subscription ARR, growing 38% year over year. And we did this in just over 10 years since Rubrik was founded. a big milestone for us. This quarter, once again, we have exceeded all top-line and profitability-guided metrics. And more importantly, we are raising our outlook for the rest of the fiscal 25. Here are the five key numbers that highlight yet another positive quarter for Rufex. First, and this is a record, we added $83 million in net new subscription ARRs. a clear indication that we are winning the cyber resilience market. Second, our subscription revenue was over 221 million, growing 55% year-over-year. Third, our subscription NRR remained strong, above 120%. Fourth, customers with 100K or more in subscription ARR reached 2,085, growing 32% year-over-year. And finally, on profitability, we once again made material improvement in subscription ARR contribution margin of 1,100 basis point year-over-year. On the cash generation front, we are very happy to report we had over $15 million in free cash flow this quarter. Once again, these results are only possible because Rubrik is winning the cyber resilience market. Now let's look at why we are winning. Cyber resilience is the number one topic in cybersecurity. There is a broad realization that cyber attacks and breaches are inevitable. And therefore, organizations have to be resilient against such attacks. Rubrik has a unique architecture and solution for cyber recovery and resilience. This is what is powering our growth and market momentum. Let me unpack this in three parts. Number one, Rubrik delivers the fastest cyber recovery for our customers. This is due to our unique AI powered zero trust architecture. Number two, Rubrik Security Cloud or RSC offers a differentiated single platform for automated data management and security control, across all workloads, across enterprise, cloud, and SaaS applications. And number three, we are the only vendor in the market that combines fast cyber recovery with data security posture management, or DSPM. We believe DSPM plus cyber recovery is the only way to deliver complete cyber resilience. In summary, Enterprises are turning to Rubrik as their trusted cyber resilience partner because we can confidently meet their cyber recovery time objective or RTO. Let's talk about how our focus on cyber resilience drove these strong results in the third quarter and how our investments in innovation are enabling us to deliver even greater value to our customers over the long run. As the outset, Rubrik built a unique zero trust architecture that combines data and metadata from business applications. This architecture allows us to apply AI and machine learning directly to the business data to provide customers with the visibility into the scope of the attack, the time of infection, the sensitivity of the impacted data, and the ability to do malware hunting and quarantining. We deliver all these functionalities natively, not with bolt-on security tools or third-party integrations. This differentiated architecture enables us to uniquely pre-calculate clean recovery points so that our customers can deliver the fastest cyber recovery times. This transforms cyber recovery from a long, drawn-out affair with significant business disruption and loss to a simple and efficient recovery operation with minimal impact. This is why we continue to win the vast majority of deals in competitive situations. Let me give you a few examples. This quarter, a global engineering and construction service provider selected Rubrik to protect its entire data ecosystem, including SAS data protection for Microsoft 365. This was driven by a board mandate seeking to consolidate multiple backup providers and improve cyber recovery time. In a proof of concept with other new gen backup providers, Rubrik was the only vendor that beat their required RTO of less than four hours for their mission critical applications. Another logo win was with a Fortune 20 healthcare company. That selected Rubrik as their only cyber resilience partner. After a thorough evaluation, we were the only immutable cyber resilience provider that could meet the organization's RTO, both on-premises as well as in the cloud. In addition, adoption of RSC Enterprise Edition allows this customer to rip and replace six disparate new gen and legacy backup vendors while delivering superior cybersecurity functionality. And lastly, we had a win this quarter with Simpler, a healthcare technology company that provides access to systems critical to patient care across 5,000 hospitals and networks in the U.S. Rubric was selected over other new gen and legacy backup vendors due to our strong cyber resilience and cybersecurity capabilities. Simpler CEO remarked, quote, downtime can be a matter of life and death in healthcare industry. Rubik was the only vendor that met our security standards, met recovery objectives for our business, and demonstrated a commitment to continued innovation to combat modern adversaries." We continue to drive innovation to expand the reach of Rubik's Security Cloud Platform. We recently added PostgreSQL and Red Hat OpenShift virtualization to our growing portfolio of hybrid cloud workloads. This expands our wallet share within enterprises that are transforming their hybrid cloud solutions. Turning now to the success we are seeing in protecting public cloud and SaaS applications. Enterprises are adopting rubric cloud protection for our simplified policy management across multiple cloud and SaaS workloads, our fast recovery time, and our ability to drive immediate cost savings. As more businesses move more workloads to public cloud infrastructure and adopt SaaS applications, rubric cloud protection becomes an even more essential component of enterprise security stack. Let me highlight a few examples of new logos as well as expansion wins with cloud protection. This quarter, a pharmaceutical giant selected rubric to protect its AWS cloud data estate after evaluating multiple new gen and legacy backup providers. This customer consolidated disparate cloud native and legacy backup deployments into rubrics single platform. This resulted in a 35% total cost of ownership savings for the customer compared to their prior backup solution for AWS. All while providing faster recovery times and superior cybersecurity features. Another new logo is an Indian multinational company that selected Rubrik cloud native protection for their Azure environment in Q3. This company simplified its vendor landscape with Rubrik, replacing multiple legacy and cloud native backup providers. This drove 40% hard cost savings compared to their prior deployment. In a notable expansion deal, a top Japanese automaker selected Rubrik to protect its large and critical M365 environment after evaluating Rubrik against a legacy backup provider. This customer selected Rubrik for our superior security features and ease of use for the IT and security teams. Now moving on to data security posture management or DSPM. DSPM provides visibility into sensitive data exposure to minimize surface area of attack and the risk of data exfiltration. We are the only vendor in the market to offer DSPM plus cyber recovery in an integrated platform. This allows us to deliver complete cyber resilience before, during, and after an attack. Our complete cyber resilience value proposition is resonating with customers as demonstrated by growing volume of DSPM deals. which nearly doubled quarter on quarter in Q3. One example of a DSPM win, a large healthcare organization added DSPM and Rubik's Security Cloud Enterprise Edition for their enterprise workload to their existing Rubik footprint, which was purchased just last quarter. This customer displaced an existing DSPM vendor with Rubik's solution as we offered superior capabilities around managing sensitive data risk as well as the ability to deliver a fast recovery in case of a cyber attack. In addition, the adoption of GenAI applications such as M365 Copilot brings an urgency to DSPM adoption. What makes Copilot such a powerful tool is its ability to leverage content across a company to provide accurate and relevant insight. However, companies need to have the right data security controls in place to ensure Sensitive data remains secure when using AI tools such as Copilot. This quarter we announced Rubrik DSTM for M365 Copilot. This new set of capabilities not only helps enterprises reduce the risk of sensitive data exposure and exfiltration, but also helps them accelerate the secure adoption of Copilot. Rubrik's powerful classification engine is designed to continuously and autonomously discover and classify all known and unknown data at a very rapid rate. Rubik DSPM for M365 Copilot is designed to ensure sensitive data is correctly classified, labeled, and segmented while ensuring right access permissions. This allows customers to leverage the power of Copilot while safeguarding sensitive data from the risk of exposure all within our comprehensive cyber resilience platform. Next, innovation is absolutely critical to building an enduring company. So let's talk about some of the big ideas that we are working on. As some of you might have read in our IPO prospectus, Rubik by design perpetually lives on the frontier of innovation. And our long-term success depends upon our ability to continuously create and commercialize pioneering products. In this vein, just this week at AWS reInvent, we announced Rubrik Annapurna, which along with an exciting new partnership with AWS will accelerate the development of trusted gen AI applications. There are three parts to this groundbreaking innovation. Number one, Rubrik Annapurna API service will allow customers to have ready to go access to all business data to quickly build more powerful and trusted GenAI applications. Number two, Annapurna will deliver secure data embedding powered by RSC. And number three, Rubrik Annapurna leverages all enterprise data and metadata in RSC to easily set and manage data access controls for AI applications. We believe we are uniquely positioned to enable GenAI adoption in a secure and compliant manner, which is a top priority for enterprises. We are excited about what we can do with Annapurna because Rubrik extracts, manages, and secures the most important real estate in the brave new world of GenAI, business data. However, I would like to note that we are in the very early innings of a multi-year strategy for Rubrik to be the secure data infrastructure platform for GenAI applications. We look forward to providing more color on this roadmap as it advances in the next several years. Now let's discuss a few notable updates to our partnership across the security and data landscape, a key component of our go-to-market motion. Our strategic partnership focused first and foremost on creating more value for our joint customers to product integrations so that one plus one equals more than two for our customers. A few examples from Q3. This quarter, Rubrik became the first data security platform vendor to integrate with Okta's identity threat protection. RSC provides visibility into user access to data and automatically monitors for changes to access permissions to sensitive data. The data context from RSC combined with threat context from other security tools allows Okta to orchestrate tailored response based on policy configuration and assist user risk level. This integration helps companies manage risk around sensitive data access and respond to identity-based threats and attacks faster and more effectively. We also announced a new partnership with Pure Storage. joining forces to deliver a complete cyber-resilient solution. This partnership combines the strength of RSC with Pure Storage FlashArray and FlashBlade to deliver a secure approach to data protection across short-term and long-term storage needs. As an example, Rubik plus Pure's FlashArray and FlashBlade can reduce backup windows from hours to minutes, and Rubik allows Pure customers to find anomalies, hunt for threats, and discover sensitive data in their production environment. Lastly, let me discuss business efficiency and profitability. As discussed last quarter, we are focused on delivering leverage and profitability in our business model. Our Q3 results demonstrate this commitment, with subscription ARR contribution margin up by over 1,100 basis points year on year. We look forward to continued improvements based on our increasing scale, our focus on efficiency in the go-to-market, and our disciplined investment for growth. We are incredibly proud to have surpassed $1 billion in subscription ARR with this level of growth and improving profitability. Thank you very much to all rubricants for helping achieve this milestone, and more importantly, for your relentless focus on innovation and creating the next horizon for rubric. We are also very grateful to our customers, partners, and investors for their continued support. But let me be very clear. It is still very early days of the Rubrik story. We are creating a new vision for the cybersecurity industry based on cyber resilience. I'm personally even more excited today than I was at our founding in 2014 for what's ahead for Rubrik. With that, I'm pleased to pass it over to our Chief Financial Officer, Kiran Chaudhary.
Thank you, Bipol. Good afternoon, everyone, and thank you for joining us today. We posted outstanding results in the third quarter, and we exceeded our guidance across all metrics. Q3 was highlighted by strong top-line growth at scale due to our leadership in the growing market for cyber resilience, significant expansions within our existing customer base, and strong continued improvement in profitability. Let me start by briefly recapping our third quarter fiscal 2025 financial results and key operating metrics, and then I'll provide guidance for the fourth quarter and full year fiscal 2025. All comparisons, unless otherwise noted, are on a year-over-year basis. Subscription ARR best illustrates the momentum of our business and we are incredibly proud to have surpassed $1 billion in Q3, growing 38%. We added $83 million in net new subscription ARR. We continue to drive adoption of our rubric security cloud, which resulted in $769 million of cloud ARR, up 69%. Our subscription ARR growth benefited approximately two percentage points from transitioning our declining maintenance base to subscription. We have a differentiated learn and expand model, where we have multiple avenues to acquire new customers and expand relationships with our customers after the initial contract. We can expand through the growth of data and applications already secured by Rubrik, through the expansion of our footprint of applications secured, and or by the addition of more security functionality. As a result, we continue to see a strong subscription net retention rate which remained over 120% in the third quarter. All vectors of expansion are healthy contributors to our net retention rate, highlighting the meaningful runway we have to more deeply penetrate our customer base. Adoption of additional security functionality remains at approximately one third of our subscription net retention rate, stable from last quarter, but up from approximately a quarter in the year-ago period. We ended the third quarter with 2,085 customers with subscription ARR of $100,000 or more, up 32%. These larger customers now contribute 83% of our subscription ARR, up from 79% in the year-ago period, as we become an increasingly strategic partner to our enterprise customers. For our third quarter in fiscal 2025, subscription revenue was $222 million, up 55%. Total revenue was $236 million, up 43%. The Q3 revenue outperformance related to our guidance reflects our strong ARR growth and higher-than-expected upfront and non-recurring revenue. This is due to higher-than-expected new sales and renewals of RSC Private from regulated and government verticals in Q3, as well as the extension of transition licenses to some of our customers as they progress through the adoption of Rubric Security Cloud. Turning to the geographic mix of revenue, Revenue from Americas grew 46 percent to $169 million. Revenue from outside Americas grew 35 percent to $67 million. Before turning to gross margins, expenses, and profitability, I would like to note that I will be discussing non-GAAP results going forward. We are committed to balancing strong growth at scale with improving profitability. We are focused on delivering strong gross margins improving our subscription ARR contribution margin, and growing free cash flow. We're achieving this leveraging the benefits of scale, as well as improving efficiencies and management of costs across the business. Our non-GAAP gross margin was 79% in the third quarter, compared to 80% in the year-ago period. Our gross margins continue to benefit from improved efficiency of our customer support organization, offset by continued investments in our cloud hosting infrastructure. We benefited from one-time cloud hosting credits this quarter, which bolstered our gross margins by approximately 150 basis points. The gross margin also benefited from the revenue outperformance, including the higher than expected non-recurring revenue. These benefits are non-recurring in nature, and we anticipate total gross margin to stay at the lower end of our long-term target of 75% to 80%. As a reminder, we look at subscription ARR contribution margin as a key measure of operating leverage supporting our path to profitability. We believe the improvement in our subscription ARR contribution margin demonstrates our ability to drive operating leverage and profitability at scale. Subscription ARR contribution margin was negative 3%, and the last 12 months ended October 31st compared to negative 14% in the year-ago period, an improvement of over 1,100 basis points. The improvement in subscription ARR contribution margin was driven by a growing scale and continued focus on driving leverage across the organization. In particular, our sales and marketing expense as a percentage of subscription error moved down approximately 1,000 basis points year on year. We expect to see further improvements in sales and marketing as we deliver on greater organizational efficiencies, improving cost of acquisition, and a ramping renewal base. Pre-cash flow was $15.6 million compared to $3.5 million in the third quarter of fiscal 2024. This increase was driven by improved scale, operating leverage, and working capital improvements, offset by a slightly higher mix of annual and monthly consumption payments and shorter contract terms relative to the year-ago period. Turning to our outlook, we remain confident about the strength of the cyber resilience market and demand for our differentiated offerings. We believe these drivers Alongside our strong and consistent execution, we'll deliver strong subscription era growth ahead. Revenue and revenue growth can fluctuate to a number of variables, including the pace at which we add new rubric security cloud customers, or RSC, and the pace at which we continue to migrate our existing customers to RSC. In terms of operating expenses, we plan to continue to invest into this enormous opportunity ahead of us while delivering efficient growth at scale. Now turning to guidance for the fourth quarter and full year fiscal 2025. In Q4, we expect revenue of $231.5 million to $233.5 million, up 32% to 33%. We expect non-GAAP EPS of negative $0.41 to negative $0.37 based on approximately 187 million weighted average shares outstanding. For the full year fiscal 2025, We are pleased to raise our guidance across both our top line and profitability metrics. We now expect subscription ARR in the range of $1,057,000,000 to $1,061,000,000, reflecting a year-over-year growth rate of approximately 35%. We expect total revenue for the full year fiscal 2025 in the range of $860,000,000 to $862,000,000, implying approximately 37% growth. We expect non-GAAP subscription ARR contribution margins between negative 3% and negative 2% reflecting further margin improvement from Q3. We expect non-GAAP EPS of negative $1.86 to negative $1.82 based on approximately 154 million weighted average shares outstanding for the full year. We expect free cash flow of negative $45 million to negative $39 million, or negative $22 million to negative $16 million, excluding the $23 million in one-time payroll tax associated with our IPO. And finally, while we are still early in our planning for next year, I wanted to call out a few high-level modeling points for fiscal 2026. As a reminder, the benefit for subscription AR growth from the conversion of maintenance to subscription has been moderating, and we saw approximately two points of benefit in Q3. We are not expecting any benefit to growth from converting maintenance to subscription ARR in fiscal 2026. In addition, historically we see higher net new subscription ARR in the second half of the year versus the first half. As we have discussed previously, we had an exceptional start to fiscal 2025, which offset typical seasonality. In fiscal 2026, we expect to see more normalized quarterly seasonality in subscription ARR. In terms of profitability, we have made strong progress in business efficiency so far this fiscal year, and we also continue to stay focused on free cash flow generation. Based on where we stand right now, after completing the third quarter, we expect to deliver break-even or better subscription ARR contribution margin and modestly positive free cash flow for the fiscal year 2026. We look forward to providing our fiscal year 2026 outlook on our Q4 fiscal 2025 earnings call. In closing, we are pleased with our performance in the third quarter and our higher outlook for the full year. Looking forward, we believe we are well positioned to continue to deliver efficient and durable growth given the large and growing opportunity for cyber resilience and our leadership, innovation, and ability to execute on our vision. We look forward to seeing many of you on the road in the coming months, including at the upcoming Barclays Conference. With that, we'd like to open up the call for any questions.
Thank you, Mr. Chaudhry. Ladies and gentlemen, at this time, if you do have any questions, please press star 1, and if you find that your question has been addressed, you may remove yourself from the queue by pressing star 2. We'll go first this afternoon to Saket Kalia at Barclays.
Okay, great. Hey, guys. Thanks for taking my questions here, and congrats on reaching the billion-dollar ARR mark. Thank you, Saqib. Absolutely. Bipul, maybe just to start with you, you know, in your prepared remarks, I thought you had some great examples of customer wins where cloud backups seemed like the main reason for the win. And I think that some of us sometimes wonder what backup for cloud applications and cloud workloads look like since the cloud presumably provides some sort of native backup. So maybe the question is, can you just talk about what you hear from customers about their desire to use third-party data protection tools like Rubrik for cloud workloads versus maybe relying on a backup solution from their cloud provider. There was a lot there, but does that make sense?
It does. Rubrik has a huge opportunity in the cloud. And the reason is that cyber resilience is needed wherever your application and data resides. But the fundamental question is that you have your data in three clouds, five SaaS applications, and five data centers, and you can't have different methods to do cyber recovery in different places. Because if you have to turn 30 knobs when you had a bad breach, you will be down for a very long time. So customers are looking for a single policy engine and single security controls to actually deliver cyber recovery across all of their data states. And that's why we are winning in the cloud, because we have a very comprehensive solution for all the native cloud providers, as well as data centers, as well as SaaS applications such as Salesforce and M365. As an example, this quarter in Q3, a Fortune 500 insurance company came to us to actually replace their native backup solution on their cloud platform with Rubrik cloud native protection because they wanted the consolidated, again, policy management and security controls across all of their data so that they can have a native data threat engine that Rubrik provides for complete visibility control and being able to confidently do cyber recovery when the inevitable cyber attack happens.
Got it. Got it. That makes a ton of sense. Karen, maybe for my follow-up for you, you know, the contribution margin here continues to improve, and it was great to hear that that can be breakeven next year. And you correct me there if I'm wrong. But maybe the question is, how do you sort of think about that in terms of your pace of investments going into next year? And how long of a lag do you think about sort of reported operating income sort of following that contribution margin?
Thanks for the question. So we are very pleased with the progression we have made in margin to date. You know, this quarter we delivered minus 3% subscription margin, which was almost 500 basis points better than the last quarter Q2 and 1100 plus basis points year over year. But really the drivers of the progression and margin are twofold. One is the top line scale and outperformance, but also the work we've been doing on efficiency both across sales and marketing. and R&D in terms of the big investment areas for us. And we look to improve that further based on the guidance we gave for Q4, finishing up this year. And I did mention in my prepared remarks that based on where we are today after the third quarter, our goal is to be subscription ARR contribution margin break even or better next fiscal year. that's how we are thinking about the goal is to build a profitable uh growth business here now when it comes to uh the operating margin uh we expect that to follow uh after subscription margin normally i would think that will follow within you know a few quarters but uh just to remind uh everybody that we went through a cloud transformation we're nearing the end of it but that suppressed our revenue under a top line accounting perspective for some time and because of that the lag will be longer but uh Subscription era margin is the leading indicator for up margin over time.
Very helpful, guys. Thanks.
Thank you. We go next now to Fatima Bulani at Citi.
Oh, good afternoon. Thank you for taking my question. Kieran, you made an interesting point on the prepared remarks that I wanted to drill into with regards to DSPM deals doubling in volume sequentially. I wanted to ask about how much this is contributing to the pipeline and or potentially shortening some of your deal cycles. And then I have a follow-up for Kiran. Please, thank you.
Thanks, Fatima. Let me give you a little bit of a business color, and then Kiran might add some more details. In terms of, like, DSPM, we are continuing to see a strong traction with DSPM, and as I mentioned in our prepared remarks, that number of customers doubled quarter over quarter in Q3. The issue is DSPM provides data risk and data threat visibility, and then combination of DSPM plus cyber recovery is the complete cyber resilience. And since generative AI is now pulling data from the nooks and crannies of enterprise applications, Folks need to understand the sensitivity of the content to be able to deliver responsible AI. And that is also our attempt in terms of the rubric DSPM for Microsoft Co-Pilot. In fact, the healthcare organization in Q3 added DSPM to their existing rubric footprint because their chief information and digital officer was concerned about their ability to recover quickly. And they actually replaced their existing DSPM vendor to be able to offer superior cyber resilience capability and be able to understand the data risk, data threat, and to be able to deliver fast cyber recovery.
I think on your sales cycles question, DSPM is still a relatively smaller part of our business, so it's not influencing our overall sales cycles, which have been stable this year.
Thank you, Karen. And just on the free cash flow outlook, the preliminary outlook you shared for fiscal 26, very much appreciate that color looking out. But you did talk about some consumption-related headwinds that are starting to peak into the profile this year. I'm wondering if you can give us a quick refresher on what some of the parts of the product portfolio are more tethered to the consumption modality of if you will, of pricing and how much of an impact that could potentially have as maybe sort of a headwind for next year to think about. Thank you.
Sure, Fatima. So I'll point out that it's not consumption specifically. It is more related to the shorter term and shorter invoicing cycles for some of our cloud and SaaS products. As we progress more into selling some of those products, some of our customers prefer to buy it the data security portion from us in line with how they purchase the core cloud or SaaS products like Microsoft 365. So we have seen over the past several quarters a bit of a shortening on contract cycles as well as invoice cycles. And that is what I've referred to as modest headwinds to pre-cash flow through this year as well. And as we think about next year, we're not giving guidance or an outlook yet. We'll do that after our Q4 call. But in regards to the comment on cash flow positive as a modeling point, we would expect some further modest compression as well.
Very clear. Thank you. Thank you.
We'll go next now to Cash Rangan at Goldman Sachs.
Hi. Thank you very much. Congratulations to the rubric team. My question to you, Bipul, and I have one for Kiran as well. You've always maintained the view that the TAMFORD rubric in this cycle is not just a replacement of the legacy technology, but also participation of the broader budget pool available to you in cybersecurity. That would make it truly a more sustainable growth company. I'm wondering if you could point to any evidence in the quarter and evidence in the pipeline that you see the time in cybersecurity, which is a vast, bigger pool of spending than the legacy business, and how that is helping your business. Are you able to participate in those new budgets? And once again, congratulations on the operating efficiency improvement. How sustainable is this improvement that we saw going forward? Thank you so much.
Thanks, Kash. Hope you're well. So if you think about what Ruby did to the backup and recovery industry, we transformed this market from backup and recovery for human error recovery or natural disaster recovery into a cyber disaster recovery platform. We call it cyber recovery, cyber resilience. And that has really expanded the time for this market because to be able to deliver cyber resilience, you fundamentally assume that attacks are inevitable. And if attacks are inevitable, then you have to think about what are you doing before actual attack happens. So how do you assess the risk? Then, during a legal-illegal activity, runtime, how do you assess the threat? And finally, if the breach has happened, then how do you deliver faster cyber recovery to be able to keep your applications up and running? And what Rubrik did was all these three pieces, Rubrik built into a single platform. Rubric Security Cloud, which combines DSPM plus cyber recovery on a single platform. And that's the unique architecture that we created from day one. And it is not something that is bolt-on or you can pivot into. This is inherent to our architecture. And that platform is the unique solution in the market where market is looking for a cyber resilient solution, not looking for legacy backup recovery solutions. So if you look at our transaction, about half of our new customers adopt Enterprise Edition, which is the full cyber recovery solution in their first purchase. And if you look at our NRR, about a third of our NRR comes from the cyber data security product attach that we are doing on our Rubik's Security Cloud platform. So essentially, we have transformed this market from this legacy backup recovery approach to a cyber resilience platform, a data security platform to make sure that folks can do cloud transformation, digital transformation confidently and keep their services up and running even when confronted with an attack.
And Cash, just to answer the second question you had on operating efficiency, so we are really pleased with the progress we've had over the past several quarters, both in terms of subscription contribution margin as well as cash margins. If you look at the drivers for them in terms of the big investment areas, sales and marketing and R&D, we expect many of these drivers to continue, including the ability to drive higher productivity from multiple products, Our focus on enabling the sales and go-to-market teams and lowering the cost of acquisition with targeted marketing as well as more partner leverage. And I'll say that renewals are still a minority of our business, and we expect that to grow in contribution. And with that, we get natural leverage as well. On R&D, we continue to hire talent globally with a particular focus on our India center, where we have had great talent over the past years, and we expect that to continue as well. So many of these drivers will see it continuing, but of course they will moderate over time in terms of the improvements we see.
Terrific. Thank you so much. Happy holidays.
Thank you, Cash. Thank you. We'll go next now to Andrew Nowinski at Wells Fargo.
Okay, good afternoon, and congrats on another great quarter, and particularly the improvement in contribution margin, I think, really stood out. I just wanted to ask a question. So coming back from the Wells Fargo TMT conference this week, I mean, it was really clear that data protection, DSPM, and, of course, cyber resilience, I think, were top of mind for many organizations. That really stood out to us as like the one key takeaway. You know, based on the strong growth you're seeing in your cloud ARR, I mean, it looks like you're seeing this too, and I'm wondering if this inflection in demand for DSPM and cyber recovery is related to an inflection maybe in Gen AI rollouts, or is it something else? Just wondering if you could pinpoint what's driving this inflection. Thank you.
Thank you, Andrew. In terms of Gen AI, Gen AI is certainly a driver for a lot of enterprise activities right now, because Gen AI is forcing people to focus on data, to understand the integrity of the data, to understand the sensitivity of the data, to understand potential risk of the data, to understand who has access to what data and what they can do with data. And if you look at where we play, Rubrik, is the data security platform. At the outset, our goal was to transform backup and recovery, which was a legacy platform, into a data security platform to deliver cyber resilience. And so our DSPM plus cyber recovery together delivers our customers an understanding of data risk and delivers data integrity and availability. And so truly, the GenAI initiatives bring the focus back into data, and that definitely is a tailwind for this market. Having said that, obviously, digital transformation, cloud transformation, SaaS application adoption, And everything that is accelerating throughout the years is also contributing. So it's a broad set of capabilities and broad set of market drivers driving the secular tailwind for this market.
Thanks, Bipol. And maybe as a follow-up to that, you know, I think your enterprise edition gets about a 75% uplift over the foundation edition. I'm wondering if you could just give us an update on maybe the adoption rate of the Enterprise Edition over the last six months, you know, since your IPO, how that's maybe changed and what you're seeing there. Thank you.
So Enterprise Edition continues to be the flagship platform for cyber recovery. And we are also attaching DSPM to bring the security and threat perspective into it. And we are continuing to see a strong adoption of Enterprise Edition About half of our new customers continue to adopt enterprise edition at the outset. And as I mentioned before, nearly a third of our NRR is actually coming from the adoption of data security product, which includes a lot of enterprise edition, cyber recovery, plus the SPM offerings that we have.
Thank you.
Keep up the good work.
Thank you. Thank you, Andy.
We'll go next now to Brad Zelnick at Deutsche Bank.
Oh, great. Thanks so much, and congrats on the strong execution. The entire team has so much to be proud of. Bipol, I wanted to start by asking you about Annapurna, the goddess of nourishment. Can you talk about the vision and evolution leading up to this week's announcement, what we should expect in terms of availability across other cloud platforms, And is this something you expect to price and monetize implicitly or explicitly?
Thank you so much, Brad. This is a very important question for us. Look, Rubrik is an ambitious company. And from the outset, we had actually decided to make Rubrik a company that lives on the frontier of innovation. And our goal is to build pioneering innovation and commercially successful products to really do real transformation and perspective change at our customers. And we want to build a long-term, long-lasting company, long-term profitable company. And long-term companies cannot just focus on what is in front of them, but they create horizons. And that horizon is three to five years out. Just like in the past, back in 2016 and 17, we were working on cyber recovery. And the set of capabilities that we built then is finding success in the marketplace today. So we always think about what do we do today that three to five years out can change the game of the industry, can change the game of the market. And Annapurna is a very important multi-year strategy for Rubrik. Because if you think about what Rubrik is, we are a centralized data platform with data security built into it. where we pull data from a multitude of enterprise applications and create a common data-metadata format with data security built into it. And as you know, Gen AI is forcing businesses to extract data from multiple applications to be fed into the model. And we have a ready-made next-gen data lake because we use this data lake to recover applications. It's kind of like a reverse ETF back into the production applications. We can use the same data infrastructure with data security built into it to deliver data into RAG or GenAI or whatever workflow they want to use to build powerful LLM apps. But LLM apps that are trusted, that has security, that has responsible AI built into it. Obviously, the secure data embedding that is powered by Rubik's Security Cloud and access control and all of that is inherent to our platform. And our goal is we started with AWS Bedrock, but it is designed in an API-first platform. It is equally applicable to GCP, Azure, bring your own model, a third-party set of frameworks, whether it's Lanche or Lama Index, or whatever folks are using to build their Gen AI applications, LLM applications. We will actually do market experimentation just like in the past four or five years ago we did experimentation with data security products. We'll figure out messaging, product market fit, pricing, what price the customer will sustain, what value we are creating for them. And as we make more progress on on the path to monetization, packaging, pricing of Annapurna will keep you updated in the next several years. I mean, this is, again, a long-term thing for Rubrik, but this is a very exciting new area, and we are working really hard on it.
Super exciting, Vipul. Maybe a quick follow-up for Kiran. You're clearly taking market share, and it seems even more so in a quarter like this. Is there anything that you can share with us in terms of win rates and where the share might be coming from? Thanks so much, guys. Congrats again.
Let me take this question, Kiran. We continue to win vast majority of deals against other new gen as well as legacy backup and recovery vendors. And this is because, as I mentioned before, we are the only vendor in the marketplace that has a unique zero-trust platform that combines DSPM and cyber recovery in a single platform. So we have the full understanding of data risk, data threat, and cyber recovery. And architecture matters when it comes to data and data security and availability of applications. And because we build this architecture grounds up, when the customers see the product, there's a reaction, positive reaction that happens. And this product can't be like, you can't build this product by bolting on 30 different cybersecurity products or pivoting into cybersecurity. This was the decision that we made day one, where we said data, metadata, and data threat engine is in a single platform. We took a risky bet 10 years ago, but we were right in that risky bet, and we are reaping the rewards of a unique architecture.
Thank you. Thank you, Brad.
We'll go next now to John DeFucci at Guggenheim Securities.
Thank you. And by the way, the Q&A, this is really helpful. And really appreciate, Biple, your answer to Cash's question. He always asks good ones. But we all get that from investors. Like, why is this going to last? And that was helpful. That was clear as to why you're not going to be Veritas in 1999 by the time 2003 came along or whatever. But my question here is on partnerships. You spoke about technology partnerships. And by the way, you need to have everything you're talking about. But one thing that really hasn't been hit on here is go-to-market. So can you talk a little bit more about go-to-market partnerships? We all know that you have a really strong go-to-market team, but our fieldwork indicates that you sign more VARs. We're just hearing more VARs and more reseller partnerships. And they want they want to partner with you, and those that focus on security. And they're already starting to see early traction. This is the traditional way that enterprise security is sold. So can you talk a little bit about your efforts there? And is what we're hearing right? And how should we think about go-to-market partnerships, that contribution going forward? Thank you.
Thank you, John. Really appreciate your comments. If you think about rubrics, go-to-market strategy, we are a technology platform company with a multi-product that is sold on this platform. And it is a global product. We actually sell our product all around the world, and then the routes to market is critical for us to have long-term success. So we think about go-to-market, routes to market in multiple ways. Number one is, as you mentioned earlier, the VARs, because we are 100% indirect business. We work with VARs, and VARs take our product and attach some of their services to it to take us to their trusted customers. So that's one motion. The second motion is GSI partners, whether it's global SIs or regional SIs, they again do the operationalized rubric for their trusted customers. If you look at the third way, is our technology alliance partner from Zscaler to CrowdStrike to Pure Storage to Cisco. We work with all of them to actually take our product to market and we have a co-engineered solution with these technology partners where one plus one is more than two. So that end customers see bigger value from Rubik partnership with, for example, Zscaler where we provide the Zscaler customers full visibility into the threat of a data passing over the network. And that value is, again, one product alone can't deliver. And this is where we are actually creating this multi-faceted go-to-market strategy to comprehensively deliver cyber resilience solution around the world across whatever trusted advisor partner products that our customers have.
And that all makes sense, but in the technology partnerships, they come out with big, you know, announcements, and we look at those, and they're interesting, and we hear about them in the field. But is what I said happening, like, am I just, like, noticing it more, or are more and more, and the first two you mentioned, VARs and GSIs, is there greater engagement over the last quarter or two? than there has been? Are you signing more partnerships with VARs and GSIs, or it's just something that, I don't know, maybe it's been happening and I just didn't, I don't know. I think we were trying to pay attention, but is it happening more?
It is definitely happening more, but it has been happening for the last many quarters because what has happened is that in the last couple of years, the customers are demanding for cyber-resilient solutions, cyber-resiliency. They are asking for how do I keep my services up and running even when I'm breached? How do I keep my hospitals up and take patients even when it is breached? How does kids go to school when the school is breached? And when the GSIs and VAR hear this question, they're not thinking about backup and recovery. They are saying that how do I bring a complete cyber-resilient solution and protect our customers? And it is doing two things to the VARs and GSI. One is they're not having a discussion around infrastructure and dollar per terabyte. They are having a strategic dialogue with the customer around risk and risk mitigation. And then the second thing is that it actually broadens their scope in the enterprise from just infrastructure into infrastructure plus cybersecurity. So you really noticed it, right? Large GSIs, large bars, and many bars and many GSIs are taking Rubrik to market. Because their success with their end customer depends upon their ability to drive cyber resiliency. And that's why you're noticing more and more folks are signing up with Rubik's.
Got it. Well, keep it up, guys, because you know this. What we saw tonight is rare. Thanks.
Thank you, John.
Thank you. And ladies and gentlemen, that is all the time we do have for questions today. At this time, I would like to turn things back over to you, Mr. Sena, for any closing comments.
In closing, I would like to thank all our customers, all our partners, all our rubricants, as well as all our investors for your continued support. These are still very early days of rubric because companies' life is in decades. not in years. And we just finished the first decade of Rubrik and has entered the next decade. We want to build a long-term, large, profitable business. And we look forward to working closely with you to learn from you to understand where the market is moving and how do we continue to build market-defining products to keep our customers secure and make sure that they can do digital transformation confidently. Thank you so much.
Thank you, Mr. Sena. Again, ladies and gentlemen, that will conclude the rubric third quarter fiscal 2025 results call. Again, thanks so much for joining us, everyone, and we wish you all a great remainder of your day. Goodbye.