Transcripts

FireEye (FEYE) Q1 2018 Results - Earnings Call Transcript

May 02, 2018 9:47 PM ETAlphabet Inc. (GOOG)

SA Transcripts

137.99K Followers

FireEye, Inc. (FEYE) Q1 2018 Earnings Call May 2, 2018 5:00 PM ET

Executives

Kate Patterson - FireEye, Inc.

Kevin R. Mandia - FireEye, Inc.

Frank E. Verdecanna - FireEye, Inc.

Analysts

Andrew James Nowinski - Piper Jaffray & Co.

Fatima Boolani - UBS Securities LLC

Ken Talanian - Evercore Group LLC

Gabriela Borges - Goldman Sachs & Co. LLC

Anne M. Meisner - Susquehanna Financial Group LLLP

Sterling Auty - JPMorgan Securities LLC

Melissa Gorham Franchi - Morgan Stanley & Co. LLC

Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc.

Michael Turits - Raymond James & Associates, Inc.

Gray Wilson Powell - Deutsche Bank Securities, Inc.

Walter H. Pritchard - Citigroup Global Markets, Inc.

Saket Kalia - Barclays Capital, Inc.

Erik L. Suppiger - JMP Securities LLC

Operator

Good day, everyone, and welcome to the FireEye First Quarter 2018 Earnings Results Conference Call. This call is being recorded.

With us today from the company is Chief Executive Officer Kevin Mandia; Chief Financial Officer and Chief Accounting Officer Frank Verdecanna; and Vice President of Investor Relations Kate Patterson.

At this time, I would like to turn the call over to Kate Patterson. Please go ahead.

Kate Patterson - FireEye, Inc.

Thank you. Good afternoon, and thanks to everyone on the call joining us today to discuss FireEye's financial results for the first quarter of 2018. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's Chief Executive Officer; and Frank Verdecanna, Executive Vice President, Chief Financial Officer and Chief Accounting Officer of FireEye. After the market closed today, FireEye issued a press release announcing the results for the first quarter of 2018.

Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call including statements relating to FireEye's guidance and expectations for certain financial results and metrics, FireEye's priorities, initiatives, plans and investments, drivers and expectations for growth, the expansion of FireEye's platform and the benefits, capabilities and availability of new and enhanced offerings. We'll also discuss our competitive position, market opportunities, and go-to-market strategies. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today and you should not rely on them as representing our views in the future. And we undertake no obligation to update these statements after the call.

For a detailed description of the risks and uncertainties, please refer to our SEC filings, as well as our earnings release posted an hour ago on the website. Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website.

Additionally, certain non-GAAP financial measures will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website. We'd also like to remind you that the results included in this call and the earnings release are using the newly adopted revenue standard ASC606.

Finally I'd like to point out that we posted, or will post shortly, the supplemental slides and financial statements on the Investor Relations section of the website.

With that, I'll turn the call over to Kevin.

Kevin R. Mandia - FireEye, Inc.

Thank you, Kate, and thank you to all the investors, employees, customers, and partners who are joining us on this call. We appreciate your continued interest and support. We did what we said we would do in Q1, meeting or exceeding our guidance ranges for all key financial metrics. We exceeded the ranges for billings revenue and cash flow, and our earnings per share was at the high end of our range.

Looking beyond our financial results, we continue to innovate across our product portfolio, and we greatly simplified our pricing model. Today is my eighth earnings call as FireEye's CEO, and I feel very privileged to hold this position, and I'm proud of the progress we have made in the last two years.

We have driven countless incremental improvements, as well as made some fundamental changes. We redefined our mission and vision, establishing a built to last mentality. We took the appropriate steps to align our investments with our opportunity. We added depth to our management team with new leaders in sales and marketing. We invested in improving our Network, Email, and Endpoint Security products while reallocating resources to create Helix, our next-generation security operations platform, and we returned to a growth business.

This is an exciting time to be at FireEye. The RSA Conference a week ago showed that the security industry is ripe for disruption and consolidation. There is simply too many vendors with too little differentiation to be sustainable. Our mission is to relentlessly protect our customers with technology and expertise from the front lines, and it has never been more relevant.

In the current environment, the impact of a security breach is rising. There's a shortage of security professionals. Organizations are focused on product consolidation and more efficient and effective security operations, and customers are realizing that good enough security is simply not good enough. These trends are aligned with FireEye's mission and our competitive advantages, and we believe they provide a great opportunity for our Helix platform, as well as our services and intelligence.

In my remarks today, I would like to discuss three things: I'm going to talk briefly about some first quarter highlights, talk about our innovation across our portfolio, and provide with you an update on how we simplified our pricing and packaging to drive growth.

First, let me discuss some first quarter highlights. We executed well on our refresh opportunity as existing customers continued to renew and expand their commitment to FireEye's technology. We remain extremely relevant in the enterprise.

We currently have over 900 Global 2000 customers. Of these customers, almost half of them purchased FireEye products or services in Q1. Our subscription and support renewals were up more than 50% year-over-year, and we continue to cross-sell and upsell.

Of the 29 first quarter deals greater than $1 million, approximately 85% of them included more than one product, and half included four or more product families. We also provided thought leadership and we were relevant and we provided a lot of relevant national intelligence to the cyber security professionals around the world in the first quarter.

Our Mandiant services revenue grew 8% year-over-year, and we responded to more security breaches in Q1 compared to the first quarter of 2017. This reinforces my belief we have earned the market's trust as the brand to solve the most complex security challenges. Our intelligence business was a major contributor to the 62% billings growth we saw in our cloud subscription and managed services year-over-year. Our thought leadership has never been more recognized or relevant.

During the quarter, customers relied on and reviewed over 4,700 FireEye intelligence reports and used hundreds of thousands of our threat indicators to protect their networks. Our expertise creates a market pool as we are routinely requested by companies and organizations around the world to brief them on our security expertise and on our depth of knowledge about cyber attacks and the actors that carry them out.

In January, we launched our customer success organization led by our CTO, Grady Summers. By combining several of our customer-facing teams from support, training, and deployment services, we now have over 200 people chartered with proactively ensuring that our customers are successfully leveraging their FireEye Security Solutions. This is a critical component of our strategy to evolve and grow our business. Our products appeal to a much wider base today than even a year ago. And as Helix advances in the market, its use cases and implementation address a far greater number of security concerns than our initial suite of network detection products.

As we continue to evolve and integrate technologies, orchestrate security playbooks, and automate security operations, we will need to interact differently and more frequently with our customers than traditional customer support. Our new customer success organization will allow us to be more proactive in addressing our customers' needs and to evolve over time into a seamless extension of our customers' security teams.

In the first quarter, we also partnered with Oracle and began offering our cloud email solution on Oracle's Cloud Infrastructure, or OCI. This is an important step in offering additional security services for customers migrating to the cloud, as well as our expansion into multiple cloud platforms.

In addition to these Q1 business highlights, we continue to be laser-focused on innovation across our product portfolio. As a reminder, we have created a platform that incorporates a hub-and-spoke model with Helix as our hub or brain that integrates data from the FireEye spoke products, as well as third-party solutions. We need to offer great spoke products that compete on a stand-alone basis because that is how customers often budget and buy in security today. We meet this demand with our Network, Email, and Endpoint Security products. In addition, we need to lay the foundation for how customers will purchase security in the future, which is what we are doing with our Helix platform.

As a result of the ongoing innovations to our Endpoint, Email, and Network Security product spokes, we are detecting more attacks. As an example, our Email Security products have detected almost 400% more attacks over the last five months. Over the same period, we have seen attacks blocked by our Network Security product increase almost tenfold. And let me make one thing very clear: nearly every one of our products is deployed behind another vendor's firewall or secure email gateway or endpoint antivirus, which means virtually everything we catch has evaded these other defenses. FireEye provides a vital layer of defense that is indispensable to security-conscious organizations. And I feel confident about the competitiveness of our Endpoint, Email, and Network spoke products.

Now, I'd like to give you a quick update of our innovation for each product line. Let me first discuss Endpoint.

FireEye has more than 14 million licensed Endpoint agents worldwide and we continue to distinguish ourselves in a crowded endpoint market. Job one is to prevent as many security incidents as possible. So in addition to our exploit prevention and IOC detection engines that's indicator of compromised detection engines, we added antivirus prevention in September of 2017. This brought us into parity with many other AV vendors in the EPP space, but we did not stop there. This summer we plan to release Malware Guard, a powerful machine-learning malware classification engine designed to complement the malware and exploit detection engines already integrated into our Endpoint product.

With Malware Guard, FireEye's Endpoint Security will consolidate signature-based, IOC-based, and multiple signature list detection methods to identify malicious files and activities conducted on an endpoint by an attacker. In addition to these detection engines, all of our products are supported by a team charged with optimizing our detection capabilities every day based on our unique visibility into the threat landscape. We believe people and technology working together address the security problem most effectively.

Finally, we offer unique, advanced investigative and forensic features that are critical to any post-breach security operations. Many endpoint vendors focus on prevention or they have some EDR capabilities, but they lack the investigative features required when prevention fails. We go beyond EDR by offering in-depth forensic capabilities required to accurately investigate and remediate a security incident. In short, in a world of many endpoint vendors and start-ups, I am confident FireEye will continue to grow this business and be the endpoint security provider that security-conscious buyers turn to.

Advanced Network Security will always be an important piece of our business, and we intend to extend our leadership in the Network Security market. While the long-term strategy for our Network Security is to feed the brain of our Helix platform, we also see an opportunity to consolidate Network Security. For example, we are adding new functionality into our sensors to expand the value it provides to our customers. We added SmartVision for dynamic inspection of east-west traffic to identify lateral movement, and we are planning to add data exfiltration capabilities, SSL decryption capabilities, and network metadata evidence collection shortly. Combining these new features with our simplified pricing model, I believe we can continue to gain market share with our Network Security products.

Our Email Security solutions were a significant growth driver for us in Q1. I believe Email Security is a growing opportunity for FireEye, and we will continue to add features to compete successfully with existing secure email gateways. Our purchase of The Email Laundry in Q4 is already paying dividends for our Email product. The former Email Laundry CEO now oversees our Email products, and we have successfully incorporated their anti-spam and business email compromise capabilities into the FireEye Email products.

In Q1, we introduced an additional AI model into our advanced URL detection engine to detect phishing-based attacks and we saw a fourfold increase in our phishing detection numbers in the first month. Those detection numbers have continued to grow, and we are now blocking more than 1 million malicious emails a week. Just think about that. We are blocking more than 1 million attacks per week and yet we are typically deployed behind a secure email gateway. In short, we have progressed well beyond the attachment detonation capability you introduced years ago and we have an aggressive roadmap for the future.

As good as our spoke products are, they will be even better when deployed with Helix. We added 40 new Helix customers in Q1, bringing the total to over 200. As we build Helix into an automated security operations platform, one of our highest priorities is integrating X15's big data management technology with Helix. As the basis for our analytics, our customers will find X15 efficient to operate, deploy and extend. X15's technology also enables us to support different environments in deployment operations or excuse me, in deployment options, including different cloud services and on-premise Helix. The X15 technology has the potential to transform all of our offerings and accelerate the ability to develop and deploy new features into Helix.

In addition, earlier this quarter, we launched the first phase of our Expertise On-Demand program with a menu of micro services. The idea is to make it easy for customers to consume our services and expertise as needed, and we see it as a natural extension of our portfolio of consulting and intelligence services. We launched Expertise On-Demand with a limited number of customers so we can test our pricing and demand assumptions. But it has been my experience that if we can provide expertise in a seamless way through our products, we become a vital member of our customers' security teams. Ultimately, we plan to offer the Expertise On-Demand program to all our customers, and to do so directly through our Helix platform.

With the impact and consequences of a security incident getting higher, we believe no single organization should be alone when it comes to cyber security. Therefore, we will offer instant access to our experts so we can be of assistance all the time or when it matters most. In the future, this access will be a click or touch away in the Helix platform.

Our commitment to innovation extends beyond our products to all aspects of our business. To that end, we formally launched our new pricing and packaging two weeks ago at RSA Conference. While not all customers will move to the new pricing model immediately, the early response from customers, channel partners and industry analysts has been very positive. I would now like to summarize our new pricing.

For mid-market customers with up to 2,000 users, we introduced the FireEye Security suite. The suite includes cloud versions of our Network, Email and Endpoint Security products as well as Helix at the right price point for this market. I believe most mid-market customers want the same enterprise grade security as larger organizations and our new suite pricing makes it more accessible to them. For larger customers, we have simplified the pricing of our spoke products with a single subscription price based on the appropriate consumption metric.

Network Security is priced per megabit per second. Email Security is offered on a per mailbox basis. Endpoint Security is priced based on the number of devices protected. Virtual and cloud sensors are included at no additional cost, and each subscription includes an entitlement to Helix. Appliance hardware is available as an add-on purchase by subscription or outright purchase and is priced on a cost plus model. For the first time ever, our customers now have the option to subscribe to any of our products. This new pricing model encourages broader deployments of our technology, offers the flexibility to mix and match physical and virtual appliances, and allows customers to optimize capacity as needed.

To summarize before I turn the call over to Frank, I believe we have built a competitive advantage through the combination of our technology, our threat intelligence and our frontline expertise which drives a continuous cycle of innovation at FireEye. This keeps our products relevant and allows us to adapt rapidly in response to new threats.

We are delivering best-in-class security products and services to customers today, and I believe this will drive continued growth. Equally important, we are building a foundation for future growth with Helix in our services and intelligence. We have also simplified our pricing model and expanded our addressable market with flexible deployment operations and options. We have returned to growth, we have improved our execution and we continue to innovate. We are building FireEye to last.

I would now like to turn the call over to Frank.

Frank E. Verdecanna - FireEye, Inc.

Thanks, Kevin. As Kevin outlined, FireEye has successfully navigated transitions in our product portfolio and our business model, including the transition to non-GAAP profitability from non-GAAP annual operating losses of more than $150 million just two years ago, and the transition to positive operating cash flow. With best-in-class products, simplified pricing and packaging and an energized team, I believe we are now on the path to sustained growth and leverage in our financial model.

As we go through the details of our Q1 results, there are a number of leading indicators that we can sustain our momentum. My confidence in our opportunity and our ability to execute translates to an increase in our annual guidance for both billings, revenue and operating cash flow.

In discussing our financial results, I want to remind you that I will be referring to non-GAAP metrics except for revenue and operating cash flow. Our non-GAAP measures exclude stock-based compensation, amortization of intangibles, non-cash interest expense on our convertible debt and other non-recurring items.

Also note that all our financial results and guidance ranges reflect the adoption of ASC 606 as of January 1, 2018. We adopted ASC 606 on a full retrospective basis and we have posted the recast financials for 2016 and all four quarters of 2017 in the Investor Relations section of our website.

Total billings of $175.1 million were slightly above our guidance range of $165 million to $175 million and grew 21% year-over-year. Billings decreased 27% sequentially from our very strong Q4 billings, which was slightly less than historical Q4 to Q1 seasonality declines. While this was very strong performance, this level of year-over-year growth was partially due to the recast of Q1 2017 billings under ASC 606 which reduced total billings in Q1 2017 by $7.4 million.

We had strong renewal performance across all categories in Q1 and customer retention remained at approximately 90%. On a dollar basis, our renewal rate, including upsells and cross-sells, remained above 100%.

We closed one renewal transaction slightly over $10 million which was included in our forecast when we guided to Q1 billings. By comparison, we had no transactions greater than $10 million in Q1 of 2017. Overall, we booked 29 transactions greater than $1 million, the same number as in Q1 2017.

Contract length increased slightly in Q1 to 22.8 months from 22.3 months in Q1 2017, reflecting a slightly lower average contract length on product and related subscription and support and a higher average contract length on cloud subscriptions and managed services compared to a year ago.

We ended the quarter with $500 million in annual recurring revenue or ARR, an increase of 14% from the end of Q1 2017 and an increase of 2% from the end of Q4 2017. We define ARR as the annualized value of all recurring revenue-related contracts in place at the end of the quarter.

We added 230 new customers in the quarter compared to 237 in Q1 of 2017. Although we added slightly fewer new customers in the quarter than a year ago, we are already seeing a healthy increase in new customers so far in Q2 as channel partners begin to gain momentum selling our cloud Endpoint and cloud Email subscriptions. Since sales cycles are typically six to nine months in Security and we first launched our next generation Endpoint with antivirus at the end of Q3 2017, the timing of the inflection in new customer growth is consistent with our expectations.

Transaction velocity increased 15% in Q1 compared to a year ago, another indicator of momentum in our business. Revenue in the quarter was $199 million, an increase of 8% from Q1 2017 and above our guidance range. Growth was evenly distributed across the three revenue categories, with products and related subscriptions and support up 8%, cloud subscriptions and managed services up 7% and professional services revenue up 8%.

Looking at product and related subscriptions and support and cloud subscription and managed services revenue together, approximately 90% was recognized from deferred revenue on the balance sheet at the end of December 31, 2017, and approximately 10% was recognized from current Q1 billings. Our strong performance in the top line was accompanied by a continued discipline on the cost and expense lines and our operating margin and EPS were both better than the midpoint of our guidance ranges.

Overall gross margin was approximately flat year-over-year and operating expenses increased 6%. The majority of the increase was on the R&D line, reflecting the acquisitions of Email Laundry in Q4 2017 and X15 in Q1 2018. We also saw the usual seasonal increase in payroll taxes and other employee-related expenses, some of which was due to higher employee stock sales, resulting in sequential increases in each of the operating expense lines. We ended the quarter with 3,031 employees, up slightly from the end of Q4.

Turning to the balance sheet and cash flow, we continue to maintain a very healthy balance sheet. We ended the quarter with $886 million in cash and short-term investments and had DSOs based on billings of just 53 days. Ending deferred revenue was $886 million split 60/40 between current and long-term.

The sequential decrease from the end of Q4 reflects the seasonality in Q1 billings. About 5% of total referred revenue was related to the timing of services delivery in our Mandiant consulting business. Overperformance on billings, coupled with good linearity in the quarter and strong collections resulted in positive operating cash flow of approximately $9 million compared to our guidance of breakeven to negative $10 million.

Turning to our guidance, for 2018, we are raising our billings and revenue guidance range by the amount of our Q1 over performance, reflecting our continued confidence in the business. We now expect billings in the range of $815 million to $835 million, implying a growth rate of 8% at the midpoint of $825 million. We expect revenue in the range of $820 million to $830 million, implying a growth rate of 6% at the midpoint. We are raising our guidance range for operating cash flow by $5 million, which was the increase in billings guidance, and leaving guidance for operating margin unchanged.

For the second quarter of 2018, we expect billings in the range of $180 million to $195 million, implying a growth rate of 8% at the midpoint; revenue in the range of $199 million to $203 million; and operating margin in the range of negative 2% to positive 1%; and earnings per share in the range of negative $0.03 to breakeven.

Our guidance for operating cash flow of negative $50 million to breakeven reflects our strong Q1 collections, which resulted in operating cash flow above our expectations in Q1 and historic low in accounts receivable to collect in Q2.

On a six-month basis, we are expecting positive operating cash flow of approximately $2 million at the midpoint compared to negative operating cash flow of $28 million last year.

With that, I'll turn the call back over to the operator for questions.

Question-and-Answer Session

Operator

Thank you. And our first question comes from Andrew Nowinski with Piper Jaffray. Your line is open.

Andrew James Nowinski - Piper Jaffray & Co.

Great. Thanks and congrats on the nice quarter.

Kevin R. Mandia - FireEye, Inc.

Thank you, Andrew.

Andrew James Nowinski - Piper Jaffray & Co.

I just wanted to, question on the enterprise pricing model that you talked about and how you combined some of your three core products with Helix. Can you just tell us whether those changes had an impact on your new customer growth rate, as well as the impact to your competitive win rate this quarter?

Frank E. Verdecanna - FireEye, Inc.

You know, Andrew, we launched that at the tail end of Q1, so we didn't see much of an impact in Q1 relating to that, but we fully expect to see a nice impact in Q2. And I did mention that right now, we're seeing really strong new customer growth early in the quarter, and I think a lot of that's due to the new pricing and the new channel partner relationships on the cloud Endpoint and cloud Email solution.

Andrew James Nowinski - Piper Jaffray & Co.

Okay. Great. And then just as a quick follow-up, along the lines of the partner – your channel, at the Analyst Day you said partner-led sales had accounted for just over about $45 million in Q4 which I think was the second consecutive quarter it increased. I guess with the new pricing changes you announced here, do you think you'll see an increase in the partner-led sales or did you see one in Q1 and do you expect it to continue increasing in Q2?

Frank E. Verdecanna - FireEye, Inc.

Yeah. I think we do definitely expect as we go throughout this year that the new pricing and packaging and the investments we're making in some of the channel partnerships that we're going to continue to see more and more channel leverage. The channel leverage story has been improving over the last year. I think we still have a long way to go and a lot of opportunity there. But we are starting to see some good signs there.

Andrew James Nowinski - Piper Jaffray & Co.

All right. Thanks.

Kevin R. Mandia - FireEye, Inc.

Yeah and this is Kevin speaking. For like the last two years we've been talking about, I call them the three Ps: policy, products and price in our channel. We've got the policy right going into 2017, just that consistent FireEye's not selling directly. We're doing fulfillment through the channel. We're working with the channel.

One of the things I often wondered was how channel-friendly were our products and how channel-friendly was our price? I believe that our Email – or not Email – we have Cloud ETP, by the way, channel-ready but the Endpoint product that we released in September 2017 felt to me like the most channel-ready product, and then I think the pricing that we just went through really helps us as well. So, we'll see it bear fruit over the next few quarters.

Andrew James Nowinski - Piper Jaffray & Co.

Thanks, Kevin.

Kate Patterson - FireEye, Inc.

Next question, please.

Operator

Our next question is from Fatima Boolani with UBS. Your line is open.

Fatima Boolani - UBS Securities LLC

Good afternoon. Thank you for taking the question. I know something Bill mentioned during the Analyst Day was this bogey of 1,000 customers, but he'd be more enthusiastic to beat that target. So, with some of the momentum you're seeing in the new customer acquisition rate, Frank, I'm curious what sort of engagement in terms of new products or what type of products these new customers that previously weren't being targeted under the old pricing impacting plan are kind of coming into the roster here?

Frank E. Verdecanna - FireEye, Inc.

Yeah. Fatima, I think that's a really good question. I think what we're seeing is a lot of the newer customers, especially in the mid-market, coming with cloud Endpoint and cloud Email. And one of the things that you can look at on the breakup of our billings and revenue, you can see that we had a really strong performance in the cloud subscriptions and managed services, with 62% year-over-year growth in billings. And a lot of that is we're seeing a significant traction on the cloud offerings. And like we mentioned in Q4, we had initially saw most on-premise Endpoint, but in Q4, we started seeing a big shift to cloud Endpoint and we're seeing the same thing in Q1.

Fatima Boolani - UBS Securities LLC

And just a quick follow-up on the cloud traction that you are seeing with these new customers. What sort of implications does that have for your gross margin outlook?

Frank E. Verdecanna - FireEye, Inc.

Yeah. We actually – it hasn't changed our gross margin outlook at all because for the cloud transition that we've been going through, it really hasn't had an impact on gross margin. We've been able to maintain or slightly better our gross margin even as we transitioned from on-premise to cloud.

Fatima Boolani - UBS Securities LLC

Very helpful. Thank you.

Operator

And our next question comes from Ken Talanian with Evercore ISI. Your line is open.

Ken Talanian - Evercore Group LLC

Hi, guys. Thanks for taking the question. I was wondering if you could give us an update on the renewal yield you saw in the quarter and any thoughts on the trend for the remainder of the year.

Frank E. Verdecanna - FireEye, Inc.

Sure, Ken. So, 2018 is a bigger renewal year than 2017 was, and we are seeing a significant amount of renewals. In Q1, we actually over-performed in renewals as well. And I think what we're going to see as we go throughout the year is continued ability to cross-sell and upsell during those renewal opportunities. And one of the metrics that Kevin mentioned in his prepared remarks was that of our Forbes Global 2000 customers, approximately 50% of them actually transacted in the quarter. And so, I think we're seeing a lot of customers that come up for renewal look to buy additional products from us, and that's why our number of products per customer continues to increase.

Ken Talanian - Evercore Group LLC

Great. And I guess just a bigger picture question. Could you rank order the factors that might cause you to outperform your 2018 billings guidance?

Frank E. Verdecanna - FireEye, Inc.

So, I think they're going to be the same growth drivers we really have been talking about over the last couple quarters. It's going to be the refresh opportunity. It's going to be Endpoint. It's going to be Helix. And then I'd probably put managed services and Email right behind that.

Ken Talanian - Evercore Group LLC

Great. Thank you very much.

Frank E. Verdecanna - FireEye, Inc.

Thanks, Ken.

Operator

Thank you. Our next question is from Gabriela Borges with Goldman Sachs. Your line is open.

Gabriela Borges - Goldman Sachs & Co. LLC

Good afternoon. Thanks for taking the question. Kevin, you mention in the prepared remarks how the Incident Response business can sometimes pull through sales of the cloud subscription. We've talked before about how this helps inform the product roadmap. Maybe you could just elaborate. Are there situations where a customer will decide that they want to buy Endpoint and you're able to be part of that conversation either earlier or in a more influential way because (32:48)?

Kevin R. Mandia - FireEye, Inc.

Yeah. A lot of ways to address that, Gabriela, but great question. It's – right now, there's no question you can buy our Endpoint before you have a breach. A lot of people will back in endpoint protection or prevention in many different ways. First and foremost, we had to build a Forensics Endpoint, which is actually, in my opinion, the hardest Endpoint to build because we needed technology-enabled services. We had to go in and investigate the breaches that were at a scale and scope that our customers needed help with. And we went niche with forensics really back in 2007, 2008 timeframe. And like all start-ups over time as you get bigger, you go into adjacencies and the adjacencies that we've gone into include prevention.

One of the comments we always used to get from customers when we did just forensics in our Endpoint is if you know what to look for, can you look for it ahead of time and stop it? So, obviously, we've been innovating into that direction for a couple of years now. And I would say the first step we took or leap into endpoint prevention was September of 2017. We have advanced forensics capabilities, and you're going to keep seeing us add multiple ways to find bad stuff on the Endpoint, not just signature-based but signature-less based and in my prepared remarks, I talk about machine learning models and some of the behavioral things that we do on the Endpoint. And what I like about our Endpoint is a lot of folks' Endpoint is just find malware. And we go a step further on our Endpoint and say, well, even if you don't find the malware, let's say you detect 99.999% of all malware but you miss 0.0001%. For that tiny fraction that gets by, what does an attacker do in the second inning of the breach, the third inning of a breach, the fourth inning? And we look for those things as well.

So, I think over time, our Endpoint will be very formidable at prevention and already is absolutely great at the EDR and forensic capabilities. So, I was proud last year, too, Gabriela, since you gave me the platform to speak about it, we entered 2017 with a Forensics Endpoint for Windows. We exited 2017 with Windows, Mac, Linux and endpoint prevention capabilities. So, I think we've proven we can innovate fast, and we'll keep doing that.

Second part of your question is how does IR help business? There's direct and indirect help there. But I've always positioned throughout my career you know the market best when you see the breaches occur. And there will be a lot of folks that will say well, we prevent them all. It's been my experience that there's a lot of things that unfortunately, we can't prevent in this world, and one of them is security breaches. They happen over time even when you do all the right things. And what we do is we get to see how other people's technology and any security technology gets evaded. We have that front row seat. And I genuinely don't know how to build great products at the velocity you need to build them at without that front row seat.

We have it. We had a good amount of breaches in the first quarter we responded to. And it gives us a couple of things. It gives you a high level relationship with the customer because it's not just a technical challenge you're solving at that point. You're solving a business problem, but it, again, gives you a threat intelligence to see how attackers are remaining surreptitious on the network and evading detection, all things we learn from. So, bottom line, it's a fantastic innovation feedback that we've built here.

Gabriela Borges - Goldman Sachs & Co. LLC

Appreciate the color. The follow-up is for Frank. So, that 62% growth number, could you give us a sense for what that would have been if contract length hadn't increased? And if you could just detail for us a little bit there are a number of things in there between iSIGHT, FireEye as a Service, Endpoint. Which of the product lines contributed more or less to growth? Thanks.

Frank E. Verdecanna - FireEye, Inc.

Yeah, thank you. So, Gabriela, what's in that bucket, again, is really the cloud versions of all our different spokes, so Network, Endpoint and Email, and then it's the unattached subscriptions like iSIGHT and managed services. And all – they all had an impact in growing the business. I think, overall, that line item will continue to be helped with the transition from on-prem to cloud, so I think that'll be an area to keep focused on.

And the contract length, I'm not sure if you saw the detailed slides yet, but we did have an increase in contract length in the cloud and managed services of close to two months. And so, that works out to probably around $6 billion of additional billings ...

Kate Patterson - FireEye, Inc.

I think that's too much.

Frank E. Verdecanna - FireEye, Inc.

Actually, yeah. When you take it for that specific line item, it's probably about half of that.

Gabriela Borges - Goldman Sachs & Co. LLC

Okay. Thank you.

Operator

And our next question comes from Anne Meisner with Susquehanna Financial. Your line is open.

Anne M. Meisner - Susquehanna Financial Group LLLP

Hi. Thanks for taking my question. Question is for Kevin. I know it's early, but you mentioned the Oracle partnership that you announced a few weeks ago at RSA with the Email product available through the e-cloud marketplace. Do you have any sort of early indicators of tracking with that partnership and should we expect to see similar relationships with other public cloud vendors?

Kevin R. Mandia - FireEye, Inc.

Well, I think we got to be where our customers are going to be. So, wherever our customers are, we're going to have to have relationships with those vendors as well. So, yeah. I would expect we will have relationships with other cloud vendors because our customers will require that.

I think it's too soon to tell in the partnership as to how that's going to play out, but I'm glad we did it. I think that you want to give your customers choice as to what cloud you are performing in, and we just added another to that list.

Anne M. Meisner - Susquehanna Financial Group LLLP

Okay. Perfect. Thank you.

Kevin R. Mandia - FireEye, Inc.

Yeah.

Operator

Thank you. Our next question comes from Sterling Auty with JPMorgan. Your line is open.

Sterling Auty - JPMorgan Securities LLC

Yeah. Thanks. Hey, guys. I want to broaden out the last question that Gabriela asked. So, lots of discussion around a lot of different technologies that you have; Helix, Endpoint, EX, Network, et cetera. Can you level set for us what's moving the needle? So, when you look at billings and bookings in the quarter, what were the big buckets of the contributors this quarter and how did that compare to the big buckets a year ago?

Frank E. Verdecanna - FireEye, Inc.

Sterling, if you look at what the growth drivers have been, so NX, the refresh renewals and refresh hardware is doing better than we expected, or better than a year ago. The cloud versions of all our products are doing better. Because if you looked at Endpoint, for example, a year ago in Q1 2017, nearly all the Endpoint deals were on-prem Endpoint. And in Q1 2018, the majority of the deals were cloud Endpoint. ETP, that transition cut was beginning already, so that wasn't – we had a strong Email quarter, but from a ETP perspective or cloud or Email, that already had significantly transitioned to cloud in Q1 2017. Yeah. iSight...

Sterling Auty - JPMorgan Securities LLC

Great. And...

Frank E. Verdecanna - FireEye, Inc.

iSight Intelligence continues to be very relevant and very important, and so that had a very quarter in Q1 as well.

Sterling Auty - JPMorgan Securities LLC

Great. And then, the one follow-up. You mentioned the $10 million refresh deal in the quarter. Is there any similar size type of items that are included in the second quarter guidance? And for the big deal that was closed in this quarter, can you just give us what industry was that?

Frank E. Verdecanna - FireEye, Inc.

Sure. So the big deal this quarter was in FAD. (40:40) And for Q2, yeah, we typically have anywhere from one to three deals that are in the $5 million to $10 million range. I think for Q2, right now, baked into our guidance is probably one deal around the $10 million range and probably one or two around the $5 million range.

Sterling Auty - JPMorgan Securities LLC

Great. Thank you so much.

Operator

Thank you. Our next question is from Gregg Moskowitz with Cowen and Company. Your line is open.

Unknown Speaker

Yes. Hi. This is Mike on for Gregg.

Kevin R. Mandia - FireEye, Inc.

Hey, Mike.

Unknown Speaker

Thanks for taking the questions. I guess to start, what are the primary subscriptions that are being attached to the Helix thus far?

Frank E. Verdecanna - FireEye, Inc.

So TAP, our Threat Analytics Platform, is one of the subscriptions that when customers are using Helix's user interface for FireEye products, if they want to add third-party alerts onto that, they have to add a TAP subscription or a Threat Analytics subscription. So that's an add-on. And then we have additional spoke sales. So once a customer is a FireEye Endpoint customer, they're more likely to then add Network and Email on top of that and vice versa depending on what they start with.

Unknown Speaker

Okay. Great. And just as my follow-up, why did professional services billings significantly decline year-over-year? Thanks.

Kevin R. Mandia - FireEye, Inc.

So on the PS side, if you looked at over the last four quart quarters, services billings has exceeded services revenue. So we had built a pretty big backlog of services contracts over the last year. And so Q1, we focused on delivering a lot of those engagements and I would expect we'll see an uptick in billings on Q2 on the services side.

Frank E. Verdecanna - FireEye, Inc.

Yeah, Mike, ordinarily in the services business, you invoice after you've completed the work. So if you have a big Q4, the billings go out in Q1. And in reality, billings are sometimes a trailing indicator in services.

Unknown Speaker

Great. Thanks.

Kate Patterson - FireEye, Inc.

Next question, please.

Operator

Thank you. Our next question comes from Melissa Franchi with Morgan Stanley. Your line is open.

Melissa Gorham Franchi - Morgan Stanley & Co. LLC

Thank you. Frank, you talked about the refresh of the hardware being better or at least being up year-over-year relative to last year. I'm just wondering if you think that dynamic sustains through 2018, if that's embedded in your guidance. And is there any way to think about some sort of multiplier of when the appliances come up for refresh, what you're seeing in terms of greater spending with customers?

Frank E. Verdecanna - FireEye, Inc.

Yeah, I think, Melissa, we're still pretty early in that refresh cycle. We came out with the refresh hardware at the tail end of Q3. So I would say we were pretty excited about what we saw in Q4 and Q1 as far as customers that came up for renewal.

One, just renewing existing subscriptions but also adding to that. I think one of the things that we've seen is a lot of on-premise customers expanding deployment by adding the cloud MBX as well. And so previously they were not at all their egress points and now they're able to put virtual or cloud sensors in a lot more places. So I think that trend we expect to continue. I think some of that is obviously built into our 2018 guidance. If we see more of that, that will be an area that we may see an overachievement on.

Melissa Gorham Franchi - Morgan Stanley & Co. LLC

Okay. Thank you. And then just one quick follow-up, can you maybe just comment on what you're seeing by Geo if you saw any outperformance maybe in Europe ahead of GDPR?

Frank E. Verdecanna - FireEye, Inc.

From a revenue perspective, we did see our international come in with about 37% of our total revenues, which is a peak for international. I think that trend has been continuing as we continue to do better in EMEA and APAC. We've seen a lot of improvement in EMEA, but a lot of that I think is just due to kind of the revamped sales leadership and sales team there. I think GDPR is helping the conversation but I don't think it necessarily has had a huge impact yet.

Melissa Gorham Franchi - Morgan Stanley & Co. LLC

Okay. Thank you very much.

Operator

Thank you. And our next question comes from Gur Talpaz with Stifel. Your line is open.

Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc.

Okay. Great. Thanks for taking my questions. So you noted 14 million agents for Endpoint. How does that compare to the year ago period? And then I guess the follow-up to that is how important was the launch in September of Endpoint 4.0 and driving further adoption?

Kevin R. Mandia - FireEye, Inc.

Gur, this is Kevin speaking. It's up from last year. And when you look at our Endpoint, one of the neat things about FireEye – I'm talking about the HX endpoints in the field. In our innovation feedback loop, we have innovation that occurs that our consultants can bring to the field before the UI catches up with it. And we may have over 1 million endpoints in that version out there in addition. And the features that our consultants use built by real software engineers but when you get the guard rails on them, find their way into HX.

And what I'm getting at is we're probably understating the total number of endpoints that we have out there because we have multiple endpoints. And that's just unique to FireEye with the services component that can get stuff to the market quicker.

But it's up and I think it's still early to tell what endpoint prevention does for us. And I'm observing that market and thinking, to some extent, it's table stakes. You've got to be able to do it. There's multiple arguments. Some will say, well you get AV for free, and some that will say what you get for free isn't good enough.

But either way we've had machine learning models to analyze malware really since 2011 timeframe. We know how to find bad stuff. There is no reason for us to not automate that and get it into our products. So we're convinced we'll be great at endpoint prevention. We'll keep adding to it and we're new to it. So we'll see how it grows over the next few quarters.

Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc.

That's helpful. And then maybe continuing on that theme, it's obviously a crowded space. How important do you think the simplified go-to-market is as far as kind of creating broader awareness, easing the go-to-market and perhaps helping you rise above a lot of the noise that exists within the market itself?

Kevin R. Mandia - FireEye, Inc.

Well, I think we're just at an interesting time on endpoint. You have endpoint prevention folks trying to get into EDR. You have EDR trying to get into prevention. You've got forensic capabilities out there that we have. And people are searching for one endpoint that can do everything, and right now I think that no one's arrived there just yet, and that's what's creating some of the confusion in the market. I think our roadmap is to consolidate and detect what AV detects, detect what AV misses, provide your experts with the capability to find things should our signature list-based detection miss, do exploit prevention. It's a roadmap that a lot of people are on, but we're going to execute to it.

Frank E. Verdecanna - FireEye, Inc.

And, Gur, just to add on to that, this is Frank, the mid-market suite that we're selling now, I do think puts us in a unique position because a lot of those competitors are point products. They have a solution just for the endpoint. And being able to offer a solution both for cloud, Network, Endpoint, and Email under one package that's priced competitively I think is a unique opportunity for us to compete well there.

Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc.

That's helpful. Thanks, guys.

Operator

Thank you. Our next question comes from Michael Turits with Raymond James. Your line is open.

Michael Turits - Raymond James & Associates, Inc.

Hey, guys. Good evening. I'd just like to drill down further on Endpoint. Can you just describe the deals that you have been in? Have they been more supplementing existing AV? Are you replacing existing AV? And who are you replacing the dynamics of those wins?

Kevin R. Mandia - FireEye, Inc.

Michael, my opinion, this is Kevin speaking, it's all of those. Sometimes we get in because we're the endpoint that has to investigate when the other endpoint missed something, and that's an avenue in with the forensics capability. We have done AV replacement with our endpoint, and we are being supplemented. I mean, AV is free on several platforms, so you might as well take what you get for nothing. But people usually supplement free AV with additional AV. But it has been, Michael, a selling motion for all three of those paths that you just went through.

Michael Turits - Raymond James & Associates, Inc.

And if I could just follow up on that, where do you see the pricing dynamics around Endpoint right now? People are paying a lot more for let's call it a suite of next-generation endpoint than they were for straight AV. Is that stable? Is that starting to compress?

Kevin R. Mandia - FireEye, Inc.

Do you have an opinion on that, Frank?

Frank E. Verdecanna - FireEye, Inc.

Yeah, I think it's starting to compress a little bit. I think we've seen in the market a lot of the next-gen EDR players coming down quite a bit. We've obviously seen the EPP on the AV side going down for quite some time, but I do think kind of the EDR side is starting to compress a little bit. And that's why again, all these kind of play in our favor because now because we're able to package and bundle. We have a little bit more unique opportunities than some of our peers.

Michael Turits - Raymond James & Associates, Inc.

Okay. Thanks very much.

Operator

Thank you. And our next question comes from Gray Powell with Deutsche Bank. Your line is open.

Gray Wilson Powell - Deutsche Bank Securities, Inc.

Great. Thanks a lot. Maybe focusing in on the Email side, so what needs to happen for you to be considered more of a front-line defense, like a secure email gateway versus that second line more advanced defense? And then when do you think you'll have the potential to move up directly into that market?

Kevin R. Mandia - FireEye, Inc.

That's a great question. This is Kevin speaking. One, we're going to have to start scanning outbound emails. I also think there's electronic evidence discovery features that people expect in their email gateway that we don't have today. We've been expanding, and by the way, that's just general – every company goes through this. We had a niche, we could detect things nobody else could detect, and we could detonate email attachments and find spear-phishes that nobody else could find. Then we had to do it based on URLs, and now we have anti-spam capabilities. And we're going to get into looking at data leakage prevention capabilities.

So we have to keep expanding. I saw the roadmap, and I'm forgetting it right now, and I saw it only six days ago. But I know that we're going to start scanning outbound emails in the near future, and we may have to partner here or there for a few of the gaps. But what I love about our Email product is we are behind secure email gateways at hundreds of customers yet we're still finding millions of attacks a week. That's just amazing to me. It shows the need for a multi-layer defense and how relevant we are. But I can't comment – I can't recall all the details in it, but I know EED features was one, scanning outbound email was another, and I'm blanking on a few of the other ones, but we're moving quickly in that direction.

Gray Wilson Powell - Deutsche Bank Securities, Inc.

Understood. Thank you very much.

Operator

Thank you. Our next question is from Walter Pritchard with Citi. Your line is open.

Walter H. Pritchard - Citigroup Global Markets, Inc.

Hi. Thank you. Two questions. First, for Kevin, just a follow-up there on the one (52:06). So, I guess, generally as you look out at the roadmap and growth that you're looking for over the next several years, are you looking – do you sort of need to be in that primary position in all product areas? Or how important is that as we look at not this year but say next year in sort of your growth roadmap?

Kevin R. Mandia - FireEye, Inc.

Yeah. That's a great question. There's no question right now. The buying patterns of our customers are I need Email right now, or I'm interested in Email, or I'm interested in Endpoint. If they're interested in more than that, then a whole bundle of things comes into play, and that's really nice. But right now when I look at our now when I look at the other Email products Email products and I had the privilege of sitting through a TVR and sitting with all our product leads and seeing them, you want to be as good or better than the folks that are in there. And with Email, for what it does, it does it exceptionally well. And when you compare us to a secured email gateway, we just need to do a few more features.

But the bottom line is right now we've always made our claim to fame in high fidelity alerts and detecting what others miss, and we got to own that. A lot of times I refer to us, Walter, as like the second layer. We're the goalie in the net when the puck gets past the defenders. We have to go from Layer 2 into Layer 1 over time. So what that means is our comparisons change. Right now, I don't know who we're up against as a second layer in defense, because there's no other person that I'm aware of. There's just, but we got to work into Layer 1. We've done that endpoint. Layer 1 to me on Endpoint, it was EPP. We moved into that space. We're going to move into Layer 1 on Email as well. So...

Walter H. Pritchard - Citigroup Global Markets, Inc.

And then a question for Frank. You, I think, were looking for duration to actually be a headwind this year. It sounds like it was a tailwind in Q1. Is there any changes to what you're expecting for duration for the year embedded in the guide, especially for billings?

Frank E. Verdecanna - FireEye, Inc.

Yeah. We expected duration to actually be kind of flat to slightly down. So if it wasn't going to be a headwind, our expectation was it was going to be a pretty slight headwind. In Q1, overall contract length only increased half a month. So it wasn't a significant tailwind in Q1, but it definitely didn't go the wrong way, which is – I think the good news is what we're seeing is that even as we transition to cloud offerings, we are still seeing customers sign up for multiyear. And so that's a good sign because I think that means we're less likely to see a bigger headwind even if we accelerate to cloud quicker.

Walter H. Pritchard - Citigroup Global Markets, Inc.

Got it. Okay. Thank you.

Frank E. Verdecanna - FireEye, Inc.

Thanks.

Operator

Thank you. And our next question comes from Saket Kalia with Barclays Capital. Your line is open.

Saket Kalia - Barclays Capital, Inc.

Hey, guys. Thanks for taking my question here and for fitting me in. I'll just keep it to one. Frank, the simplified pricing model sounds great and very compelling. What of your pricing studies maybe showed about how this can change deal size going forward? And what are just maybe some of the other sales operation metrics that the simplified pricing could drive in one way or the other? Does it make sense?

Frank E. Verdecanna - FireEye, Inc.

Okay.

Saket Kalia - Barclays Capital, Inc.

Sorry. Did that come through?

Kevin R. Mandia - FireEye, Inc.

No. Sorry, Saket.

Frank E. Verdecanna - FireEye, Inc.

No. Saket, we missed it. Sorry about that.

Saket Kalia - Barclays Capital, Inc.

Okay. No. No worries. No worries. So I'll just keep it to one question. So the question is the simplified pricing is really interesting. What of your pricing studies showed about how it can change deal size going forward and kind of any other sales operations metrics? I'm thinking renewal rate, or customer adds. Any other kind of open-ended question. Any other metrics that that simplified pricing model could really impact in a big way going forward.

Frank E. Verdecanna - FireEye, Inc.

Sure, Saket. I think what we saw in the study is that it would actually open up a new market for us. What we saw for our existing customer base in the large enterprise is it was kind of net neutral to slightly up. Because we can now offer the virtual and cloud sensors, it enables people to actually expand their deployment. So even though they may be buying less on-prem appliances, the overall ACB of that customer has typically been higher. So we introduced new pricing, we had deals in Q1. Those ACBs actually all increased. It's very early in the process, but the quotes that we have out all look to be net positive. So we're pretty excited about the impact. And again, the real impact ultimately is getting us into a market that we haven't been into before at the mid-market.

Saket Kalia - Barclays Capital, Inc.

That makes a lot of sense. Thanks very much for taking the question.

Frank E. Verdecanna - FireEye, Inc.

Thanks, Saket.

Kate Patterson - FireEye, Inc.

We're at the top of the hour, so we'll take just one more question, please.

Operator

Certainly. And our last question will come from Erik Suppiger with JMP Securities. Your line is open.

Erik L. Suppiger - JMP Securities LLC

Thanks for fitting me in. On the new pricing, what kind of effect has that had on your hardware?

Frank E. Verdecanna - FireEye, Inc.

So I think again it's very early days because we just introduced it at the end of Q1. But I think what we're seeing is that we've had some customers opt for buying hardware on a subscription basis, that's new. But the ACB, and that's what we're really focused on ultimately has been at or higher than previous deals. And again, I think that's because folks are covering more of their network than they have in the past. So I think we'll be able to give obviously a lot more indication of the impact as we go through another full quarter of the new pricing.

Erik L. Suppiger - JMP Securities LLC

And of the new customers that you added, can you give us any sense for whether you saw some shift towards more of the mid-market in the new customers?

Frank E. Verdecanna - FireEye, Inc.

So we really just launched it at the end of Q1, and we are – I did mention in my prepared remarks that we are seeing significant traction on new customer logos compared to a year ago, and I think a lot of that is the new pricing in the channel.

Erik L. Suppiger - JMP Securities LLC

Okay. Very good. Thank you.

Frank E. Verdecanna - FireEye, Inc.

Thanks.

Kate Patterson - FireEye, Inc.

So before we close out, I just want to let you know that they've informed me that the slides and the excel spreadsheet with the historical financials have been posted to the Quarterly Results section of the Investor Relations site if you're looking for them.

Operator

Thank you. And this does conclude today's question-and-answer session. I would now like to turn the call back to Mr. Kevin Mandia for any closing remarks.

Kevin R. Mandia - FireEye, Inc.

Well, I'd just like to thank everybody for their interest in FireEye and look forward to speaking with you over the next 90 days.

Operator

Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program and you may all disconnect. Everyone, have a great day.

Read more current GOOG analysis and news
View all earnings call transcripts

Recommended For You