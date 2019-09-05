Palo Alto Networks, Inc. (NYSE:PANW) Citi Global Technology Broker Conference Call September 5, 2019 11:00 AM ET

Company Participants

Nikesh Arora - CEO & Chairman

Conference Call Participants

Walter Pritchard - Citigroup

Walter Pritchard

Let's keep it going here. I'm Walter Pritchard, the software analyst here at Citi. I would ask to, let's say there may be a few empty seats. So, I think we're going to have a decent crowd in the room here. So, if there's any empty seats, I encourage you to take those.

We're very happy to have with us Palo Alto Networks' Nikesh Arora, the CEO. They had an Analyst Day yesterday. I think we could spend all session here recapping the Analyst Day. There's a lot out there yesterday in the slide deck and so forth. So, I was going to try to dive into some of the questions I had prepared as well as some of the follow-ups that came up yesterday from the Analyst Day, and we can take some questions from the field as well. We'll have a couple of microphones going around, and just raise your hand and we'll make sure we get that on the webcast.

Question-and-Answer Session

Q - Walter Pritchard

So Nikesh, again, thanks for joining us here, especially with all that you have going on. I'm not usually one on overtly complimenting management teams too much, but I thought you did a very good job yesterday of sort of taking questions that were coming in and addressing those.

So, I guess what I wanted to start, you've been CEO for about a year. I think one of the issues that have been out there is a lot of people, investors sort of didn't know you that well. You didn't know the security space well. You came in from a different background. I guess we'd love to hear a short summary of sort of how you've thought about the opportunity that you took at Palo Alto and sort of where you're taking it as we look at the future, and how that might be different than we thought about Palo Alto before you arrived.

Nikesh Arora

Great. So, first of all, thank you for having me, and I appreciate the compliments, especially since you qualify it by saying you don't compliment managements. So, I'll take it for what it's worth. We'll see what it is next here. But I came to Palo Alto about 12, 13 months ago. And at a macro level, I was convinced that cyber -- both technology spending and cybersecurity is a growth business, right? I personally believe that in the next 10 years, 50% of the market capital world will be tech-enabled businesses, right? And again, we can debate whether Uber is a tech-enabled business or a transportation business, but that's what I believe.

If you couple that with the fact that there is constant connectivity, ubiquity of bandwidth, everybody has to be connected, which is both an opportunity and a challenge because you have to secure things very differently enough. I have to secure every interaction from every consumer and every business going forward.

So, with that as a background, I came to Palo Alto Networks. I spent the last 12 months studying the space and obviously understanding the company and keeping us on track. And what is fascinating is that in cybersecurity, no company has actually made a successful long-term move from being a great single product company to being able to provide multiple products that talk to each other and make sense. And that's kind of the ding against the industry. If you look, there's been companies gone to $20 million [indiscernible] because they were great and people thought they were going to be the next best thing, and then suddenly they got deflated to being a one-product play. And we talk about customers having lots and lots of vendors in their security infrastructure.

So with that as a background, we spent the last 12 months aligning on how we believe we can be a multiproduct business and make our products talk to each other in a way that it provides customers what they need and also allows us to leverage what we’ve already built from a distribution perspective. So, I'll stop there and as we go through the rest of the session, we can elaborate on those things.

Walter Pritchard

Sure. So, let's take it up there. So undisputedly, the company has come in, taken a lot of share in the firewall market, is the leader in terms of new sales. We can talk about installed base and all that, but in terms of new sales, how do you -- I think one of the primary investor concerns I hear is the firewall is going to become less important as we move to the cloud. And you have this challenge of a large revenue base in the firewall market, trying to stay relevant as -- and trying to lead the relevance as the security world moves to the cloud, so how do you sort of play that balance where near-term revenue is firewall, the future is cloud, and you kind of you've got to balance it?

Nikesh Arora

So, 12 months ago, again, when I came, we were at $200 million plus of billings outside of firewalls. About 8% of our billings were non-firewalls, right? We spent the last 12 months taking that number up to 13%. And it's not just taking the number up to 13%, it is really understanding what's the right go-to-market motion, what's the leverage model, what's the customer success model to take it to 13%. We feel very comfortable that in the next 3 years, we can take it to 30%. And if you don't mind, I've asked my team to see if we can pull up a slide we showed yesterday at the Analyst Day. And if they can, I'd like to highlight that letting that fundamentally encapsulates what we're committing to and what we're trying to do. And hopefully, they can pull it up.

But we focused on cloud early, 12 months ago. We've had success. We've got over 1,000 customers using our cloud security. There's no company in the cybersecurity space with 1,000 cloud security customers, none. And cloud security is not you're routing your traffic with the proxy. It's actually securing your AWS workloads, your GCP workloads, your Azure workloads, your containers out there in the public cloud. So that's cloud security. It's not SaaS securing your Salesforce. It's actually securing where the $60 billion is being spent this year. And if people move their stuff to cloud, you've got to secure it. We're the one company in the world with 1,000 customers. We spent the last 12 months getting there. We plan to stay in that leadership position for the rest of our lives at Palo Alto Networks.

So, we believe it's a blue ocean. Nobody is out there. No other traditional cybersecurity companies have a play in that space. Every competitor of ours is less than 100 people either in some tech hub in Israel or in some tech hub in Silicon Valley, and hence I think it's an unfair fight for them because they have to figure out how to scale this from a go-to-market perspective. So, we feel comfortable on that.

And we spent the last 12 months, I think the best way to describe it is the next generation of EDR, which is called XDR, which is effectively probably what CrowdStrike does in the market, where I am taking firewall data and endpoint data, putting it together and being able to stitch it and to be around -- it's just like what CrowdStrike does with the endpoint, we don't have the endpoint and the firewall. Launched just 5 months ago, 250 customers, winning against CrowdStrike head-to-head in pretty much a majority of our installed base.

So, we feel comfortable that we have 2 product platforms that sit next to the firewall, we did $452 million in billings this year at 13%. We are committing to getting to between $800 million, $810 million in FY '20, and $1.75 billion in FY '22. If the slide was up there, we can -- we're technologically challenged right now. So, we will get it there.

But we just did a little thing for ourselves to see how would that compare to billings projected by Okta, CrowdStrike, and Zscaler. At $1.8 billion, we are $700 million more in FY '22 than Okta, probably $1 billion more or more than that than CrowdStrike or Zscaler. So, if that's not us being able to build a second and third product leg for Palo Alto Networks in a span of 4 years, I don't know what it is.

Walter Pritchard

Got it. So, if we focus -- so you've laid out this securing the enterprise, securing the cloud, securing the future. I think that's the third bucket. So on the securing the enterprise piece, I think as you sort of back-calculate the guidance and look at sort of the trajectory to 2023, you actually are still looking for growth in the securing the enterprise bucket. Where -- I think what gives you the confidence in the growth of that piece? Because I think we could talk about the other 2 pieces and how much growth -- the only question with growth markets. That's the one, I think, a lot of investors debate sort of what does the trajectory look like there as we go through this transition.

Nikesh Arora

Look, I mean, if you look at our forecast, we have significantly tamed our expectations on boxes and firewalls. We believe a lot of the shift will be software form factors. For example, we highlighted it yesterday, a very large retailer trying to secure 2000 stores. They got a pitch from a traditional firewall company with a hardware box in 2,000 stores. We believe architecture is better to a software form factor because going to 2,000 stores and putting a hardware box and connecting it takes about 1 year for most customers. That's a long time for you to be going through a hardware refresh, 1 year.

Software form factor can be deployed in 3 months, and every software update is instantaneous. You can update. You can deploy it the next day in your entire enterprise. So, we went on the software form factor. It's an over $10 million software form factor deal for Prisma Access competing with a hardware firewall. So, what we’ve discovered -- there we go, thank you.

What we discovered is that we think the shift is going to be more towards software. In addition to that, we added over 10,000 customers last fiscal year. We’ve added 10,000 customers the year before. We don't see that trend stopping. So, we believe there's customer additions going on. We have over 65,000 customers for firewalls. We see that trend continuing, being able to add customers, which adds to the revenue as well as this ability to replace competitors to software form factor.

Can we just -- so that's the slide we put up yesterday. We grew our next-generation security business, Prisma and Cortex, by 89% this past year, which compares well with the 3 -- somebody called them 3 horsemen or horse people or horse companies of security or the darlings. We're just envious of their valuations, so we feel compelled to compare ourselves with them.

We're very comfortable getting the HO 5 [ph] next year, which we believe is approximately twice the growth rate of anybody else in this space. And we think that gets us to a bigger absolute billings number compared to any of those three. And we believe in FY '22, if we get to $1.8 billion, which we are committing to get there, we would have been growing at 57%. And as I said, it puts us between $800 million to $1 billion more than any of the three who enjoy robust valuations.

Walter Pritchard

So, diving into this year, you have the Prisma and Cortex logos here kind of flagshipping the next-gen security. Maybe you could help us understand what are the -- are those two the biggest drivers? What are the biggest drivers to achieving this? And then do you -- you've done some organic build. You've done some acquisition. Do you have the portfolio you need at this point to get to the implied $1.8 billion in 2022?

Nikesh Arora

So, Prisma has two parts. One is Prisma Access. The best way to think about it is Zscaler with security, which is basically where the market is going, the software form factor, the connected to the branch, mobile users, SD-WAN, that's Prisma Access, which is where I just explained, we just won a very large deal with a retailer. We showed a video yesterday, one of the largest health care systems in Europe with over 1 million employees. Both are over €10 million deals just for Prisma Access replacing hardware firewalls from competitors, right? So that's Prisma Access.

The other piece of that is Prisma Cloud, which is the combination of our acquisition of RedLock, Twistlock and PureSec, which will all be integrated [ph] before the end of this calendar year, which is where we have over 1,000 customers, which we announced last quarter we had done $25 million in billings in our workload business -- workload security business. And that's doing really well for us. So, the combination of Prisma Access and Prisma Cloud is where Prisma is.

Cortex is two pieces. One is Cortex XDR, which is effectively the next generation of CrowdStrike. And Demisto, which is an acquisition we made, which competes Phantom, which was bought by Splunk. They're both doing really well for us. They're part of our [indiscernible] strategy and the future strategy we talked about. So those are the two big pillars we believe we can create the opportunity to get $1.8 billion.

The last 12 months, we'd really have worked hard at making sure that these products win on technical merits and are best of breed. So, Forrester just did a ranking, and they claimed Cortex XDR beats every competitor by at least 10 percentage points on security, which was not the case 12 months ago when we had the product.

Walter Pritchard

Got it. So, talking about that 1,000 customers and securing the workloads in the public cloud, I think investors have become pretty comfortable with the model on-prem, where there's an amount of IT spend and there's security spend that sort of almost is like you buy insurance for your house, you buy insurance for your car, you buy insurance for your IT. How do you think about, there's $60 billion, whatever the number is, if you want to talk about hyperscale. 1,000 customers each spending some money, but not a lot. I mean it feels like, to some degree, the security opportunity in the public cloud, if you think about that on-prem model, isn't necessarily attaching at the rate that we see on-prem. How do you think that goes?

Nikesh Arora

There's two parts to it. When customers go to public cloud, they don't have to secure their data center anymore because it necessarily belongs to AWS, GCP, Azure, and those guys have figured out how to secure the data center. But when you go there and you take your workload, your take your application. You have an e-commerce application, which is your customer is accessing your store. It's running on AWS. How you write the application determines whether you get hacked or not, right? We had a recent big hack -- an insurance services client who -- not ours, who would deploy their workload to the cloud and they were not secure.

Walter Pritchard

Yes. Not Citi.

Nikesh Arora

Sorry?

Walter Pritchard

I said not Citi.

Nikesh Arora

Yes. Not you guys. Not -- so that part is not fully appreciated that the amount of security is needed to protect it. Now our estimates are, if securing the enterprise is 6% to 10% of IT spend in the financial services and governments go to 10%, other customers at 6%, we think roughly 3% to 5% should be advanced to cloud security -- to cloud security. Now cloud security will come either from your native cloud provider. AWS, GCP, Azure have security products, but they only secure you for specific cloud, AWS or GCP or Azure. The moment our customers go multi-cloud, VMware and AWS, GCP, Azure, you need a multi-cloud product. So we're focused on multi-cloud security. That's why we believe we should be able to get share.

But we're 2.5% of the cybersecurity industry. From a market share perspective, we're number one. I'd love to have 30% of public cloud security. That's a pretty good place to start. I don't mind if the native guys have 70% or other people have it, but we're trying to make sure that we become a significant player in the cloud security space. And so far, as I mentioned, we don't have any competitor in the market who can do cloud workload, serverless and containers in one platform. And we intend to stay at the forefront of this. If there is a next-generation technology that's out there that somebody else has got, which we don't, we will either rapidly build or most likely rapidly acquire.

Walter Pritchard

Got it. Okay. I want to return to that topic because I think there's a discussion, there's been a discussion ongoing here with you, the CEO, and so forth. But as it relates to the public cloud players, so I'd say you arguably know at least one of them very, very well given your tenure at Google. This debate about what the native cloud providers do themselves, I think no one argues there's not a role for an independent. The question is, do the native players do 90% of that and there's a management layer on top? How do you think about in terms of your observations from customers that are maybe on the forefront there of public cloud adoption, sort of what are they turning to the independent provider like you to do? And where in your product portfolios that's manifesting itself?

Nikesh Arora

So let's talk about what does -- when Citibank goes to the cloud, what happens, right? You have two choices. You can delete your apps you have running in a data center or use publicly available apps, like Salesforce, Workday, which you do for some things. But there's a whole financial transaction app here, right, which is looking great now. I'm going to go write this apps into AWS. I'm going to use a combination of workloads and serverless code and containers [indiscernible]. Now that app is going to make calls back into your data center, where you're going to just keep your data and offering the cloud. So you're going to go back between the public cloud and your private cloud and you have other databases that belong to your data center.

Now you need a security product that allows you to look across the entire ecosystem, say, where is this thing going? Now when it comes out of the public cloud, it's going to go through a firewall and through a data center. If you don't have visibility in the firewall, then you lose sight the moment you come from the public cloud. You can start looking at Palo Alto firewalls. When you're in the public cloud, you're looking at AWS security bins.

So you need to be able to follow the journey of the entire application through a multitude of clouds or different data centers that you have. So you need a product that allows you to look at one end-to-end basis. Otherwise you're back to the SoC, where you've got secondary products, and you say, wait, how do I trace the journey of my application? So that's where we think our customers understand this, and they want to go operate a multi-cloud security product. The good news is unlike enterprise IT security, cloud security is priced just the way cloud is priced on a consumption basis, right? So depending on the number of workloads you're protecting, you're going to pay for cloud security. So customers don't have to go write a big $10 million check upfront and say I'm buying firewall. Okay, you know what, as my workloads go from 5,000, 10,000, 15,000, 20,000 to 40,000, I'm just going to see a 2% to 4% increase in my, like you said, insurance to make sure that my cloud is protected.

Walter Pritchard

Got it. So going back to the build or buy topic, I think that -- when you came in as CEO, there was a large acquisition that didn't -- that had to happen. You actually have spent a fair amount of money, say, in the few months, few quarters before you came as CEO until maybe last quarter. What is your sort of as you look at using capital to do acquisitions, how do you -- or the multiples? Is it return on -- you're looking for return? Is it a product hold that you have to get to market quickly? What's sort of the framework around buying? And how should we look at the future relative to what you've done over the last 15 months or so?

Nikesh Arora

Yes. Great. So we laid out five very clear principles in M&A. So doing that, people say I'm going to go out and buy large companies just for shareholder value is not a good idea. So first and foremost, we prefer not to buy overlapping products. I don't want to buy another firewall company. I don't want to buy another endpoint company because it's a nightmare to maintain them, it's a nightmare to maintain 2 sets of code. And who do you tell your customer which is better? We've been fighting new sales if ever. So no large overlapping companies, not interested. We prefer blue oceans. We like spaces where there are less competitors, much easier to convince customers to use our products. Cloud security is one of those. I'd love -- just love PureSec, have small competitors, which are not big enough to compete with us.

We prefer product and team versus revenue. I want to pay 10x $100 million because that $900 million that I'd have to go generate enough revenue for the next 3 years to pay back for the multiple I pay. I prefer to have a team that has worked for 4 or 5 years, built a great product, a product market fit, has $2 million to $5 million, $10 million in ARR to show that they've actually got customers that are going to pay for their product. That's a wonderful sweet spot for me to go acquire them because I have a go-to-market machine now, which I can go in just and integrated product into and amplify 2,000 sales people on the field. So we prefer buying product, not revenue.

And we want to look at areas which have long-term large dams. So cloud security is a large TAMs. So cloud security has a large TAM. IoT has a large TAM for the amount we pay. We paid $75 million to buy Zingbox. We think if 10,000 customers pay us $52,000 each, that's $500 million, right? So that's a nice return on investment on a revenue basis. It may take us 3 to 5 years to get there. But anytime I can put $75 million to work and generate $500 million of revenue with low go-to-market cost and low friction, I'd like to do it.

And that's the only exception, that if we can attach it to a firewall, then we'll buy things which are in red oceans. But because our go-to-market, to illustrate that, we launched a product called DNS Security 6 months ago. We attached to our firewall as we get approximately 2,000 to 3,000 customers a quarter. We, in the last 2 quarters, have attached to over 500 firewall sales with one salesperson. Actually, one go-to-market person. That person generated 600 firewall attaches by purely educating our sales team going on in selling. I like that return on investment.

Walter Pritchard

Yes. Yes. Got it, got it.

Nikesh Arora

So that's our strategy. So don't expect us to go out and buy large cybersecurity companies. We prefer competing against them.

Walter Pritchard

Got it. One other thing I get a lot of questions on from investors and there's been a lot of CRM coverage, sell side coverage. There's been -- you came in as CEO and there's been a fair degree of turnover within the company. Can you talk about the management team as it stands today sort of how you're sort of pushing that to evolve and maybe just a broader employee population given you're evolving from an appliance-centric hardware business to a business that's going to be 1/3, at least 1/3 these software products over time?

Nikesh Arora

Yes. So I think that's a good question. Look, we were a 92% firewall or firewall attached business when I walked in 1 year ago. That means our DNA is to have appliances. How do you make sure the boxes get out in time? How do you revenue upfront? It's the whole DNA of the company is set up to sell hardware. As many of you know, it's hard to change DNA quickly in a company who's been doing something very successful. 11 years of success and 11 years of competing with Fortinet, Check Point, Cisco. All these guys are actually building the largest firewall business to supply it in the way people did things.

Now you've got to make sure you can build category 2 and category 3 products. So I'll give an example. When I walked in, we bought a company. We discombobulated that company and put it functionally into different teams. Now remember, our product development structure was a hardware structure. So QA is a very big part of product development and hardware because if you send a box out which has a bug or a flaw, you've got to call all the boxes back. That's not a good outcome in any hardware business.

So QA is very important, very, very critical and takes a long time. We took a software company and put it in the same model. You can spend 2 months doing software QA. Your developer is sitting, twiddling their thumbs, saying, okay, hurry up guys. Do you like my code? I only got version 7 of what I gave you 2 months ago, right? So we discombobulated the software business and tried to put them into a hardware model. We can't do that. You have one software business that's different than a hardware business and appliance and go-to-market. How do you sell software versus hardware?

So we have to make sure we were creating a new motion across the company on customer success and go-to-market, on product development, which is more akin to the two platforms we're trying to create as opposed to the hardware model. That requires different DNA. We've added about 15 -- or we have about 1,500 people in Prisma and Cortex out of 7,000, which is to be much smaller number. We got about 1,000 last year in that space, which is effectively DNA across the entire stack from all the way from entry level, all the way to senior management. But we had to make the management DNA adapt as well to this new place we want to be.

So part of the evolution you're seeing is you're seeing us bring in management who understands the different places we want to play in and none of the transitions that you read about are surprises to us. These are managed transitions. There's a logic why these happen and the timing of these.

Walter Pritchard

Got it. I'm going to pause a second and see if there's anybody out there that has a question. Yes, there's one in the back.

Unidentified Analyst

Yes. Thinking about on the last point in terms of go-to-market and channel strategy. We have seen some conflicts in February. We've seen some very hard phrases from channels in the Internet.

Walter Pritchard

I'm sorry, what?

Unidentified Analyst

You have seen some very harsh phrases from channels. What happens since then? And what's your philosophy? Do you prefer to basically do the writing for the long term and sacrifice the short term, meaning, getting into more conflict with the channels for the sake of cloud sales model? Or the other way around, you say, hey, I want to get to the quarter if that means that I will delay my strategy transition to the cloud sales model?

Nikesh Arora

Yes. Thank you for the question. I've read a lot of analysts notes, and there has been a lot of consternation around that topic. We had a customer advisory board last year in February, where we talked about the cloud model, how the cloud model is evolving. As AWS, GCP, Azure require you to list your cloud products in their marketplace and sell it to their marketplace, they have no role for a channel in that model.

So I think we shared that with the customer advisory. That got taken and blown out of proportion. And we're still sort of talking about it 1 year later. I put up a slide yesterday to show that over the last 2 years, 99% of our business comes directly to the channel or through the channel, which hasn't changed. And the more important part I showed yesterday was in the last 2 quarters, we've done a lot of work with the channel, and our channel originated business has gone up by 300 basis points. So 42% of our business now is originated by the channel and many of our large channel partners are growing literally at twice the rate of our revenue because the amount of impact they have.

So look, channel is an important component of doing enterprise sales today and in the future. Channel is struggling with their own challenges. In cybersecurity in the last year, there is a strong surge from telcos and system integrators. So Accenture, Deloitte, PwC are building very large cyber practices. AT&T has a very large cybersecurity practice. Verizon is building one. So Telefónica has got one. So what's happening is because these people have realized the big shift to the cloud and cybersecurity, they're building cloud consulting and cybersecurity practices because both have a consulting arm as a managed service piece. So channels got more challenges from that vector as opposed to us wanting to change our models like that. I'll give anybody the 12% or 18% they need to sell more of my product. I'm not trying to be a different enterprise company.

Walter Pritchard

Just another topic I think came up yesterday was highly anticipated into the Analyst Day yesterday was some of the financial parameters. And you gave a very clear, I think, 2022 path. One of the debates was around cash flow and companies' stocks have been valued on cash flow basis. And much of the sales come in as customers make three year commitments and to a high degree pay three years of cash upfront. The notion, you look at the SaaS world, a lot of customers pay you at a time, and you talked about consumption-based and so forth. You gave some very clear parameters. But as it relates to how you're running the business, what changes are you making that will impact sort of the way cash flows through? And how do you have confidence in the scenarios that you put out given the amount of changes going on within the business?

Nikesh Arora

Yes. So thank you again. So we generated approximately $1 billion of free cash flow this year. We expect to generate over $1 billion a year over the next 3 years. We've set out a target that we will generate $4 billion of free cash flow over the next 3 years, right? So look at that out there. If you look at our products, the firewalls sold cash upfront, subscriptions have sold roughly in 3-year bundles cash upfront. Some of the newer cloud products, they're more 2-year deals as opposed to 3-year deals on average on Prisma Cloud. Prisma Access is again a 3-year bundle because it gets compared to firewalls. Cortex XDR is kind of like firewalls because it's firewall data and endpoint data. Again, 3 years.

So when you look at it, in the last quarter, we're going through a very rigorous analysis whether we should become an ARR business and go to analog billing model. Our Board wanted us to take a look at it. I looked at it. And honestly, the rationale I think was the market gives better multiples to ARR companies. But we're not an ARR business. We're a hardware business, 87% of it this year. And I like cash flow upfront. It's phenomenal. Like people pay you upfront for 3 years in cash. It's stickiness. You paid me but you'll have to use my product for 3 years. And if I create products that are good enough, then you will come back and renew it. And our renewal rates are in the high 80s across our products. So why would I go to a shorter duration, give up cash, take a big hit from my operating margins for the next 2 or 3 years because my revenue is going to change for what, to get a better multiple 3 years out? I think we can get a better multiple growing our business at $1.8 billion of billings.

The other problem of going -- changing our model is -- and it took me 3 months to figure it out. And Kathy, our CFO, has already done this analysis before for the Board but the Board tried a new guy. So the new guy had to go and analyze it again, and I did it. And I learned right off my sales guys. The sales guys said, look, Nikesh, I'd go to a 3-year deal upfront. I will get paid commission on a 3-year deal. You ask me to do a 1-year deal, you're asking me to do 3 times as many deals to feed my family the same amount of money I've got last year. You're making my job three times harder. You sure you want to do that? The one thing I learned in enterprise is do not move the cheese around with your salespeople. It changes -- you don't know what impact you're causing. Cause-and-effect are not easily determined if you take 700 sellers and move their cheese another two months.

So as a consequence, we said we like the way our business runs. We can run to it. We can run it. Cloud is naturally going to be two year deals. So we've said we expect an erosion of duration by about 10% over the next 3 years. Our duration is in the mid-30s. So 10% duration still keeps us in the 30s. 30 months, 31 months, something like that, 28, 29 months, somewhere in that range. I think that's fine. I think that allows us to stay and generate $4 billion free cash. We have approximately $3.8 billion of cash in our balance sheet. So 3 years from now, we'll be sitting and some of that will be used for bolt-on M&As as we've described. So we're happy about our cash flow.

Walter Pritchard

Got it. Any other questions in the audience here? Happy to entertain if somebody's got one. Maybe I'll move on to another product area we haven't talked as much about, but there's this idea, there's the existing SIM market, which sort of aggregates all your security events, puts it into one place ideally and then you can take action from, respond to incidents and so forth.

You've unveiled this idea of the Cortex data lake. And can you talk about on the sort of backdrop of that existing SIM market, what you hope to accomplish in that market? And what convinces you that you can take share in that space?

Nikesh Arora

Yes. Look, we fundamentally believe the SIM market is broken and the architecture to sell security is wrong, right? The current SIM model is you take a lot of data and put it into a large data lake. There's a lot of unstructured data. There's some very successful companies which have made a living out of it, large market caps again. You collect all the data. You put it in one place. You get paid a lot money for it.

The challenge in collecting all the data without normalizing it that you can't do much with it because you can't run analytics against a normalized data set because an alert from Palo Alto is different from an alert from Check Point. It's different from a log from your IDS device. So how do you make sense of that?

So then you run analytics software against it. Analytics software choose certain data sources, normalize them, the ones that they understand, and get you to decide what you do with the rest. So SIMs take all these alerts, put them into a large bin, you look at it and then you write rules and say, hey if it's a phishing alert, put it as priority 1. If it's this, put it as priority 2. So you write your own rules.

That's a lot of manual labor, a lot of policy-setting against an alert. So you get an alert because you got a policy. Then you bring it to a SIM, you got another policy to prioritize the alert. So there's tons of manual labor. It takes between 4 days to 157 days to remediate an alert as target. They saw the alert. They didn't pay attention to it because their rules didn't rank that alert high enough. And if I'm a bad guy and I understand how SIMs work, I want to stay under the radar. I will be always below you 58% of the time. So the only way to sell security in the long-term is to make sure you look at every alert and either decide it's not important actively or you decide to investigate it. You can't do it today. A company gets 174,000 alerts a week. You've got to remediate.

So what we've decided is we are focused on alert elimination, if that's a simple way to think about it. Demisto, which we acquired, reduces alerts by 50x. So we can walk into a company and say, we can take 175,000 alerts, automate them and take them down by a factor of 50, right?

Then our XDR product goes in and takes our data from Palo Alto data. On average, we can reduce it by 8x. And so you take Palo Alto firewall alerts and endpoint alerts and VM alerts, put it together, stitch it and say, okay, these are actually 1/8 because it's the same event triggering. It's like you're having a mouse running around and triggering trapdoors around your room, and there are 14 trapdoors. One mouse can trigger all 14 trapdoors, which ends up in 14 alerts. And if you don't know it's the same mouse, you're sitting and looking for 14 different things that are happening, but actually it's one mouse.

So the key is you've got to be able to stitch these. You've got 14 different vendors, you have to figure out how do you make sense it's the same mouse and it's not 14 different alerts. So we're going after alert elimination, and we're doing that through automation at Demisto, where we use playbooks, where customers write their own automation. We can work that automation to AI over time as we get more and more experience, our customers do it. And we're only collecting data which we believe can be normalized and analytics can be applied to it. So we collect our own data. Yesterday, we announced we're going to collect third-party data with all firewalls. Hopefully, that trend will continue. We'll keep normalizing more and more data. So we'll build out the security use case for the next generation software, if you will, which is effectively Cortex for us.

Walter Pritchard

Got it. It looks like we have a question in the back there.

Unidentified Analyst

What are your thoughts on e-mail security? Is that relevant to Palo Alto at all?

Nikesh Arora

Look, e-mail is the largest SaaS application in the world, right? It's bigger than Salesforce, it's bigger than Workday because we all have e-mail. That's effectively a SaaS application, and it is a large repository of threat data because a lot of the malware comes from e-mails, a lot of the attacks come from e-mail. It's a great market. We like the data that comes out of it very much. We have a partnership with the last company that's up here, where we share data with them and Wildfire. We use that. We use it for phishing attacks. I don't have a next-generation e-mail security talk in our team in terms of what we can do. My customers are perfectly happy buying it from Proofpoint or Office 365 or G Suite. I can add value to it. So shall I go spend $7 billion and make ourselves a $27 billion company? You guys can buy both stocks individually if you want. So I don't have the value. I can't bring enough synergies and value. And I've never seen a company do a value play and a growth play at the same time successfully. So it's either you're a growth company, you're focused on building new markets and generating $1.8 billion of new billings and new categories and changing the world; or you're a company where you're supporting 3,000 salespeople and doing PLAs and say, buy my chips, buy your chips from me, buy your consulting from me and now buy our security. It's kind of the Walmart strategy versus the other one. So we're going to stick to the break new ground, change the world and let other people clean up the messes of the past.

Walter Pritchard

Any other questions out there? So Nikesh, I want to ask you about you haven't even in security market for 15 months, 14 months. There's, I think, probably more macro cross currency out there in the world. Generally, there is this sort of same or more malicious threat environment now as you had before. How do you think about you look at the space, you look at your business, economic cycle has gone up for a while. How do you think about the risks from a macro perspective, the climate we're in right now? And what are you doing as the CEO of the company to help plan for that contingency and so forth?

Nikesh Arora

So look, from our perspective, we don't see as much of a macroeconomic risk to our business over the next 3 to 5 years. Maybe on the margin, 100 basis points, 200 basis points, but we don't think it has a big impact. Because when you look at it, right, I think technology is going to be an existential issue for most companies in the next 10 years, right? If you're competing with Uber, you're competing with Airbnb and you're a hotel, you're competing with some of the tech-enabled new businesses, you have no choice. You have to go stack up the tech or back up the truck and technologically make yourselves leading edge because you're not going to compete with Amazon if you're not deploying everything in e-commerce. If you're not in AR/VR and you're a Walmart store, you're going to have to figure out how to.

So I think the generational shift in the tech spend is so much more overwhelming than the macroeconomic impacts, and I don't think tech spending is going away in the next 10 years. And you guys might have a different view. It may have marginal impacts in certain companies, one.

Two, we don't have a lot of businesses in China. We don't make our product in China. Our products are made in Milpitas, California because if you make your product in China, it causes consternation in the security industry. So we're making it all here in the U.S., right? So we don't have that impact. So we feel like on a macroeconomic perspective, our business is reasonably sort of protected, less impacted. From the margin, there's a 100 to 200 basis point change. I think we're more protected than most other companies, which might have a larger impact.

Walter Pritchard

Got it. Got it. Last question before we let Nikesh go? All right. Well, Nikesh, thank you very much for coming despite your busy schedule.

Nikesh Arora

Thank you, Walter.

Walter Pritchard

Thanks, everybody, for coming.