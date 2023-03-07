Palo Alto Networks, Inc. (NASDAQ:PANW) JMP Securities Technology Conference March 7, 2023 1:00 PM ET

Nikesh Arora - Chairman & Chief Executive Officer

Trevor Walsh - JMP Securities

Trevor Walsh

Good morning, everyone. Really happy to be hosting our keynote presentation for the day today on day two of our conference. And really happy to welcome Nikesh Arora, CEO and Chairman of Palo Alto Networks to the stage to have a conversation with us. Welcome.

Nikesh Arora

Thank you.

Trevor Walsh

Thanks for being here. Nikesh, if it's all right, I'd like to just read through your bio first, just to help kind of set a framework for kind of maybe some of the things we will talk about and just give maybe the folks in the room that don't kind of know your full history, give them -- the summary.

Nikesh Arora

Sure.

Trevor Walsh

Terrific. Nikesh Arora joined as Chairman and CEO of Palo Alto Networks in June 2018. Before joining Palo Alto Networks, Mr. Arora served as President and Chief Operating Officer of SoftBank Group. Prior to that, he held a number of positions at Google, during a 10-year span, including Senior Vice President and Chief Business Officer, President of Global Sales and Operations and Business Development, and President of Europe, the Middle East and Africa. Prior to journeying Google, Mr. Arora held the role of Chief Marketing Officer for the T-Mobile International division of Deutsche Telekom. He was Chief Executive Officer and Founder of T-Motion PLC, which merged with T-Mobile International in 2002.

Mr. Arora serves on the Board of Richemont, a public Switzerland-based luxury goods holding company; and as well as Tipping Point, a non-profit organization that fights poverty in the Bay Area. Previously, he served on the Boards of SoftBank Group, Sprint, Colgate-Palmolive and Yahoo! Japan, among others. He holds a Masters in Business Administration from Northeastern University, a Masters in Finance from Boston College and a Bachelors in Electrical Engineering from the Institute of Technology at Banaras Hindu University.

Again, great to have you.

Nikesh Arora

Wow! You read that out loud. All right.

Question-and-Answer Session

Q - Trevor Walsh

So Nikesh, lots to talk about. But I thought as we normally do when we have keynotes at the conference, we start a little bit with about -- just about your background.

Nikesh Arora

Sure.

Trevor Walsh

And kind of how -- just get into your head a little bit. And I was noted when I was going through your bio that you took the easy path of being EE as a bachelor. So clearly a glutton for punishment. But in all seriousness, do you -- how do you think that more technical scientific background has kind of been leveraged or come into the various roles that you've done and kind of throughout tech?

Nikesh Arora

Well, you missed the part, I actually tried to do what you guys do for a living did last long. I worked at Putnam and Fidelity for a few years, and I figured it's much harder to figure out what's going to work that's supposed to try and make it work.

So technically, it helps. Look, every role that I've had had some element of technology. So even what we do today in cybersecurity, it's very hard to figure out where we should go as a business, if you don't understand the bits and bites that flow through everything we do, or if you got to invest in the Internet business, if you don't understand what the Internet's about.

So my most recent area of incompetence is AI. So I'm working hard to figure out how to -- how all this stuff is going to change our lives. No, but it helps to have that grounding.

Trevor Walsh

How you -- whether it's been at Palo Alto or other roles, how do you kind of maintain that technical -- on the product kind of and services side of what you guys are doing? Do you have kind of certain folks you kind of lean on to kind of get smart on things? Or do you do a kind of self-study? How do you maintain that kind of technical know-how with the products?

Nikesh Arora

Well, 4.5 years ago, when I came to Palo Alto, I didn't know what cybersecurity was. There are some people in the industry will tell you, I probably still don't know what it is.

I would spend my morning drive talking to our Founder, and then I would spend the evening drive getting therapy from my Chief Product Officer about everything my Founder had told me, which I didn't understand. So between the two of them, they keep me honest. And then with Walter's help, I must have seen north of 350 cybersecurity companies and their management trying to understand what they do in an attempt to make sense both of the industry and also what are the areas we need to work on. So we end up buying 17 of those, so that was helpful.

But I guess it's been a journey of trying to understand that. And we still maintain not that pace, but a similar pace with Walter and myself, meeting a whole bunch of companies in any area we believe is interesting for us. And most recently, I've been spending my time reading every company's attempt to team the AI dragon. Everybody's got now. I think about yesterday, HubSpot announced that they have something called Chathub.ai. I think Marc Benioff said, Salesforce is going to have it, AI bot, you can talk to and get data from. So everybody is chasing the AI dream.

Trevor Walsh

Yes. Indeed. We'll, I want to get into the kind of AI/ML stuff around particularly to Palo Alto and kind of what you're doing kind of across the platform with it. And you've made some, I think, good commentary in the last earnings call kind of around that. But I'll say that I want to get ahead of myself.

You've done obviously a lot around as far as roles within orgs and leadership positions, marketing, operations, et cetera, either at Palo Alto now or even before, are there particular functions within the business that you find yourself kind of gravitating towards or kind of more passionate about? Or is it more CEO many hats?

Nikesh Arora

No, look, I think when I was at Google, I remember a conversation that I paid and Steve Jobs and Steve's alive and Steve told Larry that Google was not going to be very successful because Larry needed to learn how to focus. And Steve showed you the power of focus on product. We could say it's one of the most amazing product development companies in the world for what they've been able to achieve.

But Larry proved him around the other way, Larry had a whole bunch of products at work. And as a consequence, I suspect both of them are equally valuable in terms of what they've been able to build. But the underlying lesson from both their conversation was, if you're going to work in technology, you have to constantly focus on the product. If you don't focus on the product, eventually companies die.

So whether I like it or not, I spend a disproportionate amount of my time creasing product, people working with them, trying to figure out what they're working on and whether our product is resonating in the market or not.

Trevor Walsh

How much, in those conversations, do you take it kind of externally with mean you're obviously talking with customers all the time. But how do you kind of balance sort of what your internal folks are saying and helping them to get out of their bubble because you don't know what you don't know? And how does that dynamic play out in terms of…?

Nikesh Arora

Well, the proof of the pudding is in its eating, right? We are in a very competitive market, and you can be mark-to-market every day. Every deal that's out there, you're competing with either Zscaler or CrowdStrike or Fortinet, or firewalls or Exabeam, Splunk in the SOC business or [where’s some cloud]. So there's competition out there, and our product team can tell me whatever they want, when I find out that they lost a deal to somebody else and it wasn't for price or it was for some product feature, then they're telling me something that they haven't worked out.

So the good news is when you work in a highly competitive market, you're getting feedback every day. And our teams are aware of that. They work on it every day. We've been fortunate to be able to have transformed into many different swim lanes of security and beginning to see product market fit. And some we have more work to do than the others, a little less. But again, the industry keeps changing. So we're going to be on your tools now the big thing not to belabor it, but we have an internal AI summit in a week or two. Every product team is supposed to come back and write down how AI is going to change the future of the product, not where they're going to embrace ChatGPT or not, which is it seems part gimmicky to some of us, I suspect. But there is a lesson there. So the question is what lessons are you taking from it? And how are you going to adapt your thinking and your product philosophy to adapt to this change in the market.

Trevor Walsh

Yes. Maybe one last question around just your history and experience. What was -- do you think you're kind of -- of your 10 years -- 10 or so time at Google, what was the single biggest lesson? You mentioned one of kind of a good story or anecdote around that with Steve Jobs. But just overall, what do you think you kind of gleaned as the most important takeaway?

Nikesh Arora

I guess the best thing it teaches you, you want to be in a growth market. You want to be in a market where things are growing. I don't think I sweated any quarters when I was at Google. I must have done 26 quarters -- quarterly calls when I was at Google as Chief Business Officer. I don't think I said it one of them. You could tell every day what the revenue is going to be.

And if it wasn't going to be, then you couldn't do much about it because it meant people weren't searching for the keywords and sold those keywords. So it's a great business to be in, and you're spending all your time figuring out how to scale the business on a global basis and the demand was there. So it was a wonderful lesson in scaling.

And when you come to a place like Palo Alto, then you sit down, I wonder how do you scale that business? How do you take it and scale it because I think cybersecurity is as much of a growth market as any other market on the world.

Trevor Walsh

Yes. But as you mentioned, it's changing fast and a lot.

Nikesh Arora

Yes.

Trevor Walsh

So it's a lot to keep up with. So that's a good segue. Let's dig into Palo. And what are you excited about for '23? Maybe it's AI when it fits that, that's okay. It doesn't -- I would say that's probably not it. What's...

Nikesh Arora

I think at an abstract macro level, and I'm sure everybody has heard this in some way, shape or form. But is not new news, the world is going through a huge technical transformation. And I was talking to your CIO this morning, and he's going to go transform to the cloud. He needs another two years to turn everything upside down go to the cloud.

So I think it's not a secret. Everybody wants to go to the cloud. You're going to see most companies going to -- pretty much every large company, Fortune 500 or Global 2000 you talk to, in some way, shape or form, they're going to the cloud. So they're going to use technical transformation at one end.

Two, even before the conversation around AI, every company is going direct to consumer, one way shape or form, right? Everybody wants to get more engaged with the consumer. They want to have apps. They want to engage with the customer. Like normal retail stores, which used to be used to walk in, bought your stuff chose a credit card, now they wanted to engage in the app. They wanted to give returns on the app. So they've got a whole IT department working with them in the customer engagement piece.

So I think -- it's needless to say, every company is going through a lot of -- that is embedding a lot of technology in their business. Technology is becoming a critical part of the business. They're collecting a lot of consumer data, which means they are now susceptible to bad actors getting access to that data. I think yesterday, the City of Oakland had some data, which was released on the dark web because they hadn't paid their ransomware bill. Guess what? Ransomware is up on the rise again, right?

We're seeing more cases now than we were seeing a few months ago. So this is a perpetual problem. It's not going to go away. Nobody's plugged the holes. Like you can sit in a remote country from here. You can go get paid in Bitcoin. You can ask them between $5 million to $20 million, you're going to get paid some amount of money for a few days of labor.

And what it does is it causes havoc in a company over here and everybody has to go upgrade their entire technical stack. So I don't think cybersecurity is going away. I think cybersecurity is going to be here to stay. I think there's a lot of technical debt we have not paid in the cybersecurity space. Cybersecurity -- cyber risk is now the #1 enterprise risk for companies, one that they can try and manage, excluding pandemics, et cetera. So it's a growth market.

So in that market, with the huge technological change that is going on, now with the advent of AI, the people are using AI to write malware. We're testing in our labs. We're trying to figure out if we can write malware and go protect ourselves against malware written by ChatGPT. So try doing that, right?

So I think, unfortunately, that's a gift I will keep on giving as long as we keep going down the technology transformation path. So in a way that's exciting because it allows us to be a mission-driven business. We're trying to protect our customers, and we're going to go out and build great cybersecurity solutions to our customers.

I think the big difference in what we're trying to do at Palo Alto is, I was saying this to a bunch of investors earlier, there has been no security company, which has been in a single swim lane that has stayed evergreen in past a decade. So there was the endpoint companies, there was the firewall companies, there was the next generation of SOC companies. Nobody is actually a driver of swim lanes and been alive past a decade in a way that people want to keep their money in there. I think we are the first company, which has been around for 17 years, which has reached a market cap of $57 billion by reinventing ourselves and being in multiple swim lines. Today, compete in XDR with Microsoft and CrowdStrike with SASE and Zscaler and Netskope in cloud with all the upcoming cloud companies. We are ahead of every one of them and firewalls with Fortinet, Check Point, Cisco. So we are now a player in multiple spaces. We need to consolidate the market. And our aspiration is to stay evergreen and keep innovating so that we can be around probably a few decades.

Trevor Walsh

That’s a perfect segue for me. So thank you. The consolidation story I think is becoming just more prevalent now in the last call it 12 months just with the macro and customers looking to produce ROI with whatever they are going to additionally be spending on or whatever -- just simplifying their stack. Everyone is talking about it. I think you alluded to it just now. But how maybe as you look at those there product pillars and the swim lanes that you have established, maybe why is Palo Alto -- maybe it’s a function of those three that you have chosen, why is that the best kind of consolidation, why those -- I guess why those three swim lanes if you will?

Nikesh Arora

Well, I think the Trevor it’s kind of interesting. Five years ago, when I started in this business, the industry wisdom was customers don't want consolidation. They want best of breed. Everybody I talked to whether it was a sell side or the buy side, they told me, look at the industry, there is no consolidation that are best of breed companies that are doing really well, they are worth $10 billion or $15 billion or $20 billion. My thesis is somewhat different. I don't think we as an industry gave the customer a choice to consolidate with great products on the other side. As always, you had a great endpoint product and you bought a somewhat mediocre product for CASB or somewhat mediocre product for something else and you try to bundle it and sell to customers.

Like, I don't want bad stuff. If this stuff doesn't work, and we get fired, because it's a security, security is going to be good. So we took a slightly different approach. We are now in 13 leadership quadrants on the right in our product capabilities. So we can give you best of breed, but we can also make it work together and we can compete individually these players out there. So from that perspective, why in these swim lanes we are in because that's where the puck is going. Like SASE is a huge growth market, I think it's going to be a market that's going to keep growing for the next few years. Cloud security is going to be a huge market for the future. And I think the one big bet which we announced and we made in the last few months is, we think the entire SOC is going to get transformed.

The SOC is 15 years old. Nobody has built any technology to transform it. People have been sort of feeding the old model of ingest a lot of data, accumulate the data, try and run analytics against it. That's not the new world. And guess what? And AI has been the tipping point, which has made it apparent and we can go down that path as we want to, kind of fill in a minute. But think that's where the next big opportunity in cybersecurity is, and we are positioned with our XSIAM product to chase that down.

Trevor Walsh

Let's go down that path. You've made comments I think that I thought were in your way, humorous, and I am being a little sarcastic, but very true that we are all in a kind of a frenzy around ChatGPT and AI. But if you look at kind of the messaging, at least, of security, last five, 10 years, AI and ML has been upfront. Now, whether or not that was kind of real or fluff, it could be debatable, but we've certainly been talking about it within cyber as far as the benefits of kind of all the data and using the power of those technologies to help kind of reign that in and make sense of it all. So not necessarily anything new. Are we at, I think with -- are we at some sort of new inflection point in terms of AI do you think?

Nikesh Arora

Yes. Look, I discovered ChatGPT when I was on my way to India to go do a graduation speech at my university with 37,000 people graduated. And I was doing a bunch of research and I ran into ChatGPT that weekend. So I was on -- sitting in Dubai waiting to catch a plane eight hours later. I spent hours on that thing, and I analyzed that in 1989 when I graduated, I programmed an ICL1904. For those of you who are not old enough, don't worry about, it's a very old computer, which can barely code.

Today, these two phones I carry have 10,000 times the computing power off the computer I learned how to program on, 10,000 times. And that was 30 years ago. Imagine if ChatGPT was 10,000 times more powerful than 30 years, what would it be doing? I don't think it's going to be 10,000. It's going to be 1 million times more powerful. That's what Jensen say is in 10 years. If it's 1 million times more powerful, what would it be doing? So I think what ChatGPT is, I think people already called it, I claim I called it first. If you go back and what's that graduation speech, I was the first one to say, it's the iPhone moment of AI. I think, everybody's discovered AI. You've never seen a 100 million users go flock to any product in two and a half days. You've never seen in a grown men or women running large companies go and embrace it as if like it's the flavor of the decade. Like suddenly every CEO's announcing a ChatGPT type clone where it's going to get embedded in their product.

Now if you step back and parse it, what has ChatGPT proven to us? It has proven that a lot of data got processed. That data allowed a large language model to learn, and then allows it to predict what the answer needs to be for what you're asking. It shows you a bunch of creative stuff, which is interesting, but it also shows you if you actually had accurate data in there and you had AB testing, you knew what good was or what bad was. It'll tell you what the right answer is. We're dealing with the creative side of ChatGPT right?

I imagine if you knew AB what is good, what is bad. In security, we know AB, we know what causes a breach. We know what doesn't cause a breach. If I can train the data against this large language model, I can actually predict an attack and stop it, right? There's a bunch of stuff that we've been doing that. Why has it not happened so far? It’s great. You get it. You've been working on AI for 17 years, unsupervised, supervised learning, and unsupervised for 12 years. Why has it happened? It hasn't happened because we don't have good data. Companies don't have good data. That’s why we have good data. We put it in Splunk. You put in Exabeam for the log data like, well, it's not good data, because you collected from 40 different vendors. The vendors don't talk to each other. I don't know how somebody else collects their data. The question is, how can you get normalized security data in an enterprise which you can trust? So our product, which we launched four months ago, does exactly that. We've been working for three years. That product's job is to collect all the data and enterprise between our firewalls and the endpoints.

Firewall and endpoints make up 85% data in any enterprise for a security use case. If I have access to 85% of good data in an enterprise, I can run AI against it, and start doing real time security. Today, all security is set up as post breach analysis security. So I think AI is huge promise. I think it's going to transform our industry. It's going to be an arms race, no pun intended, to see who we can get this order faster.

Trevor Walsh

How do you -- around that data piece and kind of -- Palo Alto has a lot of sensors to go and grab like, as you mentioned, the firewall, the endpoint piece. How do you play nice in the sandbox with others? Because invariably, yes, there's going to be maybe platforms within a stack, but there's going to be multiple tools because security guys want and gals want redundancy. They can't rely on one thing because that's just…?

Nikesh Arora

That's the fatal flaw. They're going to have to rely.

Trevor Walsh

Okay.

Nikesh Arora

They're going have to rely. I think part of the problem -- part of the reason we are in this mess today is because you have 40 different security vendors. Here is a very simple thing. You deploy 40 different security vendors in enterprise, guess who's responsible for security? You. Because I don't know what the other 39 are doing. I don't know how you configured them. I don't know if you're using them right. It's too complicated. There's -- not every CIO and CSO in the world is so smart, they can understand 40 different vendor products, understand how data is manipulated by all of us, do real-time analysis against them and stop a breach in action. It's impossible. It is -- it defies the laws of physics.

So I think those days should be over. The only way to get done right is that somebody collects all the data, analyze it. It's analyzed by computers. At that point in time, they figure out where the behavior analytics is -- so I'll give you an example. SolarWinds. Solar winds, a big attack. We had a SolarWinds -- we had 18 SolarWinds servers at Palo Alto, right?

We buy -- good IT people, our IT team said, "Oh, new software upgrade. Let's upgrade the software." Which is what you do. As a good security company, you upgrade your software, keep it to the most recent version of software, an upgraded software. And we saw some unnatural activity. The unnatural activity was the SolarWinds servers trying to connect to command and control server in Eastern Europe. Now SolarWinds server should never connect outside your company. That's how it's architected. We had an endpoint sitting on the server like we do on every Palo Alto product, which recognize this abnormal behavior. It was configured to shut down abnormal behavior. So we shut it down. We didn't let that SolarWinds server connect.

Now if we had instead collected the data -- behavioral data, put it into a large data lake and put people with SQL queries trying to analyze what's behaving abnormal and say, "[Expletive], you're trying to behave normally yesterday, I should have shut you down. It was too late. So you can't do post-breach security. There's a ransomware attack in progress a few weeks ago. The entire time from initiation until the time they extracted petabytes of data was 14 hours. They went into a company, they took out the data -- terabytes of data in 14 hours. If you hadn't stopped them just -- the data's gone. You show me the current security architectures that are designed to protect that kind of behavior, they're not, right?

So everybody have to get there. And until you do, there's a -- the sad part is if you got breached last month, it doesn't mean you can't be breached again next month. It's not like a COVID vaccine. In fact, COVID, you can get us in 12 months -- in one month. So even that period doesn't work.

Trevor Walsh

Yes. Well, so they only need one tool, one -- as a…?

Nikesh Arora

They will need a coherent architecture, which is designed to collect good data, analyze it and stop real-time breaches. I'm not suggesting we are the [indiscernible] and everybody should only deploy Palo Alto and everybody [indiscernible]. Please don't read that. What I was saying is you will need a much better security architecture which is based on being able to stop real-time threats. That's the new game in town.

Trevor Walsh

Can we talk SASE a little bit?

Nikesh Arora

Sure.

Trevor Walsh

Awesome. So you've talked about 15x opportunity within the firewall base, just specific to SASE, and that represents kind of on a per account revenue basis, 2.5x or so I think it was the latest number you guys put out. So -- and that's the largest kind of open pipeline, I think, for you guys. What are, in your mind, the top requirements, whether it's internal process-wise, go-to-market product for you to kind of capitalize on that opportunity going forward?

Nikesh Arora

Look, we've been in that business for three years in the SASE business. When I came to Palo Alto, we had 25 engineers working on it. Now we have north of 800 people working on it. We have an architecture which is now, we think -- for those of you who are -- everybody must know SASE, but not go these gathers security exports.

So -- but for those who are not, just two people in the room, basically, when you access your company's applications off your laptop, you're sitting here and accessing, you're going through some sort of connection to connect. You have two choices. You can connect to a VPN, which many of you probably do or you can use a SASE product to connect.

When you're connecting, you connect to one of two apps. You're either connecting to a ServiceNow or a Salesforce or a Workday, which is a cloud SaaS app or are you connected to a proprietary app in your data center, which is what you're doing.

Outsourcing that whole process of securing that traffic from where you are into your data center and back or into service non-back is effectively SASE. It's security and the network. The most important thing to note there is, for the first time, you're outsourcing the operations of your network to a security company. I don't sell your firewall and go way anymore and your IT department operates it, I actually run your traffic.

So when you log in, you're now moving to Palo Alto servers, and I'm running your traffic. And I'm testing everything against security. For that, it's very important that when you give your traffic to somebody, you know that I can be alive and I can function all the time, and I can give you 99.99% availability because if I can't, your business is sort of impacted, let's just say. That's the big shift in going from selling products to selling a service. We're actually selling a network service in SASE. I worked at Google for 10 years. And I'll tell you, they spend the most amount of money on building a network. They will give you five 9s of service, which is what we use.

So we basically said, we're not going to build our own network, we want to take your traffic and move it to Google Cloud or run on Google Cloud because they run a much better network than I could with a $7 billion revenue business.

But then we also did another thing we said, well, what if Google Cloud goes down? It does sometimes for a few hours, we hot switch you to Amazon. So running our product on Amazon and Google, and we hot switched the network traffic from one to the other. So I can give 99.99% availability. We believe that is the right architectural choice in the future.

Now we've done $1 billion of business in the last 6 quarters on SASE, where we basically taken large organizations. Our largest data last quarter was $45 million over three years. I'm not sold to $45 million firewall deals since I came to Palo Alto, sold last year -- last quarter in a SASE deal. Our SASE pipeline is the largest. I think a lot of companies are still under journey towards SASE. You're going to see that across the board. The U.S. government announced Zero Trust initiative last week. They said Thunderdome was approved by Department of Defense, the SASE project. There's going to be a lot of SASE.

Trevor Walsh

Do you -- it brings up a lot to unpack there, but probably what's I think most interesting is your point around security taking -- security company can take in control of the kind of the just the basic network?

Nikesh Arora

Operating, not control. Control is a dangerous word. We operated for customers.

Trevor Walsh

Right. Yes. You're -- but either way, you're moving into more of the kind of traditional operation -- just basic IT operation space?

Nikesh Arora

Network operations. Yes.

Trevor Walsh

Network. So how does -- there are I've dealt with it on the endpoint side in my prior life. There's always kind of -- there's different bureaucracies within an IT org between security and kind of -- how do you manage through those? Or what are you seeing, I guess, with customers in the SASE realm of kind of taking over some of those?

Nikesh Arora

Good customers, typically both the network team and the security team, are involved in SASE decision. They are. But the biggest question is, what is your break-fix process? If your CEO is trying to access an app on their laptop and it's not working, who do you call? And do you have the tools and capabilities set up that it's going to work and you can go -- you can troubleshoot it.

Trevor Walsh

How is the -- kind of from a sales field perspective, you have probably a lot of sellers that are come up and just selling security products. How is that transition over kind of having more of that operational discussion and taking some enablement there? How is that...

Nikesh Arora

What's interesting is I don't think there's enough of a network conversation yet on SASE, which is bizarre. I think there should be. I think customers should be demanding to see what your network looks like and how you -- what is your processes to come back up. What do you have to troubleshoot it? I think you will see more and more of that as more and more people deploy SASE and as it becomes more of a prevalent. But yes.

Trevor Walsh

You've alluded to it a little bit, I think also in your comments, but I mean there's obviously the two schools of thought around how you architect a SASE kind of offering, one using hyperscaler's public cloud and then versus proprietary networks, points of presence, et cetera.

Does the customer at the end of the day, if they're getting the same type of uptime and SLAs, do they necessarily care which one they use? I mean they can see maybe the risks of kind of one or the other, but at the end of the day, if the offering to them like things are up and running, and it's the same, do they care, I guess, is it make...

Nikesh Arora

They should. Because the only one way to find out if it's going to work or not, if it goes down. So the risk is if the proprietary network goes down, there is no recourse. You don't have a hot switch anywhere. If you're using a hyperscaler, I can do a hard switch, then there is recourse. It's the architecture that we've made, we think is going to -- it's more expensive to run it on hyperscalers than it is to run your own proprietary network.

But let's be fair. We're a $7 billion company, have 15,000 employees. Imagine we run -- we're getting in close to about 10 million end users we run on SASE. Imagine if that number goes at 5x or running 50 million end users at any point in time, I'm running a network in 150 POPs, 150 countries. One goes down, how am I going to manage it? That will become a network services company. We’re staying $7 billion company, which is we are the largest obviously getting to $7 billion. Imagine we're a lot smaller, I just think it's -- you've got to be good at one more thing. I think there are people who are better at.

Trevor Walsh

Do you think -- any -- what about kind of the Azure piece will that kind of that -- is there a need or a kind of a benefit of kind of partnering with them, too? Or what -- how is that in terms of the mix of the offering?

Nikesh Arora

Look, there are customers who demand that we reported to Azure, we will. We're not beholden to any one cloud. Remember, there is a cloud security stack, which we have, which works in the public cloud. And there's a network stack that they provide. As long as the network stack works, which it does, we can easily put the cloud security stack onto their -- which, by the way, we already run firewalls in all public clouds, including Oracle. So we can run firewalls in Azure today.

Trevor Walsh

That leads -- points a little bit towards Prisma and just all things kind of cloud security and shared kind of security models, et cetera. But maybe before we leap there, let's do a little bit of just talking about product line revenue and hardware.

You've had really great quarters of good -- really excellent performance on that around with this current refresh cycle. And you've spoken at length, I think, especially throughout last year, around all the different factors around COVID and supply chain challenges, macro pressures, et cetera, that kind of have influenced this current refresh cycle.

You've also made, again, in your way, very humorous comments around, I think, just -- and I'm paraphrasing here. The -- it's not like the firewalls at the end of their life are going to inflow or blow up and customers realize that so -- which I think is a good point.

And so I guess the -- lead to the ultimate question, do you think we will ever kind of given the change of the -- of this refresh cycle, do you think we will ever go back to kind of a “normal” type of cycle, I guess?

Nikesh Arora

What is a normal cycle? 5 years of running a security company, I don't see normal. I've seen pandemic. I've seen [indiscernible] beat the world down on interest rates. I've seen supply chain events. I've seen the great Silicon Valley hiring. I've seen the great Silicon Valley, which you call it, dehiring right now? Or what are they calling it?

So there hasn't been a normal yet. Like I think when I came 5 years ago, there was a general thesis that hardware was going to decline as people go to the cloud. The market has shown us some degree of seasonality because of all these confounding factors between supply chain and all the other stuff. So I don't think hardware is going away.

There are still some use cases or hardware. If you're running a large financial service organization, you're processing lots of traffic, you're probably better off running your own data centers as opposed to going to the public cloud.

And you see that already, most banks don't run their large transaction processing systems. They're not moving them to the public cloud. It's expensive, and they're not purpose-built for this thing.

So hardware still is the best solution for high throughput, low latency period than software. And that's why it's being used in most cases. And when you're running offices or campus or data centers, you're going to have a big box. The boxes are actually getting bigger, not smaller. In Palo Alto, we went to the cloud. Our box and our campus tripled in size because I see got to move all the traffic in and out of my campus.

So there is a use case for hardware is not going to go. Is hardware going to be growing at 30%, 40%? I don't think so. I think the underlying hardware growth is single digits. I think it's going to stay there for a while. In the meantime, there's also share shifts going on in the market because the whole paradigm was, let's get parables who bought like IT, let's get two vendors.

Today because the cloud is there, the customers don't feel compelled that I got to be in two vendors. As long as I'm on one vendor in the firewall, I'm in the cloud, I still have redundancy between the two architectures. So you're going to see consolidation on hardware, which you're seeing in the market.

There are a few share donors, there are a few chair-takers in the market. You're going to see hardware limp along at normal, perhaps in single digits, low single digits. And you'll see some of the, I'd say, confounding effects perhaps normalize in the next 12 months.

Trevor Walsh

Got it. Okay. Well, so if not normal then, that's fair. I get it. were there, I guess, maybe lessons that you've taken from this more recent not normal phase that you think you can carry -- whether it's supply chain or whether it will maybe help make you stronger kind of on the go forward?

Nikesh Arora

Well, there was -- it was supply lead times now feature weren't a buck because we weren't able to ship everything and the costs were too high. And now that everything is available and we can ship everything, the gross margins are higher.

So it's good, don't ship a lot of product when you're having to pay a lot for the cost of goods. I think we're beginning to get to normal. I think you're beginning to see across the industry that people are unwinding their backlog, things are normalizing. Supply chain prices are going away. Lead times are shortening forward there in the next three to six months.

Trevor Walsh

Cool. As far as the installed base, 60,000, give or take, firewall customers. How important -- and you've talked about again on the calls and as is other cyber within our coverage about just how it's easier to just generally upsell in this current environment than new logos. How important is new logo generation for Palo Alto for your kind of next phase of growth and your kind of mission to get to top of us?

Nikesh Arora

I think it's important to understand that the fact that somebody has our firewall does not make them walk up to me and say, "I'll buy your cloud because I have your firewall or I buy your SaaS because of a firewall. So for me, we've acquired 4,500 net new endpoint customers, which were not Palo Alto endpoint customers. We acquired north of 2,000 cloud security customers who were not cloud security customer. They were customers of Azure, GCP and AWS, not of ours, they might have been on the firewall side, but they didn't make them by cloud.

And so we bought -- we've got SASE customers who were not SASE customers. So we are acquiring net new logos in all these new categories that we have. It does help if you have a happy firewall customer where they have a good reputation, they have a relationship with us that allows us to open the door. But once you're in the door, you got to prove yourself again on the merits, which goes back to the whole conversation about you can't sell mediocre security products into customer bases because CSOs get fired for bad security products.

Trevor Walsh

Is there a particular subset of within either the pillars where, again, from a absolute kind of net new perspective that you're finding kind of if someone hasn't had any kind of exposure to Palo that you're kind of -- is it still firewalls? Or is it now kind of getting more into that SASE realm?

Nikesh Arora

There are more net new customers in SASE and XDR than there are in firewalls because pretty much everybody who wanted a firewall has one. So either they're existing Palo Alto customers or existing half follow-up to customers or there's somebody else's customer who's going to rip out somebody else's firewall and put us in.

So there are very few Fortune 500 companies being created in 12 months. It takes a while. So usually, they have a firewall that they need to place or they want. So they usually most net new logos are coming in the form of somebody who want to do a network transformation or somebody want to do a cloud transformation or a soft transformation.

Trevor Walsh

Yes. As far as just kind of market -- mid-market more down-market type of movements, can you talk to us a little bit about SASE's -- or excuse me, Prisma's ability, just given that it is a nice kind of robust set that you guys have built out, obviously, kind of over the last few years to…?

Nikesh Arora

Are you talking about cloud or SASE?

Trevor Walsh

On cloud, on Prisma side. Prisma Cloud, on the cloud security front, how are you finding -- just because, again, that breadth of offering is well developed and there's a lot of things you can offer is that how attractive is that for a mid-market business necessarily have an account that doesn't have the resources to?

Nikesh Arora

So I think it's important to parse the cloud security opportunity for a second. If you look at the combined amount of public cloud sold by the hyperscalers, the Amazons, Googles and the Microsoft the world, this is the hundreds of billions of dollars, right?

Rule of thumb, cloud security should be 2% to 5% of that spend on average. So we, at Palo Alto, spend close to $250 million a year. Our cloud security spend is slightly on the higher side on the 5% range, but we should be spending $10 million to $15 million in our own product because we use it fully to protect us of cloud security.

So that's -- in my mind, that's normal, right? To go back to your word normal. So if you believe that, that should be the amount of money spent on cloud security in a normal circumstance is not being spent today. And it's partly because most customers are not fully deployed, partly because people are using some sort of point solutions, partly because they haven't fully understood the impact of a cloud breach. So I think it's an industry evolution.

Now we see that our cloud security consumption goes up pretty consistently 40% every quarter -- 40% every year, quarter-over-quarter. So we're seeing a 40% growth in people deploying cloud security, which means we're seeing consumption in the market. We'll get to about $1 billion TCV in the next 12 to 18 months, which is a good start for us.

So in that context, I think we're early in the cloud security space. Having said that, if Palo Alto, which is probably in Fortune 500, #500, if you're spending $250 million a year in a fully deployed state, there's no reason why there shouldn't be hundreds of other companies in that state.

So our focus on cloud is on larger customers, which can spend $10 million to $15 million a year in the long term. We get a few hundred of those, that's real money. So we're really focused on customer acquisition, net new logo acquisition, expansion within the customer where we have 9 different modules.

And as I mentioned, our largest deal last quarter was $38 million, with one customer, which probably is the combined ACV of some security startups out there of one deal. So we'd like to do a few more of those.

Trevor Walsh

Yes, absolutely. Let's -- can we switch gears and talk about the new MDR offering a little bit.

Nikesh Arora

Sure.

Trevor Walsh

That would be great. Recently launched through Unit 42. And there's a lot of -- and really good metrics or performance around the inaugural MITRE assessment of those solutions, which is great to see. Can you just maybe walk us through or explain kind of what you thought the kind of primary drivers of you guys launching into that pretty fairly crowded field of managed security?

Nikesh Arora

Yes. Look, if you look at it, you saw this basic inflection point and end point companies where you had the McAfees, Symantecs of the world. Suddenly a whole new wave of EDR and XDR companies came about, they were 10 or 11 at their peak. I think it's consolidated down to four and possibly may even go down to three at some point in time, which tells you the market is competitive. We are seeing -- we have north of 4,500 customers in that space from a standing start. These are complex products. Customers would prefer if there was some but who came along with the product and allowed you to actually understand what the breaches were, what the instances are, what the behavior and analytics are telling you.

So there is a need in the market, especially for the midsized companies to have some sort of managed service. I think this managed service is an interim step before we get into this full-blown AI model requires a fully managed stock over time. those socks are typically managed by the IBMs, the Infosys, the Deloittes of the world. And you'll see that these MDR things will start migrating towards managed SoCs over time.

Trevor Walsh

Is there -- within either Cortex or with any of the pillars, is there kind of a thrust or a priority of effort around what you're kind of doing within the MDR in terms of which portion, I guess, of the portfolios you're leading with or that…?

Nikesh Arora

No, it's really -- so look, if you want to get into a detailed discussion, like the thing is, I think the XDR or the endpoint business is in interim state. I think eventually, it all converges on the slot. I think the MDR and the SOC spaces are going to emerge. It will become an AI game, as we started talking about in the beginning, I think right now, it's all crutches for people who are not able to deploy the capabilities where everybody capability. Eventually, you want an autonomous SOC. You want the stock to look at data, understand what the behavior issues are, not have to spend too much time configuring and running policies and watch bad access stock. That's what you want.

Today, we say, here's a tool, go configure it yourself, we figure it out, then it gives you an alert and have some people analyze the alert. See there's a problem about it. That's too much to DIY to your customers. You want to get to a place we're saying, I come in, I deploy the tools and I give you better security outcome. That's what you want. That's what XSIAM will do. That's what managed SOCs will do. For that, you will need consulting services associated with it. Long term, we don't want to be in the consulting services business. There's established businesses out there, they have different margin structures than ours. They want to be the product business, to build great products. We'll partner with consulting companies, they'll provide the full managed SOC. In the interim, we'll make sure there is transitory services allowed where we can manage endpoint response with our customers.

Trevor Walsh

Great. Cool. I'll open it up for questions here in a second. But just for maybe anyone in the room that's maybe newer to Palo Alto or kind of newer to the story or considering it kind of as a potential investment. Any parting words or thoughts that you might have for?

Nikesh Arora

Yes, I was -- I asked Walter this morning at 4:00 o'clock. I e-mailed him and he responded back at 4:30. Let's just remind me, again, where we have come in the last 5 years. We have in 5 years, just tripled the revenue of the company, we tripled the EPS. We started a 21.8% margin when I joined in 2019 -- 2018, and we're back to a 22% operating margin. We've done a huge sort of resetting of the company investment cycle. I see no reason why we couldn't do similar things in the next three to five years of our company, especially now where we believe there is operating leverage at the scale that we have, which is what we're guiding to from a margin perspective.

And our free cash flow margins are healthy. As interest rates [indiscernible] right, and started getting 5% or 6%, that's an uplift to free cash flow margins because we have $6 billion of cash on our balance sheet. We generate north of $2.5 billion of cash a year. So okay…

Trevor Walsh

Awesome. Questions for Mr. Arora.

Nikesh Arora

Great. There's a sale before 1:00 o'clock. You can buy a lot of stock, just kidding.

Unidentified Analyst

So which products does the SOC, XSIAM typically displays and within the [indiscernible] more security or IT use cases?

Nikesh Arora

It's only security. So the product that XSIAM over time should replace your data lakes, in your SoC because people collect a lot of data to be able to post-breach analysis. We normally allow you to ingest data into exome like you would with any other large data lake. We can ingest 400, 500 security vendors worth the data. But on top of that, we normalize that data to allow it to be AI ready.

And then we have a bunch of AI layers that sit on top, but we just launched something last week called ITDR for identity threats. We ingest on identity data in there. We can analyze that against your firewalls, against your endpoints. We have other endpoint-related analytics that we're going to run on it, and it also can replace your SIEM. So it's a full unsecured use case. It's the next-generation SIEM tool. That's what we call it XSIAM but has embedded automation in it, so you can actually automate away some of the alerts that you get. So you can keep it.

Look, the fundamental problem in security has been you collected a lot of data, a lot of alerts. We used to get 67,000 horsepower of networks. And the or sought would get a prioritization saying, these are the important ones to pay attention to these Guess what, the bad actors know how we prioritize these like, "I want to slide in from the bottom."

So we took a point of view of saying, oh, 67,000 have to vanish. You have to solve all of them. You can't solve 67,000 alerts. So with our product, which we started using internally first, we eliminated 50x the alerts by cross-correlating data between endpoints and firewalls.

Then we cut it down another 8x by automating. So we're down to 137 events at Palo Alto a week, which we have four people analyzed. But that gives us 0 exceptions. If you run a SOC with exceptions, the bad guys will figure it out. You have to run a SOC with 0 exceptions.

That is why we think it's an inflection point in the way SOCs need to be managed. That's why I'm excited about it. Again, I don't want to get ahead of my skids. It's been 4 months, we're still building the product. We're 70%, 80% there, but [indiscernible] a new paradigm that is needed in the SOC.

Unidentified Analyst

Can you talk about how XSIAM is [indiscernible] to driving XDR adoption?

Nikesh Arora

Yes. Look, one out of the 14 customers looked at our products, I really like your XSIAM product, but can you make it work in my endpoint agent.

I said, our endpoint agent collects 200 megabytes of data per day. If I use your existing endpoint, I get 5 megabytes of data from them. I don't have enough data to cross-coat everything else. So my product is not going to be as effective as if I was to go with an end point -- so that customer ended up buying XDR first, deploying it to be ready for XSIAM, right? Because for the first time, we're trying to give an outcome-based orientation and saying, I can reduce your cycle time from days to minutes. What do I need to do?

Unidentified Analyst

[Question Inaudible]

Nikesh Arora

Yes, look, when I mentioned when 2018, our operating margins were 21.8%, and we took them down to the 17% in 2020. And part of that was we had to reinvest in the company because we had technical debt we hadn't paid. Our R&D costs, our R&D proportions were off because we were not investing in XDr, not investing in SASE.

And then when you invest and you have no revenue, then you're in a situation where your cost base goes out of whack. Today, after 4 years, we built a north of $1 billion TCV business SASE, cloud and XDR in the next 12 to 18 months, which are all going to start. And you know what, TCV is ahead of revenue.

So our revenue waterfall from these products is kicking in at high growth rates, which is allowing us our costs to start getting amortized much easier across these numbers. That's kind of like one, is a pure math outcome. Two is, yes, the environment has helped because one year ago, at a similar conference not too far from here, I was being asked, -- there's this huge crazy thing where it's very hard to retain people. What are you doing? Are you going to spend more money for attention?

There's people who are being posted by every other company, why are you going to increase your wage budgets? Today, it doesn't seem as a problem. I can retain my people, my attrition is down. People are happy working at Palo Alto. We haven't gone through a big rightsizing as many of the companies in the tech space. So this is a better time as an employer than we had 12 months ago, which allows you to be a bit more rational and say, "Listen, can you get this project done with four people instead of six? And I say, yes, I can get it done. Just don't ask me to take to out. So it's a different environment.

Unidentified Analyst

You want a glib answer or real one? The glib answer is the customer. If the customer doesn't want my product and they're a public company, then I'm a deep ship, so that is my biggest competitor. The customer says, you're not the right person. I'll go get it done myself.

On a more serious note, I think I peel back from a macro perspective, as I said, there are very few single swim lane cybersecurity companies that have survived cycles, whether it's endpoint or whether it's firewalls. And they eventually plateau. They are $10 billion to $15 billion company to end up being operating margin cash flow companies, which, over time, lose their competitive edge and innovation edge.

So that's one part of it. Now having said that, we've showed the market there as reinvention possible. There are still some new wage companies out there in the security space, which would definitely evolve and getting multiple subline. So there is hope that there will be two or three other people out there. SASE, Zscaler is a formidable competitor, CrowdStrike is a formidable competitor in the XDR and SoC space. Fortinet's a formidable competitor in the firewall business, but none of them have the other two pieces.

I think the other one out there is Microsoft. They are very good at what they do. They have a large established base on identity. They have large tables based on endpoints. So -- and they're active in the security space. And by most accounts actually have a bigger revenue number than most of us.

Trevor Walsh

Maybe one more. Yes, sir.

Unidentified Analyst

[Question Inaudible]

Nikesh Arora

So we have a solution for IoT OT or we take a slightly different tack. Our tack is we have 61,000 firewall customers. Every IoT OT device, we see the traffic on the network. We identify the traffic on the network, and we segment them away. So they don't get interfere with the core IT network.

Our approach is that we don't think you need to go deploy yet another sense. But the biggest problem of security is that -- everybody who wants to deploy good security says, please deploy my sensor. Every time you deploy one more sensor in the infrastructure, you're introducing another vendor into your infrastructure and you've got to understand their alerts, understand how they work.

We're seeing you don't need a new sensor. You can use our existing sensor of the firewall, you can go use another pane of glass in our PAN-OS and you can do that from an IoT OT perspective. So we have a slightly alternate view. Look, there's a lot of billion-dollar unicorns in security that are out there. Now at the end of the day, the question is when do they become profitable? When did it become companies that are formidable.

I think IoT OT will be a narrow swim lane. And I think eventually, it's a feature of large security enterprise operations as opposed to big enough for themselves, but what do I know?

Trevor Walsh

Great. I think that's all we have time for. I want to thank you Nikesh for being with us. This has been terrific. So thank you, and have a rest of the week.

Nikesh Arora

Thank you, guys.