CyberArk Software Ltd. (NASDAQ:CYBR) Q2 2024 Earnings Call Transcript August 8, 2024

Operator: Good morning, and welcome to the Second Quarter 2024 CyberArk Software Earnings Conference Call. All lines have been placed on mute to prevent any background noise. After the speaker’s remarks, there will be a question-and-answer session. [Operator Instructions] I would now like to turn the call over to Sri Anantha, Vice President, Investor Relations. Please go ahead.

Srinivas Anantha: Thank you, operator. Good morning. Thank you for joining us today to review CyberArk’s second quarter 2024 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer; and Josh Siegel, our Chief Financial Officer. After prepared remarks, we will open up the call to a question-and-answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements which reflect management’s best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our projected results of operations for the third quarter full year 2024 and beyond. I also refer to our expectations and beliefs regarding our proposed acquisition of Venafi.

Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company’s annual report on Form 20-F filed with the U.S. Securities and Exchange Commission and those referenced in today’s press release that are posted to CyberArk’s website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliation to the most directly comparable GAAP financial measures are also available in today’s press release, as well as in an updated investor presentation that outlines the financial discussion in today’s call.

A webcast of today’s call is also available on our website in the IR section. With that, I would like to turn the call over to our CEO, Matt Cohen.

Matt Cohen: Thanks, Sri. And thanks, everyone for joining the call today. We started the year with a clear vision and strategy to strengthen our position as the identity security company. In the second quarter, we executed against this strategy exceptionally, and the results exceeded expectations with momentum continuing to build across all aspects of our business. After a strong first half of the year and with our proposed acquisition of Venafi in the second half on track, we are well positioned to extend our leadership across all identity use cases with our industry-leading platform and solutions. More on Venafi later, but first, a few highlights from our strong second quarter. Net new subscription ARR was $56 million. That’s a record outside of our seasonally strong fourth quarter.

Subscription ARR of $677 million grew 50% year-over-year. Total ARR of $868 million grew 33% year-over-year. And our Q2 results significantly exceeded guidance across revenue, operating income, and EPS. We delivered record total revenue of $224.7 million, growing 28% year-over-year. Non-GAAP operating income came in at $23.7 million, highlighting the operating leverage in our business model. Non-GAAP earnings per share was $0.54, and we are pleased to report $41.7 million in free cash flow or a 19% free cash flow margin for the quarter. Another proof point of the subscription flywheel effect and the power of our business model. We are incredibly proud to be among an elite class of software companies that delivered faster than 30% ARR growth, increased net new ARR year-over-year, and drove meaningful upside in profitability and free cash flow.

That’s a testament to our relentless focus on driving profitable growth, our expanded position as the leader in identity security, and the unique value proposition of our unified identity security platform, solving clear and present needs for the CISOs around the world. The strength of our results and business momentum gives us the confidence to raise our guidance for the full year 2024 on all metrics, which Josh will discuss later. Today CISOs recognize that traditional methods of securing identity no longer work. Three forces, new identities, new environments, and new attack methods, are fundamentally redefining the market. The modern enterprise has to secure four different types of identities or personas, with each one having unique challenges and levels of complexity.

The four groups are workforce, IT, developers, and machines. These identity groups are increasingly accessing heterogeneous targets located on-prem and in hybrid and multi-cloud environments, meaning, security has moved from perimeter-based to identity-centric. Given this complexity, it’s no surprise that in today’s threat landscape, all roads lead back to identity. Last year, 93% of organizations were victims of an identity-related cyberattack, and nearly all of them more than once. As I talk with customers and experts around the world, it’s evident that a new paradigm for securing identity is required. This new paradigm centers around our fundamental vision that every identity, human and machine, needs to be secured with the right level of privileged controls.

CyberArk’s unified end-to-end platform is the only one to deliver on this vision. Increasingly, this is resonating with customers and it’s driving tremendous business momentum and fueling our growth. In Q2, the strength of our platform and land and expand execution resulted in strong close rates and robust pipeline build. Customers are allocating significant portions of their budget to identity security, consolidating spend and most importantly consolidating trust with CyberArk. As an example of all these factors coming together, we can look at a strategic customer [ProDesk] (ph). Less than a year ago, the International Government Agency landed as a new logo with a seven-figure deal that secured IT users with PAM, workforce identities with Identity and EPM, and machines with Secrets Management.

Since then, they have grown with CyberArk, and this quarter, they further expanded their workforce protection with another seven-figure ACV deal. The deep relationship we have formed with [ProDesk] (ph) and the speed of expansion after initial land shows the power of our identity security platform and how it is well aligned with what great organizations like ProDesk need to do to be secure. As the scope of PAM programs continues to expand to include shadow IT, database and cloud administrators, as well as high risk workforce users, we are continuing to help our customers modernize their identity security programs with broader, more agile privilege controls across these personas. In a rip and replace new logo win, a leading biotechnology company signed a six-figure deal to replace a competing PAM vendor.

CyberArk’s comprehensive identity security platform was a key differentiating factor as the customer wanted to modernize not just the protection of the IT user with Privilege Cloud, but also enhance security for their workforce with Workforce Password Manager and protect machine identities with Secrets Management. Every organization today has a substantial and rapidly growing developer population. In the pursuit of speed and efficiency, developers are often afforded always-on privileges with only light, if any, security in place. Here, too, we have to shift the paradigm to one of security first, without interfering with the developer’s pace of innovation. At the foundation of our developer solution is our Secure Cloud Access or SCA functionality.

SCA applies the principle of least privilege access to developers, data scientists, and cloud engineers, while allowing them to work natively and efficiently without having to change the preferred workflow. In the second quarter, we continue to see strong traction with this offer. In a deal that included SCA and Privilege Cloud, leading enterprise software company SAP saw standing access just in time access and zero standing privilege from a unified solution as the key differentiator for choosing CyberArk. With SCA, they can now seamlessly enable a zero-standing privilege approach, while fully securing their modern cloud environments. On the spectrum of identities, the need to do things differently is especially top of mind for securing workforce users.

Each workforce identity is more powerful today than ever before and can become privileged throughout the workday. Traditional SSO and MFA functionality on their own don’t provide the security needed, as evidenced in many high-profile breaches. In the second quarter, our workforce solution was once again one of the strongest performers because we are solving this critical customer problem. We reimagined workforce identity by wrapping MFA and SSO with more controls that secure web sessions, the browser, and manage passwords. In addition, workforce protection extends to the endpoint with Endpoint Privilege Manager. The following two deals showcase the power of bringing privilege controls to the workforce. A US financial services company who is a longtime CyberArk PAM customer had a need to keep its workforce more secure by managing passwords.

With [double EPM] (ph) they can now do exactly that. The ability to add secure browser and secure web sessions on top of their existing vendors, SSO and MFA, means they can also benefit from the additional security layer of CyberArk’s broader access suite that’s integrated within our platform. In a different example of the importance of least privilege at the endpoint when securing the workforce, a major aviation company chose to protect their workforce workstations by implementing our EPM solution. Choosing to deploy EPM with our FedRAMP High certification, they landed with a high six-figure deal that closed through the AWS Marketplace. In machine identity, we had an outstanding quarter, and our momentum continues to build. Underpinning our current machine identity solution, our Conjur Cloud and Secrets Hub, which when combined, empower the developer with agility and security within their native workflow.

In one outstanding deal from the quarter, a major airline, who is a longstanding CyberArk customer, recognized the need to move its secrets management strategy within the security team’s remit. We quickly demonstrated the value of CyberArk Secrets Hub, resulting in a mid-six-figure ACV deal. We believe that the market for protecting machine identities is inflecting. And we have increasingly heard from customers that there’s an urgent need to protect all machine identities. Machine identities themselves are growing exponentially due to the increase in cloud computing and the rise of AI. The machine identity landscape is also becoming more complex with increasing regulatory scrutiny and emerging standards like Google’s guidance to rotate certificates every 90 days.

All of this is happening as machine identities are increasingly targeted by adversaries as a weak point in organizational security controls. We are very excited to be building out and expanding our leadership position in machine identities with the pending acquisition of Venafi, which is undergoing regulatory review. All machine identities need to be discovered, secured, managed, and automated to keep their connections and communication safe. Venafi’s machine identity management solutions are complementary to CyberArk with no technology overlap. We believe that by combining our Secrets Management with Venafi’s modern machine identity management, certificate lifecycle management, and SSH Key Management, we will set a new standard for end-to-end machine identity security.

As you can see from these deal examples, our platform provides the ability to land in multiple spots and with multiple products. In the second quarter, we signed 245 new logos, and approximately half of these new logos landed with two or more solutions. In other words, customers are protecting multiple types of identities with CyberArk from day one. In addition, we had a strong quarter of expansion within our base across all our solutions, but machine identities with secrets management and workforce identities with our access offerings were particularly strong. At IMPACT, our marquee customer event held in May, attendance was up more than 25% compared to last year. We showcased that we are the frontrunner in innovation and are expanding the capabilities of our identity security platform, all serving our fundamental vision of securing every identity, human or machine, with the right level of privilege controls.

We announced exciting product innovations across the whole portfolio, but I want to highlight two of them here, CORA AI and ITDR. CyberArk’s CORA AI provides identity security focused artificial intelligence embedded within our identity security platform. Our unique data set on the behavior of all identities enables CORA AI to do more and ultimately effectively analyze sessions, detect threats, and recommend action. In addition, user and admin lives are made easier and adoption is faster with an identity security assistant that understands natural language. This will fundamentally transform how users interact with our platform, significantly reducing the time it takes to deliver critical information and analysis. Identity threat detection and response or ITDR is sometimes discussed as a separate market or product.

We at CyberArk believe ITDR capabilities need to be part of a broader platform. They should not just be about monitoring the vendor’s infrastructure or limited to active directory, they need to look across all identities to detect identity risk, and then be able to take automated response before damage is done. Our ITDR capabilities powered by CORA AI will detect and identify risky behavior, anomalous use of secrets, and much more. The powerful combination of CORA AI and ITDR enhances security, improves resiliency, drives increased productivity, and enhances engagement with our platform. In summary, I want to leave you with the following takeaways from today’s: First, momentum continues to accelerate in our business. Identity security is a top priority for CISOs and customers are consolidating spend with CyberArk; Second, our solution selling is increasing our momentum in the market.

Applying the right level of privilege controls to every identity is a security imperative that is recognized by boards, by the C-suite, security teams, and increasingly by operations and developers; Third, we are leading the charge when it comes to thought leadership and execution in the identity security space. Our ongoing innovation and pending acquisition of Venafi will further extend our leadership position and competitive moat and help further solidify our position as the identity security company. And lastly, we are executing. Deals are progressing at a faster pace and our close rates remain strong. A clear testament to the fact that customers are allocating budgets to identity security. Momentum continues to build across our entire business and the strength of our platform is driving our outstanding results.

With our 28% revenue growth and our 19% free cash flow margin, we were a solid Rule of 40 company in Q2. I’ll now turn the call over to Josh, who will talk about our strong financial results and the increase in our yearly guidance.

Josh Siegel: Thanks, Matt. Q2 was another strong quarter for CyberArk. Once again, we exceeded our guidance across all metrics, highlighting our strong execution and durable demand for our identity security platform. We delivered strong net new ARR growth, 245 new logos, solid top line growth, and our subscription flywheel is helping us drive robust operating leverage and healthy free cash flow. Now, moving into the results. Total revenue grew 28% year-on-year, reaching $224.7 million and exceeded the top end of our guidance range. Annual recurring revenue reached $868 million, that’s growing 33% year-on-year with $57 million in total net new ARR. As expected, SaaS made up a larger share of our bookings in the second quarter compared to the year ago period from last year.

Subscription ARR grew 50% and reached $677 million and is now 78% of total ARR. We added $56 million in net new subscription ARR, that’s an increase from the $49 million in the second quarter last year and a record for any non-Q4 quarter. Maintenance ARR was $191 million. Like-for-like conversion activity still represents a single-digit percent of our year-on-year ARR growth. Our business continues to benefit from the momentum we are seeing in upselling and cross-selling new solutions across our platform, which is a significant factor in our strong growth. In the second quarter, the cohort of customers with more than $100,000 in ARR grew to nearly 1,900 and the cohort with ARR of more than $500,000 is now over 340 customers that grew 38% year-on-year.

Moving into the details of the revenue lines for the second quarter. Recurring revenue reached $208 million, growing 32% year-on-year and accounting for 93% of total revenue, continuing to go up from the 90% in the second quarter last year. Subscription revenue was $158.4 million, growing 49% year-on-year and representing 70% of total revenue. Maintenance and professional services revenue was $62.7 million. Of that, recurring maintenance revenue was $49.6 million compared to $51.6 million in the year ago period, and our maintenance renewal rates remained strong and in line with historic levels. Professional services revenue was [$2.1] (ph) million. From a geographic perspective, all regions showed healthy growth. Americas was $129.2 million, growing 21% year-on-year.

EMEA revenue was $69.9 million, up 39% year-on-year and APJ revenue was $25.6 million, growing 40% year-on-year. All P&L items now will be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release. Second quarter gross margin, gross profit was $186.9 million or 83.2% gross margin, that’s up from 81.5% in the second quarter last year. In the second quarter, our operating income was $23.7 million or 10.6% operating margin, also up compared to the operating loss of $5.6 million in the second quarter of last year. The significant improvement from the year ago period highlights the inherent operating leverage of our business model. Net income came in at $26.1 million or $0.54 per diluted share, also significantly outperforming our guidance and up from earnings per share of $0.03 in the year ago period.

We ended June with 3,200 employees worldwide, including about 1,370 in sales and marketing. We are pleased to deliver another strong quarter of free cash flow, which was $41.7 million in the second quarter, as compared to a negative $12.6 million in the second quarter of last year. That means, we have delivered $108 million in free cash flow in the first six months of the year. That’s well ahead of our expectations. We believe this is a clear demonstration of the inherent cash flow potential in our recurring revenue model. Before going into guidance, I want to briefly touch on our proposed Venafi acquisition, which is still expected to close in the second half of 2024. As we noted previously, Venafi had approximately $150 million in ARR with more than 550 customers.

Like CyberArk, about 95% of Venafi’s revenue is recurring adding to our durable subscription revenue model. Importantly, we expect Venafi to be immediately accretive to non-GAAP margins. It’s rare to find an acquisition opportunity that meets both strategic and financial objectives. We’re confident with Venafi, we did exactly that. Now, let’s turn to our guidance. For the third quarter of 2024, we expect total revenue of $230 million to $236 million, which represents 22% year-on-year growth at the midpoint. We expect non-GAAP operating income in the range of $20.5 million to $25.5 million for the third quarter. We expect our non-GAAP EPS to be in the range of $0.38 to $0.49 per diluted share. Our guidance also assumes 48.2 million weighted average diluted shares and about $12 million in taxes.

For the full year 2024, we are increasing our guidance across all our metrics. We now expect total revenue in the range of $932 million to $942 million, representing 25% year-on-year growth at the midpoint of the range. As we look at our pipeline for the remainder of the year, SaaS continues to be expected to lead the way. Reflecting the power of our subscription model and our continued commitment to driving operating leverage, we are increasing our full year operating income to a range of $107.5 million to $116.5 million. We expect our non-GAAP earnings per share to be between $2.17 and $2.36 per diluted share. We expect about 48.2 million weighted average diluted shares and about $53 million in taxes for the full year 2024. We are also raising our annual recurring revenue to a range of $985 million to $995 million at December 31, 2024, or about 28% year-on-year growth at the midpoint.

We are significantly increasing our free cash flow guidance for the full year to a range of $145 million to $155 million that will represent 16% free cash flow margin at the midpoint. I want to note that our guidance for the third quarter and full year 2024 does not include contribution from the proposed acquisition of Venafi. We will update our guidance for the Venafi acquisition in the first quarterly earnings call after we closed the transaction. To sum up, we are thrilled to report another strong quarter to finish out a strong first half of the year and confidently raise our guidance. We are pleased with the progress we have made towards closing the Venafi acquisition and look forward to the industry leader joining CyberArk later this year.

With reporting now, the 33% ARR growth, 11% operating margin, 19% free cash flow margin, we are firing on all cylinders. Identity security is a top priority for CISOs, and our platform is a clear industry leader, delivering tremendous value for our customers. And I will now turn the call over to the operator for Q&A. Operator?

Q&A Session

Operator: Thank you. [Operator Instructions] Your first question comes from the line of Saket Kalia with Barclays. Please go ahead.

Saket Kalia: Okay, great. Hey, good morning, guys. Thanks for taking my questions here, and congrats on the strong execution.

Matt Cohen: Thanks, Saket. We appreciate it.

Saket Kalia: Absolutely. Matt, maybe just to start with you. I think we all understand CyberArk’s sort of undeniable leadership, right, in the PAM market. But I was wondering if you could just talk about how you feel like you’re differentiating in areas like workforce identity and Secrets Management. Because during your prepared remarks, it just sounds like there’s a lot more functionality that you could offer in at least those two areas versus competitors, but just wanted to hear how you think about that.

Matt Cohen: Thanks, Saket. I actually love that question. I might spend a little bit more time on answering it because, I think it’s core to kind of our growth strategy here is our ability to be able to differentiate on those two pillars versus the market competitors. So if we start with securing the workforce, and you’ve heard me say this before, but we really have taken a stance that we need to reimagine how we secure workforce identities. And for a long time now, we’ve been securing the workforce, the general workforce with single sign-on and multifactor authentication. And those are really important core security controls, and we offer it and the competitors offer it. But the reality is, in this breach environment, we need to go beyond those basic security controls.

We need to do things like extra security when a high-risk user is accessing the increasing number of SaaS applications. That’s our secure web sessions. And the idea there is, a normal user who’s going through their daily work, they can look like a regular user when they’re accessing certain applications. But if you’re the admin in HR accessing the Workday system, you’re actually a high-risk privileged user every time you go into that SaaS tool. And so we need to be able to wrap extra security controls for those use cases. We add in our secure browser. The idea of really enterprise-grade security browsing for these users so that we can tie in things like cookieless browsing. We can have the ability to be able to monitor sessions. The idea of Workforce Password Manager, which we heard talk about in the release.

So these ideas together into one integrated solution puts our package, our solution versus the competitors, and the customers are increasingly saying, “wait, I can get that, why wouldn’t I go with that because we need to think about how we substantiate a better security posture for the workforce”. So we are having a higher win rate. We are seeing strong growth on the workforce side, and you hear the excitement as I’m describing it. It’s a similar story over on the machine side. I’d say it’s a story that’s even going to get better post Venafi acquisition. But here, we’re talking about the idea of how do we get control across the broad spectrum of machine identities that sit out there. And we can be talking about legacy applications that are still sitting in the data center.

We can be talking about modern container-based applications coming out of the developer group. We can even be talking about the idea of the micro services or the workloads that sit underneath all these modern applications. They all have identities. And we need to be able to make sure that we can discover them, we can secure them and we can manage them. But we have to do it in a way that naive to the workflow of the people who are actually building these applications in our combination of Conjur Cloud and Secrets Hub allows us to differentiate both the ability to offer a full-scale solution like Conjur Cloud, but also to be able to add or layer on top of the secret stores that sit within the hyperscalers, AWS, Microsoft, Google, so that the developers can actually choose what tools they want to use, but security can layer the right controls on top.

And you heard that in the example I used in the script of the airline who basically made a decision that machine identity security was going to be under the control of the security team. And the minute that decision was made, CyberArk became the only choice. So, I think this is what we’re seeing out there in the market. And as we think about Venafi and the expanding opportunity to actually go after certificates and other forms of machine identity, we just see a long runway of growth ahead of us.

Saket Kalia: That makes a ton of sense. Josh, maybe for my follow-up for you. The inflection in free cash flow is just great to see. I know that billings isn’t a metric that we’ve really focused on much in the past, but I’m just wondering, is that sort of flywheel with subscription renewals grows, how do you sort of think about when that metric becomes more meaningful?

Josh Siegel: Yes. Hi, Saket. Thanks. First of all, you’re right. We’re really excited with the free cash flow that we generated not only in Q2, but really for the whole first half of the year. And also excited that we’re able to continue to raise the guidance significantly for the full year, and it’s really based off of the factors around just really strong renewal rates, strong bookings as well. And I think when we think about billings, one of the things that — is the reason why we’ve always kind of shied away is the noise that comes from the maintenance piece of the component within the deferred revenue for — that goes into the billings calculation. So I think to the extent that when ARR for the maintenance goes down dramatically, and we become where everything around the ARR growth and the deferred revenue is focused on the subscription SaaS.

I think that’s where billings becomes a lot — more of a clear predictor or an indicator of the growth in the business, and that’s why we’re still really focused today on our ARR growth, which is really the strongest indicator because it kind of helps to wash out any impact from the tail of our transition out of the perpetual business model.

Saket Kalia: It makes ton of sense. Thanks, guys.

Operator: Your next question comes from the line of Jonathan Ho with William Blair. Please go ahead.

Jonathan Ho: Hi, good morning. Matt, can you maybe give us a little bit of additional commentary on how your platform vision is resonating with customers? And are you perhaps seeing channel partners start to bring you more into these types of deals as well?

Matt Cohen: Yes. Hi, Jonathan. So absolutely. I mean I think the platform is the very foundation of our ability to do solution selling. And it’s the combination of both that is actually differentiating us in the market. So, we come to the customers, and we’re talking about these four personas, these four identity groups, workforce, IT, developers and machines. And then we’re talking about this vision, which is the idea to be able to secure every identity with the right level of privilege controls. The only way that that’s possible is with an integrated platform with the ability to be able to understand the behaviors of each identity group and apply the right level of controls, we call that intelligent privilege controls based upon what behaviors we’re seeing, what the user is trying to do, what the target they’re trying to access.

And so, we’re not even into the discussion yet around the particular technologies that we offer. I’m talking about a high-level vision with customers about this ability to be able to expand across all their identity groups. That introduces the notion of the how. Well, how do we do that? We do that with one integrated platform, one user experience, one ability to be able to run unified audit and unified reporting. And absolutely, that is not only resonating with customers, but I think it’s the backbone of the relationship. Because even if a customer decides, you know what, you’re the PAM leader. I want to get started with securing IT, they feel future proof. They feel safe in the relationship because they know they can expand off of one platform into those other identity groups when the time comes.

Now of course, as we mentioned, about half of our new logos land with more than one solution, more than one identity group because customers actually from the get-go want to get started with leveraging more and more of the platform. So I do think it’s fundamental to our strategy, and it’s fundamental actually to the elevation of our relationships with our customers as we map out their long-term identity security strategy.

Jonathan Ho: Got it. And then just in terms of a quick follow-up. When we look at the strength in the free cash flow margins this quarter, I mean, is this sort of the new normal level? Or should we expect there to be additional leverage just given the strength in your performance? Thank you.

Josh Siegel: Yes. Thanks, Jonathan. So I think we guided and increased our guide for the full year. So that’s the expectation going to the back half of the year. But I do think that what the cash flow from the second quarter and also from the first quarter indicators that, yes, we do have a lot of leverage in our model to be able to continuously increase our cash flow margin, our free cash flow margin against revenue going forward, and we anticipate doing that in the years to come.

Jonathan Ho: Thank you.

Operator: Your next question comes from the line of Madeline Brooks with Bank of America. Please go ahead.

Madeline Brooks: Great. Thanks for taking my questions and nice performance of course. Just two quick ones from me. First of all, Matt, in your prepared remarks you called out some nice wins. And I just wanted to double click on those. I’m trying to understand that or I guess, confirm with you that second quarter was really driven by a host of different deals versus one or two really oversized large ones. And then second question for me, both for Matt as well as for Josh is just getting an update on some of those other business metrics. And you mentioned over 50% are landing with two or more solutions. So how should we think about growth in just core PAM versus the other areas in your portfolio? And additionally, if you could just touch on any type of NRR type of a metric. I know last time you spoke, I think it was still trending above [125%] (ph). So if we could just kind of get an indication of where it is now, that would be helpful. Thanks so much.

Matt Cohen: [Technical Difficulty] make up from the top 10 deals as a percent of our overall bookings. And we continue to see a really strong breadth of business across all our markets actually driving our results. So it’s a great indication actually of the strength of the business when we look under the covers from that perspective. I think when you think about the metrics that we’re seeing out there, I think we’re continuing to feel — we feel good about all of them. I think when we think about our new logo lands, we were really happy with that. So yes, the multiple solution lands. But just in general, getting to 245 new logos in this economy, it feels like a strong landing spot for us, and we continue to plant seeds across the board, and we plant seeds across the board across all of the product lines.

And I think that’s the other kind of underlying message. We’ve talked about this mix or this pie for a while, and the pie continues to maintain in the consistent kind of slices as we’ve seen in prior quarters. And the reason for that is that PAM continues to grow. So our newer areas obviously are growing faster, and they’re performing well. But the core PAM business itself from an ARR perspective continues to grow. And so the overall shifting of the underlying pie doesn’t change all that much. Which is where you want to be, right? You want your core business to continue to perform and you want your emerging businesses to perform even better, but not catch up so much because you have any weakness in your core. And so this is what we’re seeing.

I think we’re still too early to really talk about NRR as a number out there. We want to get through some more cycles. So it’s actually not a number that we’ve disclosed out there. But I think we feel very strong in our ability to be able to harvest deals within our base, and we see really strong expansion within that base.

Madeline Brooks: Thanks so much.

Operator: Your next question comes from the line of Rob Owens from Piper Sandler. Please go ahead.

Rob Owens: Yes. Thanks for taking my question this morning. And Matt, you’re coming in at the tail end of earnings and your call sounds quite different than pretty much what we’ve heard out there. And so, I want to drill down a little bit into that relative to — is there a sense of urgency you’re finding from companies or customers, excuse me. I mean your new logo count is up, few companies have had the net new ARR growth in the first half that you guys have. So, is it just all coming together at this point? Or is there some sense of urgency, because the economy has been relatively uneven or flat at best for most?

Matt Cohen: Yes, Rob, it’s a good question. And I think is indicative of what we’re seeing out there. So let’s break down again what the landscape looks like. At the moment in time, the threat vectors, the adversaries out there, it continues to elevate, right? And so the breach environment, the risk environment increases. And CISOs and security teams are under a tremendous amount of pressure. And within that construct, they’re asked by their Boards, by their C-suite to focus in on what’s most important, what’s most likely to reduce risk, and that’s the ability to actually secure environments. And then, frankly, also what’s most likely to help them be resilient if risk materializes. And we, within the identity security space as a whole and as the leader in identity security are just at the forefront of those conversations.

Because ultimately, the CISOs prioritize identity security at the top of the list. So the answer of what they can do to reduce risk is, implement core controls, implement privilege controls, understand how to protect the workforce more securely than just MFA, SSO. Go and attack the machine identity environment has been neglected for years, expand out or modernize how we secure IT to make sure that we’re not just doing the basics, but we’re moving beyond that to actually, for example, secure access to VMs into cloud. And so, all of that then becomes a conversation with us and the customer about, all right, how do we move and how fast can we move? Our partners get it, so they’re pushing it harder. So we become a top priority for our partner ecosystem.

And ultimately, it materializes in the results that we see. I think independent of macros and independent of other factors out there and uncertainty, ultimately, security teams have a mission, and it’s the same mission of ours, which is to secure their environments, to protect their organization and their digital transformations. And I think we’re just top of mind for that and then we’re able to go deliver and we see that in the results, and we see it even in the outlooks of what we see in the pipe moving forward.

Rob Owens: Thanks for your commentary there. Josh, just a quick one on free cash flow margin. If I look on a trailing 12-month basis, you’re closer to about 20%. Historically, the shape of free cash flow in any given year is a little more second half weighted, if not, even throughout the year. So is there something unique in this year relative to that second half? Because I think guiding to roughly 16.5% cash flow margin at the high end of the range, which is actually below your TTM numbers? Thanks.

Josh Siegel: Yes. Thanks, Rob. So when we look at the guidance for the full year that we raised, I think, by $30 million, but we’re still handicapping, so to speak, for the impact of the Venafi transaction, of the investment that we’re doing today around it and related costs. We’re also taking into consideration potential rate cuts in the second half that could be significant on the interest income. And third, I would say that there’s consideration of tax obligations in the second half. So when we kind of think about that and we — obviously, we’re much more bullish on our free cash flow this year than we had started out in February. And we were glad that we were able to still increase the guidance for the full year, but we did consider some of these other factors about — to the extent that we increased our guidance.

Rob Owens: Thank you.

Operator: Your next question comes from the line of Shaul Eyal with TD Cowen. Please go ahead.

Shaul Eyal: Thank you. Good morning, good afternoon, guys. Congrats on the ongoing consistent execution. Guys, any views on how the public — any views on how the public vertical has performed this quarter? Maybe just a word about linearity trends during the quarter and maybe how it’s been performing during the month of July? Thank you.

Matt Cohen: Sure. I’ll take that. So I think we’ve talked about this before, but as the nature of our solutions have become more mission-critical, we’ve seen kind of more even distribution in our federal government space, kind of across the board. And so, we don’t generally see a huge tick up. We actually are seeing just good solid behavior across government, global government, across [SLED] (ph) and state and local, which is a growth area for us. And so, I think we’re happy with our performance overall. We expect it to continue, but I wouldn’t say there was any outsized differences in the quarter. And frankly, I don’t think there’ll be any outsized differences in the quarter to come. I think we’re just going to continue to see strong growth. I think our global government vertical represents about 10% of our overall ARR. And I think we continue to see that perform well.

Shaul Eyal: Any views about linearity trends?

Matt Cohen: Across the entire business, we continue to see — we see our normal hockey stick. So we are always back-end loaded in the quarter. We saw Q2 perform kind of consistent with normal Q2s. I would say we’ve had a strong start to Q3 here. So we’re feeling pretty good. But I haven’t quite solved the quarterly hockey stick, it’s one thing yet to be solved here at CyberArk.

Shaul Eyal: Thank you so much.

Operator: Your next question comes from the line of John Difucci with Guggenheim. Please go ahead.

John Difucci: Thank you. I’d like to follow up to Rob’s question because the results here, as everyone is saying here, is they’re impressive. It’s — but it’s not only meant that CISOs that identify — that have said, hey, identity is a priority here. But it’s also cyber insurance companies. I know that you and I have talked about this a lot in the past. But I’m just curious, are you seeing sort of any uptick in at least conversations around cyber insurance or demand? Because to Rob’s point, having new logos grow year-over-year for the first time in 1.5 years, in this quarter in this IT spending environment is not only impressive, it’s also very unique. Like you spoke about the origin and the strength of the CISOs, they’ve recognized they really need to protect identities in a more robust way.

But what’s the tactical catalyst to that happening other than some of the, I guess, breaches we’ve heard about out there. Is — are you — is cyber insurance — to get cyber insurance at a decent price, you have to have PAM, and is that part of what’s driving this sort of uniqueness?

Matt Cohen: Yes. Listen, I think we’ve talked about it, cyber insurance is a nice tailwind for us and absolutely the cyber insurers as they’ve kind of perfected their models, look at core security controls that need to be in place. And PAM is there. By the way, EPM is increasingly there. You see them starting to move over and look at the machine identity space given the threat vector there. For sure, MFA, SSO has always been there. So, I think cyber insurance is a nice tailwind. And you kind of started to hit on other factors. And what I would tell you is, there’s a lot of tailwinds. The regulatory environment is a tailwind for us. We’re talking about DORA regulations in Europe or SEC regulations here in the U.S. they create an awareness of what is most important to go do.

Cyber insurers, as you just talked about, create an awareness of what’s most important to go do. You mentioned the breach environment. And increasingly, we’re seeing both customers and even the IR firms making sure that the first thing they go do or recommend is come talk to us, and we see kind of post breach deals picking up coming our way from a CyberArk perspective. So I think across the board, the tailwinds that support the fundamental thesis that I gave, Rob, which is, we’re top of mind and we’re a priority. They all kind of reinforce that point and ultimately lead to stronger results.

John Difucci: Okay. So it sounds like lot of things are happening out there. Okay. Nice job guys. Thank you.

Matt Cohen: Thank you.

Operator: Your next question comes from the line of Joshua Tilton with Wolfe Research. Please go ahead.

Joshua Tilton: Hey, guys. Thanks for taking my questions. Just one for me. Matt, I think you mentioned that win rates were improving on the workforce side. I know you guys talk a lot about how your workforce product portfolio is differentiated because you have some adjacent offerings that just makes SSO and MFA feel more secure. But can you talk to some of the strategic pricing initiatives you’re taking that help make customers not only feel like the product portfolio is differentiated, but they’re just getting much more value from it as well and how that maybe helped driving those improving win rates?

Matt Cohen: Sure. Hi, Josh. So thank you. I think we talked about this a little bit at our Investor Day, but we’ve moved to this solution motion and it’s a really simple concept, right? Which is, we’re pricing per the Persona Group — we’re launching solutions for the Persona Group. So there’s workforce, again, IT, developers and machines. For each one of those personas, we’ve got a kind of standard in an enterprise package. And our goal is to make sure that even the standard package is better than anything you can get from any competitor out there. And obviously, the enterprise takes it one step further. And so, when we think about the workforce side for a second, and you think about our standard workforce solution, certainly our enterprise one, you’re getting a slice of not just MFA, SSO, but you’re getting the first two layers of security of secure web sessions and standard and the second two layers in enterprise.

You’re getting a level of identity management around life cycle management and workflow engine. You’re getting the browser. You’re getting an element of Workforce Password Manager. And so, as you kind of pointed out, in spaces where we’re competing from the, let’s say, challenger position, especially in workforce. We’re not the biggest shark out there, then we’re competing on value in security, and we’re going in with our new solutions, and we’re saying, wait, you really want what they offer for SSO, MFA versus what we offer as a total solution to secure your workforce. And I think that’s resonating. And by the way, it resonates even if the customer doesn’t want to swap out their IDP, their SSO, MFA provider. And I shared that example in the script because it’s an important one which is to say, listen, if you’ve made a choice on Microsoft or even Okta recently, and you don’t want to swap that out, that’s fine.

We can start to wrap our security controls on top of that. We can bring you into our platform and then over time, we can see what happens. And I think that’s what the sales team is feeling energized by, and they’re out there competing not only more effectively, but I think with a lot more confidence.

Joshua Tilton: That makes a lot of sense. And then just maybe a quick follow-up. You — I think also in the prepared remarks, you called out how the lifetime of certificates kind of shrinking to 90 days when it used to be, I think, multiple years. There seems to be a lot of little incremental news headlines of just companies out there losing faith in their incumbent certificate management providers. Are you seeing a rate of change in the demand with which people are realizing that Venafi is a modern solution that can handle these new requirements that the market is impressing upon these companies?

Matt Cohen: Yes. Listen, I think we remain incredibly enthused by the Venafi acquisition. We need to go finish it out, close it and get them on board. But I’m out there talking to customers, our customers really every day. And of course, as you might imagine, I’m discussing machine identities. And we’re talking about this kind of broad end-to-end machine identity landscape. And I just want everybody to try to understand this for a second. For each machine identity, let’s take an application. It can be an application, it can be a bot. It can be an AI-driven bot, it can be an IoT device. But let’s take an application. That application has multiple identities. So that application can have an identity that looks a lot like a user name and password.

We call that a secret. It can also have an identity with its core identifying features, think like the equivalent of a human with their passport or their driver’s license. That’s a certificate. And without the ability to be able to identify themselves through a certificate, they can’t, for example, the application can’t get listed on a website. You can’t get listed in Google. So the idea here is, our end-to-end machine identity goes across all machines. And then within each machine can manage whether it’s the secrets, the credentials, it can manage the certificates these identifying features. It can manage their [indiscernible], modern keys. And our combination of Venafi plus CyberArk allows us to be able to be really the only provider that can do that end-to-end.

Now diving into your question, actually, that was all a long preamble is, when we think about the certificate space, there has been organizations out there that aren’t on the upper tier of the enterprise or aren’t highly regulated, they been able — they thought they could do this themselves. I can create a spreadsheet and track all my certificates, which can be in the thousands or even more. And I can figure out when I need to rotate or issue a new certificate when it expires through an automated script, that’s impractical today. If you are managing more than 5,000 certificates, the idea of doing it manually or through an automated fashion is just not possible. And so, that then triggers real interest in an enterprise-grade certificate life cycle management tool in a modern SaaS environment, which is really what Venafi offers.

And so, I really think we’re at this inflection point where the do-it-myself or do it with some smart people on IT is no longer applicable. So you add that with the total end-to-end story. And that’s why, as you can tell because I’m going on about it, that’s why you can see this idea of, wow, what can we do at CyberArk as the leader in machine identity. And when we close this acquisition and we come back, we’ll talk a little bit more about what that offering looks like and the momentum we’ll see.

Operator: Your next question comes from the line of Fatima Boolani with Citi. Please go ahead.

Fatima Boolani: Hi, good morning. Thank you for taking my questions. Just one from me. Josh, you alluded to maybe bringing down the free cash flow directly in response to some of the things that you might be doing around Venafi. So I’m wondering if you could give us a little bit more detail or maybe a taste of what maybe some of these anticipatory investments or plans or efforts or initiatives might be around Venafi, provided that hasn’t closed yet. But again, anything anticipatory that you’re doing, if you could give us a flavor on. Thank you.

Josh Siegel: Yes, I’ll start and Matt, if you have anything to add. But first of all, I think it’s from my angle, and we’re trying to forecast cash flow, free cash flow for the second half of the year. It’s really more around what are we doing now around PMI for the transaction, the additional investments around making sure that it’s successful, the full integration as well as, of course, related transactional costs that are going to be going into it, whether the dry one of legal and various advisory costs as well. And I also would not — I would want to repeat, there’s also — we took actually consideration of where interest rates are going in the second half of the year, which is also has an impact on the free cash flow. But it’s really the things around related to what we know we’re doing today around direct and indirect costs related to the integration with Venafi.

Operator: Your next question comes from the line of Junaid Siddiqui with Truist Securities. Please go ahead.

Junaid Siddiqui: Great. Thank you for taking my questions. Matt, you’ve talked about the importance of the MSP channel. And have really leaned into it. Could you talk about the traction that you’re seeing in the MSP console that you recently launched and maybe any other initiatives that are contributing to growth in new logos?

Matt Cohen: Yes, sure. No. I think MSPs are an important component of today and an even more important component of the future. I think more and more organizations, not just down but actually enterprise organizations are choosing to outsource their security stack to the MSP providers for out there. And so, we see that as a big piece of our partner program. We talk about it actually regularly. We did launch the MSP console earlier in the year, and it’s gotten rave reviews. It’s made the life of the MSP significantly easier and allows them to be able to focus on going out and helping find us customers, once they have it, keeping those customers happy and satisfied. And the console itself really helps with kind of tenant management.

It helps with the ability to understand usage and again, it just makes their life easier. So I think MSPs are a big piece of the future of CyberArk. You see more and more of the kind of nontraditional, kind of SIs get into MSPs, resellers become MSPs. And I think it’s a big piece of how we see ourselves going forward. It also allows us, by the way, to talk about a broader portfolio stack. If you would talk to us maybe a year or two ago with the MSPs we did have, they were really focused in on PAM. And now we see the MSPs really embracing the full portfolio strategy, the platform itself, actually moving into machines, moving into the access side. One of the areas that all of our partners, not just the MSPs are most excited about is actually this idea of cloud access and how do we secure developers, whether they’re cloud architects sitting in IT, or developers sitting in the developer organization.

And what we’ve seen here, and it was evident in the SAP example, we have released a press release and I mentioned them in the script, they really wanted to think about how they expand the notion of PAM to a modern stack that actually secures the cloud environment, and they adopted our Secure Cloud Access as the fundamental component platform of how developers will access the cloud environment. It’s a really exciting win for us. And those types of new use cases come to play with the MSPs as well, and they realize that they can cover all of the personas of their organizations if they effectively adopt the CyberArk platform.

Operator: That concludes our question-and-answer session. At this time, I will now turn the call over to Mr. Matt Cohen for closing remarks. Please go ahead.

Matt Cohen: Thank you. And as you can tell, we’re just thrilled to deliver another strong quarter. We’re delivering innovation, and we’re continuing to build our vision around this idea of delivering the right level of privilege controls to every identity. We couldn’t be more excited about the Venafi acquisition, which remains on track to close in the second half of 2024. And we’re in an amazing position overall to continue expanding our leadership position in identity security. I want to end by thanking the more than 3,000 employees at CyberArk all around the world for their hard work, and their diligent effort in making CyberArk what it is today. Thank you, and we’ll talk soon.

Operator: This concludes today’s call. Thank you all for joining. You may now disconnect.
