CyberArk Software Ltd. (NASDAQ:CYBR) Q3 2024 Earnings Call Transcript

CyberArk Software Ltd. (NASDAQ:CYBR) Q3 2024 Earnings Call Transcript November 13, 2024

Operator: Thank you for standing by. My name is Jale and I will be your conference operator today. At this time, I would like to welcome everyone to the Third Quarter 2024 CyberArk Software Limited Earnings Conference Call. All lines have been placed on mute to prevent any background noise. After the speakers’ remarks, there will be a question-and-answer session. [Operator Instructions] I would now like to turn the conference over to Sri Anantha, Vice President, Investor Relations. You may begin.

Sri Anantha: Thank you, operator. Good morning. Thank you for joining us today to review CyberArk’s strong third quarter 2024 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer; Josh Siegel, our Chief Financial Officer; and Erica Smith, our Deputy CFO. After prepared remarks, we will open up the call to a question-and-answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements which reflect management’s best judgment based on currently available information. I refer specifically to the discussion of your expectations and beliefs regarding our projected results of operations for the fourth quarter, full year 2024 and beyond.

I also refer to our expectations and beliefs regarding the integration of Venafi into our operations. Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company’s annual report on Form 20-F, filed with the US Securities and Exchange Commission and those referenced in today’s press release that are posted to CyberArk’s website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. As a reminder, we closed the acquisition of Venafi on October 1st, so the results we discuss today are CyberArk on a standalone basis. We do not have any financial contribution from Venafi in the third quarter.

Our guidance for the fourth quarter does include contributions from Venafi. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliation to the most directly comparable GAAP financial measures are also available in today’s press release, as well as in an updated investor presentation that outlines the financial discussion in today’s call. A webcast of today’s call is also available on our website in the IR section. With that, I would like to turn the call over to our CEO, Matt Cohen.

Matt Cohen: Thanks, Sri, and thanks everyone for joining the call today. We are very pleased to post strong third quarter results, outperforming our guidance across all metrics. Our results continue to demonstrate that our ability to secure every identity, human and machine, with the right level of privilege controls is resonating with customers. This is a key motivator for customers to consolidate spend across the full breadth of our identity security platform and create even more strategic relationships with CyberArk, which in turn is driving our ARR growth. A few financial highlights from the quarter. Subscription ARR was $735 million, growing 46% year-over-year. Net new subscription ARR was $59 million. That’s a record outside of our seasonally strong fourth quarter.

Total ARR was $926 million, growing 31% year-over-year. And we outperformed our guidance metrics across every variable. We delivered a record total revenue of $240.1 million, growing 26% year-over-year. Non-GAAP operating income came in at $35.4 million, or 15% margin. That’s up from a 9% margin in the year-ago period, highlighting the operating leverage in our business model as we come out of the subscription transition. And we are pleased to report $51.6 million in free cash flow, or a 21% free cash flow margin for the quarter. Our results are driven by three main factors. First, the mission-critical nature of our solutions. In a world where more than 90% of organizations are victims of an identity-related cyberattack, customers recognize that merely managing identities is not enough.

Identities, both human and machines, are the predominant threat vectors in today’s attacks, and the traditional way of securing identities in siloed, often commoditized point solutions is no longer sufficient. Second, the power of our platform. We offer the only integrated platform that can help enterprises discover with context, secure with intelligent privilege controls, and automate the life cycle across all identities, from workforce to IT to developers and machines. We further strengthened our ability to deliver on this vision with the closing of the acquisition of Venafi on October 1st. And third, the strength of our execution. To us, execution means working hand in hand with our customers to ensure their businesses can move forward and take full advantage of a digital world without fear by delivering measurable risk reduction in every program.

Our relentless focus on ensuring customers realize transformative value from our solutions and platform is the foundation of our excellence in execution. We are benefiting from the market shift to consolidation of trust, as you can see in the success we are having selling our platform. In the third quarter, we continued to see momentum build in full platform deals. In one example, a leading healthcare company was driven by a desire to consolidate human and machine identities with one vendor. They replaced the competing secrets vendor and landed with CyberArk everywhere across four of our solutions. This customer will leverage CyberArk’s capabilities across SSO, MFA, PAM, endpoint privilege, and secrets management by protecting IT users, workforce, endpoints, and machine identities from the get-go.

Independently, this customer also closed a deal with Venafi at the end of Q3. While the Venafi team closed with them on their own, we are confident this deal is a strong indication of the top line synergies we can achieve as a combined company. As customers look to modernize their approach to securing IT, they are expanding their PAM programs with our enterprise IT solution. This solution provides a unique way to protect a broad set of users, including IT administrators, shadow IT, database and cloud administrators. While the need for traditional PAM use cases of vaulting shared accounts, password rotation, and session management as foundational layers of security remains, today’s PAM programs are so much more. Enterprise are looking for a quicker adoption and faster time to value.

They need secure access to modern databases, workloads, and cloud services. This needs to be done with a just-in-time and zero-standing privilege approach without inhibiting the user’s workflow, combining for a healthy marriage of security and productivity. What makes CyberArk truly powerful? We deliver all of these comprehensive capabilities from one single seat, integrated into our platform and fully enabled with built-in core AI and threat detection and response. The modern PAM program powered by CyberArk delivered through our IT solution is setting the new standard in the industry. This is helping to win new logos, and we added nearly 230 in the third quarter. In addition, it’s driving our expansion with existing customers as they protect more users across more use cases.

Our innovation and leadership position was once again recognized by industry analysts in the corridor. We were pleased to be named a leader in the 2024 Gartner Magic Quadrant for Privilege Access Management, positioned as the leader for the sixth consecutive time and furthest in Completeness of Vision. We were also recognized as an overall leader in the 2024 Leadership Compass on Privilege Access Management by KuppingerCole, scoring highest in all three categories of product, innovation, and market leadership. Modern PAM, though, goes beyond just securing IT users. The concept of zero standing privilege to access modern cloud infrastructure and cloud environments is the key to securing the most privileged human identity group in the enterprise, the developer.

Often left unattended with always-on access, developer identities dramatically increase risk and expand the attack surface. By offering zero standing privilege, CyberArk Secure Cloud Access is a game changer for securing this high-risk population. With native workflows and access and automated life cycles and controls, our solution for securing developers offers the best of PAM without needing a behavior change. More importantly, with our solution, security is not an impediment to innovation, it is an enabler of the innovation machine within organizations. In the third quarter, a leading European bank who is a long-time CyberArk customer and has worked with us closely to protect privilege access for the IT and extended IT teams over many years, now decided to tackle the high-risk developer population.

We were excited to see the customer expand into this new identity group, buying our enterprise solution in a seven-figure ACV deal. In the untamed world of cloud security and developer access, where developers often have always-on and overprivileged entitlements, it is critical we approach security as a team sport. We were thrilled to announce our strategic partnership with Wiz, unifying the capabilities of our identity security platform with Wiz’s cloud security platform to help enhance customers as they tackle their multi-cloud security posture. Wiz’s best-in-class visibility over risky and misconfigured cloud access and CyberArk’s control over privilege with zero standing privilege approach, can measurably reduce the risk of unauthorized access, all without impacting the speed and scale of cloud development.

Our customers are excited about this partnership and the immediate benefit it can have in gaining control of their cloud environments and developer access points. Moving on to securing the workforce. We had another strong quarter with our workforce solutions, which crossed the threshold of $100 million in ARR this quarter. Workforce identity is transforming from an efficiency tool where SSO and MFA were considered enough to one where every employee needs the right level of privilege controls throughout their workday, from the moment they sit down at their end point. As a result, there is a substantial and growing cohort of both CIOs and CISOs that not only understand but prioritize security-first across all their workforce identities. Our workforce solutions implement lease privilege on managed and unmanaged devices, secure and streamline the browsing experience, substantiate more secure SSO with intelligent privilege controls and even integrate the ability to protect everyday workforce users passwords with the security of the CyberArk Vault.

Our solutions enable a passwordless workflow, seamlessly authenticating into the environment and reimagines the way enterprise secure their entire workforce. This is evidenced by a leading SaaS company who landed with a substantial six-figure workforce deal, as the de facto protection against ransomware, our solution was the tip of the spear and a great showcase of the multiple landing spots of our platform. Before I move on to Venafi and our machine identity security vision, I wanted to just highlight another very strong year of growth for Secrets Management. We have never been in a better competitive position. The value of Secrets Management at enterprise scale is resonating and the combination of Conjur Cloud and Secrets Hub means SaaS is leading the way.

I want to share a deal with a leading US energy company who recognize the value of Secrets and Machine Identities with CyberArk. Expanding with a mid six-figure ACV deal this quarter, they are protecting more of their IT users and tackling secrets and machines for the first time with Conjur Cloud and Secrets Hub. We are thrilled to close the acquisition of Venafi on October 1. I want to take this opportunity to formally welcome the tremendous Venafi team to CyberArk. From the onset of our discussions with Venafi, it was clear that this acquisition was more than just a strategic fit. It was a powerful convergence of vision, technology and culture. The past months have only reinforced our belief that joining forces will reshape the landscape of machine identity security.

The feedback from customers and partners further rose our confidence and the tremendous value Venafi will bring to our platform. In explaining the machine identity security landscape and the problems we have to solve as an industry, I often use the three Vs, volume, variety and velocity. Starting with volume. The sheer number of machines, whether they are devices or workloads, is exploding. We have talked about the ratio of 45 machine identities for every human identity in a constantly accelerating world that is only increasing its reliance on cloud native applications and workloads, IoT devices and AI agents. This ratio will soon be obsolete. With a rapidly growing volume, the ability to discover, secure and manage machines with an automated life cycle is critical to keeping this new world secure.

On to variety. Variety refers to not just the various machine types I mentioned, but also the variety in the forms of identity. From certificates to secrets to keys to tokens, there’s a large variety of identity types, adding a level of complexity not seen on the human side of identity. Managing this complexity requires an integrated solution. Organizations cannot get away with siloed tools or manual processes anymore. Customers have a clear and urgent need to simplify, reduce complexity and bring in an enterprise-grade solution to bear across the diverse landscape of machine and machine identity types. And finally, velocity, machines themselves are no longer static devices and applications. They are constantly changing and in some cases, like with the femoral workloads, they exist only for a brief period of time and then disappear.

A data center with a repetetive design of computer servers, showing the companies' efficient and secure IT infrastructure.

When you put together the pace of change of these identities and the shorter lifespan, all of a sudden, the velocity of issuance and management of these identities has also exploded. The combination of CyberArk Secrets Management offerings with Venafi’s machine identity management offerings will provide organizations with a centralized solution to manage and protect all machine identity types. By automating and securing these identities, we will help prevent misuse and compromise, ultimately reducing risk and enhancing operational efficiency. With the Venafi acquisition closed, I want to highlight our top priorities over the coming months. First, we will unleash our go-to-market organization around the world to tap into the more than 8,500 CyberArk customers who are not Venafi customers yet.

Second, we will rapidly integrate our Secrets Management capabilities and Venafi’s capabilities into a streamlined machine identity solution. And third, we will work with our partner ecosystem to get them both certified on Venafi and ready to hit the ground running as they go after the $10 billion addressable market. In summary, I want to leave you with the following takeaways. Identity security is a clear and present need for CISOs and our solution selling has further aligned how we see how the customer wants to buy, and this is resonating with customers. Our vision to deliver the right level of privileged controls to every identity, human and machine, is expanding our competitive moat and leadership position in identity security. With Venafi, we’re setting a new standard for end-to-end machine identity security.

And finally, with our strong execution and unique platform, we are well positioned to deliver a stellar next phase of durable profitable growth and take CyberArk to the next level. Before I turn the call over to Josh, I’m sure you’ve seen the CFO transition we announced this morning. Josh will see us through the year-end and will be stepping down from his CFO role in January, as part of a planned succession. We are grateful he has agreed to stay on in an advisory role through 2025 to ensure a smooth transition. I want to take a moment to acknowledge Josh’s countless contributions to CyberArk for more than 13 years. Josh is an amazing leader. In his time at CyberArk, he guided the finance organization from less than $40 million in revenue in 2011, when he joined, through our IPO, the transition from a perpetual to subscription model and turned finance into a force multiplier, enabling the scale and results you have seen us deliver.

We have scaled the company and stayed true to our values of delivering strong growth and profitability. He has been my trusted partner since I joined the company, and his contributions are measurable. I’m also though delighted to announce that Erica Smith will be our new CFO, effective January 1, 2025. Erica has been a core member of our finance leadership team and has worked closely with me on the subscription transition and our long-term strategy. She is a trusted partner to the Board and our executive leadership team, and I couldn’t think of anyone better suited to be our next CFO. So, Erica, congratulations on your new role. With that, I want to hand it over to Josh.

Josh Siegel: Thank you, Matt, for those kind words. I’m indeed proud to have been part of this amazing CyberArk journey, and I’m grateful to you, our executive team and the Board of Directors for many years of partnership. I’m extremely pleased that Erica will assume the role of CFO starting January 1. I worked closely with Erica for more than nine years. She has been a core member of our finance leadership team, holding broad responsibilities in the finance organization that include Investor Relations, FP&A, treasury, ESG and now the Venafi finance team. It is critical for all of us to have a smooth transition, continuity of leadership and someone who knows how and will execute, so we continue to march forward and scale. Erica is a strong leader and has a deep understanding of our business.

She is a great addition to the executive team. And given her performance and focus on scale, I am extremely confident that as CFO, she will help ensure CyberArk is positioned to execute on its long-term strategy. With that, I’m going to hand it over to Erica for just a few words from her, and then I’ll return to speak about the quarter. Erica?

Erica Smith: Thanks, Josh. It is an honor to be named the next CFO of CyberArk. I am grateful for the trust you, Matt and the leadership team, as well as the Board is placing in me. As Matt said, Josh has played a critical role in setting the company’s culture of operational excellence that has supported our strong growth and focus on profitability. He has been my mentor and I am grateful for all of his guidance and support over the years. I am also looking forward to working closely with him as we move into 2025. Thank you, Josh, for staying on as an adviser to support the transition. I am also excited to work closely with such a talented and dedicated group of finance professionals in our corporate headquarters in Israel as well as our offices in Asia, Europe and the US.

Continuity of our operating rhythm and execution will be a key focus as I move into my new role. I’m committed to building on our strong foundation as CyberArk looks to scale well beyond $1 billion in ARR. With that, I’ll hand it back to Josh to discuss our results in more detail. Josh?

Josh Siegel: Thanks, Erica. And now, on to the quarter results. The third quarter was another strong quarter, beating guidance across all metrics. We reported solid net new ARR, strong top line growth and substantial improvement in operating and free cash flow margins. Our execution is a testament to our platform differentiation, the growing criticality of identity security and our ability to capitalize on these secular trends. Before I provide more details on the quarter, I want to remind everyone that while we are very excited to have closed the acquisition of Venafi on the 1st of October, it did not contribute to our third quarter results. All numbers I’m about to discuss other than the guidance are on a stand-alone basis.

Moving into the results. Total revenue grew 26% year-on-year, reaching $240.1 million and exceeding the top-end of our guidance range. Annual recurring revenue reached $926 million, that’s growing 31% year-on-year. We added $58 million in total net new ARR, up from $52 million in the third quarter last year. As expected, the SaaS share of our bookings increased compared to the third quarter in the year-ago period and made up more than two-thirds of subscription bookings. Subscription ARR grew 46% year-on-year to $735 million and is now 79% of our total ARR. We also added $59 million in a net new subscription ARR and an 11% increase from the $53 million in the third quarter last year, and that sets a new record for any non-Q4 quarter. Our maintenance annual recurring revenue was $191 million, a decrease year-on-year, consistent with our move away from perpetual licenses and like-for-like conversion activity still remains a single-digit percent of our year-on-year ARR growth.

Our platform selling motion continues to drive land and expand as customers move to secure more users and more personas with CyberArk. In the third quarter, we signed nearly 230 new logos. And with our expansion engine, we also had a healthy mix of upsell and cross-sell into new solutions. In the third quarter, the cohort of customers was more than $100,000 in ARR, grew to over 2,000 customers. The cohort with ARR of more than $500,000 is now over 375 customers, and that’s growing nearly 40% year-on-year. Now moving to the revenue lines. For the third quarter, recurring revenue reached $224.2 million, growing 29% year-on-year and accounting for 93% of total revenue. Subscription revenue was $175.6 million, growing 43% year-on-year and representing 73% of total revenue.

Maintenance and services revenue was $61.6 million, and of that, recurring maintenance revenue was $48.6 million, compared to $51.5 million in the year-ago period, and that’s reflecting the year-on-year decreases in our maintenance ARR balance. From a geographic perspective, all regions continue to show healthy growth. Americas grew by 26% to $141.8 million. EMEA revenue was $73.1 million, that’s up 22% year-on-year. And APJ revenue was $25.1 million, growing 34% year-on-year. All P&L line items will now be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release. Third quarter gross profit was $200.3 million or 83.4% gross margin, compared to 82.7% in the third quarter last year.

In the third quarter, our operating income was $35.4 million or 14.7% operating margin that’s well ahead of our guidance and a significant increase from an operating income of $16.9 million or the 8.8% operating margin in the third quarter last year. The outperformance was driven in part by the revenue upside as well as certain program expenses moving into the fourth quarter. Net income came in at $45.1 million or $0.94 per diluted share, also significantly outperforming our guidance and more than doubling from the EPS of $0.42 in the year ago period. We ended September with 3,300 employees worldwide, including 1,400 in sales and marketing. We are pleased to deliver another strong quarter of free cash flow, with $51.6 million in the third quarter or a margin of 21%, and that’s compared to $13.6 million in the third quarter of last year, or a margin of 7%.

We ended the third quarter with approximately $1.5 billion in cash and marketable securities. As a reminder, our cash balance at the end of the third quarter does not reflect the $1 billion cash portion of the consideration paid for the Venafi acquisition on October 1. I want to touch on the upcoming settlement of our convertible senior notes maturing on November 15. We plan to settle these convertible notes with shares as we outlined in our 6-K filing with the SEC back in March. The approximately 3.7 million shares associated with the convert have been included in our fully diluted share count as applicable already since the fourth quarter of 2022. Further, we expect a cap call associated with the convertible notes to result in cash proceeds of approximately $260 million.

We will receive those proceeds at the maturity of the convertible notes. As you can see, we continue to have a strong balance sheet that supports our growth strategy. So now, turning to our guidance. For the fourth quarter of 2024, we expect total revenue of $297 million to $303 million, which represents 34% year-on-year growth at the midpoint, and that includes approximately $41 million from Venafi. We expect non-GAAP operating income in the range of $43.5 million to $48.5 million for the fourth quarter, and that includes a contribution of approximately $11 million from Venafi. We expect our non-GAAP EPS to be in the range of $0.65 to $0.75 per diluted share. And our guidance assumes 51.2 million weighted average diluted shares. Our guidance also assumes about $16.7 million in taxes.

Looking at the full year 2024, we expect total revenue in the range of $983 million to $989 million, representing 31% year-on-year at the midpoint. We expect our full year operating income to be in the range of $135 million to $140 million. And as a reminder, our full year guidance also includes $41 million contribution to revenue and $11 million to non-GAAP operating income from Venafi’s fourth quarter that I just said earlier. We expect our non-GAAP EPS to be between $2.85 and $2.96 per diluted share we expect about 49 million weighted average diluted shares and about $52.2 million in taxes for the full year 2024. We expect our annual recurring revenue to be in the range of $1.153 billion and $1.163 billion at December 31, 2024, that includes an expected contribution of approximately $164 million from Venafi at the year end.

For the combined company, our guidance represents about a 50% year-on-year growth at the midpoint. I would remind investors that as a result of the largest cohort of customers coming up for renewal in the fourth quarter, we do typically see the largest sequential decrease to our maintenance ARR also in the fourth quarter. We are significantly increasing our cash flow guidance — our free cash flow guidance for the full year 2024 to a range of $203 million to $213 million, and that represents 21% free cash flow margin at the midpoint, that includes $8 million contribution from Venafi. To sum up, we are pleased to report another strong quarter and are thrilled to welcome the Venafi team to CyberArk. While the guidance I just provided includes the contribution from Venafi, it is important to note that even on a stand-alone basis, we are increasing our guidance for the year across all metrics.

We are well ahead of the playbook we outlined at our Investor Day in 2023, which speaks to how we have expanded our leadership position and delivered consistently strong execution. With 31% ARR growth, 26% revenue growth, 15% non-GAAP operating margin and 21% free cash flow margin in the third quarter, we’re in an elite group of enterprise software companies that are operating above the Rule of 40 benchmark. Before I hand it over for the QA portion of the call, I want to take this opportunity to express my gratitude to all those at CyberArk and also a special note of gratitude to our founder and Executive Chair, Udi Mokady, whose friendship and mentorship I treasure greatly. I also want to thank our investors and the broader investor community for their support, and I’m very excited about the future of CyberArk and believe we are in a position of strength to continue to deliver strong results going forward.

With that, I’m now going to turn the call over to the operator for QA. Operator?

Q&A Session

Follow Cyberark Software Ltd. (NASDAQ:CYBR)

Operator: [Operator Instructions] Your first question comes from the line of Saket Kalia of Barclays. Your line is open.

Saket Kalia: Okay, great. Hey, guys, good morning and thanks for taking my questions here. Josh, let me just start by saying, I tip my cap to you man on just a heck of a run, and Erica, congrats as well. It’s just great to see the continuity and what seems like a very smooth transition.

Josh Siegel: Thank you, Saket.

Erica Smith: Thanks Saket, appreciate it.

Saket Kalia: Absolutely. Matt, maybe on to the business and what was a very strong quarter, maybe for you. You called out the power of the platform in your prepared remarks. Then you mentioned some examples of customers that consolidated their identity solutions to CyberArk. Can you just maybe talk about that trend as we look forward? And is there anything that you’re doing at CyberArk to drive that motion within the sales team of a more consolidated type of sale, if that makes sense?

Matt Cohen: It does, Saket. Thanks for the question. I think what we see out there at the highest level is that customers are having, for lack of a better phrase, an identity crisis, right, as they try to figure out what are they going to do with the threat landscape that they face. And they’re trying to figure out who they can trust in that threat landscape to actually provide security across all the types of identities that they need to secure. And increasingly, the conversations with us in the CISOs and the C-suite, CIOs kind of across the board is the conversation is not specific to platform to begin with. It’s specific to the idea of you have the spectrum of identities, you need security across all of them, only CyberArk can do that for you, do that across human and machine, do it across the workforce and IT and developers.

And so we get engaged in that type of conversation, and then we use our solution selling approach to make sure that we can provide a quick on-ramp and a quick time-to-value against whatever identity groups are top of mind or top priority. Then we bring in the platform selling approach to future proof them to tell them, listen, you can get started with one identity group. You can get started with multiple. We will be there for you on an extensible platform that can bring you to value when you’re ready. So we’re not pushing it from that perspective. What’s happening in the market is that customers more and more are recognizing they want to go faster, they want to go deeper. And so if they’re security minded, and you heard me call that out, the security-minded buyer, they’re sitting there and saying, why not go faster with CyberArk since they have the platform since we need to tackle this identity security problem, since my Board, my rest of the executive team are asking me about this.

And so it becomes a very organic sales process of conversations and as I like to point out, trust in the CyberArk relationship.

Saket Kalia: Makes a ton of sense. Josh and Erica, maybe for my follow-up for you, folks. Really appreciate the detail on Venafi. Understanding it’s early, how do you sort of think about the growth profile for Venafi relative to CyberArk’s organic growth in terms of ARR? And as part of that, do you expect any changes in the makeup of Venify’s ARR as you go into next year?

Josh Siegel: Yeah. Thanks, Saket. We absolutely see Venafi’s portion really contributing well and — at CyberArk, so a higher growth rate on ARR. We’re confident about that. And one of the things that we’ll also see is really a lot — is a lot of movement towards their bookings going towards SaaS. And we can easily see next year with the majority of the SaaS — where the majority of the bookings will be in SaaS, and that’s a change compared to their history where they’ve been traditionally more on-prem until this last year, where they’ve started to ratchet that up.

Matt Cohen: Yeah. So I think I’ll just jump in. I think when we think about Venafi, it’s a growth play for us. We just see this broad landscape of kind of unprotected machine identities. And I think as Josh said, we believe in our hands. We said it since day one, and we’ve become even more confident in that, that Venafi will grow at or above the CyberArk growth rates once we are fully able to roll it out across the sales team.

Saket Kalia: Very helpful. Thanks guys.

Matt Cohen: Thank you.

Operator: Your next question comes from the line of Hamza Fodderwala of Morgan Stanley. Your line is open.

Hamza Fodderwala: Great. Thank you for taking my question. First off, congrats Erica, and congrats to Josh on a great run not only for your contributions to CyberArk, but also to the broader cyber and Israeli start-up community. I know you’ve been a mentor to many CFOs and including a few CEOs. So thank you for all your contribution.

Josh Siegel: Thank you, Hamza, for those words. It really means a lot. Thank you.

Erica Smith: And thank you for the well-wishes, Hamza. I appreciate it.

Hamza Fodderwala: I wanted to ask a question for Matt. So a lot of CISOs we talked to are talking more and more about machine identity. I wanted to just maybe drill into a little bit what that looks like. So you talked about a deal I think where you were able to cross-sell your machine identity capability with Venafi. What does that look like? I mean, are you — your core product is obviously priced on a seat basis. Was this the upsell based on the number of certificates? Was it other type of machines? And what could the deal multiplier be if Venafi is included with CyberArk?

Matt Cohen: Yeah, sure. So I think the foundational answer is the human side of the identity business is based upon humans. So the number of seats. On the machine side, it’s generally based upon what you’re securing. So for our secrets business, especially our SaaS-based Conjur Cloud and Secrets Hub, we’re generally basing it upon applications because you’re building in the credential management for applications as part of the secret security process. So on the machine side, on the secrets, it’s going to be applications. On the machine side of Venafi or certificate life cycle management, it’s going to be based upon certificates. We call those instances. The reason we call it instances is actually each certificate can actually be stored or be leveraged across multiple machines.

And we actually charge for each instance of that certificate. So you’re going to see those differences across the board when we kind of bundle it together, we’re looking at ways to make it easy for the customer to buy, especially between the secrets obviously and the certificate side. I think when you think about what potential there are here, you’ve heard us talk for a while that the secrets business alone can be a multiple of — for example, the PAM business that you’ve heard us talk about. We’ve talked about it actually being a fully deployed Secrets deployment is 1.5 times the deployed PAM deployment. I think on the certificate side, we see even bigger multiple opportunity where it could be 2x. It’s a little bit bigger than even the secret side.

So when you start to look at the deal size and really once deployed, footprint that can happen on the machine identity side when you combine secrets with certificates, those are bigger deals and ultimately, it can be a nice high-growth business for us.

Hamza Fodderwala: Thank you.

Operator: Your next question comes from the line of Matt Hedberg of RBC Capital Markets. Your line is open.

Matt Hedberg: Great. Thanks for taking my questions, guys, and I’ll offer my congrats as well to both Josh and Erica. I wanted to ask a little bit about your Workforce business. It’s impressive to see it pass the $100 million ARR mark this quarter. I’m wondering if you could provide a little bit more context about how quickly that’s actually growing in the base? And maybe what percentage of the base is actually leveraging workforce?

Matt Cohen: Sure, Matt, and welcome to the call. When we look at workforce, let’s just start again with the kind of the strategic ability to be able to go in. Where we’re winning is with CISO, CIOs that have a security-first or security-minded way of buying. Some people still buy workforce SSO, MFA as an efficiency tool. And in that case, Microsoft or other providers out there are perfectly good solution to provide kind of what we consider commoditized SSO, MFA. Our solution is based upon the idea that actually that’s not enough. It’s not enough in this threat environment, in this threat landscape. And we need to use MFA, SSO as kind of base level controls where we wrap around intelligent privilege controls, vaulting of personal passwords, a more secure browsing and actually a really tight tie-in to least privilege at the endpoint in our EPM product.

And so that becomes the foundation of how we compete, how we differentiate out there. As you mentioned, we’re pretty proud to see that business kind of cross the $100 million ARR threshold, kind of in line with where we actually expected it to be when we actually acquired Adaptive several years ago. And what we see there is that it’s a business that’s growing really strongly, faster than our core for sure, and increasingly becoming a part of more and more deals. Now you asked the question around our penetration rate, I would tell you the penetration rate is still pretty low. We’ve got over 9,000 customers now. And I think we’re talking about a little around 1,000 or so that are using our workforce solutions. And I think that’s the opportunity we still have here is to sell into that base, really bring them onto the platform, as you heard me talk about on Saket’s question a little bit earlier and expand the number of identities that our platform is securing as a whole.

It’s an exciting opportunity for us. And I do want to just call out the tie-in between the workforce business, the traditional SSO, MFA and our kind of advanced controls, and the EPM business, which is securing the endpoint of that workforce user because when you combine those two businesses together, you start to see a really meaningful portion of our ARR coming from securing the workforce population as a whole.

Matt Hedberg: Thanks, Matt. Great comprehensive answer. And then maybe just a quick housekeeping one for Josh or Erica. It looks like Venafi is contributing about $160 million of ARR to the full year. I’m curious, how quickly was Venafi ARR growing exiting kind of the Q3 quarter? And do you have a rough estimate of what that SaaS mix was in Q3?

Erica Smith: So yeah, they were growing at about at the10% mark, if you think about it in the double digits and then the SaaS mix was actually roughly 10% of their overall base. A little — it’s ratcheted up in the last few quarters to closer to 12% right now, but it’s right in that range.

Matt Cohen: And it’s something we see, which is really interesting, we’ve talked about even in our core business, which is just a dramatic shift to SaaS as the leading motion our sales team is most comfortable with. So while they sat at 10% of ARR and a small percentage of their overall new bookings earlier in the year, even when we look into the pipeline for Q4, we see — as Josh said, it’s starting to become more of the majority of the pipeline is SaaS led for them. And as you’ve seen with us, it just continues to grow each quarter, the amount of our pipe on our execution that’s tied to our SaaS portfolio.

Matt Hedberg: Thanks, guys. Best of luck.

Operator: Your next question comes from the line of Brian Essex of JPMorgan. Your line is open.

Brian Essex: Good morning and thank you for taking the question. First of all, Josh, congratulations to you, what a great track record you’ve built. And, Erica, congratulations to you as well. It’s great to see.

Josh Siegel: Thanks, Brian.

Brian Essex: Of course. Maybe for Matt, I know you talked about in your prepared remarks the ability to unleash your go-to-market notion on over 8,500 non-Venafi customers now within your install base. Can you just talk a little bit about what needs to be done within your direct sales force? And then what you’re doing within the channel and perhaps how long that will take to have an effect on the trajectory of Venafi’s growth rate?

Matt Cohen: Sure. Yeah. Great question. We started training our sales team the minute we could. And in fact, we’ve gone out and really gotten them ready to have the conversation post close date. And so we’re already seeing pipeline being built here in Q4 for next year that our sales team is able to contribute hand-in-hand with the Venafi team. So we feel ready to go. I think at some level, we were itching to go and we wanted to get through, obviously, the regulatory approval so that we could get started. And we really can’t wait to start — as I said, and then you repeated, unleash that sales team to be able to go push this product. It is a really easy conversation. And what I mean by that is it’s the CISO who’s sponsoring the conversation.

It’s the same buyer. We know the parties involved. And ultimately, it becomes part of our talk track pretty easily, pretty quickly, and we haven’t seen a need to kind of bring in specialists in every conversation. I think the partner one side of the fence is probably what surprised us the most to the upside. I think when we first announced it, we said we were, I think, down at the event and we had our partners in the other room. And we said they were so excited. And sometimes that can fade. What we found is the exact opposite. We actually were at standing room only in classes and certifications that we’re doing for partners around the world throughout the last quarter. We had to actually add in more and more training classes for our partners.

We’re kind of racing to kind of have first-mover advantage to be able to bring Venafi into the market. So I think we’ve seen even more of an uptake in the partner community than I would have expected, to be honest, and I think it speaks to the need to solve a problems of the machine identity security story. Now I will say that it’s a similar sales cycle to the CyberArk sales cycle. So we’ve always talked about a three, four quarter sales cycle, and sometimes we do better and it’s two quarters or so. So I think we will see the impact of all this enablement and certification happen as we get into next year and into the back half of the year, especially. But it’s why we’re so confident in our ability to say we’re going to grow this at or better than the CyberArk overall growth rate is because we see these conversations really taking off.

Brian Essex: Got it. That’s super helpful. Maybe one quick housekeeping question, if I could, for Josh or Erica. Is there any deferred revenue write-down that we have to consider as we tune our models and we add Venafi into the equation?

Josh Siegel: No, there’s nothing material on that stuff.

Brian Essex: Fantastic. Thank you so much.

Matt Cohen: Okay.

Operator: Your next question comes from the line of Jonathan Ho of William Blair. Your line is open.

Jonathan Ho: Hi, good morning. Let me echo my congratulations to Josh and Erica as well. It has been fantastic to work with you, Josh. Just in terms of Venafi, can you talk a little bit about the opportunity to expand the awareness of the machine identity problem? And across your base as you engage with customers, can you give us a sense of where they are in terms of understanding the challenges as well?

Matt Cohen: Sure, Jonathan. And I think it’s — I’ll use a couple of examples maybe to help here, just in terms of the ability for us to scale, right? We’ve talked before about more than 10x sales reps and our ability to be able to bring it into the base and educate through a sales-driven process. But we’ve also been able to really attack it already from a marketing event-based process, from a partner landscape, as I was talking about. They did an event prior to close here in Boston called the Machine Identity Security Summit. And there were a couple hundred people there, I think it was about 200 people, and it was a great message. We then took the content, combined it in with our impact on the road, World Tour, did an event out in San Jose.

We had well over 300 people there at the event. We had well over 1,000 people register for the event online. And you start to see the scale take off in just amplifying the message out into the base. We’ve obviously gone out and pushed our partners around in this enablement and in this training, also can they turn on their marketing engine around this problem of machine identity. And they’ve been rallying around our secret story over the last couple of quarters, and I think this just becomes a nice extension of what they’ve already been doing. So I think you’re going to see that the, education process, the awareness process has really started to kick into full gear. Our marketing team has a great plan of attack for how they’re going to continue pushing it going forward.

And I think when you talk with the customer base, and I’ve done 40 or so calls in the very near recent couple of weeks. They all understand that they’ve got to get their arms around this machine identity problem or they’re going to get themselves in a lot of trouble. This Google mandate for example, that brought down certificate life spans from hundreds of days to a mandate of 90 days. Apple came out with a mandate of 45 days. Those things are driving actually a good degree of uncertainty down into the enterprise and what are they going to do if they’re managing certificates, keys in a manual process. And so I really feel strongly that we are at a cusp of where the customer understands it, our marketing engine is going to kick in. And ultimately, this is an area where the customers are going to start pulling as much as we’re pushing.

Jonathan Ho: Excellent. And just in terms of a quick follow-up, can you give us a sense of what drove the strong margin outperformance this quarter? It’s just exceptional in terms of the profitability. Thank you.

Josh Siegel: Yeah. In part, it’s the revenue beat, as you saw, we ended up beating revenue above the top line. And then our — I called this out, there are some expenses that we’ll be doing in Q4 that were planned for Q3. And then just overall, good, strong efficiency as we operate the company.

Operator: Your next question comes from the line of Roger Boyd of UBS Securities. Your line is open.

Roger Boyd: Great. Thanks for taking the questions and I’ll add my respective congrats to both Josh and Erica. Happy for you both. Matt, a high-level question around post-quantum. It seems like awareness is raising there. I’m wondering, based on your conversations with customers, do you think that we’re getting into the actual adoption curve where customers are looking to pick up post-quantum security tools, some of the stuff you’re talking with being able to gauge exposure and get to a place of certificate agility? And now with Venafi in the platform, just any sense of how material you think this could be as a driver into next year? And then I have a quick follow-up.

Matt Cohen: Sure. Yeah. No, I think you hit it — a nail on the head there around the idea that the willingness and want to talk about kind of post-quantum plan is a part of every conversation we’re having on the Venafi side. Now, I still think it’s obviously several years out until the actual quantum impact is felt and thankfully for that. But what we’re able to do now is really talk with the customers about their programs and plans. We have an ability to come in and do workshops around how the Venafi solution in our overall machine identity security solution can help prepare for post-quantum world. And it speaks not only to the need for, obviously, innovating around the algorithm and making sure that you’re able to prepare.

It also speaks to this idea of life cycle management because in a post-quantum world, where an algorithm might be able to be breached or hacked into, we need to be aware of all of the assets, all the identities out there, and we need to be able to reissue maybe with a new algorithm on demand based upon what’s happening in the kind of threat landscape or threat environment. So I do think it’s a piece of the strategy. I think you’re right that customers are starting to talk about it. Still many years out till they have to actually implement. But I think it’s a part of what’s driving the awareness of what we’re doing on the machine identity side.

Roger Boyd: Got it. Super helpful. And then just for Josh or Erica, just around 4Q, I know you’ve talked about moving to shorter contract durations on the maintenance side. Any color you can provide on what you’re seeing around renewal rates there? And anything to be mindful of relative to your 4Q assumptions for maintenance given the renewal base and seasonally larger quarter? Thanks.

Erica Smith: Yeah. And, Roger, it’s a great question. I think we’ve seen continued strong renewal rates as it relates to that maintenance space. But as you know, that Q4 is one of the biggest quarters. So baked into kind of our forward-looking or fourth quarter guidance is about an $8 million to $10 million decline in that overall maintenance ARR sequentially. So, just kind of keep that in mind when you’re thinking about the ARR build into the fourth quarter and the exit rate there.

Roger Boyd: Great. Thanks, again.

Operator: Your next question comes from the line of Adam Borg of Stifel. Your line is open.

Adam Borg: Awesome. Thanks so much for taking the question. And of course, Josh and Erica, many congrats to you, both. Maybe a bigger picture question for you, Matt. You talked about the platform selling approach is in great traction, especially with some of the wins you talked about. I was just curious maybe from a technology perspective under the hood, especially as you now hold in Venafi, how do we think about how integrated, let’s call it, the human side of the portfolio is today, you talked about efforts to integrate secrets and Venafi. How should I think about almost a converged human/non-human identity portfolio on the back-end in coming years? Thanks so much.

Matt Cohen: Sure, Adam. So I think as you highlighted, our first priority is let’s get Venafi and secrets integrated into what we’re calling this machine identity security solution and let us hit the ground running as fast as possible with that, so we can take advantage of the increased awareness and the need to really lock down those machine identities themselves. I think — what we look for is two things. One is the shared experience across human and machine so that organizations and customers can partake of shared dashboard, shared discovery. And I think those types of things start to come online more towards the end of the year into 2026. And then we’re always looking to look how can we leverage the shared services of our platform, for example, things like unified audit and unified identity management.

And that’s an area where we can be building up over time also as part of a shared platform approach. So I think 2025 is really about integrating the machine identity solution itself. 2026, you start to see the technologies come together, and we have a roadmap and an idea of what that would look like. Independent of the technology, there’s a conversation with customers that we’re having all the time, which is machines and humans need to be integrated and managed under one platform, one ability to understand what is going on. We need to make sure that we can provide a future proof for the years to come across human and machines, because that’s needed for a comprehensive view of what identity security is. And so I think that starts from day one.

And frankly, I’ve received multiple comments from customers. Customers I trust implicitly actually that help advise that say, this is like one of the things that they would have hoped happened in the industry, is bringing human and machine more together for where they need to go for the future.

Adam Borg: Awesome. Thanks so much.

Operator: Your next question comes from the line of Don DiFucci of Guggenheim Securities. Your lien is open.

John DiFucci: Thanks for taking my questions. I have been called Don before. But anyway, I don’t mean to beat a dead horse on this, but really, I think I’m curious like why Venafi represents an incremental growth plan for you. Matt, you talked about the go-to-market push, and that makes some sense. And you talked about a bunch of things here. But we’ve heard about this for a while, and Venafi has been around for a while, and it was a good company, a decent company, but it never seemed to fulfill its promise, right? Machine identities always made sense, but they never fulfilled. And I just wonder if we’re getting a little bit too far ahead of ourselves here. And you guys have executed really well, and that’s part of it, too, right? That’s positive. But I don’t know if you could speak a little bit to that? I’m sure there’s a question in there somewhere.

Matt Cohen: There is. And I think it’s a good one, which is why now. And I think I’ve hit on, as you mentioned — all right, did Venafi ever invest in the go-to-market scale and breadth to be able to truly go out there and penetrate the market, they were mainly focused in the US. They didn’t have much presence in EMEA and APJ. They had a relatively limited spending on marketing and on sales. They had a very, very, very small channel program, so they were not able to actually bring in the SIs and the bigger channel partners that we bring to the table. So for sure, one part of it is what CyberArk brings to the story. But I think there is a second part, which is an inflection in the market of, as I said, volume variety and velocity.

And that’s a change. Like if we go back five, six years ago, the volume was not where it was. And the variety actually was not as complex. And ultimately, the very nature of these modern workload identities were much different in terms of the velocity of change that was happening. When you go out and look at the market factors around the Google mandate, the actually regulations that are coming in that actually speak to the machine identity landscape, there wasn’t the pressure your arms around what was a very basic problem to begin with of certificate life cycle management. What’s happening now — and by the way, that’s what drove them up into only the upper echelon of big banks, big financial institutions where the problem was really tough and they weren’t actually penetrating down into the mainstream enterprise because it wasn’t really part of a big problem statement, given the volume, given the variety, given the velocity, what we find now is actually manual processes, spreadsheets, kind of point solutions, can’t manage the problem.

And that’s what our enterprise customers were telling us before we acquired Venafi. And that’s what they’re telling us even more now post acquiring Venafi. So I think when you combine those factors together, that’s what gives us the excitement and the confidence in what we’re out there describing. And ultimately, you’ll see that materialize as we move throughout 2025.

John DiFucci: Okay. Okay. And I just want to make sure that Josh wasn’t putting a high bar for Erica, just leaving that for her because I know — well, she’s been by his side for a long time. But Okay. And I guess…

Matt Cohen: I don’t know that Josh has ever found a high bar. I think he always is putting the right bar out there prudently. That’s why I love Josh.

John DiFucci: That all makes sense. And you guys, like I said, have executed well. But I guess ARR was strong this quarter, my follow-up here. And it was in the range of what we thought you could do like — and that’s great. But just curious if you saw any influence on this last quarter due to the US election? And if you did, how do you see this influencing business going forward, if at all?

Matt Cohen: Yeah. So we definitely didn’t see anything materially different than what we’ve seen in other quarters. I think we continue to see, like we say, a tough macro out there, one in which, though we continue to perform well. Security being at the top of the list, our security — identity security being at the top of that list. You’ve heard me say that before. I don’t think we saw anything measurable or change there. I think as we look towards Q4, we’re not anticipating some large budget flush out there as people kind of figure out maybe what the implications of the macros in the environment is. So our guide doesn’t assume that. But no, I don’t think we’re seeing anything different in the environment as a whole, and we’re kind of in a wait-and-see approach as it relates to the election itself.

John DiFucci: Great. Thank you, and congrats to the team.

Matt Cohen: Thank you.

Operator: That concludes our Q&A session. I will now turn the conference back over to Matt Cohen, CEO, for closing remarks.

Matt Cohen: Thank you. And we are excited to deliver another strong quarter that showcases our leadership in identity security and that our vision of delivering the right level of privilege controls for every identity is working. We’re thrilled to welcome the exceptional Venafi team to CyberArk. I want to congratulate Erica on joining the leadership team, and I want to save my heartfelt thanks to Josh for being such a strong partner to me as I came into the CEO role and for helping to guide CyberArk for all these years to our success. Thank you, everybody.

Operator: This concludes today’s conference call. You may now disconnect.

Follow Cyberark Software Ltd. (NASDAQ:CYBR)