VRNS
Published on 05/15/2025 at 10:20 - Modified on 07/17/2025 at 16:52
All right. We'll get started. Good morning, everyone. My name is Brian Essex. I'm JPMorgan security software analyst. And I'm delighted to have with us today Guy Melamed, the CFO and Chief Operating Officer for Varonis Systems. And at the end is Brian Vecci, the company's Field CTO. So thank you all for joining us.
Guy, maybe it would be a great place to start for -- particularly for those that may not be super familiar with what you do, just a brief overview of the company, what you do and where the company's origin came from?
Sure. I'll start. So, Varonis was founded because enterprises, organizations, public, private, big, small, but especially big ones really struggle with protecting data, especially in a world where data can live in on-premises data stores, databases and file systems. It lives in cloud applications, the hyperscalers, Azure, AWS and Google. Everything is connected together. People are creating and accessing more data, organizations really struggle with protecting it.
So the core of Varonis technology is to help organizations understand what data they have, where it is, what's sensitive and important. How it's being used and then we build useful safe automation so that without requiring a lot of effort or people, they can ensure that, that data is properly protected. And when anything happens, whether it's an insider threat, an outside attack, a cybercriminal group, a nation state, a ransomware group, they know about it quickly and they can effectively respond to it. And so we've built a technology platform designed to do that with very little effort for our customers.
And just to add that for the nontechnical people, the best way to think about us is as a SaaS company. We've announced the transition to SaaS in 2023 and we're well on our way to complete the transition at the end of this year.
But the best way to visualize what we're trying to do is just think of a bank. And there's a lot of ways to protect the bank. You need the cameras outside. You need the guards. You need -- there's so many things that you need in order to protect your most valuable asset. We sit on the vault. We protect the vault, we protect the data, the sensitive information that sits there and whoever finds a way to get in, we will try and access that most sensitive information. So through very sophisticated algorithms, we can identify if there's any abnormal behavior.
And with one of the new offerings that we came out with last year, which is the MDDR, which I'm sure we're going to talk more about, MDDR basically allows us to go to the customer and say to them, we will do everything for you. All you need to do is pay. We have a team. And through the software and the algorithms, we can identify if anything is happening that shouldn't happen.
And the other component to think about is that when you have a bank, people from the outside want to steal money but there's also people from the inside that might have access to that vault that shouldn't have access to the vault. And that's exactly what we do. We can identify who within the organization has access to information they shouldn't have access to, clear -- clean it in an automated way and help the organization be better protected.
Great. Great. And maybe you mentioned data. I've heard a lot about data security at RSA. Can you talk about how the market opportunity for data has changed and for Varonis has changed over time?
I think what -- the biggest thing that has changed is that organizations are now realizing protecting data is priority #1. Traditionally, in security where a company has spent money is on what we think of as perimeters. So they've spent money to protect the endpoints, the devices, the laptops, the workstations that people use or they spend money on the perimeter of, say, a data center like a firewall or they spend money on network protection.
But as Guy said, nobody breaks into a bank to steal the pens, they're after money. Data is what's really important. And data security, especially in a world of generative AI, which is all about data. AI security is a data security problem. So data security is -- has rocketed to the top of the priority stack for basically every organization from the CIO or the Board on the way down. We're in a unique position in that we've been building data security from the very beginning. This is what we do. This is in our blood.
At RSA, every single security company is talking about data security, but they're all coming at it from different angles. They're coming out of trying to protect data by protecting the endpoint or trying to protect data by protecting the network. Everybody is talking about data security. We're in a unique position in that we're the only ones that protect data in the way that we do because we protect data from the inside out.
Any sense why -- I've been kind of doing surveys for 20 years. And it's always been in this -- not necessarily in this order, but identity, network security, endpoint or endpoint identity network security, data has always been a little bit lower. Why do you think that is? I mean...
It was a very, very hard problem to solve. Identities and network, it's a much simpler problem. You can control identities with what we call role-based access. If I just know the people that are in HR and the people that are in finance and the people that are in legal and the people that are on our R&D team, I can do a pretty good job of protecting the identities. If I understand the geography, I can do a pretty good job of protecting the network.
But data is, by its nature, cross-functional. There's data that Guy and I use together, but we're in different departments. We do different things. We have different roles. Data is much harder to protect. There's more of it and the complexity, especially in a world where everything is in the cloud, and all of this infrastructure is connected together. And everybody is expected to work on anything from anywhere from any device, it's a much, much harder problem to solve for.
I want to add from -- again, from a slightly different angle, we went public in 2014, and we had roughly about $100 million of sales at the time. And I remember there were a lot of people that were talking about, you're only covering a niche problem. And then at $200 million and $250 million, we still kept getting that niche problem. It's not a niche problem where roughly -- when you think about kind of the run rate for the year, approximately, I know the guidance is precise, but roughly $750 million of ARR, and we laid out the plan on how we get to $1 billion.
So if that's a niche problem, I'll take the niche going all the way to $2 billion. But seriously, when you think about kind of where Yaki and Ohad, the 2 co-founders, they had the foresight to identify an issue that was way before it became at the forefront of everyone's discussion. So we have the experience and we have kind of the expertise that allows us to take advantage of the opportunity.
And I think, Brian, you mentioned that starting -- data is starting to get more attention. And certainly, everyone at RSA was talking about, and it's now the fuel for AI. I think people are realizing that. How do we think about the competitive environment and other vendors that might be competing to secure that data, what do you see in the environment from a competitive perspective?
I think the fact that the -- there are many more players in the space validates what we're saying that data security is the single most important problem from a security perspective that companies are facing. What's interesting is that all of the investment in the space is basically coming from 2 different directions. One are what I think of as adjacent product categories, the endpoint vendors, the network security vendors. They are talking more and more about data because they -- of course, they want to capture some of that market. But fundamentally, their technology is different.
The other side of that is there's been a lot of investment in the space in a category that what's now called DSPM or data security posture management. And there's a lot of new players there, but what's interesting about them is that they tend to solve the easier problems and the easier places to solve them, where there is low barriers to entry. So they're doing basic discovery. And by that, I mean, they'll help you find where sensitive data is, typically, in cloud databases.
What they won't do is actually provide real security. They won't help you actually fix any problems that you find. The number of CISOs that I've met who have said, we get lots of findings but findings aren't a solution. Findings are just lots of problems that I need to go try to solve, and I don't have the people to do it either. So none of them offer the kind of automation that we do, and none of them monitor all of the various data sets that we do.
With Varonis, you monitor not just databases, you also monitor applications and you monitor files, you monitor data on-premises, you monitor data in the cloud. You monitor the identities, you even monitor how data is being used by all of the human and nonhuman accounts, all of the people either using AI or AI applications. We offer a much broader and deeper set of capabilities, which means our customers actually secure data rather than just getting lots of findings.
Great. And you mentioned nonhuman identities, and I wanted to talk about GenAI and copilots. I think, quite a while ago, I think you flagged rightly so that there should be demand in front of that. I mean enterprises need to get their data state in order and understand what they have and control it before they go and adopt the new...
They should. They don't always...
So maybe touch on that, where are we in that adoption life cycle? And where do you slot in, in terms of the timing of when enterprises engage with you so that they can adopt copilots or generative AI securely?
Sure. When we talk about copilots and other agent-based AI tools that organizations want to leverage, what we've been saying for a couple of years now is unless they address the privacy and security concerns of all of their data, unless they make sure that people and the agents that they're going to be using, like Copilot or Agentforce and Salesforce only have access to what they're supposed to, they will introduce a lot of new risk, and that's exactly what we've seen happen.
Every Copilot pilot got stuck in pilot because as soon as they turned it on, people would search for things like what's the CEO salary or what's -- where is our source code or show me information about employee data or show me information about M&A activity, and it would just pop up because these companies had data in places that they didn't know about, accessible to either everybody or people that they weren't supposed to have access to it.
What's happened over the last year is, first of all, that has borne out in every co-pilot we've seen. We've seen a lot of organizations now use Varonis to automatically and very quickly secure their data and now go wide and deploy Copilot and Agentforce and other AI-based tools to their user base, and they're seeing the benefits there. You asked about kind of when this tectonic shift, when will this -- when will everybody be using this?
I think it's probably not in the next few weeks. It's going to happen in the next few years. We don't know exactly when. I think a lot of companies are being very careful about both the privacy and security concerns as well as measuring the ROI of some of these capabilities because they're not cheap. So it has been shifting exactly as we predicted. It is still relatively early.
I think what Copilot and all of the AI functionality is actually doing is putting a huge projector on a problem that always existed. And what -- when you think and kind of visualize kind of hackers coming into the organization and trying to find that sensitive data, you kind of visualize them trying to and finding where they can get it and what's the easiest path to do it, and they have to spend time and all of that shenanigans.
But with Copilot, all they need to do is go into the box and ask what -- where is the sensitive information? And kind of think about it, if you have kind of a list of your best ideas to invest in long and short that you worked months on. And now you have a competitor that logs in and they don't even need to look, all they'll do is click in the box, what are the best ideas to invest in and all the work that you've put in goes to waste.
So Copilot really makes everything becomes simpler on kind of the hacking side. And even from people within the organization that don't have any malicious intentions but now have access to information, they shouldn't have had access to. So the Copilot and GenAI, in general, it doesn't matter what platform it is, really generates a significant risk for the organizations if they don't take care of it in advance.
Got it. Super helpful. Would love to hear about any kind of quantification you can provide on Copilot AI adoption or insight that we may be moving out of that kind of like hype phase that you kind of alluded to, we saw last year into more rubber hitting the road, actual investment being made, actual adoption. Anything with regard to like the level that you're seeing in the business of Copilot influenced revenue or ARR?
So I'll start. I think we started getting questions from investors about Copilot in Q4 of 2022. And investors wanted it to take off within hours, not even within days. And we were very, very consistent in our messaging saying, this is going to change the world, it's pretty obvious to us. And this will have a tailwind contribution, but we just don't know exactly to quantify when this takes off. And we've been extremely consistent since in our messaging, saying co-pilot is -- we still believe is going to change the world, and it definitely poses a significant risk on the organizations.
And what we've started to see is that it actually is helping in our sales, and we started seeing it in the last couple of quarters. We, for years, sold single SKUs when we had on-prem subscription. And one of the moves -- one of the best things we did when we moved to SaaS is literally consolidate and sell packages. We're selling the platform as one SKU.
And one of the best selling platform sales that we have is Copilot together with MDDR on the Office 365, and we have it as a package. And we're definitely seeing that both on the new customer front, the conversation is much simpler because we're doing everything for the customer, and we're offering that protection without necessarily the customer having to have a high number of headcount to actually monitor what the outcomes are.
So we do that for them through the platform and the MDDR offering. And the Copilot as part of that package is definitely one of the more interesting sales that we have and it's definitely helped us over the last couple of quarters. But I really think it's in the early innings. We're not even close to that point where we believe this takes off. So definitely started to see a contribution, very helpful and it is part of the conversation with customers, but very early innings from our end.
Yes, I would agree. It's -- customers are certainly piloting it and testing it. When they -- once they have overcome the privacy and security issues, which they need us to do, we're basically untouched in that space. There's no one that can solve the problem in the ways that we do it as quickly as we do it without requiring effort or services in order to achieve that outcome.
We're still seeing a lot of organizations that are -- I don't want to say wait and see, but they're being careful about how widely they start deploying Copilot just because of they're measuring the value and which roles and which capabilities are going to benefit most from it.
Got it. While you take a drink of water. You mentioned MDDR and maybe this is one that Brian pick up if you want to take a drink. You mentioned MDDR a few times, and it's become a meaningful driver of the business. Can you give us a little bit of insight into what it does, why it's taking off, why it's resonating and what you expect for contribution to the platform going forward?
Sure. So core to what Varonis does is we're monitoring every data touch every time someone logs in, we understand the devices that they use and which accounts and identities are human and application. We know what data is relevant for AI. We know what data is sensitive. If you put all that together, we have more context than anybody. We also have telemetry behavior.
We're monitoring data in a really useful way. So core to what Varonis does is we know what's normal for users, for data, for applications, for devices, and we know what's abnormal. So if you got Varonis, you get a very small number of alerts that have a lot of context that tell you when something is going wrong. Brian's account is now behaving like ransomware or this application is now suddenly behaving like a human being. Or it looks like you have the indications of either ransomware or a nation-state actor or whatever it might be.
So that's core to what Varonis does. We've been doing that almost since the beginning. With SaaS, with relaunching Varonis as a SaaS platform, those alerts that get generated, we see them. We see them because we see the behavior and the telemetry for all of our customers. And that means we've got a team, a 24/7 global team that's looking at this. And when we see something that you need to know about, we call you.
So MDDR is a service that takes all of the people that we've got, this global team that's looking at the alerts for every customer that's a SaaS customer for Varonis. And when we see something they need to know about, we give them a call and we say, listen, it looks like you've got ransomware. It looks like you've got an insider threat. It looks like there's a nation-state actor. It looks like we see the indications of compromise that we see at these other customers happening in your environment too. Let us help you. Let us make sure that no damage is done. It's a no-brainer. You deploy Varonis software, now you've got eyes in the sky that are going to ensure that you never miss anything, and you get the benefits of the visibility that we have across our entire customer base. Basically, every new Varonis customer is taking that as part of their package because it is an absolute no-brainer.
Why wouldn't you want that force multiplier? The number of organizations that have a 24/7 even internally is very, very, very small. The number of organizations that can benefit from not only our technology, but the people making sure that they never miss anything is everybody.
Super helpful. I think you alluded to Guy that you're going through a bit of a transition. Maybe could you give us an overview of the transition from on-prem to SaaS that the company is going through? And how does that affect your business model?
I wouldn't say it's a little bit of a transition. It's reinventing the organization. That's the way I would phrase it. We announced the transition from on-prem to SaaS at the beginning of 2023. We laid out a plan in an Investor Day that we did in Q1 '23 that we said initially, we expect it to take 5 years. We cut it to 4 a year ago. And a quarter ago, we actually announced that we're cutting it by another year, and we expect to complete the transition at the end of this year.
The way we define completing a transition is when we get to ARR, that anywhere from 70% to 90% of it is coming from SaaS. We finished Q1 with 61% of ARR coming from SaaS, and we raised our full year number from 78% to 80%. So we expect to be at the end of this year with 80% of our ARR coming from SaaS. We took the history of Varonis and all the experiences that we had with customers and all the lessons learned and took all the goodness, put it as part of the SaaS and took all the hardship and the challenges and the customer challenges of them having to do the stuff themselves and kind of eliminated that with a SaaS offering.
And the MDDR is not offered on the on-prem subscription. It's only offered with SaaS. And I think that those who follow Varonis for a long, long time, remember, when we talked about DatAlert in 2016 is kind of changing the organization completely. DatAlert at the time was kind of the abnormal discovery of what's happening within the organization on any abnormal behavior related to data, and it changed the organization.
At the time, I talked about the fact that we believe that every single customer should have DatAlert, and that's obviously now a given. I think MDDR is another one of those. We believe it's the glue. It allows customers to understand the benefit of being protected on the platforms that they have. We believe that it should be with every single customer is going to take a while, obviously, it's not overnight.
But I can tell you that MDDR has been, by far, the fastest adopted platform we have ever come out with. And people forget it's only 5 quarters. We came out with it at the beginning of last year. So we're very happy with where it is right now, still ways to go, and we definitely want to provide that value to the customers that don't have it yet.
We also believe that it generates a tremendous opportunity of upsell because if you go to a customer and you say, we discovered an attempt or a ransomware attack or abnormal behavior on the platforms that you purchased. And by the way, just so you know, we don't follow the other platforms that you haven't purchased yet. That conversation becomes much, much simpler than if they don't have the MDDR.
Got it. Super helpful. And so what is consumption like when a customer adopts SaaS? What's the uplift to revenue and ARR when they're on the SaaS platform versus like an on-prem solution?
I'll start with kind of the numbers and what we're seeing so far. When we look at the NRR for SaaS, not the NRR for the company, but NRR for SaaS, which means doesn't take into consideration any of the conversions. We have seen that the NRR is significantly higher than the reported NRR for the company, which last quarter, we reported as 105%.
So we've seen the SaaS NRR be significantly above, and that's part of the reason that I get a lot of questions about how do we feel about going back to 20-plus percent. And I say, well, we're at 19% today. If we can continue with the growth of the new customers, which has been phenomenal with the SaaS offering, because of the simplicity of the conversation and the fact that the whole implementation is much simpler and kind of the offering of the MDDR and the Copilot is something that's very appealing.
So if we can continue with the new customer growth, and the SaaS NRR is higher than the reported NRR, that simple math gets you to the above 20%. So that's part of the reason that we feel good about kind of the statements that we provide on going back to that 20-plus percent growth rate.
So when you look at kind of the offerings that we have, it's not just the MDDR. We have significant platforms that we haven't even scratched the surface with, whether it's the Salesforce offering, whether it's the S3, whether it's Google Docs, there's plenty of more.
All 3 hyperscalers, yes, the collaboration platforms all the massive SaaS platform. Salesforce is an absolute monster from a security and a data protection perspective, that we are so far ahead of anybody else. So there's much more in front of us than behind us, but we have so much to sell to our existing customer base.
Got it. Super helpful. And maybe just one of the points of pushback I've gotten and I'm sure you've heard it, too, is the focus that your sales force is having on converting existing customers to SaaS versus going out and selling more new logos. Maybe help us understand for what the sales organization looks like?
And then how should we understand the dynamics of what your sales force has to do to convert customers and how that might take away from new logo productivity on the platform?
But what is exactly the pushback? I just want to make sure I address it head-on.
Well, that...
Focused on the conversion...
Growth is coming from conversion not new logos, right? So -- and your...
So the numbers don't support that, to be honest. When you look -- especially when you look at the reported numbers at the end of Q4, we had ARR growth of 18% and NRR of $105 million. So you could see that the growth actually came from the new customers, which is something we were very vocal about throughout 2024 because we saw how the SaaS offering really opened up kind of our ability to go out and sell to new customers that weren't able to go and sell to them before when they didn't have the SaaS offering. So the numbers absolutely don't support that.
There's definitely time consumption on the conversions that reps are putting time to get customers to convert. That's why we want to be done with it at the end of this year. We want to be a SaaS company, and we want to go back to the base and sell to them the additional platforms that we have to offer and then have continued to sell to new customers in the way we've done so far. There were definitely lessons learned that we implemented in Q1 of 2025 on how to simplify the whole process of the conversion.
And when I talk about simplifying it, it's not the technological challenge. It's a documentational challenge, of getting the right documentation and checklist and the paperworks. So we definitely learned a lot throughout 2024 and implemented that in 2025. The results in Q1 of 2025 actually show that we continue to sell very strongly to the new customers and the conversions were very healthy.
We were able to accelerate our growth to ARR of 19%. And I can tell you, there is nothing we want more than to be a SaaS company. If we -- if that theory was correct, we would milk this transition for years to come and just benefit from the conversions. We want to be done with it. We want to be a SaaS company. That's why we shortened the length of the transition from 5 years to 4 years and completing a transition in 3 years is -- it's not that easy.
It sounds easy, trust me. It's been -- there's so many components to it. I think we've done a good job so far, and we definitely want to execute and do well this year as well.
Got it. And I think one of the really interesting things is you already have good SaaS contribution to the platform and already generating healthy free cash flow for a company that's still in the process of its transition, I think, earlier than many expected. How are you able to deliver that profitability and cash flow relative to maybe other transitions that you might have studied?
It's one of the things that we're most proud of. I think we were able to start the transition and still focus significantly on the cost structure and keep it intact. There's a lot of leverage in the SaaS model. I can tell you that the margins that we have seen on SaaS have been better than what we initially expected.
So we are definitely happy with that component. And there's other departments that could leverage from kind of the SaaS platform, and we're seeing that on the number of tickets that customers kind of handle on the on-prem subscription, it's much higher than what we have on SaaS because obviously -- for obvious reasons, and there is additional leverage on the sales and marketing department, we're seeing sales cycles on SaaS being shorter than the on-prem subscription.
We're seeing -- we're still managing 2 types of code. I think there will be additional significant leverage in the R&D front once we don't have to support on-prem subscription in the same way we've done so far. So there's additional leverage components that give us the comfort and the confidence to believe that we can do better on the ARR contribution margin.
But just to note, when we did the Investor Day in 2023, we talked about a 20% ARR contribution margin when we get to $1 billion of ARR and get in there in 2027. And when you look at the ARR contribution margin, I think everyone that looks at the numbers in that 16%, 17% range, you can see that we're literally already there.
And what we're doing right now is actually putting some money to work in order to ensure that we can continue to grow post that $1 billion ARR number because we see this as a tremendous opportunity, and we want to make sure that we capitalize on it in the years ahead.
Got it. I'll ask one more, then I'll ask the audience if we have time, if there are any there. But I wanted to just touch on the results for the quarter. You increased your ARR guidance and SaaS mix despite an uncertain macro environment. I mean how would you characterize the macro environment as you see it? Are you seeing any pressure? How does that affect your business? Because I think some companies have more -- are seeing more pressure than others?
So there's definitely uncertainty on the macro front, and I think everyone sees that, obviously. We didn't see anything in the Q1 results that were impacted by macro and we haven't seen it so far when we look at kind of the pipeline and when we look at where we're headed, that gave us the confidence with everything that we track to raise guidance. I know many of the companies haven't done that, but we felt confident in raising it.
And at the same time, I think that the philosophy of guidance has stayed the same. We started with the same net new ARR from last year as the starting point for this year. And we did the same in 2024 when we took the net new ARR from 2023 as the starting point for the guidance for 2024. And we were able to update the numbers throughout the year.
So from a philosophical perspective, our guidance has stayed in that same framework, but we felt good with the numbers, and we felt good with where we are and kind of the pipeline to raise guidance for the full year.
Great. Thank you. Any questions from the audience?
So when do you anticipate, what would be the conditions to which you would stop writing dual code and maybe withdraw all your legacy product and go only one direction and get rid of those costs? And who do you most often bump into and challenges when you're selling any products?
So in terms of maintaining the on-prem subscription code, what we have done, and again, to keep in mind, it's only 2 years in the making of the transition. So it's still -- it's not like we're going to announce anything in the next couple of months. But if we get to a point where in the 80-plus percent SaaS mix, and I can say that the majority of the non-SaaS sales relates to state and federal, and we are working on FedRAMP certification, which should arrive very shortly.
One of the things that we want to make sure is that we work with our customers to find the best solution that would make sense for them, but would also make sense for us. So I wouldn't say that it's anything in the near future, but definitely something that as we gradually move way more towards the SaaS being the vast majority of our sales, it will make more and more sense.
As for competition, what's interesting is, traditionally, we haven't faced any direct competition. We've been facing competition from point tools or other adjacent categories, as I mentioned earlier. What's interesting in the last 12 to 18 months is that we are being brought into far more RFPs than we ever were.
And that's the result of the fact that we've expanded our coverage to the point where there really are no types of data, structured, unstructured cloud on-premises application data. There's nothing that we don't cover anymore, which means that if a company is putting out an RFP for privacy or classification or compliance or data security posture management or AI security, we're invited to all of those now.
And it means that we're facing more competition because we're in more fights. The competitors that we do face are adjacent product categories, network security, endpoint security. In many of these, we face discovery or classification-only products like DSPM, data security posture management. There still are no competitors in particular that we see in more deals than others, but we're in a lot more competitive deals now.
Great. With that, I think we're out of time. So Guy, Brian, thank you so much for joining us, and thank you all as well.
Thank you.
Thank you. Take care.