Okta - Q3 2024

Transcript

Dave Gennarelli (SVP of Investor Relations)

Hi, everybody. Welcome to Okta's Third Quarter Fiscal Year 2024 Earnings Webcast. I'm Dave Gennarelli, Senior Vice President of Investor Relations at Okta. With me in today's meeting, we have Todd McKinnon, our Chief Executive Officer and Co-founder, and Brett Tighe, our Chief Financial Officer. Today's meeting will include forward-looking statements pursuant to the Safe Harbor Provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our financial outlook and market positioning. Forward-looking statements involve known and unknown risks and uncertainties that may cause our actual results, performance, or achievements to be materially different from those expressed or implied by the forward-looking statements. Forward-looking statements represent our management's beliefs and assumptions only as of the date made.

Information on factors that could affect our financial results is included in our filings with the SEC from time to time, including the section titled Risk Factors in our previously filed Form 10-Q. In addition, during today's meeting, we will discuss non-GAAP financial measures. Though we may not state it explicitly during the meeting, all references to profitability are non-GAAP. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. A reconciliation between GAAP and non-GAAP financial measures and a discussion of the limitations of using non-GAAP measures versus their closest GAAP equivalents is available in our earnings release.

You can also find more detailed information in our supplemental financial materials, which include trended financial statements and key metrics posted on our investor relations website. In today's meeting, we will quote a number of numeric or growth changes, as well as discuss our financial performance, and unless otherwise noted, each such reference represents a year-over-year comparison. Now, I'll turn the meeting over to Todd McKinnon. Todd?

Todd McKinnon (CEO and Co-Founder)

Thanks, Dave, and thank you everyone for joining us this afternoon. We want to kick off this call by addressing what's top of mind for everyone, so we're trying a new format this quarter. In light of the new security blog we posted this morning, we felt it was important to get the earnings release and guidance out before the market opened as well. At around the same time that the earnings press release hit the wire, we posted prepared remarks to the IR website, which contained some of my typical commentary around customer wins and other notable news from the quarter.

This new format allows me to spend more time discussing the new information while also leaving more time for Q&A. I want to start by summarizing the update we shared in a blog post this morning related to the October security incident involving our support case management system. Upon deeper analysis of the event, we determined that the threat actor obtained the contact information of our support portal users across a significant portion of our customers, including the names and email addresses of all Okta admins, except customers in our FedRAMP High and DoD IL4 environments.

While this information cannot be used to directly access an Okta environment and does not include user credentials or sensitive personal data, a threat actor may use the information for targeted phishing attempts. With this more detailed information, we felt strongly that sharing this information will help our customers better protect themselves against an increased risk of phishing and social engineering attacks. We have engaged a digital forensics firm to validate our findings and currently expect that they will complete their analysis in mid-December. Once finalized, we will share the report with customers and publicly.

Now, let me address what Okta is doing to better protect ourselves from security threats. Over the years, we have dedicated significant resources towards securing our product environment. Given recent events, we recognize that we need to do more to improve the security architecture of our broader operations. That includes the applications we use, the hardware we deploy, and the vendors we work with. Over the past few weeks, we have taken several steps to further strengthen our security posture. We've initiated a hyper-focused security action plan by rallying the entire organization, as well as engaging with third-party security firms to fortify our team's efforts. The stakes are high, and we will do whatever it takes to protect our current and future customers. Bolstering our security environment is, by far, the highest priority for Okta.

The job of securing the Okta ecosystem will never be done, but during this hyper-focused phase, no other project or even product development area is more important. In fact, the launch dates for the new products and features that we highlighted at Oktane last month will be pushed out approximately 90 days. The exception being Okta Privileged Access, which becomes generally available this week. Now, turning to our Q3 results. Top-line metrics were strong. We continue to experience particular strength with large customers. Similar to the past few quarters, our fastest-growing cohort was customers with $1 million-plus ACV, with growth of over 40%.

It was also a strong quarter for new and upsells across our public sector vertical. We also produced record non-GAAP operating profit and record free cash flow in the quarter as we continue to demonstrate the leverage in our model. In other news, we're thrilled that Jon Addison, who has been our interim CRO since the start of this fiscal year, has been appointed to the permanent position.

With Jon's appointment as CRO and our continued confidence in the go-to-market leadership team, we have closed the search for a president of worldwide field operations. Okta is driven by our vision to free everyone to safely use any technology. The measures we're taking to increase the security of Okta and our ecosystem gives us confidence in our ability to move forward. We will come out of this even stronger because Okta is the only modern platform for neutral and independent identity access management, governance, and now privileged access.

Before turning it over to Brett, I want to thank our employees for their tireless efforts. I want to thank our customers and partners who put their trust in Okta every day. I also thank everyone who supported us at Oktane last month, where we had over 4,000 people at the live event in San Francisco and over 19,000 viewing online. Now I'll turn it to Brett to walk you through more details of our financial results and forward outlook.

Brett Tighe (CFO)

Thanks, Todd, and thank you everyone for joining us today. The actions we've taken over the past few quarters to drive efficiencies in our cost structure continue to yield impressive results. I'll review our third quarter results and our outlook, but first, I'll start with some commentary on the macro environment. Macro headwinds, while stabilized, continue to impact our business. Metrics that we use to gauge the macro environment, such as contract duration, average deal size, and pipeline mix, were largely consistent with what we experienced in the first half of the year. Separately, we published the advisory regarding the recent security incident on October 20th, which was 11 days ago in the quarter. While business at the close of the quarter slowed somewhat, our overall financial performance in Q3 was strong.

Turning to Q3 results, total revenue growth for the third quarter was 21%, driven by a 22% increase in subscription revenue. Subscription revenue represented 97% of our total revenue. International revenue grew 20% and represented 21% of our total revenue. FX had a minor impact on total revenue growth, but was a 2-point headwind to international revenue growth. RPO, or subscription backlog, grew 8%. The general shortening of contract term lengths signed over the past several quarters has impacted total RPO growth. Our overall average term length remains just over two and a half years. Current RPO, which represents subscription backlog we expect to recognize as revenue over the next 12 months, grew 16% to $1.83 billion. Turning to retention. Consistent with prior quarters, gross retention rates remained strong in the mid-90% range.

Our Dollar-Based Net Retention Rate for the trailing 12-month period remained strong at 115% and was driven by both upsell and cross-sell activities. Similar to the past few quarters, macro-related pressure resulted in smaller seat expansions than in previous years. We believe this trend will persist in the current environment. The net retention rate may fluctuate from quarter to quarter as the mix of new business, renewals, and upsells fluctuates. As I've noted previously, we've experienced a macro-related shift in our business mix to more upsell and cross-sell versus new business. Before turning to expense items and profitability, I'll point out that I'll be discussing non-GAAP results unless otherwise noted. Looking at operating expenses, total operating expenses for the quarter were lower than expected.

The better-than-expected profitability is due to the combination of revenue overperformance and our continued focus on spend efficiency measures. Total headcount at the end of Q3 slightly increased sequentially to approximately 5,900. Q3 free cash flow was a record $150 million, yielding a free cash flow margin of 26%. Free cash flow was significantly better than expected, driven by billings and strong collections. During the third quarter, we opportunistically repurchased $150 million of our 2026 convertible debt notes. This resulted in an $18 million GAAP-only gain. Over the past three quarters, we've repurchased $900 million of debt, resulting in a $91 million GAAP-only gain. We will continue to regularly evaluate our capital structure and capital allocation priorities. Our balance sheet remains strong, anchored by $2.13 billion in cash, cash equivalents, and short-term investments.

Our cash, cash equivalents, and short-term investments position, net of remaining convertible debt, is $820 million. Now, let's turn to our business outlook for Q4 and FY 2024, and a preliminary look at FY 2025. As always, we take a prudent approach to forward guidance. We are factoring in a stable but still challenging macro environment. We're also factoring in the recent security incident. For the fourth quarter of FY 2024, we expect total revenue of $585 million-$587 million, representing growth of 15%. Current RPO of $1.875 billion-$1.880 billion, representing growth of 11%-12%.

Non-GAAP operating income of $102 million-$104 million, which yields a non-GAAP operating margin of 17%-18%. And non-GAAP diluted net income per share of $0.50-$0.51, assuming diluted weighted average shares outstanding of 180 million. For FY 2024, we are raising our revenue outlook by $30 million at the high end of the range. We now expect revenue of $2.243 billion-$2.245 billion, representing growth of 21%. We are raising our outlook for non-GAAP operating income by $65 million at the high end to $283 million-$285 million, which yields a non-GAAP operating margin of 13%.

Non-GAAP diluted net income per share is raised to $1.47-$1.48, assuming diluted weighted average shares outstanding of 179 million. We are raising our free cash flow margin outlook for FY 2024 to 19% from 15% previously. On a dollar basis, that's a raise of over $90 million and sets us up to close the year achieving the Rule of 40. While we are still in the early phases of financial planning, we would like to provide a preliminary view of FY 2025. I'll reiterate that we are prudently factoring in a stable but challenging macro environment, as well as potential impacts from the recent security incident. We continue to focus on expense control and estimated non-GAAP operating margin of approximately 17%. We're also targeting free cash flow margin to be at least 19%.

From a revenue perspective, we estimate total revenue to be in the range of $2.460 billion-$2.470 billion, or growth of approximately 10%. We are applying a static 26% non-GAAP effective tax rate for FY 2024 and FY 2025. To wrap things up, we are confident that we've set the path of profitable growth for years to come. We continue to focus on initiatives to drive the top line, while making significant progress to drive improvements to our operating and cash flow margins. With that, I'll turn it back over to Dave for Q&A. Dave?

Dave Gennarelli (SVP of Investor Relations)

Thanks, Brett. I see that there are quite a few hands raised already, so I'll take them in order. In the interest of time, please limit yourself to one question so that we can get to everyone, and then you're welcome to queue back up for additional questions. With that, we'll go to Brian Essex at JPMorgan.

Brian Essex (Executive Director and U.S. Software Equity Research Analyst)

Great. Thank you, and thanks for taking my question. You know, I guess I'll start off with the easy one, and that's the preliminary fiscal 2025 outlook. And I just want to ask you in the context of, I guess, taking into consideration two issues in particular. One would be the impact, as you guys alluded to, of the most recent breach on your pipeline, close rates, customer relationships. And the other would be, I guess, the need for you to improve your relationship with channel partners in order to drive better growth.

So with regard to that preliminary outlook, how should we think about assumptions baked in, baked into that outlook, particularly as it relates to traction or churn with customers and contribution from partners considering these issues? And where in the spectrum of guidance being "kitchen sink," do we consider this forecast to be?

Todd McKinnon (CEO and Co-Founder)

Hey, Brian, thanks for the question, and thanks for jumping on the release this morning early before the market. That was a little bit atypical given the situations of the customer advisory, but we appreciate you covering it and everyone else that covered it as well. We know it's extra, you know, something you weren't planning for, so we appreciate it. I'll comment just on the business strategy behind the guidance.

First of all, I think that might be helpful. It's very important, and it's very clear to everyone at Okta that security is the top priority. We've prioritized security at some level over the years, and, you know, it's been balanced with other priorities, growth, new product development, and various things to run the business. And those efforts, I'm simplifying a little bit, but often have gone into product security, infrastructure, making sure that was, you know, very, very solid.

We know now that, you know, that's not good enough. We have to do more. We know that Okta is, you know, one of the most targeted companies in the world because of the leadership position we have in this important market of identity access management, and that makes us a, you know, along with other cybersecurity companies, extremely targeted and relentlessly attacked. We have to raise our game to be able to defend ourselves and our customers against those attacks. We're really upping the level of priority, and it's very clear to everyone at Okta that, at the end, for the end of this year and going into next year, that the number one priority is securing Okta and securing our customers, full stop. Everything else is prioritized after that.

And the second most, you know, the number two priority is, after security, is, is growth and profitable growth, profit- profitably growing the business. And I think you, you see that reflected in the business strategy in terms of the direction we're giving teams, that we have a 90-day, all-hands-on-deck in terms of focusing on bottoms-up, ideas and security efforts across the company, getting help from outside industry experts, tops-down, to bolster our own experts. We've done this in various degrees over the years, but we're really aggressively doing more of this to get all the best minds and best input on these opportunities and problems for us. We're making sure that it's a, it's not just a, a one-year or one-quarter change, it's a, it's really a, a continued accelerated evolution of our cultural change to really being.

Having the culture of one of the most secure companies in the world. Remember, Okta started as a. It was our focus enabling technology and, and making it easy to adopt the cloud. It wasn't necessarily started 15 years ago as a cyber company. Now, that changed a few years into the company, and it's very clear to us now that, and it has been for the last few years, that the bar is the most secure company in the world, full stop. And so that's the number one priority, and that's what we're focused on. And then part of that, of course, is kind of the last pillar that we're really focused on now, which is making sure the products themselves, as customers use them, the actual security use cases on those products are prioritized incredibly highly.

A great example of that is making sure that when we think about managing access to privileged resources, we with our new privileged access management product, making sure we prioritize and make it work great with our own Okta administration console, because attackers are going after that because that's such a valuable target. So it's a wholesale, clear communication to customers, and to employees, and to partners, and investors that security is the top priority, full stop. And we will stop at nothing to make sure we become one of the most secure companies in the world, because it's kind of clear to everyone that we're short of where we need to be now, and we will fix that.

Brett Tighe (CFO)

I'll just add a couple of comments there, Brian. Thanks for not... One, nice to see you. Thanks for the question, but,

Brian Essex (Executive Director and U.S. Software Equity Research Analyst)

You too

Brett Tighe (CFO)

in terms of the guidance philosophy, really no difference from what we've done before. You know, I think we all know for years now, we give this early look, it's a prudent look. We've got five quarters ago, we've got a big Q4 ahead of us. And so, you know, we're factoring in two major factors, like I said, a few minutes ago, which is, you know, around the macro and then also around the security incident, and making sure we're being prudent about the guidance at this point, given, you know, how far out we are from the end of FY 2025.

Todd McKinnon (CEO and Co-Founder)

You asked a question, too, Brian, about the channel partners. I think that's a continued thread and a continuation of what we've been doing this year with our enhanced partner program, and clarifying the partners we're working with, and investing on the ones that are really moving the needles, the things you've heard us talk about in previous calls. That's an ongoing thing, and we're continuing to execute on that and seeing benefits from that in the business.

Brian Essex (Executive Director and U.S. Software Equity Research Analyst)

Do you have the pipeline internally to hit that number without incremental improvement and partner contribution? Or, you know, how confident you are that-

Todd McKinnon (CEO and Co-Founder)

We're very happy with where the pipeline is.

Brett Tighe (CFO)

Yeah, we're confident in what we've given you guys today. Like I said, no change in the guidance philosophy.

Brian Essex (Executive Director and U.S. Software Equity Research Analyst)

Yeah. Thank you.

Dave Gennarelli (SVP of Investor Relations)

No problem. Let's go to Rob Owens at Piper.

Rob Owens (Senior Research Analyst)

Great. Thanks for taking my question. I appreciate the transparency and disclosure around the breach and realizing these things can take on a life of their own, as time passes. But I was curious more so what you're doing for customers to assuage concerns around the breach itself, aside from pushing out some launch dates here, and any proactive steps that you're taking to help future retention? Thanks.

Todd McKinnon (CEO and Co-Founder)

Yeah, I've had, you know, many, many conversations with customers over the last few weeks, as you can imagine, and the reactions vary. Some are from, you know, "Thanks for the update, we appreciate the communication," to the other extreme, which is, you know, a lot of frustration and concern. The common thread or the common theme is that we're incredibly important to our customers, and they're relying on us for their critical infrastructure of their customer identity or their workforce identity, so it really matters. And the first thing they want to know is that, do we know how important this is? And are we taking these things seriously, or do we have the right plan in place to react to these things and get better going forward? And the...

When I talk to them, the themes that resonate are really, you know, clear priority, comprehensive look at all the threats and all the opportunities across product and infrastructure, making sure the cultural tone from the top is set appropriately. And I can do that in a way no one else in the company can do, so I'm very clear about that. And then the last thing I talked about before is how the products can help them be more secure, because this all is about the foundation for their security, and once that foundation is solid, then they can use our products to be, you know, to further enhance their own security. So I think to your specific question about what we're doing specifically, I think it's part of it is being open and transparent.

One of the reasons why we thought this most recent disclosure, the one we did yesterday and then publicly this morning, is that when we talk to customers, the number one thing they want is transparency. And they wanna know, as soon as possible, what is the risk increase, what are the threats? And our commitment as on our journey to be one of the most secure companies in the world, is to make sure we fulfill that commitment and make sure we're open and transparent, and disclose all the information we have. So, I know it seems a little strange right now, but in some ways, what we did yesterday and today are executing on this plan and this commitment we've made to them.

And then I think there's many more things we can do in terms of just making sure customers understand what happened and what we're doing about it, and you'll see us do more about these things toward these communication efforts, going forward. But at the end of the day, you know, one of my conversations was with a CISO of a large manufacturing company that's been, you know, heavily adopted on Okta. And he and this is common to how these things go. He said, "You know, Todd, you, you are the position you are in the ecosystem, the industry, you are one of the most attacked and focused on from an adversarial perspective, companies in the world.

We know that if you take this as seriously as you're saying you do, and you have these plans and these priorities in place to make sure you're one of the most secure companies in the world, that's, that's gonna be, you know, more than enough for what we need, because you're gonna be attacked way more than we ever will. And so, I think they, they see it as once we communicate the details, and once they can understand our plans and our priority, and our focus, they come away with more comfort. But again, at the end of the day, what they really want is no issues like this, and that's, and that's ultimately our goal, to try to prevent these whenever possible.

Rob Owens (Senior Research Analyst)

Thanks for the color, Todd.

Dave Gennarelli (SVP of Investor Relations)

Yeah. Let's go to Adam Tindall at Raymond James.

Adam Tindall (Managing Director and Senior Equity Analyst)

Thanks, Dave. Hey, Todd, I wanted to ask a little bit more about the renewal process in light of the security incident. Brett mentioned that contract duration continues to shorten, so the thought would be the renewal process is likely happening more frequently moving forward. Wonder what kind of processes you have in place to retain customers, and any ideas that Jon brings to the CRO role to this process? Brett, if you could just touch on the assumptions on gross retention and NRR embedded. I know you're factoring in the security incident, but I would imagine that's where it's gonna hit the most. So that would be really helpful to understand what the assumptions embedded are. Thanks.

Todd McKinnon (CEO and Co-Founder)

The renewals process and the execution of that is something where it's a very mature part of our company, and we're very good at it. I think it leads to our, as we've talked about several times, the gross retention in the mid-90s, a healthy level. And it's a strong muscle we have. Contract durations, as Brett mentioned, have been shortening. I think it's, you know, they're still, on average, two and a half years. And the reason they're shortening is, you know, this started happening during some of the more economic slowdowns last year. You know, it's just, I think across the board, people are not signing up for as much as they in terms of length of subscription, as they wanted to.

So I think that the renewals conversation will continue to be addressed effectively by our existing motion, that we don't need some kind of new motion or some sort of new conversation. I think it comes down to making sure that the adoption of the product is high, which we're very good at getting our products adopted, and making sure that the value is being delivered and that the price they're being charged for is fair. So there'll definitely be some... As we just communicate to customers about our prioritization of security and our focus on it, and our execution across that plan, that'll be funneled down to the renewals team as well. But I don't see any big changes to the overall renewal motion because of this.

Brett Tighe (CFO)

Yeah. I can also add onto that, Adam. Thank you for the question. So first, on the contract duration, just to be clear, there's been a general shortening of contracts to what Todd was talking about, but part of the reason is actually the success we've had in public sector, which typically is only a one-year contract. So that business doing well is gonna put a headwind on our contract duration, so I guess that's a good issue to have in terms of contract duration. So, in terms of what we baked into the guidance for, you know, specifically NRR, or net retention rate, or gross retention rate in FY 2025, we haven't gotten to that level of detail, given we're so early in the planning process.

But what I would say is, we do believe, you know, both the macro puts a headwind on growth, and also the security incident. And so where each of them comes through, I mean, macro, you know, we've talked about new business, seat expansions being impacted there. From the security incident perspective, we think growth is impacted. I can't give you exactly, you know, is it more upsell or is it more gross retention in terms of FY 2025? But what I can tell you is, in terms of FY 2024, like we've talked about in the past, we did expect that number to tick down. Net retention is going to tick down throughout the balance of this fiscal year.

You know, we had a nice quarter in Q3, 115%, flat with Q2, so we do still expect it to drop in Q4 based on those macro headwinds we've talked about with seat expansions. But that hopefully helps you with a little bit more detail on how we're thinking about, you know, FY 2025, as well as that net retention rate in the very near term, next quarter.

Next, go to Rudy Kessinger at D.A. Davidson.

Rudy Kessinger (Managing Director and Senior Equity Research Analyst)

Great. Thanks for taking my question and appreciate the candor as it relates to the breach. Todd, at Oktane, it seemed pretty clear that, you know, you were hinting that you guys were close to hiring a new president of worldwide field operations or head of sales. And today, I know you're closing that search. You're moving Jon into the permanent role. So I guess I've just a couple clarifications. Did the breach impact your ability to land a new head of sales at all? And secondly, just understanding the current structure, is Jon gonna be taking on both the Head of Sales and Chief Revenue Officer roles, or will you be remaining, I guess, the Head of Sales for the time being?

Todd McKinnon (CEO and Co-Founder)

Yeah, thanks for, thanks for asking for clarification. On the previous question, I forgot to answer the part about John. The decision for the go-to-market structure was finalized before October 20th, so it was finalized in early October. So it had nothing to do with the security incident. I think since the search started in January of this year, late January, the timeline on it was, we were gonna make a decision to finalize things by October, and we hit our timeline. So we didn't want to have an interim structure going into planning for FY 2025, so the goal was to finish it by the end of October.

I can't remember exactly the order of operations in terms of when the final decision was made versus when I made those comments, but what I knew at the time for sure is that we were gonna finalize one of our finalist candidates, and John being one of those finalist candidates, we were gonna finalize it soon and be ready to roll on our original schedule, which was, like I said, to wrap it up in October. The decision came down to a few things. One is that I think that John is... I talked to dozens and dozens of candidates, and interviewed, and looked everywhere, and different levels of experience and backgrounds, and every person I talked to, the person doing the job was outperforming them. John was doing a great job.

I was with him in customer meetings around the world. I was, more importantly, talking about strategy going forward and understanding his strategic vision and his familiarity with the market and areas around the world, and with the product segments and the identity industry, and he would just really shine brightly. It's like the, you know, the nine-month job interview, and it really—it kind of made it hard for other candidates to compare. And I think, so once I made the decision that he was the right guy to be the Chief Revenue Officer, I also made the decision that I really liked the current structure of business operations under Eugenio, Eugenio as the President of Business Operations, Global Business Operations.

The marketing function under one of our strongest operational executives, Eric Kelleher, and then Jon running sales and pre-sales and partners reporting directly to me. So basically, the flatter organizational structure where I have direct the business operations, customer success, chief customer officer, marketing, and then chief revenue reporting directly to me, was the best thing for us going forward. So it was really two decisions. It was: Who's the best Chief Revenue Officer in the world? And then, do we need that extra layer of a president? And the best thing for Okta for the future is to finish out the search for president and have these talented, capable people in place to drive us forward.

Dave Gennarelli (SVP of Investor Relations)

Great. Let's go to Hamza at Morgan Stanley.

Hamza Fodderwala (Executive Director and Senior Equity Analyst)

Hi, thanks for taking my question. Todd, on a high level, could you speak to the switching costs of your products? And based on your very early conversations, would you anticipate, you know, some customer churn as a result of this incident?

Todd McKinnon (CEO and Co-Founder)

I think the switching costs vary, and it's one of the great things about both the customer identity products and the workforce identity products are that you can... They're very flexible. You can implement them very quickly and easily, and then you can also implement them in a way that's quite comprehensive and connected to everything and very complete and cover every technology and every resource in the customer's environment. So the switching costs vary. I mean, there are companies that have a relatively light implementation, and the switching costs are pretty low, and then there are implementations that are very deep and broad and lots of custom integrations and so forth, and the switching costs are higher. So I think it varies.

I don't, I think there's various reasons why people switch off, and I think it's pretty hard, and it's always in the customers that are, you know, less likely adopted and have lower switching costs, which seems pretty obvious, but that's true. And I think that, you know, I think we've seen some people switching off, you know, for various reasons. Sometimes it's, you know, like, like we've said, our gross retention is mid-90s%, but so that means, by definition, there's some percentage that are switching off. Various reasons for doing that. And I think, at the end of the day, it's gonna be hard to directly ascribe it to one thing.

So I think we're just trying to make customers successful and provide huge value in the products and our strategy of a converged platform on the workforce side and covering every identity use case with customer and workforce. And, you know, we have, I think, prudent assumptions in the forward guide about what is baking in security incident or baking in macro. We're comfortable with that guidance and we're gonna go out there and execute our plan, and I think it's gonna be... In the long term, we're gonna show a lot of success and deliver a lot of value to customers, and that's gonna drive success across the board.

Hamza Fodderwala (Executive Director and Senior Equity Analyst)

Thank you.

Dave Gennarelli (SVP of Investor Relations)

Go to Joe Gallo at Jefferies.

Joe Gallo (SVP)

Hey, guys. Thanks for the question. Impressive margin performance this quarter and guidance next year. Can you just further unpack the drivers of leverage there, and then just talk through whether that inhibits the growth algo at all? And then just maybe whether, you know, does how you think about longer-term growth, do these margins kind of reflect a new reality of potentially a lower long-term sustainable growth? Thanks.

Brett Tighe (CFO)

Thanks, Joe. Nice to see you. So, in terms of the how we're achieving this, this is really something we've been working on for, probably about 18 months at this point. I don't know if you remember, last year, we started this, you know, cost structure efficiency, whether it be from, you know, moving headcount to lower-cost regions or rationalizing software or rationalizing real estate. It's been a long time, a long-time effort for us to be able to really set up this structure, to be able to deliver these types of margins. I'm really excited, that actually we can talk about Rule of 40 this year, because that's how we look at the business and manage the business and, you know, kind of think about it from a, you know, the lens of growth versus profitability.

But ultimately, all this hard work is allowing us to offer up and guide with confidence these margins that you see in the FY 2025 guidance. You know, 17% non-GAAP operating margin, at least 19% free cash flow margin. And so, you know, that's a really good shift for us. We've set up that structure to be able to drive that efficiency, drive the leverage in the business. And, you know, as far as, you know, growth versus, you know, margin, we're always gonna balance the two and ultimately look to balance the two.

So I can't give you anything beyond FY 2025, but we're always gonna manage the business through that lens of the rule of 40, something we're very proud of, that we feel we can achieve this year. We'll always target as we move forward into FY 2025 and beyond. It's something we really kind of pride ourselves on doing overall.

Joe Gallo (SVP)

Thank you.

Dave Gennarelli (SVP of Investor Relations)

Next up, we're actually gonna go to Madeline Brooks at BofA. She got knocked out of the queue, and we're putting her back in the spot here.

Madeline Brooks (Senior Research Analyst, VP, and Software Equity Research)

Thanks so much, Dave. Appreciate it. And just appreciate the transparency of your remarks. I know a few people have said that, but just really want to emphasize that. So the question is, you know, if I, if I look at what happened this quarter, my quick math implies that roughly 99% of net new cRPO came from the existing base. And it's a two-parter. Across peers, as numbers begin to kind of turn positive again, with contribution from net new customers increasing post-macro. So the first part is, why do you think the trend in your numbers is different than other cyber peers?

And the second part is, is there any concern that heading into next year, the existing customer base will already be saturated, leaving less room for upside, especially with this 90-day push out of new products and that potential headwind from the new bids, given the recent security event?

Brett Tighe (CFO)

Sorry, Madeline, you broke up a little bit on me, but I think you were saying the mix on cRPO was related more to, upsell versus new business. Is that-

Todd McKinnon (CEO and Co-Founder)

She said, she said she calculated 90% of the cRPO came from existing customers.

Brett Tighe (CFO)

Yeah, okay. Yeah, that, I can't say that I have that number at hand, Madeline, but what I will say is, as we've talked about in the past, you know, our mix of business has shifted more toward upsells. We believe that's related directly to the macro side of the house, you know, really putting pressure on new business. And so I think that's why you're seeing those numbers. I think we had a nice quarter from a new customer adds.

Net, net, adds was up 400. You heard Todd talk about the million-dollar customers. Greater than 100K customers had a nice addition as well, an increase, you know, sequentially versus Q2. So we, you know, we do see new business helping us out, but we do see a headwind there due to the macro headwinds that, although have stabilized, still are a headwind to our growth in the business.

Todd McKinnon (CEO and Co-Founder)

Yeah, and one thing I can add there, hopefully it's helpful, is the new products. We have, you know, with... We have three amazing products to sell our existing customers. I mean, some customers have customer identity, but we still have a lot of customers to sell customer identity to. And then we have many, many customers to sell Okta Identity Governance to. That thing is just starting to roll. It's had some early success, but, you know, it's been GA a little over a year now, starting to get a ton of traction. We had a couple of really important deals, with one I mentioned in my comments that we posted to the site was a global pharmaceutical company had a big OIG upsell, and then the new GA of PAM.

So I don't think we have a ton of new products from the pipeline to sell our customers, and that's what we're making sure we operationalize those newer products and execute well on selling those. And I think, you know, the 90-day delay on some of the new products could potentially be impactful at some point, but we're not short of products for FY 2024, for sure. Or sorry, FY 2025, for sure.

Madeline Brooks (Senior Research Analyst, VP, and Software Equity Research)

Got it. Thanks so much.

Dave Gennarelli (SVP of Investor Relations)

Yeah, let's go to Eric Heath at KeyBanc.

Eric Heath (VP and Equity Research Analyst)

Hey, Dave. Thank you. So Todd, it's great to see PAM's getting rolled out this week. I guess kind of two parts to the PAM, PAM opportunity. So one, just what learnings can you draw from OIG to relay that into some similar early success into PAM? Number one, and then number two, just given PAM can be used to protect a customer's own Okta environment, is this something that you could potentially make available to customers at no extra charge, just as it relates to protecting their own Okta environment?

Todd McKinnon (CEO and Co-Founder)

I think there's... We're really excited about Privileged Access, and I think the biggest, I think there's a couple lessons from OIG that are just, I would call them, independent of any product area, so just new product introductions across the board. Things like best practices to when to enable broadly, when to enable different segments of the market. Like, one of the learnings from OIG was that, you know, it's having much more success in larger enterprises than we expected. And so I think we'll, we'll roll that learning to PAM, and we'll enable the larger enterprise sellers sooner than we, we did with OIG, 'cause we anticipate that it could have the same phenomenon and exceed our expectations in, in larger enterprise.

Another interesting phenomenon from OIG was that OIG has exceeded our expectations in, kind of, call them brownfield environments, where they already have an existing governance solution. So we'll bring those learnings to the PAM product as well. On the product direction, one area that is, you know, through the early access phase and now that we move into GA, one of the learnings on the product directions is that customers- the product's main focus has been through the early access, has been on servers, so Linux and Windows servers, Kubernetes clusters, managing access to these things, these kind of infrastructure-type resources. Customers find a lot of value in having us manage the privileged accounts in SaaS apps.

So we're connected to Salesforce, we're connected to Workday, we're connected to GitHub, manage the privileged accounts in there. So that's an exciting direction, as you mentioned, you know, what is one of the most critical, privileged account systems in the world? It's Okta Admin Console. So we're exploring ideas to better integrate that, and that's gonna be a big focus. And your idea about offering it for free to every Okta customer is a very interesting one, and this might be the first time ever I've taken product input on an earnings call, but I do take it.

Dave Gennarelli (SVP of Investor Relations)

Great. Next, let's go to Gray Powell at BTIG.

Gray Powell (Managing Director and Security and Infrastructure Software Analyst)

Okay, great. Thanks for taking the questions. So yeah, I guess, kind of a modeling question here. Normally I would expect sequential growth in CRPO in Q3 to be at a similar level to that of what you've seen in Q2. At least that's what you've seen the last couple of years. This year you added $54 million in net new CRPO. Last quarter you added $71 million. So I know this is kind of rough, but, like, is it safe to say that the main difference there was the breach happening with, like, 10 or 11 days left in the quarter, and then customers just taking a pause? Or is there something else that I should be thinking of?

Then the other part of the question would be as we think of Q4 trends, like, how much of a hangover is there? How much should we expect the lingering impact of the breach to be on conversations with customers?

Brett Tighe (CFO)

Yeah. Thanks, Gray. So from a sequential perspective, I think I wouldn't do that math in terms of backing into the impact associated with the incident. I would more think about renewals timing. That can have a heavy impact on CRPO quarter to quarter. So, you know, we feel we had a really nice quarter in terms of Q3, you know, growing 16%, you know, $1.83 billion in current RPO. So yeah, I wouldn't read too much detail into that. In terms of Q4, all of it's baked in, all of what we think the potential impact is associated with the security incident, that is in the guidance that we've given you here today, you know, 11%-12% and, you know, $1.88 billion at the top end of the range. Yeah, that's, that's kinda how we think about things.

Gray Powell (Managing Director and Security and Infrastructure Software Analyst)

All right. Fair enough. Thank you.

Brett Tighe (CFO)

No problem.

Dave Gennarelli (SVP of Investor Relations)

Go to Peter Weed at Bernstein.

Peter Weed (Director, Senior Analyst, and SMID-Cap Software and Emerging Tech)

Thank you. You know, it looks like, you know, the change in your anticipated growth in quarter four, you know, came down, you know, relative to what you implied last quarter, you know, by almost 3 percentage points. And, you know, I think you've said that this is the impact of the outage. Is that experiential? In other words, like, there are some things that you've already seen occur, that are leading you to believe that you will, you know, definitely see that. And is that, you know, turning up in customers that are kind of showing that they're gonna leave? Is that, you know, people are, you know, failing to upgrade, you know, at the pace that they had been, before? Is that, you know, it's harder to win new customers, so you anticipate...

You know, you had a really nice quarter actually, you know, getting new customers, you know, sequentially up. You know, do you anticipate that to take a dive? I'm trying to figure out, like, where that shows up kind of in the stack of where you would've normally thought that kind of sequential growth quarter-over-quarter that seems to have been kind of eliminated, as a result of the outage or not the outage.

Brett Tighe (CFO)

Yeah, the, the incident. So, you know, if, if you look at every quarter, Peter, there's always deals that push from quarter to quarter. It's just a natural part of our business. We saw an elevated level of that, and we ascribe that, that potentially could be related to, to the security incident, so we're taking that into our guidance when we think about Q4 and, and, thinking about it from a prudent perspective, especially given how big the number can be in Q4, and, and, you know, setting the trajectory for fiscal year 2025. So that's how we're thinking about things.

Peter Weed (Director, Senior Analyst, and SMID-Cap Software and Emerging Tech)

So it's actually more just... There are deals that stayed in the pipeline, but you just anticipate they may push out of this quarter into the next quarter.

Brett Tighe (CFO)

Yeah, I mean, we did see-

Peter Weed (Director, Senior Analyst, and SMID-Cap Software and Emerging Tech)

Already from Q3 into Q4, wouldn't that, like, give you deals that would be closing in this quarter that should plug some of that gap? So you'd have to really push out a lot of deals out of Q4 and to Q1 at that point.

Brett Tighe (CFO)

Yeah, and you're right. We actually have already seen some of those deals close in Q4, which is a good sign, but we're being prudent given the environment out there today, given both the macro and the impact associated with the security incident, so we're just being thoughtful.

Todd McKinnon (CEO and Co-Founder)

Yeah, I mean, if you think about the chronology of it, it's 11 days left in the quarter, and then, you know, we're only, you know, just a month into the fourth quarter. So, in terms of the window to see the impact, we're a little bit limited on a window to see the impact, so I think that drives some of the pragmatism in the guide.

Dave Gennarelli (SVP of Investor Relations)

Yep. All right, let's go to Adam Borg at Stifel.

Adam Borg (Managing Director)

Awesome. Thanks so much for the question. Maybe a bigger picture question here. So international is still about 20%-21% of the mix, and just given the size of the company, just seems like there's a lot of international opportunity ahead. So just as you think about the channel investments, and you think about the new CRO and CMO in place, what are the thoughts about kind of accelerating opportunity in the international theater, to potentially help accelerate growth? Thanks.

Todd McKinnon (CEO and Co-Founder)

I think it's a big opportunity. I do think from a macro perspective, in terms of the stabilized macro, but still a challenging macro, I think the macro impact internationally has probably been more pronounced from my observation than in North America, over the last year or so. We also have, in terms of the interim to permanent CRO with John, that also gives us the opportunity to backfill John as the General Manager of Europe, and we have some candidates in the late-stage pipeline for that, so that's more leadership stability internationally.

Couple that with a great leadership team in Asia Pacific, which is performing well, you have a really good opportunity for a solid performance internationally, which has to be an important part of our future if you just look at the numbers. The market is half the market's probably outside the U.S. over time in terms of identity management, using rough numbers, and so over the next five to 10 years, we're gonna make sure we get that mix higher than it is now in terms of a percentage of revenue.

Brett Tighe (CFO)

And I'd also add, just John being an international person himself, like, he brings that lens, right? And so we're really excited about that, and the opportunity out in front of us, 'cause I agree with Todd, we've got a lot of opportunity internationally.

Adam Borg (Managing Director)

Awesome. Thanks so much.

Okay, next up is Matt Hedberg at RBC.

Matt Hedberg (Managing Director and Software Research Analyst)

Great. Todd, a product question. You know, in your prepared remarks, you noted you're pleasantly surprised, I think, by the size of organizations adopting your identity governance product. You know, I think a year ago, that probably would've surprised a lot of us. I think we would've thought maybe some of the traction would've been from smaller organizations or mid-sized organizations. So I guess-

Yeah, maybe, you know, why the success upmarket, do you think, at this point? And then, you know, Brett, when you think about, you know, the impact to from governance in your 2025 outlook, I assume you're taking a very modest approach, but just thoughts on how you're thinking about that product next year.

Todd McKinnon (CEO and Co-Founder)

I just think that large organizations have—it's, there's a lot of complexity, and I think maybe we underestimated the ability. I think we looked at some of these large, larger organizations and what they were doing with the existing governance solutions, and we assumed that they were—these solutions were covering the SaaS, the Oracle apps, the legacy apps, and assuming that they would also be covering all the cloud stuff and all the new stuff. I think that assumption is just proving to be maybe not as accurate as we thought. I think a lot of these legacy products aren't covering where the center of gravity is moving, which is cloud-centric application workloads and cloud infrastructure. And, so the product is, you know, a better fit for these large companies than we thought.

I think also just our overall the last, you know, call it five or six quarters when the macro environment changed, you're just seeing, you know, more success for Okta in the bigger companies. So I think it's, I think OIG has a big future in, you know, mid-enterprise and SMB, but I think that segment is just the slower segment right now, so we're not seeing the attaches with OIG there that we could over time. So I think you're it looks better because more people are have the problem and are finding value from it in the large enterprise.

And also, large enterprise is just doing so well, with 40% growth in that cohort, both in ACV of those deals and in customer count of those deals in Q3. I think attaching OIG to, there's more opportunities to attach there, relative to the entire business, so I think that's influencing the perception as well.

Brett Tighe (CFO)

Yeah, and I would add, you know, although we're very excited about the progress so far, Matt, I mean, yes, we are being modest with our expectations in the guidance we've given you here today. One thing that I know you guys have asked in the past is how much. And we've told you, you know, we keep telling you we're gonna update you every time we get a new number, but that third of workforce spend being IGA continues to hold steady through the end of Q3. So that's the number we've given you in the past, and it continues to be that. So the upsell associated with it is significant, and we're very pleased with how things are going, just like Todd said.

Dave Gennarelli (SVP of Investor Relations)

Great. Next up, Jonathan Ho, William Blair.

Jonathan Ho (Partner)

Hi, good afternoon. With regards to the breach, can you give us a little bit more detail on maybe what's still left in the third-party validation and investigation? And how confident are you that, you know, this is going to be the last finding that comes out of this investigation? Thank you.

Todd McKinnon (CEO and Co-Founder)

Yeah, it's a great question, Jonathan. When in my many, many conversations with customers, this comes up like, speed of disclosure, and they wanna know all the information as fast as possible, and why does disclosure take time, and what else is left to disclose, et cetera. So it is on everyone's mind, obviously. I think the general philosophy we're taking is that we're trying to disclose as much as we know as quickly as possible. I think a couple weeks after, a couple weeks after the incident, when we had our first disclosure, we disclosed everything we knew at the time, and we just kept looking. Like, you know, you're talking about the log files from our support system were quite voluminous, and the team went over them click by click, row by row, line by line.

Kinda took a first pass and looked at all the things they thought were incredibly sensitive and took a quick run of some of these reports and found that it wasn't much interesting data. And then published the first RCA and remediation steps, and then, you know, like a good security company would, kept looking and kept digging and made sure we had everything covered and found more. And we were more thorough about these reports and ran them completely and saw the data that was there, made the decision to do a further disclosure based on risk of phishing, like we've, well, like we've outlined. And so I think the way I characterize it is now our internal team has gone over it many, many times, and our internal investigation is done.

Like, we don't think there's anything else productively we can look at. We've worked with the vendor and got supplemental logs, we've combed through it, we've done everything, you know, 3, 4, or 5x to check it. But we're still wanna make sure we cover all the bases, so we brought in this firm that is started a couple weeks ago, and they're looking at it. I think we, we're doing it obviously to be very thorough and clear. I think it's a relatively low priority that they'll find anything additionally, but we'll have to wait and see in mid-December when they're done with their analysis.

Dave Gennarelli (SVP of Investor Relations)

Okay, I'd like to welcome back Fatima Boolani from Citi.

Fatima Boolani (Co Head US Software Equity Research and Managing Director)

Thank you. I appreciate the question. Todd, you were very categorical about securing Okta, so your customers are secure as being the number one priority. So the question for you is, is that a people process or technology, or maybe all of the above conversation? And then maybe to Brett, it's not immediately apparent in your margin guidance that you're going to be taking and making these investments. So can you just sort of help us understand and kind of what envelope a lot of this upleveling and reinforcing of your internal security architecture, what shape or form is that gonna take?

Todd McKinnon (CEO and Co-Founder)

Yeah, it's a super insightful question, Fatima. It's, and as you guessed, it's all of the above, and I think we, the program internally is called Program Bedrock, Building the Bedrock Foundation, and it has four pillars. I'll call them pillars. The first one is, there's just bottoms up get all the ideas on the table of everything we know that the team thinks would be great ideas to make us the most secure company in the world. And like a good example of something from this pillar is, like this thing that we're advising customers to do with the latest notification around having MFA for all administrator accounts, that really should be required. There, there shouldn't be an option to not.

Again, over the years, we, we in some cases, made the choice for convenience and, speed of implementation or frictionless adoption instead of security. But as we march toward being the most, or one of the most secure companies in the world, that's gonna change. So we have to make that required and gotta work through that. Because there's a reason sometimes customers don't have MFA required. Maybe it's a service account, maybe there's a specific workflow, but, you know, everyone, as we do this bottoms-up effort, it's like a lot of good ideas on how we can make that better.

And that, and that whole bucket of bottoms up, we have a lot of awesome, smart people on the team that have the time and space now to let those ideas come out, and they're gonna- we're gonna have time and space to implement them as well. So that's the bottoms-up track. The second track is really call it tops-down, which is, making sure from an internal security architecture perspective, specifically in overall business operations and IT operations, as, you know, inclusive of obviously product and infrastructure. But, getting the top experts in the world and to give us their opinion on how we should be architecting our- this part of our security posture and architecture.

And there's people that do this for the most secure companies in the world, and we wanna take those experts and combine them with our experts internally to make sure we have the best security blueprint from an architectural perspective. So we have bottoms up, we have tops down, and then the third pillar is really cultural, and that starts with me and the leadership team, in setting this clear priority and setting the expectation that we are gonna be the most secure companies in the world.

You know, our goal is to be one of the most secure companies in the world, and we're gonna prioritize that, number one. When you think about executing well, it can be pretty straightforward. You know, it's like you have to make sure you have a clear vision. We wanna be one of the most secure companies in the world. We want to, you gotta set clear priority and get the right amount of resources on it, and that kinda sets up this cultural component to be successful.

And then the last one, I think I mentioned before, is in the product. We have to make sure that the products themselves are beyond just being valuable and powerful for our customers. They have to be built in a way that ensures the security of our customers as well. And the best example for this is, after the notification of this incident in October, we quickly implemented this feature, which actually cryptographically binds an administrator console session to a specific network. So this is the kind of thing that you know, is very valuable for customers and keeps them secure.

As we think about it more and go through the entire product, architecture, and overview, there's many more of these things that can put us closer to being, from a product perspective and products that protect our customers and their use of it and their deployments of it, the most secure company in the world, and that's the fourth pillar. So it's quite comprehensive. I think the 90-day focus gives everyone space and clarity to have no confusion about this being the priority.

I think after 90 days, what you'll see is you'll obviously, these kind of efforts have they've been going on in some shape or form for many years, and they will continue after this 90 days, but right now, we just need this real clear alignment on getting ourselves closer to that goal of being the most secure company in the world.

Fatima Boolani (Co Head US Software Equity Research and Managing Director)

I appreciate that. Thank you, Todd.

Brett Tighe (CFO)

And then, for the second part of your question, Fatima, it's really, there's two things. One, we're already investing a good amount in FY 2024, so to step up in the margin, it's not like we're starting at zero. So we're investing a good amount right now. We're gonna invest more in Q4. But this is one of the benefits of the structural efficiencies that we found and driven over the last 12-18 months.

It allows us to expand the non-GAAP operating margin from 13%-17%, while also investing more into these critical areas like security. And so, we've invested a lot already, but we're gonna invest even more in FY 2025, but while also being able to balance it with the margin that you mentioned. So, it's one of those benefits of us doing what we've been working so hard on for the last 12-18 months.

Fatima Boolani (Co Head US Software Equity Research and Managing Director)

Thank you, Brett.

Brett Tighe (CFO)

No problem.

Dave Gennarelli (SVP of Investor Relations)

Okay, we're gonna try to get to a couple more. Let's go to Josh Tilton at Wolfe Research.

Josh Tilton (Director)

Hey, guys, can you hear me?

Brett Tighe (CFO)

Loud and clear, Josh.

Josh Tilton (Director)

All right, great. I wanted to clarify a previous question. Does the guidance for Q4 embed some conservatism around the recent incident because you are anticipating to see something, or because you are already seeing an impact? And then just a follow-up is, Todd, you mentioned that, you know, you spoke to customers, and they kind of understand why, as an identity provider, you guys are being targeted by hackers so much. Is that raising any questions from the customer base as to whether or not it makes sense to go all in with all of your identity needs from one provider?

Or given that you guys are the center of the security ecosystem and the number one, you know, target for hackers, does it maybe make sense to diversify some of your identity risk across a different PAM vendor and a different governance provider?

Brett Tighe (CFO)

Thank you, Josh. I'll take the first part. So anticipating is the answer, short answer, since we're running out of time, because we did see, like I said earlier, an elevated amount of pushes or deal pushes from Q3 into Q4. And so we're just anticipating that as we go through the quarter, because as a reminder to everybody, we do not have a linear bookings quarter. It is very back-end weighted, and so we're just taking into account what we saw at the end of Q3 and looking and making sure we are-... put that into our expectations for Q4.

Todd McKinnon (CEO and Co-Founder)

Yeah, and on the question on you know, getting everything from one vendor versus spreading out your risk with different vendors, I think it comes down to at the actual physical layer of how the products are implemented, how you mitigate that risk of getting everything from one vendor.

Then the second thing is, the product, there has to be a lot of value in getting it from one vendor, like in terms of decreasing risk, you know, the operational simplicity, the power of how you can secure things 'cause things are better integrated, so that's the equa- In fact, I was having this exact conversation with a customer just a few days ago about the risks and reward of consolidated around one vendor versus the, you know, spread things around, spread the risk perspective, and I think that's the- those are the variables in the equation that people think about.

Dave Gennarelli (SVP of Investor Relations)

Let's go to John DiFucci at Guggenheim.

John DiFucci (Senior Managing Director)

Thanks, Dave. So Todd, my question is a follow-up to Fatima's question. I gotta remember to try to get ahead of her, 'cause she, it's hard to follow her, but I thought that was a really good question. And thank you for all the detail you gave around that, the program Bedrock. But in the end, still, like, how long is it gonna take to get to, as you say, raise your game, to get to a point of, I don't know, you're never gonna be comfortable, but relative comfort, when you can actually sit down with a customer and tell them that you're there? You're never quite there, but you're there.

Don't... You know, listen, we worry, we worry about it every day. We don't want this to happen ever again. That's not to say it never will, but how long do you get to a point where you have that relative comfort through that?

Todd McKinnon (CEO and Co-Founder)

It's a super smart question. Super smart question. I think the... I would add color this way. This has been something we've been very focused on for several years, particularly since the Lapsus breach a couple years ago. We've been very focused on it, and actually made quite a bit of progress to make us feel comfortable about our progress toward being one of the most secure companies in the world. I think the reason for the 90-day sprint and focus are there is a calculation of I and the management team think that there are enough things that will decrease the risk at a significant level. Not that the risk is incredibly high, but there's enough things that'll decrease the risk at a significant level that we think it's worth a sprint here.

But probably more importantly, John, it's kinda cultural. It's execution requires clear priority, and nothing makes the priority clearer for everyone than a full focus and a 90-day sprint. So beyond the decrease in risk and getting us closer to this, you know, area, as you describe it, where we feel real comfortable, as we progress toward being one of the most secure companies in the world, there is just a cultural tone-setting thing, which I think is very important for customers and for investors and for employees as well.

John DiFucci (Senior Managing Director)

It's the 90 days, and then just keep, just keep going

Todd McKinnon (CEO and Co-Founder)

[audio distortion] it's not like we've never been focused on security, because we've absolutely had a huge focus on it. Like I said very, very specific and mature in the areas of the product and the infrastructure. I think we're, you know, not as mature and we haven't had the comprehensive approach on the overall IT operations and overall company operations.

But it's something we've been doing for a long time, and we're gonna have this sprint, and then we'll keep doing it for a long time after, because we have to be, you know, like I've said it many times, we have to be one of the most secure companies in the world, given the position we're playing and the critical role we fill for our customers, and that's what they expect from us, and that's what we expect from ourselves as well.

John DiFucci (Senior Managing Director)

Thank you very much. And listen, I just have to add one last thing, something I never say: actually, I think you're- you guys did a good job. I mean, this quarter, the numbers look good, and even, you know, some... Given everything that's going on, I guess, nice job.

Todd McKinnon (CEO and Co-Founder)

Yeah, appreciate it. A lot of hard work from the team.

Dave Gennarelli (SVP of Investor Relations)

Great. I know we're into overtime here. We're gonna take, Fred and then Shrenik, and we're gonna have to cut it off at that point. But, Fred Havemeyer from Macquarie, go ahead.

Fred Havemeyer (Head of US AI & Software Research)

Hey, thank you. I think many good questions have been asked. So I think, Todd, what I'd like to ask is, as we from the outside are looking at what you are doing at Okta, what sort of concrete checkpoints might we expect to see to understand what progress you're making here towards improving your overall security posture? Understanding also that no news is kind of good news with respect to data breaches. And secondly, on that one, with the upcoming SEC disclosure timeframe requirements, do you feel that you have the reporting frameworks in place to comfortably meet all of those requirements? Thank you.

Todd McKinnon (CEO and Co-Founder)

Yeah, on the second question, feel really good about that, the disclosure frameworks and so forth. Something we... I think in some ways we're the role we play in the industry and the tone and the transparency we're trying to set with customers, we have a lot of things in place that put us in good standing there in terms of our ability to execute on those disclosures. The first question you asked is, I think there's, we have a really good answer on the product visible things. We're gonna be reporting those out, like, as we would do product releases or feature capabilities. These, you know, like the two examples I mentioned are the network binding for session tokens and the required MFA.

That's gonna be published in a... So you'll see the roadmap for those things, and you'll see that thing published publicly to customers. I think the internal stuff, you know, the things that the team comes up with in terms of improving our operational security and comprehensive look at the security and taking in outside experts, we have to think more about how to, how to communicate that broadly to customers. But I think it's just as important, because not only is it just give customers confidence in how seriously and how aggressively we're taking this, but also it can help them learn.

Because every customer I talk to, they're thinking, like, "What can we learn from Okta?" Because Okta's on this journey to be one of the most secure companies in the world. I can learn from that. I think there's value in sharing that, not just from the trust perspective, but also from the learning and the helping customers, through that, through that education.

Fred Havemeyer (Head of US AI & Software Research)

Thank you.

Dave Gennarelli (SVP of Investor Relations)

Okay, last question to Shrenik Kothari at Baird.

Shrenik Kothari (Senior Research Analyst)

Hey, yeah, thanks, Todd, for taking my question, and, appreciate the transparency, Todd and Brad. Just to follow up on your point, Todd, on product security focus and customer security focus, in light of the recent hack incident, you know, the role of PAM is seem to be elevating and becoming even more kind of broad-based. So great to see that you guys are focused on PAM. You just had the only product which GAs on track versus other product features, maybe relatively deprioritized. Can you, can you elaborate, how are you positioning PAM in your customer conversations?

More importantly, how are customers responding, and how is the customer feedback evolving, given post this hack incident? On one hand, of course, everybody knows PAM is going to be a key piece of puzzle in this threat landscape, while the incident perhaps leading to customer perception of perhaps not adequate implementation of poor PAM solution within your internal environments, on the other hand. So if you can provide your thoughts there, appreciate it.

Todd McKinnon (CEO and Co-Founder)

Yeah, no, it's a good. I think every specific incident is different, and PAM, and the definition of PAM addresses some of them better than others. So I won't comment specifically on this recent incident and what our PAM product does or doesn't do, but broadly speaking, what you say- what you're saying is right. All of these attacks, whether it's, are highlighting the need for very strong phishing-resistant access management, identity governance, and then privileged access management and control. And I think the reception that we've seen with customers is basically, it's very simple. Our positioning is very simple.

It's like, you're using Okta to manage the user life cycle and the access for many business applications, you should use the same engine and the same access control for your privileged servers and containers, and as I mentioned earlier, in a future release, coming relatively quickly for your SaaS applications and for the Okta admin console itself. So that's the pitch. And what customers like is that they get this, you know, comprehensive, integrated workflow across all of the access points they're trying to secure, whether that's servers, apps, or business applications, different kinds of applications, and that's what resonates. And then they can report that back to their auditor, and they get complete visibility from a global, you know, governance, risk, and compliance assessment, and that's the value prop for them.

So, it is, it is, you know, the market we serve and the opportunity for our products is only getting bigger and bigger, and the threat landscape is part of that. There's many other drivers of the market size we're going after, and it's one of the reasons why we're so optimistic and bullish about the long-term future, given all the work and focus we're putting into the products and the company and the team, and it's, there's some bright, sunny future ahead of us, and we're excited about it.

Shrenik Kothari (Senior Research Analyst)

Got it. Thanks, Todd. Thanks a lot, Todd.

Dave Gennarelli (SVP of Investor Relations)

Okay, thanks, everybody. That's it for today's meeting. If you have any follow-up questions, you can email us at [email protected]. Thanks.