Palo Alto Networks - Q1 2024

Transcript

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Good day, everyone, and welcome to Palo Alto Networks' fiscal first quarter 2024 earnings conference call. I am Walter Pritchard, Senior Vice President of Investor Relations and Corporate Development. Please note that this call is being recorded today, Wednesday, November 15, 2023 at 1:30 P.M. Pacific Time. With me on today's call to discuss first quarter results are Nikesh Arora, our Chairman and Chief Executive Officer, and Dipak Golechha, our Chief Financial Officer. Following our prepared remarks, Lee Klarich, our Chief Product Officer, will join us for the question and answer portion. You can find the press release and other information to supplement today's discussion on our website at investors.paloaltonetworks.com. While there, please click on the link for events and presentations to find the Q1 2024 earnings presentation and supplemental information.

During the course of today's call, we will make forward-looking statements and projections regarding the company's business operations and financial performance. These statements made today are subject to a number of risks and uncertainties that could cause our actual results to differ from these forward-looking statements. Please review our press release and recent SEC filings for a description of these risks and uncertainties. We assume no obligation to update any forward-looking statements made in the presentations today. We will also refer to non-GAAP financial measures. These measures should not be considered a substitute for financial measures prepared in accordance with GAAP. The most directly comparable GAAP financial metrics and reconciliations are in the press release and the appendix of the investor presentation. Unless specifically noted otherwise, all results and comparisons are on a fiscal year-over-year basis. We also note that management is participating in the UBS conference November 29th.

I will now turn the call over to Nikesh.

Nikesh Arora (Chairman and CEO)

Thank you, Walter. Good afternoon, everyone, and thank you for joining us today for our earnings call. Q1 was the first quarter of our three-year plan we presented in August. If I were to summarize the quarter, I would say the following: We continue to execute amazingly well in what is a volatile environment. On the geopolitical front, we've been contending with what's happening in Israel and Ukraine. On the hardware or product front, as you see, there has been normalization in the industry, which is something we've been indicating for a while. Backlog has been shipped, supply chain issues are behind us, and product growth is normalizing in the industry. We continue to see normal strength, as we indicated in prior quarters in that category. On the macroeconomic front, business practices continue to adapt and adjust to new normal, with higher interest rates for longer.

Internally, on the product side, we've had one of the strongest starts to our fiscal year. In addition to various recognitions, we have delivered strong innovation across all three platforms. We launched an AI-enabled cloud manager and network security to continue our consolidation and platformization efforts towards Zero Trust. In SASE, we announced our intent to deliver enterprise browsers, the Talon acquisition, which will solve one of the critical issues with remote access, which is not addressed today by any SASE vendor. We released the industry's first integrated UI for code-to-cloud in Prisma Cloud and announced the acquisition of Dig Security to double down on data security for generative AI in Prisma Cloud. Last but not the least, in Cortex, we launched XSIAM 2.0 with Bring Your Own AI

On the go-to-market side, Q1 is seasonally a slower start as we kick off the new year, but the team delivered superior revenue and profitability, and we had our highest cash collection quarter in our history. We continue to see steady execution, excuse me, in our firewall, cloud, and endpoint businesses. In SASE, we continue to position ourselves in larger and more strategic deals, and XSIAM, while it, in its early days, continues to garner tremendous interest, giving us more comfort around our long-term intentions. So in summary, a strong start in Q1 towards our three-year journey. Early days, but confidence is fired. Let's dig into the details. Our Q1 revenue grew 20%, and our billings grew 16%, while our RPO growth of 26% exceeded both of these and was driven by our next-generation security capabilities.

I would like you to pay particular attention to RPO versus billings. Dipak will talk about the difference in, at length and explain why the street might be confused with our future billings guidance. Our Q1 non-GAAP operating margins expanded by 760 basis points, driving $1.38 in non-GAAP earnings per share, and we generated record $1.5 billion adjusted free cash flow in Q1. If you look at what's going on from an overall cybersecurity perspective, we have never seen as much adversarial and consistent activity at scale as we have seen in the first quarter. Unfortunately, we don't expect this to abate anytime soon.

As a consequence of this increased activity, and in recognition of our customers' commitment to us, this week, we announced a Unit 42 Rapid Incident Response Retainer at no cost to all of our strategic customers, aimed at providing additional support during this escalating threat landscape. Ransomware attacks are increasing in frequency and severity. The ransom amounts being paid are also increasing. Bad actors are doing damage in a much shorter amount of time. As an example, in a recent engagement of our Unit 42 team, we saw an instance where bad actors extracted 2.4 TB of data in just 14 hours. There's also some evidence that the adversaries are beginning to leverage generative AI as a tool to make attacks more sophisticated.

Not just that, based on what we are seeing in Unit 42, most attacks are now happening on the back of vulnerabilities in widely used software and APIs, such as a widely exploited MOVEit file transfer software. Unfortunately, these bad actors remain elusive, with no apparent significant increase in convictions in high-profile attacks, and therefore, not surprisingly, this malicious activity continues. At the same time, U.S. publicly listed companies and their boards are confronted with new SEC disclosure requirements around prompt public reporting of material cybersecurity incidents and the enhanced oversight responsibility that comes with them.

This result is a continued focus across organizations on understanding security posture, cybersecurity risk, and how to mitigate this risk effectively. This increasingly involves not only the CISO, but the entire IT organization, legal, finance, and the CEO, and the full board of directors. This space of malicious activity and the board-level focus on cybersecurity risk is fueling a strong demand environment. Customers often have multiple strategic priorities in cybersecurity, and our broad portfolio enables us to align with these priorities. In Q1, the cost of money remained a constant discussion, and customers' significant focus on this topic is becoming the new normal. The way it manifests itself in our business is that there's always a payment and duration discussion in final deal negotiations. Given our strong balance sheet, we can use a mix of strategies to navigate the environment.

This includes annual billing plans, financing through PANFS, and partner financing. Whilst this does not impact our business demand or the impact to annual revenue or annual metrics, it does create variability on total billings more than before, depending on financing used or the duration of contracts. I am not concerned about the demand for cybersecurity for this quarter and upcoming quarters, nor am I concerned about our ability to execute. The billings variability is a pure consequence of the payment conversations that we're having with our customers, and this is validated by the fact that we continue to see strong RPO and low churn, suggesting this is a cosmetic impact to our business. We continue to see strong interest across our next-generation security portfolio, and we're making progress on our platformization journey.

I want to highlight a few deals to talk about the diversity of opportunity, cross-platform buys, as well as the geographical distribution of our deals. For example, a federal government agency signed a $25 million expansion transaction, including adding Cortex XDR and Prisma Access in highly competitive situations and expanding their network security footprint. This customer has now spent over $100 million over its lifetime across our three platform. A large global SaaS provider signed an $18 million Prisma Cloud transaction to consume modules across the portfolio. The customer is already a customer of our network security and Cortex platforms. A large educational organization expanded its relationship with us in the first quarter, a $15 million transaction, adding XSIAM, Prisma Cloud, and an expansion of its network security footprint.

Lastly, a nation state signed a $28 million deal that is a first of its kind, standardizing on both SASE and XSIAM. This is a long sales cycle and represents our systematic approach to platformization. The story in these deals has been playing out across our large customers. As of Q1, 56% of the Global 2000 has transacted with us across Strata, Prisma, and Cortex. This continued focus on customer cyber transformation has fueled the 53% growth in NGS ARR we report this quarter as we broke through the $3 billion milestone. Another exciting news, as of Q1, recurring revenue across Palo Alto is 82% of our total revenue from 77% a year ago. Let's turn to updates from our three platforms that are the engine driving our success. First, in network security.

We continue to drive innovation across our portfolio and see momentum as customers drive towards Zero Trust architecture. This month, we unveiled PAN-OS 11.1 or Cosmos and Strata Cloud Manager, unifying the management of all of our three form factors and all security services in a single pane of glass, and also leveraging AI to analyze security policies, reduce misconfigurations, and predict and prevent disruptions. Customers who have invested in our platform by deploying all three form factors continue to grow rapidly, up 34%. Of our top 100 network security customers, 60% have purchased all three form factors, up from [53]% a year ago. On average, these platform customers spend more than 15 times of the rest of our network security customers spend. The story is similar in SASE.

Having just seen our innovations gain multiple industry recognitions in SASE in the second half of our fiscal year, we've continued to invest to build on our leadership position. We're seeing strong momentum in SASE, with ARR growth of approximately 60% in Q1. We also saw 35% of our 5 million or greater network security transactions include SASE, up from less than 10% a year ago. Today was the first day of our event called SASE Converge, where we unveiled several enhancements. We have enabled SASE to access applications with performance faster than the internet. We added visibility and control over interconnected SaaS applications and enabled safe access to Gen AI tools to ensure data isn't inadvertently leaked. Lastly, we added remote browser isolation technology for an extra layer of security. M&A has always been an important part of our strategy.

Last week, we announced our intent to acquire Talon Cyber Security. We see an opportunity to expand the addressable market for SASE and solve an important customer problem. As many as 36% of workers classify themselves as independent workers, who often use unmanaged devices for work. In addition, employees increasingly use personal devices for accessing business applications. To enable access of these devices, security teams have an impossible trade-off. They're forced to either ignore security entirely in favor of flexibility and user experience, or to adopt cumbersome technologies like VDI. Talon is a pioneer in the emerging enterprise browser category, and when combined with Prisma SASE, after closing, we will enable users to securely access business applications from any device, including mobile devices and non-corporate devices, with a seamless user experience.

We intend to include this capability with Prisma Access after closing, and customers will be able to extend the same best-in-class security to unmanaged devices. Moving on to Prisma Cloud. We continue to see a strong endorsement of our integrated platform strategy. This traction is evident in the strong growth of our multi-module customers. We have seen particular success here with modules released over the last 2.5 years. There has been a consistent pattern of seeing 100+ customers for new modules in the first full quarter of launch and rapid growth after that, as the benefits of these new modules are broadly understood. This enthusiastic adoption has driven our strong conviction in adding key new modules, including some through acquisitions. Our IaC scanning capability, which came through the Bridgecrew acquisitions, and CI/CD security, which came through Cider, are two such examples.

This new module traction is helping to accelerate Prisma Cloud new business ACV in the last quarter. In Q1, we also unveiled a major new Prisma Cloud release, Darwin. Darwin further differentiates our unique position across code, cloud infrastructure, and cloud runtime. Darwin enables a view across all elements of cloud applications, including cloud services, infrastructure assets, compute workloads, API endpoints, data, and code. Darwin can also help customers understand risks with deep context and overlay active attack attempts in near real time. Our full coverage from code to cloud enables fixes to be applied immediately, versus the months most vulnerabilities take to be patched. About two weeks ago, we announced our intention to acquire Dig Security, which will bring an award-winning data security posture management capability to Prisma Cloud.

With almost 70% of organizations having data stored in the public cloud, the sprawl of new cloud data services and the adoption of generative AI, we see an increased need to identify sensitive data, effectively manage user access, and implement robust security measures to prevent unauthorized internal and external access to this data stored in the cloud. After the close of proposed acquisition, Dig's capabilities will be integrated into Prisma Cloud platform to provide near real-time data protection from code to cloud. Moving on to Cortex. We continue to invest across our product portfolio and expand our customer count as we see continued adoption of XDR, XSOAR, Xpanse, and XSIAM. In Q1, we had several industry recognitions of our innovation. Cortex XDR was the only product in the industry to achieve 100% protection and detection in the Round 5 MITRE evaluation.

Additionally, XSOAR, Xpanse, and XSIAM were all named leaders by third parties this quarter. We grew our Cortex active customer count by 25% to over 5,300 customers. Our traction overall in Cortex is essential as it allows us to sell our transformational offering, XSIAM. XSIAM has had a very fast start since we released the product just over a year ago. After a strong FY 2023, XSIAM's first year of release, which included over $200 million in bookings, we followed up with a strong Q1. We saw our first expansion purchase of XSIAM, an eight-figure deal, and in Q1, our largest XSIAM customer to date was deployed with over 300,000 endpoints. We're seeing XSIAM transform customer security operations and significantly improve their security outcomes. This includes significant reductions in the meantime to detect and resolve security incidents.

On the back of potential customers hearing about early XSIAM success, our pipeline for XSIAM is over $1 billion, of which $500 million was created just in this past quarter. As I began my remarks, Q1 was the first quarter of us delivering on the three-year plan we presented in August. We're driving profitable growth, investing in innovation, next-generation security, and the industry's largest dedicated security go-to-market organization. At the same time, leveraging the scale of Palo Alto Networks. Demand for cybersecurity is strong, given the backdrop of attacks and the ever-increasing focus and scrutiny around cyber risk. Execution continues to be paramount, given the macro conditions, and we will continue to be adept in responding to changes in the environment. We will manage for long-term growth, operating margin, and free cash flow, and ensure we continue to transform the business and build revenue predictably.

You will also see this through RPO and, most importantly, our current RPO. Our long-term forecast thesis remains intact. Whilst we expect short-term variability in billings, we don't expect this to have a meaningful impact on our ability to deliver our three-year targets. With that, I will turn it over to Dipak.

Dipak Golechha (CFO)

Thank you, Nikesh, and good afternoon, everyone. I'll cover the specifics of our Q1 results, additional details on drivers behind the results, and our Q2 and fiscal year 2024 guidance. For Q1, revenue was $1.88 billion and grew 20%. Product revenue grew 3%. Total service revenue grew 25%, with subscription revenue of $988 million, growing 29%, and support revenue of $549 million, growing 17%. We saw consistent revenue contribution across all theaters. Americas grew 20%, EMEA was up 19%, and JAPAC grew 23%. The strength of our next-generation capabilities continues to drive our results, with NGS ARR exceeding $3 billion for the first time and growing 53%. We saw strong contributions across this portfolio in Q1.

We delivered total billings of $2.02 billion, up 16%. Total deferred revenue in Q1 was $9.4 billion, an increase of 32%. Remaining performance obligation, or RPO, was $10.4 billion, increasing 26%, with current RPO just under half of our RPO. As Nikesh mentioned, we saw the rising cost of money have an important and incremental impact on customer behavior in Q1. We are responding to this in the ways we have discussed previously, including using annual billing plans, financing through PANFS, and partner financing. In Q1, this had a negative impact on our billings, although as you can see, we saw strength in NGS ARR and revenue. Our non-GAAP earnings per share were significantly ahead of our guidance, growing 66%.

This was driven primarily by the significant increase in our non-GAAP operating margins, which expanded 760 basis points year-over-year. We continue to benefit from the scale inherent in our business, especially as some of our next-generation security offerings scale. We again delivered strong cash flow in Q1, with trailing 12-month adjusted free cash flow of $3 billion, achieving trailing 12-month free cash flow margins of 41%. Moving beyond the top line, gross margin for Q1 of 78% increased 370 basis points year-over-year. We again saw year-over-year improvements in product margins with the normalization of the supply chain environment. Service gross margin improved to 78% as our newer offerings continued to gain scale.

Our operating margin expanded by 760 basis points in Q1, as we saw higher gross margins and efficiencies across our three operating expense lines. We are pleased with our operating efficiency progress against our medium-term targets. We continue to make significant investments to support our top-line growth expectations, including investments in product and engineering, building sales capability, and supporting our ecosystems and our go-to-market organization. Turning to the balance sheet and cash flow statement, we ended Q1 with cash equivalents and investments of $6.9 billion. Q1 cash flow from operations was $1.526 billion, with total adjusted free cash flow of $1.489 billion this quarter. As is typical for our Q1, this cash flow performance was primarily driven by strong collections in the prior quarter, based on the strength of our Q4 bookings.

Sorry, collections in the quarter, but based on the strength of our Q4 bookings. Over the last several weeks, we announced that we have entered into definitive agreements to acquire two companies. On October 31, we announced our intent to acquire Dig Security Solutions for approximately $232 million in cash, excluding the value of replacement equity awards. On November 6, we announced our intent to acquire Talon Cyber Security for approximately $435 million, excluding the value of replacement equity awards and inclusive of cash on Talon's balance sheet at closing. We expect both transactions will close in our second quarter of fiscal year 2024. During Q1, we repurchased approximately 300,000 shares on the open market at an average price of approximately $227 per share, for a total consideration of $67 million.

As a reminder, our share repurchase program is opportunistic, and we're committed to returning cash to shareholders over the medium term. Stock-based compensation expense declined by 250 basis points as a percent of revenue year-over-year. As expected, stock-based compensation ticked up slightly as a percent of revenue quarter-over-quarter, with the issuance of a portion of our fiscal year 2024 grants. On a year-over-year basis, we continue to manage our SBC down as a percent of revenue in line with our long-term plans. Before turning to guidance, I want to frame some of the impacts that we're seeing on our billings. As Nikesh noted, we see strong demand in the market and continue to see customers make the technical selection of offerings across our portfolio.

From here, we see more customers asking for deferred payment terms, either with annual billings, financing through PANFS, or pursuing external financing. Some customers are looking for additional discounts for upfront payments as they grapple with the cost of money. Our strong financial position, which includes $7 billion in cash, cash equivalents, and investments, combined with our many options in dealing with this dynamic, gives us significant flexibility. This can impact our billings trends quarter-to-quarter, and we're reducing our billings guidance to account for this through the fiscal year 2024. RPO and CRPO have more of a direct impact on future revenue. This quarter, with duration towards the low end of the range we've seen over the last several quarters, we saw strong trends in CRPO.

As we see low customer churn, we're confident that independent of specific billing terms and contract lengths, we can continue to grow RPO at levels that support our forward revenue growth ambitions. Now, moving on to our guidance for Q2 and the year. For the second quarter of 2024, we expect billings to be in the range of $2.335 billion-$2.385 billion, an increase of 15%-18%. We expect revenue to be in the range of $1.955 billion-$1.985 billion, an increase of 18%-20%. We expect non-GAAP EPS to be in the range of $1.29-$1.31 per share, an increase of 23%-25%.

For the fiscal year 2024, we expect billings to be in the range of $10.7 billion-$10.8 billion, an increase of 16%-17%. We expect NGS ARR to be in the range of $3.95 billion-$4 billion, an increase of 34%-35%. We expect revenue to be in the range of $8.15 billion-$8.2 billion, an increase of 18%-19%. We expect our fiscal year 2024 operating margins to be in the range of 26%-26.5%, up 190 to 240 basis points versus fiscal year 2023. We expect our non-GAAP EPS to be in the range of $5.40-$5.53, an increase of 22%-25%.

We expect adjusted free cash flow margin to be 37%-38%. Additionally, please consider the following modeling points. We expect our non-GAAP tax rate to remain at 22% for the second quarter and fiscal year 2024, subject to the outcome of future tax legislation. We also expect cash taxes in the range of $230 million-$280 million. For the second quarter, we expect net interest and other income of $55 million-$60 million. We expect second quarter diluted shares outstanding of 339 million-342 million shares. We expect fiscal year 2024 diluted shares outstanding of 338 million-343 million shares.

We expect fiscal year 2024 capital expenditures of $175 million-$185 million, and $40 million-$45 million in Q2. With that, I'll pass it back to Walter for the Q&A portion of the call.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Thank you, Dipak. To provide as broad of participation as possible, please limit yourself to one question. Our first question will be from Saket Kalia with Barclays, followed up by Hamza Fodderwala from Morgan Stanley. Go ahead, Saket.

Saket Kalia (Managing Director)

Okay, great. Hey, guys, thanks for taking my questions here. Dipak, maybe the question is for you. Appreciate the revised billings guide in this macro backdrop, and to your point, the higher cost of money. I'm curious how you've maybe thought about factors like pipeline, like close rates, and very importantly, billings duration for the rest of the year, as we just try to get comfortable with how much that billings guide has maybe been de-risked?

Nikesh Arora (Chairman and CEO)

Saket, thanks for your question. I'm gonna take this one, because it's more about demand function. I think, repetition doesn't spoil the prayer, so I will repeat. The billings difference is not a change in demand for us or not a function of our pipeline. The billings change is a consequence of negotiations with customers, and the customer says, "You want me to pay you for three years upfront? You gotta give me a bigger discount. You want me to do a three-year deal? You gotta go finance it in PANFS. Now, I could do that, but I could say, 'Just pay me on an annual basis, I'm okay. I'll collect my money every year.' If I go in that direction, my billings changes. It does not change anything in my pipeline, in my close rates, or in my demand function.

Does that sum up my point?

Saket Kalia (Managing Director)

Yeah.

Nikesh Arora (Chairman and CEO)

So, so we're just keeping, giving ourself flexibility, because this quarter we saw a lot more negotiations around those topics. We just don't wanna be held hostage to those kick-out negotiations, where we have to go finance deals to get TCV in there, because billings is a TCV metric. TCV is important if I'm concerned about churn. I have very low churn across my product categories. So I'm very happy to collect my money on an annualized basis, if that's what's needed to make sure that I don't get pressure on financing, I don't get pressure on having to give larger discounts. It... I retain flexibility. I do do a lot of TCV deals, I do a lot of financing, but this allows me the flexibility. So all I wanna make sure is, there is no change in the demand function in the market.

There is no change in our revenue forecasts.

Saket Kalia (Managing Director)

Got it. Very helpful. Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Thanks, Saket. Next up is gonna be Hamza Fodderwala from Morgan Stanley, followed by Brian Essex from JPMorgan. Hamza, go ahead.

Hamza Fodderwala (Executive Director)

Hey, good evening. Thank you for taking my question. And I just wanna start by offering my thoughts and condolences to all your employees in Israel. You know, kind of similar vein to Saket's question, I mean, 16% billings growth is certainly not bad in the context of, you know, many of your peers growing, you know, single digits, if at all. I'm just curious, because your guidance is still assuming that growth will sustain for the full year. So what's giving you that confidence, given the cost of money, given the hardware digestion, that you can sustain that high-teen billings growth, given what you're seeing in the market?

Nikesh Arora (Chairman and CEO)

So Hamza, as you know, Saket mentioned to our pipeline, we have visibility to our pipeline, so we know there's business out there. We have not seen customers walk away from deals in Q1. It's not like people don't wanna do business. We've been very consistent on hardware and our hardware expectations for the last 12 months. We're retaining our consistent expectations around hardware. We don't expect any lumpy movements up or down. We expect it's gonna go steadily in the 0%-5% range, as we've always been talking about. So I think from that perspective, I think to use Saket's word, we feel reasonably de-risked on what's out there in the future. Q1 is the first quarter, allows us, you know, we have lots of pipeline we have visibility to. I think, I wanna reiterate again, we are retaining flexibility.

Can I go finance a deal? Of course, I can. Can I go finance a three-year deal through PANFS with $7 million of cash? I can, which will have a cosmetic impact of giving me better billings. But what I don't wanna do is finance bad deals. This allows me the flexibility of not having to finance them. Nothing changes. I still get my revenue for the year. I still get my CRPO. I still get my annual billings. I just don't get year two and year three billings, which changes my total billings forecast for the year. It's cosmetic, it's mathematics, but it's interesting to see how the street interprets it.

Hamza Fodderwala (Executive Director)

Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Thank you, Hamza. Next up, we have Brian Essex from JPMorgan, followed by Gabriela Borges from Goldman Sachs. Brian, go ahead, please. You're muted, Brian.

Brian Essex (Executive Director and Equity Research Analyst of Software)

Thanks, Walter. Yeah, thank you for taking the question. Nikesh, I was maybe wondering if I could dig in on M&A a little bit. Pretty meaningful volume of M&A from a dollar spent perspective this quarter, after not having done some for a while. How would you describe the overall environment, and how would you, I guess, message to investors the level of M&A that you might do over the next, I don't know, couple of years? Was this more of a one-off IP and acqui-hire that you saw a great opportunity to pick up, or might there be something meaningful in terms of a longer term trend or, or, you know, even, dollars put through your sales pipeline as you, you know, scale this over your platform or scale both of them over your platform?

Nikesh Arora (Chairman and CEO)

So Brian, thanks for the question. Look, we have not changed our point of view. We have always maintained that we're gonna sustain M&A at a level close to $1 billion a year. So we haven't done one for a while, or two. And if you see, if you split the two, we did a cloud security one, and we've been pretty consistent in that rough range, in the $150 million-$250 million range in terms of adding cloud capability as we see the market evolve. So I think that's kind of consistent where we are. We saw a unique opportunity. As I mentioned, 36% of workers are independent workers. They don't get a SASE, a more access, sort of, solution.

We saw more and more discussion in the market where RBI was not covering every use case and managed devices were not. Like, all your mobile phones don't have management for security, the last few hacks that happened to mobile devices. So from that perspective, customers are asking: What is my solution? And now what we didn't want them to do is to have to deploy yet another independent solution, which is disconnected from our overall SASE capability. And like we do, we always pay attention to the market. We figured Talon had the best tech in the space, and they were just about to go raise, to go to a go-to-market sort of implosion or explosion [audio distortion] the other companies. So, and from that perspective, we saw an opportunity, and we think, it's a great fit.

It actually makes us the most comprehensive SASE solution. We are going to integrate them deeply into our SASE solution, where customers will be able to use enterprise browsers, RBI, or our Prisma Access client. So, it's, I don't want to call it a one-off, because one-off sounds it'll never happen again, but I think it just happens to be the time where we did two at the same time. But they're in two different platforms, two different teams integrating them, so it's not overhead to the organization. But, you know, we're gonna keep our cautious approach towards, eating what we can digest. You shouldn't expect anything that is off the regular pattern we've sort of shown in the last timeline.

Brian Essex (Executive Director and Equity Research Analyst of Software)

Got it. Helpful. Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Great. Thank you, Brian. Next question is gonna be from Gabriela Borges at Goldman Sachs, with Roger Boyd at UBS on deck. Go ahead, Gabriela.

Gabriela Borges (Managing Director and Head of US Software Equity Research)

Good afternoon. Thank you. I want to ask about the two dynamics that you're talking about in your business, the firewall cycle on the one hand, and the cost of money impacting billing duration on the other. How do you think about the potential that these two dynamics are actually connected, meaning product mixes also having an impact on billing duration? And how do you think about the risk that cost of money dynamics get worse before they get better, thereby impacting the full year guide for billings again as we go through the year? Thank you.

Nikesh Arora (Chairman and CEO)

So thank you, Gabriela. Look, the firewall business is actually a one-shot business. You sell a piece of hardware, and you get paid for it. It's not a ratable business, right? The ratability comes from our subscriptions and services. But, it's usually there. We have to look at it from an NGS perspective. Our duration this quarter was on the lower end of duration. It reduced. It went down because we took more annual billing deals, or we took shorter duration contract with our customers. So from that perspective, I think, we feel comfortable, given the visibility to our pipeline for the rest of the year, that we've created flexibility for ourselves on billing. You know, I think we're gonna keep having this debate where you keep calling it guiding down on billings. I'm gonna keep calling it flexibility.

You're gonna keep calling it guiding down on billings. I'm gonna keep telling you, it doesn't change my numbers. So we should just agree that we're going to be saying that because I don't... nothing has changed the prospects of Palo Alto from three months ago.

Gabriela Borges (Managing Director and Head of US Software Equity Research)

Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

All right, thanks for your question, Gabriela-

Dipak Golechha (CFO)

Well, maybe just to build on that, Walter, I'd say, like, just recognize that we're also maintaining our cash guidance, which, you know, would be the other area where you may get concerned, and we're not concerned on that front.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Great. Thanks, Gabriela, there. Next question is from Roger Boyd at UBS, followed by Brad Zelnick at Deutsche Bank. Go ahead, Roger.

Roger Boyd (Executive Director)

Great. Thanks for taking the question. Just looking at the XSIAM pipeline, that $1 billion is a pretty impressive mark. Just any, any color you can provide on the size or the length of those deals as we think about it from an ARR perspective. I know you've talked about the 3x ARR upsell or expansion potential, but just any color on the size of those deals and how we should think about that kind of flowing into opportunities over the course of fiscal 2024?

Nikesh Arora (Chairman and CEO)

Yeah, I'm trying to make sure Lee gets to answer some questions otherwise he doesn't want to show up-

Lee Klarich (Chief Product Officer)

Next time?

Nikesh Arora (Chairman and CEO)

Yeah, exactly.

Lee Klarich (Chief Product Officer)

I will. Yeah, we're—look, we've obviously, over the last few quarters, talked about XSIAM, and the interest we're seeing from customers is very strong, and it's been the fastest sort of growth of a new product that we've ever seen. I think it speaks to a couple of things. One is just the need in the market from customers to go through the SOC transformation. Nikesh talked about the speed of attacks increasing relative to disclosure requirements and things like that, and obviously, the number of attacks simply going up as well. That's driving the technology need to have a different solution, a better solution, one driven by AI and automation. That's exactly how XSIAM was built, and that is what was fueling the interest.

The second part of this is, with XSIAM, we're able to replace several of the customer's legacy, point solutions in the SOC. So we are consolidating multiple independent piece parts with a single XSIAM deployment. And third, with each deployment of XSIAM, this is, this is a significant, investment the customer is making in us. So invariably, both these investments are three-year investments, in some cases even longer, because they are standardizing their stock on a new platform, and they want that long-term runway with us. It's not a-- this is not a short-term, decision they're making. So all of those factors are what are fueling the, the strong pipeline that we shared and the, the early customer success we're having with XSIAM.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Great. Thank you for the question. Next question from Brad Zelnick at Deutsche Bank, followed by Fatima Boolani at Citi. Go ahead, Brad.

Brad Zelnick (Managing Director)

Great. Thanks very much for taking the question. I wanted to ask about your new hardware lineup and the release of PAN-OS 11.1. I noticed some of the newer features, like quantum security and advanced WildFire patient zero prevention. Just wanted to get your take on the extent to which the new platform can catalyze demand as customers try to look to take advantage of the innovation, and, and maybe if you could, you know, help us compare and contrast versus prior product cycles. Thanks.

Lee Klarich (Chief Product Officer)

Yeah, thank you. I always get excited about the next-gen firewall releases, of course. Look, what we announced was a new high-end chassis, so one that scales beyond a terabit per second. And so there's obviously this is for the largest, highest performance networks out there, service provider, and in some cases, large enterprise environments. At the same, we announced ruggedized platforms, platforms that can go to +50 degrees Celsius, -40 degrees Celsius, 'cause there are harsh environments out there that also need to be protected, right? So this is expanding the use cases that we can support with our hardware next-gen firewalls. The other pieces you mentioned are also equally exciting from a software perspective.

You know, quantum is still likely a ways off, but there's a lot of companies that are starting to prepare for that, thinking about what happens in post-quantum cryptography in the advent of potential quantum computers and what that will mean. And so, this is the start of a set of quantum security capabilities that we're launching for our customers. You mentioned Advanced WildFire. We added proxy capabilities. We added ADEM capabilities. There's a lot of innovation that's in this release. Generally, meaning that what this drives is customers to look to be on our latest Gen 4 or newer hardware architectures, which over time means hardware refreshes and upgrades. And so all of that is good and helps our customers get to the most secure state.

Brad Zelnick (Managing Director)

Cool. Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Great. Thank you for that. Next question is Fatima Boolani at Citibank, followed by Joel Fishbein from Truist. Go ahead, Fatima.

Fatima Boolani (Co-Head of US Software Equity Research and Managing Director)

Good afternoon. Thank you for taking my questions. Either for Nikesh or Dipak, some of your pipeline commentary is what I wanted to unpack. As you think about the composition of NGS ARR for the remainder of the year, and bearing in mind some of your product pillars are, you know, I, I'm not going to say maturity, but certainly they're more penetrated than others. So I wanted to get a sense of how you're thinking about a contribution by pillars to your ARR expectations for the year, and to the extent anything there has, has changed. And I recognize that you love all your product pillars equally, but any distinction or-

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

[crosstalk] where I was gonna stop.

Nikesh Arora (Chairman and CEO)

Well, Fatima, it's very kind of you to remember prior answers, but I tried to give a preview of that in our prepared remarks, where I said that we continue to see steady execution in hardware, endpoint, and cloud. So they're following an expected trajectory. We see the pipeline, and I said the excitement and upside is coming out of SASE and [Cortex] XSIAM. And we see that there are large SASE network transformation deals out there, which, you know, these things have anywhere from six months to 12 months closing cycles. So we would have to know what's in the pipe for the rest of the year to have some sense of comfort. We also said we grew that business 60% in the first quarter on SASE.

We already, you know, cannot gush enough about XSIAM, as you know so far. The billion-dollar pipeline we're hoping will close in that six-nine months. Interestingly, XSIAM pipeline closes faster than SASE pipeline, or deals close faster because in SASE, it's often very competitive. There are POCs involved. There are feature comparisons between us and one or two other companies. In the case of XSIAM, you're really competing with the incumbent.

Fatima Boolani (Co-Head of US Software Equity Research and Managing Director)

Helpful. Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Great. Thank you, Fatima. Next question is from Joel Fishbein at Truist, followed by Joe Gallo at Jefferies. Joel, go ahead with your question.

Joel Fishbein (Managing Director)

Thanks for taking the question. This is for Nikesh and Lee. Nikesh, you called out the recent ransomware attacks and also the SEC new requirements. I'm curious, number one, is there... Is that helping to drive business, and what products essentially would that be driving, you know, Palo Alto and why you're sort of in a unique position to sort of address some of these issues?

Nikesh Arora (Chairman and CEO)

Yeah, so it's interesting, Joel. Let me connect that to something we announced yesterday. So first of all, I said the activity is at an all-time high. Every day you read about ransomware attacks. Now, the SEC regulations are actually not kicked in yet. I think they kick in December.

But you're seeing some companies go out there and start to sort of self-report in anticipation because they're all petrified, of course, when you get attacked. So I think you're going to see more and more disclosure, and we've been trying to parse, is it more activity or more disclosure? That's, that's a good question. I think it's more activity. We've seen more and more activity. Our team does the research. We've had the maximum number of inbounds to our incident response team in the last month than we've had before. So clearly, anecdotally also, it's sort of come true that this is what's happening.

Now, typically, the anatomy of an attack for us, from our vantage point, is that when we get engaged on incident response, typically we go in and we deploy a protection sort of suite, or we go in and put XDR everywhere, and we'll go run a bunch of analytics to make sure we understand what happened and where the bad actors may still be resident in a customer's infrastructure. Now, typically, when we do that and we leave, they don't want us to leave with our stuff. They want us to leave our stuff back in case the guys come back.

So from that perspective, you know, the incident becomes a lead, unfortunately, because of the, the attack, but it becomes a lead for us, and that creates a whole bunch of product conversations around whether we're going to deploy endpoints, whether we need to upgrade their firewalls, or they need to go down a cybersecurity transformation. I'll tell you, nine times out of 10, every one of those customers ends up in a cybersecurity transformation because they discover that they have a lot of stuff that they should have upgraded or, or changed in that process. So that's kind of what happens, and those are the products which typically end up in those customers.

Lee Klarich (Chief Product Officer)

Maybe I'll just add one point. Nikesh described the multi-extortion ransomware attacks being on the rise, 37% increase. The key to that is a lot of companies have sort of become used to, call it, normal encryption-only ransomware attacks. So they had invested in backups so that when that happens, they just back up from a clean backup and they're back and operational. These multi-extortion attacks actually steal data and then extort the target, and so this can't simply be dealt with with backups. And this is driving a need for better and greater investment in prevention of the attacks, and not just the recovery side. And so it-- that connects the sophistication to the investment needed as well.

Joel Fishbein (Managing Director)

Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

All right. Great, next question from Joe Gallo at Jefferies, followed by Gray Powell at BTIG. Joe, go ahead.

Joe Gallo (Senior VP)

Hey, guys. Thanks for the question. You've made several acquisitions, further bolstering cloud. Congrats on that twelfth module. Nikesh, when do you think the platform message truly cements itself in that market, as it currently feels like the Wild West? And then, has the pricing environment stabilized there at all?

Nikesh Arora (Chairman and CEO)

Great questions. Yes, the pricing has stabilized. You know, we saw tremendous pricing pressure in the last fiscal year with the emergence of few competitors who were willing to do whatever it takes to try and dislodge our platforms or our solutions. So I think that it's fair to say that pricing is beginning to stabilize. I think what's interesting is we are seeing customers come the second time around and start looking at the platform. I think the first wave so far, and there's still part of the customers are still in that wave, first wave is still very module driven.

I want a CSPM solution, I want a CNAPP solution, and I want to look at SCA." So you'll find that there are different people in the customer's organization who are responsible for different pieces of the cloud security pie, and end up trying to look for best of breed, kind of like replicating what happened in enterprise security. But as soon as they start putting big deployments of scale, of any kind, they have to start having a platform. And we, and I just told you, we had an $18 million deal for a platform for a large SaaS company. Now, we don't have every large SaaS company which is deployed on a platform. I'll tell you, every large SaaS company needs a platform because they have eight different tools that they're not able to stitch together.

So I think it's gonna be sort of a, a sort of recursive journey, where we'll show that we'll land in some customers, in some customers, other people will land with their modules, but eventually each of those customers has to go through a platform conversation. So we're sort of focused on our platform story. We're focused on making sure we make our platform more and more robust. I was at a CIO event before this, this morning. There's 30 of them there, and the first question was, "It was interesting you guys bought Dig for data security posture management. How does that integrate into the following five things we have running?" I'm like, "Well, the following five things won't talk to each other for you.

Joe Gallo (Senior VP)

Thanks.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

All right. Thanks for the question, Joe. Next question from Gray Powell at BTIG, followed by Ben Bollin at Cleveland Research. Gray, go ahead.

Gray Powell (Managing Director)

Okay, great. Thank you very much. Yeah, so maybe a broader question. It's pretty clear that the firewall space or that there's headwinds across, you know, the firewall client space, this year is impacting everyone. But you're still guiding Q2 billings to about 17% growth. Your closest competitor is guiding to -5%. Historically, you've been fairly correlated with them. So I know you can't speak to their business, but can you talk about what's different on your side, why you're more insulated? Is it more the NGS portfolio? Is it data center exposure? Is it share gains? Is there just anything you can kind of help us to think through those dynamics?

Nikesh Arora (Chairman and CEO)

Yes, all of the above. Sorry. I'm trying to... I mean, I can't even process which competitor he's talking about, but okay. Look, we are in multiple businesses. In our firewall business, as we said, on the hardware business, we see that 0%-5% as being where the market is, and some of that we achieved through refresh, some of that we achieved through our own customers expanding, some of that we achieved through replacement of other people's firewalls. We've... In the last, I'd say 18 months, we've been very diligent about making sure we normalize for the effects of backlog or supply chain in that guidance and in that thinking, and you see that in our numbers. So I don't think that's gonna change much for us. I can't comment on other people's billing variability.

We just saw the impact of billing variability to our numbers this quarter, so I'm sure they have their reasons for billing variability. In terms of SASE, as I've said, you know, where we compete with a different set of people, not with the hardware people, we saw 60% growth this quarter, and we have visibility into pipelines the rest of the year, which gives us comfort that there is business to be had there. We told you about XSIAM, which is again, a category which is more in the SOC management space, which is a different set of competitors. We told you about XDR, it's a different set of competitors. And then cloud security, where, you know, our competitor is more startup.

So I think the portfolio allows us to look at different growth rates and different pipelines across the spectrum. As I said, the demand function is not going down for cybersecurity across the board. The only thing that's changing is people saying, "I'll do a two-year, one-year deal, or a three-year deal, or a five-year deal. I'll pay you later. You finance it, or I'll pay you every year." That's the only, that's the only confusion you're seeing, and I think if you de-dupe all of that in the market, you'll figure out the underlying growth rates are strong for some people in certain categories.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Thanks for the question, Gray.

Gray Powell (Managing Director)

Okay, thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Follow-up or our next question comes from Ben Bollin at Cleveland Research, followed by Ittai Kidron from Oppenheimer. Go ahead, Ben.

Ben Bollin (Analyst/Partner)

Good afternoon, everyone. Thanks for taking the question. I wanted to piggyback Gray's question a little bit. When you look at the underlying product revenue, how much of that is physical appliance versus the software form factor? And then, a follow-on would be interested in your thoughts on how the trajectory of branch firewall looks over time as customers adopt, you know, more VMs and SASE to get that scale. That's it. Thank you.

Dipak Golechha (CFO)

Yeah. So let me, let me take the first part of the question. I mean, our, our product revenue, when Nikesh talks about 0%-5%, is actually across hardware, virtual firewalls and, and another software that's counted in product revenue. We, we talked about that a lot last time, Ben. Like, I think it's very customer specific in terms of what their actual needs are. So again, rather than trying to pass through each of them, I think it's looking at the aggregate, and we feel pretty comfortable in that 0%-5% range. So software is about 30%, 35%, or about 30% this quarter, right? And it's-

Nikesh Arora (Chairman and CEO)

You can see that in the gross margins. Our gross margins continue to improve for product because software is obviously a higher gross margin product for us.

Lee Klarich (Chief Product Officer)

Then I think your second question was around what is the impact of this on the branch deployments? There's really primarily two models for the branch. One is a SD-WAN only branch. That tends to be for smaller branches, where all of the security, or just about all the security, moves into SASE and is cloud delivered. And the second model is a next-gen firewall, typically with SD-WAN built-in branch, which is still often connected back to SASE for global network connectivity, et cetera. So this, the shift to software in SASE doesn't replace the need for the branch to have that local intelligence and to be an extension of the customer's network and ultimate extension of the network security posture, Zero Trust posture everywhere.

Ben Bollin (Analyst/Partner)

Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Next up, Ittai Kidron from Oppenheimer, followed by Patrick Colville from Scotiabank. Go ahead, Ittai.

Ittai Kidron (Managing Director)

Thanks, Walt. Dipak, I just, not, not sure I got the answer for Ben's question quite right. On hardware, can you tell us exactly hardware, what % of revenue that is? And Cisco, in conjunction to you right now, reported also results, and they've, they've talked about they've significantly took down their next quarter guidance in the view that for the last two, three quarters, a lot of hardware was sold but not installed, and so there'll be some digestion period in there. My question to you, when you sell firewalls, how much visibility do you have into how much of that is actually goes and sit on a shelf versus actually gets deployed in the field?

So, is there a risk, or is there a blind spot here where you might not know exactly how your customers are handling hardware, firewall hardware, and could that catch up somehow with your business as well?

Nikesh Arora (Chairman and CEO)

Okay, so I don't... I did not listen to the Cisco call because we're here. And even if I had the time, I wouldn't. So, I don't understand. It's a very large hardware business. Remember, hardware is a small part of our business, A. B, we only, we only report in revenue what we sell and ship to the customer. So there's nothing. If it's sitting on the, on the shelf at a customer, then, it's still sold from our perspective.

Ittai Kidron (Managing Director)

Yes, but you [crosstalk] into it. But you have visibility [crosstalk]

Nikesh Arora (Chairman and CEO)

Yes, every firewall that is deployed has to be registered with us, so we have reasonably good visibility into firewalls that are sold and deployed. At any point, I would say, it's fair to say there are specific issues where a customer may have bought extra firewalls because they want me to deploy them, but there's no, I say there's no uncharacteristic or different activity we've seen in the last three months that has been away from the normal. So we don't have suddenly the last quarter, a lot of customers bought a lot of firewalls. I think I'm going to try and guess, but there was this whole backlog situation and supply chain problem where people may have bought ahead because of expecting supply chain crisis to continue, and now they got a bunch of stuff that is ordered, sitting around that they can deploy.

They don't have to order more. We don't have that situation. We never went down that path. We didn't create a lot of backlog. We shipped... You know, we never went past 12 weeks of shipping in our product, so we didn't... I know that in the industry, some people are up to one year in terms of shipping backlog. We had 12 weeks. We're back to four-six weeks. So it really is not an impact for us from that perspective. So I think that should give you some better sense of what the spread is. We have reasonably decent visibility into our pipeline. Can it be up or down on the margin? Yes, but nothing as substantive as what you might have seen from other people.

Ittai Kidron (Managing Director)

Thank you.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

Thanks, Ittai. We'll take our last question from Patrick Colville at Scotiabank. Patrick, go ahead.

Patrick Colville (Lead Equity Research Analyst of US Software Equity Research)

All right. Thank you, Walter, for squeezing me in. I've got a bit of a sore throat, so sound a bit like Jason Statham. So forgive me for being a bit quiet. To me, the standout metric was the non-GAAP operating margin, which was 28%. Typically, 1Q is like the low water mark for margin, but based on your guidance, it's actually kind of predicted to be the, you know, the high water mark. So I guess, you know, I presume Talon and Dig are gonna be dilutive, but Dipak, are there any other puts and takes that, you know, we should consider around operating margin?

Dipak Golechha (CFO)

No, I mean, I think, I think you obviously talked about the Talon and Dig, which is part of the rationale for the annual thing. We did have some expenses that we expected to incur in Q1, but that will now come later in the year, some around the marketing areas as well. But I would say it's just normal course of operating business, and fundamentally, I think Dig and Talon explains the majority of the rest. I will just say on a year-on-year comparison, we did have, you know, hiring that had a different, you know, level of hiring activity. You know, this year it's a lot more normalized in terms of how we're ramping. There, there's just a little bit of base factor calculation in there, but nothing really out of the norm.

Walter Pritchard (Senior VP of Investor Relations and Corporate Development)

All right. Thank you, Patrick, for your question. Thanks, everybody, for participating. And with that, I'll pass it over to Nikesh for his closing comments.

Nikesh Arora (Chairman and CEO)

Well, thank you very much again, everyone, for taking the time to attend our earnings call. I would be remiss if I did not use the opportunity to thank all of our employees across the world, and the ones in Israel, especially, given what's happening in that part of the world. I also wanted to thank all of our partners and customers for trusting Palo Alto Networks.