Palo Alto Networks - Earnings Call - Q4 2025

August 18, 2025

Executive Summary

  • Q4 2025 delivered solid top-line and non-GAAP profitability: revenue $2.536B (+16% YoY) and non-GAAP diluted EPS $0.95; GAAP diluted EPS was $0.36.
  • Results beat S&P Global Wall Street consensus on both revenue and EPS; consensus EPS $0.885 and revenue $2.502B vs actual $0.95 and $2.536B; 46 EPS estimates, 44 revenue estimates. Bold beat on both metrics. Values retrieved from S&P Global.*
  • NGS ARR reached $5.6B (+32% YoY) and RPO hit $15.8B (+24% YoY), signaling strong multi-year demand and platform traction.
  • FY26 guidance introduced: revenue $10.475–$10.525B (+14% YoY), non-GAAP operating margin 29.2–29.7%, non-GAAP diluted EPS $3.75–$3.85, adjusted FCF margin 38–39%; Q1 FY26 revenue guided to $2.45–$2.47B and EPS $0.88–$0.90.
  • Strategic developments: agreement to acquire CyberArk to add Identity Security as a core platform and retirement of founder/CTO Nir Zuk with Lee Klarich appointed CTO and to the Board—narrative catalysts highlighting AI-era platformization.

What Went Well and What Went Wrong

What Went Well

  • Strong execution with platformization driving customers to integrated outcomes; CEO: “customers understand that a fragmented defense is no defense at all… platforms are designed to work in concert”.
  • NGS ARR and RPO acceleration underpin multi-year visibility: NGS ARR $5.6B (+32% YoY) and RPO $15.8B (+24% YoY).
  • Profitability momentum: CFO reiterated “Rule-of-50” status and focus on profitable growth; set FY26 non-GAAP operating margin at 29.2–29.7% and adjusted FCF margin at 38–39%.

What Went Wrong

  • GAAP EPS declined YoY due to tax and non-cash items: GAAP diluted EPS $0.36 vs $0.51 in Q4 2024; tax provision included a one-time deferred tax provision adjustment (“One Big Beautiful Bill”).
  • Elevated share-based compensation and acquisition-related adjustments continue to be material recurring exclusions in non-GAAP results ($372.7M SBC in Q4).
  • Q4 call transcript was unavailable from source due to retrieval error, limiting access to call-specific qualitative color and Q&A clarifications (see Q&A section note).

Transcript

Speaker 3

August 18th at 1:30 P.M. Pacific Time. With me on today's call to discuss fourth quarter results are Nikesh Arora, our Chairman and Chief Executive Officer, and Dipak Golechha, our Chief Financial Officer. Following my prepared remarks, Lee Klarich, our Chief Product Officer, will join us for the question and answer portion. You can find the press release and other information to supplement today's discussion on our website at investors.paloaltonetworks.com. While there, please click on the link for quarterly results to find the Q4-25 supplemental information and Q4-25 earnings presentation. During the course of today's call, we will be making forward-looking statements and projections regarding the company's business operations and financial performance, as well as the company's proposed acquisition of CyberArk. These statements made today are subject to a number of risks and uncertainties that could cause our actual results to differ from these forward-looking statements.

Please review our press release and recent SEC filings for a description of these risks and uncertainties. We assume no obligation to update any forward-looking statements made in the presentation today. This presentation contains non-GAAP financial measures and key metrics relating to the company's past and expected future performance. Non-GAAP financial measures should not be considered a substitute for financial measures prepared in accordance with GAAP. The most directly comparable GAAP financial measures and reconciliations are in the press release and the appendix of the investor presentation. Unless specifically noted otherwise, all results and comparisons are on a fiscal year-over-year basis. We also note that management is scheduled to participate in the Citi Global TMT Conference this quarter. I will now turn the call over to Nikesh.

Speaker 0

Thank you, Hamza. Good afternoon. Thank you, everyone, for joining us today for our earnings call. As you can all see, we had a strong finish to the fiscal year. We've just closed a landmark quarter, capping a year of disciplined execution and strategic acceleration. Our results this quarter are a direct reflection of a strategy we have been architecting for years, anticipating where the market is going and building the future of cybersecurity before it arrives. This is a moment of conviction, both for us and for our customers. We're proud to be the first dedicated cybersecurity company to surpass a $10 billion revenue run rate. While this milestone is significant, it is not the ultimate goal. Our focus has already shifted to leveraging the scale to define the next decade of cybersecurity.

The very fabric of technology is being rewoven by AI, creating a vast, new, and complex attack surface. In this new era, security is no longer a bolt-on, it is a foundational enabler of transformational success. The record-breaking number of platformization deals this quarter demonstrates that customers are not just buying products, they are buying into a strategic partnership. We believe that integrated, best-of-breed platforms deliver superior security outcomes, and our customers are validating this conviction by making larger, more strategic commitments with us than ever before. During Q4, many of the deals our teams had been working on during our fiscal year came to fruition. We saw robust activity across the board. In Q4, our bookings growth turned a corner and was the highest we've seen in two and a half years.

This growth is driven by deals across our platforms and also as a result of strong renewals and upsells across our existing portfolio. The robust booking growth was coupled with strong next-generation security ARR and revenue performance. This, coupled with prudent financial management, allowed us to exceed our full-year guidance metrics across the board. RPO grew 24% year-over-year in Q4, an acceleration versus the prior year. It was early days, but we see the quality of revenue, ARR, and retention is consistently higher across our platform customers. This bodes well for our long-term targets for Palo Alto Networks' platform business. Next-generation security ARR grew 32%, and net new ARR for the quarter was also up double digits year-over-year. We have strong contributions across our portfolio, particularly SASE, XSIAM, and software firewalls. Our investments in software firewalls and SASE are bearing fruit.

As our customers end up in a hybrid compute environment across multiple clouds, we expect to continue to see strength in our software firewall business. These offerings, each with very large TAMs, continue to gain momentum and reinforce our conviction in achieving $15 billion in next-generation security ARR by FY30 on a standalone basis. This top-line growth, coupled with scale effects and our prudent financial management, has allowed us once again to expand our operating margin. Additionally, continued deft management of our deferred payments client portfolio has allowed us to deliver 38% plus free cash flow margins for the third consecutive year. Not just that, we now believe that structurally we have visibility to go even higher on our free cash flow margins. More from Dipak on this later. Demand for cybersecurity remains strong. Our customers are looking to us to help them secure their cloud and AI transformation journeys.

We continue to see generative AI conversations as it becomes imperative for our customers to deploy productivity tools, coding tools, or revamp their customer systems to enable natural language conversations. All these use cases for AI need to be protected. No pun intended, our timely acquisition of Protect AI, which we completed this quarter, coupled with our native abilities around our AI firewalls, are driving conversations across many platform customers and prospects around securing the AI infrastructure. Adoption of GenAI is happening faster than any previous technology trend. A recent internal study amongst our customers showed GenAI traffic is up over 890% in 2024. Following this, data security incidents related to GenAI more than doubled since last year.

With this rapid adoption of AI comes a new and complex attack surface. That is why in early Q4, we introduced Prisma AI, industry's most comprehensive AI security platform. Prisma AI is a unified platform that empowers organizations to deploy AI bravely by providing end-to-end security across every AI app, agent, model, and dataset. It closes critical blind spots and secures AI deployments everywhere, ensuring confidence and compliance. Securing the AI you build is only half of the equation. The other equally critical side is securing how employees use third-party AI. Our AI access solutions provide the deep visibility and granular control needed for the safe adoption of those services. We are unique in providing a strategy for both sides of the AI landscape, each with integrated DLP controls to protect our customers' most sensitive data.

This complete vision is resonating, and we have a strong combined pipeline for our AI security offerings. The chart you see here tells a powerful story. It's not just a graph of numbers going up. It's a visual representation of our customers' growing conviction in our strategy. The question is, why is this happening? It's because we made a promise to our customers that when they partner with us, they're investing in platforms that are constantly evolving, and we are going to stay ahead of the threat landscape. Time and again, we've seen the future first. We saw it with the tectonic shift to the next-generation firewall, which we pioneered 17 years ago. We saw it with the move to the cloud and with the rise of SASE, where we're now the clear leader.

We saw the inevitable shift from reactive SIEM to proactive AI-powered SOCs, as well as in XSIAM, a platform that is now our fastest growing offering ever. We saw the market's ultimate shift towards the word we define "platformization." Integrated platforms that deliver superior security outcomes, a framework our peers once again are now rushing to imitate. We continue to evolve our platforms, and this quarter was no exception. In our network security platform, we announced PAN-OS 12.1 Orion, which includes new appliances designed to provide an easy path to quantum readiness and multi-cloud security. We are anticipating the threats of tomorrow so our customers don't have to. This commitment to future-proofing their investment is why we're seeing robust interest in integrated subscriptions like CASP and DLP.

Building on the launch of Cortex Cloud in Q3, we delivered powerful new capabilities like Application Security Posture Management, or ASPM, helping to redefine application security to meet the demands of the AI era. Natively built into our Cortex Cloud platform, ASPM provides a single source of truth, correlating data from our native scanners and third-party tools to secure the entire AI development lifecycle. This allows our customers to break down the silos between their teams and focus on remediating the critical vulnerabilities that truly matter. Our XSIAM platform continues to expand beyond its core wartime mission with new peacetime modules like exposure management that proactively identify and fix security gaps before an attack can ever happen. That confidence is translating directly into the platformization traction you see here. These platformizations are driving superior financial outcomes for us and better security outcomes for our customers.

In Q4, our net retention rate amongst platform customers was an impressive 120%, with nearly zero churn. This is the ultimate proof of the value we deliver and the deep strategic partnerships we are building. As we aim to more than double the number of platformizations in the next five years, we believe our foundation for sustainable growth becomes stronger. This underpins our confidence in achieving $15 billion of NGS ARR on a standalone basis by FY30. The clearest validation of our strategy is in the landmark deals we're signing. These are not product sales. These are deep partnerships with the world's leading organizations to transform the security posture. We had one of our strongest large deals quarters ever. Customers with over $5 million and $10 million in ARR were up approximately 50% year-over-year, and $20 million plus ARR customers were up nearly 80% year-over-year.

These types of large multi-platform deals hardly existed a few years ago and showcase our customers' growing commitment to us. Let's look at a few examples. Leading global consulting firms signed a deal for over $100 million in Q4 on cloud security and SASE, including a purchase of our new AI access security product. The customer lacked identity entitlement controls over AI in cloud environments and also required a comprehensive secure access offering that could scale globally across its employees, contractors, and clients. Our deep relationship with the company's C-suite was also critical to landing a deal of this size. With this deal, this customer is now fully platformized and provides us an ARR of $50 million. Next, a leading European bank signed a $60 million plus deal.

This customer is going through a significant digital transformation and adopted XSIAM with multiple goals in mind: to address an expanding attack surface while simplifying their security stack and keeping costs under control. Platformization was a competitive edge as part of this deal, and we have become a true security partner as now they have three platforms with us. Finally, a leading U.S. insurance company purchased $33 million across NetSec SASE, SecOps, and cloud security. This customer needed to improve their security posture, level up their SOC analysts, and drive further automation to reach their goals of 15-minute mean time to contain. This involved using AI machine learning to assist their analyst teams while also reducing their false positives. In addition to their existing Palo Alto Networks spend, this customer is now platformized on network security, cloud, and security operations. There's a common theme developing across these platform deals.

While customers are consolidating and simplifying their security stack in part to optimize costs, the larger benefit comes from their improved security outcomes. This includes faster incident response times, a better user experience, and removing the operational burden of stitching together point products. As our customers recognize the value of platformization, they're increasing their commitments to us, thus reaffirming our strategy and vision. Now shifting to network security, which had a strong Q4. Network security continues to account for over 75% of our bookings, although over the last five years, we have transformed the nature of this business, and now over 60% of our network security bookings are driven by software form factors across SASE and virtual firewalls.

In addition to having an integrated platform that allows for a consistent pane of glass policy and more than 10 software subscriptions, we also continue to lead the market and gain share across the capabilities as a singular best-of-breed solution if our customers so desire. As enterprises look to secure increasingly hybrid workforces and IT environments in AI, we believe our platform's well-positioned to allow our customers of any of our products to consolidate on our platform. Our growing mix towards software form factors once again drove better-than-expected growth this quarter. Our software firewall business had another strong quarter in Q4, with ARR up nearly 20% year-over-year and almost double the total contract value.

As a result of the strong showing of our software firewalls and with our steady growth in hardware, slightly ahead of industry growth, we saw product revenue growth of 19% year-over-year, which is market-leading in its category at scale. Our software firewall market share is nearly 50%, and our product is native in all major public clouds. This quarter, we signed a $60 million deal, significantly expanded our partnership with a leading U.S.-based cloud provider. All in, we generated nine figures in deals across the major cloud service providers in Q4. As I shared earlier, we're also building momentum in AI runtime security with Prisma AI as customers look to secure the growing AI attack surface. In Q4, this included an eight-figure deal with a global professional services company. With a strong pipeline, we see an opportunity for AI to become a growing contributor in the next five years.

We also continue to gain share in hardware firewalls. As mentioned earlier, this past week, we launched PAN-OS 12.1 Orion, a new appliance designed to provide an easy path to quantum safe and multi-cloud security. We saw modest improvements in hardware demand in Q4, but expect this will continue to be a mid-single-digit grower in FY2026. All in, our next-generation network security business, which includes software form factors like SASE and software firewalls, reached $3.9 billion in ARR, up approximately 35% year-over-year. We believe this makes us the largest and fastest growing next-generation network security player at scale. Speaking of SASE, this continues to be our fastest growing product in network security. As customers transform their networks to keep pace with delivering first-class security capabilities for remote users and branch offices, we continue to see strong growth for SASE.

Many SASE projects are large and transformational, which is well suited for our comprehensive enterprise-focused expertise. This quarter, we won our largest SASE deal ever, a $60 million contract with a global professional services firm covering nearly 200,000 seats. This was in addition to a record number of eight-figure SASE deals. We're gaining share. Over the last year, we displaced incumbent SASE vendors in over 70 accounts, exceeding $200 million in TCV. Our SASE ARR grew 35% year-over-year, more than twice as fast as the overall market. We now have over 6,300 SASE customers and account for one-third of the Fortune 500. Meanwhile, the drivers of our SASE growth are broadening. This quarter, we once again saw particular strength in Prisma Access Browser. The browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional.

We sold over 3 million license seats in Q4 alone, resulting in our cumulative seat count more than doubling on a sequential basis to over 6 million. Notable deals include an over $3 million transaction with a leading U.S. pharmaceutical company who purchased Prisma Access Browser for over 80,000 seats. We are beginning to see browser wars as we see the adoption of AI. This is a requirement as we march towards agent. Interestingly, it will become impossible to allow employees access to non-secure browsers in the future. As more and more critical applications and data reside within the browser, it naturally becomes a target for cyber attacks. Prisma Access Browser's built-in controls and real-time visibility are designed to help ensure that sensitive data remains safeguarded during browsing sessions, regardless of the user's location or the application they're accessing.

We believe it is strategically positioned to be the future OS in enabling secure and productive work in an AI-driven world. We expect to see browsers become an integral part of the SASE stack for all of our customers. Moving on to Cortex and Cloud, we saw broad-based strength in Cortex and Cloud as well, with combined ARR up nearly 25% year-over-year in Q4. For years, the industry has been stuck in an old SIEM paradigm, collecting logs, writing rules, and overwhelming analysts with alerts. We saw the writing on the wall. This model is not sustainable in the age of AI-powered attacks. It's a battle that humans alone cannot win, and our customers are seeing it too. XSIAM, our autonomous SOC platform and our fastest growing product ever, is modernizing and disrupting the SOC market with AI, and we continue to see amazing milestones.

This includes reducing customers' mean time to respond from weeks to minutes. Today, over 60% of deployed customers cite mean time to respond in under 10 minutes. We ended Q4 with approximately 400 customers in XSIAM, and the average ARR per customer continues to be over $1 million. Nearly a quarter of XSIAM customers are represented in the Global 2000, creating a marquee list of referenceable customers across a number of major industries. Beyond XSIAM, Cortex XDR saw deals over $1 million grow 30% year-over-year. As we continue to build on our industry recognition, we are seeing opportunities in larger accounts. I also want to highlight the growing significance of Cortex Cloud. As the market shifts from static posture management to the urgent needs for real-time runtime security, our thesis on the convergence of cloud security and security operations is proving correct once again.

This is where we are fundamentally different from the competition. While others may offer a strong cloud posture tool or a separate SIEM, we're the only ones to natively unify a best-in-class SIEM app with our AI-powered SOC platform. This allows our customers to move beyond simply reporting on misconfiguration, instead actively stopping cloud attacks in real time. Cortex Cloud allows our customers to not only shift left to secure applications during development but also shield right, protect them in production. The platform is already gaining significant validation. It was recently praised for its ability to fully secure the entire lifecycle of cloud-native applications and has achieved federated API authorization, a critical credential for our public sector customers. This product set is resonating with the market, and early interest has driven a strong pipeline, spanning hundreds of customers who understand the need to stop cloud attacks in real time.

Our platforms are a powerful data-centric engine for organic innovation. Our core thesis is that the integrated data we capture from across network, cloud, and security operations is the ground truth needed for a whole variety of security use cases. For AI to be effective, it needs this complete contextual data, a capability unique to our platform approach. This massive data stream is what makes our XSIAM platform so effective in its primary wartime mission of stopping active threats. As the slide illustrates, we're now leveraging the same powerful data to expand into new peacetime missions. By applying our AI to this rich dataset, we are organically creating new modules and expanding into new TAMs like exposure management and email security. This represents an $18 billion opportunity for us in fiscal year 2026 and beyond. We see significant upsell opportunities from these modules as they attach to larger XSIAM deals.

We're encouraged by the early customer feedback on these new capabilities. This is our data-to-market engine in action, allowing us to explore new frontiers in security and deliver continuous value to our platform customers. To close, we're exiting FY25 with strong organic momentum as we march along our path to that $15 billion target. Our bookings and RPO accelerated this quarter, driven by large deal traction and a sharp focus on excellence in execution. The results of our customer-centric strategy are clear. We're seeing more customers platformize with us than ever before, not just to save money, but achieve a level of security that a fragmented approach simply cannot provide in an AI-driven world. This realization that platformization is the way forward is also the engine behind our strong Q4 results and our confident outlook.

We see broad-based strength across our network security, cloud, and SecOps segment, and a strong pipeline as a majority of core sellers are now equipped to sell across multiple platforms. We have strong early traction with Prisma AI, and with our relentless focus on innovation, we believe Palo Alto Networks can be the ideal partner to help organizations achieve and secure their AI transformation goals. However, before I hand over to Dipak, let me also talk about what we see for FY2026. Looking ahead, we have multiple tailwinds driving our business in FY2026 and beyond. In network security, we have growing demand for software firewalls and SASE, which continue to grow well above the market. The higher mix of software gives us confidence in the sustainability of double-digit product revenue growth in FY2026.

We have multiple newer products contributing to our growth, including Prisma AI, secure browsers, each with large pipelines. In Cortex, XSIAM continues to deliver rapid growth at scale. AI is transforming the SOC, and we believe we are well-positioned to capitalize and win. Our migration to Cortex Cloud continues to progress. We believe we are well-positioned to capitalize as the market evolves from posture management to real-time security for AI. Of course, we've heard the market, and it's clear our customers are asking for comprehensive security platforms. Over the last seven years, I have been asked often, why are we not a player in identity? For the longest of time, I believed that identity was not at an inflection point.

As we saw the emergence of agentic AI, as we saw AI getting mass adoption, we're beginning to reach conviction that the identity market will inflect in the next 12 to 24 months. If you believe that we have been able to identify inflections in a good way at Palo Alto Networks, it is important for you to believe that we have this one right as well. Similar to our roots in network, identity is a key enforcement point for enterprise security. Unlike most of the forms of security, like network firewalls, identity is also a real-time product. Because of this, we believe that the future for identity will actually be owned by somebody who is well-prepared to take on the challenges of identity going forward, as opposed to a new player.

Hence, we have diverged from our original approach of going and buying first-in-market best-of-breed products to go and own market or categories. Instead, we believe the future in this category is going to belong to somebody who has already established a strong reputation and is a leader in identity security. As the widespread deployment of AI agents makes privileged access more important, we believe security, not SSO-focused identity vendors, are best positioned to address emerging needs, and that growth in PAM data and sensors will further solidify category leaders like CyberArk. Second, with 90% of our breaches involving stolen or mismanaged credentials, every user machine and AI agent should be considered a privileged user rather than just a small set of IT administrators. CyberArk's reach extends to over 8 million privileged end users and over 50% of the Fortune 500.

With the right product strategy and go-to-market acceleration from Palo Alto Networks, we believe CyberArk will be able to both deepen their penetration in PAM and target a significantly larger base of global IAM users and machine identities. Thirdly, the identity industry is lacking a broader platform. Today, over 100 vendors are vying to capture the customer's attention across multiple functional domains. These domains are converging as the complexity of stitching together disparate solutions and the rise in identity-related breaches push enterprises to favor better integration. We believe Palo Alto Networks can accelerate CyberArk's platform vision as they look to expand across multiple identity domains. By combining their leadership in identity security with our industry-leading AI-powered security platforms and our platformization approach, coupled with our go-to-market, we will be able to offer the most complete integrated security solution in the market.

We're building an evergreen security company that will define the industry for decades to come. After many detailed conversations, we have strategic alignment with the CyberArk team and a common culture of innovation. Following the close of transaction, we will optimize our combined go-to-market resources and continue to lead innovation. To provide some context, we have nearly 10 times the number of core sellers, and we see an opportunity to expand CyberArk's presence into our much larger 75,000 customer base. Overall, we believe this accelerates our mission to double the value of our joint businesses over the next five years. We are strategically entering this category now to define the next chapter of cybersecurity for the AI era. We look forward to providing more details on our strategy once we close the transaction.

Before I hand over to Dipak, I want to take a moment to speak from the heart on the important leadership announcement we made today. Our founder, our first innovator, and a true titan of this industry, Nir Zuk, has decided to retire after more than 20 years. When you think of Palo Alto Networks, you think of Nir. It is impossible to overstate Nir's impact. He didn't just start a company; he started a revolution with the next-generation firewall, forever changing the security landscape. Personally, it has been a privilege to call him a partner and a friend. The relentless competitive fire that defines our culture, that is his legacy. It is in our DNA. His legacy isn't just in our products; it is in our people. To Nir, on behalf of every single one of us, thank you.

This marks a seamless and natural transition as we pass the torch to Lee Klarich, who will now serve as both Chief Product and Technology Officer and as a member of our board. For years, almost as many as Nir, Lee has been the chief architect of our product strategy, masterfully turning our vision into the industry-leading platforms we have today. Appointing him as both CPO and CTO and to our board of directors is a reflection of the profound trust we have in his leadership. This ensures the soul of our innovation not only continues but accelerates into the future. With that, let me pass on to Dipak.

Thank you, Nikesh, and good afternoon, everyone. To maximize our time spent on Q&A, I will provide you with financial highlights of Q4.

You can review the detailed results in our press release and in the supplemental financial information on our website. In Q4 2025, total revenue was $2.54 billion and grew 16%, above the high end of our guided range. Within total revenue, product revenue grew 19%, driven by growth in software form factors, while total services revenue grew 15%. Within total services, subscription revenue grew 17%, and support revenue rose 11%. In the fourth quarter, 56% of product revenue was from software form factors, a significant driver of product revenue growth year-over-year. On a trailing 12-month basis, the proportion of our product revenue from software surpassed 40%, driven by growth in our software firewalls form factors and PAN-OS SD-WAN. We continue to see firewall appliance growth in line with the ranges that we have described in past periods, namely 0% to 5%.

Moving on to geographies, we saw double-digit growth across all theaters, with the Americas growing 15%, EMEA up 19%, and JAPAC growing 13%. We saw strength across our major verticals and saw a year-over-year bookings growth improvement in our public sector business. Remaining performance obligation, or RPO, grew 24% to $15.8 billion. This was our highest RPO growth in seven quarters at a significantly larger scale. Our current RPO was $7.0 billion, growing 17% year-over-year. As Nikesh noted, we saw customers making significant commitments to our platforms in Q4, as reflected by a large deal volume, net new platformizations, and RPO growth. Contract duration in the quarter increased slightly on both a year-over-year and a quarter-over-quarter basis, but remains within our historical range at approximately three years. Turning to next-generation security ARR, where we continued to see very healthy growth.

We ended the quarter at $5.58 billion in NGS ARR, which grew 32%. Q4 NGS ARR included approximately $17.5 million in support, where customers also purchased Strata Cloud Manager. For context, this AI-powered unified management platform, which utilizes rich telemetry to deliver deeper insights into threats, has significantly improved user experience and much faster mean time to resolve issues for our customers. We expect this to be a growing contributor going forward, but remain immaterial to total NGS ARR. We added approximately $490 million in net new NGS ARR in Q4, up 12% from a year ago. Our momentum was broad-based this quarter. Notable growth drivers included software firewalls, SASE, and XSIAM. AI ARR is now approximately $545 million in Q4, up over two and a half times year-over-year. Moving down the income statement, total gross margin was 75.8%. Product gross margin was 76.8%.

As we closed fiscal 2025, we undertook a comprehensive review of our inventory, leading to Palo Alto Networks taking a reserve for excess and obsolete inventory and spares. This was a deliberate and prudent step, taking a disciplined and conservative view of our product lifecycle. This action solidifies our balance sheet and ensures we're well-positioned into fiscal 2026 and beyond. That being said, we expect product gross margins in fiscal year 2026 to increase relative to 2025 and be in the high 70% or low 80%. As I have mentioned in prior quarters, we've been transitioning our primary manufacturing and fulfillment center to a contract manufacturing facility in Texas, to provide us with the benefit from scale and innovation, as well as to take advantage of a foreign trade zone that can help us mitigate the impact of any potential tariffs on products we ship to international customers and destinations.

We continue to believe that we differentiate ourselves in the industry by being the only pure-play cybersecurity firm to assemble all of our hardware in the U.S. at scale. As a result, the impact of tariffs on our business has been immaterial. Total services gross margin was 75.5%, a slight sequential increase from Q3. We are pleased by the sustained growth in our SaaS offerings and are executing on cloud cost efficiencies, including engaging with our cloud service providers to negotiate favorable procurement arrangements as the scale of our cloud-hosted products continues to grow. We continue to deliver profitable growth through the expansion of operating margins, which encompasses the gross margins that I just discussed. In Q4, we expanded operating margins by 340 basis points and delivered operating margins above 30% for the first time in the company's history.

On an annual basis, operating margins of 28.8% came in above the high end of our guided range as we drove scale and efficiencies across sales and marketing, R&D, and G&A. Diluted non-GAAP EPS was $0.95 and also came in ahead of the high end of our guided range. Turning to the balance sheet, you will see that our debt balance came down by $383 million as our 2025 convertible notes reached maturity in June of this year. These notes were settled in cash and equity in Q4. We did not repurchase any shares in Q4, and our buyback strategy remains opportunistic. We have $1 billion in authorization remaining through December 2025. As many of you have heard from me in the past, we are focused on delivering profitable growth, and every decision we make is made within the context of maximizing long-term total shareholder return.

For that reason, I'm extremely proud that Palo Alto Networks has delivered results that were above the rule of 50 for the last five years. We are unique in our ability to deliver top-line growth with leading free cash flow margins at a level that is best in class among scaled enterprise software companies. As you will see shortly, we expect to once again be above the rule of 50 in fiscal year 2026. As Nikesh discussed, our ability to deliver sustained growth can be attributed to both our continued focus on innovation and our platformization strategy, which is driving bigger deals for us and better outcomes for our customers. On the free cash flow side of the equation, we've been able to expand our operating margins, providing a higher floor for our free cash flow while improving our visibility to said cash flows.

Critical to our ability to be a continued rule of 50 company has been the scalability of our business across every line item of the P&L. Since fiscal 2022, we've expanded our operating margins by almost 1,000 basis points, and we expect to continue to deliver expanded operating efficiencies in fiscal year 2026 and beyond. Our ability to expand operating margins has enabled us to deliver sustained high free cash flow margins while steadily managing an increase in demand for deferred payments. We've been moving through this transition since fiscal 2021, and as we lap deals with deferred payments from prior periods, we have an increased visibility into our future free cash flows. As I mentioned earlier, we delivered $3.5 billion of free cash flow at 38% margin in fiscal year 2025.

We had visibility to approximately 40% of that free cash flow from deferred payments on deals signed prior to the fiscal year. We continued through this transition to deferred payments in fiscal 2025, and we expect about half of our fiscal 2026 free cash flow to come from deferred payments deals signed in fiscal 2025 or earlier. Looking forward, we continue to see future free cash flow supported by ongoing operating margin expansion and a continued smooth transition to deferred payments. Specific to that topic, we continue to see increasing demand for annual payments, particularly on larger deals. We're absorbing this transition whilst maintaining our best-in-class adjusted free cash flow margins and guiding 2026 adjusted free cash flow margin of 38% to 39%. With that, let me turn to guidance.

The Q1 2026 and fiscal year 2026 guidance I will provide is for Palo Alto Networks on a standalone basis and does not include any anticipated impacts on the proposed acquisition of CyberArk, announced on July 30, 2025. For the fiscal year 2026, we expect NGS ARR to be in the range of $7.00 to $7.10 billion, an increase of 26% to 27%. Remaining performance obligation of $18.6 to $18.7 billion, an increase of 17% to 18%. Revenue to be in the range of $10.475 to $10.525 billion, an increase of 14%. Operating margins to be in the range of 29.2% to 29.7%. Diluted non-GAAP EPS to be in the range of $3.75 to $3.85, an increase of 12% to 15%, and adjusted free cash flow margin in the range of 38% to 39%.

For the first fiscal quarter of 2026, we expect NGS to be in the range of $5.82 to $5.84 billion, an increase of 29%. Remaining performance obligation of $15.4 to $15.5 billion, an increase of 23%. Revenue to be in the range of $2.45 to $2.47 billion, an increase of 15%. Diluted non-GAAP EPS to be in the range of $0.88 to $0.90, an increase of 13% to 15%. We've included our modeling points in the presentation for your review, but I would like to highlight two areas. Firstly, we expect Q1 2026 product revenue growth to be approximately 20%, and we expect fiscal year 2026 product revenue growth to be in the low teens. This is largely driven by strength in our software form factors within product revenue.

Furthermore, we expect our top-line seasonality to continue to be second half and Q4 weighted as we continue to platformize with our customers. Finally, I'd like to give an update around our financial expectations for the combined Palo Alto Networks and CyberArk. As you can see, we are pursuing this acquisition from a position of strength and are excited about our integration efforts post-close. Based on our continued operating margin expansion and visibility to free cash flow and our continued smooth transition to deferred payments, we're targeting adjusted free cash flow of 40% plus for the combined company in fiscal 2028, the first full year post-integration. This target assumes the impact of M&A-related synergies. We intend to provide more details on the full scope of synergies post the closing of the transaction, which we continue to expect will happen in the second half of fiscal year 2026.

We are excited about the outcomes that the combined Palo Alto Networks and CyberArk businesses will deliver from a security perspective, as well as from a TSR perspective for the shareholders of both companies. With that, I will turn over to Hamza for Q&A.

Sorry about that, slight technical difficulty. To allow for broader participation, I would ask that each analyst ask only one question. The first question will be from Rob Owens from Piper Sandler, followed by Brad Zelnick from Deutsche Bank.

Thank you, Hamza, and good afternoon. Thanks for taking my question. I was hoping to get a more strategic view on security consolidation, both from your perspective, where we're at now, as well as any anecdotes you can share from customers. As you well know, security is one of the most fragmented IT markets of scale, with Palo Alto Networks as the independent leader, but still only kind of a mid-single-digit share relative to spend right now. While platformization in your SecOps strategy was clearly aimed at playing to this convergence, can you speak to the rise of agentic right now and how it's catalyzing this market need? Thanks.

Rob, thanks for your question. I guess we should be more strategic in our answers. The consolidation is 99% perspiration, and you see that. That is why we've set ourselves on this plan of platformization. I think the reason we highlighted a $50 million ARR deal, that's a big number in technology, whether it's cybersecurity or anything else. That tells you the art of the possible. If one was able to consolidate the entire security spend of a large customer, you can get up to $50 million in ARR. If you look around our landscape, many companies are still reporting million-dollar customers, right? If the art of the possible is $10, $20, $50 million in ARR, that shows you that's where consolidation is headed. Now, historically, whether it's CRM, whether it's ERP, whether it's HR workflow, it's ITSM, all these markets have started as fragmented markets.

They've just been around 25 years longer than we have. If you play this movie 10, 15 years out, there's no reason why our install base of platform customers should not continue to rise at the pace we're trying to predict it's going to rise. Can I see ours going from 6% to 8% market share to 15%, 20%? Yes, I can. Is it going to happen in one quarter? Unfortunately not. It's going to take us this sort of deft art of convincing our customers to platformize with us, giving them good experiences on one platform, evolving them to the next one. I'll tell you, the benefit of AI is we're down to a 25-minute attack, right? It's no longer how much money are you spending to protect yourself. The question is how quickly are you going to find it and how quickly are you going to stop it.

If the answer is more than 25 minutes, I got news for you. These wonderful agents are going to come and make sure they're able to exfiltrate data and breach your enterprise. It doesn't matter how much you're spending in under 25 minutes. To get there, the only way to get near real-time is to have some consistency in your platform where data talks to each other and you're able to run agents on top of it. We can't run agents on top of disparate infrastructure. There's no agent out there that understands three different firewall vendors in your infrastructure, two SASE vendors, a browser vendor, and seven other vendors on top. If there's one, we'd love to hire it. I think agentic is only going to make this worse because there are agents that bad actors can deploy to try and breach you.

I think from our perspective, you know, AI is going to act as an accelerant towards the desire to consolidate. Customers are beginning to feel the value of consolidated data, not just in security, in other areas as you can see. I think it's all good, but you know, it's going to have to be heads-down execution. In that light, and I'm sorry for taking so long to answer your question, like, you know, that's what's driving us to say, look, we need to get identity as part of the fold because identity is, you know, I sort of have a word in my script which I didn't say. Maybe it's time for an identity firewall. Why is there no real-time clearing of identities in an enterprise? It's disparate and spread across seven or ten different identity providers. Thanks, Rob.

Thank you. Thank you, Rob. Next question will be Brad Zelnick from Deutsche Bank, followed by Saket Kalia from Barclays.

Speaker 2

Great. Thank you very much for taking the questions, and congrats on a monster near $5 billion bookings quarter. Nikesh, if you reflect back on the underlying drivers, how much of this is strong execution versus maybe improved macro since April versus seeing the fruits of platformization play out? Is the platformization benefit still very much ahead of us?

Speaker 0

Thank you. First of all, thank you, Brad, for your positive note on our stock most recently. You found a low point to reestablish your credibility with us, so thank you. That notwithstanding, I want to say it's the platformization story. I think it takes a while to take our thousands of sellers out there, get them to understand that the value is in platformization and being able to multiply and deploy all of our products in a consistent fashion. I don't think the macro is bad. I think the macro is fine. I think the challenge that you've been seeing is something that Rob just talked about. We still have fragmented players in the industry. You get trapped in a hardware-only business. If you only have a hardware business, you don't have a software firewall where you have 50% market share.

You're not going to have double-digit product growth on a consistent basis. If you're not taking share in SASE and you only have SASE to deal with, then you're stuck in a situation where you're losing share in SASE and you're still fighting three vendors in every SASE, sort of, you know, POC or SASE deal. If you're not innovating, you're not out on the browser game, then you got to watch out because the world is moving towards browsers. I think it's a combination of the innovation roadmap, the conviction of the customer that we have now demonstrated over the last five years that we will rush to deploy and embrace a technology that's out on the market. Two years ago, we didn't have a browser. A year ago, we didn't have an AI firewall.

Our customers see that and say, look, I know that if I commit to your platform, I will see a path to the next technology out there. I think it's partly us building conviction with our customers that we will provide them an evergreen path. I think it's partly the fact that people feel that there is a need to consolidate to get a better security outcome. I think macro is still what it is. I think the Fed is finally coming out of its machinations of a new administration trying to figure out how to keep business as usual going and how to make sure that we continue to protect the nation. I think from all those perspectives, macro is fine. I think there's no big step up or step down in macro.

Now we'll see what happens moving forward, but I don't see anything different in the market going forward. I think we can continue to see the benefits of consolidation. As always, there's always the Q4 magic, as you all know. There's no magic to July 31st, but there is magic to Q4. I think part of what you're seeing is our team saw that they were executing really well, and they put their foot in the accelerator.

Speaker 2

Very helpful. Thank you.

Speaker 0

Thank you, Brad. Our next question is from Saket Kalia from Barclays, followed by Gabriela Borges from Goldman Sachs.

Okay, great. Hey guys, thanks for taking my question here. Nice finish to the year, and congrats to Lee and Nir on their respective next steps. Nikesh, maybe for you, I'd love to dig into the network security ARR a little bit more, particularly the form factor shift in firewall. You've talked about sort of more of a move to software there driven by cloud transformation. Maybe the question is, why do you think Palo Alto Networks is taking share in the software part of the firewall market? How do you think about lifetime value there versus appliances, if that makes sense?

Let me have our new board member first answer the form factor shift from a technological perspective. You have to do a little bit of visionary stuff as Chief Technology Officer. I'll talk to you about the numbers. Go ahead.

Speaker 2

Thank you, Saket.

Hey, Lee. Congrats.

Thank you very much. Look, if you think about the hardware space, it started in 1994, 1995, just to give you a sense of like how long that space has been around, whereas the software network security market is much more recent. As customers made their shift toward the cloud, a lot of the sort of incumbent vendors sort of treated it as a secondary market, possibly defeatured something that was hardware-based, put a little spit and shine on it. The reality, though, is the cloud environments require a lot more focus than that. It's not just someone else's network and you put a software firewall into it. There's a lot of unique innovation that has to be driven. You saw this over the last few years from us. We launched Cloud NGFWs, which are designed to be sort of native cloud-native firewalls. They're not just a virtual appliance.

They're actually designed to fit seamlessly in the cloud. With the PAN-OS Orion launch from last week, we talked about cloud networking and building out a whole cloud networking fabric that connects into that, not only for our Cloud NGFWs, but also for our AI firewalls that run the cloud as well. I believe our traction and success in software firewalls is the amount of dedicated attention we put on them to drive unique innovation that's specific to their deployment needs. We see it. We see it in the numbers, and we see it in the customer traction we get.

Speaker 0

Look, I think part of what you're seeing from a why now is originally the view was that people will go with one cloud service provider, make that the mainstay of their cloud migration, and that's where you're going to get some of this network security capability. Today, if you look at a Fortune 500, I'd say it's 80%, 90% of the customers are multi-cloud. It's hard to find a single cloud customer out in the market unless you're the cloud provider yourself. Even they have sometimes too because they make an acquisition with somebody else who's using a different cloud provider. The moment you start having multiple cloud providers, if you want a single pane of glass, you need to go off one of them and come to something like Palo Alto Networks.

We're the only player in the market which has native embedded software firewalls in all of the cloud providers. You want one pane of glass, and as a native firewall in all cloud providers, you come to us. That's one reason. Two is what you've noticed now, more and more production applications are in the public cloud. When they get there, there is no excuse not to have a firewall protecting that instance. I think from both those vantage points, it's that software firewall time has come now. The good news is, as you'd appreciate, hardware, we ship a firewall, customers sandbox it, test it, deploy it, takes six months. Software firewalls can get turned on overnight. You can provision them in under 24 hours. You can scale them as soon as you want. There's no lag.

You can upgrade them from a software perspective instantaneously, as in when we deploy an upgrade, it gets deployed to all of our customers. I think from all those reasons, it's a much more efficient security appliance, in a way, software appliance, than you could ever get with hardware. You're seeing that. I think from a lifetime value perspective, it's kind of interesting. We announced a $60 million deal with one company for software firewalls, TCV, this quarter. It's been a long time since we did a $60 million hardware firewall deal from a TCV perspective because that would require you to buy, I don't know, at least 3,000 firewalls. Nobody's buying 3,000 firewalls.

Very helpful. Thank you.

Speaker 2

Just to build on that, Saket, we'd said multiple quarters ago that the transition from a hardware firewall to software firewalls is roughly the same in terms of revenue. Nikesh talked about how it's much easier to deploy. On SASE, actually, the lifetime value ends up being about 2.5 times larger than it typically is on a hardware firewall.

Appreciate it. Thanks, guys.

Speaker 0

Thank you. Up next is Gabriela Borges from Goldman Sachs, followed by Matt Hedberg from RBC.

Hey, good afternoon. Thanks for taking the question. Dipak, I wanted to follow up on some of the mixed commentary within NGS ARR from last quarter. Give us a little bit of a sense as we look through this year on how you're thinking about the advanced attached subscription versus the emerging portfolio mix in NGS ARR. To Saket's question on software firewalls, do you think we can see similar step-ups in growth in software firewalls such that they contribute similar amounts to the growth algorithm for NGS ARR? How durable is that as a growth driver? Thanks.

Speaker 2

Yeah, so I think, Gabriela, maybe just the meta point is we're pretty much over a lot of the transitions of our advanced subscriptions at this stage. Like we alter the definition really based on feedback from you to make sure that it's easier what's excluded at this stage, which is really just hardware firewalls and legacy subscriptions and support. We will continue to see step-up from those things that are legacy that we can transition over. The reality is we're now more and more as the growth is coming from fast, durable next-generation products, whether it be software firewalls, whether it be SASE, whether it be XSIAM, and some of the newer products that we're launching, like Prisma AI, that will also be significant contributors to growth.

Thank you.

Speaker 0

Thank you, Gabriela. Next question is from Shaul Eyal at Cowen, followed by Joe Gallo from Jefferies.

Speaker 5

I'm glad. I think you had Matt ahead of me.

Speaker 0

Oh, I'm sorry. Matt, please go ahead. Then Shaul Eyal from Cowen.

All right. Cool. Thanks, Hamza. The top-line results are super impressive. I have a question for Dipak. The 40% free cash flow margin by 2028 is also equally impressive. Maybe a question for you or even Lee from a product integration perspective. Can you talk about some of the underlying components of how you get there and sort of your confidence level on that? That is obviously, I think, well above what a lot of us thought post-integration.

Speaker 2

I mean, we wouldn't be guiding to it if we didn't have confidence in it, Matt. I think it's really underpinned by the operating margins. You've seen a lot of operating margin expansion occur over the last three years. We feel very confident that we have a business model that scales at every single line item of the P&L. I've talked through that before. We're a low capital, you know, like business model, which always helps from a free cash flow point of view. I'd say a pretty high degree of confidence. I think the meta point is when the strategy is to platformize and customers are buying into it and we're cross-correlating the data, that really helps us scale well as a company. That helps scale very well from a cash point of view as well. That's effectively what we're seeing as we guide into the future.

Speaker 0

I'd add to what Dipak just said. I think he's also, he showed you a bit of a slide about how we feel like some of our free cash flow has been sat upon because of the transition from, you know, effectively, yeah, and towards annual billings. Now, given that a majority of our business has shifted towards annual billings, we know that the rest is still going to be upfront cash. Given that, we get a sense that we'll get some relief on the free cash flow margin in the next 24 months. I think putting all those together in a box and mixing it, we believe we definitely can achieve more than 40% margin. Of course, it'll require some degree of work with our CyberArk colleagues and partners when we get this deal done.

We feel confident that they're equally aligned in terms of what we want to achieve.

Thanks, guys.

Okay, great. Up next is Shaul Eyal, and we'll wrap it up with Joe Gallo from Jefferies.

Speaker 5

Thank you. Good afternoon, everybody. Congrats to everybody. Nikesh, enterprise browser momentum and also browser wars. These wars, are these with privates? Are these with some other players out there? What's the thinking along these lines?

Speaker 0

Good question. Look, if you look at what's going on, it's kind of sometimes it's better to be lucky than good, right? We bought the browser because we felt there were certain use cases like VDI or third-party contractors or mobile devices which are not covered by SASE. We literally bought the browser business thinking we were going to cover these edge use cases, and life will go on as normal for regular employees of VPNs or SASE clients. We built that strategy, and we see a lot of adoption from a third-party contractor as well as VDI perspective, and we continue to make progress there. What happened about six to eight months ago, you started hearing that the only way to deploy agents successfully for many consumer use cases is a browser.

If you want to make a reservation on booking.com and book an OpenTable reservation, or you want to, suddenly, to run agentic tasks, you need to control the browser. That's what Anthropic is figuring out. That's what OpenAI is figuring out. That's what Perplexity is figuring out. That's what Google is figuring out. Now, suddenly, you're beginning to see these, let's call it consumer browser wars that are beginning to start. Microsoft's going to come back with more agentic features of browsers. Effectively, you deploy a browser in your device, which is going to start doing agentic tasks for you. What's great for the consumer is dangerous for the enterprise, right? No enterprise is going to love a do-as-you-please browser which can run agents without control. How do you control agents in a browser for an enterprise employee? You need a secure browser.

You literally will come to a point where companies will say, you cannot use a consumer version of this product. Think about it. It happens in enterprise all the time. You're not allowed to use a consumer version of DocuSign. You're not allowed to use a consumer version of Dropbox. You're not allowed to use a consumer version of a SaaS app in enterprise because it's missing the enterprise controls. If you believe that agentic true future is coming through browsers in the future for the desktop, then you have to believe that that case for a secure browser just became a mainstream case in the enterprise use case. That's what I meant by the browser wars in consumer are going to drive the acknowledgment that we need to solve the browser problem in enterprise. It's going to become a critical part of your SASE stack.

Understood. Thank you so much. Appreciate it.

Thanks, Shaul. Our last question will come from Joe Gallo from Jefferies.

Hey, guys, thanks for the question. Saw the blended Cortex and cloud numbers, but can you just talk more about cloud security specifically in detail? How's that doing? Are customers gravitating towards that runtime agent architecture, and then any changes in the competitive landscape post the Wiz acquisition?

Look, I think the thesis we had with cloud security when we decided to make the change and launch Cortex Cloud was that the different elements of cloud security are all interconnected, from application security to cloud posture security to runtime security and cloud SOC. I would say, six months since the Cortex Cloud launch, our belief and conviction in that thesis is even stronger. It is very clear that attacks are happening faster. We know that as more and more enterprises move into enterprise-critical applications of cloud, that means cloud runtime protection becomes even more important than ever before. Nikesh made the comment of sort of both shift left and shift right. There's the shift left aspect, which is how do we shift left all the way to the beginnings of code writing and application security.

You saw us a couple of weeks ago launch application security posture management, which is our approach to making sure that everything developed for the cloud is done in a secure way, such that what is deployed in production is as secure as it can be. With exposure management, we can then tie that across not only cloud, but enterprise, tie into runtime, etc. Our conviction in that is still very, very strong. We're seeing the response from our customers of being aligned with that strategy. Now it's a question of a lot of execution to take our customers through that transformation, that journey over to Cortex Cloud.

Thank you.

Okay. With that, we'll conclude the Q&A portion of the call, and I'll turn it back to Nikesh for his closing remarks.

Speaker 2

I'll add to that. Thank you again, everyone, for joining us today. I also want to once again say thank you to Nir for all his visionary leadership at Palo Alto Networks, and congratulations to Lee Klarich, our newest Board Member, who will continue our technological vision going forward. I look forward to seeing many of you at future conferences. I also once again want to thank our customers, employees, and partners for helping us deliver a wonderful quarter and end of the year. We look forward to FY26. Have a great day.