Palo Alto Networks, Inc. (PANW) Goldman Sachs 2023 Communacopia & Technology Conference (Transcript)

Palo Alto Networks, Inc. (NASDAQ:PANW) Goldman Sachs 2023 Communacopia & Technology Conference September 7, 2023 6:45 PM ET

Company Participants

Nikesh Arora – CEO

Conference Call Participants

Gabriela Borges – Goldman Sachs

Gabriela Borges

Good afternoon. And thank you for joining us at the Palo Alto Networks keynote at the Goldman Sachs Communacopia & Technology Conference. I’m Gabriela Borges, I cover emerging software here at Goldman. And I’m delighted to have on stage with me, Nikesh Arora, CEO, of Palo Alto. Thank you for your time.

Nikesh Arora

Thank you for having me. What did you pay all these people to stick around?

Gabriela Borges

Yes, it’s a great reason to anchor the end of the conference.

Question-and-Answer Session

Q – Gabriela Borges

I wanted to start on the milestones of the last five years. And I think about the learning curve that you talked about when you first joined the Company, the technical debt and building up the product portfolio going from one platform to three platforms. And I want to ask a forward-looking question, which is, what do you think the one or two milestones are that will define the next five years of the Company?

Nikesh Arora

That’s a good question. You say you’re going to ask me questions that haven’t been asked before that has not been asked before. Look, the way I see it, and five years ago, when we got — when I got in this business, it was fascinating to see there’s only 1.5% share that the largest cybersecurity player had in the space, which is unlike any other tech sub vertical. There are players who have much larger shares in most verticals. You said that and analyze there are 3,000 cybersecurity companies and the largest has 1.5% share. There is something structurally wrong or different about the industry. And what you realize is that the bad actors are constantly innovating. Every time we figured out how to fix what they have used as a threat vector, they’re busy chasing the next threat vector. So it’s bizarrely enough the most innovative industry in the world because the bad guys move on to the next thing when you’re blocking the last thing. And you’re busy selling the last thing to bunch of customers for 10 years and they’re on to the next thing. So if you look at the history of cybersecurity, it’s littered with companies that are amazing for 10 years and then they sort of stick around and sort of stabilize or stall at a certain place. I think you realize that part of the reason is that most of these companies are winning in their swim lane don’t think about the new swim lanes that are being created while they’re there. So we did that and the general pushback from investors and customers was, I don’t want to put my eggs in your basket just because you have multiple products.

So we said, what convinces them? We looked and said what normally convinces them is if people are in the top right quadrant in enterprise, the Forresters and Gartners of world. So we said about saying, let’s create our products in the swim lanes, but the benchmark has to be [indiscernible] we have to be in the top right quadrant. So now we’re in 17 top right quadrants in five years, this has not been done in tech before. There’s possibly two companies, possibly because I haven’t done all the research, but I think Microsoft might have done it and IBM might have done it some point in time. There’s no fourth tech company who has 17 top right leadership quadrant position. So, we established that we can build best-of-breed cybersecurity products and then we started to platformize. We have three platforms, network security, cloud security and SOC transformation. I think in the next five to 10 years, it is not infeasible that there will be consolidated platforms in cybersecurity and eventually the equivalent of a Workday or a Salesforce or a ServiceNow starts to develop in security, that’s our aspiration. We want to be that company, which has double digit market share, if not more, in the space that should be the milestone we aspire for.

Gabriela Borges

Do you think you can get there with the three platforms that you have today?

Nikesh Arora

Yes. Yes, I think our newest platform around the SOC is — has tremendous potential. I think that’s kind of the integrated platform. Most of our competitors in that space are 15 year old tech. I think it’s the CrowdStrike, Palo Alto, SentinelOne moment that happened to endpoints, which is happening to SOC except to standard SOCs.

Gabriela Borges

Let’s stay on the theme of SOC. And I want to think through a little bit how the data set that you have is differentiated because you are collecting telemetry across the three platforms. So maybe as the first part of that, talk to us about the R&D synergy that occurs from being able to connect the dots across the different types of data that exist in an enterprise.

Nikesh Arora

Great. So let’s step back for a second. The traditional approach to security is there is this thing called SOCs. You try to protect an enterprise by buying a whole bunch of security software and every piece of security software, either block something bad or sends an alert saying, hey, here’s a problem, go figure it out yourself to your customer because you have 40 different security vendors, and I don’t know what do with that, and this thing went into a thing called SOC and you had a bunch of analysts who would figure out what happened and you store a lot of data. And the bad actors were taking on average 20 days to breach you and steal data. So you had 20 days to go figure out what happens. And people would analyze the data in Splunk or ArcSight or QRadar and prioritize stuff and figure out what happened. Well, guess what? Now that is happening, the fastest we’ve seen is 5 hours. Getting in, stealing a terabyte data, going out of the enterprise in 5, 11, that’s the spread, between 5 and 11 hours. The mean time to fixing a SOC is still six days because this is a problem that is not going to fix itself. The only way to fix the problem is stop collecting data and analyzing it later is to start analyzing it as you collect the data.

So we’ve spent five years building that tech. 45% of data in most companies is firewall data from Palo Alto. 40% of your data comes from the endpoint, that’s 85% of data. You can cross curate all the other 15% across 700 vendors against that 85% data. We built the tech even just within Palo Alto, we analyzed 76 terabytes of data per day. We’re the largest user of BigQuery in the world, that’s just with the customers we have today. We have 35 customers where we do the software. We have 62,000 customers with firewalls. So I’m talking we have the most amount of data in security. We use that cost correlation — our first 10 customers, we’ve taken them down from six to seven days to an average of 5 hours of fixing security. Our aspiration is to get them to under 1 minute, which is where we are. So eventually, security has to become real time. We are running 1,300 machine learning models in our product, which is what I like to call precision AI. So this is not ChatGPT or OpenAI, this is precision AI, 1,300 machine learning models, the models you’d want to drive your car. You don’t want ChatGPT driving your car, if it hallucinates, the bad idea.

Gabriela Borges

The technology that you’re using, the drinking your own champagne, so to say, to get your own SOC operations down to a minute in response time. Are there other vendors that you still need to leverage in order to be able to make that happen? Okay. And so then the question for your installed base is, where do you think customers are in embracing the evolution from endpoint to XDR to — or to XSIAM to full SOC transformation?

Nikesh Arora

This is early days. We just launched this product about nine months ago. We did about $200 million of booking the product in the last nine months, which was a surprise to me and most of my colleagues in the Company. We were amazed and surprised that how well it did for us in the early days. So we’re really sort of trying to scale it up across the board across every part of our company. What’s fascinating is this is the first time in the history of security I can show up with an outcome based product. Every other time it is, can your product do the following 200 things? I say, why are you worried about what 200 things I can do? What I can do, which nobody else is willing to offer you, I can take your SOC from six days to 5 hours. And we’re running case studies every one of our customers that we have sold, our aspiration event is to walk in and say, we can promise that we’ll bring you to hours. If you have enough data, I can prove that I can bring you to hours. And I don’t know if many of you might have noticed this, September 1st, it’s a red letter day in security. The SEC has required that every company has to disclose a breach in four days. That’s kind of interesting. You have to disclose in four days, it takes you six days to figure out what’s going on. For two days, you’re exposed, which means every bad actor in the world is going to be looking for SEC notification saying company X is breached, they’re still working on the fix.

Gabriela Borges

So we’ve seen examples before where regulation changes. And in theory, there is a hope that it changes the urgency on SOC transformation or on security transformation, and sometimes it doesn’t happen. Are you at a point where customers are paying enough attention that you’re seeing a change in the urgency because of something like SEC regulations?

Nikesh Arora

So Gabriela, that’s just kind of like the — that’s a conversation we’re having in the context of the next five to 10 years. You said, where does this miles don’t happen. So this is early days over there. We still do $9 billion of bookings and everything else that we do $7 billion of revenue there. So there’s a whole bunch of other stuff going on, too.

Gabriela Borges

Fair enough. So I’m curious, you mentioned a unique way in which SOC transformation is differentiated because of the outcomes based results. Are there other observations that stand out to you in how SOC transformation is different from network transformation and the types of network transformation that you’ve seen at Palo Alto Networks with SASE, for example?

Nikesh Arora

Yes. I think what’s interesting in network transformation and the SASE product is actually both a networking product and a security product. We’re actually running an operating service now for the first time as a company. We have north of 14 million users that we run operations for every day across possibly 2,000 companies in the world. So we’re slowly in-sourcing the network operations for companies. And basically, what’s happening out there from a network transformation perspective is that there is — without going through all the details, there’s a cost neutral transformation most customers are embarking upon, whether they place MPLS with SD-WAN, and they put security on top, in the middle. It’s still early days. I think about 15% of the market is transformed. There’s probably 85% more to go in the next 10 years. This is going to be $20 billion, $30 billion market. And I think as I’ve always said, there’s two and half players.

Gabriela Borges

So it’s interesting that you started this conversation with talking about the fragmented nature of security and 1.5 points of share are going to something that more accurately represents what we’ve seen in all those software markets. The other piece of this is what’s happening at the TAM level. And if I think through the evolution of security being tied to digital transformation and security bunches up into the right. The question I have for you is, do you think that the security TAM could grow faster over the next five years than what it has done over the last five years because of the next phase of, let’s say, AI catalyzed digital transformation?

Nikesh Arora

Possibly, but honestly, like it’s a 200 — our addressable TAM is north of $200 billion, and we have nine or seven in a year. Like I don’t need the TAM to grow faster. I just need to take more of the TAM. And that’s why we think we have so many more swim lanes now that we play in. And it’s highly efficient from a sales go-to-market perspective. It’s highly interesting from a customer interest perspective, from a partner interest perspective that we have. I think we have critical mass now as a security company. We actually are of interest to every customer, out of interest to every partner more so than most others. So I think it’s an execution question. Can we actually go out there and get more of the TAM. Is the TAM going to grow? Of course, it’s going to grow. You can find estimates between 5% to 15% but lots of smart people like yourself will tell you what the security TAM is going to grow in the next five to 10 years. It’s going to grow between 5% to 15%.

Gabriela Borges

So as you level up the conversation you’re having beyond just one piece of the security architecture to what I would describe as more of an architectural conversation or strategy conversation at the highest levels of your customer organizations. How do you think about someone like a Microsoft as a competitor, or even we had Google on stage earlier talking about their security business standpoint of security to their road map, how does the competitive environment evolve at the strategy level?

Nikesh Arora

The good news is when you start off with 1.5% share, there’s 98.5% you don’t have, right? You wake up every morning knowing you’re going to get — somebody is going to show up and punch you in the face and take business away from you. You wake up in the morning saying, every deal is going to be price competitive. You get a deal where nobody competes. You’re like, that was fun. How do I make that happen? So there’s going to be competition all over the place. And there are many people who compete with Microsoft or partner as well with Microsoft. I’d say there are some swim lanes where we’re possibly a few years ahead of them. And I think our task is can we run as fast and keep our competitive lead in that space? Hopefully. I mean, think about it. Security is approximately 5% of cloud spend and 10% of enterprise spend. So I think Google is too busy chasing AI and cloud, they should not be spending as much effort and time on the 5%, that’s where they’re focused. Microsoft possibly is going to do the same. We’re possibly three years ahead in SASE than most people. We just are the only one now in the leadership quadrant in SASE that Gartner just published. So our task is to make sure we don’t lose on innovation. We’re not going to. We’ve demonstrated that in the last five years. As long as we keep winning on innovation, I’m less worried about competition.

Gabriela Borges

Does the same level of commentary apply innovation versus competition equally across all three platforms? And the reason I ask is because network security, the market leadership there is in order of magnitude measurable in market share data, for example, relative to something like Cortex or cloud where it’s harder for us from the outside and to look at market share data.

Nikesh Arora

Yes. Look, on network security, we have the largest market share in hardware and software firewalls where we did $1 billion in bookings in SASE, which I think makes us the second largest player in SASE. Together, we are the largest player in network security. On cloud security, we’re the only multi-cloud vendor, which came to us 11 modules that give you cloud security. We did $500 million in ARR. Look the cloud providers have their own security tools. If you are multi-cloud, you’re going to have to use all those tools to give you one pane of glass. I think it’s early days in cloud and I said this to some of the investors earlier. I said, we’re possibly one of the top 10 users of GCP. If I was paying myself for my cloud security products I use to protect my cloud, I’d be spending $200 million a year. And we’re 500 on revenue on Fortune 500. There’s 499 other companies which possibly spend more money on cloud over the next 10 years. And if all I need is 5% of their cloud spend, I just need to make sure I’m there. I need to make sure they’re using my platform. And I need to make sure as they move to the cloud, this is the platform they use. So I think that’s a huge market in the future. It’s early days. It’s not a fully formed market yet. We’re not going to give up our innovation lead. We’ll see how that evolves. The SOC side, we’re the challenger, right? It’s a $30 billion market, which I think is going to be an $80 billion to $90 billion market because of AI in the next 10 years. And our question is, can we go maintain — create the momentum we have in XSIAM over the next 10 years and try and be the CrowdStrike of the SOC what CrowdStrike did to the endpoint market, I think we should be able to.

Gabriela Borges

Absolutely. So I want to focus the discussion now on to fiscal year ’24. And I remember you made a comment on stage last year on every year has a degree of unpredictability to it.

Nikesh Arora

Yes. Yes, I have not seen a normal year yet.

Gabriela Borges

And so my question to you is, how did the fiscal ’24 process planning compared to fiscal year ’23, are there are one or two things that stood out to you? I know you’ve talked about how cost of capital is impacting customer purchases. What was different this year?

Nikesh Arora

I think customers and companies are still absorbing the change in behavior. I think the idea that money was free for 10 years, you walk up to a customer and saying, here’s a three year deal. And the guy said, oh, what do you want me to pay you for three years, $10 million? Yes, I need $10 million now. Well, give me a discount, here’s 5%. No problem, $10 million here, like I’m making 25 basis points in my treasury. Now the guy is making 500 basis points on treasury. He wants a 15% to 20% discount to pay your cash upfront. Suddenly, people understand the cost of money. So suddenly, you have a choice. You can take the 20% discount, take a hit on bookings and revenue or you can take payments every year. That changes all the math that all the wonderful analysts are used to tracking, and they’re all like trying to figure out, is demand going away. Well, demand is there. Cybersecurity demand is growing. It’s a secular demand. It’s not cyclical. People are getting more petrified. The attackers are moving faster. The plant of cybersecurity has been chronically underinvested in. So this is a continued demand story. The question becomes an execution question, can companies execute in this market. What’s happening is you’re seeing all these sort of confounding effects which talk about cost of money, which is causing every — possibly every person who sat up here on stage has said, longer deal cycles and more scrutiny and hard to get deals done in 90 days, right? That’s all. We’re just absorbing that change in customer behavior. Demand is not changing, it’s execution is shifting.

Gabriela Borges

Why not make a more active shift towards one year billings duration where you can maximize annual billings as opposed to total contract value?

Nikesh Arora

Why?

Gabriela Borges

Because then you solve the value of money equation…

Nikesh Arora

I’m not trying to solve it. I’m trying to get — build great products and have my customers use it. I don’t — like 70% of my customers still pay me cash upfront. It’s good. It’s called cash flow. I like cash flow. So that’s fine. 30% just started paying me on an annual basis for getting financing. It’s transitioning beautifully. I still have mid to high 30% free cash flow margins. I think over the next 10 years, we can keep transitioning them to more and more annual buildings softly. While we do that, we’ll continue to maintain high free cash flow margins, much better transition. I’ve seen [CEOs] that do financial transformation, they get stuck in the middle, it’s a very horrible place to be.

Gabriela Borges

Okay. So in the context of the change in the buying environment. What were the key takeaways from sales kickoff? I know you spent a little bit of time previewing with us things like Cortex being sold through the core sales…

Nikesh Arora

Well, sales kickoff, the number one takeaway was don’t have it on a Sunday and have an earnings call on a Friday. But other than that, what did we learn in sales kickoff? Look, our big doubling down at this year’s sales kickoff is we’ve built our best-of-breed amazing products. We’re now pivoting to demonstrate the value of integration. For five years, people didn’t believe that integrated products need to exist in security. Now they’re beginning to — sort of beginning — many of our customers, they’d much rather have integration because not having the integration hasn’t made their breaches stop or hasn’t made bad actors go away. So they’re beginning to understand the value of integration. Our job now is to demonstrate the value of integration to UI. We showed some examples in our Analyst Day, our analyst call, if you will, how we’re going to make security be more useful from an indicative perspective. We’re going to keep doing that. Our sales team saw those screens. They were extremely excited because security companies are not known for beautiful UI. So we’re working hard on that, making sure we can demonstrate the value to our customers. Our sales was really excited about XSIAM. Our salespeople are in the right way economically motivated. And when they see you can do $20 million, $30 million, $40 million deals, that gets them more excited than doing $2 million to $5 million deals. So they were really excited that there’s a product now that’s hot, people want it, it’s got big dollars associated with it. So that was good. And people generally like the idea of hanging out together, who would have thought.

Gabriela Borges

Talk to us about the change that happens when you take a specialized product like Cortex this year or SASE last year and you introduce it to your broader sales force. Order of magnitude boots on the ground, how does that change the number of conversations your broader team is having?

Nikesh Arora

Yes, I think for context, for people, as we’ve — in five years, we’ve built three businesses of $1 billion each, right? And when you build a brand new business, you need people who understand the business really well. So you have a specialist sales force because you don’t want to pitch it wrong and you don’t want to disturb the existing business, because then you guys get all nervous that we’re losing sight of the core business. So you have to have your core team, you build a specialist team. Somewhat inefficient from a salespeople perspective, they end up sort of meeting with the same customer a few times, they end up causing a few — like some friction, but you do it because you want to make sure you can improve the product market fit. I think $1 billion is ample product market fit, that’s the bookings of many companies out there in cybersecurity. So once we get there, we think it’s time to now introduce that back into our core team because that’s part of our core business. And in the last five years, we’ve gone from 5,000 people to 14,000. 86 when company was new. We’re making sure that people we hire actually have the capability of being able to represent a much broader portfolio. So they usually come from places where they were selling a different portfolio. Firewalls are a lot easier to sell than SASE is, than cloud is, than Cortex is. So they can reverse into understanding firewall. So we’ve managed to get people out in the field who understand multiple products. And then last year, we merged SASE. We did $1 billion in SASE this year despite merging them with the core team. This year, we’re merging Cortex, we did $1 billion in Cortex this year. We’ll see if we can do better next year, because now 80% of our sales team can sell all these products.

Gabriela Borges

What is the milestone you’re looking for to be able to do the same with the cloud, or do you already have cloud training and enablement…

Nikesh Arora

So cloud is a — you like an annual billing ACV business, the one you want, right? It did $500 million in ARR, that’s more of a consumption driven business. We want to make sure people are consuming more and more cloud security, because it’s more certain education. You have to make sure cloud works end-to-end. They don’t like the dollars associated with monitoring every part of the cloud environment. So we have to keep educating on that process. Cloud is a substantially different persona in a company compared to traditional enterprise security and IT. So we’re going to hold off on trying to merge cloud with our core sales team. Having said that, when the core sales team or I get all the way to [CIRC], so we tell — I said everything. I don’t call my specialist to say, buy cloud. So at some level, we are able to sell the entire portfolio. But as you get down in the organization at a practitioner level, the whole sale is very different. It’s very hands-on, very demonstrative, it’s very — looking — show you how I spin up code here and here’s how it needs to get monitored, so more hands on.

Gabriela Borges

And based on the success that you’ve already had with Cortex, do you already have the buying relationships that you need with the key personas of the enterprise to be able to cross sell Cortex into the firewall space?

Nikesh Arora

We’re still working our way up there. Five years ago, we didn’t have products. We spent a lot of time building the products, started — a lot of time, doing product market fit. I think the next five years will be scaling our relationship with customers, both directly and through a lot of the partners. A lot of GSIs, a lot of service providers are interested in now working with us because we’ve become a sort of must have part of the portfolio. One of our products has to be there in most customers. And the SIs are recognizing that they much rather work with Palo Alto who has multiple products in the category, which are industry leading, then go find 17 companies to work with to find those 17 products.

Gabriela Borges

Yes. It leads to a nice question about the system integrator ecosystem, because we know that SIs have relationships with multiple point products to your point. So how do you go about converting or bringing over more SIs over to the platform approach? Can they collectively make the same amount of money or more money selling the Palo Alto platform versus the point products? What are the selling points that you communicate to them?

Nikesh Arora

Look, at the end of the day, the SIs are very often involved with large scale technology transformation for customers. They’ll do very large amounts of business, either they’ll build, they operate, they’ll run it. Sometimes, they’ll advise. So they are involved in multiple parts of this. Now the moment they get in the build and operate mode, they actually don’t want to deploy 17 products, they don’t deploy one, because it’s more sort of efficient it is for them to deploy one product, the more profitable possibly it is for them, the less error prone it is, the less amount of skills they need to learn 17 different products and deploy them. So it actually is a good thing for them to partner with a single vendor on multiple certain lanes as opposed to multiple vendors as long as the products are good and they will meet the requirements of the customer. So that is a prerequisite. You can’t go with bad products and security because they work together. You have to have a good product. So I think it’s a proposition, they continue to warm up to. There are some of them like Deloitte just launched an SSDL called secure software double life cycle. The whole thing is on Prisma Cloud and the Deloitte train their entire sales force on how do we go do better software development and make it secure, and the way you do it is by using Prisma Cloud as part of the underlying sort of the product solution, because eventually, the customer is looking how do I deploy this in my environment. So we deploy Prisma Cloud and that’s how you get a secure software at the life cycle or something similar to the SOC transformation, well, here’s the way to do it, what am I measuring in the end? Well, we need to figure out how long it takes to solve the security problem. Well, are you SI going to guarantee with that? Well, I don’t know. Well, I will.

Gabriela Borges

Absolutely. All right. I’m going to pause and go to questions from the audience. So I’ll come back to one of the older debates in the firewall space, which is physical versus virtual. And I’m curious, as you’ve had more success with virtual firewalls, how do you think about that TAM being substitutive versus additive?

Nikesh Arora

So I’d say the way to think about firewalls is basically any time a bit travels into your organization, outside your organization, you have to look at it. If you don’t look at any bit that comes in and out, it could be malware, it could be a bad IP address that your employees are going to, you need to inspect every bit. Traditionally, you call it a hardware firewall that inspected every bit that came into your data center and went out. Now your bits are going to the public cloud, you got to inspect them, but they can’t be inspected by your hardware firewall, you got to inspect them with the software firewall. You’ve got bits going into your 5G network, got to inspect them with the 5G firewall. You have bits from a laptop going into your data center or going to Workday or Salesforce or SAP, you’ve got to inspect that bit. I’ll tell you one thing. The amount of data that is floating is increasing way faster than any IT TAM or cybersecurity TAM. It doubles every year, so you have to inspect every bit. As long as you have to inspect bits, this concept of a firewall will exist. How you manifest the firewall doesn’t matter. It’s either hardware or software or SASE, that’s what it is.

So I would say the network security market is robust, it will stay robust for a very long time. Actually, software is much easier to maintain, it’s much easier to upgrade. I have customers who haven’t upgraded software for 12 months because they’re still testing it. In software, I don’t wait for them. I upgrade them anyway. My SASE customer is up to date every day. My hardware customers can be one year delayed on upgrading. One year old software is not as secure as current software. So you want me to be more software, you want it for better security outcomes as a company and every bit has to be inspected. So if you’re only a hardware firewall company, you’re going to miss the software bits, you’re going to miss the SASE bits.

Gabriela Borges

Do you find that customers that the network transformation piece of this towards more distributed network security is still tied to the classic three to five year firewall refresh cycle or has it leveled up into something that’s independent?

Nikesh Arora

No, I think the SASE transformations have overtaken this idea of hardware refresh cycles. Like hardware refresh cycles are the most boring thing customers do today. One thing we didn’t talk about is margins and operations. I want to make sure we talk about that.

Gabriela Borges

Yes, absolutely. Here’s my question on margins. So your FY ’26 operating margin targets 28 to 29 points. If I think about the best software businesses that we know that are doing north of 40% with scale, and I think about the comments that you’ve made on cross-selling into the installed base and how accretive that is from a cost of acquisition standpoint because the cost of acquisition is lowering and selling all of this really [indiscernible] revenue. How do you think about the limit to where your margins can go over time?

Nikesh Arora

If you think about most enterprise companies, if you’re a traditional enterprise company, you’re not blessed like Adobe or Atlassian, which have quasi user led or other consumer business as part of it. The biggest cost to enterprise is sales and marketing. If you look, a $1 billion companies spend 60%, a $7 billion company spends 35%, a [$200 billion] company spends 18% to 20%. So the maximum leverage is in sales and then there’s cost of operations and customer support. So these are three buckets, right, broadly customer support, sales and marketing, and cost of regular operations. Regular operations, this 100, 200 basis points. Most companies are within 200 basis points of operating margin operation in those areas at scale. Sales, you can get lots of leverage, we’re doing $200 deals, it’s a lot more fun and a lot cheaper than if you’re doing $20 million deals. So one metric we track is how big can our deals get with each customer. The bigger they get, the more efficiency we get from a cost of sales perspective. The other thing we’re going to track is customer support. I think most companies should be looking hard at that cost. I think AI is going to cut that cost by half for the next five years. I think in operations, you probably get 100, 200 basis points. So if you add it all up, if AI lives up to its promise in the next five or eigt years, you should probably be able to get the best-in-class margins you talk about in the next decade.

Gabriela Borges

How do you reconcile that with this idea that security is one of the most innovative or fast paced product cycle industries? And maybe that’s more of an R&D leverage question.

Nikesh Arora

Yes. Again, 12% to 16% of $20 billion is a lot more than 12% to 16% of $1 billion, mathematical speaking. So I say the bigger we get the more leverage we have from an R&D perspective, because we have cross leverage across all of our platforms, right? If I find a threat in the network side, I can make sure I can protect in the cloud, I can go cross reference that in the SOC. But if I’m only running one vertical I have to spend the R&D to understand the other verticals on our platforms. So from a priority perspective highly scalable, highly useful.

Gabriela Borges

I’ll end with a capital allocation question, which is you’ve talked about the volume start-ups that your [corp dev] team meets with. Any interesting observations to share about the types and qualities of companies your team is finding interesting today versus a year ago or three years ago?

Nikesh Arora

Look, the good news is the bad actors keep innovating, which means we have to keep innovating at our end to make sure we understand new threat vectors and treat problems. One year ago everybody sitting here, nobody knew about AI and what the threats of AI are. Today, I have AI models in-house generating malware. We’re actually using all publicly available models to generate malware to see how good they get. They can get pretty good. Then we’re building anecdotes tools malware that we’re creating using generative AI to protect ourselves, right? So what’s happened is now there’s tons of innovation going on. AI is a new threat vector. Every company wants to put data into all these public clouds, in data stores to be able to leverage for AI. You need to hold new data security paradigm. So there’s constant innovation going on. You have two choices, you can build or you can buy. But it’s harder for us to buy because now we have three integrated platforms. We have to look at every acquisition thought, every company and say, what is the cost of integrating this versus what is the cost of building it ourselves in terms of time and competitive advantage, not economically. As I’ve said before, I’m interested in buying great tech, I don’t need to buy revenue. I know how to generate revenue, I need to make sure I buy great tech, which is what we’ve done, we did $2.9 billion in NGS ARR, the majority of that was from acquisitions.

Gabriela Borges

Absolutely. Fantastic. Please join me in thanking Nikesh for his time.

Nikesh Arora

Thank you very much.

Gabriela Borges

Thank you.