Palo Alto Networks, Inc. (PANW) Q4 2019 Earnings Call Transcript
Published at 2019-09-05 06:06:28
Please welcome, Vice President of Investor Relations, David Niederman.
Hello. Thanks for coming, we really appreciate it. Good afternoon, I am David Niederman Vice President of Investor Relations at Palo Alto Networks. Thanks for joining us today to discuss our Fiscal Fourth Quarter and Full Year 2019 Results. This meeting is being broadcast live over the web and can be accessed on our Investor Relations section of our website at investors.paloaltonetworks.com. Earlier this afternoon, we issued a press release announcing our results for our fiscal fourth quarter and full year ended July 31, 2019. We also provided a script of certain fiscal fourth quarter and full-year 2019 financial results and operating metrics along with applicable reconciliations as exhibits to a current report on Form 8-K filed with the SEC earlier this afternoon. Copies of these materials can also be found on the Investors section of our website. I'd like to remind you that management will be making forward-looking statements, including statements regarding our near and long-term financial guidance and strategy as well as modeling points for Q1'20 and full year fiscal 2020. Please kindly take a moment to review the Safe Harbor language provided with the meeting materials, also please note that certain financial measures we use on this call are expressed on a non-GAAP basis, and have been adjusted to exclude certain charges. For historical periods, we provided reconciliations of these non-GAAP financial measures to GAAP financial measures in the supplemental financial information that can be found at the end of the presentation and the investor section of our website located at investors.paloaltonetworks.com. On stage with us today will be Nikesh Arora, our Chairman and Chief Executive Officer; Kathy Bonanno, our Chief Financial Officer; Lee Klarich, our Chief Product Officer; and Nir Zuk, our Chief Technology Officer. We will have a Q&A forum at the end of the financial presentation. And with that, I'll turn it over to Kathy.
Hi everyone, thank you so much for coming today, oh look! a splattering of applause, how nice, I appreciate that. Thank you. Thank you all very, very much for coming today, we appreciate your interest in Palo Alto Networks. We have a lot to cover today, and so I'm just going to get right into it. I'm going to start by providing a quick overview of our fiscal Q4 results for the fiscal year 2019 and full year results. Nikesh will then come up and he'll walk you through our strategy and our operating framework for the next three years, and then Lee Klarich and Nir Zuk will take you through our product strategy and I'll return to cover forward-looking guidance at the end. So let's turn now to fiscal fourth quarter 2019 which capped-off another great year for Palo Alto Networks. In the quarter, we grew revenue 22% year-over-year to approximately $806 million. Quarterly billings crossed the billion-dollar mark, a first in the Company's history. And our performance in Prisma and Cortex or as we refer to them collectively as next-gen security was especially strong. Our next-gen security billings were approximately $192 million in the quarter, this represents a $768 million annual run-rate to approximately -- and accelerated our growth to approximately 180% year-over-year. For the full fiscal year, we also delivered strong top line results and full-year free cash flow was approximately $924 million. If we adjust for the cash charges associated with our headquarters in Santa Clara and the retirement of our 2019 convertible debt free cash flow for the year was $1.1 billion at a margin of 36.7%. So let's turn now to some of the product highlights for the quarter. In Q4, we completed the acquisitions of Twistlock and PureSec, and we are actively integrating them into our Prisma cloud offering. We also released significant updates to Prisma access including providing over 100 network on-boarding locations around the globe and providing clean pipe for service providers, along with several other unique capabilities in that release. In addition, we released Traps 6.1, which included expanded support for Mac OS and Linux, further strengthening our endpoint and XDR offerings. And we received FedRAMP certification for WildFire cloud, a huge milestone towards shifting government wildfire usage towards the cloud. And as you probably just saw earlier this afternoon, we announced our intent to acquire Zingbox, an enterprise IoT security company. As Nikesh will discuss a bit later, this acquisition is yet another example of our ongoing strategy to consolidate new technologies into our next generation firewall platform, making it easier for customers to protect their complex enterprise environment. In addition to product releases, we had several notable wins during the quarter. We displaced Symantec and Zscaler at a Fortune 50 U.S. retailer to secure their data center and network of more than 2000 retail outlets. We displaced Zscaler and beat Fortinet at a major European national healthcare provider in their digital transformation project. They're securing their hundreds of hospitals, along with all of their patients and employees. It was a great win for us in the quarter. We beat CrowdStrike and displaced Symantec with our Prisma and Cortex platforms at a global insurance company with more than 25 million policyholders and we beat Fortinet and displaced Cisco to become the standard security platform for the government of one of the most populist regions in Asia Pacific. In summary, there was a lot of great news in the quarter. We continue to have high win rates against our competition and add thousands of new customers every quarter. In Q4, we added nearly 3,000 new customers and are now privileged to have won nearly 65,000 customers. We're looking forward to another great year in fiscal 2020, and we'll now move on to the rest of the presentation. Please welcome, our CEO, Nikesh Arora.
Good afternoon. Thank you very much for joining us, and thank you, Kathy. Normally when I get up on stage, I usually ask the audience, what can I answer that you leave here happy. Now many of you are so kind you've written me very long notes about what you want me to tell you, which are going to make you happy. It's very helpful. It’s like I have my marching orders, you've given me the script. So Keith Weiss from Morgan Stanley, yes, we will talk about product evolution, M&A. Keith Bachman talks about depth and duration of depressed cash flow, sounds very depressing, but we'll talk about that, they're not depressed. We will go down to the details of our next generation security business and explain the financial models around you, they don't get spooked by duration issues. And yes, Brad, no hardware company of this size have made a transition like this, but hopefully we just need to keep growing and not make the transition. You do notice that we're displacing your favorite company Zscaler in many situations. So, but I'm scared today, we had changes or recommendations, something is going to happen to the rest of you guys. So for now, and I'm happy with Brad where he is? So it's about 12 plus months, I've been at Palo Alto Networks and I know you guys have been asking for us to come about and explain how we're thinking about this Company going forward. So, hopefully in the next 75-80 minutes me, Nir, Lee and many of my management colleagues will share our plan for the next three years with you, in terms of where we want to take this Company. Before I go there, I thought I would do is quickly walk you through what I've learned over the last 12 months. Now unfortunately there is going to be no earth-shattering secrets. And what I'm going to tell you in the first section -- but hopefully, you'll get a sense that I’ve been studying this industry for a while and the problems are obvious, right, this is $140 billion industry, and we have too many vendors. I've gone to over 300 customers in the last one year. The winner so far is 212 cyber security vendors deployed under one customer. That's a lot. What that happens is when you have 212 cybersecurity vendors and cybersecurity is only 8% to 10% of your spend, it's way too many vendors for the amount of spend you do on IT compared to the rest of the vendors we have. What that results in, is people are deploying too many tools, one of these customers, not the 212 vendor customer, has nine endpoints deployed. You are going to have nine CRM systems, you’re going to have nine HR systems, have nine endpoints in one financial services organization. We think that model is broken, it's wrong, it cannot be the path of securing that enterprise for the future. If you think what we do in the industry is we give you the tools, and say now, you can write policy against it, you can spin-up a bunch of alerts and we'll give you all the alerts and you can figure out what to do with them. So we have tremendous amounts of alerts being generated in many of our customers and Lee and Nir will talk more about this. On average a customer can get 175,000 alerts a week, it's a lot of alerts. And then you spent a lot of time and effort manually going through your issues in investigating which can take anywhere from 4 to 57 days. We have an industry where we have too many vendors, too many tools, too many alerts, and too much manual labor. We think at the same time while we are busy complicating the industry, our friends -- the adversaries have gotten more and more sophisticated. The days of malicious software, the days of key loggers are gone. Now we're talking about AI based bots, ML based attacks and people are really addressing your entire enterprise infrastructure, trying to figure out how to get it. The amount of breaches have actually gone up. Last year is about 3,800 breaches and mostly the breaches were automated attacks. So it's got an interesting situation in the industry. We have a situation where people are spending more and more money on cybersecurity and they're feeling less secure. This is a problem. This problem needs to be fixed. So we believe we need a new paradigm for security and much of what we're going to talk about is what that new paradigm is going to be or needs to be. We believe we need to go towards lesser number of vendors. We believe you need to go towards more comprehensive security. We believe this has to be more of an automated industry as opposed to an industry that is full of -- lot of manual labor. So a lot of what Lee and Nir are going to talk about is going to be how our products are going to enable that going forward and we will talk specifically about some of the things we're working on which will be unveiled over the course of next few quarters and years, and how we intend to make this happen. At the same time we are at an inflection point in the industry, in my travels over the last 12 months, and my time at Google, I haven’t met a customer who is not thinking about going to the cloud. Almost every customer I met, approximately 300 of them is in some way, shape or form on their journey to the cloud, some of them are evaluating the cloud, some of them are sort of deployed some application in the cloud, some of them are in a hybrid cloud environments -- going to go to multiple clouds, but there is not a customer who is not talking about the cloud. Interestingly, we don't believe that cloud security has matured as fast as the cloud platforms have. So the best security, you can get is some cloud data security offered by an individual platform provider, but you actually don't have comprehensive cloud security that allows you to make that journey to the cloud in a more comfortable and happy fashion. So our belief is, as we see this cloud market go to potentially $1 trillion over the next five years, there is a huge opportunity for cloud security to play a relevant role in allowing these customers to make that cloud journey over the next three to five years. It's a big opportunity and the big opportunity we have here is to make sure we don't make the same mistakes we've made in enterprise security. We need to get cloud security, right. We anticipate in cloud security, there is an opportunity for us to become a platform of choice and customers not have to deal with the problem of too many tools, too many vendors, too many alerts and too much manual labor. I won't talk more about that when Lee and Nir come and talk about what we've been doing in the last 12 months for cloud security. So before I walk, before I have them come up on stage and talk about the opportunity ahead of us, I want to make sure I give you a sense of what we're doing for the last 12 months and you guys have been writing all these notes, I'm trying to figure out what we love to, as a company. Let's take a look at where we've come from. 12 months ago when I came to Palo Alto Networks, we had a phenomenal Company, the Company that has built an amazing firewall had a great brand, tremendous amounts of trust with our customers in all 50,000 customers in the market. There is a lag between when click this when this slide shows up. This is Palo Alto Networks. We were -- are primarily a firewall company. We've made a few acquisitions and we had done a bunch of projects in the side. But despite the way we had implemented and we have managed to get 8% of our billings from not at our services outside of our firewall business. The worrying thing was though, I noticed we would acquire companies and decouple them and merge them into our hardware-based business. So that's a bad thing if you start taking the software businesses and start making the workload hardware businesses. Hardware has a certain [indiscernible], cycle has certain deployment cycle, software as a slightly different cycle. It's very important for us to make sure we were going to get this right. We spent the last 12 months, focusing. Now I may not know enough about cybersecurity, but having spent as many of you know I spent 10 years at Google, the one thing I did learn at Google is the first and foremost, you have to get your product strategy right. So poor Lee Klarich, our Head of Product; Nir, our CTO, and many of our product colleagues has spent many a nice sitting with me, writing and rewriting product plans, looking at competition, looking at our strategy, looking at whether we are set up to win or not. And literally re-architecting many of our products and our strategy is to make -- we set ourselves up to win. Please spend -- ours there are written documents and probably on their 15th the durations, we went through every product categories in that, why do you make this acquisition? What is the way to win in this category? How are you going to -- when do we have enough resource to deploy it against that? And once we get the product right, do we have the go-to-market capability, to go make this happen in the market. It wasn't simple. It wasn't easy, but some of it is also very exciting. In our firewall business, we had been selling subscriptions, four subscriptions against our firewalls. I mean, sat and talk about why cannot the firewall become a platform? Why cannot we take or we have the firewall and instead of having 20 different network appliances in a customer's infrastructure like on our firewall become the platform of the future for enterprise security. So as Lee and Nir will talk about, we are going to go from four to potentially 10, maybe more subscriptions over time, because we believe once our customers trust us to be part of their enterprise infrastructure, we have the ability to go and deploy more and more capability into that infrastructure. And we will talk about our latest acquisition of Zingbox, the whole intent is to make that another subscription on firewall. We believe our customers will deploy that firewall, just the way, they've deployed DNS security, which we launched a few months ago. So on our firewall side, we have built, we have continued to build the next generation firewall into a faster, better firewall. But really when we went back to the drawing board we sat back and said, Nir if you were starting a company and building firewalls so that we wanted to. Although some of you believe the firewalls are not going to be interesting. We'll talk about why they're going to continue to be interesting. We sat down and thought, how would you re-architect the firewall business and how do you build it going forward. So what you will see as part of our enterprise strategy firewalls is our expectations of how this market is going to evolve and how do we need to be in the top right of that Magic Quadrant continue to go further in that direction as opposed to not continue the innovation. Not only that, on our cloud front, we had one acquisition called Evident, we've made 12 months ago. Over the last 12 months, we've examined the cloud security space very, very carefully. We believe there needs to be a comprehensive multi-cloud, multi-technology platform available for cloud security. We have made two acquisitions in that space with Twistlock and PureSec and we hope to be able to integrate them very swiftly, hopefully before the end of this calendar year and be able to provide the best cloud security platform to our customers. Prisma cloud, I'm not confusing this would VMs or any other product, has over 1,000 customers already. We do not believe there is any cloud security company in the world today with over 1,000 customers securing the public cloud, none. And we've been able to achieve that over the last 12 months. Not only that, we looked at our products called GPCS, which is effectively Prisma access, which is, I shouldn't talk about competition just yet. So it's a product with real security that helps you secure cloud native architectures, unlike some of the things in the market. I think is a popular -- today's Lexicon. So we took Prisma access, we resource that we moved to Google Cloud we on-boarded 200 plus locations and you saw the results. We had the biggest quarter over Prisma access in Q4 than we ever had in the Company. We have our first over $10 million deal for Prisma access where as we highlighted we've displaced Zscaler. So feel very confident in our ability to keep building Prisma access as one of the future architecture for securing the cloud. On securing the future, we looked hard at the SOC industry. And Lee and Nir will talk about it. We weren't comfortable with the way the industry is going. We're not comfortable where the solution needs to be that you take all the data, put it in a very large data repository, run a bunch of analytics against and spin-up more alerts. These alerts get them to the SOCs analyst thing that you had 174,000, I've got another 100 really good alerts for you take a look at. That's not the right answer. We looked at the market, we acquired Demisto, Demisto has done really well for us, and we believe the future of SOCs is going to be more towards automation and Lee and Nir will talk about more about what we're able to do in that space. We also took what was our [indiscernible] acquisition and our like severance IVR acquisitions and looked heart of the EDR space and said, where is the endpoint industry going to evolve to, how are we're going to win. We launched XDR four months ago, we've had our first full quarter of XDR and we're delighted with the fact that 250 customers have already been acquired by the XDR team. Now this wasn't done without our ability to run, not just the product focus, but also a focus in our go-to-market capability. Over the last 12 months, we have taken our Prisma and Cortex teams from 500 people 1,500 people. We did that by hiring new people and acquisitions and effectively redeploying resources from what would have been part of our core business into our new business, which is what has allowed us to accelerate our Prisma and Cortex growth rate from approximately 70% odd to 180% as Kathy highlighted. But we feel very confident that is a number or set of numbers we can really focus on and drive further and we'll talk more about where we expect those numbers to go over the next three years. So what does it, was it look like today? We've been able to grow our billings from our next generation security services to $452 million, approximately 13% of our total billings in FY'19. And we feel very, very confident that we have our product portfolio cleared up and we believe we are actually in the process of delivering and deploying three different platforms in the market, one around our firewall, one around our cloud security and one around securing the future where both the firewalls and our cloud security capabilities come together in the slot. We believe our opportunity in the enterprise is to be able to simplify enterprise security and reduce the number of vendors, and that alliance our customers have with vendors. And it's fascinating as Kathy highlighted one of our very large retail customers we acquired in Q4 has gone to a single vendor solution. A single vendor across all forms of firewalls, firewalls and the data center, virtual firewall against our cloud instances and Prisma access against their network security needs. So we are noticing customers re-architecting the security as I think about going to the cloud, that rethinking to the need multiple vendors to secure them across these various form factors across these various technologies and many of the smarter ones of course I'm going to say that are making the choice towards consolidating into a single vendor platform. Not only that, on the cloud front we've had customers off we acquired Twistlock and RedLock, who are in evaluation mode have signed multi-million dollar multi-year deals with us, because now they believe where Twistlock and RedLock and PureSec with Palo Alto Networks, we are going to keep building and investing in these products and continue to grow them further and they're delighted with our vision in terms of how we plan to deliver cloud security to them. We believe we have an opportunity to keep being ahead of the curve of cloud security and it was funny. When we acquired RedLock, the RedLock team kind of means that we're going to go, build continues security for you. That just sounds wonderful. I came to New York and I went to about 10 to 15 customers in the financial services and said, look you're using our Prisma cloud security, we're going to build the container security in nine months. So like, we don't have time. We're going to take what's out there, the best of you continue to secure, we're going to use it. It's interesting, our customers want best of breed, but they don't want to wait for integrated platform to appear and be available across multiple technologies. So we have been able to take RedLock and Twistlock and PureSec and put them together and offer best-of-breed across container serverless and public cloud to our customers as a platform. We believe our opportunity is to stay ahead in that space and deliver comprehensive multi-cloud, multi-platform integrated security solution for a cloud. Last but not the least, in the future, we believe we have the opportunity of taking good data as opposed to all data. Taking that and applying analytics to it and being able to provide tremendous amounts of automation to allow our customers to be able to secure the future. So I had an option of standing up here and regaling you with my product capability and my product knowledge, but I figured one of the highlights of today, it could be for you guys to hear from our Founder, who is promised to give you an unfiltered version of what he thinks about the industry and how things need to go from there. And then we'll have Lee [indiscernible] and moderate him to make sure he doesn't go off the rails. But before I invite them, I'm delighted to say, last time, we had an Analyst Day, we pointed you to a Palo Alto Networks stands at about $19 billion. We believe with all the product investment and product capability have developed, we now have the opportunity of addressing those, close to 70 people in dollar term in FY '22. The magic of FY '22 is you will notice when I come back after Lee and Nir have talked about our product investments, I'm going to give you guidance for the next three years in terms of what we expect our billings to be and what we expect our next generation security capabilities to get to our cash flows and our operating margins. So hold your breath, don't hold your breath, just hang in there. With that, let me welcome Lee and Nir up on stage.
I've been working with Nir for a very, very long time almost 10 years. And I think this is the first time that he and I are actually sharing a stage together. So here we go, and that should be fine. I guess there should be fine. So what we'd like to do a share with you our product strategy and how we think about things. And we will fit that into the contracts that Nikesh has walked through in terms of the three pillars, securing the enterprise, securing the cloud and securing the future. Now I've been in the security industry for a very long time. I've been in Palo Alto Networks for very long time and I can't definitively say that I've never been more excited and confident in our ability to deliver these platforms in a very unique and differentiated way. Now to kick us off, no better person than Nir to talk about securing the enterprise. Nir?
Thank you, Lee. So let's talk a little bit about securing the enterprise, specifically about network security. I know that some of you would like to believe that the firewall is going away, and there is no role for network security in the future. In reality, there are things that have to be done through the network -- through network security and there is just not a place to do them. And so things like looking for command and control connections. Things like combining access control, user identity and authorization systems. And most importantly, more than half of the devices that enterprise use today cannot be protected by running something on the device itself, have to be protected from the network. Mobile phones, we've locked down operating systems or limited battery life, routers, switches, printers, network-attached scanners and all other kind of IoTs like IP phones and things like that. The only way to protect them is through the network because you can't run anything on it. So network security is here to stay, it's always been the core of cybersecurity and will continue to be the core of cybersecurity, but changes have to be made, because over time applications have been moving from the corporate data center into the cloud with our SaaS or public cloud and users have been moving from corporate networks into smaller offices, branch offices they have been moving of the network completely in the form of being mobile users and network security has to follow them and network security has to follow them wherever they go because again there are things that network security is the only thing or there things that network security has to do, like so on cybersecurity functionality, like access control and supporting again devices that can only be done from the network. The challenge is how you do that, how do you follow the user when they're off the network, how do you follow the application when it's running in the public cloud, and more importantly, like Nikesh said, customers are asking us to consolidate more and more functionality that would deploy in the network separately from the firewall into the single next generation based platform that we have created. And to talk about that and the innovation around it, we'll go back to Lee.
So there is lots of innovation is going on in next-gen firewall. There is two areas in particular, I want to talk through with all of you today that are -- of particular importance. The first is sort of piggyback off when Nir was talking about the importance of form factors, okay. How do we take all the same capabilities and make sure that they can be deployed everywhere, the in-line security as needed. And this is something we started driving several years ago when we expanded from hardware appliance form factors to software form factors with the VM series. Since that time, VM series has turned into the leading virtual next-gen firewall in the market. And then from there and we're recently we expanded into delivering these capabilities as a service with Prisma access, which allows us to extend security out to mobile users branch offices, retail environment, et cetera. Now with particularly powerful about this, in addition to be able to provide consistent security everywhere, is the ability to have a single control plane to be able to manage this consistently as well. As Nikesh mentioned earlier, one of our very large customer acquisitions in the previous quarter was a customer who had been with us for a while with hardware and the data center. And in the quarter as they extended that using VM-series and Prisma access into a complete solution, and what was particularly exciting and relevant to them was the ability to get that consistent security consistent control plane, we can't get anywhere else. Now, going hand in hand with us, is the ability to use of firewall as a platform for delivering more and more capabilities. If you look -- if you think about the enterprise security market, it is actually insane. The number of different security vendors that customers have to deal with is crazy. We have a running tally of the most number of security vendors that customers deal with when they come to our -- or you'd to be see hear about what we can do for them. I think the latest record is now up well above 200 different security vendors for a single customer. They have to deal with and manage. Now we have been, from the very beginning, starting consolidate these through integrating best-in-class capabilities into our next-gen firewall. We did this with IPS, we did this with filtering and we really substantially change those markets. We took a bit of a hiatus but we're back. The DNS security launched earlier this year, our fifth subscription for the next-gen firewall and we intend to extend this more rapidly going forward to be able to integrate, what would otherwise be standalone capabilities and be able to consolidate those into our firewall platform. Importantly to do that across all form factors as well. Now, you saw the announcement earlier today, our Zingbox for IoT security, I'll talk about that a little bit more detail in a second. But just to give you some flavor for the security services, we're looking at. We're also actively working on and building SD-WAN, as an example, that we will be able to integrate across the different form factors, in order to be able to again both simplify as well as provide better capabilities to our customers across their network environments. Now, to talk about IoT the, this is becoming a very much a growing issue within the enterprise, as you can see from some of the things here, even fish tanks can be used to break into enterprises and move laterally. Hackers are using IoT devices as both initial insertion points as well as the ability to move laterally across networks. Now, why is this? IoT devices are -- have become very ubiquitous across the enterprise. By our estimation what we've observed in both our own environment as well as others for every employee, there is about three different IoT devices in the typical enterprise. In many cases IoT devices they're unpatched, they're unmanaged, they're connected by definition, there is a security risk. I believe that every single one of our 65,000 customers hasn't growing IoT security needs. And we will be unique in being able to deliver that as an integrated service to our next-gen firewall, obviating the need to deploy yet more hardware, in order to get a very relevant and important new security service. Without us the options are looking at a handful of small vendors and trying to figure out which one to invest in and which one you're going to take the operational burden of trying to deploy throughout your network. That's a very powerful approach that we are able to take by delivering necessary integrated service. And so with that combination of the evolving and expanding form factors, the ability to then deploy multiple and additional security services to those form factors, we see a great opportunity to address the network security TAM, as well as an opportunity to replace what today is often outsourced manual labor with product and automation. You'll see that theme as we talk about the different areas. This ability to look to leverage automation to replace outsource manual labor is one of the large opportunities we have in consolidating the products around us. So switching gears from enterprise to the cloud. Okay, now, when we talk about cloud, we're going to talk about two distinct aspects of the cloud. The first, just about every enterprise is on some journey of moving some of their applications to the cloud. Typically, multi-cloud they're often still keeping the data -- part of the data center for some of the applications. So it's hybrid that is one opportunity, very significant opportunities you saw before. The second is to leverage the cloud to deliver security to the end users, those are mobile branch office, et cetera. So let's start with securing the cloud. Now a concept that all of you have seen, probably a million times. But just an important concept is a shared responsibility model. Customers are responsible for the security of everything they deploy in the cloud. And as we've seen many of these applications that we deploy are mission critical, have incredibly sensitive data and they need the best security solution across multi-cloud and hybrid cloud. Now to put this in context, the world has moved beyond lift and shift to large extent and we'll continue to move toward more cloud native application architectures, which will require a cloud first approach to security. You cannot simply take on-prem data center capabilities and simply move them, you have to take into approach. What you're seeing here is a typical application that is multiple different components, which is very standard. Each of those components often running in a different technology stack. So how do you secure an application like that? All right, so it requires a lot of the same security functions wherever the application is, but those security functions have to then be applied across all the different technology stacks. For example, you need to vulnerability management of course and you need to apply that to VM's. The typical industry answer to this would be say, that's a product. The problem is you're going to get to that. Every line representing a different product. Now if you're an enterprise looking at that, -- that's a lot. We are at risk of repeating the sense of the past, if we let that happen. I firmly believe the Palo Alto Networks is the only Company in a position, and with the focus of preventing that from happening. With Prisma cloud, our intention and what we are delivering to our customers is the most comprehensive cloud security platform that they can get. Taking these different capabilities, applying them across the different technology stacks, multi-cloud and even hybrid cloud to help secure our customers journey to the cloud and to be clear, there is a lot that is yet to be done. I anticipate that there are a number of cloud security technologies that haven't been invented yet, but we will have to be thinking about. And we will continue to be very decisive and purposeful about building out this platform and continue to maintain its position as the most comprehensive solution. Now to talk about the other kind of cloud and for that Nir.
Thank you, Lee. Maybe before that I'm very excited about Prisma Cloud. When we started the company and Lee has been with me, since the beginning. When we started the company, we are going to build an acceleration firewall and we had a bunch of very large vendors that we have to go and displace which we've done. But we're today by far the largest network security vendor out there. It was a lot of work displacing them. I think that with cloud with public cloud security and generally with cloud security the market is open. There is the need, I don't see any other vendor in a position to do this. And I think that the numbers that you've seen and the numbers that you will see speak for themselves. Because to do this, you have to first have the firewall because there is no way to secure the cloud without a firewall, you have to look at the things that only the firewall can look and there are things that's running in the cloud, that you need a firewall, because you can't run endpoint security on them. And then on top of that, you need all the different technologies that we've been building and acquiring and integrating over the last few years, that I just don't see anyone out there that's even thinking about it nevertheless, someone that has the different components that are required in order to go after the cloud security market. So very excited about that, at least as much as much as we're excited when we started Palo Alto Networks and went after the enterprise security market. Now once applications start moving to the cloud, which they are, enterprise network architectures and access architectures are changing. And the reason for that -- oops we are missing a slide here. Sorry. Okay, yeah, so the reason for that is that traditionally the way users have been accessing enterprise applications, which were running in enterprise data centers was through remote access solutions like GlobalProtect for example and through MPLS, IPVPN MPLS links, and those links were offering guaranteed bandwidth and guaranteed performance that they were great way to access enterprise applications. Once applications start moving to the cloud whether it's SaaS or public cloud and once users are moving into smaller offices into branch offices and of course, become mobile, it doesn't make sense anymore to run all the traffic through the data center and then go out to the Internet. You want to have direct Internet access from wherever the user is, whether it's in the branch office or whether the user is mobile. Of course with the tradition of the cybersecurity industry, the way we're doing it or the way the industry is doing it is by offering more and more and more solutions to try to do it, try -- we have mTLS and then side to side VPNs. And then some traffic goes -- SaaS traffic has to go a CASB proxy, then we have a bunch of CASB companies. And of course our favorite topic, the cloud delivered security VI proxy. And maybe a side note here, and if I have seem a little bit angry then maybe because it is I am, because I feel like I'm playing a whack-a-mole game, because about 24 years ago, I had to kill the first generation of proxies with [indiscernible] inspection. If you remember, companies like Secure Computing anyone here cover them? You'll probably responsible for them having a higher market cap than checkpoint at the time. I'm not sure where they are today and companies like Raptor and others, and of course proxy is always had the issues with proxies, they are slow, they break applications, they break networking, they break network optimization, network routing and so on. So hard to kill them the first time. And then 12 years ago in 2007, when we started selling our products here, we had to kill the next generation of proxies, the Blue Coat and the Websense's of the world, which again didn't make any sense. Proxies have never made sense, they are slow, high latency, they break applications, you can't run everything to them, they break networking. And so on, which we have, we all know our Blue Coat is today right part of Broadcom and I'm not sure Websense is. And now it's measureful right, third time and other mole is popping, we have to deliver security from the cloud, how we're going to do it? Guess what, we're going to do it with a proxy. Now, why would you do it with a proxy and not with network security, because it is easy, it's very difficult to become a network security company, it's very difficult to build something that can go into the infrastructure, whether it's physical or virtual and provide the networking and security the pocket based security at the application level. So vendors are taking the easy way out, right, let's put a proxy, so we break applications, so we break the network who cares, customers are going to pay for it anyways, and they are trying to use proxies to solve the issue. So first I think proxy is the wrong way to -- and I'm not think, I'm sure proxies are boring. If I were here six months ago, I would say we're going to kill the proxy after what you've seen and what I've seen in the last two quarters, we have killed the proxy. But again -- but I really think that it's not just a proxy, it's this -- it's this mess that the industry suggesting in order to fix the access challenges that are associated with the move to the cloud. And of course there is a much better solution, and that by better solution is what Prisma access is about. The Prisma access takes mobile users, and it takes branch offices in a single cloud delivered firewall -- through firewall base our firewall-based solution, it provides access to SaaS applications with our CASB, to public cloud applications to on-premise applications and whatever comes next this platform is going to do. And the reason this platform has been so successful in the last couple of quarters and is going to continue to be so successful is because when customers see this versus the mess that today is called access, again a mess driven by the cloud, the choice is very, very clear. This is the way to do it. And if I look at our position in the market there are not many firewall vendors out there. There are probably four firewall vendors that sell today, the other three vendors are busy trying to figure out why they can't sell hardware against our hardware. I just don't see anyone else today in a position to go and capture this huge access to the cloud market. I really like our position, I really like where we are today and I certainly like where we are taking it into -- in the future. Sorry, I'll continue. So now that we've covered. [Video Presentation] Can you imagine trying to access X-ray data through a proxy, they tried, and they have to throw out the huge deployment of that proxy. So going back to TAM, we think that cloud security in 2020 represents a very large TAM, a very large opportunity. And like I said, I personally just don't see much competition over there and anyone that has the components to compete against us, in cloud security. And then if you look at the automation that's needed in order to drive that security automation that today is done by people, and we do that with software and analytics, the opportunity becomes even larger, okay. So now that we cover the first two pillars, let's move to secure the future. So let me cash that, both enterprise security and cloud security are here to stay with us for a long time. And we have to do both and we have to be good at both and we are going to be continuing doing both and be the market leaders in both. At some point, these two converge in the security operation system, because the security operation system needs to run both enterprise security and cloud security and it all comes to one place. And they are big issues in the security operations today that just aren't that basically make this security persons that are not prepared for the future. And we've decided a couple of years ago to go and fix that to prepare the security operation center for the future. So let's just talk about what's not working in the security operation center. Most security operation centers are based around a technology called SIEM, Security Incident and Event Management, by the way -- nothing to do with incident and event management, but whatever we'll call them that, that basically collect as much log as they can from network devices and endpoints and applications and servers and wherever they can get logs from and then to have a bunch of static rules and or manual labor looking at this data and guess what they do, they generate alerts based on the data. Now of course, the data that's coming in, already includes alerts, because if the firewall or the IPS or whatever found something bad or something bad was found, bad was found in the public cloud, and so on. On top of the alerts, that's the SIEM collects and displays with the user, the SIEM has rules, we call them correlation rules that generate even more alerts. Some theme have some filtering mechanism to filter out alerts, usually they filter out alerts that needed, going -- target why they had been alert, I told them about the breach and only looked at it nine months later. And then all of that leads to reactive investigation. And what the industry is trying to do to fix that, ask any customer, they will tell you that the SIEM is broken. Right now, the solution to the SIEM broken is we're going to switch to another broken SIEM, with the hope that, that out of broken SIEM is going to be better, and it's not. And the more advanced companies in the industry, I figured out that something has to be done. And what has to be done is you have to collect much more meaningful data from the network or from endpoints and so on, and provide much more meaningful processing using machines of that data, right. So the SIEM doesn't work. So why don't we create a new industry called EDR, we're going to ask customers to put yet another agent on the endpoint. We're going to collect a lot of data from the endpoint, we're going to process the data with whatever machine learning static accruals maybe we'll put some people on it. We're going to find that things generate even more alerts because there aren't enough alerts already, and maybe sometimes we're going to respond back to the endpoint. Now that's not enough. We have to do the same thing with the network. So there is a whole industry called NTA network traffic analysis that's doing that on the network stenting the collect deeper data from the network using separate into in other data lake process that with rules and whatever and machine learning and then maybe respond back usually they generate just more or less in the same thing happens for IoT is and the same thing happens for public cloud. And the same thing happens for South and I'm sure that with every new challenge. The industry is going to generate yet in other vertical that's going to collected another separate set of data and all of that because the doesn't do anything. Okay. We think that this doesn't make sense like specifically doesn't make sense like why would you limit yourself to collecting they’re the only from the endpoint process data just on the endpoint and respond back, to the endpoint. We think there has to be something much better than that and that's what Cortex is about, okay. Now maybe before that this is a survey that Demisto company we acquired which late year. Before we acquired them, you've heard it before an average enterprise has to do with $174,000 per weeks. Usually they have the capacity to handle may be 12,000 and even that gives them a few seconds for each alert. It doesn't make sense that leads to at least four days of investigating the alerts, so they figure out that they need to investigate and some alerts that just don't touch are the real alerts that they need to handle and we have to fix that and that what Cortex XDR is about. And to do that, I'll go to my product guy, tell you how we're --. So if we think about securing the future, we're really talking about collecting good data, [indiscernible] analytics against it, leveraging as much automation as we can, because manual work can be error-prone obviously it takes too much time et cetera. But ultimately, we're trying to get to a proactive outcome, trying to get away from the reactive something bad has happened, let me figure out how bad it was and when it happen and things like that to proactive, how do we actually prevent the bad things from happening. So using that as a framework, it all starts with good data. There is a massive amount of money that is being spent on collecting logs and alerts, but not on selecting good data. You have to collect good data in order to drive good analytics AI machine learning and things like that. Now, to get the good data we of course started with the best sources we know. Our next-gen firewall crops in the endpoint, so our cloud services, we know, because we can control those as sources. The kind of data, the rich detail we can get in order to drive analytics. So that is where we started. But now we are starting to extend that out to third-party sources as well. As far the start of -- starting point for that, it will be other network security devices. We're going to start with checkpoint and probably on the Cisco and other things like that. Because again in the enterprise, there is still a bit of a mess, there is lots of different things, and so while we try to move everyone to a better state we can help by at least taking in that data correlating et cetera. So we are starting to now pull in third -party data to augment our data sources to be able to drive good analytics. So what is good analytics look like? Well, good analytics, first and foremost, should be capable of detecting attack that otherwise can't be detected, Cortex XDR does that for sure. In addition to that though, analytics is very powerful in being able to reduce the amount of noise and alerts enterprises have to deal with. We have seen in certain environments up to 50x reduction of alerts by being able to just simply group them into incidents to be able to then investigate incidents as opposed to lots of alerts. We've also then seen the ability to reduce the amount of time significantly and how long it takes to investigate an incident by pre-stitching data together and showing the full view to the analyst it is much, much more powerful and easy for them to go through the investigation get to conclusion and ultimately provide automation. Our aspiration here is to get orders of magnitude improvement even from this, which by the way to the SOC, this is a massive improvement for they otherwise are. And we're going to keep focusing on driving these better outcomes. Now, good data to good analytics, ultimately two really good automation. Automation is where we can take a lot of the noise out of the system and really lead the SOC counts, with just what they need to be able to have to focus on. And again you can see the level of alert reduction by simply automating the investigation response that humans don't have to do the work. Improving the risk, the meantime to respond some environments well north of 90% improvement, and how long it takes to respond to incidents. That is massive benefit to an enterprise to the SOCs. And going forward we have a view that we can even make this automation predictive in nature. But based on everything that we see across this growing ecosystem, we can build the network effect, as we have done in many other areas. So that we actually will be able to tell customers, this is what you should do in order to achieve these outcomes. The security industry, the cybersecurity industry needs to get more opinionated about how to achieve the right outcomes as opposed to simply providing tools and that customer is kind of do what they want with them. Automation is a key area for this. Lastly, to bring this together, we are ultimately trying to get to a proactive response footprint where again instead of re-active or proactive. This is why traps on the endpoint is so important to have Cortex function. Not only does it provide really rich deep data in order to drive analytics and other things like that, but it can actually prevent attacks from happening in the first place. Every attack that is prevented upfront means fewer and fewer alerts that even have to be analyzed on the back end. Additionally, this is the footprint that allows us to when we do finish -- when customer does finish investigation, we can actually then automate the response back to an enforcement point to take action. So we prevent on the front end, provide rich data and then ultimately prevent on the back-end as well. So we can automate that entire sequence. So we bring this together, each one of these components is in itself best in class. But importantly, integrated together to form the foundation of a platform, they can solve a lot of the challenges that Nir talked about, that the SOCs currently deals with, and are growing. So let's hear from one of our customers as they talk about their adoption of Cortex and what would have meant to them. [Video Presentation] Always cools and you can secure a state. And, of course, all of this adds up to a large and growing town. The combination of endpoint protection, analytics, automation and, maybe most obvious, in this case, the ability then reduce the manual outsourcing and pull that into product automation analytics as well is the substantial opportunity we see it as well. And for that -- with that, like to invite Nikesh back up to talk about execution. Nikesh?
Well, thank you, Lee and Nir. So, as I mentioned, we spend a lot of time making sure we get our product strategy right, and Lee and Nir, have highlighted where we plan to go. I hope you didn't miss the fact that Lee is committed publicly to deploying a lot of subscriptions in our firewalls and potentially applying SD-WAN across every form factor. I'm just trying to make sure he hears me, safe to use, so that I can make sure I can hold him too. And we also talked about ingesting third-party data into Cortex, which is an extension of our vision of our Application Framework from the past. But product is just part of our solution. Once you get product right, you've got to make sure you have the execution capability to put the product out in the market. And, as I've analyzed enterprise companies, it's very interesting, there is very few very large enterprise companies and many small enterprise companies. And it's interesting, if you look at them, there is a distribution engine that needs to be created just commensurate with your product capacity. Companies get started, they get into a very good state with one set of products and then either you have to keep innovating and adding more product to the portfolio with the salespeople or you have to acquire product and be able to ingest it in a way that your salespeople are going to sell it. There is only one way to double revenue, it's a double number of salespeople and make sure there is enough capacity in the market, or make sure you double the amount of product that a salesperson can sell and is able to sell to be able to do that. Our intent is to do a little bit of both. And what I wanted to highlight is, in addition to product capability, we've also been working on our execution capability and making sure we have the go-to-market. As Lee and Nir just highlighted, and I ended my last session with saying, we can address the $73 billion market. This is how that market breaks out, we think there is a $27 billion opportunity in network, approximately $8 billion in cloud, $13-odd billion in SOCs and endpoint protection, and about $25 billion in the automation, which needs to be deployed across all of those categories. It's a slightly different view than you will see in the industry. The industry still believe that it's going to be a very large services market. We, on the contrary, believe that the services market is important for the architectural pieces to get cybersecurity, right, but if you need a lot of people to be able to manage security for large enterprises on a long-term, that is not going to give you the automation and the right outcomes and it's going to require way too much time, while the adversaries are working on automating their ability redact you and get to your precious data. So, as you see, we have 65,000 customers and we have an amazing brand which people trust. Just to highlight, one of the first subscriptions we launched early this year, we've been able to deploy it to over 500 customers in a very short period of time. So our sales teams know how the moment when you deploy a subscription they're able to add it to our firewall capability and get deployed in the market. As Lee talked about our IoT capability, we want to make that available to every one of our enterprise firewall customers, and one of you asked me, why wouldn't to go acquire a more complex IoT company, there are some larger companies in the IoT space that solve complex used cases. I understand why as a start-up, you would go after a complex used case because that's probably where the large deals are. But the enterprise IoT is a need for every customer. Our salespeople know how to sell it. We know how to attack the store of firewall. And our aspiration is that, for every subscription that we deployed, we should be able to get to thousands of customers, if not, tens of thousands of customers in a two- to three-year timeframe, which allows us to keep expanding both TAM and our revenue in a leveragable way with our customer base. If you look at our current capabilities, we have 4,000 partners, we operate across 150 countries and we have 3,000 people out in the field, which makes us the largest pure play cybersecurity sales team out in the field. We want to turn that into a large distribution capability. We also believe that we have built the best execution team in cybersecurity. I know many of wrote in your notes about the management turnover at Palo Alto Networks. Palo Alto Networks have build a phenomenal company, which is firewall-centric, and we had done some stuff in the cloud and some stuff in the SOCs. It is very important as we go through this transition of building a multi-product, multi-platform cybersecurity business that our management team represents our capabilities which are required to be able to sell multiple platforms in the market. And what we have done over time is we've made sure that we are managing the transition and upgrading our skill set for our team to make sure that we can actually go sell cloud, we can go sell automation, we can go sell AIML, we can go sell firewalls. I joined Google when there were 450 people in Google Europe. We took that team from 450 people to 5,000 and we quintupled revenue in five years when I was there. I left Google. Google is now in its fourth generation of management today and they far surpassed the quintupling of revenue from the early days. There were 100,000 employees. So, as you go through evolution, you have to make sure you bring your management teams and locks them. And we're very comfortable that the transitions we are doing on the management front are the continuation of our desire to build the best execution. Rest assured, most of these management turnover you're seeing, they're all managed transitions, they're all towards the purpose of building this multi-capability cybersecurity sales team. And you can see that we did our first $1 billion billing this quarter in Q4, while we were going through these transitions, which tells you that it would be a very strong field sales force and they're all on-board with our desire and ambition to build the best cybersecurity player in the world. In the last year, we've hired over 2,000 cybersecurity professionals. We have expanded our hiring limit, we now hire from 19 cloud and next generation companies as opposed to purely enterprise hardware businesses, which had been a lot of our core sales team in the past. And we built technology, which allows us to cross train our teams in cloud and in automation techniques. This allowed us to train 3,000 people in a week to be able to sell cloud. Why this is interesting is, this is an important slide. This is what we anticipate in terms of how we are going to take this and build this into the larger enterprise security business. There we do it is, we ingest or innovate and build technology, we put them in speedboats. We have a speedboat for cloud, we have a speedboat for automation. We also started training our core sales team out in the field. And this gives you a sense of what proportion of our field sales force is able to sell our various products. So we've taken Prisma Access and 60% of our sales teams out in the field is now able to sell Prisma Access. This gives us huge amplification and leverage, Prisma Cloud is closing in on 30%, 35% of our sales force. And by the end of the year, we will have integrated Twistlock and PureSec, allowing it to be part of the Prisma Cloud platform, which will integrate seamlessly both from a contractual and from a usage perspective. So every Prisma Cloud customer will automagically have container and serverless capability and we believe that leverage is going to allow us to address 40% of our customer base. Our plan is to get our speedboat teams to be able to sell to 90% of our entire -- through 90% of our core sales force to our customer base, allowing us to leverage and the distribution we need to become the biggest player, both in cloud, as well as automation and SOC. No other player in our space has over 3,000 people in the field out there selling. Not just that, we want to make sure we do this while we continue to delight our customers. So we have been able to maintain the leadership position and customer happiness and customer success out of the market. Not only that, we are not going to rest on our laurels. We have just announced to our field team, we are introducing an industry first security incident assurance service, whereby, if any of our customers unfortunately is in a breach situation or any customer in the industry, we're going to be there available until their breach is resolved, irrespective of other what proportion of their products of Palo Alto products. So, we continue to want to be at the forefront of customer success and customer happiness in our ability to execute. So with that, I now -- yes, there has been other conversation about the channel. I think there was one meeting we had with the Channel Advisory Board, which I think every analyst has feedback on, anything for team, I have said that we've been tweaking our channel ball with just causing consternation. But this is just to give you comfort that 99% of our business still comes from the channel. And as you can see in Q3 and Q4, because we revamped our channel programs to create more capability, training and incentive for our channel, the channel sourced business that we're doing has never been greater than we've had in the last two quarters at Palo Alto Networks. So, any noise around the fact of channel and us are not together in this journey to building the best cybersecurity business is just noise. We believe the true signal is that, it's shown in the results. They're actually allowing us to amplify our capability and they're really excited about our newer acquisitions and the direction we're taking with the various platforms. Okay. All right. This is all [indiscernible]. Sorry, he has taken us a long to get here. But until we give you a context, it's very hard for us to take you to what do you're here for. So with that, as you know, we've had a long history of success. We have increased market share network security despite popular belief that we're not going to be able to grow our security business at twice the rate of the industry. The team and I spent a lot of time over the last three or four months, looking at do we need to go through our financial model transition at Palo Alto Networks and have -- many of your notes about the two these depression of cash flows duration what is Palo Alto going to do, vis-a-vis ARR versus the term license or perpetual license. We tested the market we talked to many of our customers. We talked to many of the customers -- many of the company is going through a transition and we're not going through any major financial transition. Our customers like the way we sell our products for them, our sales people understand how to sell products to themselves. We are going to be selling firewalls the way we've been selling them so far. We are not going to go to any term license model, we're going to stick with the perpetual license model. And some of our star perform factors with sale and replaced firewalls are going to be sold like firewall has sold. So based on all the analysis, [indiscernible] we will be building, a huge capability to sell our next-generation security, we feel very comfortable that we will be able to maintain the 20% billings growth rate over the next three years, as well as a 20% revenue growth rate over the next two years. I had the privilege over the last three weeks of looking at every one of your models. I read almost every one of your notes, and I can safely say, that this 20% guidance is above the average of most of the models out there on the Street, both in revenue and billings. But we stand behind the commitment that we believe we can grow our billings and revenue at roughly 20% growth rate going forward. An important part, I'd like to highlight one of the shifts we are seeing, I'm sure you guys pay attention to product revenues for the [indiscernible]. We are seeing a shift where we're replacing our competitors firewalls boxes with software form factors of Prisma access. So what we've done is we've taken our VM's, our Prisma access sales and our firewall sales and said, what would it look like if we consider them all as an upfront sale and how would our revenues or how would our billings look like in the firewall category. So this is a combination of VMs, Prisma Access and firewalls. We feel very comfortable that we will be able to grow the firewall as a category billings by 23% over the next two years. Which we believe is still 2.5 times the industry growth rate vis-a-vis our firewalls are sold, then we think about product. I will sure point you to the fact that because we anticipate a large proportion of future firewall sales to be in the software form factor. There will be a revenue recognition mix shift, which will come through. But we still believe the category will grow at 23% over the next three years. Talking about the part, that we're really excited about, really excited about our next generation security billings. We were able to achieve $452 million in billings in Prisma and Cortex. So, what we call next-generation security. We're guiding to $800 million to $810 million of billings for FY ' 20 and we believe we will get to $1.75 billion by FY '22, resulting in revenue of approximately over $1 billion for next generation security revenue by FY '22. This is the part it takes some spending to drive that fast revenue growth but FY '20 -- FY '19 we've been able to manage the acceleration of our Prisma and Cortex revenues by being able to reallocate from our core business. We believe that we need to invest between $100 million to $125 million next year to keep driving that revenue growth at the pace we're committing to. But we believe thereafter, we will be able to keep getting operating margin leverage by 150 basis points in '21 and '22 and we believe the long-term operating margin for our business should be 25%. I know you've been discussing cash flow a lot about us. We feel comfortable, despite these investments, despite the shift towards more services like software-based services and Prisma access and VMs as well as cortex. We believe we will safely be able to generate $4 billion of free cash flow over the next three years, guiding to a long-term free cash flow margin of 30%. So before I talk about how we think about this, I thought it would be important also to tell you how we intend to use the cash. What we've done on M&A, as you've seen, there was a fear when I came to a month ago that this guy comes from Google is going to spend a lot of money and buy a lot of big stuff. Let me highlight the key tenants of my M&A philosophy. First and foremost, I prefer avoiding overlapping products. Overlapping products are dangerous. We have products in most categories. I'm not interested in buying other endpoint company, I'm not interested in buying the firewall company, because that requires [indiscernible] basis, two sets of customers and is no leverage for me, it's much more interesting for us to create innovation in the category and displace those competitors as opposed to acquire them, and just create scale. We believe we have scale in most of our categories, hence we don't need to acquire customers of overlapping product categories. We prefer targeting Blue Oceans. We like areas where there is not enough people, we like areas where we can ingest technology and deployed through our large distribution base, as opposed to go and participate in valuations, where there is a lot of blood and not enough profitability. We seek technology that will integrate across our platforms. If you look, we acquired RedLock or emerging RedLock and Twistlock into a common platform. We acquired PureSec, which is serverless to be integrated as well. We would acquiring IoT which will be integrated into our firewall capabilities, we acquired Demisto and which is being integrated into Cortex. So we prefer acquiring technologies we believe fill an important gap and also provide leverage to our go-to-market engine, because if you acquired disparate products, then you have to go train your sales forces on different go-to-market capabilities and different USPs for our customers. We prefer acquiring product excellence versus revenue, because they have to be at large multiple for revenue, that rather not, rather acquire, somebody has built a great product and it has good early customers exhibiting product market fit. Every one of our companies that we've acquired and I will talk about the slide in a second. And last but not the least, we focus on large TAMs. We're not interested in small towns unless there can be subscriptions, which can be added to our firewalls, which allows us to consolidate the enterprise. So with that strategy in mind, our approach in the first nine months, we force our teams to right integrated product lens in fact Zingbox, and Asheem already started talking about what the product integration could look like, because our first and foremost intent was to make sure that integration is done ASAP. We see as soon as we acquire -- one of these good technology best of breed companies are able to improve their business plan by approximately 40%, which is what we've been able to do with the Demisto pure sectors -- RedLock and many of our acquisitions. And we let their teams run their plays in the market with go-to-market support from our speedboats. Beginning month 9 and 24, we start introducing them through our speedboats to our core business, allowing us to get more leverage and more scale across the acquisitions and we target doubling their plans. Because of that, past 24 months, they become multiple accretive to us as a business, that's a M&A philosophy, that should give you a good sense of how we intend to use some of that cash flow and as Lee and Nir have talked about, we are going to constantly make build versus buy decision, so we can deliver best of breed to our customers. And if you believe that we [indiscernible] not going to get there fast enough we'll make acquisitions, but the acquisition will be guided by the philosophy I just laid out, in terms of smart product teams. And what is delightful is, I was just sitting early, I'm trying to count. Of all the acquisitions -- we have over 12 founders working in our company in our product organization from 12 months ago and they are all committed to be here over the next two to three years as part of Palo Alto Networks, so we make that a condition of our position. So they're supposed to stay there and we actually let them run their products, because we believe the fact that they were able to go out against all odds and build the great product and build a great business, it is incumbent and imperative that we let them run that product for us at Palo Alto Networks and to create the right circumstances, the right capabilities for them to make that happen. So that's our plan in M&A. So I thought what I would do is -- I would do what you guys would do and see how do we compare against the industry. We believe we are already the largest cybersecurity company and we're growing faster than anybody else in our space. But this is only half interesting. I find us even more interesting. If you take Prisma and Cortex which is our next generation security business. In the last 12 months, we grew our billings by 89%. The next 12 months we're forecasting a 78% growth, which we believe makes us the largest next generation security company, compared to all the people out there who enjoy robust valuation. I will leave the word robust. If you look at our forecast for FY'22, we believe we'll be almost twice as big as any next generation security company in our Prisma and Cortex category, whilst we're able to maintain our firewall business generating huge amounts of cash flow. So, I like to call this a ServiceNow slide. I also reviewed many Analyst Day presentations, and ServiceNow is kind enough to build this slide and I understand this is where analysts geek out, where this is something called the Rule of 40. You add your cash, free cash flow margins and revenue growth and for some interesting reason, over 40% is good and below 40% is bad. The only problem is, ServiceNow left us out of this slide. Probably we're not the -- we're the old 40 [indiscernible] firewall company, we're not the next generation security company, but we decided to make our own version of the slide, so at least we feel happy only look at this. And we're delighted to see that we rank second from the left based on our last 12-month performance, and we hope to stay far above that median of 38% over the next three years. So with that, this is what we expect from our Company in FY'22. We expect a 20% CAGR for total billings and total revenue over the next three years. We expect to get to $6 billion in total billings and $5 billion in total revenue by FY'22. We expect that $1.75 billion of that total billings will come from our next generation security services and approximately $1 billion of that will be revenue in FY'22. We expect to get back to our current operating margins by FY'22 with a long-term target of 25%. And we expect to generate $4 billion of free cash flow by FY'22. So from here simple matter of execution. With that, let me call my friend, Kathy, who can give you more specific guidance for FY'20 and for Q1.
Okay. Thank you, Nikesh. All right. So that's a lot, talked a lot about fiscal 2022 and about what we see in the coming years. Let me just put a finer point on what we expect for fiscal 2020. So, am I moving these slides or somebody else? Okay. Since it's a lot of data and information on the screen and these slides will be made available to you, I'm going to focus primarily on talking about the year-over-year growth rates. We will make these slides available to you following the call. So for fiscal Q1 FY'20, we expect billings growth to be between 15% to 17% year-over-year. We expect revenue growth of 16% to 17% year-over-year. We expect non-GAAP EPS to be in the range of $1.02 to $1.04, which incorporates net expenses related to acquisitions, including the Zingbox proposed acquisition, which we've just announced. For the full-year of fiscal 2020, we expect billings to increase between 17% to 19% year-over-year and we expect revenue growth to be in the range of 19% to 20% year-over-year. As Nikesh mentioned, next-gen security billings growth is expected to be in the range of 77% to 79% year-over-year. We expect fiscal 2020 non-GAAP EPS to be in the range of $5 to $5.10, which also includes net expenses related to our recent acquisitions. And finally, turning to free cash flow, we expect adjusted free cash flow margin of approximately 30% for fiscal 2020. In this slide presentation, you will also find some additional modeling points related to CapEx estimate, share count, tax rate, the impact of M&A on EPS. I'm not going to read them to you, but once again we'll make that available to you. So finally, we've summarized our fiscal 2022 guidance for you as well on the screen, Nikesh already covered this, but hopefully the format for fiscal 2022 will be easy for you to digest. And I don't think it's on the screen, so perhaps -- yeah, perhaps I should move it since I'm holding the clicker in my hands, sorry. So, while we are investing to capture significant market opportunity and we do see a gradual shift in durations, we expect it to be gradual associated with changing mix of our products towards more cloud and SaaS delivered products. As Nikesh mentioned, we're not anticipating a big bang event. And so, for the years beyond fiscal 2022, we're targeting our operating margins to be above 25% and free cash flow margins at least 30% or greater. So that hopefully will put some of your minds at ease. That concludes our prepared remarks. And now we'll turn up the lights and be happy to address any of your questions. Nikesh?
Are you guys happy yet? Come on give her a round of applause. Tough crowd.
Okay. We have people running mics. So I see some questions. A - David Niederman: Please state your name and your firm before you state your question, please.
Thank you. This is Jonathan Ho from William Blair. One of the questions I had is regarding the next-generation growth, can you unpack for us a little bit of the components that you see from that next-gen side? And maybe how much that ties to the investments that you're making? Thanks.
Yeah. Look, we're not going to break down the individual components just yet. But in terms of the investment, we -- as I mentioned, we've moved 1,000 people through acquisitions or through organic hiring. We've taken our Prisma and Cortex or next-generation security team to about 1,500 people out of 7,000 people, the highlights we ended FY'19 with. We anticipate adding more people into those categories, both for R&D and for sales. We feel reasonably comfortable that our core team is robust in the size. So we'll be making small additions to our core team but mostly we're focusing some of our newer hires into Prisma and Cortex. Some of that spending is also a full year impact of what we already invested going into Q3 and Q4 of this year. So some of it is a follow on from Q3 and Q4 investment, which we were able to manage with our budget for this year. But some of it is incremental hiring for Prisma and Cortex. In terms of across the board, I can give you color that Prisma Cloud is doing phenomenally well for us. It's really -- we need to be out there in front of our customers a lot more. There is over 20,000 -- 30,000 people selling public cloud between AWS, Azure, GCP and Alibaba. There's probably a few hundred cloud security salespeople in the world. So when we show up and customers and we show them a demo and saying, look, this is what you're not doing. They're, oh, yeah, I got to go cover my security needs and when I write applications, they're just not able secure themselves. So we're seeing really good traction for Prisma Cloud. I think Nir made it abundantly clear how excited we are about Prisma Access and how proxy style securing cloud-native architectures is not a good idea. So Prisma Access is the huge focus. Demisto has done well. Post acquisition it has followed the M&A slide I showed you in terms of expecting to double their business plan from where they are. So -- and XDR for us has done really well, because we got 250 customers in the first full quarter of operation and we continue to see more and more -- with the addition of third-party data ingestion. And the way we think about the ingestion, just to clarify, we just don't ingest data, we make sure analytics engine can ingest that data and provide analytics and suppress bad alerts and give you good signal and do data stitching. So, our ingestion philosophy is more a philosophy which works in building analytics around the data and then ingesting the data [indiscernible]. So I think across the board we anticipate robust growth, that's why we're comfortable guiding to an $800 million to $810 million number.
A lot of hands going up. Okay. Amber?
Hi, Ken Talanian, Evercore ISI. When I look at that $6 billion billings number, how much of that is from your existing product set? And what are your assumptions around kind of current acquisitions going into that and then maybe some of the future acquisition assumptions that build-up to that?
Look, as Lee mentioned, that we believe many of the cloud security products are not fully built in the market from a maturity perspective. If you look at serverless, serverless we think is 50% built, we bought PureSec, they have a product roadmap, which is a robust product roadmap in front of them for six to nine months. So we believe there will be interesting cloud security based acquisitions we might have to do in the future, which will fall in the M&A philosophy we highlighted. So, some of those bolt-on technology, which haven't been developed or anticipated, and our desire to build a cloud platforms for the future. But there is no major plug in that number for us to go out and acquire revenue to reach that $6 billion number. We feel we should be able to get there with the majority of the products we have in place with small bolt-on acquisitions as we see the industry [indiscernible].
Thank you. Shaul Eyal with Oppenheimer. Nikesh, you have put many concerns to rest over the course of the past hour, so.
So, one question I had in mind is...
But still have one. So go -- everything before the but is to be ignored. Yeah.
As we think about your targets heading towards fiscal 2022 and above, have you taken into consideration any changes with respect to channel compensation, partners, anything with a go-to-market? Or pretty much from our perspective, we should be thinking about it mostly at a status quo going further?
There are no major assumptions in there in changing any channel behavior in the process. We are seeing more activity in the channel by telcos and by SIs like the Accentures and the Deloittes of the world or AT&Ts of the world or Telefonica's of the world, they are becoming more active in cybersecurity. If you look at most of the landscape, every telco, every consulting organization is building very large cybersecurity practices because they're trying not only [indiscernible] they're building cloud practices. So if you go, this is the biggest fastest-growing segment of the SI and SP space. So, yes, we anticipate they will have a bigger role to play in how we are able to deploy some of our products in the future. But to us, that's just evolution of channel. If they end up doing more business, bring us to customers, we'll be there with them just the way we are with the [Optiv's] [ph] and WWT's of today.
Thanks. Saket Kalia from Barclays. Nikesh you talked about no transition to a term license model, for example, for the firewall business, which was good to hear. But you also even suggested that maybe some cloud products could be priced similarly to the firewall. I think we mentioned that quickly. Could you just give some examples of that and when that could actually start to happen?
So what I -- sorry, thank you, first of all, for asking the question. I want to make sure I clarify. Sometimes our sales teams bundle our annual products into three-year deals and sell them like they would sell it upfront cash payment, which allows us to get the cash flow just the way we get the cash flow for our firewall products and roughly -- three years is roughly the term for our hardware business in terms of contract durations. So that's all I'm saying that, some of the cloud deal end up being three-year deals instead of annual deals. So we still get the benefit of the cash flow, so which is why Kathy alluded to the fact that we're not anticipating large duration declines over the next three years. We believe -- I haven't said this yet, but I'm going to say it, we believe that the duration decline will be approximately 10% over the next three years and hence, we believe we are able to deliver -- we will be able to deliver the $4 billion of cash flow over the next three years.
Hi. It's Imtiaz Koujalgi from Guggenheim. Kathy, if I'm doing my math right, based on your billings guide for next year and your billings guide for the next-generation products if I back that out, it looks like you're guiding to the core business growing at about 8%, the firewall business, which is a big step down from the 24% product growth we had this year. Is that the right way to think about product growth next year in the high-20s?
Yeah. I think it's a little bit higher than that, but yes that's close. The reason that we are looking at this firewall technology as a group is because we're very excited about what we're seeing from our customers in terms of demand for both Prisma Access and our VM series. And so, that security category, which Nikesh showed up on the slide earlier, we are expecting to continue to grow at very rapid rates. Now, the mix may change a little bit in between there, but I think our forecast still holds regardless. And the firewall security itself, that in line security, that network security is still a very important component for all of our customers, but we are seeing great demand and great excitement about what Prisma Access can do by delivering that security in a cloud form factor really security-as-a-service. And so, we're very jazzed about our possibilities going forward in terms of being able to win deals that would have normally been one with firewalls, hardware with that particular product and we think that we're the only competitor that can really offer these various form factors to our customers. And so, we see a really terrific opportunity.
Just to elaborate on that for a second. You saw two examples, one Lee alluded to a very large retailer and we had a video from another. In both cases we were competing with firewall boxes. And we went in with Prisma Access with a differentiated strategy. These are very large deals, as I've mentioned, one of them was over $10 million, the other one was close. But in both cases, we were able to displace the hardware form factor for competitors because competitors did not have a software form factor. The good news is, the software form factor deployment is a brief. If you try and deploy a box in 2,000 locations in a retailer, it takes them a year and a half or two years. The software, we can get there in three to five months. So, part of what we are trying to do is, we're trying to actually force that shift towards the software form factor because as Nir mentioned, we don't believe our competition has the capability to deliver the solution via the software form factor, which allows us both to be differentiated, reduce speed of deployment, allow it to run across hundred on-boarding points from -- for our customers. So that's part of the assumption, which you rightfully captured. We're actually trying to engineer that bigger shift and trying to drive our business more towards the software form factor.
Thanks. So, one more follow-up, Kathy. On the long-term target, comparing what you gave us last time in 2017, you had free cash flow margins long-term below operating margins. This time you reversed it, your operating margins long-term are actually lower than your free cash flow margin targets. What is driving that reversal? Is it just more recurring revenues?
Yeah. Can I just clarify? When we're talking about long-term and I'm glad you asked this so I can get it out there for everyone to hear. We're talking four to five years, right? And the previous guidance that we had given, our long-term was much, much further out when we're sort of growing at the rate of the market is the way we described it. And at that point in time, we assumed that we'd be a much greater cash taxpayer. And so, that was the reason for the lower free cash flow margins. But we're talking right now long-term for us is about four to five years out. Okay? Thank you. And I said four to five, not 45. I need to be very clear and enunciate.
45 would be great guidance. All right. Somebody has the mic? There's question on this slide. David behind you.
And I saw a woman with her hand up. I want her to get a question, Fatima. Just don't ask us a hard one now. Just kidding.
I'll go easy on you. I'm Fatima Boolani from UBS. Just a quick point of clarification on the mix shift dynamics you're seeing in the core firewall business, is that a displacement dynamic or are you seeing the mix shift within the refresh of your own installed base? I just want to clarify...
It's more of a displacement dynamic. I give you one specific use case, but there are similar use cases in many places where -- whether it's a retailer, whether it's multi-branch situation or multiple mobile user situation. We have customers with 100,000 employees or more who want to go to a Prisma Access type solution for the mobile users. So, it's more -- it's mostly a displaced -- mostly a displacement of competition dynamic than it is a refresh of our data center firewall business.
Understood. So my real question is...
I know where you're going, don't worry.
I've spent three months pouring over every one of these numbers of Kathy, so I know exactly where you're going. Please go.
You talked a lot about automation in each one of the pillars of your corporate strategy. And so, if I think about your top 25 or your 25th largest customer spending close to $40 million per annum with you. I mean, how should we think about that with the automation opportunity and the fact that you expect to double the size of your business in the next four to five years? I mean, what are some of the dynamics there if your 25th largest customers already spending $40 million with you?
So, let me use Cortex XDR as a use case, right. We have thousands of customers who deployed Traps. The version of Traps four months ago was not collecting data, sending it to a central data lake, allowing us to do insights and analytics against it. We are able to go back to every one of those large customers and allow them to ingest data from there and give -- and upsell them to Cortex XDR. So this is a use case for us where we take their firewalls, we take their endpoints and say, why don't you collect the data across the board, we'll analyze it to you, we'll reduce the signal-to-noise ratio and we'll couple Demisto with it and be able to give you automation going forward. So, that's the use case, for example, we can take our firewall customers, our endpoint customers, add automation to this and that budget comes out of their SOC budgets, because every one of our customers is building SOC. SOC is the fastest-growing category with about 20%-plus growth year-over-year, where people are deploying more people and more data ingestion and more data logging spend.
And do you foresee that more coming out of the wallets of traditional managed security services providers you sort of offer these Tier 1 type capabilities? And are those dollars coming from essentially?
Those dollars are coming from both SOC dollars, if you will, there is such a category, but they are also coming from efficiencies we're able to drive for those SOC owners, we are saying, we can come in and instead of we put up some interesting numbers up there, you out 8 times and 50 times in terms of alert reduction. Traditional approach to alert reduction is hire more SOC analyst. If he can walk and say, I can reduce the number of alerts by 8 times and I can the reduce the number of alerts by 50 times, that's a huge amount of savings, which is coming out of the SOC analysts that people have to hire and very few of our customers are able to scale up their SOC to hire 300 SOC analysts because it's kind of very interesting. One thing I learnt, which I can talk about, very few customers delete policies. They are scare of deleting seven, eight of firewall policies because somebody wrote them with some wisdom in mind and the new guys says, oh, I'm not going to delete it. So there is the poor SOC analyst trying to interpret, why is that an alert? And the problem is, the alert keeps coming back because they have no ability to go out and remediate that and fixed that policy. So part of what Demisto is doing is, okay, we understand you don't like alerts, so let's automate this so you can start focusing on stuff that's important. That's why you end up with that 174,000 alerts and not that I'm a hacker or a bad guy, but if I understand how you prioritize the important alerts you should look at, I'll spend my time trying to figure out how to be under the radar. So part of our philosophy is, we want to look at every alert out there and the only way he can get there is through automation. Automation that works in the endpoint, automation that works in your firewall, automation that works in your SOC, so that's why if you notice, every one of our products has a large automation TAM because we believe we're going to take away from this services is the labor TAMs and put that into automation.
Hi, Sterling Auty with JPMorgan. So, one question for Nikesh and Kathy, and if possible, can I throw a follow-up question to Nir, if he still has his microphone?
Yeah. Our entire management team is here, of course.
All right. Fantastic. So Nikesh and Kathy, Nikesh you mentioned the 10% reduction in duration over the next three years, how much of that is actually going to be what you're managing that duration to versus what customers want? Because one of the positive feedback items that we received through the channel over the last quarter or so is, finally, Palo Alto being flexible on payment terms. And if God forbid, we do roll into some tougher macro economic times, I could see more and more customers perhaps wanting to only pay a year at a time instead of three years upfront.
Yeah. We are going to be very thoughtful about those trade-offs in terms of what sort of financial incentives do we have to provide in order to have our customers commit to us for a longer period of time. We talked about last -- that issue last quarter, and we talked about the fact that we were paying very close attention to the economics of deals like that where our customers really wanted to only pay us a year at a time. And we're going to continue to do that. And if our customers demand more and more of that, obviously, we will adapt to what our customers are wanting. But we actually find that there are a lot of customers who are very comfortable with the way they pay us today very comfortable with our billing practices to date. And so, we're not seeing this huge surge of demand. It tends to be occasional request that we handle on a one-off basis. Potentially it could become larger in the future and, of course, we'll adapt to that over time. But the big shift that we've been talking about -- I'm sorry, Nikesh, is really driven more by the mix shift of the products and primarily the growth of Prisma Cloud, which we talked a little bit about last quarter having shorter contract durations, which we talked about.
And sorry, just to add to that, I've discovered over the last 13 months, the industry has certain compensating mechanisms already in place. And there are customers who want to pay on an annual basis and the industry -- the channel wants to facilitate it. They figured it out with some sort of financing and they show up at our doorstep with the entire contract durations worth of cash flow. So, it's been around for a very long time, and there are many enterprise companies which have financing arms and all different kind of tactics to enable that cash flow generation. So we haven't assumed any of that stuff, we believe that life will go on as normal. But I have the inevitable Nir here, you wanted to question.
Exactly. The follow-up, Nir, when you were talking about proxies, you did Gen 1 kind of Gen 2, but when we're thinking about Prisma and the competition going forward, you didn't really kind of call out the name. So I want to be very specific in terms of understanding who you think...
You think we didn't call out the name. Okay.
Nikesh, you touched upon. Who do you think is going to be the core competition in terms of Prisma Access moving forward? I mean, we all think probably Zscaler is going to be part of it. But what about the Akamai and the other companies that are in that space? And what do you think happens to kind of the traditional firewall vendors, do they all get squeezed out or do they come up with offerings as well? Thanks.
Yeah. I -- so I think the competition is Zscaler. However, I strongly believe that the right architecture and the right products at the end of the day win. And we've been told that may be multiple times, right? FireEye, for example, right? A long time ago, FireEye came out of the market and they had this idea of running sandboxes and signatures are dead and the entire world is going to ship to FireEye and some of you even bought that story, but it was the wrong technical solution. First, sandbox is not going to replace everything and second, from a technical perspective, a sandbox needs to do prevention, no detection. It has to be in line and it has to be across entire infrastructure, which means it needs to run off the firewall. And that's why they went their way, we went our way and we all know how it ended up for both of us. So, I think that we're facing the same situation right now. There is the right technical way of doing something and the right way to deliver a product to the market, then there is the wrong way. And proxies have always been the wrong way and firewalls have always been the right way, being in the network, part of the network, being a packet-based device, participating in routing, participating in network optimization, and being able to support all applications, not just few applications, not breaking applications. I don't know if you know, if Microsoft recommends that when you use Zscaler, you turn -- you don't use Zscaler when you go to Office 365. Why? Because it breaks Office 365. Because that's what proxies do. And it's their own technical solution and I strongly believe that the right technical solution will win. Now, if you look at what's involved in Access in the modern access into the cloud and back into the infrastructure -- into their corporate infrastructure for mobile users and branch offices, you need to do a lot of different things. And our competition today, different competitors do different things. I don't see a single competitor that does both the application security part of it, the firewall side of it, the CASB side of it, the SD-WAN part of it, they are back to corporate side of it, I just don't see anyone that has the complete portfolio to be able to do what we're talking about. Yes, there are the firewall vendors, the firewall vendors, like I said, are still busy figuring out why they can't sell their hardware against ours. While we've been spending the last several years building our virtual firewall and building our cloud-delivered firewall to a point where I just -- it's just -- they are three to five years behind at least, plus the amount of time they are behind our hardware firewall is, I just -- I don't see competition from them.
What Nir means to say is, we respect our competition and we are glad that we're able to build amazingly large businesses and serve the customers' needs with cybersecurity. I think that's what he said.
Matt Hedberg, RBC. It seems like every other question of investors is macro, you guys delivered strong results, obviously, some very large deals this quarter and the guidance on a multi-year view is very strong. I guess, Nikesh, when you're out talking to executives, what is the pulse of buying behavior out there right now? And then I have a quick product question for Nir as well.
Yeah. What's interesting and maybe I'm going to ask our President, Amit Singh, who you have not seen in this context. He can talk more because he has been out there on the road grinding away. So you guys get to tell the good stories, I get to go out there in the field and grind. So, let's have you come up. So...
Hello, everyone. The climate for cybersecurity is quite strong, the acquisitions. It's driven by all the challenges you see in the papers and buying behavior is actually quite solid. The movement towards software and software-delivered is a real one, so -- and we are actually very, very excited about the products that we have, both on the product side, as well as the service delivery side of it, because these are cloud-delivered solutions, it's a backdrop that I come from. And interesting, when you look at any trend, whether it's how many software startups were funded, cybersecurity startups, all the way to the actual market spending, it's very, very solid. Your question was, I think, on the macro picture. We haven't seen any slowdown. We haven't seen slowdown, you saw some of that numbers we shared around pipeline, pipeline growth, partner generation pipeline and clearly, our Q4 performance is a measure testament of being able to hold the core business, while being also able to generate brand new businesses and scale them.
And then maybe just a quick product question. Nir, when you think about consolidating security spend, what's sort of your view on identity? It's -- obviously, it's a hot category out there. What role is identity have in the Palo Alto platform?
Sure. So first, most of our customers integrate our network security with identity, because identity needs enforcement, and in most cases, the firewall is going to do a bit of thing that performs the enforcement. Actually, the only case where it's not the firewall is when you access SaaS applications. In all other cases, it's the firewall that enforcing the identity, sometimes the applications themselves as well. So that's the rough identity. Now, if you look at the market today, I think most of the market is focused on what's called hygiene, meaning who can connect and who cannot connect to an application, which is interesting but it's becoming commodity. I think the most interest -- the more interesting part of Identity is identity analytics. So being able to take identity events and figuring out attacks from the identity. So that's -- I think that's one area that's not being addressed today by the market and is an opportunity. I think that's the other side of identity that is still yet to be decided by the market is, how do you do machine-to-machine identity, especially in the cloud. And I think the jury is still out on that and that's -- that could be one day an interesting thing to look at.
Hi, Phil Winslow, Wells Fargo. Just wanted to focusing on the firewall platform billing slide and there you break out your firewall hardware versus Prisma and the VM series, we already -- so we talked a lot about Prisma Access here today, but wanted to focus my question on the VM series. One of the questions I get a lot from investors is attach rate of VM series and attach rate of firewall in the public cloud environment. And so, it's kind of question to the whole team here is that, one, how are you thinking about contribution VM series to the forward billings? But also, where are we in terms of increasing attach rates of VM series and call it your hybrid cloud, multi-cloud security?
Quick clarifying question, what you mean the attach of the VM series?
The -- instead of call it like the out-of-the-box firewall that you got -- get from a cloud vendor, Azure, AWS attaching actually VM series to that workload and the like.
So we're very pleased with the VM series and how it's done. The -- when it first came out, we were focused on the private cloud use case because at the time that was the first generation of cloud, and then it's evolved really well as more workloads have shifted into public cloud infrastructure. VM series today supports all of the major cloud vendors in US Azure, GCP, Alibaba. It's evolved in a number of ways that are very specific to cloud in terms of how we integrate it with different orchestration platforms, how would do automation. We're the only security vendor, for example, especially supported with Terraform, which is one of the main sort of multi-cloud automation orchestration tools out there. We are sellable to all the marketplaces. And we actually have a very nice business and growing business with VM series being consumed through the marketplaces. So, there is a lot of really good things that are happening there. The -- I'd say, the only sort of challenge that -- may not the only challenge, but big challenge relative to your question is, a lot of companies will first try to get by without real security. And the -- through various mechanisms and often is through unfortunate events where something bad happens to a company that triggers the people to actually really go back and pay attention. But that's the only challenge is sort of getting people over the hump of trying the thing that they think might be good enough before they realize that what they really need is best-in-class security and understand that we can do the cloud integration aspects that they also knew. Okay? A question here.
Great. Karl Keirstead at Deutsche Bank. First of all, Nikesh for a guy who a year ago said that you no longer giving annual guidance only next quarter, thank you for the reversal.
Appreciate it. I'll -- adaptive dynamic earn. Yes.
I wanted to, let's say, stress test your confidence in 20% billings and revenue growth over the next three years. And, I guess, I'm saying this in the context of you having just put up a quarter where you grew both metrics by 22%. So you just put up 22% and you're saying you're going to grow 20% for the next three. At first that sounds a little bit optimistic, especially given that you're on stage as well talking about a hardware to software form factor shift, which if we look at firms like F5 and others that are going through this. It tends to be quite dilutive to your overall growth rate. So, is it that that form factor shift you expect only to be quite gradual and you can kind of skate around it? Or is it that you're emerging products are just growing so damn fast, but despite that you can still get to 20%? Thank you.
First of all, thank you, Karl. If I'm allowed to clarify, I was not comfortable giving guidance when I walked in because I didn't understand the levers of the business. Nor did I understand the industry and nor did I understand the levers of the Company, and I hate to stand up on stage and comment on behalf of 7,000 people without having some degree of confidence and comfort in our ability to deliver. So, I appreciate you guys and during the last one year of our quarterly guidance, but I think hopefully we have given more guidance and put a large news around our necks. Now, we have to go out and deliver this stuff. So, thank you for reminding me of that. In terms of our comfort level, I want to parse your question into two or three parts. One part is, we are seeing unabated growth in cloud, generally and I alluded to the fact that there is not enough cloud security out there and there has not been enough people enumerating the need for cloud security. I will not take the name of the customer but there has been a recent breach, where it was a cloud breach. And I can tell you that got the phones ringing because people suddenly realized that you can have cloud breaches, even though you are using a public cloud provider, security cannot be used as an open source set of tools. You have to go find a security product to secure cloud instances as you start putting more and more important crown jewel data out there. So, we believe that that's going to drive more of the VM use case, we believe that's going to drive a lot of the Prisma cloud use case. We're also seeing -- as the question was asked and then Amit answered. We're also seeing a lot of re-architecting going on as people go through their re-architecting of enterprise. If you look at companies, right, there is no CIO out there who is not thinking about how do I go to the cloud. So this is very important. So if I'm going to the cloud what do I do with my enterprise IT, what do I do with my security? How do I rethink it? And as they're rethinking it, they're rethinking their branches. You go to a retailer, retailer needs to put a lot of bandwidths into their branches. In the past, there was little bandwidth, you needed your POS systems to work, all that's you needed. Today, they want AR and VR in the store. They want to move customer data back and forth, suddenly they need security in the store. So we believe there is some degree of new use cases being created, which is driving some of the confidence we have in some of our newer services. And we believe our core business continues to be strong. The underlying core business and the customer base continues to be strong. We fully realize that we are going roughly from, let's say, $3.5 billion number to a $6 billion number, which means we have to kind of double, as I've said, there's only one way to double, have more product or have twice as many salespeople, I hope that there is twice many customers out there that you can get. So we think the balance is right and we should be able to execute. We've done a lot of investing in FY'19 in Q3 and Q4 and ramping up both our core capability as of some of our speedboat capability, now we're stretching our team has got to deliver. We'll give it our best shot.
Pierre Ferragu, New Street. Nikesh, first of all --. Pierre Ferragu, New Street. Nikesh, first of all, thank you very much for not changing your business model. It took me a very long time to figure it out and I spent…
It taken me 12 months to figure out, then I had to go figure out what the other guys…
What have done so far. That's great. And it gives me the opportunity to ask more of a product question to Nir. And so, you explained very well how you plan to completely crush all proxy-based competitors. And I was wondering, and you've defended it very well all the -- all what you have already in your development in the next-generation firewall and all what you've done from there. But I was wondering how you transfer that benefit to technologies you're acquiring. So, for instance, if we look at the components of Prisma Cloud, when they came in first day what did you do? How did you integrate their technologies with your existing technology? How did they benefit from that? And then your clients using it, how does it benefit from having a Palo Alto Networks firewall and having Prisma Cloud in the same environment?
Yeah. Thank you for the question. So, Nikesh mentioned a couple of the principles that we now apply more vigorously in terms of the incoming companies, level responsibility we give them, the expectations we put on the founding teams of these companies to continue to execute, as well as to build an integration plan. And it's interesting you asked about Prisma Cloud, that was formed out of the basis of two acquisitions, Evident.io and RedLock. The integration of those two together took us about four months. Four months to integrate two products into a single platform. It now forms the foundation where we'll be able to then further integrate Twistlock and PureSec into that platform continue to extend it out. Again, pulling the leadership teams of the companies into this together in order to make sure, and then building an execution plan that includes the integration that we all agree on very quickly after the acquisitions happen. And we're very much in the midst right now of executing on that with an expectation that by the end of this calendar year those will now be new modules in the Prisma Cloud platform. So, a lot of this is around giving the right people the right responsibility, the right accountability and then executing. And we're showing that we can do this a very good success. On the customer side then, what they're seeing is, very easy adoption of additional cloud security capabilities showing up in the same platform that they're already used to. They simply get to consume and deploy against our cloud workloads, which is a very powerful a go-to-market and adoption aspect that the products are enabling.
Yeah. Another example will be XDR. So we bought an EDR company, we bought in NTA company, right, Secdo and LightCyber and integrated both together. Nobody believed we can do that. Nobody believed we can take network data, take endpoint data, combine them together and generate meaningful analytics based on that. And we're the first one to do it, and like I said, EDR, NTA as their -- and they're don't make sense and now we're going to integrate -- we plan to integrate more and more things into it. Now, the other type of integration that we have, which I think we partly ask about is, when we buy someone like Zingbox, or we develop something like DNS security, it becomes a service that is attached to our firewall. And all the customer has to do to use it is to flip a switch. You flip a switch and you use the service, and you test it for a week, a month, whatever, you like it you buy it, you don't like it, you don't buy. And most customers, they're turning to and they see things that they just can't not buy the product. And the interesting thing is that, those services apply to all form factors. So if you have a physical firewall, you do that, if you bought Prisma Access, you turn in and you do that. If you went with a competitor, with a proxy competitor and you want to do IoT security in the branch, which you do, like you need to secure printers and you probably have IP phones and video cameras and other things connected to the network in the branch, what do you do? You have to go to an IoT security company, you have to the buy their product, you have to deploy it in the branch and you have to do deploy it in 2,000 branches, if you have 2,000 real points and somehow operationalize it. With Palo Alto Networks, if you are a Prisma Access customer already, you turn on a switch, immediately it applies to all your branches, you like it you buy it, you don't like it you don't buy it. It's that simple. Okay?
There are other question right next to the gentlemen.
Hi, it's Keith Bachman from Bank of Montreal. Nikesh and Kathy for you, is M&A inclusive or exclusive of what you just put up on the board? And what I mean by that is, as we think about the revenue outlook and billing outlook, I assume that the context of that is mostly smaller deals probably don't move the M&A, but I just wanted to see if you could clarify. And it relates to you as well Kathy on the margins, this year you're suggesting that margins go lower but thereafter, they'll move higher. And so, is that again M&A neutral? So if you do some deals you might ask for forgiveness for the margin growth that you're suggesting in the outer years if in fact you do pursue M&A even some smaller deals that might pressure those margin. So, inclusive or exclusive is the shorter question of M&A?
So to give you a framework, it's exclusive of any large M&A, which has a significant revenue acquisition component. So, if you go buy a company for $100 million of revenue, where -- that's not part of our plan, as I said to the gentleman earlier, there is no plug in these numbers that we're going to be acquiring $200 million, $300 million revenue growing at 50% right, that is not a bad stuff. We're not looking for M&A as a strategy. We're looking as platform as a strategy. Now, in the platform context, if you think about, are we better off going back and, for example, we built Cortex XDR from the acquisitions. We've put it -- we got the teams to integrate. We didn't sell it for six months. We got them to integrate and sold it after. They put it together. Twistlock, RedLock, PureSec, we integrated and we're deploying it across our platform. So if you find there is a product need and a product market fit that needs to be integrated across the platform that stuff will have to be acquired and we'll keep you posted as we acquire them, what the impacts of those are financially. We have not built any expectation saying we're going to be doing $500 million of acquisitions every year and it's going to have certainly EPS impact, we're going to take that and take into these numbers. These are raw numbers, organic, Kathy has told you FY'20 has a $45 million M&A for this year, after one year we roll that into our organic numbers. So FY'21, 2022 there's no -- there'll be unless we do something between now and then there is -- those will become organic numbers. One thing I think there was a clarification question which I want to announce publicly, somebody asked a question about the duration of 10%, is that every year or across three years? The answer is over three years, not every year. I'm trying to keep my friends out of jail, I heard that broadband is poor in Jail, so. And still on MPLS.
Sounds good idea. My wife just watching the [indiscernible] black last night. So I don't want you there. Michael Turits from Raymond James. Question on -- for Nir and Lee, you guys talked about SD-WAN and SD-WAN is big and a big part of what Fortinet has been talking about for some time. So I'm trying to think about, first of all, how do you become an SD-WAN player? What are you going to do with it? Is it similar I think to what Fortinet is doing and saying, hey, we can do this too and function the SD-WAN? Or are you going to use it to help improve GlobalProtect cloud services networking component, because that's also a big place for Zscaler wins is by doing networking that they say salespeople money?
Yeah. Doing networking with a proxy, that's interesting, but...
He doesn't need any more encouragement.
I just want to get him proud -- I have seen him perform for a while.
Yeah. So SD-WAN, SD-WAN -- so maybe 30 seconds on what SD-WAN is. So, just a word on same page. As applications move to the cloud and it stops making sense to the MPLS, you want to -- you start using regular Internet connection through IDSL, cable modems, whatever, D3s, E3s, whatever you can get. The challenge with that is that, they don't provide you the same reliability and performance guarantees that MPLS does. So, all of the sudden, you start relying on applications in the cloud like Office 365 and G Suite and Salesforce.com or your own applications in public cloud, but you cannot get the same guarantees. So SD-WAN is about taking multiple Internet connections like a DSL from one provider and a cable modem from another or 2DSL or a DSL and LTE or 5G, so on and so on, and somehow doing some kind of networking tricks on them such that with the tool or more links you can get to the same reliability and the same guarantees more or less that you get from MPLS, of course, at a much lower cost, much higher bandwidth, which is what those applications in the cloud need. Now, there are multiple ways of doing that, you can do it in the branch itself, meaning you can take the firewall that is in the branch and you can add SD-WAN to that firewall and do that -- those networking tricks to make those multiple Internet connections appear much more reliable. And we're doing that, meaning we are building that and that's going to become a subscription on top of the firewall, that's like Lee said, where if you deploy our firewalls in the branch, we do that and in that respect, it's somewhat similar to what other SD-WAN vendors are doing, of course, with a differentiation being much better security. Right? We always weigh in on security. The other option to do it -- and which we do today as well with SD-WAN partners and we'll continue to do is to use SD-WAN to bring the traffic to Prisma Access. Prisma Access, which is a bunch of firewall deployed in the cloud, need the traffic together. Now, you can do it with traditional IT sector or something like that, a much more efficient way to do it is with SD-WAN. So your program your SD-WAN your software-defined WAN to bring the traffic to Prisma Access and then you do all the security work in Prisma Access. The advantage of that is that you don't have to deploy a new security box in the branch every few years, because technology goes fail and you need to upgrade, which is kind of like painting the Golden Gate Bridge, right? You start, you deploy 2,000 branches, by the time you finish the 2,000, you have to start from the beginning, with Prisma Access you don't have to do it and that's what the real differentiation is. So doing SD-WAN in the cloud rather than doing SD-WAN in the branch and using SD-WAN just to bring the traffic to the cloud is the right way to do SD-WAN but for that you need to have something like Prisma Access, and you need to have a networking Prisma Access, not something that breaks the TCP connections and restarts them, which is not networking based. It's called a proxy.
Do I need to acquire? No like Lee said, we're building SD-WAN.
Erik Suppiger, JMP. Couple of questions, one on the free cash flow margins. Is the primary cause for the decline this year duration or what should we think of as the primary hit on the margin front? I'll ask the second question after that.
Yeah. The primary reason for the decline is the same primary reason you see for our operating margin decline, and that's the investments that we're making, not only organically to drive the new areas of our business, but also the M&A investments that we've made.
Which is why we expect it to turn around.
Okay. Then for Nir or Lee, XDR, is that product production-ready? How much of that -- how can we gauge the success of XDR from here? Because we've had Traps out there for a while. Is this something that's going to be a viable competitor to CrowdStrike at this point? Or how should we be thinking about that? And how much of that is getting sold outside of your installed base?
So, as we mentioned earlier, we're actually very happy with how XDR has done. Now, it's early. We announced it about -- and released about four and a half, five months ago. You saw the results for the first full quarter, number of customers we added. So, very excited about the initial market reception, customer reception to XDR. And the messages that we talked about here are things we're hearing from our customers. Very powerful -- the ability to integrate the -- and stitch the endpoint data with the network data. No one else can do that, no one else can give the end-to-end visibility, reducing the number of alerts, reducing the amount of time it takes them to actually investigate incidents. So all the things we said here are -- they're here because that's what we're hearing from our customers that have adopted XDR. Okay? The -- and the interesting aspect of this is, that is enabling us to really sort of change the conversation with our customers to one that is a very strategic conversation about the shift toward, not just endpoint protection, but the shift toward analytics and ultimately toward automation and tying that with Demisto. Okay?
So going back to the theory…
Proxy, almost similar. No. This is another case where I think that the right technical solution will win. EDR doesn't make any sense. It really doesn't make any technical sense to limit yourself to collecting data just from endpoints, limiting yourself to processing data just from endpoints and then responding back to the endpoints, where we all know that the Traps happen across the entire infrastructure. They can start in the SaaS application and then take over an endpoint and then propagate through the network and end up in the public cloud, where your data is. It -- the right technical way of doing it is to collect data from multiple parts of the infrastructure into one place, use your analytics, all your people or whatever it is to go through the entire data, find the attacks-based information in the entire data and when you find an attack, it doesn't matter where the signal came from, you want to respond back to the entire infrastructure, which is kind of where Demisto comes in, responding back to the entire infrastructure. And I just don't see the competition doing that. I don't see the competition doing more than just basic endpoint data collection and response. So, assuming we get the right marketing and the right sales and marketing around it, go-to-market and there are some missing product features, I think that next time we'll be able to talk much more about where we are versus the competition.
If I may elaborate on that from a market activity perspective, and given that we've only had 4.5 months worth of great experience with the product in the market against the competitor you mentioned, we -- remember 12 months ago, we didn't have a dedicated sales force that could compete in terms of on a point-by-point basis against some of these competitors because we had a core sales team, which was aren't as fully adaptive selling this product. Now that we have speedboat teams out there, it's fair to say, we saw CrowdStrike in between 25 and 30 deals, which were in our installed base, because that's why we went after first, and I think the number is we were able to beat them in 75% of the deals we saw them in our installed base. Again, it's one data point. But we're slowly getting our act together and getting better at this stuff. But six months ago, we didn't have a product. Traps would not compete against EDR because Traps endpoint protection did not do an XDR. We launched XDR, we've made Traps free. We have thousands of customers using Traps. Our first target is go to the customers who already have Traps, they already have a Firewalls, who better than them to make sure that they can buy an XDR and we're delighted that 75% of them were CrowdStrike [indiscernible] more deals than we do because they have a larger sales force, but we're delighted that we were able to beat in 25% -- 75% of those deals.
Thank you. Shaul from Oppenheimer again. Maybe question for Amit or Kathy. European performance were as -- it has been quite stable over the course of the past probably two years now. I think this quarter and last quarter, not as strong as we have seen before. So, is it a macro issue? Maybe a UK-specific issue? Maybe tightening -- tying it to a former macro related question that was asked? Thank your.
It's just a great opportunity. Really -- it really is. Europe strong adopter of -- cybersecurity is actually on the headlines and there is national legislation in countries to go fix it. And we're just investing in the team, giving them resources, we love the leadership team there. So it's actually a growth opportunity for us to do -- continue to do well and actually do better in EMEA.
All right. We got one in the front and then two in the back on the right.
Thanks. Andy Nowinski with Piper Jaffray. So, the question with regard to Prisma Access. At the Gartner Security Conference, a few months ago Zscaler was on stage at the keynote and they had a few customers on stage as well, that said, they tried your GlobalProtect cloud service, which you're now calling Prisma Access and didn't get the performance that they were looking for. It wasn't scalable. I guess, can you just talk about how you've changed or fixed the performance in the architecture?
We -- it was a company, it was not existing customer. And they had actually selected said competitor. So we had an opportunity to get in one last chance and they told us the same thing. And we said, can you share with us the test that you're doing? And it was provided by the competitor and it was a flawed test. We were able to show them how it was a flawed test and after they readed the test to no longer be a flawed test, Prisma Access performed wonderfully. And that was before the most recent update to Prisma Access where we now have over 100 on-boarding locations around the world. So, we are very pleased with the performance of -- performance capabilities of Prisma Access as a globally deployed cloud solution.
And as the video you saw, which talks about a million employees and hundreds of hospitals, they ran a full POC against the same competitors. So hopefully --. Sorry, which is already deployed. Yes. All right. Question in the back and we're coming to the end of our Q&A session. But we will take a few more questions some there and then, let's go to Brad first. I don't want to end on Brad.
This is a fantastic presentation today. My question is actually really simple. Three months ago, if we listen to your remarks in your earnings call, you talked about a transition.
There is not much of a transition.
Good question. I'm glad you asked it. Four, five months ago we were going full speed ahead analyzing every which way we can make this transition to a fully ratable model. And when we sat down and looked at it from an accounting perspective, a legal perspective, a go-to-market perspective, we would have to impact the channel, our salespeople, we all step back and said, okay, why are we doing this. Our customers are buying billions of dollars of products from us. They have a motion. Our salespeople know how to record it. How to sell it. And we sat down and said, we're doing it because the industry likes our models, our software models. I personally like money upfront. Cash flow is a good thing. You go out and hunt, use some this year, rest of them you put in a cold store and use it in year two, and year three. Why do I have to go hunt every year if I'm going to go to analyze model? So, we just felt that we were trying to unnaturally change the Company's business model and transition to a place, which is more akin to a pure software SaaS ARR-based model and we are -- it's kind of a hybrid business. We have a firewall business very strong, and we're building the next-generation security business, which we believe is going to be very strong and some of the characteristics of this we really like. We like the upfront cash, we like the cash flow that this brings us. We like the fact that it gives you long-term deferred revenue, which allows you to be amortized. So we decided that we're better off going this way. So this is why we're here. And then we were comfortable that we've analyzed everything -- every Sunday. This Analyst Day has been in the making for six months. Right? We've been trying to look at what we want to come and tell you, what's important, what's not important. As I said, I probably will never read as many research notes that I've read in the last six months from all of you guys, apologies to you, but I have a day job. But I did read most of them, and I did read, but you guys have concerned about, and I understand why you like those models. But if you got to run the Company, you'll be the owner [ph] of the company and the way the customers want us to deliver the product. So that's why.
Srini Nandury, Summit Insights Group. Nikesh, recently VMware acquired Carbon Black and...
Yeah, yeah. I know VMware very well.
Okay. So the question is this, we are trying to make sense of how the landscape is going to be evolving, It looks like VMware is going to be acquiring more companies in this space and what does this mean for the whole security landscape going forward?
I can't comment on VMware strategy. There are lot of people who believe security is important, right? And they're all stepping up their acquisitions and security. And I think that's probably accurate. You will see a lot more acquisition in this space, because I don't think 2,500 vendors are going to survive. One of the questions early gentlemen asked was buying behavior. I firmly believe in the next five years, you will see more consolidated single vendor buys than you will see multi-vendor buys. 800 EBCs at Palo Alto Networks where customers show up and I haven't seen a customer who's actually espouses desire that he wants -- he or she wants multiple vendors to be able to secure their environment. They're looking for a solution which integrates across multiple solutions. So, if any company out there, whether it's VMware, or whether it's Microsoft, whether it's Broadcom can actually take products and integrate them. I think they're going to win. So, the question is not acquiring, we can all acquire companies. Acquisition is the easiest part. The question is, can you actually integrate them? Do you actually get leverage from integrating them into your platform? Acquiring a customer, putting them in an ELA and making them free or being part of your large, what is that, I hear that platform level. So there is a new term you will hear soon in the security space from ELAs to PLAs because people have disparate products security and consulting and chips and you could put them into a PLA now, it does not have to be an ELA anymore because it's more than an Es to P. But those are interesting parts. I think the true need of the customer is an integrated platform. So people can deliver integrated platform more part of them. Again, as Nir just articulated, you need firewalls and endpoint to be able to work together to be able to do next-generation security, similarly you need container serverless public cloud workloads to do it together. And I will tell you, the anecdotal and I apologize if it doesn't apply. When I worked at Google, one of the businesses we started to go after was display advertising, it has nothing to do with security. And Google had no horse in the race. They didn't want a display property. Microsoft had one, Yahoo had one. And they're both very good at selling their own display properties, but they were not good at cross market selling because typically they defaulted their own product. And my concern is when you start looking at cloud native players, like AWS or Azure or GCP or VMware with their own sort of hybrid solutions, you default to better integrations and better alignment with your core product and you don't do as good a job of across industry security solution, across industry products. So, our hope is we'll be the platform of choice across multiple platforms as opposed to platforms that integrate security and trying to bundle it when you buy their platform. So, if I don't want to deploy VMware, would I be deploying Carbon Black today? I would have. I may have. Tomorrow, I suspect the integration is going to be stronger. I'm not sure which strategy gets me more revenue, maybe gets me more revenue given the scale but I think the long-term outcome is that, you want a multi-platform solution, which is somewhat platform agnostic. So it can actually make it work better for you across multiple cloud platforms. All right. Last one or two questions. Wow, I want to make sure you guys don't leave here with questions and answers. Go ahead. Up front. I'm sure I read about it tomorrow or the next week, like why didn't they ask the question guys.
We'll do that out in the field not here.
So, I'll give you some data point and then I'll have our product leadership answer that. I went back and as part of preparing for the Analyst Day, I looked at the enterprise IT spend of the last seven years, right? Because it's typically the end-of-life for most IT infrastructure between seven to 10 depending on what it is and where you buy it. There is approximately $1 trillion, $1.2 trillion a year, that's been spent on enterprise IT. The reason I go to track that is because I think security is 3% to 8% of that number, right? In financial services, the government goes to 8% because they're very security conscious, others go to 3%. So if you think about it, there is approximately $12 trillion to $15 trillion of plant out there in enterprises, which is IT infrastructure plant. I just put a slide up there, which is a Gartner slide or Goldman Sachs slide, I don't remember those, Goldman Sachs, maybe it's from this morning, which talks about the cloud disruption opportunity of $1 trillion in 2023, right? So, either you're telling me that we're going to stop spending an enterprise IT and the IT entire is going to go down and all we're going to do is, we're spending in the cloud. Or are you telling me, people are still going to spend $1 trillion to it, growing at 3% and a lot of that is still going to go to enterprise IT. So, I suspect this transition is going to take longer than we think that people are still going to be spending enterprise IT. Now, not in the margin, it may be smaller number because people are shifting to the cloud and what it doing is two things, one, it's making people reevaluate as I'm going to make that shift to the cloud, what do I want to buy that allows me that transition, and that's why one of the large retail as we talked about, they're going to the cloud. They don't want to just buy hardware firewalls, they want to make sure they can get VM, so the cloud instances they can get a cloud-delivered architecture to Prisma Access. So the question is, we expect this transition to happen in the next five to seven years, a lot of it. Do you have products that satisfy the three use cases? So data center use case, the transition use case to the cloud and then the new architecture towards the cloud. So we think that's why the product strategy is aligned towards this transition. We think that shift is going to happen. It will happen on a customer-specific basis depending how ready they are. It will happen on a industry basis. So shows us on the moving parts, but we think firewalling is around for a while for the people who are still investing in data centers. But I'll let my product colleagues elaborate on the...
Sure. So from a product perspective, the firewalls get deployed in lots of different places, they get deployed in the datacenter, they get deployed at headquarter gateways, regional sites, branch offices, and the -- some of those use cases are more attractive to shift the form factor. So, for example, applications moving to public cloud, the form factor toward would be software for lots of different technical reasons that are mostly sort of straightforward to understand why you want to do that. For example, you can't shift a hardware device to Amazon and ask them to deploy into your AWS account. You have to use software form factors. As we talked about for branch offices, retail, mobile users, there is a shift that we are driving with Prisma Access that we believe is a very good shift, both in terms of the customer outcome, as well as what they need and want to be able to accomplish. But there is still -- as Nikesh was saying, this investment in the enterprise infrastructure over the last seven-plus years, there will continue to be a lot of investment in that infrastructure has to be protected. So, particularly in the larger central sites, regional sites and the world will be hybrid for a long time, meaning datacenters there will still be a lot of hardware that will need to be deployed against that. And one thing we didn't talk about today, but it is very important is, in a lot of those places that I just mentioned, the performance of hardware starts to become really important, right? If you think about a large headquarters with 10 gig connectivity growing, you want to do internal segmentation or do segment of IoT devices and things like that, which that would be 100 gig, some of the larger datacenters, hardware still has a very important role to play in a lot of those core use cases.
All right. I think with that we'll call an end to the Q&A session. I want to say thank you to my management team here, who has been part of the journey and getting us here so far. I also want to use the opportunity to shout at our 7,000 employees around the world who worked hard to deliver the results that we are able to deliver and hopefully we'll keep working hard for the next three years to achieve the targets and beyond, to achieve the targets we've outlined. With that, it's my pleasure to invite you downstairs for some cocktails and some demos, instead -- in case you want to geek out in some of the products.