May. 13, 2025 8:30 AM
CyberArk Software Ltd. (CYBR)

CyberArk Software Ltd. (CYBR) 2025 Q1 Earnings Call Transcript

Operator: Thank you for standing by. My name is Kate, and I will be your conference operator today. At this time, I would like to welcome everyone to the Q1 2025 CyberArk Software Ltd. Earnings Conference Call. All lines have been placed on mute to prevent any background noise. After the speakers' remarks, there will be a question-and-answer session. [Operator Instructions] Thank you. I would now like to turn the call over to Srinivas, VP of Investor Relations. Please go ahead.

Srinivas Anantha: Thank you, operator. Good morning. Thank you for joining us today to review CyberArk's strong first quarter 2025 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer, and Erica Smith, our Chief Financial Officer. After prepared remarks, we will open up the call to a question-and-answer session. Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements, which reflect management's best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our projected results of operations for the second quarter, full year 2025 and beyond. I also refer to our expectations and beliefs regarding the integration of Venafi and Zilla Security into our operations. Our actual results might differ materially from those projected in these forward-looking statements. I direct your attention to the risk factors contained in the company's annual report on Form 20-F filed with the US Securities and Exchange Commission and those referenced in today's press release that are posted to CyberArk's website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. Additionally, non-GAAP financial measures will be discussed on this conference call. Reconciliations to the most directly comparable GAAP financial measures are also available in today's press release as well as in an updated investor presentation that outlines the financial discussion in today's call. A webcast of today's call is also available on our website in the IR section. With that, I would like to turn the call over to our CEO, Matt Cohen.

Matt Cohen: Thanks, Sri, and thanks everyone for joining the call today. We're excited to kick off 2025 with a strong first quarter that exceeded all of our guided metrics. This performance highlights not only the critical role identity security plays in the broader cybersecurity landscape, but also our team's unwavering focus on excellence and execution. In Q1, we achieved total ARR of $1.215 billion, revenue of $318 million, an 18% operating margin, and generated $96 million in free cash flow, a great quarter all around. Our results continue to demonstrate that identity is the new perimeter and that demand remains robust. With more than 90% of organizations experiencing identity-related breaches, security leaders recognize that identity security is a mission-critical imperative. CyberArk is at the forefront of this imperative, offering the most comprehensive and most effective platform for securing every identity, human, machine and now AI. Before I dive into the quarter, let's touch on the broader macro environment. As you can see from our results, demand for our solutions is increasing, and we continue to deliver strong growth. Despite ongoing macro uncertainty, we have not seen any impact on our business. Given the elevated threat landscape, cybersecurity remains a top priority for organizations. And within that, identity security is a non-discretionary investment. It is foundational to business continuity, customer trust and regulatory compliance. Of course, we are carefully monitoring the economic situation and its potential impact. And as we have always done, if we see any negative trends, we will be disciplined in our execution and make the necessary strategic adjustments. We have successfully navigated similar conditions before by staying close to our customers and infusing even more rigor into our go-to-market execution.
Importantly, we believe times like these push customers towards our platform and consolidation and, specifically, consolidation of trust. Our confidence in the underlying demand trends was further reinforced recently with thousands of customers in attendance at the recent IMPACT and RSA conferences. At these conferences, I had the opportunity to engage directly with hundreds of customers and partners in one-on-one meetings. The feedback was clear and consistent: identity security continues to be a top spending priority. Organizations are actively seeking to consolidate fragmented security tools, modernize legacy systems, address the growing challenges of machine identities, and get advice on how to integrate security from day one into their agentic AI initiatives. The level of strategic discussions we are having with the C-suite at our customers and prospects has never been more constructive and underscores the growing demand for our unified identity security solutions. I come away from these events more confident than ever in our vision and ability to win and drive long-term durable growth. I want to center our discussion today around three key pillars that anchor so many of these one-on-one conversations I have been having: first, the identity security imperative; second, our unified platform for every identity; and third, our relentless innovation. Starting with the identity security imperative. As I mentioned at our IMPACT conference last month, we are living and operating in an exponential era, an age where the speed of change, the scale of threats, and the complexity of digital ecosystems are compounding at a pace we've never seen before. The threat landscape continues to intensify with state-sponsored actors, cyber criminals and emerging threats like AI-driven exploits increasing in both frequency and sophistication. 
Identity is the connective tissue of every digital interaction across every user, system, cloud, and application, making it foundational to any modern cybersecurity strategy. With identity at the center of virtually every breach, it's crystal clear that if you don't have strong identity security, you simply don't have security at all. We are seeing the identity security imperative proliferate across the three different identity groups that our platform is purpose-built to protect: human, machine and AI. For humans, privileges have proliferated across the entire spectrum of identities, including IT admins, CloudOps, developers and SaaS admins. In today's dynamic work environment, every employee interacts with sensitive data or critical systems. Identity security requires us to reimagine privilege as a dynamic, contextual and tightly-controlled concept delivered across the workforce without friction. We're bringing layered, in-depth defense to every human identity without compromising user experience. Applying privilege controls against all identities is among the most complex cybersecurity challenges and our deep expertise and leadership position sets us apart from the competition, which you see in our results. When it comes to machine identities, a year ago, you heard us talk about a 45 to 1 ratio of machine to human identities. Today, it's over 80, and that number is still rising rapidly. These machine identities are granted access to critical infrastructure and sensitive information, yet they often operate without oversight. Without an identity-first approach to securing machines, organizations leave a massive blind spot in their defenses. Identity security is the only way to bring visibility, control and governance to this rapidly-growing attack surface. With the addition of Venafi, our machine identity solutions are setting a new standard on how to address this challenge.
And turning to AI, we are seeing AI everywhere, embedded in organizational workflows and opening the door to new use cases. It's challenging how privileges are assigned, creating new identities and becoming a force multiplier for both defenders and attackers. The need to secure AI agents, both autonomous and human-directed, is becoming increasingly top of mind. And as we dive deeper into the depths of agentic approaches, it's increasingly understood that securing AI agents is an identity security problem, not a data problem. The identity security imperative is clear, rise to meet the exponentially increasing threat landscape by securing every identity with the right level of privilege controls, which takes us to our second pillar, our unified identity security platform. Our platform starts with the idea that discovery and context is critical. Understanding what identities exist across human, machine and AI, their associated access rights, risk profiles, and appropriate privilege controls is foundational to any effective identity security strategy. Once discovered and onboarded, applying industry-leading privilege controls is the most essential step and cornerstone of our differentiation. Privilege controls that cover credential management, authentication management, session management, and entitlements management are the secret sauce of our platform and create a deep competitive moat against all competitors. Next comes policy automation, which is also crucial. Given the scale and scope of modern identity security, it's no longer enough to merely impose policies. They must be automated. We offer automated enforcement of contextual security policies to eliminate manual overhead, reduce time to value and support rapid scalability across complex environments. 
Along with policy automation, you need to automate life cycles, which is the ability to onboard and offboard dynamically provisioned entitlements and provide just-in-time access with the goal of streamlining security to reduce risk and ensure continuous compliance. And lastly, governance and compliance are essential for meeting the growing oversight, both within organizations and increasing regulatory standards being imposed by government organizations. As we'll talk about later, with Zilla's modern IGA, we are setting out to free organizations from the long-standing challenges of legacy IGA. These components are the building blocks and the unique differentiators of our platform. They are the blueprint for how we talk with our customers and partners. More importantly, they enable us to deliver measurable customer outcomes, reducing cyber risk, strengthening business resilience, satisfying audit and compliance, all while increasing efficiency and automation. This is why while customers may come to us hoping to solve one use case, instead, they often expand to secure additional identities across our solutions and consolidate on our platform over time. Moving on to our third pillar, which is innovation. At IMPACT, we introduced new solutions and capabilities across human, machine and AI identities. And I want to highlight a few of them one more time today. For securing human identities, we announced the availability of Zilla provision and compliant modules. Since we closed the acquisition, customer feedback has been overwhelmingly positive, especially around how CyberArk and Zilla can simplify access reviews and automate provisioning across modern environments. Both customers and partners recognize the powerful combination of having modern IGA on our platform and the synergies we are confident we can realize.
On the machine identity side, we announced our secure workload access solution, which combines modern workload identity management with CyberArk's Secrets Management capabilities for the industry's first and most comprehensive protection for all non-human identities that matter, giving security teams visibility and control throughout the machine identity life cycle. I did want to pause to quickly mention another key development in machine identity security around the lifespan of certificates. The Certification Authority/Browser Forum, which sets guidelines for certificate life cycles, recently voted to significantly reduce certificate lifespans from 398 days to just 47 days. Major industry players, including Apple, Google and Microsoft, supported this change, emphasizing the growing need for automated management of short-lived certificates. In an increasingly complex security environment, this is top-of-mind for our customers. At the recent RSA conference, this industry change drove more traffic to our booth than any other topic. Customers are realizing that the time to get this part of the machine identity security under control is now. The final major innovation we talked about was in the field of agentic AI. Agentic AI sits at the intersection of human and machine identity security. AI agents are machine identities that act like or on behalf of humans, proliferating at machine scale, gaining access to and granting privileges over critical infrastructure. As a result, they will require the same security principles as human identities and soon, billions of AI agents will require robust access controls, governance, and privilege management frameworks. To address the security challenges of AI agents, we introduced our Secure AI Agent solution, which integrates our platform capabilities with AI-specific discovery and context, privilege controls, policy automation, life cycle management and governance.
We expect this solution to be widely available to customers later this year. Additionally, we announced a strategic partnership with Accenture, integrating our identity security platform with Accenture's AI Refinery. Together, we'll offer customers out-of-the-box security for AI-driven agents, ensuring secure adoption of emerging AI technologies at an exponential scale. Beyond these highlighted announcements, we also launched major innovations across workforce, IT, developer and machine solutions that deliver incremental value and real-world security controls to meet the demands of the current and future threat landscape. The product and engineering team at CyberArk continues to amaze me in their ability to lead the market. As I said, Q1 was a great way to start the year, and I did want to quickly highlight just a few deals from the quarter to illustrate how we are delivering valuable customer outcomes across our platform, as well as an early Zilla deal. In a deal that showcases the power of our full platform, a leading US enterprise software company replaced a competing PAM vendor, prioritizing CyberArk's ability to deliver a complete identity security platform. They are boldly focused on just-in-time access and zero spending privilege to secure IT and developers, and a complete solution for the machine identities in a multi-figure, six-figure ACV deal. In another full platform deal focused solely on modern use cases, a leading US healthcare company wanted to secure modern cloud workloads for developers, protect their entire workforce, both the user and at the endpoint, and secure machine identities with Secrets Hub in another multi-figure -- multi-six-figure ACV add-on deal. We continue to see great momentum with Venafi, and this quarter, a Fortune 100 financial services company, who is a long-time CyberArk customer on the human identity side is now deploying all of our certificate lifecycle management and PKI offerings in a competitive multi-six-figure ACV deal. 
And in a great Venafi deal that demonstrates our cross-sell motion, PDS Health, a leading integrated healthcare support organization, who has been a CyberArk customer since 2019, built on that long-standing relationship, expanding further on the machine identity side with our Certificate Manager and Zero Touch PKI and a six-figure Q1 ACV deal. The excitement around Venafi deals continues to build across our go-to-market teams and stories like this are becoming commonplace as the business begins to scale. Finally, in a Q1 Zilla deal, we saw early success after the acquisition closed with a financial services company who landed as a new logo with a six-figure ACV deal, replacing a competing legacy IGA vendor. The customer highlighted that the acquisition by CyberArk gave them strong confidence in closing out this deal and starting their modern IGA journey. In summary, I want to leave you with the following takeaways today. First, the identity security imperative is real and accelerating. As the digital ecosystem grows more interconnected and decentralized, the threat landscape is not just expanding, it's evolving at an unprecedented pace. Organizations must respond. Second, CyberArk is uniquely positioned with the only unified platform for securing every identity and addresses a critical pain point for overburdened CISOs by simplifying identity security. Third, our relentless innovation is strengthening our competitive moat as we solve our customers' problems of today and the future. Fourth, cybersecurity spend and certainly identity is defensible in all macro environments as organizations realize the importance of protecting their most critical assets, particularly in this escalating threat environment. And finally, we are executing with discipline and confidence. Our go-to-market teams are an exceptional differentiator for us. Our continued execution and strong demand environment positions us to deliver strong growth and profitability. 
Now, I'll turn it over to Erica to walk through our strong financials and updated guidance.

Erica Smith: Excuse me. Thanks, Matt. We're off to a strong start in 2025 with our first quarter results exceeding all of our guided metrics. We delivered solid top-line growth, expanded operating profitability and generated robust free cash flow. As we review our results, please note that Venafi, which closed in October 2024, and Zilla, which closed in February 2025, contributed to our Q1 results of this year, but were not part of the comparable period in 2024. Moving to our results. Annual recurring revenue reached $1.215 billion. Net new ARR was $46 million, up from $37 million in Q1 of last year. As a reminder, Zilla brought to CyberArk approximately $5 million of ARR when we closed the acquisition. Lastly, fluctuations in the euro and pound created about a $1 million headwind to ARR in the first quarter. As Matt mentioned, the Venafi integration is progressing ahead of expectations. Pipeline continues to build and we are executing on the cross-sell synergies. Momentum in our machine identity business overall, including Secrets Management was strong in the first quarter, with Venafi and Secrets included in nine of our top 10 deals. As we noted on our last earnings call, we don't plan to break out Venafi's contribution separately, given that customers are increasingly buying across our platform and our machine identity solutions can include both Venafi and Secrets Management. The value proposition we outlined at the time of the Venafi acquisition is being validated by strong cross-sell into existing customer base, new customers being added and growing activation of our channel partners with several hundred certified since we closed the acquisition. Subscription ARR grew to $1.028 billion, with subscription net new ARR of $51 million compared to $39 million in Q1 of last year. Our maintenance ARR was $188 million. Like-for-like conversion activity remains a single-digit percent of our year-over-year ARR growth. 
As you saw in the release we posted this morning, we are now reporting revenue in two lines, a Subscription line, which includes SaaS and self-hosted subscription, and a Maintenance, Professional Services and Other line, which includes perpetual maintenance, services and perpetual license revenues. Given that nearly 95% of our business is recurring revenue and we expect our perpetual license revenue to represent about 1% of total revenue, we changed the P&L to better reflect the value we provide to our customers and to represent the way we look at our business. Total revenue significantly beat our guidance, reaching $317.6 million in Q1. For the first quarter, recurring revenue reached $298.2 million, representing 94% of total revenue. Our subscription revenue reached $250.6 million or 79% of total revenue. The outperformance in Q1 was from two primary factors: the strength in our overall business compared to our guidance and in a slightly higher-than-expected mix of self-hosted subscription. Maintenance and Professional Services and Other revenue was $67 million in the quarter. The business remains geographically diverse. Americas revenue was $193.5 million, EMEA revenue came in at $93.8 million, and APJ revenue was $30.4 million. We had strong organic and inorganic revenue growth across the platform in all regions. In addition, we're leveraging the strength of our salesforce to drive Venafi demand and experienced healthy overall growth, particularly in EMEA. In the first quarter, we signed about 200 new logos. Consistent with prior periods, we continue to see strong momentum in multi-solution adoption, with approximately half of new logos purchasing two or more solutions at land. This contributed to a year-over-year double-digit percent increase in new business deal sizes in the first quarter of 2025. All P&L line items will be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release. 
First quarter gross profit was $269 million or an 85% gross margin. The expansion of our gross margin was in part due to the higher self-hosted subscription revenue in the quarter, as I mentioned earlier. Our operating income was $57.5 million or 18% operating margin, well ahead of our guidance. Our operating margin expanded by 3 percentage points from Q1 of last year, even as we absorbed over 400 employees from Venafi and incurred approximately six weeks of expenses from the Zilla acquisition. We ended March with approximately 3,930 employees worldwide, including adding approximately 60 employees from Zilla. We had approximately 1,590 employees in sales and marketing at the end of the quarter. Net income came in at $50.3 million or $0.98 per diluted share, also ahead of our guidance. We generated strong free cash flow of $95.5 million or a margin of about 30% in the first quarter. This performance reflects the power of our recurring revenue model, our disciplined execution, and the continued operating efficiency. We continue to maintain a strong balance sheet and ended the quarter with approximately $776 million in cash, which takes into account the approximately $165 million of consideration paid for the Zilla acquisition in Q1. Before moving to our guidance, I want to comment on the macroeconomic environment. As you can see from our strong Q1 results, the recent macroeconomic conditions have not impacted our business. Demand remains robust across our platform and our solutions. Execution is strong and Venafi is performing ahead of our expectations. As Matt discussed, identity security continues to be a top priority for CIOs and for CISOs, and we believe spending on security is resilient across macroeconomic environments. That said, despite the strength in our pipeline and the strategic importance of identity, we are taking the current macroeconomic environment into consideration in our full year 2025 outlook. Now, turning to our guidance. 
For the second quarter of 2025, we expect total revenue to be between $312 million to $318 million. We expect non-GAAP operating income to be in the range of $41.5 million to $46.5 million for the second quarter. That includes the seasonal increase in marketing expenses related to our IMPACT Customer Event, as well as our IMPACT World Tour. It also reflects a full quarter of costs related to the Zilla acquisition. We expect our non-GAAP EPS to be in the range of $0.74 to $0.81 per diluted share. Our guidance assumes 51.5 million weighted average diluted shares outstanding. It also assumes about $8.5 million in financial income and a tax rate of 24% in the second quarter. For the full year, we are increasing our total revenue to be in the range of $1.313 billion to $1.323 billion, representing 32% year-over-year growth at the midpoint of the range. Keep in mind, the 2025 growth rate includes a full year of Venafi contribution in 2025 compared to just one quarter in 2024. We are increasing our full year non-GAAP operating income to be between $221 million and $229 million. We expect our non-GAAP EPS to be between $3.73 and $3.85 per diluted share for the full year. That assumes 51.6 million weighted average diluted shares and approximately $32 million in financial income. We are now assuming a tax rate of 24% for the full year. We expect our annual recurring revenue to be in the range of $1.410 billion and $1.420 billion at December 31, 2025, representing about 21% year-over-year growth at the midpoint. Turning to cash flow. We expect adjusted free cash flow for the full year 2025 to be in the range of $300 million to $310 million, representing an adjusted free cash flow margin of 23% at the midpoint. 
As outlined in our press release, adjusted free cash flow excludes the estimated one-time tax payment of $42 million related to the migration of Venafi SaaS IP to our Israeli entity, and about $15 million of capital expenditures associated with leasehold improvements to our new US headquarters. We signed a lease for this office space in the second quarter. We expect to incur $15 million in capital expenditures, primarily in the third and fourth quarters of 2025. Accordingly, we are raising our CapEx forecast to be between 2.5% and 3% of revenue. I also want to comment on taxes. The reduction in our estimated IP transfer tax payment from approximately $70 million to $42 million is in part due to certain tax credits and the strong growth in our US business. As a result of this growth, CyberArk is now subject to approximately $17 million to $20 million of US-based erosion taxes under the Tax Cuts and Jobs Act, also referred to as BEAT tax. This tax expense was not anticipated in the initial February guidance and it is part -- and it is in part related to the IP transfer. The BEAT tax will be an ongoing expense and, as a result, we've absorbed it within our reported free cash flow guidance. To sum up, we're pleased with our strong first quarter results, which underscore the continued prioritization of identity security by enterprises around the world. As a market leader, we are well-positioned to capture greater share of security spend as customers consolidate around strategic platforms. Our solutions continue to deliver significant value by addressing critical security challenges, improving resiliency and driving operational efficiencies. With that, I will turn the call over to the operator for Q&A. Operator?

Operator: [Operator Instructions] Your first question comes from the line of Saket Kalia with Barclays. Your line is open.

Saket Kalia: Okay, great. Hey, guys, thanks for taking my questions here and nice start to the year.

Matt Cohen: Thanks, Saket.

Erica Smith: Thanks, Saket.

Saket Kalia: Sure. Matt, maybe for you. I'd love if you could just talk a little bit about customers' willingness to buy multiple products here as you become more of an identity platform. I mean, you had some great customer examples, right, that you spoke about in prepared remarks. Erica, I think, threw out some stats in her prepared remarks as well. But maybe you could just bring that home for us, and maybe also touch on what are you doing to drive that multiproduct sale more?

Matt Cohen: Yeah, sure, Saket. And listen, when -- I shared a little bit of some examples of the conversations I was having at IMPACT and the conversations I had at RSA, and frankly, the conversations I have every day here at our visit center, and I would tell you that there's not one conversation I have, not one that isn't multi-product or multi-solution based. Customers want to engage in a conversation that is specifically around how do they tackle their entire identity security problems or opportunities there. It can be that they want to talk about human and machine, and we're talking about PAM plus machine identity either in the form of Secrets and Venafi or both. It can be on the human spectrum, how do they actually get all of their human identities coverage from IT to developers back into the workforce, and we're talking about not only our IT solutions, but also our endpoint solutions as well as our access solutions. It's really across the board and it's the foundation of our entire discussion. It's our entire strategy at this point. So, what are we doing? We continue to elevate the team's ability to talk platform versus individual areas. We go in and we talk about three-year roadmaps, and really around value, around architecture, and then ultimately, how do you build that into a plan. Even customers that want to get started with one solution, Erica mentioned that about 50% or so of new logos land with multiple solutions, but even the ones that don't are working with us on that roadmap, on that architecture, about where they're going to go over time. And ultimately, that lends itself to our confidence in what we're going to be able to get from a lifetime value out of our customer base.

Saket Kalia: That makes a ton of sense. Erica, maybe for my follow-up for you, obviously, a smaller and smaller part of the business, but can we just talk a little bit about the maintenance business? How do you think about that sort of decline or shift this year? And how are you thinking about that conversion opportunity?

Erica Smith: Yeah, Saket, that's a great question on that maintenance business. We're at about that $188 million. And I think all of the things that Matt just talked about really do apply to that maintenance business as well, meaning that the customer base is now more willing to move to our SaaS and our subscription solutions. We saw a little bit of an uptick in the conversion activity in Q1. As I mentioned in the prepared remarks, it was still a single-digit percent of our overall growth, but we did see a slight uptick. I think as we progress through the year, our expectation is that the readiness of our customer base is increasing, and we do think we'll see an increase of that maintenance ARR coming down. Think about it in the tune of about $15 million roughly, but I think really there is a tremendous opportunity for us there to continue to execute on that maintenance ARR, and the customer readiness is moving in that direction. We don't expect it to be a meaningful change in what we've seen in the past, and still a single-digit percent to the overall growth, but there should be an uptick as we move through the year here.

Matt Cohen: And maybe just one add for me, just again back because it's so fresh in my mind, all the customer conversations we've been having. At IMPACT, I got a chance to meet with several customers who have been customers of ours for a long time, think financial institutions. And we're having conversations with them about migration and conversion. Now, it takes a while to plan those things out, but the number one comment I heard coming into those conversations was, "I'm excited by what you guys are talking about on stage. I want that platform, help me figure out how to get there." And I think that sets the stage for the next couple of years as we think about the migration and conversion opportunity.

Saket Kalia: Super helpful, guys. Thank you.

Erica Smith: Thanks, Saket.

Operator: Your next question comes from the line of Joe Gallo with Jefferies. Your line is open.

Joe Gallo: Hey, everyone. Thanks for the question. Erica, I wanted to circle back to what you said regarding guidance. Have you seen macro headwinds or you're just embedding that it gets worse in your updated guidance? Can you just walk us through any changes to your process versus 90 days ago?

Erica Smith: Yeah, it's a good question. We have not seen any macro headwinds. Our Q1 results were strong, pipeline continues to be strong, close rates were consistent. I think we just wanted to, as we looked at the macro volatility we were seeing in the market, we wanted to make an assumption in the guide that took a bit more conservatism than certainly we were seeing in the trends in the data. And so, when you think about that guidance, if the macro holds and the trends we saw in Q1 persist as we move through the year, there's room for us to move that guidance up. But given that we were in the first quarter, there were a lot of moving parts around the tariffs and around the broader macro, we thought it best to take a more prudent approach to those very strong metrics we were seeing coming out of the first quarter and apply that to the guidance as we move forward here.

Joe Gallo: Crystal clear. And then, maybe as a follow-up, how should we think about sales capacity, sales comfortability selling Venafi in this ever broadening portfolio and where your go-to-market investments are going?

Matt Cohen: Yeah. I'll jump in there. I mean, we see an uptick of Venafi pipeline at a really strong rate. We see sales across not just Americas where they were traditionally strong, but actually into EMEA and APJ running Venafi and kind of machine identity as a whole, cross-sell campaigns, we see a real exceptional reception from the customers. In fact, actually, while we talk here, the European IMPACT events are going on this week and I got notes this morning about the level of attendance in our machine identity sessions that are going on there. So, I think across the board, we see a go-to-market organization that's poised to attack that opportunity. I think they're also extremely excited about the Zilla opportunity in the IGA space, and they continue to see momentum in just our core business around human identity security. And so, across the board, it's a good time to be in go-to-market at CyberArk, and we feel that when we're out there in the field meeting with the teams.

Joe Gallo: Thanks, and nice job, guys.

Matt Cohen: Thank you.

Operator: Your next question comes from the line of Brian Essex with JPMorgan. Your line is open.

Charlotte Bedick: Hi, this is Charlotte Bedick on for Brian Essex. Thank you so much for taking the question, and it was nice to see great results. Now that we're still in early days of Zilla and Venafi, can you talk about if you've seen any trends of adoption across segments or even just like size of customers? Is there anyone that's particularly looking to adopt on those types of technologies? Thank you.

Matt Cohen: Sure. So, let me start. They're obviously in different points of maturity of absorption within the company. So, Venafi, we've got a couple of quarters under our belts. We've been out there training, enabling, working with our customers, working with our sales teams, working with our partners. And ultimately what we're seeing is kind of universal interest. And I mentioned that little story about our RSA booth around this 47-day mandate around certificate life cycles because it was really remarkable. It was remarkable to see customers come in and basically from all segments, big and small and say, "Can you help us with this problem?" And I think that's what we're seeing across the board is a shift. I think we talked about it when we acquired Venafi that we were seeing that shift in the market where the time for a machine identity security was now, where certificate life cycle management was becoming top of mind. And even though it had been a long process to get here, we felt like we could really amplify the success that Venafi was going to be able to have in the market. Well, that is what we're seeing across the board. We see it in our sales reception, we see it in our customer reception and ultimately, we see it in the pipeline build. Zilla is earlier days. Zilla, we're starting the conversations. But I would say there, it's been an interesting set of dozens and dozens, if not hundreds of conversations where customers are coming to us and they're really leaning into the thesis of the acquisition. They're saying, we've deployed a traditional IGA provider out there in the market. We've spent a lot of money deploying that, and the time to value has taken a very long time. Can you help us get started on managing the governance and administration of our modern environments, because we need to move faster. We need to be more efficient, more effective. We need to have apps online in days and weeks, not months and years. 
And that type of discussion is what frames our early discussions around Zilla, and ultimately, it gives us the optimism that as we get into the back half of this year and certainly into 2026 that Zilla can start to contribute as we get past the sales cycles that we need to build.

Charlotte Bedick: Thank you so much for the color.

Operator: Your next question comes from the line of Matt Hedberg with RBC Capital Markets. Your line is open.

Matt Hedberg: Great. Thanks for taking my question, guys. Matt, I had a question on pricing. In your prepared remarks, you noted that the number of machines to humans has increased pretty significantly. I think you said it was 45 to 1, now it's 80 to 1. I can imagine a similar dynamic will play out for agents as agent proliferation continues. I guess the question is, how do you think about pricing longer-term from these non-human identities, especially as the numbers increase? I mean, do you kind of think that it has to evolve over time?

Matt Cohen: Yeah, Matt, great question. I think as we look forward, the lens we should look through is the machine lens even when we're applying it against the AI agent space, which is the idea that it becomes a curve, right? As you get exponential numbers, the price per agent or in the case of machines, the price per application or workload starts to come down. And in some cases, it comes down dramatically. I don't think anyone is going to be -- if they have hundreds of millions of agents running around, they're not going to be paying us top dollar for every agent. But you're going to start to see the deals as the deal size continue to increase. Already, we see the average deal size on the machine side is often 2x or 3x what we see if we're just going out there and selling PAM. And I expect that to be similar on the AI agent side even at the scale we're talking about. So, I think it is a slightly different pricing model, in that you're able to scale the cost effectively or efficiently as the numbers become really large, but ultimately, it's the total deal size that matters and we're optimistic about what those average deal size will look like as we scale that piece of the business.

Matt Hedberg: Very clear. Thanks a lot. Well done, guys.

Matt Cohen: Thank you, Matt.

Operator: Your next question comes from the line of Keith Weiss with Morgan Stanley. Your line is open. Mr. Keith Weiss, your line is open.

Keith Weiss: Sorry. Thank you guys for taking the question, and congratulations on a good quarter. Two questions, one kind of more strategic one, one more tactical. On the strategic side of the equation, definitely heard and felt the excitement around identity and identity security at RSA. A lot of vendors are running around trying to tell their new identity stories. Have you been seeing any change in the competitive environment? I'm sure you do to some extent now that like Venafi and Zilla are part of the equation. So, perhaps you could talk to us about the evolution of your competitive environment, who you see yourselves coming up against more so as you sell the broader set of solutions into the customers? And then, on more tactical side, and this is I think one of the debates that's going on in our email boxes right now, you haven't spoken specifically to the contribution of ARR from Venafi or Zilla. But if we think about that $51 million in net new ARR, is that still growing on a year-on-year basis if we take out the incremental contributions from Venafi and Zilla?

Matt Cohen: Yeah. So, why don't -- Erica, why don't you jump in on the second one and then I'll come back around on the first.

Erica Smith: Yeah. So, I think the way you should really think about the contribution and the growth of net new ARR, we are seeing their growth on the subscription net new ARR side. And so that would be where we would anchor. We aren't going to break out the various component parts. I think that the reality is that there's a lot of customers that are buying -- are beginning to buy the combined SKUs. And then, when you kind of think about the broad platform selling motion, you are seeing some very strong synergies across the broader platform, but you should think of that as being a net new ARR is growing, but we aren't going to break out in more granularity.

Matt Cohen: Net new ARR organic subscription is growing.

Erica Smith: Yes, 100%.

Matt Cohen: Yeah, exactly. Okay, I think...

Keith Weiss: Okay. Super helpful.

Matt Cohen: On the more strategic question, I was at that RSA conference as well, and I like to do it too, I do it to myself, I walk the booths and I walk around the floor and I feel out what's going on. And at one level, you're right, it's like identity, identity, identity in every booth. And on the other side, it's what is the message that they're trying to tell. And I think what you see with those kind of upstart competitors is that they're trying to solve a small slice of the identity security problem. They may be talking a big message, but when you actually pin them down and ask what's the use case, they're solving a very narrow use case. I think what differentiates us in the market and is the reason for our strong results and our outlook going forward is identity security can't be solved in small little increments. In fact, CISOs are overwhelmed with all the tools they already have. They don't need more tools to go do small levels of solutions. They need a tool that actually can solve human and machine. We are the only one in the market that's able to do that. They need one that can apply privilege controls effectively, not only in a standing access motion, but also in this just-in-time zero standing privilege access. We're the only ones who can do that. And ultimately, those are the conversations we're having with customers where, yeah, of course, they hear the noise and they see some of these other providers. And then, we sit down and we do these, again, value architecture, roadmap workshops. And coming out of that, they see that actually their best path forward for actual coverage and ultimately consolidation is to come on to our platform. So, ultimately, the answer -- the short answer to that is we don't really see a strong change in the competitive positioning, our competitive situation. We don't see somebody growing in competitiveness at the moment. 
And ultimately, we find the market to be the same market that we were operating in from a competitive positioning last year and the year before.

Operator: Your next question comes from the line of John DiFucci with Guggenheim Securities. Your line is open.

John DiFucci: Thank you. I want to go back to Joe Gallo's question. Erica, you said you're being -- just being more conservative with annual ARR guidance, but just trying to gauge that a little bit more. Matt talked a lot about conversations with customers for machine identity that make CyberArk feel good about the future there. I mean, even though the quarter was strong and it was and pipeline is good, are there -- is it customer conversations that give you pause on that guidance or is it just the press? Because that could change day-to-day.

Erica Smith: Yeah. No. I mean, it's a great question, John. And it really -- customer conversations, as Matt outlined, have been incredibly positive. And so, if you think about IMPACT, our IMPACT event, where we had very constructive conversations with the customers, not just about machine identities, but across the broader platform and our offerings, it's been very consistently positive. So, really when we provided the guidance, it was more around the fact that we weren't sure of what the impact would be on our customers if there were things around tariffs that had moved forward. So, we wanted to be more prudent in the guidance and really take a haircut against some of the metrics that we saw in the first quarter to ensure that if something were to happen in the back half of the year that we accounted for that in the guidance. At this point, it just didn't seem like there was much benefit to us being more aggressive on the guide despite the positive feedback we were getting from the customers. So, nothing to make us pause at this point, but we thought that it was the right approach for us to take, given what the noise that we were hearing in the broader macro.

Matt Cohen: Yeah. Maybe just because I'm in those customer conversations and I'm generally talking to C-suite there and, in some cases, even higher a Board or two, what is on their mind is the macro. Like let me be clear, like our customers, when you meet with an auto OEM in Germany, they're worried about the tariffs. When you meet with a manufacturing organization here in the US that's planning out their strategy, they're worried about the economics and the tariffs. We get into a conversation about that and I notice the worry. We then get into a conversation about their cybersecurity strategy, what they have to go do and where identity security ranks on their list and my worry kind of moves away for a while. But when you're having those conversations about the overall macros with customers, you have to take that into account from where you sit, and you're watching carefully to understand if it's ever going to come into your space and have impact on your business, that's the smart thing to go do. So, I think what Erica is really emphasizing is we sat down and we said, listen, based upon that uncertainty that our customers have around the broader macro is not specific to us, do we pass our beat through or not? And the thought process was it's Q1 and there's a lot going on and we probably shouldn't pass our beat through because that's the responsible thing to go do. So, just taking it down to that level there for you.

John DiFucci: That makes total sense to me, Matt and Erica, but I think the confusion out there with the investment community is that not everybody has done what you've done and -- but thank you for all the explanation. It makes total sense.

Matt Cohen: Great. Thank you.

Erica Smith: Thank you, John.

Operator: Your next question comes from the line of Roger Boyd with UBS. Your line is open.

Roger Boyd: Great. Thanks for taking the questions, and yeah, congrats on a great quarter. Matt, I appreciate your comments on identity consolidation. I think maybe just to play devil's advocate, when we talk to CISOs, there's generally an admission that projects around identity can be lengthy, complex, expensive. And to your point around IGA, in some cases have significant -- some costs. It sounds like you're seeing very good momentum on that consolidation kind of play. But as you think about kind of the next couple of quarters, what are you contemplating from a sales cycle perspective? Have you seen any sort of expansion to date? And when -- Erica, when you think about kind of a more conservative outlook, is that the primary way that's manifesting? Is the sales cycles taking longer? Thanks.

Matt Cohen: Yeah. So, no, I mean, we haven't seen any change in sales cycles actually. Q1 was, if anything, a little bit of a tick-up improvement, but overall, they've been pretty consistent. They've been pretty consistent over the last -- more than several quarters. So, I don't think we see any changes there. In general, our sales process is to talk, as I said, about longer-term roadmaps to design out how somebody might take advantage of the platform, but to get them started where they are. So, if they're not ready to make a full platform purchase, then get started with one or two solutions, and you see that in some of the new logos that come in. And then, over time, we'll expand your footprint and we'll expand you across the whole platform. Most cases, we have a roadmap, a plan for that already, even if they're getting started with less of the platform. That being said, as Erica mentioned, if you look at our top 10 deals in the quarter in Q1, almost all of them, actually nine out of the 10 were multi-platform deals, I mean multi-solution deals across the platform, and it speaks to the ability we already have to be able to drive that conversation with our customers. So, no, I don't think it changes the sales cycle because our go-to-market team is excellent at understanding where the customer is and to keep them moving on their buyer's journey, if you will. I think what you will see is, as you try to bring in some of these displacement opportunities, those will take a little bit longer. And so, we're not building that into our guidance, the idea that we're going to go in and disrupt legacy IGA rather than sit alongside of it. We've built in an idea of how we sit alongside of it. We're not going to build in disruption because that will take a little bit more time to materialize. But in a lot of cases, when we're talking about our platform, they don't have in place the machine side yet. And so, it's a pure expansion, not a replacement. 
When you're talking about going into the access or the workforce side, the EPM side, in a lot of cases, we're layering security controls on top of what they already have, so they don't have to replace. And that allows them to efficiently get onto our platform quickly even in a tougher macro environment.

Roger Boyd: Super clear. Thanks, Matt.

Operator: Your next question comes from the line of Gregg Moskowitz with Mizuho. Your line is open.

Gregg Moskowitz: All right. Thank you very much for taking the question. In your recent identity survey, we found it interesting that 42% of machine identities have access to sensitive data, which is a little higher than it is for human users, and yet only 12% I think consider machine identities to be privileged users. Matt, you mentioned that Venafi is performing ahead of expectations so far, but the data here also shows that there is clearly still an awareness gap. So, how do you go about closing this?

Matt Cohen: Yeah. Listen, I think that's the moment of now, right? And I think we've been talking about it when we acquired Venafi. By the way, we're talking about it beforehand with our Secrets business and kind of the take-off we've seen in the Secrets business. The moment is now that security is getting involved in the discussion. And I think we've talked about that before, right, which is a lot of these machine identity security decisions were left to the DevOps teams to the local developers to choose on their own, which left no visibility to central security on what was actually happening. That's the fact that comes out in that data. So, what happens now is the CISO and the security team is saying, no way. No way are you making those decisions without us. No way are you having localized vault sprawl throughout your organization. No way are you doing certificates on spreadsheets anymore, and they're coming with a central authority. When the CISO gets the right to have central authority, CyberArk wins. And that's what we're seeing today in the market. And so, it's really a matter of helping the CISO get control rather than it is us educating the market on something.

Gregg Moskowitz: Very helpful. Thank you.

Operator: Your next question comes from the line of Shaul Eyal with TD Cowen. Your line is open.

Shaul Eyal: Thank you. Hi, good morning. Congrats on a great quarter all around. I wanted to go back to Matt Hedberg's question on machine identity and pricing. I understand the ratio of 80 to 1. Specifically on pricing, SailPoint, for example, they indicate that pricing of their machine identity is going to come at about one-third of human identity. And I understand you guys are different companies yet operating in the same broader arena. What's the thinking along these lines? And maybe just as a follow-up, been getting some emails, some questions about the commentary about the certificate life cycle change. Is that a recommendation, or is that a decision being supported by some industry regulations? Thank you, guys.

Matt Cohen: Yeah, sure. So, to your pricing discussion, and again, specifically around what we see, I think it's -- and I bring it back, I know it's the same answer I gave Matt, but I bring it back to the idea of it's a deal size that matters, not the individual cost per identity. I think you should expect to see a fully deployed customer on the machine side to basically 1.5x to 2x on the secret side and 1.5x to 2x on the certificate side to what we are able to do on the human side. Ultimately, when you're fully deployed on the machine side, we're talking about somewhere between 3x to 5x the size of the base that we can go sell to, and it's a big deal. It's an enterprise sale. And ultimately, over time, it will continue to grow. I think that's what we see. Listen, I don't think SailPoint is really in the machine space. So, I'm not sure where their pricing is coming from, but it's not really covering the type of machine identity that we're talking about. The second part of your question around certificate authority, it is a mandate. So, it's actual -- it's called the CA/Browser Forum. It is a kind of governing body and it's mandated that it go down to 47 days. That mandate is for 2028 or 2029. But basically, it indicates that the Google 90-day mandate, which was a kind of a Google-specific thing, didn't go far enough. They want to go even farther and they want to push the envelope there. It basically wakes people up to the idea that certificates are a thing that's going to change. Their world of certificates and long-lived certificates are not going to exist for long. And I think enterprise companies are coming in and saying, "What can I do about it?" And we've got the perfect solution to solve that problem for them.

Shaul Eyal: Thank you so much. Super helpful. Great color.

Matt Cohen: Thank you.

Operator: I will now turn the call back to Matt Cohen, CEO, for closing remarks.

Matt Cohen: So, thanks everybody for the questions today and the dialog, it was fun and appreciated. I want to conclude by thanking our customers and our partners for their support and trust. And most importantly, our employees here at CyberArk who wake up every day and make sure we can deliver strong quarters like we did today. When we think about a world where identity security is an imperative, we feel ready to respond, continue to grow and drive durable growth for the future. Thanks, everybody.

Operator: Ladies and gentlemen, that concludes today's call. You can now disconnect. Thank you, and have a great day.