Cyberark Software Ltd

NASDAQ:CYBR

Good morning. My name is Dennis, and I will be your conference operator today. At this time, I would like to welcome everyone to the CyberArk Software Fourth Quarter and Full Year 2023 Earnings Conference Call. [Operator Instructions] I would now like to turn the conference over to Erica Smith, Senior Vice President, Finance and Investor Relations. Please go ahead.

Thank you, Dennis. Good morning. Thank you for joining us today to review CyberArk's strong fourth quarter and full year 2023 financial results. With me on the call today are Matt Cohen, our Chief Executive Officer; and Josh Siegel, our Chief Financial Officer. After prepared remarks, we will open the call up to a question-and-answer session.

Before we begin, let me remind you that certain statements made on the call today may be considered forward-looking statements, which reflect management's best judgment based on currently available information. I refer specifically to the discussion of our expectations and beliefs regarding our projected results of operations for the first quarter, full year 2024 and beyond. Our actual results may differ materially from those projected in these forward-looking statements.

I direct your attention to the risk factors contained in the company's annual report on Form 20-F filed with the U.S. Securities and Exchange Commission and those referenced in today's press release that are posted to our website. CyberArk expressly disclaims any application or undertaking to release publicly any updates or revisions to any forward-looking statements made today. Additionally, non-GAAP financial measures will be discussed on this conference call.

Reconciliations to the most directly comparable GAAP financial measures are also available in today's press release as well as in an updated investor presentation that outlines the financial discussion in today's call. A webcast of today's call is also available on our website in the IR section.

With that, I'd like to turn the call over to our CEO, Matt Cohen. Matt?

Thanks, Erica, and thanks, everyone, for joining the call today. We had an amazing fourth quarter to round out a momentous year for CyberArk. Early in the year, we were nimble and adjusted our selling motion in light of the macroeconomic backdrop. And in the fourth quarter, it continued to pay off resulting in another great growth quarter. We entered 2024, a fully recurring revenue company with over 95% of our bookings coming from subscription. . Demand for our Identity Security platform accelerated in 2023, and we end the year having solidified our leadership position in the market. We delivered a record-breaking fourth quarter, beating our guidance across all metrics. Subscription ARR reached $582 million, growing 60% year-over-year. Total AR reached $774 million, growing 36% year-over-year. We were thrilled to add record sequential net new subscription and total ARR and we exceeded our guidance range across revenue, operating income and EPS.

Total revenue growth accelerated to 32%, reaching $223 million. Non-GAAP operating income came in at approximately $35 million, and we generated non-GAAP earnings per share of $0.81. We also consistently outperformed throughout the year, and delivered total revenue of $752 million with growth accelerating to 27%, non-GAAP operating income of approximately $33 million or a 4% operating margin well above the breakeven we guided for at the beginning of 2023.

Non-GAAP earnings per share of $1.12 and while we did not guide for cash flow, we were thrilled to generate $51 million in free cash flow or a 7% margin for the full year 2023. Our performance speaks volumes about our execution. We fine tuned our go-to-market motion, including platform selling, channel strategy and customer success. We improved the alignment between sales and marketing, generating record high-quality pipeline across all our solutions.

And lastly, R&D delivered against our mission to secure all identities with the right level of privileged controls to our groundbreaking identity security platform. In addition to strong execution, we're benefiting from durable demand trends driven by the proliferation of new identities, new environments and new attack methods. Throughout 2023, organizations were reminded yet again that there is one constant in cyber attacks. All roads lead to identity.

In the context of these urgent trends, the mission-critical nature of our platform becomes apparent. CyberArk is the only vendor with a platform that can effectively and securely address the new world security requirements, which center on controls. Given our groundbreaking innovation, and the changes in our business over the last few years, I'm going to break from our typical quarterly call cadence to outline how our identity security solutions are helping customers solve these challenges, which also speaks to the massive growth for CyberArk.

Every organization today has a spectrum of identities from core IT to developers to machines and across the entire workforce. And the number of identities is increasing at an exponential rate. Access for each of these identities has its own unique level of risk and complexity, requiring different levels of controls. Let me take you through this spectrum of identities and what we are seeing from customers and how that has expanded our addressable market.

A CyberArk customer typically starts with core privileged access management and is focused on securing standing access for IT users who have high levels of privileges like a database or application administrator or maybe a cloud operations team. As they deploy, they follow a road map that brings a growing number of users within central IT, but also third-party vendors and even shadow IT organizations under PAM security controls. As a result, there's a continuous expansion of the number of users leveraging PAM.

Adoption begins to accelerate when PAM is delivered as a service, given an easier adoption path and lower cost of ownership. It accelerates even further when we help customers tackle new use cases through revolutionary new access methods like just-in-time or dynamic access. Just-in-time access cuts the adoption curve down even further by allowing federated access to databases, cloud workloads and other modern targets, while also increasing the security controls by signing entitlements dynamically at the time of access.

The modern TAM program has evolved dramatically in the last few years and has opened up a significant expansion opportunity for CyberArk even within the extended IT organization. You see this in our healthy PAM ARR growth rates that have continued to persist. But moving beyond IT for a second, one of the fastest growing areas for human identities is the expanding developer community. Our Secure Cloud Access solution brings privileged controls to the cloud and has meaningfully expanded our TAM to include developers as well as engineering teams and data scientists.

We provide native access for developers with a zero standing privilege approach. This innovative solution greatly and measurably reduces risk and organizations can quickly go from dabbling in discovery to actual control of developers as they access their cloud environments. Always on entitlements to cloud environments are a security nightmare, yet innovation speed is the true promise of modern cloud programs.

Secure Cloud Access or SCA ensures that our customers never have to choose between security and innovation speed. While SCA is one of our newest offerings, we had a strong quarter in Q4, and pipeline continues to build. This is one of the areas we are most excited about as we enter 2024. But as these developers work in the cloud, they are focused on creating or extending applications, workloads and APIs that need access to critical data infrastructure and other cloud workloads. This results in the rise of machine identities.

Machine identities represent one of the riskiest and most complex components of the modern enterprise to protect these machines and the secrets that they use customers turn to our secrets management solution. Our secrets management solution securely and centrally manage secrets at enterprise scale, all while avoiding Vault sprawl. It satisfies the CISO's requirements while never impeding the developers' workflows, machine identities are exploding and our ability to bring together human and machine elevates the conversations with our customers.

As we think about our fourth quarter results, Secrets Manager was included in 6 of our top 10 deals, and we are pleased with the early success of Conjur Cloud. We have covered IT. We've covered developers and machines, but now I want to move on to the part of the enterprise that is in need of an entirely new approach to identity security, securing workforce identities. Legacy approaches of MFA and SSO are workforce requirements. But on their own, they provide limited security, evidence time and time again in major breaches.

Any identity can become privileged, causing CISOs to reconsider the way they secure the workforce. Leveraging intelligent privileged controls, CyberArk has reinvented workforce identity by building on top of traditional MFA and SSO with market-leading innovations like Secure Web sessions, Workforce Password Manager, and CyberArk Secure Browser. When combined with MFA and SSO into one unified solution we have created a more holistic and comprehensive approach to securing the workforce, where intelligent Privilege controls once again are making the enterprise more secure. This approach is paying off and we had a record fourth quarter for our workforce solutions.

It's worth pausing for a moment to discuss our CyberArk Secure Browser. Our Secure Browser is built with native integrations to all of our workforce capabilities, and will help customers protect against one of the fastest rising attack methods, which is cookie harvesting and browser-based attacks. It's also built to be the gateway to all our solutions, allowing easy access to all enterprise targets and providing a seamless user experience to our entire Identity Security platform.

Our workforce solutions, however, do not stop there. The modern workforce logs into desktops, laptops and servers every day as part of their regular workflow. These endpoints need their own form of intelligent Privilege controls. Endpoint Privilege Manager or EPM, is seamlessly integrated with our workforce solutions and our Browser as well. We are doing this to implement lease privilege and secure the endpoint. Lease privilege access is a foundational security control. Every endpoint needs EPM to be truly secured.

Despite the great growth over the last few years, we still have a tremendous opportunity within our installed base to further cross-sell EPM. And we also see EPM as a strong landing spot for new logos. As we kick off 2024, I wanted to make sure our investors understood how we are setting the pace of innovation, how our solutions work together and how our identity security platform delivers value by dynamically adjusting the level of controls based upon complexity and risk. We are delivering a game changer in the market. We are driving operational efficiency and at the same time, focusing on Privileged controls that help customers to save from cyber threats and move their business forward.

If we move back into the fourth quarter for a second. On the new business side, we signed about 340 new logos in the fourth quarter. As customers prioritize in-depth security controls in this severe threat landscape, new logos are increasingly landed with 2 or more solutions. In fact, in Q4, a number of our largest new customers landed with 5 or more solutions, contributing to the significant increase in new business deal sizes.

A few of the new logo highlights in the quarter include as the education sector continues to be targeted by bad actors, evolving practices to align with industry-leading security controls are top of mind. This quarter, the London School of Economics, a leading business school globally was looking to significantly and measurably improve its security posture. In this new logo win, they went broad across the platform with PAM, EPM and Secrets Management.

In an example of the power of our ecosystem, a partner introduced a Fortune 100 financial services customer to CyberArk. This all SaaS 7-figure ACV deal was closed through the AWS Marketplace. We are thrilled to see this customer applying a CyberArk everywhere approach out of the gate securing Privileged access, Secrets, Endpoint, third-party vendors and workforce identities. Our focus on moving from land into expand motion is built into our platform strategy and is contributing to our outperformance.

A few examples of expansion deals from the quarter include a government agency that landed with CyberArk last quarter, returned this quarter for more users and more products across our platform, buying PAM, EPM, Secrets, Identity Flows, Identity Compliance, Secure Web session and a 7-figure ACV deal. A major Fortune 100 U.S. retailer chose CyberArk as their trusted strategic adviser in 2020, looking for defense and depth, they are consolidating spend with CyberArk. And in another 7-figure ACV deal extended their protection with more Privileged users, Secrets Management, workforce and customer identity, remote access and secure cloud access.

To summarize, all the land and expand deals demonstrate that every vertical, every business across all sizes have identity security challenges that our platform can help address. Touching briefly on profitability, throughout the year, we demonstrated leverage in our business with each operating expense line improving as a percent of revenue. For the year, we grew revenue over 27% while our non-GAAP operating expenses grew just over 15%. We are striking the right balance between investing in growth and innovation and driving profitability and cash flow.

With our stellar performance in 2023 and the strong guidance you will hear from Josh in just a few minutes, I remain very confident in the long-term targets we have set. As we look ahead, our top priorities for 2024 are expanding our leadership position in driving identity security growth, delivering cutting-edge innovation and strengthening our industry-leading platform, leveraging data and analytics to scale our business, including the use of artificial intelligence and machine learning and delivering outstanding customer experience and value across the customer journey.

I'm also very excited to welcome Eduarda Camacho as our Chief Operating Officer. I have worked closely with her for more than 20 years and have tremendous respect for her and her ability to drive customer outcomes and to lead our go-to-market strategy and field execution. I also want to thank Chris Kelly for his contribution to CyberArk. He'll stay with CyberArk through the end of March to ensure a seamless transition, and we wish him well for the future.

We are in a position of strength as the leader in identity security and our competitive position is incredibly strong. We are addressing a critical customer need with our platform and the threat landscape is keeping Identity Security a top priority at our customers. As I reflect on our accomplishments in 2023, I am even more enthusiastic about CyberArk's future coming into 2024. I did want to pause here to talk about October 7 and how we responded. I am so very proud of our global team and how they team together after the October 7 [ mass attack ]. As families, friends, colleagues and entire communities continue to navigate through great tragedy, loss and increased stress, our culture and team are what drive our success.

I will now turn the call over to Josh, who will discuss our record financial results and provide you with our outlook for 2024 in more detail.

Thanks, Matt. We posted outstanding results in the fourth quarter and beat our guidance across all metrics. Total revenue growth accelerated again this quarter to 32%, coming in at a record $223.1 million and significantly exceeding our guidance. Our Identity Security platform continues to drive momentum of upsell, cross-sell and new logos. This allowed us to meet the strategic financial objectives we set for ourselves at the beginning of the year, durable top line growth, improved operating leverage and strong free cash flow generation.

Demonstrating the continued momentum in our business, ARR reached $774 million at year-end, growing 36% year-on-year and coming in above the high end of our guidance range. The subscription portion increased 60% and reached $582 million and is now 75% of total ARR. We added a record $78 million in net new subscription ARR as customers are consolidating on CyberArk and continue to land and expand with more of our platform. In addition, we had a record quarter for SaaS bookings, both in absolute dollars and mix of our bookings. Compared to year-end 2022, we added an impressive $218 million of net new subscription ARR, also a record.

The maintenance portion of annual recurring revenue declined slightly to $192 million at December 31, which was in line with our expectations. We continue to see strong renewal rates and like-for-like conversion activities still only represents a single-digit percent of our year-on-year ARR growth. Our strong execution is also demonstrated by the 30% increase in customers with more than $100,000 in annual recurring revenue to over 1,700 at the end of the fourth quarter. The cohort of customers with more than $500,000 in ARR also grew over 45% to now being nearly 300 customers.

The biggest driver of this cohort is the upsell of additional users and cross-sell of new solutions across the platform. Matt touched upon our strong execution, and I wanted to briefly touch on the macro. Our solutions continue to be prioritized and budgets allocated, close rates remain strong, productivity improved and deals progressed nicely as we converted our pipeline, including several 7-figure ACV deals. We continue as well to build a strong new pipeline to support our future growth.

Moving into the details of the revenue lines for the fourth quarter. Recurring revenue reached $201.5 million, again, making up 90% of total revenue. That's compared to 84% in the fourth quarter last year. Recurring revenue growth accelerated to 41% year-on-year, showing the momentum in our SaaS portfolio continues to gain steam. With total subscription bookings mix of 95% on the full year and our recurring revenue reaching 90% of the total in each of the quarters of 2023, it is safe to say we are now a fully recurring revenue company.

Digging into the specifics, our subscription revenue line reached $150.3 million with growth accelerating to 70% year-on-year and representing 67% of total revenue in the fourth quarter. Our maintenance and professional services revenue was $64.8 million. Of that, $51.2 million coming from recurring maintenance and with professional services revenue at $13.6 million for the quarter. Geographically, each of our major territories grew revenue faster than 30% in the fourth quarter. The Americas revenue was $130.3 million, that's growing 31% year-on-year, and the Americas had a record with SaaS reaching over 70% of bookings in the quarter.

EMEA grew by 33% year-on-year to $68.7 million in revenue and APJ grew by 35% to $24.1 million in revenue. Diversification has always been a foundation of our strategy, and it is great to see the strength across all of our geographies in the fourth quarter. We also see that universal strength reflected in the full year with the Americas, EMEA and APJ each growing 27% year-on-year. All line items of the P&L now will be discussed on a non-GAAP basis. Please see the full GAAP to non-GAAP reconciliation in the tables of our press release.

Our fourth quarter gross profit was $189.7 million. That's an 85% gross margin compared to the 83% in the fourth quarter last year. The expansion of our gross margin is due to revenue outperformance and tight management of our cloud costs. Our operating income of $34.7 million significantly exceeded the top end of our guidance. Our operating leverage was driven by disciplined investments and our revenue outperformance. Net income came in at $38.1 million, that's $0.81 per diluted share, also significantly outperforming our guidance.

Moving on to review the full year 2023. We began the year expecting 29% growth in ARR, 23% revenue growth and hitting breakeven operating margin. We finished a great year. ARR grew 36%, revenue came in at $752 million, with growth accelerating now to 27% and we returned to meaningful profitability, delivering non-GAAP operating income of $33.5 million or about 4% operating margin for the full year, and we continue to march towards Rule of 40. Our EPS came in at $1.12 per diluted share.

We ended December with approximately 3,000 employees worldwide, including over 1,320 in sales and marketing. For the full year 2023, free cash flow was $51.3 million or a 7% free cash flow margin. As a reminder, we still consider free cash flow to be the last piece of our model to inflect after the subscription transition, and we are confident that we are just at the beginning of this expansion with our 2023 results. Turning to our guidance.

For the first quarter and the full year 2024, our guidance reflects the momentum we're seeing in the business, combined with our confidence to meet the 2024 priorities that Matt outlined earlier. For the first quarter of 2024, we expect total revenue of $209 million to $215 million which represents 31% year-on-year growth at the midpoint, and we expect non-GAAP operating income in the range of $7.5 million to $12.5 million for the first quarter. We expect our non-GAAP EPS to range from $0.21 to $0.31 per diluted share.

Our guidance assumes 47.8 million weighted average diluted shares and about $10.5 million in taxes. For the full year 2024, we expect total revenue in a range of $920 million to $930 million, representing 23% growth year-on-year at the midpoint of the range. Reflecting our continued commitment to operating leverage, we expect our full year operating income now to be in the range of $75.5 million to $84.5 million. We expect our EPS to be between $1.63 to $1.81 per diluted share, we expect about 48 million weighted average diluted shares and about $46.5 million in taxes for the full year 2024.

We expect annual recurring revenue to be between $968 million and $983 million at December 31, 2024, or about 26% year-on-year growth at the midpoint. We are also issuing guidance for free cash flow for the first time and expect free cash flow to be in the range of $85 million to $95 million for the full year 2024, and we remain confident about the long-term target that we outlined at Investor Day. I also want to provide a few pointers to help model our expenses for the year. While we expect to continue to invest in our innovation engine and in sales and marketing in absolute dollars, we do expect to see an improvement in both line items as a percentage of revenue.

We will once again hold our impact customer event and our IMPACT World Tour in the second quarter in 2024 begin our IMPACT World Tour in the second quarter of 2024, increasing our marketing expenses for that quarter. Our CapEx is expected to be 1.5% of total revenue. So to sum up, we are thrilled to deliver another stellar quarter and amazing full year results showing continued demand for our platform. The execution of our land and expand motion and durable tailwinds that have made identity security a must have. As a recurring revenue company and the leader in Identity Security, CyberArk is well positioned to drive leverage in our model across all areas, and deliver the expanded profitability and cash flow levels in 2024 I just discussed. I will now turn the call over to the operator for Q&A. Operator?

[Operator Instructions] Your first question is from the line of Saket Kalia with Barclays.

Matt, maybe to start with you. I'd love to dig into your prepared remarks on the workforce or single sign on market, very helpful, by the way, prepared remarks. The question is, given some of the noise in that market competitively, how do you think CyberArk is positioned? And what are you seeing in the pipeline there for just the broader identity platform? Does that make sense?

It does, and it's a great question. And I think the first thing I would say is independent of the competitive environment and some of the things that are happening there, we feel really strongly, as I kind of outlined that our approach to workforce security is differentiated that is actually unique in the market. And that -- while MFA and SSO as I said in the prepared remarks, are important. You must have them. They're no longer sufficient for how you actually cover the workforce from an identity security perspective.

And so our notion of a holistic or a unified solution that brings together but also brings in our workforce password management, our layers of security that sit within secure web sessions and the browser as the access point, actually, for us, kind of reinvent that space and puts us in a place where we can take some of the -- what we would consider kind of legacy approaches that are out there in the market. and put them on their heels in terms of our ability to have a conversation there. Then when you connect that back to the identity security platform and the idea that you can actually manage those users in the same way or at the same time as you do your highly Privileged users, it takes a differentiation even further.

So we feel like we're in kind of entering a sweet spot in terms of our ability to compete in that market. We see it building in our pipeline. And certainly, the competitive atmos out there for us hasn't really ever been better than we're seeing right now as we go into 2024.

Got it. Got it, very clear. Josh, maybe for my follow-up for you. Great to see the free cash flow inflect this year, and I appreciate the guide. And I know it's early to talk about that metric beyond 2024. But maybe anecdotally, what are some of the puts and takes for free cash flow beyond 2024 structurally that you want us to think about with that metric?

Yes. Thanks, Saket. I think it's mostly around puts as we think about the next couple of years, and it's really the expanding leverage that we're getting in the operating income that we're seeing at each of the years on our road to Rule of 40. And then, of course, it's the flywheel effect that we are going to increasingly get this year. And then again in 2025, which is really reflecting the renewals, the full-blown renewals of having already gone through round tripping the SaaS and subscription bookings that we built up in the last couple of years. And so that gives us the strong confidence that we're on track to hitting our medium goals there.

Your next question is from the line of Shaul Eyal with TD Cowen.

Thank you. Congrats on results and guidance. Matt, let me also echo my congrats on those kind of well prepared remarks, taking us through a customer journey as it pertains to CyberArk's expanding platform. maybe building on that journey. You just put out a press release on Indiana University Hospital, expanding relation with CyberArk maybe a good opportunity here to share with us what is it that they're doing with CyberArk on top of their core PAM deployment? And where else can they expand with you guys in the coming years? And I have a follow-up?

Yes. Thanks, Shaul, and thanks for the comments on the remarks. And what I really do want to do is help everybody understand the full market opportunity that's before us as we go after the spectrum of identities, and we kind of move beyond where people have traditionally thought of us, which is in IT, it just opens up such a remarkable opportunity for us to expand as we cover the overall enterprise. When we think about that particular customer example, it's a good indicator of what we see the board when a customer starts to partake of our SaaS platform. It kind of fits the bill, if you will, of the descriptions that I was walking everybody through.

And the idea here is the more solutions people get started on the more identities they can start to bring into the platform. But even when customers like that get started with multiple solutions, there's such an expansion opportunity as we build out the longer-term road map for them as they bring on more identities. I think a good way to think about the market for us is every proliferation of identity, whether it be human or nonhuman or machine equals another point for us here at CyberArk, another area that we can secure. And so if you take a customer like that, that's also sitting in health care, that's definitely under attack day in and day out by ransomware and other really kind of terrible threats they can expand for years to come as we start to help them bring all aspects of their enterprise all their identities into the platform.

So it's a great example actually for us and health care certainly is a vertical that we see exploding for us in the coming years.

Got it. Got it. And for my next question, either you or Josh, a macro-driven one. I haven't heard you mentioning the term elongated sales cycle. I think maybe you're like amongst a handful of companies implying, stabilizing or a better than period stabilizing macro environment rather than alluding to elongated sales cycle. Why is that? Are things actually becoming better and you guys, unlike other companies are not covering your behind them as kind of adding those elongated sales cycle commentary?

Yes, I'll take that one. And it is something that we're particularly both proud of and excited about. And throughout the whole year, you've heard us kind of talk about that, which is -- listen, it is a tough macro. There is no question about it. When I talk with my colleagues and talk to the C-suite at our customers, they're living through tough budget cycles. That being said, everybody has money to spend on what's most important. And generally speaking, cyber is more important than the rest of the kind of tech stack. But within cyber, there are areas that actually are prioritized.

And we've been lucky to be one of those areas throughout the year, where when customers are putting together their budgets, they don't have the luxury of really avoiding spending on Identity Security and when they're going to spend, they're going to spend with us. And so that opens the door, if you will, for a much more fertile ground for us to go harvest in within our customer base and even out into the broader market. Now what we also are, as I said, proud about is that we actually adjusted our execution arm to make sure that we were checking the extra boxes.

We trained the team early on to bring the CFO into the discussion to make sure the Joshes of the world were actually part of the discussion early. Don't avoid them. Bring them in so they understand the value statement. We help them understand how to structure deals more appropriately for these macros. And so between the mission-critical nature of our solutions and the phenomenal execution of our teams, we've been able to navigate a tough macro throughout the year but do it much more effectively.

Now I would say we start to see some shoring up of those macros as we get towards the back half of the year here as we look forward. So that's encouraging for us as we look out. But generally speaking, I think it is a testament to the role of Identity Security and the security stack today.

Your next question is from the line of Fatima Boolani with Citigroup.

Matt, just to start with you, talked a lot about the momentum you're seeing with the new customers coming into the CyberArk installed base family and landing with multiple solutions. But what I wanted to peek your brain on is we're now essentially going to anniversary between's mark yout of when you did the massive SaaS transition. So I'd love any high-level commentary from you on potential wave or renewal cycle name could look like in terms of buying behavior and patterns. >And then I have a quick follow-up for Josh, please.?

Yes. So great question. I think what we see, first of all, is that as we go out and we are landing these logos that the time to next purchase continues to compress. So we can land somebody into Q1, and we can get a follow-on deal in Q3. or Q4. And so even before we get to the first anniversary of a renewal date, we're able to drive the land and expand motion. And to be honest, that's one of the things that gets us most excited because the flywheel of the sales process continues to accelerate.

Now that being said, as you mentioned, all of these contracts as they start to come up for renewal also creates a compelling event for an expansion play. And we think of that as a prime opportunity to not only upsell on the existing suite they have, but to introduce the new solutions and to cross-sell into the base. And we see that kind of sales methodology change kind of kick in more and more over the last couple of quarters, where we're actually enabling our sales team on the conversation of -- it's a different conversation at the point of renewal of just understanding what have they consumed, read the telemetry, get the upsell in there because that's a basic motion you should be able to do always.

And then understand through adoption curves and road maps that we've seen with other customers, what's the next best solution to introduce and make sure it's part of the renewal cycle when the wallet is already open. And again, that's something that the sales team has really improved at the -- becoming more profession and we'll continue to improve that as they become even more proficient in this SaaS selling motion.

I appreciate that. Josh, on a related matter, as we work through the maturation, if you will, of the base as it relates to converting some of your customers on the predecessor perpetual form factors and you get any prior customers sitting on perpetual maintenance. I'm curious if you can help characterize what proportion of ARR growth is going to be coming from simply converting the prio-perpetual maintenance customer and customers? And any impact that had in this quarter to growth .

Yes. Thanks, Fatima. I think as we look at conversions and we go back already a whole bunch of quarters into '23 and even into '22. We're still seeing it really reflecting single digits, mid-single digits of our ARR growth coming from conversions. I think as we look into 2024, We're not really changing that view. We think it should behave similarly to what we saw in '23 and already at the end '22.

And I'll just add on top of that, just one element from a strategy perspective, if you will, which is -- when you analyze this base of customers and you try to understand, okay, what's their buying patterns, the first thing you're looking at is while they're still on maintenance, are they buying other solutions? Is there any less expansion that we're seeing in that base versus the rest of the base? And the answer was yes.

Then you're really wanting to push them as hard and fast as possible to get them to move because otherwise, you're gated yourself on your expansion in those accounts. When we actually analyze the maintenance paying base, their expansion sales, the rate at which they're buying the new solutions is not that much different than people who are sitting in a subscription model or on the SaaS platform. And so that gives us a little bit more leeway to be flexible with that customer base to keep them happy on that self-hosted or perpetual product and move when they're ready and in fact, move them to SaaS when they're ready, not move them over to an on-prem subscription because when we move them to SaaS, the upsell is significantly higher.

So strategically, as Josh said, I don't think you're going to see us be that aggressive in 2025. I think you'll see customers start to migrate because their own plans call for SaaS. But we're really excited by our ability to be able to drive NRR out of any base that we have.

Your next question comes from the line of Rob Owens with Piper Sandler.

Matt, when you speak to the full identity market opportunity, what are your thoughts around IGA? Is it an IGA light approach? Or is it something that you're going to look to dive into more fully?

Rob, great question. And I think we still see fundamentally that the siloed nature of PAM access and is at the detriment of customers in their security posture. And that organizations that implement kind of in that silo are not taking the most robust security posture that they can. So we increasingly focusing in on adding to our identity management stack and being able to manage the modern IGA workflows that sit out there in combination with our SEA solution, even in combination with our PAM customer base. And so I think you'll see us continue to invest in that. Now again, if somebody needs to go and do a large-scale IGA deployment across all legacy assets that sit in the data center, we have a great partnership with SailPoint and we're fine with SailPoint taking that bigger business. But as you move these workloads to the cloud, as you move into a modern real estate, we increasingly believe that in order to win that we need a hybrid approach.

And every solution that we bring to market from this point forward, and the team knows they hear from me all the time, has to have components of governance, components of access and components of privilege controls, that is what makes us unique. That's what makes our platform unique. And I think you'll hear us talking more about that in the days to come.

Your next question is from the line of Jonathan Ho with William Blair.

Congratulations on the strong results and guidance. Yes, I just wanted to understood a little bit more about your secure cloud access product. And what is going to give us some additional detail on how big of an opportunity you think this could become?

Thanks, Jonathan, and thanks for asking about my little favorite area here, so he gave me a chance to pontificate a little bit about it. But listen, we believe fundamentally that the idea here in the cloud that customers have moved fast and for good reason into their cloud real estate. And as they moved, they granted unfettered access to all of these users out there in the developer community in order to facilitate speed. And that leads to a world of over entitlement and frankly, lack of control.

Now we have a lot of vendors out there that really look at discovery and trying to understand what that cloud real estate looks like, even presenting ways of managing posture and managing the overall cloud environment. And we think that's important, by the way, and we partner with some of them to make sure that we can tap into the great data that they're able to harvest. But ultimately, like the on-prem world, security comes back to control.

And so our [ SCA ] solution is built on the idea that you need to have the same levels, the same concepts of control in your cloud estate as you did on-prem. You need to make sure that you're actually isolating sessions. You need to make sure that you understand and controlling entitlements, you need to actually make sure that there is the ability to be able to record, especially in audited industries. And so our SCA solution takes all the principles of PAM. But then what it does, it says, actually, in that environment, you don't need standing access. You can actually have entitlements or privileges assigned at the point of access.

So a cloud user, a developer can use their federated access, their personal accounts, they can log into the cloud console, they can start to work in the cloud services, and we can apply the right level of entitlements and privileges right at that time for a period of time. And the minute they log out, we can remove those entitlements so that when that account is sitting inactive, it is actually a 0 Privileged account, and we can drive a least privileged approach. We believe, fundamentally, and as you can hear, I get excited when I talk about it, that moving into this control area of the cloud is an underrepresented piece of the market. It's not actually represented in the TAMs of all these other cloud security vendors that are out there and that we're uniquely positioned to actually capitalize on that.

So while it's early days, and while we're a couple of quarters into the market, I would tell you that at our enterprise accounts, the numbers of conversations that are actually leading with, how do we secure our cloud is remarkable to me, and that then sets up a long-term TAM for us in this area that I believe can be a meaningful -- significantly meaningful contribution to our ARR growth.

Your next question is from the line of Tal Liani with Bank of America.

A few questions. The first one is, can you take us through a journey of a client? You spoke a lot about it, the journey of a client from a point of view of synergy with existing customers. I'm assuming that customers first land with the PAM. What happens when they want to go to different products? Where is the synergy? Is there any synergy in terms of products or sales motion or management, et cetera. What's the incentive for them to continue with you with your other products? Let's take it one by one. .

Sure. So I think when we think about that synergy or we think about that expand motion, if you will, it really depends on the priorities of the organization, and I'll give you like 2 different examples. You might be sitting in an organization where they have invested heavily in their nonhuman identities and their machines and their ability to build out a modern application environment. And in that case, if that's the priority of the organization, it's the most likely next step from someone who secures IT and their PAM users to actually move over and secure the nonhuman identities.

And the synergy is, hey, we can take a least privileged approach, we can help them understand how to create these controls that I'm talking about but we can do it in a developer friendly or a native way, especially with our Secrets Hub product and our easy to deploy Conjur Cloud product. And so you see some customers where that might be the first path they go towards expansion. An alternative is you might be sitting in an area of high attacks around ransomware. And you might be health care, it might be financial services. And in those areas, okay, they've locked down their core controls and IT. Now they need to secure their end points. They need to secure their servers.

And the natural extension is to move into EPM. And in that case, that's the next expand motion for that customer. And then there's a third type of customer, to be honest, that actually buys a little bit of everything, and they start to deploy in pockets in different work groups, in different areas of the enterprise, and then they look to upsell or expand over time within a broader set of 3, 4 or 5 solutions. So the other way to answer the question is there is no one typical pattern the underlying element though that drives the success is a unified platform with single shared services, a unified audit an ability to be able to run identity across all of that.

The ability to run threat analytics across all of that. And so the idea being these customers, although they're not fully consolidating day 1 across the platform, they're future-proofed in terms of the consolidation aims they have for the longer term. I think there was another question.

And in these cases, do you replace an existing vendor? Or is it kind of a greenfield where you bring new features to areas where there's no such features You have to compete with a legacy vendor or an existing vendor that is already there?

Yes. I think, again, it depends. When you move into access in general, we're competing with something that's there. In a lot of cases, it's legacy and it's things that are outdated and not ready for the modern stack. When you move into EPM, sometimes it's greenfield, actually, the concept of lease privilege on the endpoint is a new concept for them. And they're sitting with their endpoints unprotected, maybe just having invested in EDR or XDR, but not understanding yet the power of the EPM agent.

When you move into the secret space, generally speaking, they're working at the work group level, maybe they're using some open source tools. At the work group level, but now they're trying to make an enterprise buy. So you're replacing or you're sitting on top of that open source or for example, you're sitting on top of the cloud services providers and the native secret stores. In the cloud space, for sure, you're going in greenfield, this idea of control and the developer themselves, that's something that's new.

So I took you around really quickly there, the real estate, but I think that represents the kind of things that we see out there in the market.

Your next question is from the line of Joshua Tilton with Wolfe Research.

Matt, I thought it was very interesting you talked a lot about new identities in your prepared remarks. How do you see the potential for copilot accounts to maybe act as a tailwind to either PAM or just the broader identity market is organizations pilot to secure what feels like a pretty big wave of incremental credentials that's about to hit the market?

Yes, Josh, it's a really good question, and it speaks to the larger point, which is any identity needs the level of identity security, right? And we believe that we can bring all of them into our platform. So if we take the co-pilot example, it's almost like a hybrid of a human identity and a machine identity all in one. With, generally speaking, granted large swaths of privilege that mirror the human machine that it's meant to augment or in some cases, replace.

And so as AI technology kind of takes off, it creates a lot of vectors for growth. It creates vectors as we kind of compete our bat against the attack vectors fueled by AI. It allows us to be able to build AI into our products to make them more effective, to make them better able to secure environment. And then also is the tools themselves that need to be secured. And co-pilot is a great example of that where we're going to end up with multiple new identities.

And we're going to need to secure it just as if it was a new developer coming on or if it's a new member of the workforce coming on and I think that speaks to the market we're in, where if you're in the identity security market, the number of identities is your market and any increase is a good thing.

Your next question is from the line of Hamza Fodderwala with Morgan Stanley.

Sorry about that. I had 1 question around distribution for Matt. It seems like you're going after a really broad opportunity in the prepared remarks were really helpful. I'm curious how you plan to continue to improve on the sales velocity to go from 9,000, 10,000, 20,000 customers over time? Or do you feel like there's more opportunity still within the installed base, and that's going to be driving the majority of growth going forward?

Yes. Hamza, thanks for the question. And I wanted to highlight the opportunity within the base because I think it's important that everybody understands how the expansion happens, but you can get me equally excited about our ability to be able to go and grab new logos. And if you were talking with our wonderful CMO, he walks around with a new logo T-shirt on every day because that's what he's going off and trying to drive for us and build up that channel.

Now as you said, it's not just about what we do direct. It's about our channel partners in that space. We have the best channel partners in the world, whether it's the CSIs. You heard an example of where one of them was able to bring us into a Fortune 100 account this quarter, whether it's the reselling partners that are out there that are increasingly turning their attention to driving new logos or if it's an area which I'm even more excited about, which is the MSP programs.

And as you start to embed your entire platform into the MSPs and you start to be able to have them represent you within their vast customer base, even in the enterprise and down market, that becomes a flywheel of its own in terms of the ability to be able to go after new logos and to be able to go after new logos with all of the product set. So I do think you're hitting on a key point here, which is the channel and the force multiplying effect of our channel is a critical ingredient of driving the productivity growth that we want to see, and we continue to want to see more productivity and then also our ability to be able to get outside of our base and really capture this opportunity in the broader market.

Your next question is from the line of Ray McDonough with Guggenheim Securities.

Maybe one for Matt, if I could get a follow-up for Josh after. But Matt, I wanted to follow up on your answer to Hamza's question around the MSP opportunity. What specifically are you doing to enable the channel from a product perspective to help them -- help you attack that market? And then how much of the demand and the need for cyber insurance plays into the roll down market and what those MSPs can help you achieve in terms of penetration?

Yes. Great follow-up by the way. And I think there is investments in the product to make it serve the MSP market better. We've got a whole wing of product management that's actually just thinking about the MSP market and what needs to happen. And some of that we've built and some of it is still being built.

The idea of easier reporting, the ability of easier way to manage tenancy within the platform. The idea of even on the finance side, which is in the product, but in the organization to be able to bill more effectively and more flexibly. All these things are part of our MSP program holistically. We think of it as a market for us, and we run it like that where we're tracking the contribution and what do we need to do throughout the entire parts of CyberArk concluding product to serve that market.

And so I think that's one of the big shifts we've made in the last 18 months is to think of it that way. It's not just a little bit of an offshoot of the channel partner program. It's its own thing. I think to your point, there is intersections all the time between the growth drivers of our business. On one end, you've got cyber insurance with absolutely in the lower end of the enterprise and in the mid-market, is a driver of people towards PAM, towards Identity Security. It's a factor in whether somebody can get cyber insurance.

And by the way, it's a factor in what their premium would look like. Then those companies are looking for an easy way to procure it. They might be procuring it, by the way, not even only through MSPs, they might be procuring it through their AWS marketplace and leveraging some of those lubricated routes to market. But in addition then, MSPs can manage the whole system for them obscuring them from any of the complexity and make sure that they're able to stand it up quickly and meet the cyber insurance requirements.

And we could take any one of the tailwinds that we talk about and routes to market that we talk about, and there's always that juxtaposition and the one you're picking on is a particularly nice one for us as we move forward.

This concludes the Q&A session. I will now turn the call back to the CEO, Matt Cohen for any closing remarks.

So thank you to everybody. I want to finish up here by thanking our employees for their hard work and dedication. It's only because of them that we're able to talk about the success we had in 2023 and our optimism for the future. I want to thank our customers and partners for their support and partnership.

And personally, I also want to thank Udi for his mentorship and support over the last year. I look forward to continuing to partner with him on the long-term strategy in his role as Executive Chair. But personally, I have a big thank you to him to add into the talk track here.

With that being said, we look forward to seeing you all and talking to you all real soon. Take care.

This concludes the CyberArk Software Fourth Quarter and Full Year 2023 Earnings Conference Call. Thank you for joining. You may now disconnect.