CyberArk Software Ltd. (NASDAQ:CYBR) Q4 2023 Earnings Call Transcript

Matt Cohen: And I’ll just add on top of that, just one element from a strategy perspective, if you will, which is – when you analyze this base of customers and you try to understand, okay, what’s their buying patterns, the first thing you’re looking at is while they’re still on maintenance, are they buying other solutions? Is there any less expansion that we’re seeing in that base versus the rest of the base? And the answer was yes. Then you’re really wanting to push them as hard and fast as possible to get them to move because otherwise, you’ve gated yourself on your expansion in those accounts. When we actually analyze the maintenance paying base, their expansion sales, the rate at which they’re buying the new solutions is not that much different than people who are sitting in a subscription model or on the SaaS platform.

And so that gives us a little bit more leeway to be flexible with that customer base to keep them happy on that self-hosted or perpetual product and move when they’re ready, and in fact, move them to SaaS when they’re ready, not move them over to an on-prem subscription because when we move them to SaaS, the upsell is significantly higher. So strategically, as Josh said, I don’t think you’re going to see us be that aggressive in 2025. I think you’ll see customers start to migrate because their own plans call for SaaS. But we’re really excited by our ability to be able to drive NRR out of any base that we have.

Operator: Your next question comes from the line of Rob Owens with Piper Sandler. Please go ahead.

Rob Owens: Yes, thanks for taking my question. Matt, when you speak to the full identity market opportunity, what are your thoughts around IGA? Is it an IGA light approach or is it something that you’re going to look to dive into more fully?

Matt Cohen: Rob, great question. And I think we still see fundamentally that the siloed nature of PAM access and IGA is at the detriment of customers and their security posture. And that organizations that implement kind of in that silo are not taking the most robust security posture that they can. So we’re increasingly focusing in on adding to our identity management stack and being able to manage the modern IGA workflows that sit out there in combination with our SCA solution, even in combination with our PAM customer base. And so I think you’ll see us continue to invest in that. Now, again, if somebody needs to go and do a large scale IGA deployment across all legacy assets that sit in the data center, we have a great partnership with SailPoint and we’re fine with SailPoint taking that bigger business.

But as you move these workloads to the cloud, as you move into a modern real estate, we increasingly believe that in order to win, we need a hybrid approach. And every solution that we bring to market from this point forward, and the team knows, they hear it from me all the time, has to have components of governance, components of access and components of privileged controls. That is what makes us unique. That’s what makes our platform unique. And I think you’ll hear us talking more about that in the days to come.

Operator: Your next question is from the line of Jonathan Ho with William Blair. Please go ahead.

Jonathan Ho: Hi, good morning and congratulations on the strong results and guidance. I just wanted to understand a little bit more about your secure cloud access product and whether you can give us some additional detail on how big of an opportunity you think this could become? Thank you.

Matt Cohen: Thanks Jonathan, and thanks for asking about my little favorite area here. So you gave me a chance to pontificate a little bit about it. But listen, we believe fundamentally that the idea here in the cloud that customers have moved fast and for good reason into their cloud real estate. And as they moved, they granted unfettered access to all of these users out there in the developer community in order to facilitate speed. And that leads to a world of over entitlement and frankly lack of control. Now we have a lot of vendors out there that really look at discovery and trying to understand what that cloud real estate looks like, even presenting ways of managing posture and managing the overall cloud environments. And we think that’s important by the way, and we partner with some of them to make sure that we can tap into the great data that they’re able to harvest.

But ultimately, like the on-prem world, security comes back to control. And so our SCA solution is built on the idea that you need to have the same levels, the same concepts of control in your cloud estate as you did on-prem. You need to make sure that you’re actually isolating sessions, you need to make sure that you understand and control entitlements. You need to actually make sure that there is the ability to be able to record, especially in audited industries. And so our SCA solution takes all the principles of PAM, but then what it does, it says actually, in that environment, you don’t need standing access. You can actually have entitlements or privileges assigned at the point of access. So a cloud user, a developer, can use their federated access, their personal accounts, they can log into the cloud console, they can start to work in the cloud services, and we can apply the right level of entitlements and privileges right at that time for a period of time.

And the minute they log out, we can remove those entitlements so that when that account is sitting inactive, it is actually a zero privilege account and we can drive a least privileged approach. We believe, fundamentally, and as you can hear, I get excited when I talk about it, that moving into this control area of the cloud is an underrepresented piece of the market. It’s not actually represented in the TAMs [ph] of all these other cloud security vendors that are out there, and that we’re uniquely positioned to actually capitalize on that. So while it’s early days and while we’re a couple of quarters into the market, I would tell you that at our enterprise accounts, the numbers of conversations that are actually leading with how do we secure our cloud is remarkable to me.

And that then sets up a long-term TAM for us in this area that I believe can be a meaningful – significantly meaningful contribution to our ARR growth.

Operator: Your next question is from the line of Tal Liani with Bank of America. Please go ahead.

Tal Liani: Hi. A few questions. The first one is, can you take us through a journey of a client? You spoke a lot about it. A journey of a client from a point of view of synergy with existing customers, I’m assuming that customers first land with the PAM. What happens when they want to go to different products? Where is the synergy? Is there any synergy in terms of products or sales motion or management, et cetera? What’s the incentive for them to continue with you with your other products?

Matt Cohen: Sure.

Tal Liani: Let’s take it one by one.

Matt Cohen: Sure. So I think when we think about that synergy or we think about that expand motion, if you will, it really depends on the priorities of the organization, and I’ll give you like two different examples. You might be sitting in an organization where they have invested heavily in their non-human identities and their machines and their ability to build out a modern application environment. And in that case, if that’s the priority of the organization, it’s the most likely next step from someone who secures IT and their PAM users to actually move over and secure the non-human identities. And that the synergy is, hey, we can take a least privileged approach, we can help them understand how to create these controls that I’m talking about, but we can do it in a developer friendly or a native way, especially with our Secrets Hub product and our easy to deploy Conjur Cloud product.

And so you see some customers where that might be the first path they go towards expansion. An alternative is you might be sitting in an area of high attacks around ransomware. And you might be health care, it might be financial services and in those areas, okay, they’ve locked down their core controls and IT. Now they need to secure their end points. They need to secure their servers and the natural extension is to move into EPM. And in that case, that’s the next expand motion for that customer. And then there’s a third type of customer, to be honest, that actually buys a little bit of everything, and they start to deploy in pockets in different work groups, in different areas of the enterprise, and then they look to upsell or expand over time within a broader set of three, four or five solutions.

So the other way to answer the question is there is no one typical pattern. The underlying element though that drives the success is a unified platform with single shared services, a unified audit, an ability to be able to run identity across all of that, the ability to run threat analytics across all of that. And so the idea being these customers, although they’re not fully consolidating day one across the platform, they’re future-proofed in terms of the consolidation aims they have for the longer term. I think there was another question.

Tal Liani: And in these cases, do you replace an existing vendor? Or is it kind of a greenfield where you bring new features to areas where there’s no such features? You have to compete with a legacy vendor or an existing vendor that is already there?

Matt Cohen: Yes. I think, again, it depends. When you move into access in general, we’re competing with something that’s there. In a lot of cases, it’s legacy and it’s things that are outdated and not ready for the modern stack. When you move into EPM, sometimes it’s greenfield, actually the concept of least privilege on the endpoint is a new concept for them. And they’re sitting with their endpoints unprotected, maybe just having invested in EDR or XDR, but not understanding yet the power of the EPM agent. When you move into the secret space, generally speaking, they’re working at the work group level; maybe they’re using some open source tools at the work group level but now they’re trying to make an enterprise buy.

So you’re replacing or you’re sitting on top of that open source or for example, you’re sitting on top of the cloud services providers and the native secret stores. In the cloud space, for sure, you’re going in greenfield, this idea of control and the developer themselves, that’s something that’s new. So I took you around really quickly there, the real estate, but I think that represents the kind of things that we see out there in the market.

Operator: Your next question is from the line of Joshua Tilton with Wolfe Research. Please go ahead.

Joshua Tilton: Hey guys. Thanks for taking my question. Matt, I thought it was very interesting you talked a lot about new identities in your prepared remarks. How do you see the potential for co-pilot accounts to maybe act as a tailwind to either PAM or just the broader identity market as organizations pilot to secure what feels like a pretty big wave of incremental credentials that’s about to hit the market?

Matt Cohen: Yes, Josh, it’s a really good question, and it speaks to the larger point, which is any identity needs the level of identity security, right? And we believe that we can bring all of them into our platform. So if we take the co-pilot example, it’s almost like a hybrid of a human identity and a machine identity all in one. With, generally speaking, granted large swaths of privilege that mirror the human machine that it’s meant to augment or in some cases, replace. And so as AI technology kind of takes off, it creates a lot of vectors for growth, it creates vectors as we kind of compete or combat against the attack vectors fueled by AI. It allows us to be able to build AI into our products to make them more effective, to make them better able to secure environment.

And then also is the tools themselves that need to be secured. And co-pilot is a great example of that where we’re going to end up with multiple new identities. And we’re going to need to secure it just as if it was a new developer coming on or if it’s a new member of the workforce coming on and I think that speaks to the market we’re in, where if you’re in the identity security market, the number of identities is your market and any increase is a good thing.

Operator: Your next question is from the line of Hamza Fodderwala with Morgan Stanley. Please go ahead. Hamza, your line is open.