Mandiant, Inc.
Q2 2017 Earnings Call Transcript

Published: 2 Aug 2017

Operator:

Good day, ladies and gentlemen, and welcome to the FireEye Second Quarter 2017 Financial Results Conference Call. At this time, all participants are in a listen-only mode. Later, we will conduct a question-and-answer session and instructions will be given at that time. As a reminder, today's program maybe recorded. I would now like to introduce your host for today's program, Kate Patterson, Vice President of Investor Relations. Please go ahead.
Kate Patterson:

Thank you, Jonathan. Good afternoon, and thank everyone on the call for joining us today, to discuss FireEye's financial results for the second quarter of 2017. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's Chief Executive Officer; Frank Verdecanna, Executive Vice President, Chief Financial Officer and Chief Accounting Officer; and Grady Summers, FireEye's Executive Vice President and Chief Technology Officer. After the market closed, FireEye issued a press release announcing the results for the second quarter of 2017. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectation for certain financial results and metrics, FireEye's priorities, initiatives, plans and investments, FireEye's path to profitability, drivers and expectations for growth, the expansion of FireEye's platform, and the capabilities and availability of new and enhanced offerings, market opportunities and go-to-market strategy. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today and you should not rely on them as representing our views in the future, and we undertake no obligation to update these statements after the call. For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release posted a few moments ago. Copies of the documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, certain non-GAAP financial metrics will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in Investor Relations section of the website as well as the earnings release. Finally, I'd like to point out that we have posted the supplemental slides and the financial statement on the Investor Relations section. With that, I'll turn the call over to Kevin.
Kevin R. Mandia:

Thank you, Kate. And thank you to all the investors, employees, customers and partners who are joining us on this call. We all appreciate your interest and support. Before we begin our discussion on our Q2 performance, I would like to comment briefly on reports that began and appeared yesterday about an alleged breach of Mandiant. Based on information posted online by this anonymous person, shortly after midnight on Monday morning, we began an immediate investigation into the matter. This is an ongoing investigation and it is too soon to discuss all the findings to-date, but so far investigation has first, found no evidence that our corporate network has been compromised; second, has found no evidence that our employees' personal systems were compromised. Rather, the evidence we have found shows that our employees' online accounts, including LinkedIn, Hotmail and other services were compromised. Thus far, it appears that at least two customers were impacted and we have addressed this situation with each customer directly. The documents exposed were labeled with these customers' names, but they did not contain any customer confidential information. Our top priority is to make certain that customer data is secure. To that end, and because we were able to investigate and arrive at our preliminary conclusions very swiftly, we are confirming our findings through a second-level review. We will continue to have our people look into this matter to ensure there has been no additional exposure and we'll do our best to keep you all updated. Now let's get back to the reason you are all here with us today and our Q2 earnings. In the last several quarterly calls, we have described a number of transitions FireEye has been executing through. This includes our transition from disparate products to a single platform; from APT prevention to comprehensive prevention, from an on-premise appliance to more cloud and hybrid solutions; from product revenues to subscription revenues. As we execute through these and other transitions, we remain focused on two overarching priorities. First, right-sizing our cost structure to support a balance of growth with profitability, and evolving our product portfolio to a comprehensive security platform delivered as a service on-premise in hybrid environments or in the cloud. I feel we have done an excellent job right-sizing our cost structure while emphasizing innovation. I believe fiscal responsibility and innovation are now embedded in the FireEye culture. Now it is time for us to take advantage of the significant innovations we have delivered and to focus on growth and refining our go-to-market strategies. Therefore today I'm going to discuss three things
Grady Summers:

Great. Thanks a lot, Kevin. So Kevin spoke about few themes I'm going to elaborate on, specifically our innovation engine, our recent product developments and how Helix help the customers deliver on their most pressing needs. I should note we have incredibly exciting innovation taking place across all of FireEye, including in our Global Services and Intelligence team, that's FireEye as a Service, Mandiant and iSIGHT. However, today I'll be speaking specifically about our product technologies. In his comments, Kevin talked about the four transitions that we've been executing through. We still have much work to do and really no product is ever complete, but I'm pleased we delivered on the three product related transitions that Kevin set out a year ago. First, we now have one unified platform that unites all of our spoke product into a API-driven single interface. Second, with our new ability to detect broader types of undesirable threats such as adware and spyware and email, all of our core products can now detect or prevent a comprehensive spectrum of threats. And third, as Kevin mentioned, with last quarter's release of HX for Linux, we now have virtual, cloud-based, and physical form factors for HX covering Windows, Mac, and Linux operating systems. So in a year, we've gone from a single platform and a delivery model, Windows and a physical appliance, to being able to provision the form factors that customers desire with the operating system coverage they need and we view those as all big accomplishments. So you've heard Kevin talk about a unique combination of consulting and technology and the innovation that it powers and I've tried to depict that innovation engine here. This is something we get a lot of questions about is, how does consulting work together with product. So innovation does come from a lot of different places within FireEye, but some of the best innovation we believe starts in the frontlines. So, with our Mandiant instant response practice, we do learn more about attackers than other companies. Our consultants share what they're seeing in the field. They provide requirements for a new product functionality and they look to us to deliver those. Now one thing that we've learned is that a consultant need to tweak the product much more quickly than our product customers would ever want to upgrade. Consultants also have a higher tolerance for pain. By this I mean they're willing and able to put up a functionality that has rough edges. This is why we established the Innovation and Custom Engineering or ICE team, which includes our data science organization and a rapid response development team. This team can iterate on consultants' requirements at a much faster pace than we would ever push new features out to customers. I've indicated this on the slide with a two-way arrow, of course, as these teams constantly work together to fail fast as they innovate. This is really important for a data science team in particular. There are many good companies in the security analytics space who have smart people trying to solve problems. However, I've noticed that most of them lack a real-world training ground for their analytics modules. This is a real distinction for FireEye. Our data scientists aren't working on academic problems in isolation, but rather they're applying analytics to catch evil and real-time for our customers. These new technologies and algorithms then flow to our engineering R&D team to productionize this code. Of course, requirements also flow in via our product management team, our customers, and the field, in addition to the innovative ideas that engineering comes-up with themselves. In fact, the big data analytics and malware research labs within engineering have done tremendous works lately, as we're on pace to find more zero-day vulnerabilities this year than any year since 2013. Our innovation cycle isn't complete there though, because we didn't have an opportunity to put new features into the hands of our FireEye as a Service analyst. So at this point, the technology is relatively stable and tested, but it might need a few iterations to ensure that it's user friendly and properly tuned and working as we expect. So since our FaaS users are experts, they can push these new features to their limits providing yet another source of validation. So the results of this cycle are really been seen in our products; our endpoint product HX has been a key beneficiary of it. Over the last year, we've improved stability and performance. We've improved our exploit detection capabilities to recognize and block new threats. We've integrated the investigative features that our Mandiant consultants needed. Our new ransomware prevention module, for example, also grew out of the ICE team and it will be productionized in early 2018. Our Threat Analytics Platform or TAP has also benefited from ICE, as a multiple modules that were originally developed by the ICE data science team are now productionized in TAP. Overall, we had 10 different analytics modules graduate, so to speak, from the data science team and moving into our products this year. So as highlighted on this slide, these areas have really set us apart. I really believe that developing cyber security software is different from most other types of software development. There is an active adversary that's always testing security software and looking for ways around it. There are very few companies I can think of with Mandiant caliber consultants that push our products' pass-through limits, a rapid development team to quantify their needs, a data science team that gets to hone their algorithms on the ground of an investigation, and a team of experts like (17
Frank E. Verdecanna:

Thanks, Grady. Let me start by framing my comments by saying that from a financial perspective, I believe our business has made significant progress on our path to deliver year-over-year growth and non-GAAP operating profitability in Q4. The year-over-year decline in product and total billings moderated. Sequential growth rates returned to levels consistent with our historical results, and we are positioned to exit the year with Q4 year-over-year growth in both billings and revenue. We continue to improve on our execution, and as a result, I'm pleased to report that for the second consecutive quarter, we have met or exceeded expectations on all our financial metrics, including billings, revenue, gross margin, operating margin, expenses, EPS and operating cash flow. On today's call, I will focus on some additional color on our Q2 results, our guidance, and the key business drivers for Q3 in the second half of the year. And since we'll be adopting ASC 606, the new revenue guidance, in Q1 2018, I will give you an update on that process. Before we begin, let me remind you that when discussing gross margin, expenses, operating income and EPS, I will be referring to non-GAAP measures, which exclude stock-based compensation, amortization of intangibles, non-cash interest expense on our convertible debt, and other non-recurring items. Starting at the top, billings of $172 million were near the high end of our guidance range, as we continued to execute well on the NX refresh migration opportunity and posted strong growth in the Mandiant consulting business, which operated near capacity in Q2. We also closed 10 new Helix transactions and posted year-over-year growth in FireEye as a service. Looking at the details, we booked two transactions greater than $5 million. The first transaction was with a regional transportation authority that includes a multi-year Mandiant services component, which was the primary driver of the difference between our professional services billings and professional services revenue. The second $5 million plus deal was for our traditional NX and EX appliance-based solutions, which contributed to our strong performance on the product line. This transaction also included a subscription to our iSIGHT Intelligence. Overall, we closed 27 transactions greater than $1 million, compared to 40 a year ago. The average transaction size of $1 million plus deals was constant on a year-over-year basis at just under $2 million. Transaction velocity continued to increase, with total transactions up year-over-year and sequential – on a sequential basis as well, as our existing customers continued to renew and expand their deployments of FireEye solutions. Our renewal rate, which represents our customer retention rate, was consistent with Q1 at approximately 90%, with a dollar base yield above 100% on a rolling four-quarter basis. The average contract length was 22 months, consistent with Q1 and down from 27 months in the second quarter of 2016. As you can see from the product subscription waterfall slide, we have included the decrease in contract length accounted for approximately $15 million of the year-over-year decline in product subscription billings. The year-over-year decrease reflects the mix within product subscriptions, which includes more renewals and unattached subscriptions. We added 221 new customers in the quarter and ended the quarter with more 6,000 total customers. On the revenue side, our strong performance on product and professional services relative to our initial expectations resulted in a total revenue of a $185.5 million, exceeding the high-end of our Q2 revenue guidance by more than $6 million. Just a couple of notes on the components of revenue. Product revenue of $31.2 million increased 31% sequentially from Q1. Although product revenue was down year-over-year, the decline of 23% was less than the 30% to 40% we guided on our Q1 call. This was partially due to the large NX/EX deal with a financial services customer mentioned earlier, but product sales were stronger-than-expected across the board with both refresh customers and new customers. Product subscription revenue of $86.3 million increased 13% from a year ago, but was essentially flat with the first quarter of 2017. The majority of product subscription is recognized from current subscription deferred revenue on the balance sheet, which was flat with the prior quarter. We believe this trend is the lagged effect of the decline in product subscription billings that came with the decline in product billings that began in 2016. This also explains why our Q3 guidance implies relatively flat product subscription and support again in Q3. Mandiant professional services posted a record quarter of $33.7 million in revenue, up 19% from Q2, 2016. The results reflect the completion of several milestone projects as well as record chargeability and rates per hour in the quarter. Historically, strong Mandiant billings have resulted in pull-through of additional product and FireEye as a Service billings in the future quarters. And this is one of the reasons I believe we are on-track to achieve our second half objectives. Our strong revenue performance was accompanied by continued discipline and improvement on the cost and expense side. Gross margins of 73.5% improved sequentially and year-over-year as we become more efficient delivering our subscriptions or services. In Q2, we consolidated our services, support and threat intelligence organizations into a single organization with a more streamlined cost structure. Total operating expenses were a $141.7 million, decrease of nearly $35 million or 20% from Q2, 2016. Sequentially from Q1, sales and marketing and G&A both declined, while R&D expenses increased slightly as we continue to invest in innovation. Headcount increased by 30 people from Q1, 2017, the first sequential increase since Q1 of 2016. Our strong revenue performance, coupled with continued expense discipline, resulted in a better-than-expected operating margin of negative 3%. Our Q2 operating losses decreased by $43.7 million to just $5.3 million or 3% of revenue. This was the second-best operating margin in our history, second only to the Q4, 2016. On a year-to-date basis, we've reduced our operating losses by more than a $100 million compared to the first half of 2016. I believe we achieved a cost and expense structure that balances the need to invest in future growth with the achievement of our non-GAAP profitability targets. Improved operational efficiency allowed us to outperform against our operating cash flow guidance as well. Operating cash flow of negative $11.5 million was better than the midpoint of our guidance range by more than $10 million. Although we added approximately $4 million to our accounts receivable balance, DSOs measured on billings of 58 days was below our target range of 60 to 65 days. Those are the highlights of our Q2 performance. Let's turn to, like, over the second half of the year. For Q3, we are now expecting billings in the range of a $190 million to $205 million and revenue in the range of $183 million to $189 million. Although history has shows us it's difficult to predict the mix in any given quarter, with our strong execution on the refresh opportunity, we are expecting product sales to remain consistent with Q2 or in the range of $30 million to $32 million. We also expect to see modest sequential decline in professional services revenue. This is due to normal seasonality associated with Q3 vacations and holidays as well completion of several milestone projects in Q2 we mentioned earlier. We're targeting a non-GAAP operating margin of negative 4% to negative 6% for the quarter. This includes modest expense growth of a few million dollars primarily due to higher commissions as well as a full quarter of expenses associated with the head count additions in late Q2. We expect to generate positive operating cash flow of between $1 million and $10 million in the third quarter. The increase relative to Q2 reflects the slightly higher receivables balance at the end of Q2, as well higher Q3 billings. Using shares outstanding of approximately 179 million for Q3, we expect loss per share in the range of $0.06 to $0.09. For 2017, we are reiterating our billings guidance in the range of $745 million to $775 million and increasing our revenue guidance range by $10 million to $734 million to $746 million. We continue to target non-GAAP operating profitability in Q4, along with renewed billings and revenue growth. We are reiterating our operating cash flow guidance of $1 million to $10 million and capital expenditures of $40 million to $50 million for the full-year 2017. To sum up the quarter, I was very pleased with our Q2 results, and as in Q1, we delivered at or better than all guided metrics. As we move into the second half of the year, I am encouraged by the continued improvement in our ability to execute. And I'm excited by the opportunities represented by Helix and our enhanced endpoint, as well as our efforts to hone our go-to-market approach. That's it from my prepared remarks on Q2. Before I turn the call back over to the operator to begin Q&A, I wanted to give you some comments on our adoption of ASC 606. As you know, we will be adopting ASC 606 in Q1 of 2018. Our preliminary view is that the majority of our product revenue will be recognized ratably under the new guidelines. This is because the appliance and subscriptions are viewed as a single unit for accounting purposes. The change has an implications for our supplemental metrics and the breakouts of billings and revenue, that we will discuss as we are closer to adoption. We continue to make very good progress on the ASC 606 project and expect to be able to provide some additional information on the P&L impact later this year. We will also try to give you some advanced warning on any change in metrics and breakouts. With that, I'd like to turn the call back over to the operator for Q&A.
Operator:

Certainly. Our first question comes from the line of Ken Talanian from Evercore ISI. Your question please.
Ken Talanian:

Hi, guys. Thanks for taking the question.
Frank E. Verdecanna:

Hi, Ken.
Ken Talanian:

So, you've talked a lot about the large amount of NX appliances due for refresh in the back-half of the year. I was wondering if you could give us an overview of how you're tracking that process for those deals.
Frank E. Verdecanna:

Sure, Ken. So basically, if you look at the full year of the NX renewals, Q3 and Q4 have the majority of renewals just based on historic seasonality. And, if you look at what we've done for the first half of the year, we've executed really well on the refresh opportunity. We've reached refresh basically every dollar we're expecting a refresh, plus additional dollars from expanded deployments in additional products and subscriptions sold into that renewal.
Ken Talanian:

Okay. And, I guess along those lines, could you discuss what portion of the NX space or even your entire installed base is facing, essentially an end of life by year-end?
Frank E. Verdecanna:

So, we don't have a formal end of life process. If you look at our appliances, they can last anywhere from three to five years. We have a significant number of appliances that are up for renewal this year, but again the customers can just renew products subscriptions and support or they can refresh to our hardware that have some additional functionality and additional bandwidth capabilities.
Ken Talanian:

Great. Thanks very much.
Frank E. Verdecanna:

Thanks, Ken.
Operator:

Thank you. Our next question comes from the line of Michael Turits from Raymond James. Your question please.
Michael Turits:

Yeah. So some broader question on the second-half ramp which is still quite strong on the billing side. So you would just talk about the refreshment? Also, and especially there were couple of large projects, it sound like they would have some pull-through and then the availability of new product projects. I may have answered the question myself already, but I really want to make sure that we have it down in terms of how we can get that confidence and that's strong ramp-up in billing that goes into the second half?
Frank E. Verdecanna:

You know, Michael, I think you hit it on the head. So, the three real growth drivers there are the NX refresh opportunity that – we have significant number of renewals coming up in Q3 and Q4. Also the timing of endpoint with antivirus being released at the end of the third quarter is the big growth drivers for the fourth quarter, especially, and then Helix, which we did see progress in Q2, but if you look at the pipeline from the start of Q3 versus the start of Q2, our pipeline is up 6x on Helix, and one of the things we're really encouraged by on Helix is that every dollar of Helix has been kind of pulling through $2 of additional subscription and support.
Michael Turits:

Right. And if I could ask one slightly broader question regarding the outbreaks of ransomware with NotPetya and WannaCry as well as GDPR, been a lot of discussion about whether or not in general it seem to be a good long-term driver, but is that causing a pause or an acceleration of spend right now?
Kevin R. Mandia:

Well, I think people have to pay attention to it. Right now, traditionally ransomware is, what I call, an indiscriminate attack. It's not very targeted, and a lot of folks might make the argument that if you do good hygiene, you shouldn't have to deal with those sorts of issues. However, the targeted attacks that are more advanced and more complicated to prevent, we haven't seen ransomware kind of appear in those very frequently. But the bottom line is WannaCry, Petya and other types of ransomware attacks keeps cyber security top of mind.
Michael Turits:

Okay. Thanks very much, Kevin.
Kevin R. Mandia:

Yes.
Operator:

Thank you. Our next question comes from the line of Gur Talpaz from Stifel. Your question, please.
Gur Talpaz:

Great. Thanks for taking my questions. So I wanted to ask on Helix endpoint, specifically with regard to Helix. Can you talk about your thoughts regarding the product as a mechanism for up-sell to additional FireEye products? You touched on it a bit in the call, but as Helix continues to grow, our customer is starting to see you as a more holistic security vendor?
Kevin R. Mandia:

Well, that's why we spoke so much about it on this call. I mean, we got to get the message out there, Gur, and we got to let people know, let people see. There's no question as we go to what I'm calling and we're calling the hub-and-spoke model, the products that originate this company are now spokes. If we get people to Helix machine control, we have many ways and many other products to up-sell at that point. So, Grady's non-verbal communication is that he really wants to talk right now. So, I'm going to pass over to him.
Grady Summers:

Okay. I was just going to mention, this year is very much about getting customers onto platform and getting the platform to the state we needed to be in. We know there's significant up-sell and cross-sell opportunity going in next year. We've got a long roadmap of subscription up-sells we know we can layer into the platform, I touched on iSIGHT premium Intel for example. So, there's a lot more to come, it's just important for us this year to focusing given the customers move to that platform.
Kevin R. Mandia:

And then Gur, since you opened up the door, I'll say this and it's indirectly answering your question, but our intellectual property at FireEye has always been, we know how to stop bad stuff from good stuff in my opinion better than anybody, and we build system that knows how to do that. Our first-generation as a company as we took that IP and we put it in a network appliance. Now we pull it out of the network appliance and we want to make it available to our endpoint, our e-mail, our network and everybody else's network e-mail and endpoint products, because their true IP is telling good from bad, and that's what we want to make more widespread and more available. So, we're taking the walk with Wall Street with our customers, with all our stakeholders on, we said what was good and bad on the network, so now we're more of an analytics organization that helps your products and our products defend your network.
Gur Talpaz:

That's great color. And then maybe one question on endpoint. I'll take a different angle here. It feels like you're tailoring this product specifically for the channel. What are you seeing with regard to early commentary from your channel partners and from customers, and then give an endpoint proliferation, how noisy the endpoint market is right now, how do you differentiate from other players in this space that are going after the market with similar messaging? Thank you.
Kevin R. Mandia:

So, we went through the channel with some things. We're going back with another campaign. So, here is how we differentiate. I've made a whole carrier out of responding when endpoint technology fails. And, so we're still doing that. We've got hundreds of people deployed, responding to breaches behind the latest AV updates and next-gen endpoint software. So, I see it as we differentiate in the following way. We have a layer of defense that I'm wholly unaware of other endpoint technologies having. Table stakes on endpoint protection is you've to detect what AV detects and we have that. So, that's a check in the go box from a compliance standpoint, and that's coming out this quarter. But then you want to also detect what AV misses with next-generation capability like machine learning models and some heuristics. We have a check in the go box there, and so do other vendors. But there's still attacks that get through all of this, and we are the best position to respond to those with what I call an adaptive layer. And that's not the most fancy marketing in the world, but I'm going to go with it. It's an adaptive layer. We can learn something today, and push the heuristics and rules required to defend our customers from it today into the endpoint technology. And, that picks up where most pure product companies have a model that doesn't learn, and I'll expound for another 20 seconds. Most pure product companies, how do they learn when their products are evaded? How do they learn how one of their customers was compromised? The answer is they actually don't usually learn how. They don't get first-hand experience to see how their tech was evaded, how the bad guys got in, how they took things. And we see that firsthand all the time and that adaptive layer can respond to that. Now, that being said, we also want to rely on the technologies that are emerging, machine learning models, heuristics, rules, analytics, all of that to productize what we learn, because, quite frankly, if technology can automate what humans do, technology will do it better. So we'll always strive to do that. So anyway. It's a longwinded answer to say we differentiate by having a third layer of defense that is unique, because it's unique in my opinion to FireEye, because we're responding to dozens of breaches at any time behind the other endpoint technologies.
Gur Talpaz:

Kevin, as always appreciate the color and Grady, I appreciate the enthusiasm. Thanks a lot, guys.
Operator:

Thank you. Our next question comes from the line of Rob Owens from KeyBanc Capital Markets. Your question please.
Rob Owens:

Great. Thanks and good afternoon, guys.
Frank E. Verdecanna:

Hi, Rob.
Rob Owens:

With regard to the upside that you showed in the quarter on revenue, we see the guidance uptick, but relative to billings, holding it the same, is that a function of duration or are there other puts and takes at play there?
Frank E. Verdecanna:

Yeah. I think Rob, if you look at the year-over-year decline in total billings, you can almost attribute the entire decline to average contract length going from 27 to 22 months.
Rob Owens:

And in your purview, should it stay at this level moving forward or do you expect further declines?
Frank E. Verdecanna:

I think it'll probably stay right around where it is today. I think the significant move from product to subscription had an impact on contract length, but if I look at most of our subscriptions right now are anywhere from one to three years, so I think leveling off around two years is reasonable.
Rob Owens:

Okay. And then number two, I apologize if I missed it. Did you disclose what international revenues were during the quarter and how Europe trended? I know there was some broader commentary Kevin made around ransomware, but just curious where it wound up for the quarter.
Unknown Speaker:

Historical...
Frank E. Verdecanna:

Yeah, so we did disclose in our historical metrics and basically U.S. was 67%, which was pretty consistent with Q1, Q1 was 66%.
Rob Owens:

I'm sorry, you said 67%?
Frank E. Verdecanna:

Yeah, for U.S.
Rob Owens:

Okay.
Frank E. Verdecanna:

So 33% International.
Rob Owens:

Thank you.
Frank E. Verdecanna:

Thank you, Rob.
Operator:

Thank you. Our next question comes from the line of Keith Bachman from Bank of Montreal.
Keith Frances Bachman:

A little bit of static on the line. I wanted to ask about the pricing comments that you made and I understand that it's a bit difficult. But historically, FireEye has been known as the premium product for premium capabilities. And you did make a number of comments around – you didn't use these words, but want to get more competitive as pricing. So how should users and investors think about A, at the spoke level, if you will to use Grady's term, but then also Helix; how do customers think about the pricing of Helix relative to the other capabilities that they could buy? Thank you.
Frank E. Verdecanna:

So I think it's a good question. Yeah, we've been looking at pricing, I think, both from our historic legacy products, but also more importantly for our newer products. And if you look at Endpoint with antivirus, for example, our cloud version is very competitive to the market and historically our products were premium-priced and really challenging to go through the channel on some of the legacy products. But we feel like with Helix and Endpoint with antivirus, we're much more price competitive now with our cloud versions of those products.
Keith Frances Bachman:

And just so philosophically, do you anticipate being very competitive with the other products and then taking share through features or would you still think you'll be at a premium relative to the other products that you're competing against in the market?
Frank E. Verdecanna:

Well, I can tell you a couple things. When you look at small-to-medium enterprises, they have a different price point, pain and threshold than a lot of the enterprises we're used to selling with. So in order to expand the base that we sell to, I would like to get the pricing down and when you bundle different things, the pricing gets a little bit more complex. We were largely pricing each one of our products as if they were going to market independently.
Keith Frances Bachman:

Right.
Kevin R. Mandia:

That's no longer the case anymore. So, as we sell Helix, we're selling a system, system that learns, a system that can do a lot of different things and we want to make sure we get that pricing right. And it's also, it can have product pool sales in it, but it's a subscription as well. So this is something that's combining many stakeholders within our organization, some that were used to go into market, almost like a company within a company. And so, we got to have a holistic pricing review. We're working that with external consultants and working it at speed, but we want to have a value-based pricing too. This is a company that grew up shipping appliances and units, and now we're shipping a subscription to an outcome. So...
Keith Frances Bachman:

Okay. Well, many thanks for taking the question and best of luck.
Frank E. Verdecanna:

Thank you.
Operator:

Thank you. Our next question comes from the line of Melissa Gorham from Morgan Stanley. Your question please.
Melissa A. Gorham:

Great. Thanks for taking my question. So, Kevin you were just talking about the changes you have made from a product set perspective as well as the pricing. But I'm just wondering if you can maybe provide a little bit more detail on the changes you guys are making from a go-to-market perspective and particularly if you feel like you need to do some sort of change to the sales force to better address what would be perhaps a bigger opportunity with Helix, and if that is the case, where we are in that process?
Kevin R. Mandia:

So I could probably go on for quite a bit, but one of them, at the highest level I talk about we got to simplify our messaging. We have menu EX, HX, FX, AX, NX, EX and you go through all of these things, can't we just have network, e-mail and the Endpoint, because that's actually what we have. I can give you five more products that have NX on the end of it. So those are my opinions. But we still want a holistic approach to this and we have a roundtable folks discussing it. But I believe we have five to six ways into our customers and I want to go-to-market that way. And then we an endpoint route, we have an email route, we have a network route or we have somebody wanting to get us – our whole technology suite with Helix. So the bottom-line is, we want to simplify how we go-to-market. I am looking at how we're branding everything with Xs at the end and thinking that maybe here today and gone tomorrow. Second, you look at our channel, it is my opinion and I always work with, is that, we're going to stay consistent in the positives we have and I actually think it's pricing. I think, if we can get our endpoint priced right, it might be our first channel-ready product from a pricing and capability standpoint. You don't have to hire experts to run it, you just put it in and it's safeguarding your network, it's an endpoint fortress for you. So bottom line, Melissa, I could talk to you about this for a lot longer and hopefully we'll get a chance in the next day or so. But those are just two examples. Now we can simplify our messaging and simplify our go-to-market and give our channel better tools and simpler products to sell.
Melissa A. Gorham:

Okay, got it. And then just one follow-up on the refresh opportunity or the renewal opportunity. Frank, maybe this is for you. So when an appliance is up for refresh, it's fully depreciated and it needs to be replaced, how much visibility do you have in terms of what the customer buy behavior is, such as if they're going to buy perhaps another appliance, or they're going to go more of the subscription or virtual appliance route?
Frank E. Verdecanna:

Yeah. I think, our focus is really on providing the right solution for their environment. If they're not ready to move to the cloud, we have great new appliances that are Intel based, have more bandwidth, are Mac supported. If they're ready to move to the cloud, we have both, our just traditional cloud offering with NX or we have kind of a hybrid approach, where they can actually get used of their existing appliances, sensors and then that can speak to our cloud offering as well. So the good news is, we're now in a position on everyone in this folks to offer both on-prem, in the cloud or hybrid environments.
Melissa A. Gorham:

Got it. Okay. Thank you.
Operator:

Thank you. Your next question comes from the line of Sterling Auty from JPMorgan. Your question please.
Sterling Auty:

Hey, guys. Thanks. So, can you just tell me what drove the decline year-over-year of new logo customers?
Frank E. Verdecanna:

So, Sterling, I think one of the things that we talked quite a bit about – this is Frank, it was the go-to-market approach and the changes to some of the pricing. I think, if you look at what we've done a really good job on is, continued deployments within our existing customer base. The new logos, I think are really going to be more related to endpoint, Helix and some of our cloud versions of our older products. And so how we go to market with those and how we start working with the channels with those are really important, and that's why we've really engaged on kind of holistic pricing review, because we believe that's an area where – significant upside for us.
Sterling Auty:

That makes sense. And then, just to level set, you talked about the 10 Helix customers, but can you give us a sense of what portion of the business was Helix in HX versus let's say a year ago, just so we can see how that trends from here?
Frank E. Verdecanna:

So, we haven't actually broken out by products, but if you look at obviously, we didn't have Helix last here, so that 10 net new customers are all upside to that. Endpoint has been progressing nicely and if you look at the endpoint pipeline we feel really good about where we're at for the second half of the year. But again, the endpoint with antivirus comes out the end of Q3. So I would expect much of the year-over-year progress to be in the fourth quarter and to a certain extent a little bit less in the third quarter.
Sterling Auty:

Yeah. Thank you, guys.
Frank E. Verdecanna:

Thanks, Sterling.
Kevin R. Mandia:

Thanks, Sterling.
Operator:

Thank you. Our next question comes from the line of Anne Meisner from Susquehanna. Your question please.
Anne M. Meisner:

Hi, thanks. So, just a quick follow-up on the go-to-market strategy, in terms of the changes you are making there, could you give us an update on what you're doing differently as it relates to channel engagement in general just beyond kind of getting pricing right and not specific to any product? And then, on a related note, it seems like the first iteration of Helix may lend itself more to a mid-market sort of sale. Is there a way to better leverage the channel there again beyond just getting the pricing right, is there a way to better sort of educate or motivate the channel, compensate them to really get out there and sell it?
Kevin R. Mandia:

Yeah. So when I talk about the go-to-market in the past, I've always talked about process, product, price, and policy. And in the past, I thought our products at a premium price weren't always perfect for the channel, and sometimes they were perceived as expert systems. If you bought our products, you actually have that somebody run them, look at them. And so, I think we got the policy right, it's unambiguous, and if we keep enforcing it, we're going to win the channel over in time. So now it's more about the simplicity of the products and their price, and we're trying to get both those right. When you look at Helix, I'd agree with you. Helix, to me, has a simplicity and grace to it. If you buy Helix, we're telling you what matters most, and we're leveraging all prior spend, from a small, medium enterprise, or on the channel reseller moving this stuff, I see its relevance very broadly. And we're going to try to price that competitively to garner interest in net new logos. Endpoint, it's same thing, you can feel it in the market, and you can see with our endpoint pipe increasing, and I've seen it personally for years. We started our endpoint endeavor in 2004, when I started Mandiant. We knew there needed to be something to replace AV that was far more effective and signature-less. The time is now and we've got a product with multiple layers of defense, that I think is really perfect for the channel. It's simple. If you buy, you're protected. If you need extra help, we can send our expertise. Those are things that are messages that go with Helix and endpoint together. So the bottom line, both of those products have a simplicity that is channel-friendly and we're going for a price that is channel friendly.
Anne M. Meisner:

Okay. Perfect, and Kevin, maybe just a quick follow-up, could you share any additional detail on the strength that you saw in professional services in the quarter. It's stronger than it had been in a number of quarters, and I was wondering if any of that was driven by the ransomware headlines and also did you find yourself capacity constrained in that business?
Kevin R. Mandia:

On the capacity side, it's kind of tough, because over any week, you can get a bunch of inbounds and chaos and sues, and you can't say yes to every job that week. So, capacity constraints do emerge from time-to-time. But looking at it as a whole, yeah, we were pretty close to full-bore the whole quarter. I don't know, if I can simplify it as well, it was Petya or it was WannaCry, it was just – there is a certain amount of breaches. Again, we handle most britches quietly and discretely and the public never finds out the about them, nor should they need to. And, it's just we're real busy, it's that simple.
Anne M. Meisner:

Okay.
Kevin R. Mandia:

Some of that – I guess another expounding there though is the brand is getting just more noticed internationally, so I'm speaking anecdotally here. It feels to me, we're busier internationally than we have in the past, so some of the growth might be just as the brand kind of propagates internationally.
Anne M. Meisner:

Okay. And just a quick follow-up, have you seen a pickup in the pro-active side of the professional services business as well or is it mostly being driven by the -sorry go ahead.
Kevin R. Mandia:

Yeah. We have a pretty good balance here, like people think well, all you do is to respond to breaches, we do that, but what it makes you uniquely capable to say what do you do about it, meaning strategic consulting holds pretty steady. I don't have the numbers sitting right in front of me, but it's always been – it feels to me like more than a third of what we do over there, if not higher. And it will fluctuate quarter-over-quarter, if it's not more breach work, our folks are doing more strategic consulting work. So bottom-line, we're well positioned to do it and I think the balance between the two is pretty good, between response work and in fact the strategic proactive work.
Anne M. Meisner:

Great. Thank you very much.
Kevin R. Mandia:

Thanks, Ann.
Operator:

Thank you. Our next question comes from the line of Gregg Moskowitz from Cowen and Company. Your question please.
Gregg Moskowitz:

Okay. Thanks very much. Just a follow-up on a previous question. Kevin, wondering by roughly when you expect that the holistic pricing review might be completed and then implemented?
Kevin R. Mandia:

Completed? Well, we have a work plan. It's somewhere around 11 weeks or 12 weeks left in that work plan, is that correct? I'm looking at people nodding to me, and we're working with external consultants there, and then, after that I want to see where it lands. It's a great way to corral many independent and strong-willed individuals and get to a solution that's best for the company at large, and that's why we're doing it. So I would say it's 11 or 12 weeks out.
Frank E. Verdecanna:

(01
Kevin R. Mandia:

Yeah. The channel is tough, some of the things we're doing faster than that, like our endpoint pricing is going into the channel this quarter. The training for the channels already occurred and we're doing another round of endpoint training for the channel this quarter. So some of it, we're not waiting for completion and we're moving out, but some of it, we're looking for completion and we'll learn from it.
Gregg Moskowitz:

Okay. That's helpful. Frank, just wondering, Frank, what sort of mix you saw or any commentary you have on attached versus unattached product subscription this quarter? Thanks.
Frank E. Verdecanna:

Yes. So, Gregg, we haven't been disclosing the attached and unattached, but, yeah, it's been pretty consistent. We're seeing an increase in unattached and then obviously with the decline in product, we're seeing a decline in the product attached.
Gregg Moskowitz:

Right. Okay. Great. Thanks.
Kevin R. Mandia:

Thanks.
Frank E. Verdecanna:

Thank you.
Kate Patterson:

Time for one more question, please.
Operator:

Certainly, our final question then comes from the line of Gabriela Borges from Goldman Sachs. Your question please.
Gabriela Borges:

Great. Good afternoon. Thanks for taking the question. Maybe to follow up on the pipeline you're seeing in Helix, when you engage with some of the new customers in Helix, are you able to demonstrate to them ways in which they can save money through either consolidation of products or efficiency in a security operations center, and maybe just a little on the steps to get that product to go-to-market and scale? Thank you.
Grady Summers:

So this is Grady. I can talk about the value piece. I mean, that was one of the key premises we've been talking about Helix for a long time is, because our customers get entitlement to endpoint network, and TAP, we've additional discounting built into that. So it's been good, we're seeing some customers, one of our customers this quarter shared with us that they saw a 25% TCO reduction, by moving the Helix from the point products they've been at. So you can always hit every customer at the same point in the refresh cycle and we're looking to swap out a lot of products, but in this case, they did, and they sell substantial savings. The next part of your question was about scale, I can just tell you where we're working really hard in getting training out there to all of our sales engineers in the field as well as our account reps. So we'd love to get out there even faster, get them 100% to speed, but that process is happening and everybody should be fully trained on it here within the next few weeks.
Gabriela Borges:

Great. Thank you for call, and a follow-up for Kevin, if I could. You mentioned all of the areas in which the company has changed over the last year, as you look to the strategic plan for the next 12 months, what are the two or three things that you're most focused on?
Kevin R. Mandia:

It's a great question and it's taking that walk from what is our intellectual property? It's our ability to tell good from bad. And that it comes in many format. So you're going to see us constantly upgrade and innovate. I think I want people when you think FireEye, think innovation. I think we know more about what bad actors are doing than anybody else, I think we have an adaptive system. And I want to move the needle on those from a technology standpoint. And that's the easiest way to say it, keep our IP available, keep our analytics available to our products, and quite frankly, why not make them open and integrate them with other people's security products as well, so that everybody can benefit. So that's where we're moving. It's a long endeavor, but I anticipate enhancements happening ever quarter.
Gabriela Borges:

Make sense. Thank you.
Operator:

Thank you. This does conclude the question-and-answer session of today's program. I'd like to hand the program back to Kevin Mandia for any further remarks.
Kevin R. Mandia:

Yes. Real quick wrap up. In Q2, we said what we – we did what we said we'd do. And I want to thank everybody that joined us on this call. While we have driven positive changes, our mission and our focus remains the same, as does our commitment to our customers, our employees, our partners and our shareholders. So, again, I thank all of you for your support and I look forward to providing regular updates on our progress in the future. Thank you.
Operator:

Thank you ladies and gentlemen for your participation in today's conference. This does conclude the program. You may now disconnect. Good day.

Mandiant, Inc. Q2 2017 Earnings Call Transcript

Other Mandiant, Inc. earnings call transcripts:

Mandiant, Inc.
Q2 2017 Earnings Call Transcript