Mandiant, Inc.
Q2 2016 Earnings Call Transcript

  • Operator:
    Good day, everyone, and welcome to the FireEye Second Quarter 2016 Earnings Results Conference Call. This call is being recorded. With us today from the company is Chief Executive Officer, Kevin Mandia; Chief Financial Officer and Chief Operating Officer, Mike Berry; and Vice President of Investor Relations, Kate Patterson. At this time, I would like to turn the call over to Kate Patterson. Please go ahead.
  • Kate Patterson:
    Thank you, Candice. Good afternoon, everyone, and thank you for joining us on today's conference call to discuss FireEye's financial results for the second quarter of 2016. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's Chief Executive Officer; and Mike Berry, Executive Vice President, Chief Financial Officer, and Chief Operating Officer of FireEye. After the market closed, FireEye issued a press release announcing the results for the second quarter of 2016. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectations for the third quarter of 2016 and the full year 2016, changes in the threat landscape, the security industry and customer buying preferences; FireEye's priorities, initiatives, plans and investments; FireEye's path to profitability; expectations regarding FireEye's restructuring plan and reduction in workforce, the size of the cost reduction and the amount and timing of the related restructuring charges; impact of FireEye's restructuring and changes in sales leadership; the expansion of FireEye's platform and the capabilities and availability of new and enhanced offerings, growth drivers, market opportunities, and opportunities with partners; customer demand for and adoption of FireEye's offerings; and FireEye's competitive position in the market. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future. And we undertake no obligation to update these statements after the call. 
    For a detailed description of the risks and uncertainties, please refer to our SEC filings, as well as our earnings release posted moments ago to our website. Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, certain non-GAAP financial measures will be discussed on this call. We've provided reconciliations of these non-GAAP financial measures to the most directly comparable GAAP financial measures in the Investor Relations section of the website, as well as in the earnings release. Finally, the slides and historical financials are posted to our Investor Relations site as well. With that, I'll turn the call over to Kevin.
  • Kevin R. Mandia:
    Thank you, Kate. And thank you to everyone for joining us on my first call as CEO today. In my remarks, I will provide a brief commentary on our second quarter performance, and then turn to a discussion of our plans to reinvigorate growth. Mike will then provide the details on our financial results, updated 2016 guidance and discuss ongoing efforts to align our cost structure with FireEye's path to profitability. For the second quarter, billings came in at $196.4 million up 10% from Q2 of 2015, but below our guidance range of $200 million to $215 million. Revenue was up – our revenue was $175 million up 19% year-over-year, but also below our guidance range of $178 million to $185 million. Our continued focus on cost optimization generated a $17 million sequential decline in our total non-GAAP cost and allowed us to deliver earnings per share that was $0.06 better than the midpoint of our guidance range. Although our billings and revenue were below our expectations, we continue to dwell on – with our core enterprise customers and we showed fundamental strength in several areas in Q2. HX Endpoint billings were up more than 65% year-over-year. We have strong renewal rates resulting in year-over-year growth in NX platform billings, which include both the appliance and related subscription billings. We added 308 new customers including several high-profile global 2,000 companies in many different verticals. Finally, we closed 40 transactions greater than $1 million, up from 30 seven-figure transactions in Q2 of 2015. Now, I believe there are three primary reasons why our Q2 top line performance fell below our expectations. The first two reasons are related to changes in the threat environment. While our services personnel are responding to more attacks this year than prior years, the scope and scale of these attacks is simply different. The average duration and size of each incident response engagement was smaller than in years past.
    And as a result, we saw lower services growth than expected, and the change in incident response engagement also lessened the amount of pull through of new FireEye subscriptions and products. The threat landscape is also impacting the sales of our other products and subscriptions. As the current threat environment shifts to smaller scoped breaches, some organizations may be opting for good enough over best-of-breed detection. However, I believe the threat landscape still presents significant risks, that are as, if not more severe than in the past. The biggest difference with the incidents we are responding to, and I think FireEye had a big influence in this factor, is the scale and scope went from hundreds of compromised machines by attackers who wanted to maintain and keep access to more of the ransomware type attacks and extortion attacks that are simply easier to remediate at times. The final reason was sales execution, which we are addressing in a number of ways. Now, that was a quick summary of what happened in Q2. So, let's turn to what we're going to reinvigorate our growth. I believe that going forward, we will address a larger market by offering solutions in multiple form factors that allow our customers to protect their assets wherever they are, whether they're on-premise, in the cloud or both. We'll also address a large market as we drive towards Security as a Service, allowing customers to benefit from our technology, expertise, and intelligence seamlessly and on-demand. This has been our strategy all along. And we are currently focusing on three key product development initiatives. First, I am excited that we've expanded FireEye as a Service to encompass alerts from third-party security vendors. We've capabilities available today to apply our threat intelligence and analytics to all alerts, so our customers are better protected.
    This allows customers to leverage our platform and expertise as well as their other security investments, providing greater value and opening new markets. Until now, FaaS has been tightly coupled with the FireEye technology stack and focused primarily on advanced attacks. Now we can address a broader range of threats, all leveraging the FireEye platform and scaling our expertise and knowledge to automation. The strengths of FaaS are significant, and we have seen tremendous growth over the last two years. We believe that the reason growth slowed after we became $100 million business was because we did not expand the threat coverage. We are now doing that in a big way. FireEye as a Service can now manage the entire detect-to-fix process. We can process all of our customers' alerts, prioritize them, provide the context, and then work on the fix. Next, we will deliver new cloud-based and hybrid security products that leverage our MVX detection engine. This is the MVX separation we discussed at Analyst Day that extends our core business from on-premise app appliances to a versatile form factor. The private cloud on-premise version is currently in beta and should be released on schedule later this month in August. This on-premise capability is powerful and I believe, it's essential for organizations that do not intend to rely on the public cloud based on regulations, privacy concerns or risk profile. To properly defend your network, you need to inspect documents, PDFs, other types of documents that contain sensitive information and many industries and organizations do not want to send that private data to a public cloud. MVX detection in the cloud, which will allow us to reach smaller more price-sensitive customers is on track for general availability in Q4. We believe that these solutions will open new markets as we have greater price flexibility and multiple deployment options.
    And finally, we will continue to extend our Endpoint product by adding real-time threat detection. Our HX Endpoint already offers rapid search, exploit detection and correlated threat intelligence with our NX and email solution. With a new release expected in the first half of 2017, we will take the next major steps to replacing traditional AV solutions and we are moving aggressively here. By focusing on these three initiatives, we can address large markets that are ripe for disruption. Just as importantly, we will be able to extend our capabilities to provide investment protection for our more than 5,000 customers, as we evolve our platform. These initiatives can also help our channel partners and we believe that by broadening our threat coverage and offering competitively priced cloud-based solutions that our products become better suited to distribution through our reseller channels and our channel partners can play an important role introducing our new solutions and expanding our customer base. And finally, we are bringing on a new head of worldwide sales and a new leader in EMEA. We recognize that these new offerings and leadership teams alone will not be enough to achieve our goals, as we transition to balanced growth and profitability as an organization. We must simplify our business and operate more efficiently. I believe the restructuring and workforce reduction that we announced today is absolutely necessary to balance growth and profitability. We're a business on a mission to protect our customers from the impact and consequences of the cyber attacks. We've been on this mission for a long time, and in order to best protect our customers from threats today and in the future, we need an intelligence led approach. I am utterly convinced that the cyber security channels cannot be stopped by technology alone.
    The solution requires a combination of technology, knowledge and expertise that we have here at FireEye, and I believe we have a more effective cyber intelligence capability than any company in our industry and it's even more effective than many governments. Our cyber intelligence is derived from our network of millions of virtual machines deployed around the world, as well as our global network of threat analysts, researchers, malware analysts and incident responders responding to dozens of incidents every quarter, and that number keeps going up. I believe we know more about what bad guys are doing on the Internet than any other security company, and this knowledge is very important. It enables FireEye to develop products and services to our customers that adapt as the threat environment adapts. It drives our innovation, and it is leveraged by our service, and as a service offerings to better do their jobs. I believe no competitor is positioned to counter our intelligence-led security strategy. Now, I have been doing security since the early 1990s, when I was in the military, and I've responded to many of the most severe cyber security breaches, and have seen firsthand the impact these breaches have on real people. Now, I'm committed along with the FireEye team to protecting our customers from cyber attacks. I would like to thank all the hardworking and exceptional employees at FireEye dedicated to our mission. I also want to thank all our customers who entrust us to protect them. We are honored, and I feel privileged to have our solutions as a core component to the security of many of the world's largest organizations and governments. And we strive to offer the most effective defense, at the lowest cost of ownership to protect all organizations, both large and small. Now, I will now turn the call over to Mike to discuss the details of our financial performance and walk you through our revised guidance for the rest of the year. Mike?
  • Michael J. Berry:
    Great. Thank you, Kevin. Welcome aboard. So, very good afternoon to everybody on the call. On today's call, I will provide some additional color on our second quarter 2016 financial results, including revenue, gross margin, operating expenses and cash flow. I will also provide some high level commentary on our path to profitability, and I will spend quite a bit more time on our assumptions for the second half of 2016 and our revised guidance. Before jumping into the results, I want to summarize the key themes of my remarks to set the stage for our discussion. As Kevin just discussed, we are focused on leveraging our core competencies in threat detection, intelligence and security operations to enhance our products, reduce our customers' overall total cost of ownership and help them operationalize security. Within our current platform, we are expanding our threat coverage, introducing new form factors, and adding features that will reduce customers' reliance on legacy solutions. We are targeting market segments with large TAMs, Endpoint, cloud-based detection, and Security as a Service, which Gartner has defined as the managed detection and response market. Historically, FireEye has done well with large enterprises, and this continued to be true in the second quarter, as exhibited by the year-over-year increase in the number of deals greater than $1 million, consistent multi-product attach rates and a strong first half in our core product renewal business. As we execute on our strategy throughout 2016 and into 2017, we expect to continue to do well with large enterprise customers through new sales, cross sell and renewal activity. We also expect that our increased threat coverage, new cloud and hybrid form factors, and expanded FireEye as a Service offering will appeal to a broader range of customers and this to drive new customer acquisition and top line growth.
    Looking at the second quarter at a high level, continued adoption of the FireEye advanced threat management platform by enterprise class customers drove growth in revenue and billings. Some highlights included strong growth in our Endpoint platform with Q2 year-over-year growth in HX platform billing of greater than 65%, and first half HX platform billings growth greater than 75%. We also had a stronger quarter than expected with our NX or network product as strong renewals plus incremental purchases by both new and existing customers resulted in year-over-year growth in NX platform billings. The total number of transactions was up 18% from the second quarter of 2015 with approximately one in three purchasing multiple products and over 90% of our greater than $1 million deals included multiple products. Our trailing 12-month renewal rate remained above 90%, again in the second quarter of 2016. We had a very strong quarter in terms of progress on our path to profitability, as our non-GAAP operating margin exceeded expectations, and our non-GAAP loss per share came in at $0.33 versus our guidance range of $0.38 to $0.40. However, we did have a few challenges that ultimately resulted in us coming in below the billing and revenue ranges we provided in May. As Kevin mentioned, the threat landscape continues to evolve, and the impact can be seen in our results in several areas, including lower average transaction sizes in our consulting and consulting-related product revenue that came in well below expectations. We certainly understand that we need to continue to respond to the changing landscape, and hopefully you heard our plans to reinvigorate growth during Kevin's prepared remarks. Okay, let's look at our second quarter financial results. As Kevin said, billings came in just over $196 million for a year-over-year growth rate of 10%. We completed 40 transactions greater than $1 million, up from 30 transactions in the same period of 2015.
    We did not complete any transactions greater than $10 million in the second quarter of 2016, and as a result, the average transaction size of the $1 million-plus deals was 13% lower in the second quarter of 2016 compared to the same quarter of 2015. We have discussed the grow over effect of large deals in the first half of 2015 on previous conference calls, and I think the best way to illustrate the impact of the smaller transaction size is to say that if we had the same average transaction size from last year across our greater than $1 million deals this year, our total billings growth would have been approximately 15% versus the 10% growth experienced in the second quarter. Year-over-year transaction growth was approximately 18% in the second quarter 2016, and we saw particular strength in not only the greater than $1 million deals, but also saw transactions between $500,000 and $1 million grow by greater than 35%. We continued to see strong multi-family sales as our customers adopt our platform, and 15 of the top 20 transactions in the quarter included more than one product. Overall while the percentage of customers with just one product family remains at about 50% of the installed base, the number of customers with three or more product families increased by more than 50% from Q2 of 2015. The addition of iSIGHT threat intelligence subscriptions, as well as strong renewals contributed to the continued shift in the mix of billings to recurring subscription. Recurring subscriptions and support accounted for 64% of total billings, up from 58% a year ago. Our total contract length finished at 27 months (19
  • Operator:
    Thank you. And our first question comes from Karl Keirstead of Deutsche Bank, your line is now open.
  • Karl E. Keirstead:
    Thanks. First question is for Kevin. Kevin, I just wanted to get a little bit more on the root cause of this miss. You mentioned the smaller breaches, but other players in the security space, Check Point, Palo Alto, Fortinet, several have seen a product appliance rev slowdown, and the fortunes of those companies really aren't tied, I don't think, to breach size. So it feels like something else broader is going on in the enterprise security space, and I was hoping you could add your thoughts.
  • Kevin R. Mandia:
    Sure.
  • Karl E. Keirstead:
    And then my follow-up for Mike is, Mike, I know you don't want to give 2017 guide, but just given that the second half billings growth will be about flat to the prior year, revenue growth is probably going to be about 10%, should we be thinking of something in the order of 10% revenue growth for 2017? Thanks so much.
  • Kevin R. Mandia:
    Yes, Karl, this is Kevin. Thank you for that question. When you look at, first Mandiant services is a critical component of our business. It's strategically important. And we want to respond to every breach, because that's how you learn what the bad guys are doing on the Internet, and that's also how you get that trusted advisor status with a lot of customers, when you help them through those tough times. And it does have an impact on our business when the scale and scope of those incidents goes down. I can't speak for how that influences other organizations, but for us when we're responding to only five compromised machines and the type of breach, it doesn't require a full-court press for remediation, meaning the attackers don't need to reenter. Their breach was about money. They got what they needed. They don't need to maintain access to the victim networks. The remediation drills are simpler. So for what we do in that arena when we see a smaller scale and scope of breaches, it does impact our tech-enabled services. We don't have to do forensics on thousands and thousands and thousands of machines. Suddenly, we're doing forensics and deep-diving four machines or five machines. We used to have the complexity of answering what happened and what should we do about it as a victim company. That complexity isn't that high in ransomware attacks where it's obvious how you scope it, and what you do about it is sometimes less complex than the tenacious attacks by state-level actors and folks who want to maintain access. So it does have an impact on our product pull-through, and it does have an impact on our services revenue and that impacts our services-led go-to-market motion.
  • Michael J. Berry:
    Hey, Karl. It's Mike. On your question, yes, you're right, I don't want to guide for 2017, but here is what I would give you for things to think about as you look at your model. So to your point, yes, second half revenue growth rate, right around 8%, and I did talk about that we firmly expect to be able to reinvigorate growth. Couple things to think about there as well. As our revenue becomes more ratable, and a bigger percentage of it is recognized over time, I think that will also help with the consistency and the growth. The big wildcard there, quite frankly, is the product revenue side of it, and at this point, we're guiding call it somewhere around mid-25% drop this year versus last year. Hopefully that will modulate next year, and I do think that the on-prem portion of MVX separation will help. So those are things I give you to think about as you take a look at the model.
  • Karl E. Keirstead:
    Awesome. Thank you, both.
  • Kevin R. Mandia:
    Hey, and, Karl, I was just passed a piece of paper that said I may have misunderstood your question. I think you were asking about the industry-wide slowing in appliance sales. It will be, in my opinion, one of the biggest things as you see that Infrastructure as a Service proliferating and people going to the cloud and having hybrid structures, I think that will have an impact.
  • Karl E. Keirstead:
    Okay. Thank you, Kevin.
  • Kevin R. Mandia:
    Sure.
  • Kate Patterson:
    Next question.
  • Operator:
    Thank you. And our next question comes from Gur Talpaz of Stifel. Your line is now open.
  • Gur Talpaz:
    Great. Thank you. So with the EX headwind effectively lifting here after Q2, how should we think about the product billings and the appliance billings going forward here? In the past you talked about maybe improving sequentially from Q2 into Q3. Kind of sounds like they may be getting a little bit worse. So you did talk about NX improving. So, Mike and Kevin, how should we think about the pace of appliance going forward here?
  • Michael J. Berry:
    Yes. So, Gur, it's Mike. I'll take this and Kevin can jump in. So a couple things on product revenue, and I know this was something new that we added. What we saw in Q2 from a dollar perspective is the largest drop on a year-over-year basis was actually related to the tech fees from the services engagement. So assuming that that stays relatively consistent and that's baked into guidance, for the second half that's going to continue to be a drag. NX actually had a good quarter in terms of platform billings, so we're excited about that. Endpoint continues to do well, and I think as you look at it, EX we continue to actually sell new EX, absolutely, and the renewals are very important. So, as you look at product revenue, I think you'll see in the second half, we've actually thought – guiding for it to be about 25% or 30%, and that really adds in now the trends we've seen in tech fees. That's the largest contributor to that change. We expect Endpoint to continue to do well; PX, which is our forensics offering, as well; and candidly I think going into next year MVX separation, hopefully, will help because keep in mind the on-prem portion of that does have appliances. And I think the big driver there Gur is going to be how fast does our cloud solution get adopted and do we sell more of that versus appliances and that goes to Kevin's earlier answer in terms of the movement of the industry.
  • Kevin R. Mandia:
    But the key there is to give optionality to the customer, so that if they need on-prem, we can deliver it; if they need cloud, we can deliver it; if they need a hybrid form factor, we can cover both situations. And we're working to do that.
  • Gur Talpaz:
    That's helpful.
  • Michael J. Berry:
    Thanks.
  • Gur Talpaz:
    If you look at subscription billings, product subscription billings, they were actually down sequentially here quarter-on-quarter, not a lot, a small amount. Is that primarily a function of the decline in durations? Is it FireEye as a Service? Can you talk about what's happening there and what gives you confidence that starts to improve a little bit going forward?
  • Michael J. Berry:
    Yes, absolutely. So, Gur, there's two big drivers to that. So FireEye as a Service, as we talked about, continues to grow; didn't grow as nicely as we wanted to in Q2. So on a sequential basis that was part of it. The biggest driver, though, there was ETP. We had a very large transaction in Q1 that was largely ETP and that really helped drive that product subscription. So you're going to see that jump around a little bit. On the 27-month contract length, it was relatively consistent with last year. Yes, it was down from Q1, but that was really due to that large transaction that I just referred to. We do expect that growth to reinvigorate, if I could use that phrase, as we go into the second half because of FaaS. We do think that the movement to cloud continues, but you're going to get some of that big deal impact, which really drove that sequential drop that you refer to.
  • Gur Talpaz:
    Okay. Thanks, guys.
  • Michael J. Berry:
    Thank you.
  • Operator:
    Thank you. And our next question comes from Melissa Gorham of Morgan Stanley. Your line is now open.
  • Melissa A. Gorham:
    Great. Thanks for taking my question. I just want to put maybe a finer point on what happened in the quarter. So I'm just wondering if you can maybe talk about exactly what's changed since we last talked three months ago. I know you noted there was maybe a lower level of breach activity driving lower level of incident response, but was there something else like a macro-driven weakness that potentially impacted the quarter or did execution maybe get worse this quarter than what you saw in Q1?
  • Michael J. Berry:
    Hey, Melissa. It's Mike. So, yes, as we looked at Q2, from an execution perspective, we felt good going into the quarter in terms of where the pipeline was across the different regions. As it turned out, we did have some challenges in some of the groups as we talked about. We expected some really nice growth in FaaS. We still expect that for the full year, but Q2 was a little bit lighter than we had expected. The appliance/product business largely was what we expected. We were very close to that. And really the big impact was as the threat environment changed related to a lot of the breach and incident response. That brought down services revenue significantly and it affected tech fees. That was probably the largest impact. From a geographical perspective, the U.S. was pretty much what we thought, federal did a little bit better, APJ was pretty much what we thought, EMEA was a little bit lighter than we had expected in the quarter.
  • Melissa A. Gorham:
    Okay. That's helpful. And then if I could just follow up with what you're seeing in terms of a refresh activity. So when the appliances are up for refresh, what are you seeing from your customers? Are they purchasing like the same level of boxes that they had before on the appliance side? Are they upgrading it or potentially downgrading it? And what does that, like, refresh pipeline look like for the rest of the year?
  • Michael J. Berry:
    Okay. So on refreshes, so we're a little bit different than the other folks, and it's actually an interesting conversation. So when those come up for a refresh, we typically will see them add additional boxes, as we talked about the cross-sell, upsell opportunity, and the tremendous number of multi-family products that we have. And that typically occurs, Melissa, during the life of that agreement. Keep in mind that we have a lot of multiyear contracts and those have started to come up. That's why we're really excited about the MVX separation and the ability to expand the usage of the sensors. But we don't really have that – I hate to even use this phrase – that firewall refresh process. When they have those appliances, they're still fine. They will upgrade if they need more capacity, more throughput, they'll typically buy a bigger box. But it's not a big driver of growth. The bigger driver of growth is us adding subscriptions and intelligence and services on top of those implementations.
  • Melissa A. Gorham:
    Okay. Got it. Thank you.
  • Operator:
    Thank you. And our next question comes from Jonathan Ho of William Blair. Your line is now open.
  • Jonathan F. Ho:
    Good afternoon. Just wanted to start out with some of the changes in sales management that you guys are implementing and maybe where you see opportunity for the sales management to have an impact on results.
  • Kevin R. Mandia:
    This is Kevin speaking. I think first off, we've got a lot of new products coming to market. It was a good time for me to make a change. I believe FaaS is coming to market now. We've got to get our muscle memory around how to move that into the market better, grow the pipe better. MVX separation is entering the market in the very near term. I want to see the same expected execution and results. Endpoint is changing. We're adding features and expanding that platform rapidly. So I feel I want a team that is ready to get this go-to-market simplified, and I want to operate more efficiently. I actually believe, with some of the recalibration that we have in front of us, there's a lot of positives for the sales force that we have there. We should see more efficiency. We will see an expansion of account ownership by our unique account reps on the front line. This provides them an opportunity to grow our business as they get from maybe 40 accounts to 45 accounts or from 20 accounts to 27 accounts. So these are the changes I want to do as I am focused on balanced growth and profitability.
  • Jonathan F. Ho:
    Got it. And then just talking a little bit about the guidance that you gave. What gives you the confidence that you've now set the guidance conservatively enough. And what are some of the puts and takes that could maybe cause results to be better or worse than your expectations?
  • Michael J. Berry:
    Hey, Jonathan. It's Mike. So let me just back up for a second in this – for everybody on the call just to level set where we are. When we entered the year, we grew billings in Q4 at about 21%. We expected about 20% organic growth in billing plus iSIGHT. We grew at 23% in Q1. We felt good going into Q2 and 90 days made a big difference and we grew billings about 10%. As we looked at the second half, we spent a lot of time looking at our pipeline, where it was in different stages, talking with our sales management team, our product teams, our data analytics team, which does tremendous work for us, to try to model what we thought the second half looked like. Candidly, we're coming out with about 10% growth on Q2. We tried to be prudent and estimate what we thought the impact of the restructuring and change of sales management would be. And we also did, call it, decrease the product revenue or increase that percentage drop, because as we look at the second half, Q3 is a big Fed quarter and those are big deals. We didn't want to take a big risk on those. Q4 is typically a nice product quarter, so we tried to be a little bit conservative there. So that's everything that kind of baked into the guidance. Again, we're going to set it to be more prudent, try to estimate the distraction factor, but at the end of the day, this is where we feel the best in terms of setting the level of growth. And again, we think it's a temporary growth in terms of being flat, and we do expect to reinvigorate that as we roll into 2017.
  • Jonathan F. Ho:
    Great. Thank you.
  • Kevin R. Mandia:
    Thank you.
  • Operator:
    Thank you. And our next question comes from John Lucia of JMP Securities. Your line is now open.
  • John A. Lucia:
    Hey, guys. Thanks for taking my questions. Kevin, you said customers are opting for good enough versus best-of-breed because of the scale and scope of breaches has reduced. Does that suggest there is an opportunity for vendors with good enough lower-price solutions to take share from best-of-breed or – just want to get some color there? And then how long do you expect the threat landscape to be at these levels?
  • Kevin R. Mandia:
    So, threat landscape, we're always going to be on top of that one with our iSIGHT capability and that asset with, I call that, the human intelligence gathering aspect of our business in response, but I cannot predict that. And then my exact comment is some folks are actually looking at instead of best-of-breed, what I'd call, good enough. And the bottom line is if you want great protection and you're security-conscious, you do the right things for what your risk profile is. And I may have missed part of your question, John. I felt like there was a third thing there.
  • Kate Patterson:
    Taking share.
  • Kevin R. Mandia:
    Absolutely. That's why we're doing MVX separation. We feel that we can take, what I think, is the best threat detection and we can bring it to customers. When we do the MVX separation, we can bring it down to, call it, the customers that have more of a price sensitivity. So we want to meet that head on and we're doing that. That's why we're going to open up that market.
  • John A. Lucia:
    Are you seeing a different pricing environment than you've seen in the past?
  • Kevin R. Mandia:
    What's your thoughts on that, Mike?
  • Michael J. Berry:
    I think in the enterprise market, John, we really haven't seen much of a change. When you're dealing with larger enterprises, that's what you deal with and then you get to talk to purchasing, and we need CFOs like myself and that has not changed. So I think that pricing pressure in that has been relatively consistent. To Kevin's point, again, we think that that kind of just good enough is something you see in that mid-market. We're excited about being able to offer those solutions and be able to really disrupt that as well as we go into next year.
  • John A. Lucia:
    Okay. And then are you guys seeing a shift in terms of the types of security technologies that are gaining wallet share due to this changing threat landscape? Maybe a year ago you were seeing good demand for APT security and things like sandboxing. But now are you seeing more demand for other types of security technologies like next-gen Endpoint and cloud solutions like CASB, I would just be curious to get your thoughts on how budgets are shifting between the different types of technologies.
  • Kevin R. Mandia:
    Yes, this is Kevin speaking. Yes, I think that there's always trends in security, first off, right. And those trends change over time and evolve. I think that there's a trend on the Endpoint. I think there's a need to detect what antivirus misses. The signature-based legacy technologies of the past haven't been sufficient. Everybody knows that, including the AV companies, it seems. And so people are looking for new Endpoint protection. So I think that's one. And I think, obviously, with the CASB market, it's important as people migrate to the cloud that there's security built into those migrations. We've assisted and advised companies that are doing those sort of things. And sometimes, it's pretty complex, depending on your infrastructure, your industry, your risk profile, to migrate from on-prem to the cloud. So you can see CASB. And I've always felt, when I look at the industry as well, identity. You look at identity on-prem, identity off-prem, how do you track employees, what they're accessing, when they're accessing it. And then I think there'll always be a need for what we do. This threat detection and response. You can see that as something where – the bigger difference there is people don't know what alerts matter. And even when they know an alert matters, they don't know what to do about it. Is it the guys in St. Petersburg hacking me and they're after credit card data? Is it somebody from a nation-state? And you don't know how to assign your resources. And I think another whitespace is, I call it the orchestration space. I think that there's a whole generation of software that came out that said, 'We'll help you manage your alerts and your security operations. We'll help you go from 4 billion events a day down to here's a couple of hundred based on analytics and correlation rules and all of these things.' But what's next? You've got to fix the problem. And that's what I think is the orchestration thing where you can take the alerts that matter and build an infrastructure where you can go from an alert that matters to orchestrating a countermeasure, perhaps, even without human intervention, and defend your network at network speed. So those are just some of my thoughts on. When I talk to CISOs, and I get to meet a lot of them, that's sort of the things they're thinking.
  • John A. Lucia:
    Okay. Thank you.
  • Kevin R. Mandia:
    Thank you, John.
  • Operator:
    Thank you. And our next question comes from Shaul Eyal of Oppenheimer. Your line is now open.
  • Kevin R. Mandia:
    Hey, Shaul, are you there?
  • Kate Patterson:
    Next question?
  • Operator:
    And our next question comes from Walter Pritchard of Citi. Your line is now open.
  • Walter H. Pritchard:
    Hi. Thanks. So, Kevin, I think you talked quite a bit some of the product things that make you optimistic. You can sell into the guys in mid-market with MVX separation...
  • Kevin R. Mandia:
    Right.
  • Walter H. Pritchard:
    ...and with FireEye as a Service. Can you talk about from a sales and go-to-market perspective, how do you feel about your channel strategy, your sales organization and some of the things on that end that will enable you to get into that part of the market?
  • Kevin R. Mandia:
    Yes, I think the products and the price points are going to help the most, Walter. I think that when you look at MVX separation and its cost to us, we can offer our great threat prevention and threat detection, at that point, at a price point that I think will open that market for us. So we've got to make sure we do the appropriate training, and we've got to make sure that our channel and resellers are framed to move that to that cloud version where we have the MVX sensor separated, means we can get the sensor out to people and have the brains via subscription in the cloud. I think that is a powerful model, and I think that helps. So it's that price sensitivity and the ease of deployment. It just gets easier to deploy it. So I'm very bullish on that helping us in the channel. I also think Endpoint. If we get that real-time threat detection. Now we have some real-time threat detection capability now, but we have improvements to make there, and we're working hard at them. But I think Endpoint, with the market right now, that's also a very channel-friendly type of product. And FaaS, we're making real changes to FireEye as a Service that are available today that I think open up new markets. And particularly, I think it's a big deal that we've opened it up to third-party alerts. We can now apply our threat intelligence and knowledge not just to our high-fidelity alerts that come in to FireEye as a Service, but we can look at the alerts from other devices and other vendors and help our customers prioritize which ones matter and help them go through the process of going from alert to fix. I think that opens up markets we have not been in, in the past as well.
  • Walter H. Pritchard:
    And then, Mike, just on your end, I think you were pretty clear on the guidance for Q3. As we look at the $80 million run rate, is there a head count number associated with that? And as we think about 2017, does part of that $80 million start to come back in terms of hiring? Or should we think of $80 million as actually potentially a net reduction in OpEx as maybe anniversary those or, I guess, before you anniversary those cuts in restructuring?
  • Michael J. Berry:
    Yes, Walter, great question. So on that, we'll certainly look at all infrastructure cost, we'll look at all of discretionary expenses, but unfortunately we do expect this to probably affect 300 employees to 400 employees. As I talked about, it's a reduction of about 9% of our, call it, controllable costs. We will try to go after as much as we can non-head count, but, yes, we do expect it to probably be about that level. And then as we go into next year, here's what I would tell you is I expect to bank all of that savings. If you look at your 2017 model, it's important for us to be able to have that savings as we go into the end of the year, not only for profitability, but very importantly for cash. So if the growth is higher than we expect, then some of that will come back. If the growth isn't, then it won't, quite simply.
  • Walter H. Pritchard:
    Okay, great. Thank you. That's clear.
  • Michael J. Berry:
    Thank you.
  • Kevin R. Mandia:
    Thank you.
  • Operator:
    Thank you. And our next question comes from Michael Turits of Raymond James. Your line is now open.
  • Michael J. Berry:
    Hey, Michael, are you there?
  • Operator:
    Michael, please check your mute button.
  • Kate Patterson:
    Next please.
  • Operator:
    And our next question comes from Gabriela Borges of Goldman Sachs. Your line is now open.
  • Chelsea Jurman:
    Hi. This is Chelsea on for Gabriela. Thanks for taking the question. You talked a bunch about restructuring, and can you just give a little more detail about what are the different buckets that you expect to be taking out of and what are some of the redundant areas where you think you can find the costs or head count reduction?
  • Michael J. Berry:
    Sure. So Chelsea, this is Mike. So in the prepared script, I did talk about we're still working through it. So I don't want to go into too much detail until we finalize. But in general, I will rewind back to what we talked about at Analyst Day and as we look at our cost structure. For all the right reasons, we as a company, we're growing very quickly. We invested to support that growth, and that investment happened in our geographical expansion, our expansion in sales, marketing, G&A, R&D, everywhere. We have a lot of products that we need to support. And as we look at the future, we want to become more focused. We'll look candidly at all of our costs, but I don't want to go into details now until we finalize it, other than to say as a management team, everybody is fully onboard. We're very engaged, feel very good about being able to get the $80 million, and I'll update you, Chelsea, on the Q3 call in terms of where that comes out specifically.
  • Chelsea Jurman:
    Got it. And then, as a follow-up, you mentioned that FireEye as a Service is coming in a little bit weaker than you'd been expecting. And so can you give a little more detail about which customers are taking these or if you have any insight into why it has come in weaker?
  • Kevin R. Mandia:
    Yes. This is Kevin speaking. I think that we had about four or five renewals in Q2 that we didn't get that based on what I would call the legacy Mandiant managed defense, and I think that one of the biggest factors was, and what I've heard from our customers, buyers and people in the marketplace, is that they wanted us to take third-party alerts into FireEye as a Service, and we just started doing that. I think that with the addition of that feature and capability, it was very important and it increases our relevance. So I think that we listened, we heard what the market wants. They've spoken, and we've adapted. So we have the capability that they were asking for now.
  • Chelsea Jurman:
    Great. Thank you.
  • Michael J. Berry:
    Thank you.
  • Operator:
    Thank you. And our next question comes from Ken Talanian of Evercore. Your line is now open.
  • Ken Talanian:
    Hi, guys. Thanks for taking my question, and apologies if you already addressed this in the call. I've been hopping between calls. I guess this question is for Mike. Mike, you've had a focus on cost since you arrived, and on a few occasions you've mentioned the parts of FireEye are operating in silos. When you think about where you are with cost, the introduction of a restructuring program, where do you think you are in regards to building out really the cost-sensitive processes and changing the culture within the organization to think with that in mind?
  • Michael J. Berry:
    Ken. So that's a great question. So my answer to that would be that one of the things that really impressed me when I came to FireEye, and still does today, is all of our employees are very conscious of how we perform and in terms of how the investors in turn respond to that performance, and they understand we need to be a profitable company and generate cash flow. So as we look at it, I think from that I think the awareness is very high. It obviously entails some tough decisions, which all of us look at it. It's not easy personally. So I think from a culture perspective, we're making great progress. I think as we look at our cost structure, as we go through 2017, you're going to see us continue to focus on areas where we can really combine what we have done in the past, and this is really from an acquisition. So, for instance, iSIGHT, Mandiant, FaaS, there's a lot of common back-office processes and departments within that group. Within R&D, we have what we call virtual business units. There's a lot of the same processes and infrastructure build. Wonderful people, doing all the right things, but when we're chasing growth, it was absolutely the way to do it. So, as we go forward and as we really focus, I think that's where you're going to see it, and I think that the efficiencies are going to be our ability to leverage growth more than continue to cut, so that as we grow, we don't need to invest like we did in the past. Did that answer your question?
  • Ken Talanian:
    That does. And if I may follow up. When we think about the productivity levels for FireEye as a Service, I think when you first talked about that service, you said that you could maybe service 25 customers with one threat analyst or something along those lines. What do those productivity levels look like today and where do you think you can go with that?
  • Michael J. Berry:
    Yes, so let me answer that question. I'm not going to go to the 1-to-25, but let me talk at a little bit of higher level. As we have introduced FaaS 2.0, especially going to market with TAP, which is our SIM, and we've been able to model out the cost structure. The original things that we talked about in terms of our efficiency when we were at Analyst Day, we feel even better about today for a couple reasons
  • Ken Talanian:
    Great. Thanks very much.
  • Michael J. Berry:
    You bet.
  • Kate Patterson:
    I think we have time for one more question please.
  • Operator:
    Thank you. And our final question comes from the line of Brent Thill of UBS. Your line is now open.
  • Brent Thill:
    Thanks, Kevin. Just on the sales leadership changes, I'm just curious if you could further go down that road and talk through with what you'd like to do here with what needs to be done, how long it's going to take to settle those changes in?
  • Kevin R. Mandia:
    Well, I've got candidates in mind, I've got people I'm going to talk to and we're going to vet hard to do that. We've got a transition plan. We're going to stay focused on as we forward. But I'm very homed in to make sure we simplify our go-to-market plan.
  • Brent Thill:
    Okay.
  • Kevin R. Mandia:
    Yeah. And then I could expound – go ahead next.
  • Brent Thill:
    No, I didn't want to – please continue.
  • Kevin R. Mandia:
    That's all right.
  • Brent Thill:
    And just secondarily on EMEA, you were, I believe, flat sequentially. Is that more go-to-market related or is there something competitively that's going on?
  • Michael J. Berry:
    Hey, Brent, it's Mike. A couple of things too, I would add to the wholesale thing. So, Travis Reese, the new name, President as well. He's really jumping and he is really a big part of that integration plan with Kevin or that transition plan on sales, so we feel good about that piece. And then looking at EMEA, I mean, candidly they had a pretty tough grow over, they did some big – bit larger transactions last year in Q2. I don't think it's so much of a marketplace issue, as us just being able to make sure that we're getting those leads, we're inspecting them, and we're bringing them to closure. From a pipeline perspective, we felt good going into Q2 and we got to the end and didn't perform quite as well as we would like, that happens but we are not worried about EMEA geographically or on a macro.
  • Brent Thill:
    Okay. Thank you.
  • Michael J. Berry:
    Thank you.
  • Kate Patterson:
    I think that's it. Thank you very much. We'll turn back to Kevin.
  • Kevin R. Mandia:
    Yeah, I have some closing remarks I'd like to say. I've met over the years hundreds of customers since joining FireEye, and I've heard over-and-over again that they depend and rely on our ability to detect the advanced threats and to provide context about the motivation and technical capability of the attackers at a level that I don't think any other security provider can do. We are a trusted advisor to the strongest brands in the world and this is not a role that we take lightly. We're committed to leveraging our advantages, and I have the right three new initiatives. I've spent the last 20 years in security. I've gotten on the front lines. I've met the (1
  • Michael J. Berry:
    Thank you.
  • Operator:
    Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program, and you may all disconnect. Have a great day, everyone.