Mandiant, Inc.
Q1 2015 Earnings Call Transcript

Published: 1 May 2015

Operator:

Good day, ladies and gentlemen and welcome to the FireEye first quarter 2015 financial results conference call. At this time, all participants are in listen-only mode. Later we will conduct a question-and-answer session and instructions will follow at that time. [Operator Instructions]. As a reminder, this conference maybe recorded. I would now like to introduce your host for today's conference, Kate Patterson, Vice President of Investor Relations. Ma'am, you may begin.
Kate Patterson:

Good afternoon and thank you for joining us on today's conference call to discuss FireEye's financial results for the first quarter of 2015. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Dave DeWalt, FireEye's Chairman of the Board and Chief Executive Officer and Michael Sheridan, Senior Vice President and Chief Financial Officer. After the market closed, FireEye issued a press release announcing the results for the first quarter of 2015. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectations for the second quarter of 2015 and the full year 2015, growth drivers, market opportunities and opportunities with partners, customer demand for and adoption of our FireEye's products and services, continued growth and momentum in FireEye's business and the ability to expand growth opportunities, trends in FireEye's business and operating results, customer wins and partnerships, FireEye's competitive position in the market, expectations regarding path to profitability and achievement of long-term targets and the expansion of FireEye's platform and other development initiatives. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today and you should not rely on them as representing our views in the future. We undertake no obligation to update these statements after the call. For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release posted a few moments ago to our website. Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, certain non-GAAP financial measures will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website as well as in the earnings release. With that, I will turn the call over to Dave.
Dave DeWalt:

All right. Thank you, Kate and thanks to everyone. Hello on the phone as well as on the webcast and thank you for joining us to discuss our first quarter financial results. Okay. FireEye had a very strong start to the year. I am proud to announce, since the Mandiant acquisition last year, our momentum has accelerated every single quarter, culminated in exceeding expectations on all major financial metrics including billings, revenue, gross margins, operating margins and earnings per share for the first quarter of 2015. Our growth was balanced across all major business segments, including our products, our product subscriptions, support and professional services. In addition, we experienced strong momentum and expansion across our geographic regions, across all major industries and now scaling into the mid-markets as well. Our new customer acquisition increased year-over-year significantly as did our partner enabled bookings. Our percentage of non-PoV deals, the number of large deals over $1 million and add-on business to our installed base. All-in-all, a very strong quarter across the board. I would like to thank everyone at FireEye for their dedication and determination as we worked hard to build FireEye into the fastest-growing cybersecurity company at scale and one of the most important security companies in the world. I would also like to thank our more than 3,400 customers and our more than 1,100 partners for their commitment to FireEye as their strategic trusted advisor and partner. Today, I would like to discuss three important topics. First of all, the evolution of our powerful advanced threat management platform that now spans across the network, endpoint and cloud solutions tightly integrated with the industry's best security professionals, our 24x7 around the clock, around the world security operation centers and our advanced threat intelligence capabilities. Secondly, how this powerful platform has helped create an accelerated momentum scenario in our business and helped us get off to a great start in 2015. And lastly, how this platform will help pave the way to increase monetization and our progress towards our profitability goals. So first, the power of our platform. Today's threats are evolving quickly. As corporate architectures absorb new technology such as smartphones, cloud-based applications and increased mobility in their employee basis, traditional security models such as firewalls, IPS and DLP devices and endpoint antivirus-based security have become much less effective. FireEye's approach to an advanced threat management platform is much different and much more effective. The combination of Mandiant experts, leading edge technology and real-time intelligence spanning from networks to endpoints to cloud, all integrated and delivered proactively and adaptively on-premise or as a service has proven very efficient at stopping threats, including those from nation-state actors. By delivering the entire lifecycle of threat management from detection and prevention to analysis and response, the FireEye platform stands apart as the future of security and risk management. And the results speak for themselves. FireEye discovers more zero-day threats than all the other security vendors combined. FireEye has the highest fidelity of detection rates with the lowest percentage of false positives. When combined with the fastest conversion times from true negatives to true positives in the industry, this creates a powerful return on investment tool for our customers. Then when combined with near real-time response and remediation, risk reduction becomes central to customers adopting our complete platform. Moreover, the Mandiant affect has created an even more powerful on-ramp for our platform adoption. Now with nearly 300 consultants in 18 countries, we are responding to nearly 100 engagements a quarter. And with 80% of the attacks seen exactly one time, the intelligence gathering via Mandiant's incident responders and subsequent automation for FireEye's products has enabled FireEye to accelerate the speed of response like no other vendor in security. This was validated in our first quarter with awards for the Best APT Security by readers of SC Magazine and the Best Security Company of the year overall by its editors. We were also recognized as the best advanced threat detection and the best threat intelligence by SANS Institute and we received the number one ranking in the Cybersecurity 500 list of security companies to watch. Additionally, the Department of Homeland Security certified FireEye under the SAFETY act. This is the first certification of cyber security products under the SAFETY act ever. Beyond the endorsement of our technology by the Department of Homeland Security, this certification represents a huge benefit for our global enterprise customers in potential savings on both insurance and legal expenses. So the power of the platform in Q1 was evident. The breadth of our platform has created many opportunities for FireEye. In Q1, we experienced strong billings growth of $151.6 million, accelerating to 53% growth year-over-year from 41% in Q1 2014. In Q1, we express a record 28 deals over $1 million, most of which included multiple elements of our platform. In Q1, we experienced record upsell and cross sell deals such as IPS, advanced threat intelligence, full packet capture, email and file network services. I am also pleased to report that the attach rates of IPS for NX sales nearly doubled again this quarter. And we are seeing good early interests by customers in upgrading their threat intelligence to our ATI platform subscription. Now with eight different subscriptions and product add-ons to our flagship network prevention platform, we are seeing a strong path to monetization and profit as we expanded attach rates for each of these eight offerings. Also in Q1, we experienced strong adoption of our endpoint platform as many new customers sold both through product led sales as well as service led sales. And with the localization of our endpoint products in Japanese and German, we are announcing international expansion as well. One large customer this quarter has fully rolled our endpoint solution on over a 100,000 machines across three major comments. The first quarter also was very strong for our cloud offerings and FireEye-as-a-Service solution. Now we have full operations in Asia and Europe, our FireEye-as-a-Service solution was the fastest growing product of scale for us. With more than one-third of our 28 large deals adopting FireEye-as-a-Service, we now have a very strong base of global customers using this capability. For example, one large North American financial services customer purchased FireEye-as-a-Service after being an EX customer. With hourly proactive hunting delivered from our advanced cyber operations center, this customer has significantly reduced the risk of a sustained breach at a fraction of the cost of prior solutions. Turning to the future of our platform monetization. The combination of products, services intelligence creates multiple entry points for new customers and enables significant cross-platform sales. This has created a strong demand for FireEye. To meet this demand, we are using our technology to automate as much of the early investigation and compromise assessment process as possible. In one engagement this quarter, for example with a large hotel chain, we were able to deploy our technology through one of our security operation centers and we didn't need to send a consultant on-site for several weeks into the process. We see lots of opportunities to deliver services through a cloud to reach a larger customer base more efficiently. Our ability to offer a platform of integrated products, intelligence and services is also expanding our partner ecosystem in unexpected ways. Organizations that have typically remained vendor neutral are approaching us with proposals to offer FireEye technology and expertise to their customers. For example, we are partnering with law firms now and insurance brokers to educate and deliver solutions to their clients on cyber security risk management. This more friendly initiative is in its early stages. We are already starting to see incremental business as a result. Another very significant example is our global alliance with Hewlett-Packard to deliver incident response and advanced threat services to some of their most strategic customers worldwide. This partnership recognizes FireEye's differentiated approach and has the potential to extend FireEye technology and expertise to some of the largest organizations in the world. We have already begun developing the process of working with HP to identify opportunities and educate their consultants on our processes and methodologies and we are excited to see how this opportunity develops over time. We also added British Telecom and Telefonica to the roster of MSSPs offering FireEye technology and services as part of their cybersecurity managed services. So far six of the top 10 telcos worldwide have chosen FireEye technology and threat intelligence to protect their customers from cyberattacks. These relationships expand our growth opportunity. We also went live with the joint SingTel FireEye advanced security operations center in both Singapore and Sydney in February. And in less than 60 days, I am happy to report they closed their first over $1 million deal. Finally, we announced a partnership Check Point to share threat intelligence between our NX platform and Check Point's firewalls. Joint customers of FireEye and Check Point will benefit from the near real-time distribution of newly discovered threat intelligence between the two platforms as well as enabling VARs to bundle the two solutions that can help FireEye reach new markets. These partnerships, which are unique to FireEye are still another data point validating our leadership in advanced security. So to summarize, the combination of FireEye and Mandiant creates a pretty powerful platform to deliver advanced threat management to customers on a global basis. Our leadership is validated by our customers, our partners and our strategic relationships. Innovation is core to the platform and we continue to widen our competitive moat through our investments in R&D, expertise and security operations. At RSA, we gave you a preview of the multiple ways we are extending our virtual machine technology to the endpoint and into the cloud. Our investments in automation and remote investigation are improving efficiency and the effectiveness of our services business. And our ongoing commitment to threat research combined with being close of the breach through our incident response practice, keeps our threat intelligence at the leading edge. These are just a few of the many development initiatives. Our results is quarter confirm our ability to monetize these investments and make substantial progress on our path to profitability. With that, I will hand the call over to Mike for the financial details in Q1 and our Q2 outlook. Mike?
Michael Sheridan:

Thanks, Dave. First, I would like to join Dave in thanking you for your ongoing support and interest in FireEye. Before I go into detail on Q1, let me remind you that I will be discussing our non-GAAP financial results and metrics, except for revenue which is a GAAP metric, our guidance ranges are also non-GAAP. As Dave mentioned, our Q4 momentum carried forward into Q1 and we reported better-than-expected results across all of our key financial metrics. I would like to start out by highlighting what I believe are the key takeaways from a financial perspective. First, we are making steady progress with our path the profitability. With year-over-year revenue growth of 69% compared to operating expense growth of 32% and a gross margin improvement from 68% to 71%, we achieved significant progress in our financial model leverage. Second, this is the second consecutive quarter of year-over-year improvement in our cash flow. Driven by year-over-year billings growth of 53% and strengthening operating leverage, we improved our year-over-year operating cash flow from negative $23 million to negative $3 million and our year-over-year free cash flow from negative $37 million to negative $16 million. And third, we accomplished these improvements while maintaining our focus on growth. We improved leverage in sales and marketing expense through greater sales force productivity and continued reduction of PoV deployments. We also improved leverage in R&D while we continue to lead the entire security industry in aggressive investments in critical technology like endpoint. We believe this balance between positioning ourselves for continuing our dramatic market share gains in APT and achieving profitability is the correct strategy for long-term success. Turning now to the details of our Q1 topline results. Our billings grew to $151.6 million from $99.2 million, a 53% increase year-over-year. Our growth was achieved through growth in multiple products, geographies and customer segments. There were several key drivers to the billings growth we achieved in the first quarter. First, we continued the rapid expansion of our customer base. Our worldwide customer base grew to more than 3,400 customers in Q1 from approximately 2,200 customers in Q1 of last year. With the breadth of our solutions and the success of our land and expand model, the expansion of our installed base creates a large and growing upsell and cross sell opportunity. A majority of our Q1 billings were from customers that purchased more than one product family in the quarter, with a growing number of customers purchasing multiple products across our technology, intelligence and service platforms. Attach rates of email and FireEye-as-a-Service were particularly strong in Q1. We also had 28 transactions in excess of $1 million, which is approximately twice the number of seven figure deals a year ago. Our increasing number of $1 million plus transactions is an indication the customers are experiencing the value of our solutions and are increasing the breadth of their deployments as a result. About half of these greater than $1 million transactions were brand-new customers and the balance between new and existing customer growth is another encouraging data point for us. Finally in terms of growth drivers, I am happy to report that again in Q1 more of our transactions were closed without a proof of value trial than with one. This is an indication that our technologies are transitioning out of an early adopter phase as well as the strength of the FireEye brand. Because sales cycles are shorter with no PoV involved, we believe this is a trend that will continue to increase sales productivity and leverage. Within total billings, our product platform billings which we define as product and product subscription billings grew to $102 million from $65.5 million in Q1 of last year, a 56% increase year-over-year. Within product platform billings, appliance-based product billings grew to $38.2 million, a 47% increase year-over-year and product subscriptions grew to $63.7 million, a 62% increase year-over-year. As expected, our billings mix continues to shift gradually to subscription based solutions as our renewals increase and customers adopt our subscription based solutions, including FireEye-as-a-Service. The recurring subscription base portion of our business includes product subscriptions attached to appliances as well as our cloud-based product subscription offerings, FireEye-as-a-Service and customer support. Historically, product subscriptions have been driven by a 100% attach rate for DTI threat intelligence and customer support to our appliances and this continued in Q1. We saw strong growth in FireEye-as-a-Service subscription billings as customers recognize the value of our advanced security expertise. The threat analytics platform and mobile threat prevention solutions also added incremental billings to the subscription billings in the quarter. As a result, subscription and support billings, which are recognized ratably, grew 57% year-over-year to $86.6 million and mix of recurring subscriptions and support billings increased to 57% of total billings, compared to 56% in Q1 of last year. Turning to revenues. Our total revenues grew to $125.4 million in the first quarter, a 69% increase over $74 million in the first quarter of 2014. Our product platform revenues which include appliances and product subscription revenues grew to $83.6 million in Q1 of 2015, a 78% increase year-over-year. Appliance product revenue were $40.2 million, up 66% year-over-year and this represented 32% of total revenue, near the midpoint of our guidance range for product mix. Product subscription revenues were $43.4 million, up 90% year-on-year. Our total subscriptions and support revenue grew to $62.5 million in Q1 of 2015 and 86% year-over-year increase. Our professional services revenues increased to $22.7 million in Q1 of 2015, an increase of 40% from $16.2 million last year. We experienced high demand for our Mandiant incident response services throughout Q1, as the market continues to recognize our IR consultants as best-in-class in this market. While professional services make up a relatively small percentage of our total revenues, these services are critical to our growth and strategy. In terms of growth, we have a greater than 90% attach rate of all along product and subscription sales for IR engagements which often results in seven figure transactions. In terms of our overall strategy, our IR consultants continue to respond to breaches that matter and therefore have near exclusive access to critical threat intelligence that continues to drive the industry-leading efficacy of our products and value of our subscriptions like FireEye-as-a-Service. We believe this expands our competitive differentiation as none of our competitors have industry-leading IR capabilities and therefore they do not have timely access to the critical threat intelligence that drives efficacy. Excluding professional services, our geographic mix in Q1 included approximately 67% of revenues coming from U.S. accounts and 33% coming from international accounts compared to 71% and 29% respectively in Q1 2014. Revenue from international customers from 98% in Q1 as our investments in localization and sales capacity continue to generate new business. In Q1 of 2015, the average contract length for new subscriptions and support was 32 months, which is flat compared to 32 months in Q1 of 2014. The growing mix of subscriptions in our business model continues to improve our revenue visibility going forward. The increase in our appliance-based product sales, which generate new threat intelligence, URL and support subscriptions was augmented by the growing success of our FireEye-as-a-Service and other subscription only offerings. As a result, deferred revenues increased 78% year-on-year to approximately $379 million at the end of Q1. Our combined renewal rate remained above 90% for Q1 and remained a strong contributor to our billings growth. The continued high renewal rate is another indication of the high level of our customer satisfaction and the value provided by our solutions. Our billings and revenue growth in Q1 resulted in strong progress on our path to profitability. Gross margins increased to 71% in Q1 of 2015, a three point improvement from 68% gross margins in Q1 of 2014. More specifically, product gross margins improved compared to Q1 of 2014. Our product gross margins increased to 71% in Q1 of 2015, compared to 68% in Q1 of 2014. This improvement relates to better leverage of our manufacturing operations as well as declining product costs. Gross margin for our product subscriptions and support also increased from 73% to 79% year-over-year. This increase relates to better leverage of our global support infrastructure. Gross margin for our professional services was 48% in Q1 of 2015, compared to 59% in Q1 of 2014. In Q1, we had stable billing rates and higher utilization rates in the U.S. The decrease in overall service gross margins relates to expanded international capacity with ramping utilization. Our total operating expenses increased to $159.4 million in Q1 of 2015, a 32% increase from $120.3 million in Q1 of last year. While will continue to increase our investments in research and development, sales and marketing and global infrastructure, our operating expenses as a percentage of revenue decreased 163% in Q1 of 2014 to 127% in Q1 of 2015. Each of our operating expense categories improved as a percentage of revenue in Q1 of 2015, compared to Q1 of 2014 and most notably our investment in sales and marketing as a percentage of revenues decreased from 88% in Q1 of 2014 to 70% in Q1 of 2015. This improved leverage is resulting from the continued expansion of revenues in our domestic and international markets, the increasing productivity of our sales force as they ramp, the more highly leveraged sales that we are generating for our inside sales reps and increased business through our channel partners. Continued topline growth coupled with slower expense growth resulted in a non-GAAP operating loss of $70.8 million, just $600,000 more than $70.2 million reported in Q1 of 2014. In terms of FX impacting Q1, the strengthening dollar did not impact our billings as they are all denominated in U.S. dollars. However, we believe there is some increased pricing pressure in certain international markets where the dollar has strengthened relative to the local currency. In terms of international operating expenses, we experienced some benefit in Q1 related to the stronger dollar, but this benefit was less than $1 million. In terms of our financial condition, we exited the first quarter with approximately $397 million of cash and investments on hand. Our operating cash flow improved year-over-year from negative $23 million in Q1 of 2014 to negative $3 million in Q1 of 2015. In addition, our free cash flow improved year-over-year from a negative $37 million this year to negative $16 million in Q1 of this year. We believe we have sufficient cash on hand to fund our growth until we reach cash flow breakeven. Our accounts receivable decreased to $160 million at the end of Q1 from $193 million at the end of Q4. Our aging and collections remained strong and the increase in our days billings outstanding reflect linearity within the quarter. Turning to guidance. We are raising our full year guidance to reflect our Q1 performance, as well as the continued strength and momentum we see in our business. For full year 2015, we expect our billings to be in the range of $825 million to $835 million. In terms of full year revenue guidance, we are raising our guidance range for total revenues to $615 million to $635 million. For the full year, we continue to expect product revenues to make up 35% to 40% of total revenues, subscription and support to comprise 45% to 50% of total revenues and professional services to comprise 10% to 15% of total revenues. For the full year of 2015, we expect gross margins to be in the range of 71% to 75%. For operating expenses as a percentage of revenue, we expect R&D spending to fall in the range of 35% to 38%, sales and marketing spending to fall in the range of 64% to 68% and G&A spending to fall in the range of 14% to 17%. We expect to record a tax provision of approximately $4 million to $5 million or approximately $1 million to $1.25 million per quarter in 2015. Based upon our estimated weighted average shares outstanding of 155 million shares, we expect a net loss per share in 2015 of negative $1.75 to $1.85. Finally, we expect for 2015 that our operating cash flows will be negative $65 million to negative $80 million compared with negative $131 million in 2014. Turning to Q2 of 2015. We expect second quarter billings in the range of $165 million to $170 million, representing approximately 20% of our updated 2015 billings guidance at the midpoint. We expect total revenue to be in the range of $140 million to $144 million. Seasonality impacts of the mix of our revenues with appliance products representing a smaller percentage of revenues in Q1 and Q2 than the annual range and representing a higher percentage in the seasonally larger Q3 and Q4. Accordingly in Q2, we expect product revenues to make up 32% to 37% of total revenues, subscription and support to represent 475 to 52% of total revenues and professional services to represent 14% to 18% of total revenues. We expect our Q3 gross margins to be in the range of 70% to 73%. For operating expenses as a percentage of revenue in Q2, we expect R&D spending to fall in the range of 36% to 40%, sales and marketing to fall in the range of 66% to 70% and G&A to fall in the range of 15% to 18%. Based upon our estimated weighted average shares outstanding of 154 million shares, we expect our loss per share in Q2 to fall within the range of $0.47 to $0.50 per share. Viewing our 2015 guidance in the context of our long-term financial targets, I believe we remain on track to achieve cash flow breakeven in two to four years and our long-term operating margin target of 20% to 25% in three to five years. That completes my prepared comments. I will now return the call to Dave for some closing comments and Q&A.
Dave DeWalt:

All right, Mike. All right. To sum up the quarter and the journey ahead for a moment before we open it up for Q&A, a year ago we combined the strengths of FireEye and Mandiant to create a powerful new model for advanced threat management, one that reduces our customer's cyber risk and helps them build a more resilient security architecture. Our Q1 results, our growing ecosystem of partners and the recognition of the cyber security professionals who use our platform everyday all validate our leadership. Our mission is to stop advanced attacks and we will continue to leverage the strengths of the combined company, innovate and extend our platform to new customers and new regions. This will drive our growth as well as our progress on our path to profitability. With that, I will say thank you. This ends our prepared remarks. And I will hand it over to Amanda and Kate for some questions.
Operator:

[Operator Instructions]. Our first question comes from Rick Sherlund with Nomura. Your line is now open.
Rick Sherlund:

Yes. Thank you and great quarter. I wondered if you could just talk about pipeline, kind how the rest of the year looks like? I got you guidance. I presume that's a positive direction but also if you could address your sales capacity, where you stand in terms of all the demand, what kind of capacity do you think you have? Or are we going to need to see something more in terms of leverage or expansion of the sales organization?
Dave DeWalt:

Yes. Rick, this is Dave. So thank you. So obviously we feel pretty good about the business. This has been a bit of a journey here with this post the Mandiant FireEye integration. And so it feels each quarter we have picked up some momentum. We are continuing to get better and better. This service led model, this product led model is beginning to pay some dividends and you can see that in the results that we have got, 69% revenue and the customers and the number of large deals. And one or two facts, just as we look at the outlook, what I see is really strong opportunity internationally for the company. We are up 98% in revenue internationally. We are seeing more and more verticals come online. I mentioned a little bit healthcare areas, retailers, hotelers, media, bunch of what I would consider laggard industries beginning to see pretty significant cyber problems. And many of those are in our pipeline and many of those are either incident responses we are engaged in or new product led sales we are involved with. So we feel pretty good about kind of what we are seeing there. Something that we didn't give on the prepared remarks was the number of partner registrations. We actually saw an acceleration in growth of our partner registrations, from the mid-70s to the upper-80s in percent overall. We also saw well over triple digit partner enabled assistance in our business. And then when you combine that with the SingTels and the HPs and the BTs and the NTTs and some of the big service providers we are going to market with, it creates opportunity. And we saw that with SingTel with $1 million deal. Within 60 days, they closed once we went operational. And HP has been very, very aggressive already building pipeline for us. So we don't want to get ahead of ourselves, we feel good that the sales capacity and the partner leverage model are going to keep incrementally improving for the company. And as Mike said, we saw strong leverage, 69% on revenue and only 32% growth in operating expenses. That's the kind of leverage we want to continue to do. And hopefully we will build or perform to that. Mike, do you want to add on?
Michael Sheridan:

Yes. Just one thing I would add, Rick. In that 32%increase in operating expenses, that did include expenses that were on track with our growth of sales capacity for 2015.
Dave DeWalt:

Good point. Next question.
Operator:

Our next question comes from Aaron Schwartz with Macquarie. Your line is now open.
Aaron Schwartz:

Hi. Good afternoon. Thank you very much. I appreciate the comments and also the results here in terms of the path to profitability. But it also looks like with the increase in the guidance that you are planning to spend that incremental upside. And so I was just wondering if you could reconcile the two or just speak areas that you are investment in a little bit more than you talked about last quarter? Thanks.
Dave DeWalt:

Yes. I can take the first part of that. Obviously we see a huge market opportunity here in cybersecurity. It's fast becoming the biggest IT segment out there. White hot in a lot of areas. FireEye is well positioned to continue to leverage that. We see a lot of demand for solutions. So we want to continue to invest to make sure we have the opportunity to take market share like we are doing. But also be balanced towards the path to profitability and in their lies the fine line. But we see a lot of opportunity here and we see a lot growth potential for the company. Our R&D investments, our sales and marketing investments, but also now the ability to leverage partners more and more, hopefully as we really go forward creates even additional leverage for the company. But the guidance is what it is. Mike, do you want to add on?
Michael Sheridan:

Yes. I would add a couple of things. Aaron, one is that if you look at our guidance for 2015, we did improve our operating cash flow guidance and we did improve our EPS guidance from what I had stated last quarter. And in addition to that, if you look at the guidance for Q2, you will see that the leverage in the operating stack improves, continues to improve as well.
Dave DeWalt:

Thank you. Next question, please.
Operator:

Our next question comes from Rob Owens with Pacific Crest Securities. Your line is now open.
Rob Owens:

Great. Thanks for taking my question. Dave, I wanted to drill down a little on the MSSP opportunity. I think you mentioned six of the top 10 telcos. Can you talk a little bit about the different revenue models that you might have there? And at point do you hope this becomes a significant percentage of revenue? And then as you are building up partnerships with the HPs of the world and the IBMs out there that also have big MSSP practices, what type of opportunities that present?
Dave DeWalt:

Yes, Rob. Very perceptive. I think you are right on. I see three or four pretty substantial opportunities with the service providers. Number one, we clearly see our technology being used in their current MSSP model. So just layer one is our alert monitor detection capabilities sort of added into their current framework. We get additional business with our network and endpoint products as a result of just being included in their frameworks or even being premier in their frameworks. So that's a good step. Many of them now are actually taking it to a whole another level which we are excited about, which is they are creating an advanced threat service that sort of augments and adds on to the existing layers of managing firewall rules or doing compliance, which is traditional MSSP kinds of things and now doing proactive hunting, proactive monitoring and really using FireEye technology as an integrated part of an advanced threat service that can add on. This was an exciting area for SingTel. We mentioned HP has nine major security operation centers at the RSA event. We are upgrading those advanced operation centers to include FireEye-as-a-Service and advanced threat service. So it's another add-on kind of Product-as-a-Service through their current MSSP, including the technology. And it gets even better from there, I think over time, because we can then engage Mandiant incident responders as part of responding to a problem that we see. We can proactively do hygiene checking as part of compromise assessments. And then overall, a lot of clients then want to build their SOC or do something more strategic, we can help them with that with other services. So combinations of tech, Security-as-a-Service, professional services and then I think as time will show service providers have the greatest reach for ability. We have seen SingTel has 550 million smartphones and phones connected to their network. When you start to see the opportunity for expansive reach to new endpoint devices, new service providers, the art of the possible is nice there. So we see strategic relationships not just using our tech but also using our services, Security-as-a-Service and then some of the new horizons like mobile. Hopefully I answered your question.
Rob Owens:

Great. Thanks. And then as a follow-up, with the endpoint market, I think you announced a large customer, what you seeing overall there? And what's the competitive landscape look like? There is lot of different methodologies in terms of next generation endpoints and ultimately where do you think you guys win or where do you think you guys to lose on that front? Is this a function of protective capability? More holistic approach with the platform? Thanks.
Dave DeWalt:

Yes, Rob. So the endpoint is, I think, one of the biggest total adjustable markets we are seeing right now. We participate in three big components. We compete in the network area. We are in the MSSP sort of as-a-service model, which is a $10 billion plus depending on who you want to count there. And now we see this multibillion-dollar endpoint addressable market opening up. We are coming at it a little unique, I think, in the landscape of the endpoint providers. We come at it with automation of incident response which was Mandiant's main strength, things like validation of malware, containment of malware, forensics of malware, quick remediation of malware, response to malware. These are features that the traditional antivirus models really didn't have and we are finding augmentation of those models in our first phase, which is really nice. When you look at the number customers we are winning and the types of customers and the expansion of customers, typically what they are doing is putting our center down to really be much better at response and much better at manageability of a breach when it happens. We have then added detection now, kernel based detection and we are adding a prevention ultravisor layer that we talked about it at the RSA event. These I think really extends the next generation endpoint platform to be much more comprehensive in stopping attacks. And as we pointed out, this hypervisor layer is a very, very difficult to disarm, very, very secure in terms of this environment, very lightweight. We even talked a lot about how we can validate the features of it. So we think we are heading in the right direction. The market is opening up and of course endpoints include mobile, which we are delivering aggressively on. Mike alluded to some big wins there in incremental billings we got from the mobile threat platform. So put together, the endpoints, traditional PC, Macs, then put together the mobile, put together the new features and I think we were pretty good angle on this market, at least disrupting the incumbents and really at scale beating the other vendors. Time will tell. But we are investing hard and I think we can deliver on it. Good question. Thank you. Next question.
Rob Owens:

Yes. Thank you.
Operator:

Our next question comes from Sterling Auty with JPMorgan. Your line is now open.
Sterling Auty:

Yes. Thanks. Hi, guys. Wondered if you could comment a little bit more on the linearity? You pointed out that the jump in DSOs. Any cause behind it? And any thoughts that we should be concerned about?
Michael Sheridan:

Hi, Sterling. No, I don't think there is anything of concern or frankly anything that is very different than prior years. I think what we tend to experience at the beginning of a year is now we are seasonal. So our pipeline is a little less mature. So we use a bit more of the quarter to mature it and close deals. So we tend to have a little bit more of a waiting at the end of the quarter in Q1 to maybe other quarters. I think it sets us up for a good cash flow quarter in Q2. But that's really what it is. We didn't see anything out of the ordinary and the strength of our receivable aging remain very consistent.
Dave DeWalt:

And certainly I would want to add on to that, maybe just to finalize like Mike said the receivables have been very, very strong for us. The renewal rate have been very strong for us. The net promoter scores and quality of the product is very strong for us. So we feel really comfortable with sort of that DSO number that's there.
Michael Sheridan:

Did you another question?
Sterling Auty:

Yes. One quick follow-up. The 200 to 220 new customers that you added, can you talk to us about the mix of business between new customers and existing customers and how you talked about the number of customers that were added in the quarter?
Dave DeWalt:

Well, I will start with the color and Mike maybe can add on there. But yes, we were pleased with the number of new customers, particularly for a Q1 quarter. The transaction volume was strong with 28 deals over $1 million was very strong compared to year prior. And it really kind of showed the power of these kind of three models that we have going on. This product led model was contributing to a lot of large deals. Mike alluded to half of them were new customer, brand-new customers of the $1 million deal category. That was encouraging, customers going from zero spend with us to over $1 million and half of them being brand new. The service led model working well, meaning incident response, compromise assessment converting 90% plus of time. That's been quite positive for the company. And then I mentioned the FireEye-as-a-Service was very strong as well. That was the fastest growing percentage basis at scale of a product or solution for us. So we kind of got all three going and the customers were positive. So Mike, do you want to add on it?
Michael Sheridan:

Yes. Surely, as you know, we have to achieve growth in both new customers as well as all follow along and I think Dave summarized it pretty well. We had good contributions from both. And again whenever you are in first quarter seasonally, having some of the penetration, especially with new customers making large purchases was something that was very encouraging to us.
Sterling Auty:

Great. Thank you.
Dave DeWalt:

Thank you. Thanks, Sterling.
Operator:

Our next question comes from Keith Weiss with Morgan Stanley. Your line is now open.
Keith Weiss:

Excellent. Thank you guys for taking my question. I guess if we take a step back and listen to the commentary on how large deals are doing a good job of attaching more services like FireEye-as-a-Service. I know when you look at the big deal metrics being very strongly on a year-on-year basis, those 28 large deals. It sounds like your business is gearing more towards large deals, towards larger and more strategic deals. Is that the correct impression that we should we taking away? Is that the broader portfolios enabling you to this growth with fewer and larger deals?
Dave DeWalt:

I am not sure I would take that away, Keith. I think, obviously we are pretty balanced across a lot of different areas of our product lines. Q1 tends to be a little larger in number of deals and even in some cases the size of them. But the blend was very strong for us. A lot of them are Global 2000. That's our primary market. We look at the enterprise of the Global 2000 as our main market segment. We are still less than 30% penetrated into the Global 2000 environment. We think there is a lot of greenfield to go in that size. So making progress in the hundreds of customers towards that direction is pretty positive, especially when combined with the land and expand model that we are seeing. We didn't put the chart up this time, but the amount of repeat business of our top 25 customers or so is phenomenal and we keep seeing them spend more and more with us. So the follow-on was strong. The number of new Global 2000 logos was strong. And being our main market, we feel like we are winning there. We are winning strong in that market. And we have even created more defensible moat from the competition with, as you said, services, Security-as-a-Service, network endpoint, cloud, all delivered as a threat management platform to that market. We think we can really continue to grow just focused primarily on that space and then over time you come down a bit mid-market, but I feel pretty good about what I have seen. Mike, did you want to add on anything here?
Michael Sheridan:

Yes. Keith, what I would add to that is, I think there is couple of things in our business. It is maturing at a positive direction, I believe, to some more of larger deals. One of which is, as I mentioned in my comments, if you go back over the last couple of years, pretty recently we were in a very early adopter phase, where most any customer would purchase an initial small deployment without budget to see how of the technology works. What we are seeing now is a reputation and the product is more well-known. The brands is more well-known. We have customers now being willing to make larger initial purchases. That coupled with the fact that we are seeing it with the growing part of our business coming from what Dave refers to as the service led model, where we are following up IR services, for example, we are seeing that in those environments and that didn't exist prior to the Mandiant acquisition, those customers are willing to also step up to larger initial purchases. So those are some positive developments in our model that I think are to some of those types of transactions.
Keith Weiss:

Excellent. And maybe if I could throw in one follow-up. Is there any kind of rules of thumb that you could give us in terms of how the various elements of the portfolio relate to each other on a dollar basis? So like when you do an incident response versus a deal starts with incident response, $1 of incident response tends to yield how much appliance sale or product sale on the follow-on which yields how much FireEye-as-a-Service when it does gets attached to the product? Is there any kind of modeling dynamic you could walk us through with that?
Dave DeWalt:

Keith, I would tell you that it could be pretty tough to boil all of that down into a consistent metric because every situation is so very different. I think just in prior comments, trending wise you will see some of those elements what lead to larger average initial deal sizes, but trying to bring it down to a modeling metric for you at this stage I think will be really difficult. There is a lot of variability.
Keith Weiss:

Got it. Excellent. Thank you. Nice quarter, guys.
Dave DeWalt:

Next question, please.
Operator:

Our next question comes from Walter Pritchard with Citi. Your line is now open.
Walter Pritchard:

Hi. Thanks. Dave and Mike, I am wondering if you could talk about it, it really sounds like on the call that your sales cycles are shortening. You talked about being able to close more deals without full PoCs and so forth. And I am wondering, then do you think you saw that benefit during Q1? Or is that more of a forward-looking comment around what you see in your pipeline and things progressing through the pipeline?
Dave DeWalt:

No. Walter, we saw it in Q1 and it was actually improving. Q4 was the first quarter if you recall where we actually had more business coming from non-PoVs than we had PoVs which was very encouraging and then that increased going into Q1. So a lot of this is our ability to keep cross-selling in our network platform. For example, I mentioned IPS attach rate nearly doubling again. I mentioned full packet capture, email attachments, we now have eight different blades or product or product subscription add-on just to our flagship network products. So we are getting those nice cross-sells and upsell there which in many cases don't require us to do a PoV. And other cases, the endpoint has been very nice in terms of the work we have done. We can demo it in the cloud. We can begin to shorten sales cycles there. so I like the trend that happened in Q1 and happened in Q4 and hoping that trend continues to grow that way and I think it will.
Walter Pritchard:

Could you quantify in any way your hiring on the incident response side? I am wondering how fast you are hiring people there and how easy is it to find people?
Dave DeWalt:

We are certainly hiring. If you notice, we had pretty strong growth in our professional services year-over-year. We are hiring a lot of international consultants at this point. We have gone into 18 different countries and surprisingly we have been seeing the utilization and billable rates in sort of the overall chargeability quickly ramp. Now it's not quite where the U.S. model is and Mike alluded to a little bit of degregation on the overall margins, mostly related to just ramping consultants. But we are getting up to 300 of them in 18 countries. A big part of our model here, which I think will pay dividends, Walter, over time is our partnerships with government. And when you look at what we have been able to accomplish so far, we have become a bit of an extension to the government for incident response. We have become partner to them when there is a breach scenario. We have been building that out in a number of new countries as well. We have been training their agencies. They have been leading with us as well outside the United States now. So it doesn't happen overnight, but we have been hiring former government official type people, agents as well and bringing a man, ramping them up and it's been so far so good with the growth percent, the hiring, the ramping and of course if can we get the government partnership, I think it creates tremendous leverage for us globally. So, so far so good. Thanks for the question.
Walter Pritchard:

Thank you.
Operator:

Our next question comes from Matthew Niknam with Goldman Sachs. Your line is now open.
Matthew Niknam:

Hi, guys. Thank you for taking the questions. Just two, if I could. One on FireEye-as-a-Service. You have talked about that in the past, helping expand the addressable market into the mid-market. I am just wondering if you can talk about any progress made towards that goal in the quarter? And then secondly on endpoint, are you seeing more uptick among your existing base for that product? Or is that actually helping bring in new logos? Thanks.
Dave DeWalt:

Yes. Matthew, this is Dave. So both parts, the first part, FireEye-as-a-Service just continues to expand. So this quarter was a pretty big accomplishment just getting the Asia online. So if you recall, we did not have any FireEye-as-a-Service capabilities really outside of North America going into this quarter. So we were able to bring on Sydney. We were able to bring on Singapore. For the first time, we could start to deliver that in that market, in Singapore and Malaysian markets and good news there, we have got some transaction starting to happen with SingTel, some pipeline happening. So I feel like in mid-markets that are larger outside the U.S., the progress is being made. Same is true with our SOC in Dublin, Ireland that we built. And now through HP, we will be building even more SOCs in more countries with them as part of the arrangement that we have. So I think we will see more and more mid-market opportunity for the company outside the U.S. And so you have to build it first to get the pipeline and then you have got to close the pipeline. But so far so good, coming from where we were just two, three quarters ago, where we barely had the service at all. And only had in North America. So now going global, building the pipeline, fast-growing solution kind of thing. And then to your comment on the endpoint. I think this is a real opportunity, as I said in Rob Owens' comment. I think the market is very dissatisfied with current solutions on the market today. They are poor performing from an efficacy point of view. High false positive rates, difficult to manage and any antivirus, host intrusion any spyware, host DLP, all the suites that are on those hosts are very cumbersome. So I think the market is sort of looking for solutions here. It's bringing us in to a lot of opportunities. We are now starting to show our scale. I mentioned one of the clients that we now have over 100,000 endpoints deployed in three continents, which as you know you have got to get localization in place in multiple arenas. You have got to deploy a pretty scalable architecture to build that out. So getting there and I think this endpoint market will be a pretty fast-paced market in the coming quarters to a year. So we are hoping to take our percentage of that. Good question. Thank you.
Operator:

Our next question comes from Brent Thill with UBS. Your line is now open.
Brent Thill:

Thanks. John McGee joined. He has got roughly two quarters under his belt since joining. And I am just curious in terms of what you have seen from his arrival? And also one of the concerns from investors is, when you bring a new head of sales on, you make changes to the go-to-market and sales structure. And I am just curious, in Q1 did you make any overlay changes to the broader sales force under John's leadership?
Dave DeWalt:

Hi, Brent. So, yes, good question. It's been three quarters not two. I am sure he would tell you that it feels like three years not years, because they measure themselves in years and quarters. But we have been making slow but steady changes just as we assault on the $1 billion plateaus of company. Some of those are just optimizing our model. I think John's done a really nice job managing productivity, managing capacity, making sure we balance that capacity across the globe, creating more out of what we have already have invested in, leveraging the partners, the channels, things like that. So we feel strong operationally now as we have grown under John's leadership. That's been great. We have changed out a few leaders slowly but surely over the last three quarters, just to up level them as a business, but no fundamental changes. Most of it is just expansion of our field model, our inside model, our partner model and our service led model and integrating them a little bit. So off to a good start and slow but steady as we grow.
Brent Thill:

Great. Thanks.
Operator:

Our next question comes from Gur Talpaz with Stifel. Your line is now open.
Gur Talpaz:

Great. Thanks for taking my question. So I was hoping you could elaborate a bit on the cloudwall technology you announced at RSA conference? Is the goal here to augment what you are doing with FireEye-as-a-Service? Is this really more of a standalone product to open up new market opportunities? Thank you very much.
Dave DeWalt:

Hi, Gur. I think you are hitting on some pretty interesting opportunities here in the cloud. Certainly we are seeing a lot of adoption of cloud applications. And certainly as we see that, more and more personnel are logging directly from whatever IT consumer kind of product that they want right to the cloud. We feel there is a real opportunity for us to put sort of a cloudwall in place, if you will, that really cleanses and detects and prevents threats in the cloud before it reaches gateways or reaches endpoint. So we have delivered on three or four solutions already. We are working on some more. We have a full-blown email threat prevention in the cloud services that sits in front of Office 365 and Google Mail. We have even seen good uptick in that. We now have full mobile threat prevention cloud that we have been delivering on for endpoint security in the cloud. We now have a threat analytics platform in the cloud, which is kind of cloud sim. We have been seen good uptick on that technology and really a way for us to aggregate events from the edge in to a cloud format, sitting in AWS and offering solutions there. And then we are building the same capability for the web. So over time, you will just see as a threat prevention platform, we are going to have flexibility to deliver it on-premise as a network appliance, on-premise as an endpoint, or hybrids of the two premise and cloud or entirely as a cloud and then completely wrapped as a service model or as a complete technology that customers can run. So our goal here is to be a broad leader of advanced threat prevention, regardless of the types of implementations and how clients may do it, on-prem or cloud. And we have been assaulting on that platform and delivering on it. And you will see even more from us as we go forward. Next question.
Operator:

Our next question comes from Gray Powell with Wells Fargo. Your line is now open.
Gray Powell:

Great. Thanks for working me in. Just a quick question. So a lot of our reseller and private company contacts talk about how APT detection and IPS market seem pretty closely related. Do you see these markets and product sets converging over time? And then also, I know you said it doubled, but any like hard stats you can provide on your IPS subscription, either penetration or attach rates? Thanks.
Dave DeWalt:

Yes, Gray. Good question. Certainly what we see is the need for advanced threat prevention obvious. Over time, we have often times seen that perimeter solutions, firewalls, next-gen firewalls are highly inadequate for stopping advanced threats. That's not going to change anytime soon. So the need for intrusion detection, prevention, advanced threat solutions is obvious as well. So our goal here is to really create an advanced threat capability that really empowers and enforces capabilities that firewalls have and the firewalls begin to help us in terms of what we are doing. So I think as we are seeing this, IPS is just a feature now of what we consider advanced threat solution and the ability to put signatures in place, verify them with virtual machines is something I think you will see going forward. Blacklisting and signature based solutions fading out. Customer still wanting that kind of capability, but really wanting the best of both worlds, APT and IPS together. So we went from sub 5% growth to over 10% growth, doubled it again in attach rates and we are feeling good that the direction there for the company to consolidate IPS functionality into our solution is going to occur. So, so far so good.
Gray Powell:

Okay. Thank you very much.
Kate Patterson:

I think we have time for one more question.
Operator:

Our final question comes from Andrew Nowinski with Piper Jaffray. Your line is now open.
Andrew Nowinski:

Great. Thanks for squeezing me in. So just two quick questions for you. First, on Mandiant. In Q4, you said it operated at full capacity and I know you said you were hiring this quarter, but was Mandiant at full capacity again in Q1? And did you have to turn any deals away this quarter, just not having enough staff to keep pace with demand?
Dave DeWalt:

Andrew, yes, if you were to talk to the Mandiant consulting teams, I think they would say they are very much at capacity right now. We are we are very heavily engaged in a lot of scenarios. Although domestic is really at capacity, international is ramping a little bit. Although we saw a lot of utilization out of them as well. I would just say, we have a lot of demand for Mandiant at this point and maybe not comment on how much we turned away. But the good news here is, the market is vibrant for both compromise assessment and incident response. Mandiant is the leader and we will continue to expand that business segment.
Andrew Nowinski:

Okay. And then just a last question real quick. I was just wondering if you could provide any color as to whether most of your new customers you are seeing are still starting with your flagship NX product or whether they are starting with something else like TAP? Thanks.
Dave DeWalt:

Andrew, this is a little bit of the power of our platform now, in that we have a lot of routes to work with clients with. NX continues to be a very strong grower for the company, just in terms of the needs of the web gateway-based advanced threat management capability. But now we are seeing email sales as leader. We are seeing endpoint sales as the lead. You mentioned threat analytics as a lead. We are seeing services as the lead. So it just depends. We have a lot of different tools to kind of work with the client on, depending what their needs are. And I think that that diversification and flexibility will be powerful for us as the market dynamics change in security over time. And the more tools you have, the more flexibility you have, probably the more resilience you have for growth, both in upturns and downturns. So we will see again but good question.
Andrew Nowinski:

Thank you.
Dave DeWalt:

Okay. So Amanda, thank you. This does conclude our first quarter 2015 financial results. Thank you everyone for coming and joining us and on the webcast as well as over the phone and look forward to talking to you. We will be at several financial conferences here this quarter and look forward to seeing everybody. Hope you have a wonderful weekend. Thank you.
Operator:

Ladies and gentlemen, thank you for participating in today's conference. This does conclude today's program. You may all disconnect. Everyone have a great day.

Mandiant, Inc. Q1 2015 Earnings Call Transcript

Other Mandiant, Inc. earnings call transcripts:

Mandiant, Inc.
Q1 2015 Earnings Call Transcript