Mandiant, Inc.
Q4 2021 Earnings Call Transcript

Published:

  • Operator:
    Welcome to the Mandiant Q4 2021 and Full Year 2021 Financial Results Conference Call. My name is Sam and I’ll be your operator for today’s call. I will now turn the call over to Barry Stern, Senior Vice President of Finance at Mandiant. Barry, you may begin.
  • Barry Stern:
    Thank you, Sam. Good afternoon. Thanks to everyone on the call for joining us today to discuss Mandiant’s financial results for the fourth quarter and full year 2021. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of Mandiant’s website at investors.mandiant.com. With me on today’s call are Kevin Mandia, Mandiant’s Chief Executive Officer, and Frank Verdecanna, Executive Vice President and Chief Financial Officer of Mandiant. After market closed today, Mandiant issued a press release announcing the results for the fourth quarter and full year 2021. Before we begin, let me remind you that Mandiant’s management will make forward-looking statements during the course of this call, including statements relating to the Company’s guidance and expectations for certain financial results and metrics, the Company’s priorities, initiatives, plans and investments, drivers and expectations for growth and business transformation, expectations, benefits, capabilities and availability of new enhanced offerings, market opportunities, go-to-market strategies, and strategic partnerships. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control and could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future. And we undertake no obligation to update these statements after the call. For a detailed description of the risks and uncertainties please refer to our SEC filings, as well as our earnings released posted an hour ago. Copy of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, the financial measures that will be discussed on the call are non-GAAP metrics, except for revenue and operating cash flow. Our non-GAAP measures exclude stock-based compensation, amortization of intangibles, non-cash interest expense on a convertible debt and convertible preferred equity, restructuring charges, accretion of Series A convertible preferred stock and other non-recurring items. We provided reconciliations on the non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website, as well as in the earnings release. In addition, the financial measures that’ll be discussed in the call are for Mandiant continuing operations. With that, I will turn the call over to Kevin.
  • Kevin Mandia:
    Thank you, Barry. And thank you all the investors, employees, customers, and partners joining us on the call today. As always, we appreciate your interest and support in Mandiant. We entered the fourth quarter as FireEye and we exited the quarter as Mandiant. With the divestiture of the FireEye products business behind us, we are now laser focused on the following four objectives
  • Frank Verdecanna:
    Thanks, Kevin, and hello to everyone on the call. Before we move on to details of our Q4 results and our guidance for Q1 and full-year 2022, let me remind you, I’ll be referring to non-GAAP metrics except for revenue and operating cash flow. I’ll also only be talking about Mandiant continuing operations. Now, let’s look at our reported results. Billings increased 54% from Q4 2020 with the strong performance in platform, cloud subscription and managed services; and our professional services. We ended the quarter with record deferred revenue of $410 million, which was up nearly $95 million sequentially. The platform, cloud subscription and managed services category grew billings by 83% year-over-year in the fourth quarter, bringing full-year 2021 growth to 66% over 2020. Growth was driven by solid demand and record billings across all Mandiant Advantage platform modules and our Managed Defense solution. While we encourage you to look at revenue as the best metric to evaluate our professional services performance, it’s still worth noting that professional services billings were up 25% year-over-year in the fourth quarter. Our ARR ended Q4 at $279 million or 23% year-over-year growth. We did see less translation from billings into ARR in Q4 as it was the last quarter of total contract value or a booking’s based comp plan for both Mandiant and FireEye sales reps that were still selling Mandiant solutions. As a result, we saw a significant increase in average contract length, moving from 22.1 months in Q3 to 24.9 months in Q4. In addition, we had a higher mix of renewals, including two renewals in the $15 million range, one of which was a multiyear. In Q4, we added 225 new logo customers, up 2% from Q4 2020, and closed 32 transactions greater than $1 million compared to 28 in Q4 of ‘20. Turning to the translation of our strong billings and ARR performance into revenue, Mandiant revenue increased 21% from Q4 of ‘20 with a strong performance in platform, cloud subscription and managed services; and our professional services category. Our revenue of $133 million was at the top end of our guidance range we’ve provided in last quarter’s earnings release. The platform, cloud subscription and managed services category grew revenue 18% year-over-year in the fourth quarter. Professional services revenue increased 23% year-over-year in the fourth quarter, capping a very strong year of consistent 20-plus-percent year-over-year growth across all quarters in 2021. We ended the year with $139 million in services deferred revenue. Now, let’s look at gross margin, operating margin and cash flows. Our gross margin for the fourth quarter was 63%, up from 60% last quarter, and 59% in fourth quarter of 2020. The platform, cloud subscription and managed services gross margin was 72% in the fourth quarter, up from 70% last quarter and 57% from Q4 of 2020. Driven by increased scale and our subscription business and reduced allocations of IT and facility into COGS as a result of reimbursements from the Transition Services Agreement or TSA to support the FireEye products business. Professional services gross margin was 54% in the fourth quarter, up from 51% last quarter and 49% in the fourth quarter of 2020, primarily due to reduced allocations of IT and facility into COGS as a result of reimbursements from the TSA. Our operating margin for the fourth quarter of negative 17% was an improvement from last quarter’s negative 27% and from negative 22% in Q4 of 2020. Improvement in the fourth quarter operating margin was primarily driven by leverage from our revenue growth and the start of the TSA reimbursements beginning on October 9th, which has the effect of offsetting some of our IT facilities and G&A expenses. Operating cash flows for the fourth quarter were negative $10 million, compared to negative $40 million last quarter and compare to negative $2 million in Q4 of 2020. Now, let’s turn to our current outlook for the first quarter and full year 2022. As a reminder, beginning in January 2022, our validation deals are recognized 100% ratably as a result of changes to on-premise validation deployments, which now enable customers to receive real-time intel updates as part of the Mandiant Advantage platform. For Q1, we expect ending ARR to be in the range of $291 million to $297 million, which implies a year-over-year growth rate of between 23% and 26%. We expect revenue to be in the range of $128 million to $131 million. On a year-over-year basis, the midpoint of our guidance range implies revenue growth of approximately 13%. We expect a year-over-year growth rate for the subscription revenues to be in the range of 3% to 5%. Given Q1 ‘21 included approximately $8 million in upfront validation revenue, the change to ratable rev rec had an impact of approximately 15 percentage points of year-over-year growth in our subscription revenue category, and 7 percentage points in our total revenue year-over-year growth rate. We expect a year-over-year growth rate for services revenues to be in the range of 20% to 22%. We expect gross margins of between 59% and 60% in Q1, which is down year-over-year primarily due to the validation rev rec change. We expect an operating margin of between negative 22% and negative 24%, implying a slight increase in operating expenses from Q4, primarily driven by an increase in payroll taxes that normally occurs in Q1, offset partially by less marketing and branding costs in Q1 versus Q4. We expect earnings per share of between negative $0.13 and negative $0.15. For 2022, we expected an accelerating ARR growth rate throughout 2022, ending Q4 at a year-over-year growth rate of 30%. We expect revenue of approximately $560 million at the midpoint of our guidance range, representing growth of approximately 16% for the year. We expect a year-over-year growth rate for SaaS revenues to be in the range of 14% to 16%. We estimate the headwind from the validation rev rec change to impact the subscription growth rate by approximately 13 percentage points. We expect a year-over-year growth rate for services to be in the range of 16% to 18%. We expect gross margin of between 61.5% and 62.5%, as a subscription portion of our business continues to scale up partially offset by the headwind from the validation rev rec change. We expect operating margin of negative 13% to negative 15%. These ranges result in non-GAAP earnings per share of negative $0.36 to negative $0.38 based on weighted average shares outstanding of 240 million. Embedded within our annual guidance are several assumptions. Our operating margin range assumes the TSA reimbursement as a result of the divestiture continues through approximately the end of Q3 of 2022. Our operating expenses include non-recurring branding costs in the amount of approximately $10 million. Operating expenses include approximately $20 million in stranded costs relating to legacy facilities, systems consulting, personnel costs and contracts required to provide ongoing support of the TSA that are not expected to be reimbursed. I realize there’s a lot of detail here. But to summarize, we expect to exit 2022 with Q4 ARR year-over-year growth rate of 30%. We expect 2022 revenue growth of approximately 16% at the midpoint of our guidance, which would have been approximately 6 percentage points higher were not for the validation rev rec change. We expect the validation rev rec change to dissipate for 2023 and expected acceleration in 2023 with revenue growth at 25% or more over 2022. We expect to deliver operating leverage by improving our operating margin loss in 2022. And we expect to achieve non-GAAP operating margin profitability for the year of 2023. We achieved a significant milestone in Q4 divesting the FireEye products business, which I believe puts us in a stronger position to consistently deliver accelerating growth and improved operating leverage. We look forward to discussing our strategy and long-term model in more detail at our Virtual Analyst Day on March 10th. I will now turn the call over to the operator for questions.
  • Operator:
    We will now take our first question from Jonathan Ruykhaver of Baird. Jonathan, your line is connected. Please proceed.
  • Jonathan Ruykhaver:
    So, I’m wondering if you could touch on just the ARR expectations that you’ve talked about for fiscal ‘22. When you look at it, it implies net new ARR that’s basically more than what you added over the last couple years. So, just talk about your confidence in that target, maybe what you see in the pipeline, sales capacity it gives you that confidence?
  • Kevin Mandia:
    Yes. So, couple of thoughts there. First and foremost comp plan absolutely matters. When you look at our billings in Q4, I remember going, wow, that’s eye popping billing. That’s fantastic. And then when you peeled it back, it came to 22% ARR growth. And that is because our comp plan was based on billings. And you see that in the extended contract length. So, one of the things we are doing is everything that Mandiant does that scales, you can buy through subscription is make sure that our comp plan marries to driving ARR growth. So, that’s the first change we made that will make a difference, period, in a positive way. It may shorten the contract length, Jonathan, but it will increase ARR a few points. So, we do get a look right there. And the second thing is we’re launching several new offerings like active breach intelligence, and then a very simple lightweight and affordable Ransomware defense validation that I like. I believe the partnerships matter. When you look at -- that’s a hot market to say, hey listen, Mandiant’s got your back. You give security telemetry from supported products, and we’ve got you covered. You know, I call it the shields up. Others call it probably more professionally extended detection and response market. I believe in that market. I believe that’s a way our Mandiant people can be a seamless extension, even though can be 90% test behind it. It allows people to use our experts as a virtual extension of their team. So, as we expand to partnerships like SentinelOne, like Microsoft, those partnerships matter. We want to go in and say, you get the Mandiant brain, the Mandiant analyst to defend you, regardless of the technology you’re using. And I buy that. So, that to me is what we’re betting on. And I can tell you, it resonates when I talk to folks. So what we’ve got to do is continue the innovation to support it. And I think we got Microsoft done, we’re getting SentinelOne done, and we’re going to have others, and that’s why we’re excited about that strategy.
  • Jonathan Ruykhaver:
    That’s helpful, Kevin. I wanted to ask as my second question, just touch on channel sales. I know you hired new leadership last fall. Can you just update us on your thoughts regarding channel opportunity beyond just fulfillment? And curious on the role you might see for SI, systems integrators and the public cloud providers.
  • Frank Verdecanna:
    Jonathan, this is Frank. I think, what we’re -- one of the things that we really pivoted to with some of the newer offering is really making it fit the channel much better than some of our previous offerings that were more focused on the security professionals. I think, we’re trying to build products that fit the channel that can go down market that are easier to demo, easier to deploy. And so, I think some of the new offerings that Kevin mentioned, I think will fit the channel a lot better. And if you look at where we’re at from a channel leverage perspective, we only have a significant opportunity ahead of us. That’s not area that we’ve done great in the past on, but I think we feel pretty good about some of the new offerings and some of the new focus areas there and some of the investments we’re making in the channel.
  • Kevin Mandia:
    And Jonathan, even I’m going back to revisit your question, because I’ve thought about it as well. And one of the -- it was without a doubt, the largest reason why we were losing Managed Defense customers was they were choosing a different endpoint technology, literally by going to Microsoft or SentinelOne and other endpoint techs that we’re going to be working with. We saved those. And people are making decisions based on tech alone. So, we’ll be able to grow it faster and at the same timeframe, we’ll be able to protect our base far better by working with other endpoint technologies and quite frankly, other security technologies endpoint.
  • Operator:
    Our next question is from the line of Hamza Fodderwala of Morgan Stanley. Hamza, your line is open. Please proceed.
  • Hamza Fodderwala:
    So, I thought for my first question, just real quickly, wanted to address the elephant in the room. There are obviously some reports around a potential acquisition by Microsoft. Any comment on that whatsoever?
  • Kevin Mandia:
    Yes. Hamza, as a matter of policy, we’re not going to comment on rumors or speculation.
  • Hamza Fodderwala:
    Just for a second question for Frank, when you think about the puts and takes around the acceleration of 30% ARR growth, how should we think about sort of the underlying drivers behind that? So, between things like net expansion rate, which I think is a little bit above a 100% now, or like customer count growth or larger deal sizes upfront, like how should we think about the path to 30% ARR growth exiting this year?
  • Frank Verdecanna:
    Yes. I think, Hamza, we feel really good about that. If you look at our guidance for Q1, we’re expecting AAR to grow between 23% and 26%. And if you look at the new offerings that we’re launching in some of these partnerships, they only benefit each quarter thereafter. So, if you think about like the SentinelOne partnership, the real traction and new deals that will come for that will likely be in the second half of the year, and so, again, acceleration there. The Attack Surface Management acquisition we did in August had a great Q4, and we’re really excited about kind of launching that in the year. And then, if you think about kind of the stage and maturity of validation and automated defense, all those subscription offerings kind of move forward in 2022, which should provide a pretty big boost. And Kevin did mention earlier that we do feel that we’re going to have better retention on the Managed Defense side, as we continue to add new endpoint players.
  • Hamza Fodderwala:
    Got it. So just to clarify, so it sounds like customer count growth, module upsell, that’s sort of in that order of -- is how we should think about, the path to 30% ARR growth.
  • Frank Verdecanna:
    Yes. And I think if you look at where we sit today, less than 20% of our customers have more than one module. So we have a huge cross-sell opportunity just going from one module to two modules to three modules.
  • Kevin Mandia:
    And Hamza, you got me realizing when I wrote my first earnings script, it’s all about all the reasons why ARR is going to go to 30%, and then I went some other direction. Here’s the reality. We have more to sell. We have focused on selling it. We have compensation alignment to sell for ARR. We have partnership alignment now because we’re not an endpoint network, cloud SIM and email security anymore, like FireEye when we were all one company. So, we get real partner leverage and we can go and get that. With that, you get better retention. And then we’ve already done the unglamorous integration of every module. So, you can now have the platform and all the modules and it’s one experience. And that’s something that doesn’t sound like a big deal, it absolutely is because as we deploy now, we’re working towards, instead of just deploying a module, we deploy full platform with one module activated, it makes it very easy for us to scale. So, it’s a small thing, but it has a tremendous influence on the buying patterns, just having it all integrated into a single experience.
  • Operator:
    Our next question is from Brian Essex of Goldman Sachs.
  • Brian Essex:
    Kevin, maybe if we could start by just touching on now that you’ve spent some time operating with the ability to sell with the control diagnostic platform, I guess the endpoint -- endpoint partnerships not outstanding, but outside of endpoint, where have you seen the most success selling in other platforms, or should we expect to see similar partnerships with broader, like network security vendors, like maybe a Palo Alto with better integration there? Like how should we think about that strategy going forward?
  • Kevin Mandia:
    Yes. So, Brian, I’m going to do everything I can to not nerd out and then Frank’s going to fix this. Network security integrations are easy. It’s that simple. And the true differentiation for us usually is endpoint interrogation. That’s where Mandiant doesn’t just say, hey, you may have a problem. We like to have that premium experience of, "Oh, you have a problem, and we can fix it for you." That usually requires endpoint technology to verify. So with the network stuff, it’s just all the formats are similar. The telemetry data from PAN versus Fortinet versus other technologies, for the most part, we can already absorb those and work with those. So, technically, we can already work with the network-based security organizations. Where we like to go deep and apply our expertise just happens to be more differentiated on the endpoint. And finding the new and novel, usually, what you’ll get is on the network security platforms, you see the smoke. But to see what’s actually causing this fire, you got to go to the endpoint and figure it out. So that’s a long-winded way of saying this. With the network security stuff, we can already leverage it for the most part. And we just got -- we have a new leadership in charge, Marshall Heilman, our CTO, is leading those technical partnerships and he used to lead our Managed Defense. So, he’s going to go out there. And we’re going to get -- in my opinion, we’re going to pursue partnerships with the security vendors that our customers are relying on to defend themselves. And then, what we provide with the Mandiant Advantage is that Mandiant analyst automated. All are intel, all our expertise and, quite frankly, a big button saying, hey, what do you think about this? We want to become part of the workflow for the security operations that are using all these different technologies. So, network security will happen. Endpoint security will definitely happen. And even over time, I could see us figuring out, hey, how do we work with some of the e-mail security folks as well to make sure we can test and kind of quote that. And then, by the way, obviously, cloud -- got to have cloud visibility, know your assets in the cloud and be able to defend at the big infrastructure providers.
  • Brian Essex:
    Got it. That’s helpful. And maybe kind of if we can dovetail into your SentinelOne partnership. How practically should we think about your ability to leverage Mandiant Advantage? How is it integrated with Singularity? And is there any overlap there with what you may have had left over versus what they come to the table within Singularity that kind of makes it maybe more complementary in certain situations?
  • Kevin Mandia:
    So, the biggest thing we want to do with this is really enable our consultants to respond to breaches with it. That means to be able to deep dive and interrogate a box when whatever security programs folks had just didn’t work or process failed or the attackers were that good. So first and foremost, we like endpoint security companies like SentinelOne where we can do incident response with it. They’ll like that, because we’ll get the phone call, we’ll go respond and maybe we use their tech to do it, and they get -- wow, that’s a nice introduction into a new customer. And we also want to be able to do compromise assessments. And there’s going to be other security providers that we’re going to look to partner with to do the same things. So, from the incident response and consulting standpoint, we do want to work with the endpoint providers that allow us to successfully carry out our mission of being the best in the world at responding to breaches. In regards to Managed Defense and the Mandiant Advantage, we want to be able to take telemetry in. And the first thing to do with any technology is, can we get great detection capability with that technology, hey, you’ve got a problem. The second step is a deeper integration to verify, hey, it’s not just detection, but we have confirmed problem. And that’s where we want to go with the endpoint tech. So, it’s a little bit more than just getting an alert from SentinelOne. And okay, SentinelOne thinks this is bad. Let’s tell a customer that SentinelOne thinks this is bad. It’s going to -- we get an alert from SentinelOne an interrogate box and say, "Oh, it is bad. It worked. We got a problem. We’ve got a threat on the network." And I’ll leave you with this thought, Brian. Historically, people have always said, "Thank God, my endpoint triggered on this piece of malware. It saved the day." What it didn’t do is trigger on three other things that the bad guy happened to be doing. And so, it gave people a false sense of, "Oh, we’re good to go." When in reality, they missed other things the attacker was doing. So long-winded way of saying, we’re going to go deep on the endpoints. We want to be able to inspect and confirm incidents on the endpoint. We may not get there overnight, but the reality is that’s our intention.
  • Brian Essex:
    Got it. And have you seen a lot of traction with Defender, with just referencing another partnership?
  • Kevin Mandia:
    Yes. You said a lot. Here’s what I have seen. When we -- first off, in regards to defense, when we go in, we’ve had customers say, "Hey, we’re going over to Defender." And we didn’t have to say, well, okay, surrender the account. We support that, too. And every endpoint is a little bit different. There was a time when we used the FireEye endpoint for everything, but -- so we’ll get different things from different endpoints, but we absolutely are defending Microsoft Defender, the Defender endpoint customers.
  • Operator:
    Our next question is from Rob Owens with Piper Sandler.
  • Rob Owens:
    I just want to focus on, obviously, a busy fourth quarter with the divestiture. Anything else logistically that you guys need to get done, or do you have all the pieces in place? You’ve got the new compensation as well to move forward from here. Just thinking of the risk profile around execution.
  • Frank Verdecanna:
    Yes. Rob, I think our biggest risk, I think, was Q4 when we were kind of finishing out the year as two separate sales forces, but still trying to sell both sides of the fence. As we enter 2022, we feel really good because we’ve got one comp plan aligned with kind of the corporate goals of really maximizing and increasing ARR. So, yes, I think the divestiture, kind of the risk of any disruptions behind us. We obviously have ongoing TSA that is going well that will carry through the good part of 2022. But yes, I don’t see any real challenges that we’re facing. I think we’ve got the right team to go tackle what we’re trying to do. And I think we’ve got a lot more laser focus on really driving the things that are going to take this company to the next level.
  • Rob Owens:
    And then on the services side with the guidance for 2022, any governors on growth or maybe intentionally there that’s kind of holding that back? Because it would appear that you probably got as much business as you can address from an incident response perspective?
  • Kevin Mandia:
    Yes. Rob, I always wonder if I should answer it this way, but I’m going to anyway. We’re not growing services as fast as we can. We’re not a services company. We don’t wake up every day and go, let’s maximize services growth. We wake up every day making sure we have the right people to do the right things. And I think growing between 20% and 22% like we have for years is actually really performing. But you’re right. I mean, I guess, we could look to inorganically grow or hire faster. We have it. We like the component we have because it’s doing very strategic work. Does that mean we say noted in balance? Yes, it does. Does it mean could we grow it at higher? Yes, we could. It is not -- for us, services is strategically important as we build our platform and our XDR capabilities. And we just -- we’re happy with how it’s performing. That’s the best way to answer it.
  • Frank Verdecanna:
    Rob, I think one of the things we’re really excited about is the fact that we have been building up a services deferred revenue and ending Q4 at $139 million. It does give us a lot better visibility and gives us a little bit more opportunity to hire a little bit ahead of the curve because we have a pretty good view into upcoming engagements. So similar to 2021, we typically overachieved a little bit on services just because we target kind of to grow at the high teens, but we tend to grow a little bit over 20%. So, as we look at 2022, I think we feel really good about the demand environment, and I think we feel really good about our ability to hire and ability to retain.
  • Rob Owens:
    And what typically drives that over? Is that pricing, or is that utilization, or you’re actually getting more headcount towards the end of the year?
  • Kevin Mandia:
    It is bursty chargeability when you do IR. Sometimes you’re in the emergency room, doctors. So what you see is a spike in what I call chargeability, the hours that people work that they’re working them. So that’s traditionally it. I think our rates are very competitive, meaning for an elite services core, we charge the right amount. But -- and Rob, I’m the old school when it comes to like the fastest way to have a morale hit in services to have anyone on a beach, you know what it means. So I have to admit, we probably run them hot a little bit.
  • Operator:
    Our next question is from Jonathan Ho of William Blair.
  • Jonathan Ho:
    I just wanted to maybe start out with Log4j and maybe what you’re seeing out there in terms of either pipeline build or just opportunity set as we expect to think about this vulnerability.
  • Kevin Mandia:
    Yes. Jonathan, first and foremost, I remember when it happened, I knew it was like December 8 or 9, it was a Friday. And the whole security community, both private and public sector, jumped on this thing in a fashion that probably preempted a lot of problems. But, at the same time frame, what it brought to the forefront is an immediate need to figure out where are your assets and where are the applications that your applications actually depend on. And so many of us have third-party providers that may have actually used Log4j that it created complications at scale that we just weren’t used to solving. So I can tell you that from our business standpoint, yes, in the first two days of Log4j, the exact number, I think we could track was over 70 inbound, "Hey, we need some help here," and we couldn’t respond all those. When you look back on Log4j 1.5-month later, I take my hats off to the security community, both the private sector and the public sector, because we preempted an avalanche of significant compromise and we got everybody thinking where are assets that matter, what are their dependencies, what’s in our supply chain. So, I think right now, that’s what the problems it brought to bear were. And so that would be a tax service management, asset management, third-party provider management or vendor supply management, those sort of things came to the forefront. And every once in a while, we’ll probably see a long tail of an incident or two from this. Log4j was a big vulnerability. It seems like in our industry, every few months, one of these pops up. So, you always get what I would call an indirect lift to the business. You just -- all of a sudden executives, it’s like free marketing for cybersecurity at large. Hey, cybersecurity matters. And so obviously, there’s more attention on it based on Log4j. So that’s kind of how it impacted the industry from my lens. You can talk to other vendors, get different answers. But our customers, most of -- almost all of them went through without a significant incident, and they probably are a heck of a lot faster right now in determining third-party and software dependencies.
  • Jonathan Ho:
    Got it. And just one for Frank. Can you maybe help us understand or just remind us if you’ve given us this before what the margin structure will look like after we sort of get past these post transition costs as well as stranded costs and maybe the time frame that you’re thinking about to get through either the TCA or the stranded cost.
  • Frank Verdecanna:
    Yes, Jonathan. So, we expect right now we’re estimating in our guidance that we would provide most of the TSA services through the end of Q3 of ‘22. And so, we will have some stranded costs because it will take a little bit of time to take some of those costs out even after the TSA ends. But that’s why if you look at what we gave for guidance for 2022, you do see some leverage beginning in 2022. But the most important thing, I think, is given the onetime costs that are hitting 2022 and the headwind from the validation rev rec change, we’re very confident that we could be operating margin profitable in 2023. So, pretty significant kind of move. And when we get to Analyst Day, we’ll kind of give you that walk from our 2022 guidance to our long-term model.
  • Operator:
    Our next question is from Doug Bruehl of JP Morgan.
  • Unidentified Analyst:
    Hey. This is Doug on for Sterling Auty. Thanks for taking my questions. Congratulations on the quarter. So, I guess, the biggest question would be what do you see in terms of demand from the government vertical this quarter?
  • Kevin Mandia:
    Yes. Now, I’m sitting here going through every interaction I had with the government. I’m going to have to go back to my traditional answer, Doug. I mean, quite frankly, Mandiant’s always had a great relationship with a lot of different governments. We are a security company, and we recognize the responsibilities that that brings, and governments were formed to provide security to their citizens. So I mean, we’ve always had a strong relationship there. And we always want to be interacting with the folks that have the same mission that we have inside of government. But Frank, I can’t really give much more color than generic.
  • Frank Verdecanna:
    Doug, in my prepared remarks, I did talk about a couple of $50 million deals and one of which was with the government. So I think we started their new fiscal year off really strong, and we’ve got a really strong pipeline with the government. And I think, as Kevin mentioned, we’ll continue to kind of strengthen those ties and continue to actually embed new products into the government. We’ve always obviously been really strong on the services and intel side, but I think we’ve got some pretty big opportunities on the Managed Defense, automated defense and validation side as well.
  • Operator:
    Our next question is from Saket Kalia of Barclays.
  • Saket Kalia:
    Frank, maybe just to start with you. I was wondering if you could just talk a little bit about net new ARR in the quarter. Very clear, the comp plans on billings versus ARR feels like the driver, but I’m wondering how net new ARR kind of compared against your expectations for Q4. With it being down versus Q3, I wasn’t sure if there was anything with just a seasonality perspective that we should keep in mind?
  • Frank Verdecanna:
    I don’t think it’s anything to do with seasonality. I think it really is to do with the last quarter of a comp plan for both the Mandiant sales reps and the FireEye sales reps that are no longer going to be selling Mandiant Solutions. So I think what you saw was the maximization of the total contract value and not a maximization of ARR. So clearly, we believe that had we been on the ARR comp plan in Q4, that ARR growth rate number would have been much higher. It’s hard to tell exactly what it would have been, but probably pretty similar to Q3’s growth rate of 26%. And as we look into Q1, we’re right kind of in that zone of 23% to 26% going forward. And a lot of the new offerings we’re talking about, I think, will continue to gain traction throughout the year. So we feel really good about the ending the year at 30%. And Q4 was a great billings quarter, yet it didn’t translate as well as we would have liked to in ARR.
  • Saket Kalia:
    Okay. Got it. That makes sense. Kevin, maybe for you. It sounds like the better alignment with endpoint vendors here is very helpful, right? To your point, Microsoft SentinelOne, maybe there’s some more down the road. But I was wondering how you sort of think about the competitive dynamic with some of the managed offerings that some of those endpoint vendors offer themselves as well as their own sort of XDR integrations. And maybe this is -- maybe this touches on an earlier question, but is this complementary, or is it competitive?
  • Kevin Mandia:
    There may be times when there’s overlap and that there’s some competition there, and there may be some vendors that we work with on an endpoint where there’s far less competition. So here’s what I can tell you. With some, we can have memorandums of understanding and have a go-to-market alignment. But here’s how we’re different. The global intelligence -- and that’s actually, Saket, you walked into it to some extent. I was going to go with the ARR theme or the intel theme and I wanted the intel theme today. No one’s going to rebuild the global intelligence capability that we have, and it does matter. You combine that with us responding to over 1,000 breaches a year, and our intel baked into our XDR capabilities is something that I don’t think controls provider or platform provider is going to have because we have the privilege of showing up when their stuff didn’t work. I mean that’s what incident response is. So if there’s a way to circumvent a platform, we’re the first ones to see it. And in security, I call it popping the balloon. When a needle hits the balloon, you got a problem. One of fact that works against the platform is a significant problem for those users of that platform. And you have to think of compensating controls. And the fastest way you’re going to get those is Mandiant. Second is our validation component. We absolutely went vendor-agnostic so that people can trust the Mandiant brand to validate what works and what doesn’t work based on these new attacks. Let’s run them in a safe and simple way and say, "Hey, the XDR is working." So imagine somebody went with an endpoint vendor and their program to manage it. That’s fine. Use us for validation and use us to find stuff that maybe they don’t detect. And then our services go beyond scope because they’re bespoke at times anyway. So, there’ll always be services room there. So yes, not all -- with each partner, we’re going to have to explore how we can best work together and jointly defend the customers.
  • Saket Kalia:
    Got it. If I could squeeze just a third kind of housekeeping question in here for you, Frank. I think, it was asked in a different way earlier, but can you just talk about sort of what the expense, either annually or rather for 2022, is there on a quarterly basis is for ‘22 in terms of how much expense Mandiant incurs to fulfill those TSAs. I know they start to roll off after Q3, but can you give us a sense for what the dollar amount is that you kind of keep as stranded, right? And that will eventually go away. Does that make sense.
  • Frank Verdecanna:
    Yes. It’s roughly in the $20 million range.
  • Saket Kalia:
    Is it $20 million for the quarter or $20 million for the year?
  • Frank Verdecanna:
    No, for the full year. So, various work streams wind down throughout the year. On balance, we’d expect most of the work streams to go through the end of Q3.
  • Operator:
    There are no additional questions waiting at this time. So, I’ll pass the conference back over to Kevin for closing remarks.
  • Kevin Mandia:
    Thank you very much. I believe our biggest near-term market opportunity is to offer the most preferred controls-agnostic XDR solution. With our threat intelligence, our validation and our services serving as our differentiator, third-party integrations will be critical to our growth in this component of our business. Therefore, we intend to roll out a steady cadence of important partnerships to better protect Mandiant customers. And I look forward to speaking with all of you and updating on the partnerships as well as our long-term model at Analyst Day meeting on March 10th. Thank you very much.
  • Operator:
    That concludes the Mandiant fourth quarter and full year 2021 financial results conference call. Thank you all for your participation. You may now disconnect your lines.

Other Mandiant, Inc. earnings call transcripts: