Palo Alto Networks at Citi’s 2025 Conference: Strategic AI and Cybersecurity Insights

On Thursday, 04 September 2025, Palo Alto Networks (NASDAQ:PANW) participated in Citi’s 2025 Global Technology, Media and Telecommunications Conference. CEO Nikesh Arora shared insights into the robust cybersecurity landscape, emphasizing AI’s influence on spending and strategic direction. While Palo Alto Networks positions itself as a leader in consolidation amidst flat budgets, it also faces challenges in maintaining growth and managing risks associated with vendor consolidation.

Key Takeaways

• Cybersecurity spending remains strong, driven by AI’s impact.
• Palo Alto Networks aims to reach $15 billion in ARR within five years.
• The acquisition of CyberArk is pivotal for enhancing identity management.
• A shift from hardware to software and SASE solutions is underway.
• AI advancements are integrated into existing products rather than creating new ones.

AI and Cybersecurity Landscape

Palo Alto Networks highlighted the ongoing strength in cybersecurity spending, fueled by the AI wave. CEOs are eager to explore AI applications, leading to stable IT budgets with growth potential through share acquisition. The company distinguishes between consumer AI, AI applications, and enterprise AI, with security concerns primarily focused on the latter.

The company is enhancing its AI security portfolio by integrating AI capabilities into existing products. It is developing an AI discovery product to manage AI models within enterprises. Palo Alto Networks’ R&D strategy focuses on subscription-based services, allowing experimentation without significant capital expenditure.

CyberArk Acquisition

The acquisition of CyberArk is a strategic move to position Palo Alto Networks as a multi-swim lane cybersecurity company, with identity management as a critical component. With 89% of breaches occurring due to credential theft, the integration of CyberArk’s capabilities aims to make privileged access management (PAM) more accessible and efficient.

CyberArk’s customer base of 8,000,000 endpoints offers significant expansion opportunities for Palo Alto Networks’ existing user base. The acquisition is expected to enhance management of both human and non-human identities, crucial for AI-driven environments.

Firewall Business

Despite concerns about the cyclicality of the firewall business, Palo Alto Networks emphasizes the importance of traffic inspection across all digital sources. The company is transitioning from hardware to software and SASE solutions, which offer improved product development, quality, and margins.

While the hardware business grows at 5-8% annually, the software and SASE segments are more efficient and secure, aligning with the company’s strategic shift.

Future Growth and Financial Outlook

Palo Alto Networks has set a goal to achieve $15 billion in ARR by 2029-2030. This growth is expected to be driven by platformization and customer consolidation, with platform customers showing a 120% net revenue retention rate.

Nikesh Arora projects that achieving the ARR target and maintaining the current operating profile will elevate Palo Alto Networks to a $100 billion market cap company. The CyberArk acquisition is anticipated to significantly contribute to this growth, with the potential to double or triple its market cap.

In conclusion, the insights from the conference call underscore Palo Alto Networks’ strategic focus on AI integration and identity management as key drivers for future growth. Readers are encouraged to refer to the full transcript for a detailed understanding of the discussion.

Full transcript - Citi’s 2025 Global Technology, Media and Telecommunications Conference:

Fatima Boolani, Software Research Head, Citi: think we’re ready to get started here. Very rowdy. Alright. Ladies and gentlemen, I think we’re ready to get going for our half time show here day two of Citi’s Give

Nikesh Arora, CEO, Palo Alto Networks: her give her give her some pay attention to Padma.

Fatima Boolani, Software Research Head, Citi: I should I should use my outdoor voice, right, not my indoor voice. There we go.

Nikesh Arora, CEO, Palo Alto Networks: Your mommy voice.

Fatima Boolani, Software Research Head, Citi: My mom voice. There you go. My disciplinarian voice. I have a four month old at home, so I have a lot of practice and a two year old. Good afternoon, everybody.

Thank you so much for being here day two of Citi’s Global TMT conference. I am excited for our halftime show today with our our starring keynote with the CEO of Palo Alto Networks, Nikesh Arora. Thank you so much for being here.

Nikesh Arora, CEO, Palo Alto Networks: Thank you for having me, Faiza.

Fatima Boolani, Software Research Head, Citi: Well, we have lots to talk about, so I will dispense with the formalities. For those of you who don’t know me, I’m Fatima Boolani. I jointly head up our software research franchise, and I’m very excited to delve into all matters of cyber and beyond. With Nikesh.

Nikesh Arora, CEO, Palo Alto Networks: Let’s go.

Fatima Boolani, Software Research Head, Citi: Excellent. Alright. I think a a good place to start, would be at the stratospheric level, very big picture, a state of the union, if you will, of the industry at large. Nikesh, I’m hoping you can opine on the budgetary climate, the budgetary competition, and, actually, most importantly, talent acquisition both from a sales and a technology perspective. And you know where I’m going with this because of the underpinnings of the the AI wave, which we’ll, of course, talk about.

But I think that’s a the great place to start from from your perspective.

Nikesh Arora, CEO, Palo Alto Networks: Alright. Well, good afternoon, everybody. I hope you’re enjoying your meal. Look. Every time we get worried about cyber spending, a new thing happens in technology, and suddenly we all get very excited.

I think twenty four months ago, we were not excited about tech spending, and then this AI wave came about, and we can’t all of you are excited when you see another tech company trying to spend tens of billions of dollars to build AI clusters. So so I think from a spending perspective, the environment continues to be the same. I do think that AI spending has a bit of a free pass right now that every CEO wants their companies to experiment on AI, figure out how AI is gonna impact their lives. And, you know, as long as we can call it cybersecurity AI, it’s fine with us too. But, no, in all fairness, like, I think the AI wave is getting a bit of frantic behavior that everybody’s trying to figure out.

So I don’t think, generally, broadly speaking, the the hammer is coming down on IT budgets, let alone cybersecurity budgets. And cybersecurity budgets kind of like more often than not end up being part operating, part transformation. The operating budgets are impact are intact. I think it’s fair to say that cost you’ll always find a CIO and procurement team which wants to not have I cybersecurity ongoing budgets go up. They like them flat.

They like them growing a little bit, not a lot. And there’s obviously net new budget for new ideas. And in that environment, because we are positioned ourselves as a consolidation play, we’re fine as flat budgets because we expect to take share from other people and maintain our growth. So that’s kind of where we feel from a spending environment perspective.

Fatima Boolani, Software Research Head, Citi: You know, as a $10,000,000,000 player in the cybersecurity market, you were largest

Nikesh Arora, CEO, Palo Alto Networks: 120 more than 10? Can you use that?

Fatima Boolani, Software Research Head, Citi: The 100 and bill 120,000,000,000 on the market cap asset with 10,000,000,000 in revenue. Yes. Largest pure play cybersecurity vendor in in the market and in

Nikesh Arora, CEO, Palo Alto Networks: the

Fatima Boolani, Software Research Head, Citi: space. You naturally have a seat at every single large important organization in the world across verticals. So as a probably not a fly on the wall, but with, you know, a lot of talking points sitting at these tables with these very large companies, what have you determined are and have been becoming the most common patterns and pain points and discussion threads on how some of your largest customers are tackling cyber hygiene against and in preparation for operationalizing an AI strategy. And I wanna go back to something you said. There is a frantic AI spending frenzy right now.

Everyone’s throwing spaghetti on the wall as to how AI is gonna, you know, improve their business and and work for their business. So your seat at that table, what implications does that have from a cyber hygiene perspective?

Nikesh Arora, CEO, Palo Alto Networks: Alright. So I think let me break that down in two parts. Let’s first talk about where we see AI and what I see how I see the AI landscape evolving because that actually dictates how we prepare for that environment from a cybersecurity perspective. I think if you look at the global AI reality or traffic, 80 to 85% of traffic is in consumer right now. Right?

People building the next version of ChatGPT, the next version of Gemini, Grok, Lama, Deep Research, all these things. And the way they manifest themselves is consumers getting excited. The reason OpenAI raises it half a trillion or Anthropic rates, $182,000,000,000 is because there’s a lot of people using these models to ask questions whether they’re search type questions, they’re, you know, videos they’re making, asking questions on Grok, they’re asking questions on Meta AI. That’s where 85% traffic is. That’s where the training is happening, and that’s where, quote, unquote, the arms race is on AI models.

That’s fine. We understand that. You can see the direct application. There’s large distribution, billions of users who use some version of Meta’s products or Google’s products. They’re all becoming natural users.

My Gmail is summarizing things for me now. You know, it’s like in product I mean, last this past quarter, we have a secure version of Gemini deployed Apollo Auto. I ran my earnings script through Gemini and asked this how many times am I repeating something? You told me stop using the word momentum so many times. So, you know, it does stuff like that.

It’s kinda useful. Shift

Fatima Boolani, Software Research Head, Citi: step seven, the source. There

Nikesh Arora, CEO, Palo Alto Networks: you go. So it does a bunch of stuff like that, and that’s you’ve seen the consumer use case. That’s where 85% traffic is. That’s why more GPUs will be sold and more models will be trained. So we get that.

I think the second category which is fully emerging is, let’s call it, the AI application category. This This is is where where you you see see the cursor of the world. People doing vibe coding. You see Harvey, the legal sort of application stuff, Grammarly’s of the world. There’s about 1,200 applications which are using some version of a wrapper around the AI models to make some tasks, some workflow better.

Right? You’re seeing that, and they’re also kinda like the best way to sort of create an analogy is it’s like the drop boxes or the box of the world where they are generic for every enterprise. They’re not specific to any one enterprise. There’s a lot less of customizability, but they’re generic enough that they apply to a standard use case for all enterprise. So you’re seeing some traction there.

Wanna I say that’s five to 7% volume right now, including coding in the market. And the remaining 5% is enterprises experimenting with AI to see how can I make my application useful to my customer, which I think still weighs off? In that context, security only applies to the third category. If you’re gonna deploy on LLM in your company, you want to secure it. You want to make sure there’s a firewall around it.

It applies to the enterprise deployment of the Greetings of the world or the Harvey’s of the world, which they’re slowly getting their arms around, but it’s slow. It’s like, you know, there are not many customers asking for a secure enterprise. That’s how kind of cybersecurity plays into it. But I think the anxiety is more around AI deployment and cybersecurity. People all hear about agents saying, oh my god.

If I have agents running around in my enterprise, who’s gonna manage them? Who’s gonna control them? How are we gonna do give them credentials? How are we gonna track them? Because these are nonhuman identities floating on my enterprise.

So people want to hear the story. People want to hear the story of how am I gonna protect my AI deployment with an AI firewall. So the conversations as it relates to AI are mostly about securing models, securing my deployment, securing my employees from not sending my corporate data outside, and making sure agents don’t take over my enterprise without some version of a guardrail or a kill switch. Right? If I go to the regular discussion around cybersecurity, I think there’s a growing understanding that some version of interworking consolidation commonality needs to start coming into play because the infrastructure is too disparate, too fragmented.

And it’s kind of interesting. It’s not coming from an economic consolidation perspective. It’s coming from, holy shit. I’m gonna have to respond faster to cybersecurity events. And with a fragmented architecture of 30 or 40 vendors, I can’t do that fast enough, and I know these AI agents will be used against me who are gonna come chase me down and try and attack me.

And then a week doesn’t go by where somebody doesn’t get breached. In fact, as you might have seen in the last week, even some of our Salesforce data got compromised, and so did that of six hundred nine nine other companies. So 700 companies got breached in some way, shape, or form because of an API or an agent of a third party app that had too much access to our data. And that’s gonna happen more and more.

Fatima Boolani, Software Research Head, Citi: Nikesh, what I’m hearing from you is and and by the way, I think this is one of the most fervent debates in the investor community right now, specifically with the software investor community on who gets paid on AI. I mean, certainly, is a case to be made on the application software side where maybe there’s not that much inspiration on that side right now, but certainly a ton of debate that’s fomenting on who is actually gonna get paid on AI. And what I’m hearing from you is that there is a lack of maturation and, frankly, critical mass of productionized AI environments for you to step in to wrap guardrails around that. Right? So with with that precursor and that preamble in mind, you said something interesting, and and I I think I can go on that thread.

You always say interesting things. So you know? Is there necessarily a prerequisite of an art IT infrastructure and IT architectural evolution for you to then step in to, you know, provide the safeguards from an AI perspective. Kind of like how we saw in COVID where, you know, the SASE transformations begot network transformations, happened because of COVID, which created this this impetus because all of us ended up working from home. Right?

So a long winded way to ask you, is there a chicken and egg situation where we have to wait for the underlying infrastructure at most large organizations to evolve and modernize before AI security can be, you know, a juggernaut on its own?

Nikesh Arora, CEO, Palo Alto Networks: You said a lot of things. Let me break it into two or three parts. One part is, I think a lot of us have the impact of AI on software wrong. Right? And we can talk about that if you want to or we can talk about security.

There’s gonna be whole revolution need over there, and it’s not simple copilot that sit next to your product. I think products will fundamentally need to be reinvented. And what I mean by that is most software for enterprise is designed in the end resulting in series of dashboards, which then humans are supposed to look at and say, what’s my problem? How do I solve the problem? What do I do with it?

If you have the data structured right and you’re able to create the dashboard, you should be able to now with some version of AI, figure out the anomalies. The next step is you should be able to fix it. So I think you’ll see a lot more software get reengineered where it’ll be more do this task for me either at the prompt of a user or by itself, and that requires a full transformation of the software stack in a way to make it AI ready and make it work. So, you know, picking our book, we’re working hard in every one of our products to see how can we turn from a dashboard and discovery product into a fix it product so our customers actually get the benefit of the outcomes we can create as opposed to the analytics only. So I think that that’s gonna happen across every space.

And it’s gonna happen to most fast software that we use, and that needs to happen. It’s not gonna be Copilot from the long term. So let’s put that aside. I think your question around when does the AI security wave hit, I think it there’s already an awareness and realization that if I don’t get my infrastructure modernized, I will not be ready for AI based attacks. So I don’t need we don’t need AI to productionize for people to start feeling the pain that, oh my god.

If I don’t get my shit together, now they are beginning to understand everything in IT is a data problem. Even security is a data problem. How do I transform myself? How do I get myself into a happy data space solve the security problem? In terms of AI security itself becoming a thing, the day you tell me that look at this cool AI app Home Depot has and look at this cool AI app JPMorgan has, look at this cool AI app Goldman Sachs have, trust me, they’re gonna have buy a lot of security.

Fatima Boolani, Software Research Head, Citi: Look at the school apps app Citigroup has?

Nikesh Arora, CEO, Palo Alto Networks: That’s right. Right. Right. Right. Yes.

That one too.

Fatima Boolani, Software Research Head, Citi: Yes. You know, I think you’ve had very strong and prescient views on the impact of AI. That’s very apparent. You’ve also made very bold and early bets with Prompt AI, which was a deal you did earlier this summer.

Nikesh Arora, CEO, Palo Alto Networks: Protect. That’s a different company than Prompt, but same difference. Sykes City, Goldman, Palo Alto, Cisco. You go. Yes.

Fatima Boolani, Software Research Head, Citi: Tomato is tomato. What does Palo Alto’s portfolio look like from an AI security perspective? And is the ultimate vision to own the entire AI value slash supply chain from a protection standpoint?

Nikesh Arora, CEO, Palo Alto Networks: So two schools of thought. One school of thought says that everything will have to transform with AI, so it’s gonna be sort of it’ll be across the entire enterprise. It won’t be a separate thing, in which case your SaaS app will have AI in it. Your email will have AI in it. So we can’t take it out and say, AI, sit over here.

Everybody else is here. Everything that you do do in enterprise will have AI. Today, my Gmail is summarizing using Gemini, I need to make sure that Gemini is secure when it runs in Gmail. I don’t have to wait for, say, oh, Gemini, you sit here. So I think there’s gonna be AI features built into every product that we have that will check if AI is not doing something different.

So that’s gonna happen. Everybody has to enhance our products to take advantage of AI use case. For example, we have a firewall that works on the data center. It works at the edge. Now our software firewalls has AI traffic inspection capability.

It’s not a new product. It’s sitting in the product of software firewall called AI firewall. Or if I write code using cursor versus humans, do I have different product that checks the code that cursor writes, or do I have the same product that checks the code humans write and apply that product towards cursor? More likely the lattice than the form. Right?

So every product that we do will have to make sure that it anticipates and inspect for the AI use case. In addition to that, the net new part will be every enterprise is gonna build an AI stack. I’m gonna have my LLM. I’m gonna have my VectorDB. I’m gonna have some sort of prompt engineering or inference engine.

And at last count, we discovered, to our amusement and Dismay. Dismay that within Palo Alto, we have 37 models being used. We didn’t know that until we built an AI discovery product saying, go discover the models we have. Holy shit. 30 seven’s a lot.

I mean, if you’d asked me, I’d say two, maybe three. I think that story will play itself out in every enterprise that enterprises don’t know. A developer can go to Hugging Face and download an LLM and deploy it in their laptop and be doing an experiment and use your corporate data in that LLM. And you have no idea if the LLM was made in unfriendly countries, which is has a backdoor to the country with your data in it. So if I’m a chip designer, I say, you know what?

My boss said don’t use a public LLM, but I can always go look at an open source LLM from Hugging Face, download my laptop, run my chip design against it. You just don’t know that it has an open connection in Internet in the back. You just cut, copy, paste your chip design and do some database in some other country that you don’t want it to go to. So at some point in time, when you start building your AI stack, you will have to ring fence at the security. You have to make sure that it has guardrails.

And that’s where I feel the AI security opportunity is. In addition to transforming everything you do and ensuring that you’re inspecting the AI use case.

Fatima Boolani, Software Research Head, Citi: Now imagine the very incipient and embryonic stage we are at with every single day we have these mammoth innovations coming out of the the foundational model companies. And, you know, you you alluded to Anthropic, and they’re they’re around. So, clearly, a lot of value creation happening there. But how does that A

Nikesh Arora, CEO, Palo Alto Networks: lot of spending happen.

Fatima Boolani, Software Research Head, Citi: And spend and and spending happening. How does as an allocator of research and development capital around AI AI security and all of sort of the niches that you talked about, how does that complicate or empower your r and d strategy where you might be chasing innovation that might prove to be a flash in the pan in six months or becomes commoditized very, very quickly because we’re having these very shallow cycles. Right? So how are you thinking about that? And, ultimately, from a dollars and cents perspective, driving yield and leverage from your r and d investments because you’re obviously trying to skate to where the puck is going with respect to AI.

Nikesh Arora, CEO, Palo Alto Networks: Yeah. It’s a good question. So let’s break it down. The good news is we’re not in the model business. And the best news is the people building the models are putting the tens of billions of dollars required to train them and letting us pay by the drink, which is great, which means somebody else has the capital intensive model.

We have the subscription model. So if I don’t use it, I don’t end up spending a lot of money. That’s a good thing. We like that because that allows us to experiment and not have to go deploy a billion dollars to build a stack that allows us to train our LM. So let’s leave it there.

That’s one part. I think there are two big transformations every enterprise will have to make. One is data, the other is talent. On the data front, most companies are not collecting AI friendly data. And let me explain what I what I mean by AI friendly data.

If you take the example of a self driving car, GM was not collecting mapping data on every street that GM drove. Like every GM car drove, they were not taking pictures of everything around the street, saying, is the tree? What is the plant? Where is the plant? Where is the tree?

You had something like scale dot ai that was labeling, you know, $10,000,000,000 worth of data for every car company for five or seven years before they actually got an AI friendly data environment to be able to build self driving cars on because you had to know the true case and the false case from a data perspective. You need the same thing in every AI application you build. If you wanna use customer support, you need to know what a good solution looks like versus the wrong solution. You collect the data in such a way. So one, every company will have to go through some version of a data transformation or data collection strategy.

That is nonregrettable. You can invest money in that, and you will get a return when you get the data right. You can do it now. You can do it tomorrow. You can do it in six months.

My data is no use not no use to Jay Chaudhry. His data is no use to me. He’s got his own products on my own. I have to do my own data collection, my own, you know, true case and Mhmm. Wrong case.

So that is a non regrettable problem. You can solve the problem. 75% of our employees are not AI ready. They think traditional first. Right?

And I’ll compare and contrast. So you’re writing a software application today, working at Palo Alto, Salesforce, Workday, you write it a certain way. If you’re working at Cursor, you write it a different way. Cursor doesn’t have traditional UI. It has a UI, which is the AI UI.

It’s a prompt you ask, you talk to it. And the good case, the bad case, all built into that interaction. In our case, we get a dashboard. And sometimes the dashboard will say, here’s the conclusion. Here’s how you solve it somewhere.

I don’t know. So there are AI ready talent out there, which we need to make sure everybody in our company’s AI, which is, I think, the hardest problem. Getting four, five thousand people who are in decision making situations to start understanding the new technology and start getting ready is a big challenge. Outside of that, I think the third place is you gotta watch out is don’t start building internal AI productivity apps. There will be third party apps like SaaS was.

Let them do it for you. When they’re ready, use them. So we don’t want to spend money in building applications we think the market’s going to build. We are focused on the data transformation, the product development, mental transformation and the people transformation.

Fatima Boolani, Software Research Head, Citi: And what about the M and A process? Because you haven’t been shy about being acquisitive in, again, very bleeding edge areas. I mean, you were

Nikesh Arora, CEO, Palo Alto Networks: With CyberArk?

Fatima Boolani, Software Research Head, Citi: Oh, we’ll get to that. Don’t worry. You know, you’ve you’ve definitely taken a very strong stance on acquiring bleeding edge assets to drive velocity around category creation and category absorption. Right? So how does, again, the rate and pace of innovation in the broader AI industrial complex influence the way you think about m and a from here?

Nikesh Arora, CEO, Palo Alto Networks: I think

Fatima Boolani, Software Research Head, Citi: because the obsolescence again, the to to emphasize the fact that the obsolescence factor, and risk factor is so much higher.

Nikesh Arora, CEO, Palo Alto Networks: Yeah. If you if you subscribe to what I said that the harder problem in AI to be useful in the enterprise is a data problem and a people problem. I don’t know if a third party startup in the enterprise software space can, in twelve to twenty four months, come up with such an amazing product that I feel that I must have it because they will need to build their product with access to my data. And by the way, anyone’s data, not just mine. Right?

So if you wanna build a better Salesforce or better Workday or a better whatever have you, you need access to data. You need to be able to come in and plug it in and to understand all the use cases. So I think the the anxiety is misplaced that all this stuff is gonna go away very soon. I think it’s gonna stick around for a long time. They have to build real value as a startup ecosystem to be able to actually be useful.

A lot of the startups you see in the AI space are solving a very small point problem. The risk is you just perpetrate the same fragmentation you had in the industry, which you’re trying to get out of back again because you have this paranoia. This AI is gonna fix it for me. There are some cases like data security where you might have some techniques which are never available before, but that’s more innovative as opposed to an AI read app or rewrite of of yeah. I think the opportunity is still have to be in systems that manage, process, understand large amounts of data from an AI perspective, let’s so peep let’s so peep for holding workflow sitting on top of my data.

Fatima Boolani, Software Research Head, Citi: I know investors like to and and certainly, I do as well, like to think about, transformations with some historical precedent and analogs. Right? So as you think about the evolution within the AI security space, both security for AI and AI for security, so with both those lenses, how much of what we saw in the cloud realm and cloud security realm where there was so much alphabet soup of CSPM, CWPP, CIEM? How much of that are you seeing repeated in kinda this this gold rush for AI security? And you kinda said that yourself.

Right? We’re, you know, going down the path of sprawl before we consolidate it again. How much how valid of an analog do you think that is?

Nikesh Arora, CEO, Palo Alto Networks: I think a lot of the things that we built for the cloud world will be applicable in the AI world, so you’ll have to expand your product. But you still need, let’s say, a new product called AISPM, AI security posture. And you need to understand the AI artifacts, your models, your databases, etcetera. So you’ll need some of that. We’ll need an AI firewall, which is an extension of a cloud firewall.

So you can call it a cloud firewall with AI capabilities. You can call it AI firewall. Depending if you’re a startup, you’ll probably call it AI firewall. If you’re an incumbent, you call it cloud plus AI firewall. Right?

So, yeah, I think that’s where all the action is. I don’t think there’s there’s gonna be agentic AI security, which I it’s a whole different conversation. We can take forty five minutes. I don’t I’m not there yet on agentic AI. I think there’ll be nonhuman identities that need to be managed.

That’s more of an identity problem, and we’ll talk about that in the context of cyber work, than an agentic security problem. And I’ll do a segue here because I did that with a with a smaller group. Look. I’m pretty sure everybody in this room is convinced that with tens of billions of dollars being spent every month in AI, something’s going to come out of this thing. You can all see the impact on the consumer space.

Yesterday morning, we launched an ad campaign. The entire ad campaign was built using AI. We built one last year with Keanu Reeves over six months. We built this in thirty days. Last time was Keanu Reeves because we need a live person.

This time, it’s Benjamin Franklin, Marie Curie, Alexander Graham Bell. You know what is consistent about these people? They are no longer alive. We brought them all back to life using AI. They were kind of free.

We didn’t have to pay them $5,000,000 like we had to Keanu. And they did not want artistic control about what they said, interestingly enough, which we had to do with Keanu. So we got it done in thirty days instead of five months. It cost us less than $100,000. The last one cost us millions of dollars, and we didn’t have to build a set and shoot in LA for thirty days, and then nor did we have to go to the Actors Guild and get involved with them.

This ad campaign so this stuff’s gonna happen. There’ll be tons of use case in the consumer space, the enterprise space they’re gonna build. We believe that. If you believe all the hype around agentic AI, and you can imagine that, you know, Dario from Anthropic is building an agentic browser, Google is gonna turn Chrome into one, Perplexity is building one, and there’s gonna be a few more. I think Atlassian just bought a browser company this morning.

We bought one one year ago, a year and a half ago now. So if you can imagine a scenario that your agentic browser is gonna book you your next airline ticket and get your restaurant reservation and get DoorDash delivered to your house and your groceries done and pick your favorite activity, that agentic browser can only do that with your credentials in your browser. It’ll have to borrow your credentials to go do it. Log in to Uber Eats, log in to OpenTable, log in to DoorDash. You know, one constituency that hates that idea is CIOs.

They don’t want your credentials being used by any automated piece of software within the browser. So this is a tough prediction, and we’ll see if I have egg in my face. But I think if agentic browsers become real, they will be banned in enterprises.

Fatima Boolani, Software Research Head, Citi: Well, speaking of credentials

Nikesh Arora, CEO, Palo Alto Networks: Yes.

Fatima Boolani, Software Research Head, Citi: We gotta talk about CyberArk.

Nikesh Arora, CEO, Palo Alto Networks: There in a second, but I’m telling you let me finish the last sentence. That one, Vagintic consumer browsers get banned in enterprises, a whole series of secure enterprise browsers will be needed. We bought one eighteen months ago or one of two players in the market. Now we can talk about CyberArk.

Fatima Boolani, Software Research Head, Citi: We’ll come back to that. So Okay. It’s actually refreshing to hear you’re less hyperbolic about agentic AI. But in the context

Nikesh Arora, CEO, Palo Alto Networks: But it’s great talking point. It gets into a lot of meetings. Yes.

Fatima Boolani, Software Research Head, Citi: It gets everyone all excited. There’s so much sizzle. Right? But, you know, let’s get down to brass tacks. You announced your intention to acquire CyberArk this summer.

You know, by all accounts, it is your single largest, most transformational transaction in your seven and change years at the company. Now, look, I I can fully appreciate that you’ve bucked con wisdom time and time again. But, you know, I think there is a lot of, sort of trepidation on a number of different facets as to what this means for you. What bets are you making that CyberArk is better under, you know, the the the Palo Alto umbrella than independent? So just sort of help us understand what the the bulls are maybe not bullish enough on and what the bears are totally getting wrong with with a a $25,000,000,000 check to CyberArk.

Nikesh Arora, CEO, Palo Alto Networks: Bulls and bears? Oh, people in your industry who don’t like it and people like it. Got it.

Fatima Boolani, Software Research Head, Citi: Alright. There’s more bears than bulls.

Nikesh Arora, CEO, Palo Alto Networks: Okay. Well, good for them. That makes it a opportunity for the bulls. Exactly. That’s how you make money.

If everybody saw the same thing, we have a problem. Right? It’s good. It’s good for the market. Anyway, look, seven years ago, when we were probably sitting on a stage similar, there were more bears than there were no bulls when I took the job.

And at that point in time, we decided we want to be a multi swim lane cybersecurity company. The last seven years, we have anticipated and built four swim lanes. And in three of those swim lanes, we have built a billion dollar ARR businesses in under seven years. Not a bad thing. Not a bad shit if you can get it.

And we have stayed away from identity for the entire period of time because we’ve said every time we want to enter a market and be big in it, if there’s an inflection point. And we didn’t see an inflection in identity until about eight or nine months ago. We’ve been analyzing the market and understanding it. We believe with the conversation around agents and the fact that agents will start taking over credentials and start doing things is going to create a relook at the credential and identity infrastructure in a company model. Two, eighty nine percent of breaches still happen because of credential theft.

Somebody’s credentials get stolen and used to extract or exfiltrate data. Three, the way the identity industry has operated is in this world of what is called identity access management, IAM, think Okta, or PAM, privileged access management in CyberArk. The fundamental difference is if you work in a company, which I think all of you do, many of you get a badge. When you use it on your first day of work, the badge allows you to enter the building. Once you’re in the building, you pretty much go everywhere except perhaps a few rooms which have another badge against them, but everywhere else you can go.

That’s called identity access management in the digital world. You can log in, then you can do whatever you want in your enterprise systems. Nobody tracks you. Nobody keeps follows you. Nobody has a video of what you’re doing.

You just do what you want. It’s called I’m That’s what single sign on I’m is called. And if an IT administrator, everything you do is logged and kept track of because you have access to the crown jewels. So you probably go into your server room. There’s probably a camera in your server room in your company.

You’re probably the CEO’s office has a camera to make sure nobody goes in there. But everything else, you can go everywhere. We think that model is broken that needs to be changed. We think every identity needs to be tracked and followed and logged in the digital sense, which means we think everybody needs to become a privileged access user, not an IAM user. Let’s assume why did they start that way?

They started that way because the cost of deploying these two models was one is to 10. It took 10 times more to deploy privileged access management and one tenth cost to go deploy identity access management. So you can buy an IAM seat for $8 to $10 you have to pay $100 to buy a privileged access seat. Interestingly, you have two different players in this space. It takes CyberArk anywhere from six to nine months to deploy a customer.

They have to build special connectors to every room, every server, every data room to make sure that you have the privileged access available. So they’ve already done the hard work. The question is, can we get them to be able to do all the work required to be an identity access user in addition to being a privilege? We think we can. So we think CyberArk allows us to have a product that satisfies the user employee identity use case, not the type of user use case, which is where the fragmentation comes in.

I walk in, you follow everything I do. If I go to a privileged area, you have more controls than privilege. Otherwise, you’ll keep track of me as an employee. The breaches happen because there’s a guy in finance who has access to SAP system who’s not a privileged user, but he can take your earnings and release them two weeks before. Is that a breach?

It’s a breach. But in the traditional sense, not a privileged user. So we think every user should be followed within the next twenty four months. That is what’s going to happen in the market. It’ll happen to every agent, every nonhuman identity for which we need an identity play.

Then the question is why don’t you buy a startup and do it like you did the last 24 times? Why buy an incumbent? Because the value or the disruption in trying to replace a company’s entire identity infrastructure is too high. CIOs will not replace their identity yeah, architecture infrastructure because they don’t know what’s going to break. And if you break identity, you shut down the company, right?

If you broke the identity system in a trading system, identity got dislodged and your trading systems go down in company, the CIOCs don’t have a job. It’s worse than a breach. So nobody wants to touch the identity infrastructure. So you have to go in as an identity player in the market who’s doing the harder job of identity, not the easier job. So long story for sure, we bought CyberArk because we think, and by the unequivocally every customer we’ve talked to of CyberArk is delighted we bought them.

CyberArk is delighted to be part of Palo Alto. So it’s a good move from a customer perspective. They have 8,000 users with 8,000,000 endpoints, you have 100,000,000 endpoints recover. We think we can take that 8,000,000 endpoints and try and expand them into our user base and to their own user base. We think we can build incremental products.

We think financially, we can gravitate them to our margins on cash flow and operating margins. So all in all, it’s I think the industrial logic is very strong. I think time will tell if we got the inflection right. And then you have to trust that in seven point five years, we have one of the better track records in M and A in cybersecurity and software across the industry. And you have to trust management that will do our job.

Fatima Boolani, Software Research Head, Citi: I don’t know if you can

Nikesh Arora, CEO, Palo Alto Networks: speak For those who don’t trust, they should sell their shares to the bulls. And then they can buy them back and we can grow stock from the bulls.

Fatima Boolani, Software Research Head, Citi: How we make market.

Nikesh Arora, CEO, Palo Alto Networks: That’s exactly right.

Fatima Boolani, Software Research Head, Citi: I don’t know if you’re conspicuous in not mentioning this, but how does CyberArk advance the AI strategic roadmap and the agentic AI product roadmap? And maybe you can put Lee Klaritch’s hat on. You don’t have a sideburn, so I don’t know if you can fit the bill.

Nikesh Arora, CEO, Palo Alto Networks: Look. The other part of CyberArk’s business, bought a company called Venafi, which is the nonhuman identity part, the certificate lifestyle management. I think at the end of the day, you know, if you believe everything can’t believe everything Mark Vanian and McDermott say, but if you believe the idea that agents are going to get more prevalent in organizations and they will be fungible between humans and agents, then everything becomes an identity of either a nonhuman kind or a human kind. The question is, you still have to understand credential across both those instances and see how identities mesh and work with each other. So I think the identity needs a platform approach.

It needs an approach where every identity is managed from the beginning till the end and needs to understand that it needs to be tracking both human and nonhuman identities. So today, this is fragmented across four different products in the industry, four different categories. We think they all need to become one, and that’s where the opportunities with the Venafi acquisition, with the Zilliqa acquisition, identity governance, that CyberArk did with their PAM product and the I’m product that they have.

Fatima Boolani, Software Research Head, Citi: Let’s talk about keeping the lights on at Palo Alto. And what I mean by that is, you know, all this AI opportunity and the secular tailwinds are great, but you’re running a core business that is a stalwart. Right? And I think one of the pieces that gets a lot of investors hot and bothered is the the firewall franchise. Right?

There’s you know, there is absolutely cyclicality in that business. I think you’ve not been shy about expressing that. But in in terms of the whole notion of the death of the firewall being greatly exaggerated, where are we on this curve of disillusionment after several years of, you know, atypical and aberrant trends? And when you think about, again, AI, what does that do to the medium and long term trajectory of how all of us should think about the the firewall business?

Nikesh Arora, CEO, Palo Alto Networks: Look. I I think thinking about the firewall business in piece parts is the wrong thing to do. Mhmm. And I’ve said this before, I apologize. I’m repeating myself.

The amount of digital traffic in the world continues to compound every year. AI is only going to compound it further. To deliver security, all traffic has to be inspected by a security product, Whether it’s traffic coming from your laptop going to your company, whether it’s traffic coming from a nonhuman identity, whether it’s traffic coming from hardware, all traffic has to be inspected. It gets either inspected in a through a hardware firewall, a software firewall, or SaaS. That’s how traffic gets inspected.

Even AI traffic will be inspected by any industry. If you believe that the traffic is going to continue to compound even faster with AI and all the data going in the cloud, you have to believe that inspection will continue. There’s no other solution. Inspection doesn’t go away. Like there will always be security scanners at the airport, unfortunately, if you’re traveling.

They’re not going to go away. We’re kind of like the same thing. We cause latency. We make it slow. It’s a little irritating, but we’re going to be around for a long time.

So if you believe that, then the question is, where does the money come? Does it come in hardware? Does it come in software? Does it come in SASE? From a product development, quality, delivery, margin perspective, my software and SASE business are way better than my hardware business because hardware, got to go produce it.

I got to get chips from some different parts of the world. I got to go do quality control. If it doesn’t work, I have bring it back. I have to send you a new one. It’s hard to upgrade software because customers decide when to upgrade the software.

In software and SASE, I do the upgrades. You can’t touch it. So it’s a much more efficient operating model. It’s a much more secure model. So the more the business moves from left to the right, the happier I am.

In seven years, we have taken our hardware 100% hardware business and 60% of it, that has been migrated to software. And a hardware business still grows at 5% to 8% on average a year. So I’m happy. I don’t know why people are not happy.

Fatima Boolani, Software Research Head, Citi: I’m I’m pretty happy.

Nikesh Arora, CEO, Palo Alto Networks: That’s good. It’s only you and I are happy that these guys are happy.

Fatima Boolani, Software Research Head, Citi: And what I’m happier about is using that as the linchpin to build what is a $5,600,000,000 next generation security business. This was, by my count a three quarter one quarter of a billion dollar business seven years ago when you came.

Nikesh Arora, CEO, Palo Alto Networks: So zero when I came.

Fatima Boolani, Software Research Head, Citi: So virtually zero. We’ll round down to zero. So sub $300,000,000 closer to zero, you’ve 20 x to this business in the last seven years in excess of 30% growth pretty consistently. You’ve got goals to two and a half x this franchise in the next five years. Right?

And this is as a reminder completely on an organic footing. This

Nikesh Arora, CEO, Palo Alto Networks: is you know Not including CyberArk.

Fatima Boolani, Software Research Head, Citi: Not including CyberArk. These are big numbers. So I I wanna get a better sense from you on the the micro, the bottoms up factors that are going to help you achieve these objectives are going from roughly six to 15 in the next five years.

Nikesh Arora, CEO, Palo Alto Networks: Yeah. I think, look, if you go back in 2018 when we first met, we had zero in this business. If I told you in ten years, we’ll be a 12,000,000,000 to $15,000,000,000 ARR business, you’d laugh me off the face of the whatever, right? So what we’ve come to realize is that, like every enterprise business, you want to sell more to the same customer. The scale of Salesforce is such that they sell more to the same customer.

Look at every platform business and software, whether it’s Salesforce, Workday, ServiceNow, the idea is to build more functionality, sell it to the customer, add value, create value, and that’s what drives your outcomes. Cybersecurity did not have such a player. So we, after five to six years of product development, being number one in 24 Magic Warden and Gartner, became to the conclusion that integrating these much better from a technical perspective, giving the outcomes is what the customer needs. So we have them available in their own form factor, but also more effective than integrated form factor. We started tracking the integrated customers, integrated sales.

We’ve discovered that, a, these customers pay us a lot more than sliver customers because they have more products from us. They have the best NRR. Our NRR for our platform customer is 120%. We’ve never had Hunter x NRR in any of our product categories because we’ve never been a platform business. So if I can maintain my NRR in the 15 plus percent range, 115% plus range, take my number of platforms from fourteen fifty, which we announced last quarter, take them to 3,000 or slightly more, we can take this business to that $15,000,000,000 range in the next five years.

And we’re very focused on the platform business. It’s land one product, expand that into a platform, deploy the platform, show up and ask customers to give you more consolidation.

Fatima Boolani, Software Research Head, Citi: Platformization was a new vocabulary word you coined about a year and a half ago and really shook everybody up a little bit. So you got eighteen months of platformization selling underneath your belt. The sales org is better, faster, stronger, more mature in articulating that vision to the customer. But I’m gonna I’m gonna pause it to you that, you know, does that potentially come as a double edged sword because what you are championing is a lot of your very large customers continue to incrementally consolidate their foot their product footprint with you, but also your their risk footprint with you. Right?

So on the one hand, how are you mitigating some of the natural, maybe, pushback you’re getting on? Well, I can’t have one vendor do so much of my cybersecurity because that’s a systemic risk issue just from a cyber hygiene perspective. And and please feel free to disagree. And then secondarily, from a financial model perspective, these are potentially multiyear, very large deals that you’re doing. Right?

You know, $50,100,000,000 dollar plus deals. Just from a a financial model volatility standpoint, how do you mitigate some of the effects of, hey. You’re gonna have some renewal cliffs happen every three to five years where you have these big chunky customers due for $100,000,000 plus renewal?

Nikesh Arora, CEO, Palo Alto Networks: So many questions. Let me start from the last one, that’s the one I remember. We’ve discovered once you platformize a customer, there is no road back because you have a software power from Palo Alto, 100 power power power power power power power If you ever decide to rip us out, you’d have to replace us with three vendors and build the entire control pane between the three and make the integration happen. And like I was talking to the customer, it took them three years to replace 500 firewalls we put them in. You you have to decide at your last renewal that you don’t intend to renew with me, and you have to start there.

You can’t replace a network security platform from Palo Alto in under three years if you are fully platformized across the board, or you can’t replace a SIM platform in less than twelve to eighteen months if you are fully platformized. So I don’t know what a renewal is. I think it’s a renewal opportunity to give them more functionality and sell them more as opposed to renewal cliff. So the NRR at 120% is that’s the reason it’s 120%. We don’t see churn.

So I don’t think there is a renewal risk. You did say there’s a, let’s call it, the consolidation risk. I I was trying to find the best analogy. I guess perhaps the best analogy, which is old, is I started my career at Fidelity in the technology team, and we had 23 applications which made up what is today called CRM. And over time, you know, three or four vendors emerged between Oracle, Microsoft, Salesforce, and others who provided you a single platform did 23 functions that allowed you to consolidate those 23 applications.

I’m pretty sure somebody had a conversation, oh my god, we’re consolidating our risk, but the value of that being together is so high that you say that’s the right answer. This is was the wrong answer. And that same movie is played out in HR systems, same movie is played out in financial systems. Cybersecurity is the youngest industry in technology. We only came about when connectivity came about.

Until your iPhones were connected to the Internet, there’s no need for cybersecurity. It was all data center driven, all terminal driven in the office. You walked in, IBM gave you a frame, mainframe, but terminals, you need security. Who did security then? You did client server architectures, you did liberal security, and did firewall inspection.

Now with the sprawl of the technology infrastructure, you need security every juncture. I think it’s just the stage of the industry where it is. I think ten years from now, you will not be buying sliver products, which are small products business based out of startups. I think that consolidation is happening. And I will say, look at our industry.

Seven years ago, everybody played in the swim lane. Today, everybody’s trying to cross swim lane. You take a look at the top 10 cybersecurity companies in the world, they are trying to get a product in the other swim lane, and you can ask, I’m pretty sure you have every I think that’s the trend. I don’t think that’s a risk the customer sees. The customer sees the value of these things being on one control plane, and then I’m go back.

Fatima Boolani, Software Research Head, Citi: Nikesh, my last question for you is, three years ago, you made a prediction that you’re going to be $100,000,000,000 market cap company. That’s absolutely come to a fruition, and I think it’s worth mentioning you were a $20,000,000,000 market cap company seven years ago. So I wouldn’t be a tiger mom if I didn’t ask you, where is the next 100,000,000,000 of market cap going to come from? And what things absolutely have to go right to have that outcome?

Nikesh Arora, CEO, Palo Alto Networks: Look, you guys do the math. I don’t think we need to change our financial profile from a more operating margin, free cash flow margin perspective, I’m talking just organically for us without the CyberArk piece. I don’t think we need to change anything in our operating profile financially to achieve our 15,000,000,000 ARR target in 02/1930. So twenty five and five years from now, we are 5,600,000,000.0 today on the next generation security, you get a 15,000,000,000. You guys are better multiple multipliers than I am.

You can figure out what that does. If you keep the multiple the same, I don’t know what the math says. You depress on multiple little bit what the math says. I don’t think there’s no math you can do which gets you less than a $100,000,000,000 going from 5,600,000,000.0 to $15,000,000,000. Just what organically we can do.

Then the question is what can we do with CyberArk? Can we do the CyberArk what we did to Palo Alto? Of course, they don’t have the option to go into multiple swim lanes. They can be the identity platform in the future. Even five years from now, we can make CyberArk of identity platform of the future as part of Palo Alto and take their 20 plus billion market cap and double or triple it.

That’s gravy on top of the $100,000,000.

Fatima Boolani, Software Research Head, Citi: Well, we’ll be watching from the sidelines.

Nikesh Arora, CEO, Palo Alto Networks: $2.50.

Fatima Boolani, Software Research Head, Citi: I like it. Wait. Make it 300.

Nikesh Arora, CEO, Palo Alto Networks: No. No. I’m not. I’m not investing in data centers in The United States.

Fatima Boolani, Software Research Head, Citi: Alright. Fantastic. And I think that’s a great place to put a pen in it. Thank you so much for an awesome conversation.

Nikesh Arora, CEO, Palo Alto Networks: Thanks, Latina. Nice to see Thank you, everyone.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.