Okta, Inc. Q3 FY2024 Earnings Call

Hi, everybody. Welcome to Okta's Third Quarter of Fiscal Year 2024 Earnings Webcast. I'm Dave Gennarelli, Senior Vice President of Investor Relations at Okta. With me in today's meeting we have Todd McKinnon, our Chief Executive Officer and Co-Founder, and Brett Tighe, our Chief Financial Officer. Today's meeting will include forward-looking statements pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to statements regarding our financial outlook and market positioning. Forward-looking statements involve known and unknown risks and uncertainties that may cause our actual results, performance, or achievements to be materially different from those expressed or implied by the forward-looking statements. Forward-looking statements represent our management's beliefs and assumptions only as of the date made. Information on factors that could affect our financial results is included in our filings with the SEC from time to time, including the section titled Risk Factors in our previously filed Form 10-Q. In addition, during today's meeting, we will discuss non-GAAP financial measures. Though we may not state it explicitly during the meeting, all references to profitability are non-GAAP. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. A reconciliation between GAAP and non-GAAP financial measures and the discussion of the limitations of using non-GAAP measures versus their closest GAAP equivalents is available in our earnings release. You can also find more detailed information in our supplemental financial materials, which include trended financial statements and key metrics posted on our Investor Relations website. In today's meeting, we will quote a number of numeric or growth changes, as well as discuss our financial performance. And unless otherwise noted, each such reference represents a year-over-year comparison. Now, I'll turn the meeting over to Todd McKinnon. Todd?

Thanks, Dave, and thank you, everyone, for joining us this afternoon. We want to kick off this call by addressing what's top of mind for everyone, so we're trying a new format this quarter. In light of the new security blog we posted this morning, we felt it was important to get the earnings release and guidance out before the market opened as well. At around the same time that the earnings press release hit the wire, we posted prepared remarks to the IR website, which contains some of my typical commentary around customer wins and other notable news from the quarter. This new format allows me to spend more time discussing the new information while also leaving more time for Q&A. I want to start by summarizing the update we shared in a blog post this morning related to the October security incident involving our support case management system. Upon deeper analysis of the event, we determined that the threat actor obtained the contact information of our support portal users across a significant portion of our customers, including the names and email addresses of all Okta admins, except customers in our FedRAMP High and DoD IL4 environments. While this information cannot be used to directly access an Okta environment and does not include user credentials or sensitive personal data, a threat actor may use the information for targeted phishing attempts. With this more detailed information, we felt strongly that sharing this information will help our customers better protect themselves against an increased risk of phishing and social engineering attacks. We have engaged a digital forensics firm to validate our findings and currently expect that they will complete their analysis in mid-December. Once finalized, we will share the report with customers and publicly. Now, let me address what Okta is doing to better protect ourselves from security threats. Over the years, we have dedicated significant resources towards securing our product environment. Given recent events, we recognize that we need to do more to improve the security architecture of our broader operations. That includes the applications we use, the hardware we deploy, and the vendors we work with. Over the past few weeks, we have taken several steps to further strengthen our security posture. We've initiated a hyper-focused security action plan by rallying the entire organization, as well as engaging with third-party security firms to fortify our team's efforts. The stakes are high, and we will do whatever it takes to protect our current and future customers. Bolstering our security environment is, by far, the highest priority for Okta. The job of securing the Okta ecosystem will never be done, but during this hyper-focused phase, no other project or even product development area is more important. In fact, the launch dates for the new products and features that we highlighted at Oktane last month will be pushed out approximately 90 days. The exception being Okta Privileged Access, which becomes generally available this week. Now, turning to our Q3 results. Top-line metrics were strong. We continue to experience particular strength with large customers. Similar to the past few quarters, our fastest growing cohort was customers with $1 million-plus ACV with growth of over 40%. It was also a strong quarter for new and upsells across our public sector vertical. We also produced record non-GAAP operating profit and record free cash flow in the quarter as we continue to demonstrate the leverage in our model. In other news, we're thrilled that Jon Addison, who has been our Interim CRO since the start of this fiscal year, has been appointed to the permanent position. With Jon's appointment as CRO and our continued confidence in the go-to-market leadership team, we have closed the search for a President of Worldwide Field Operations. Okta is driven by our vision to free everyone to safely use any technology. The measures we're taking to increase the security of Okta and our ecosystem give us confidence in our ability to move forward. We will come out of this even stronger because Okta is the only modern platform for neutral and independent identity access management, governance, and now privilege access. Before turning it over to Brett, I want to thank our employees for their tireless efforts. I want to thank our customers and partners who put their trust in Okta every day. I also thank everyone who supported us at Oktane last month where we had over 4,000 people at the live event in San Francisco and over 19,000 viewing online. Now, I'll turn it to Brett to walk you through more details of our financial results and forward outlook.

Thanks, Todd, and thank you everyone for joining us today. The actions we've taken over the past few quarters to drive efficiencies in our cost structure continue to yield impressive results. I'll review our third quarter results and our outlook, but first I'll start with some commentary on the macro environment. Macro headwinds, while stabilized, continue to impact our business. Metrics that we use to gauge the macro environment, such as contract duration, average deal size, and pipeline mix, were largely consistent with what we experienced in the first half of the year. Separately, we published the advisory regarding the recent security incident on October 20th, which was 11 days ago in the quarter. While business at the close of the quarter slowed somewhat, our overall financial performance in Q3 was strong. Turning to Q3 results. Total revenue growth for the third quarter was 21%, driven by a 22% increase in subscription revenue. Subscription revenue represented 97% of our total revenue. International revenue grew 20% and represented 21% of our total revenue. FX had a minor impact on total revenue growth, but was a 2-point headwind to international revenue growth. RPO or subscription backlog grew 8%. The general shortening of contract term lengths signed over the past several quarters has impacted total RPO growth. Our overall average term length remains just over two-and-a-half years. Current RPO, which represents subscription backlog we expect to recognize as revenue over the next 12 months, grew 16% to $1.83 billion. Turning to retention. Consistent with prior quarters, gross retention rates remained strong in the mid-90% range. Our dollar-based net retention rate for the trailing 12-month period remained strong at 115% and was driven by both upsell and cross-sell activities. Similar to the past few quarters, macro-related pressure resulted in smaller seed expansions than in previous years. We believe this trend will persist in the current environment. The net retention rate may fluctuate from quarter-to-quarter as the mix of new business, renewals and upsells fluctuates. As I've noted previously, we've experienced a macro-related shift in our business mix to more upsell and cross-sell versus new business. Before turning to expense items and profitability, I'll point out that I'll be discussing non-GAAP results unless otherwise noted. Looking at operating expenses. Total operating expenses for the quarter were lower than expected. The better-than-expected profitability is due to the combination of revenue overperformance and our continued focus on spend efficiency measures. Total headcount at the end of Q3 slightly increased sequentially to approximately 5,900. Q3 free cash flow was a record $150 million, yielding a free cash flow margin of 26%. Free cash flow was significantly better than expected, driven by billings and strong collections. During the third quarter, we opportunistically repurchased $150 million of our 2026 convertible debt notes. This resulted in an $18 million GAAP-only gain. Over the past three quarters, we've repurchased $900 million of debt, resulting in a $91 million GAAP-only gain. We will continue to regularly evaluate our capital structure and capital allocation priorities. Our balance sheet remains strong, anchored by $2.13 billion in cash, cash equivalents and short-term investments. Our cash, cash equivalents and short-term investments position, net of remaining convertible debt, is $820 million. Now, let's turn to our business outlook for Q4 and FY '24 and a preliminary look at FY '25. As always, we take a prudent approach to forward guidance. We are factoring in a stable but still challenging macro environment. We're also factoring in the recent security incident. For the fourth quarter of FY '24, we expect total revenue of $585 million to $587 million, representing growth of 15%; current RPO of $1.875 billion to $1.880 billion, representing growth of 11% to 12%; non-GAAP operating income of $102 million to $104 million, which yields a non-GAAP operating margin of 17% to 18%; and non-GAAP diluted net income per share of $0.50 to $0.51, assuming diluted weighted average shares outstanding of 180 million. For FY '24, we are raising our revenue outlook by $30 million at the high-end of the range. We now expect revenue of $2.243 billion to $2.245 billion, representing growth of 21%. We are raising our outlook for non-GAAP operating income by $65 million at the high-end to $283 million to $285 million, which yields a non-GAAP operating margin of 13%. Non-GAAP diluted net income per share is raised to $1.47 to $1.48, assuming diluted weighted average shares outstanding of $179 million. We are raising our free cash flow margin outlook for FY '24 to 19% from 15% previously. On a dollar basis, that's a raise of over $90 million and sets us up to close the year achieving the Rule of 40. While we are still in the early phases of financial planning, we would like to provide a preliminary view of FY '25. I'll reiterate that we are prudently factoring in a stable but challenging macro environment as well as potential impacts from the recent security incident. We continue to focus on expense control and estimate a non-GAAP operating margin of approximately 17%. We're also targeting free cash flow margin to be at least 19%. From a revenue perspective, we estimate total revenue to be in the range of $2.460 billion to $2.470 billion or growth of approximately 10%. We are applying a static 26% non-GAAP effective tax rate for FY '24 and FY '25. To wrap things up, we are confident that we've set the path of profitable growth for years to come. We continue to focus on initiatives to drive the top-line while making significant progress to drive improvements to our operating and cash flow margins.

Thanks, Brett. I see that there are quite a few hands raised already, so I'll take them in order. And in the interest of time, please limit yourself to one question so that we can get to everyone, and then you're welcome to queue back up for additional questions. And with that, we'll go to Brian Essex at JPMorgan.

Great. Thank you, and thanks for taking my question. I guess I'll start off with the easy one, and that's the preliminary fiscal '25 outlook. And I just want to ask you in the context of, I guess, taking into consideration two issues in particular. One would be the impact, as you guys alluded to of the most recent breach on your pipeline, close rates, customer relationships. And the other would be, I guess, the need for you to improve your relationship with channel partners in order to drive better growth. So, with regard to that preliminary outlook, how should we think about assumptions baked into that outlook, particularly as it relates to traction or churn with customers and contribution from partners considering these issues? And where in the spectrum of guidance can we consider this forecast to be?

Thank you, Brian, for your question and for joining the release this morning before the market. It was a bit unusual given the customer advisory situation, but we appreciate your coverage and that of your colleagues. We understand this was something you weren’t expecting. I'll begin by discussing the business strategy behind our guidance, which I believe will be helpful. At Okta, it is very clear that security is our top priority. Over the years, we have emphasized security, balancing it with other priorities like growth and new product development. Historically, our efforts have focused on product security and infrastructure, ensuring they are robust. However, we've realized that what we have done is no longer sufficient. Okta is one of the most targeted companies in the world due to our leadership in identity access management, placing us alongside other cybersecurity firms that face relentless attacks. Therefore, we must elevate our defense capabilities to protect ourselves and our customers. As we move into the end of this year and next year, everyone at Okta recognizes that our number one priority is securing Okta and our customers, above all else. Following security, our second priority is achieving profitable growth. This is reflected in our business strategy and the guidance we provide to our teams. We are currently engaging in a 90-day all-hands initiative focused on generating ideas from the ground up about security efforts across the company, while also seeking insights from external industry experts to support our internal talent. We've implemented this approach in varying degrees in the past, but we are now intensifying our efforts to involve the best minds in addressing these challenges. It’s important to us that this is not just a temporary change but an ongoing evolution of our culture towards being one of the most secure companies in the world. It's worth noting that when Okta started, our primary focus was on enabling technology and facilitating cloud adoption, rather than being a cybersecurity company. However, that perspective shifted a few years into our journey, and we now recognize that the standard we must meet is to be the most secure company in the world.

I would like to add a couple of comments, Brian. It's nice to see you, and I appreciate your question. Regarding our guidance philosophy, it remains consistent with our previous approach. For several years now, we have provided this early look, which is a cautious assessment. We are looking ahead to a significant Q4, and we are considering two major factors: the macroeconomic environment and the security incident. It is important for us to be careful with our guidance at this point, especially given how far away we are from the end of FY '25.

No, you raised the question about the channel partners. I would say that this is an ongoing effort and a continuation of what we've been doing this year with our enhanced partner program. We're clarifying the partners we’re collaborating with and focusing our investments on those that are truly impactful. This has been an ongoing topic in previous calls, and we are actively executing on it, seeing benefits in the business as a result.

Do you have the pipeline internally to hit that number without incremental improvement in partner contribution? Or how confident you're with that 10%...

We're very happy with where the pipeline is.

Yeah, we're confident in what we've given you guys today. Like I said, no change in the guidance philosophy.

Let's go to Rob Owens at Piper.

Great. Thanks for taking my question. I appreciate the transparency and disclosure around the breach and realizing these things can take on a life of their own as time passes. But I was curious more so what you're doing for customers to assuage concerns around the breach itself aside from pushing out some launch dates here? And any proactive steps that you're taking to help future retention? Thanks.

I've had numerous conversations with customers recently, and their reactions have ranged from gratitude for the updates to significant frustration and concern. The key takeaway is that we are crucial to our customers and they depend on us for their critical identity infrastructure. They want reassurance that we understand the importance of this issue and that we are taking it seriously with a solid plan to improve moving forward. When I communicate with them, they emphasize the need for clear priorities, a thorough assessment of threats and opportunities, and an appropriate cultural tone set from leadership. It's clear that I have a unique role in conveying this. Furthermore, I discuss how our products can enhance their security, as our solutions lay the groundwork for their security efforts. In response to your question about our specific actions, part of our approach is to be open and transparent. This is why we've chosen to publicly disclose the recent information—to meet our customers’ desire for transparency regarding risks and threats. Our commitment is to be one of the most secure companies in the world, and we aim to fulfill that by sharing all pertinent information promptly. While the current situation may seem odd, what we did recently aligns with our plan and commitment to our customers. We recognize that there is more to be done to ensure they understand the situation and our response, and we will be improving our communication efforts in this area. A significant conversation I had was with a CISO from a large manufacturing company that heavily uses our services. He highlighted that, given our position in the industry, we are often a target for adversaries. He expressed confidence that if we genuinely take security seriously and have priorities in place to strengthen it, it will meet their needs, as we face threats that far exceed what they encounter. Once we share the details of our plans and focus, it tends to give them more comfort. Ultimately, however, what they desire most is to avoid issues like this, and that is our goal as well—preventing problems whenever possible.

Thanks for the color, Todd.

Let's go to Adam Tindle at Raymond James.

Thanks, Dave. Hey Todd, I wanted to ask a little bit more about the renewal process in light of the security incident. Brett mentioned that contract duration continues to shorten. So, the thought would be the renewal process is likely happening more frequently moving forward. I wonder what kind of processes you have in place to retain customers. And any ideas that Jon brings to the CRO role to this process? And Brett, if you could just touch on the assumptions on gross retention and NRR embedded? I know you're factoring in the security incident, but I would imagine that's where it's going to hit the most, so that would be really helpful to understand what the assumptions embedded are? Thanks.

The renewals process is a very mature aspect of our company, and we excel at it. Our gross retention in the mid-90% range reflects a healthy level, showcasing our strength in this area. As Brett noted, contract durations have been shortening but remain an average of two-and-a-half years. This trend began during last year's economic slowdowns, as many customers are opting for shorter subscription lengths than they previously desired. Nevertheless, we will continue to effectively manage renewals without needing to implement a new approach. It’s crucial to ensure high product adoption, which we are good at, and to deliver value while maintaining fair pricing. Our commitment to security and execution will also be communicated to our renewals team, but I do not anticipate significant changes to our overall renewal strategy as a result of this.

Thank you for the question, Adam. Regarding contract duration, we are experiencing a general shortening of contracts, as Todd mentioned. This is partly due to our success in the public sector, where contracts typically last for one year. While this is a positive development, it does impact our contract duration. As for our guidance on net retention rate in fiscal year 2025, we haven't finalized those details yet since we are early in the planning process. However, we believe that both macroeconomic factors and the recent security incident will pose challenges for growth. We have discussed how new business seed expansions are affected by the macro environment, and we expect growth to be impacted by the security incident as well. I can't provide specifics on whether the impact will come more from upselling or gross retention regarding FY '25. Looking at FY '24, we anticipate that net retention will decline throughout the year. In Q3, we achieved a net retention rate of 115%, which remained steady from Q2. We do expect this rate to decrease in Q4 due to the macro headwinds affecting seed expansions. I hope this gives you a better understanding of our outlook for FY '25 and our near-term net retention rate for the next quarter.

Next, we'll go to Rudy Kessinger at D.A. Davidson.

Great. Thanks for taking my question, and appreciate the candor as it relates to the breach. Todd, at Oktane, it seemed pretty clear that you were hinting that you guys were close to hiring a new President of Worldwide Field Operations or Head of Sales, and today, I know you're closing that search, you're moving Jon into the permanent role. So, I guess I have a couple of clarifications. Did the breach impact your ability to land a new Head of Sales at all? And secondly, just understanding the current structure, is Jon going to be taking on both the Head of Sales and Chief Revenue Officer roles or will you be remaining, I guess, the Head of Sales for the time being?

Thank you for seeking clarification. Regarding the previous question, I overlooked the part about Jon. The decision on the go-to-market structure was finalized before October 20, specifically in early October. Therefore, it was unrelated to the security incident. Since the search began in late January of this year, our timeline was to make a decision by October, which we achieved. We wanted to avoid having an interim structure while planning for FY '25, so we aimed to complete the process by the end of October. I don't recall the exact sequence of events concerning when the final decision was made and when I made my comments, but I was certain we would finalize one of our finalist candidates, with Jon being one of them, soon and adhere to our original schedule of wrapping things up in October. The decision was based on several factors. Throughout my conversations with numerous candidates, Jon consistently outperformed them. He was excelling in his role, and I observed him in customer meetings globally. More importantly, I engaged in discussions about strategy and recognized his strategic vision, understanding of the market, and familiarity with product segments within the identity industry. His performance truly distinguished him in what was essentially a nine-month job interview, making it difficult for other candidates to compare favorably. Once I decided that he was the right choice for the Chief Revenue Officer position, I also concluded that I appreciated the current structure of business operations under Eugenio as President of Global Business Operations, with the marketing function led by one of our strongest operational executives, Eric Kelleher, and Jon overseeing sales and pre-sales, directly reporting to me. Essentially, this flatter organizational structure, where business operations, customer success, the Chief Customer Officer, marketing, and Chief Revenue all report directly to me, is optimal for our future. Therefore, the two key decisions were identifying the best Chief Revenue Officer and determining the necessity of an additional President layer. The best path forward for Okta is to complete the search for President and have these talented individuals in positions that will drive our progress.

Great. Let's go to Hamza at Morgan Stanley.

Hi. Thanks for taking my question. Todd, on a high level, could you speak to the switching costs of your products? And based on your very early conversations, would you anticipate some customer churn as a result of this incident?

The switching costs can vary. One of the advantages of both our customer identity and workforce identity products is their flexibility, allowing for quick and easy implementation. They can also be integrated comprehensively, connecting to various technologies and resources within a customer's environment. Therefore, while some companies have light implementations with low switching costs, others have deeper, broader implementations with more custom integrations that result in higher costs. Various factors influence why customers switch providers. It's well understood that customers who are less engaged are typically more likely to switch and have lower switching costs. We've observed some customers switching for a range of reasons, even though our gross retention rate is in the mid-90s, indicating that a small percentage are making that switch. Ultimately, it's challenging to pinpoint a single reason for this. Our focus remains on ensuring customer success and delivering substantial value through our products. We are confident in our strategy of a converged platform covering all identity use cases for both customer and workforce, and we are making conservative assumptions in our guidance relating to security incidents and macroeconomic factors. We are committed to executing our plans, and we believe that over the long term, we will achieve significant success and provide considerable value to our customers, which will, in turn, drive overall success.

Thank you.

We'll go to Joe Gallo at Jefferies.

Thank you for the question. We had strong margin performance this quarter and are optimistic about our guidance for next year. Could you elaborate on the factors contributing to that leverage? Additionally, does this impact the growth algorithm in any way? Lastly, how do you perceive longer-term growth? Do these margins indicate a potential adjustment to lower sustainable growth in the long run? Thank you.

Thanks, Joe, it's great to see you. We've been working on this for about 18 months now. Last year, we began restructuring our cost efficiency by relocating staff to lower-cost areas and optimizing our software and real estate. This effort has been essential in establishing a framework that allows us to achieve these margins. I'm excited that we can discuss the Rule of 40 this year because it reflects how we assess and manage the business, focusing on both growth and profitability. This hard work enables us to confidently guide you on the margins in our FY '25 forecast, which includes a 17% non-GAAP operating margin and at least a 19% free cash flow margin. This represents a significant shift for us. We've built the structure to enhance efficiency and leverage within the business. We always aim to balance growth and margins and will continue to do so. While I can't provide specifics beyond FY '25, we will manage our business through the lens of the Rule of 40, a concept we are proud to achieve this year and aim for as we progress into FY '25 and beyond. It’s something we take great pride in overall.

Thank you.

Next up, we're actually going to go to Madeline Brooks at BofA. She got knocked out of the queue. I'm putting her back in the spot here.

Thanks so much, Dave. Appreciate it. And just appreciate the transparency of your remarks. I know many people have said that, but just really want to emphasize that. So the question is, you know, if I look at what happened this quarter, my quick math implies that roughly 99% of net new cRPO came from the existing base. And it's a two-parter. Across peers, these numbers begin to kind of turn positive again, with contributions from net new customers increasing post-macro. So, the first part is why do you think the trend in your numbers is different than other cyber peers? And the second part is, is there any concern heading into next year, the existing customer base will already be saturated, leaving less room for upside, especially with this 90-day push out of new products and the potential headwind from the new bids given the recent security event?

Sorry, Madeline, you broke up a little bit on me, but I think you were saying the mix on cRPO was related more to upsell versus new business, is that...

She said she calculated 90% of the cRPO came from existing customers.

Yeah. Okay. Yeah, I can't say that I have that number at hand, Madeline, but what I will say is, as we've talked about in the past, our mix of business has shifted more toward upsells. We believe that's related directly to the macro side of the house, really putting pressure on new business. And so, I think that's why you're seeing those numbers. I think we had a nice quarter from a new customer adds. Net adds was up 400. You heard Todd talk about the $1 million customers. Greater than $100,000 customers had a nice addition as well, an increase sequentially versus Q2. So, we do see new business helping us out, but we do see a headwind there due to the macro headwinds that although have stabilized, still are a headwind to our growth in the business.

One thing I can add that I hope is helpful is about our new products. We have three outstanding products to offer our existing customers. While some customers already have customer identity solutions, there are still many others we need to reach out to. Additionally, we have a large number of customers to introduce Okta Identity Governance to. This product is just beginning to gain traction after a year in general availability, and we've seen some early successes. Recently, we closed a significant deal with a global pharmaceutical company involving a major upsell for OIG, along with the launch of our new PAM. I believe we have an abundance of new products in our pipeline to offer our customers, and we are focused on operationalizing these new products and executing our sales strategy effectively. Although there may be a 90-day delay on some new offerings that could have an impact later, we definitely have plenty of products lined up for fiscal year 2024 and 2025.

Got it. Thanks so much.

Yeah, let's go to Eric Heath at KeyBanc.

Hey, Dave, thank you. So, Todd, it's great to see PAM is getting rolled out this week. I guess kind of two parts to the PAM opportunity. So, one, just what learnings can you draw from OIG to relay that into some similar early success into PAM, number one? And then, number two, just given PAM can be used to protect the customers' Okta environment, is this something that you could potentially make available to customers at no extra charge just as it relates to protecting their own Okta environment?

We are really enthusiastic about privileged access. There are a couple of lessons from OIG that apply across different product areas. New product introductions involve establishing best practices for broad enablement and targeting various market segments. One insight from OIG is that it has been more successful in larger enterprises than we anticipated, so we plan to apply that knowledge to PAM and enable larger enterprise sellers earlier than we did with OIG, expecting similar results in those organizations. Another key observation from OIG is that it has performed better than expected in environments with existing governance solutions, which we will also incorporate into PAM. Regarding product direction, as we transition from the early access phase to general availability, we discovered that customers have primarily focused on managing access to servers, including Linux and Windows servers and Kubernetes clusters. Customers find significant value in our ability to manage privileged accounts in SaaS applications, as we are already integrated with platforms like Salesforce, Workday, and GitHub. This is an exciting avenue for us. Furthermore, we recognize the importance of the Okta admin console as one of the critical privileged account systems globally, and we are exploring ways to better integrate it. I appreciate your suggestion about potentially offering it for free to all Okta customers; this is an interesting idea, and I value your input.

Great. Next, let's go to Gray Powell at BTIG.

Okay. Great. Thanks for taking the questions. So yeah, I guess, kind of a modeling question here. Normally, I would expect sequential growth in cRPO in Q3 to be at a similar level to that of what you've seen in Q2. At least that's what you've seen the last couple of years. This year, you added $54 million in net new cRPO. Last quarter, you added $71 million. So I know this is kind of rough, but like is it safe to say that the main difference there was the breach happening with like 10 or 11 days left in the quarter and then customers just taking a pause? Or is there something else that I should be thinking of? And then, the other part of the question would be, as we think of Q4 trends, like how much of a hangover is there? How much should we expect the lingering impact of the breach to be on conversations with customers?

Yeah. Thanks, Gray. Som from a sequential perspective, I think I wouldn't do that math in terms of backing into the impact associated with the incident. I would more think about renewals timing, that can have a heavy impact on cRPO quarter-to-quarter. So, we feel we had a really nice quarter in terms growing 16%, $1.83 billion in current RPO. So, I wouldn't read too much detail into that. In terms of Q4, all of it's baked in, all of what we think the potential impact is associated with the security incident, that is in the guidance that we've given you here today, 11% to 12% and $1.88 billion at the top-end of the range. So that's kind of how we think about things.

All right, fair enough. Thank you.

No problem.

We'll go to Peter Weed at Bernstein.

Thank you. It seems that your expected growth for the fourth quarter has decreased by nearly 3 percentage points compared to what you indicated last quarter. You mentioned that this is due to the outage. Can you clarify if this is based on actual experiences? For example, are there signs indicating that customers might leave, or are the upgrades not happening as quickly as they used to? Is it becoming tougher to acquire new customers? You did have a strong quarter with an increase in new customers. Do you expect that to decline? I'm trying to understand where this change in sequential growth appears in relation to what you would typically expect, as it seems to have been significantly impacted by the outage.

Yeah, the incident. So, if you look at every quarter, Peter, there's always deals that push from quarter-to-quarter. It's just a natural part of our business. We saw an elevated level of that, and we ascribe that potentially could be related to the security incident. So, we're taking that into our guidance when we think about Q4 and thinking about it from a prudent perspective, especially given how big the number can be in Q4 and setting the trajectory for fiscal year '25. So that's how we're thinking about things.

Yeah. I mean we did see...

Already moving from Q3 into Q4, wouldn't that allow for deals to close in this quarter and help cover some of that gap? Therefore, you would need to push a considerable number of deals from Q4 into Q1.

Yeah. You're right, we actually have already seen some of those deals close in Q4, which is a good sign, but we're being prudent given the environment out there today, given both the macro and the impact associated with the security incidents. So, we're just being thoughtful.

Yeah. I mean if you think about the chronology of it, it's 11 days left in the quarter and then we're only just a month into the fourth quarter. So, in terms of the window to see the impact, we're a little bit limited on a window to see the impact. So I think that drives some of the pragmatism in the guide.

All right. Let's go to Adam Borg at Stifel.

Awesome. Thanks so much for the question. Maybe a bigger picture question here. So, international is still about 20%, 21% of the mix. And just given the size of the company, it just seems like there is a lot of international opportunity ahead. So just as you think about the channel investments and you think about the new CRO and CMO in place, what are the thoughts about kind of accelerating opportunity in the international theater to potentially help accelerate growth? Thanks.

I believe there is a significant opportunity ahead. From a broader perspective, while the macro environment remains stabilized, it is still challenging. I have noticed that the international macro impact has been more noticeable than in North America over the past year. Additionally, with Jon moving from interim to permanent CRO, we have the chance to find a replacement for him as the General Manager of Europe, and we are currently considering several candidates for that position. This brings more leadership stability internationally. Coupling that with a strong leadership team in Asia Pacific that is performing well, we have a promising opportunity for solid international performance, which is crucial for our future. If we examine the figures, approximately half of the identity management market is likely outside the U.S. Moving forward over the next five to ten years, we aim to increase that proportion in terms of revenue.

I'd also add, just Jon, being an international person himself, like he brings that lens, right? And so, we're really excited about that and the opportunity out in front of us. Because I agree with Todd, we've got a lot of opportunity internationally.

Awesome. Thanks so much.

Okay. Next up is Matt Hedberg at RBC.

Great. Todd, I have a product question. In your prepared remarks, you mentioned that you were pleasantly surprised by the number of organizations adopting your identity governance products. A year ago, this would have likely surprised many of us. We might have expected some of the traction to come from smaller or midsized organizations. So, what do you think has driven the success in larger markets at this point? And Brett, when you consider the impact of governance in your outlook for '25, I assume you're taking a very cautious approach, but what are your thoughts on that product for next year?

I believe that large organizations have a lot of complexity, and we may have underestimated their needs. We looked at what larger organizations were doing with existing governance solutions and assumed those solutions were adequate for SAPs, Oracle apps, legacy systems, and that they would also cover all cloud applications and new technologies. This assumption appears to be less accurate than we initially thought. Many of these legacy products are not addressing the shift towards cloud-centric workloads and infrastructure. Consequently, our product is a better fit for these large companies than we initially realized. Over the last five or six quarters, as the macro environment changed, we've seen more success for Okta among larger companies. While I believe the OIG has significant potential in mid-enterprise and SMB markets, that segment currently appears to be slower. As a result, we're not seeing the same level of engagement with OIG there as we might in the future. It looks promising because more people in large enterprises are recognizing the issue and finding value in it, with 40% growth in that segment, both in annual contract value and customer accounts in Q3. Therefore, there are greater opportunities to attach OIG there compared to the overall business, which is also shaping our perception of the situation.

Yes, I would like to add that while we are very excited about the progress so far, we are being modest with the expectations outlined in our guidance today. One thing I know you have asked in the past is how much we will update you whenever we receive a new number. The third of workforce spending attributed to IGA has remained stable through the end of Q3. That figure has not changed from what we've previously shared. The upsell related to it is significant, and we are very pleased with the progress, just as Todd mentioned.

Great. Next up, Jonathan Ho at William Blair.

Hi, good afternoon. With regards to the breach, can you give us a little bit more detail on maybe what's still left in the third-party validation and investigation? And how confident are you that this is going to be the last finding that comes out of this investigation? Thank you.

Yeah, it's a great question, Jonathan. In my many, many conversations with customers, this comes up like speed of disclosure and they want to know all the information as fast as possible, and why does disclosure take time and what else is left to disclose, et cetera. So it is on everyone's mind, obviously. I think the general philosophy we're taking is that we're trying to disclose as much as we know as quickly as possible. I think a couple of weeks after the incident, when we had our first disclosure, we disclosed everything we knew at the time. And we just kept looking like you're talking to the log files from our support system. We're quite voluminous, and the team went over them click-by-click, row-by-row, line-by-line, kind of took first pass and looked at all the things they thought were incredibly sensitive and took a quick run of some of these reports and found it wasn't much interesting data and then published the first RCA and remediation steps and then like a good security company would kept looking and kept digging and made sure we had everything covered and frowned more. And we were more thorough about these reports and ran completely and saw the data was there and made the decision to do a further disclosure based on risk of phishing like we've outlined. And so, I think the way I characterize it is now our internal team has gone over it many, many times, and our internal investigation is done. Like we don't think there's anything else productively we can look at. We've worked with the vendor and got supplemental logs. We've combed through it. We've done everything three, four, five times to check it. But we still want to make sure we cover all the bases, so we brought on this firm that has started a couple of weeks ago, and they're looking at it. I think we're doing it, obviously, to be very thorough and clear. I think it's a relatively low priority that they'll find anything additionally, but we'll have to wait and see in mid-December when they were done with their analysis.

Okay. I'd like to welcome back Fatima Boolani from Citi.

Thank you. I appreciate the question. Todd, you were very categorical about securing Okta. So, your customers are secure as being the number one priority. So the question for you is, is that people, process or technology or maybe all of the above conversation? And then maybe to Brett, it's not immediately apparent in your margin guidance that you're going to be taking in making these investments. So can you just sort of help us understand and kind of what envelope a lot of this up-leveling and reinforcing of your internal security architecture, what shape or form is that going to take?

It's a very insightful question, Fatima. As you guessed, it's a combination of all elements. Internally, we refer to this initiative as Bedrock, aimed at building a strong foundation. There are four main components I want to highlight. First, we are advocating for a grassroots approach to gather all the ideas from our team about making us the most secure company in the world. An example from this component is advising customers to implement multi-factor authentication for all administrator accounts, which should be mandatory rather than optional. Over the years, we sometimes prioritized convenience over security, but as we aim to enhance our security, that approach will change. We need to enforce this requirement while understanding the customers' specific scenarios that might lead them to forego MFA. Through this grassroots effort, we encourage our smart team members to share and implement their ideas. The second component is a top-down approach, where we focus on our internal security architecture, business operations, and IT operations. We’re bringing in top experts from around the globe to advise us on how to structure our security posture and architecture to align with the standards of the most secure companies. The third component is cultural. This begins with me and the leadership team, establishing a clear priority that our goal is to be among the most secure companies globally. A clear vision and prioritization are crucial, as they provide the necessary resources to build a culture of security within the organization. The final component involves our products. They need to be designed not only to be helpful for our customers but also to ensure their security. For instance, following a notable incident in October, we swiftly developed a feature that cryptographically links an administrator console session to a specific network, providing added value and security for our customers. As we analyze our entire product architecture, we will identify many more enhancements that will help us achieve our goal of being the most secure company. This approach is comprehensive, and the focus on security over the next 90 days will allow everyone to have clarity on our priorities. While similar efforts have been in motion for years, this period will solidify our commitment to achieving the goal of being the most secure company.

And then, for the second part of your question, Fatima, it's really, there's two things. One, we're already investing a good amount in FY '24. So, to step up in the margins, not like we're starting at zero. So, we're investing a good amount right now. We're going to invest more in Q4. But this is one of the benefits of the structural efficiencies that we found and driven over the last 12 to 18 months. It allows us to expand the non-GAAP operating margin from 13% to 17%, while also investing more into these critical areas like security. And so, we've invested a lot already, but we're going to invest even more in FY '25, but while also being able to balance it with the margin that you mentioned. So, it's one of those benefits of us to we've been working so hard on for the last 12 to 18 months.

Okay. We're going to try to get to a couple more. Let's go to Josh Tilton at Wolfe Research.

Hey guys, can you hear me?

Loud and clear, Josh.

All right, great. I wanted to clarify a previous question. Does the guidance for Q4 embed some conservatism around the recent incident because you are anticipating to see something or because you are already seeing an impact? And then just a follow-up is, Todd, you mentioned that you spoke to customers and they kind of understand why as an identity provider, you guys are being targeted by hackers so much. Is that raising any questions from the customer base as to whether or not it makes sense to go all in with all of your identity needs from one provider? Or given that you guys are the center of the security ecosystem and the number one target for hackers, does it maybe make sense to diversify some of your identity risk across a different PAM vendor and a different governance provider?

Hey, Josh, I'll take the first part. The short answer is that we are anticipating changes since we saw a significant number of deal pushes from Q3 into Q4. As we move through the quarter, we are considering what we observed at the end of Q3 to adjust our expectations for Q4, keeping in mind that our bookings are not linear and are very back-end weighted.

On the question of whether to get everything from one vendor or to spread out risk with different vendors, it really comes down to how the products are implemented at the physical layer and how you manage the risk of relying solely on one vendor. Additionally, there needs to be significant value in sourcing from one vendor, such as reduced risk, operational simplicity, and improved security due to better integration. I recently discussed these risks and rewards with a customer regarding the pros and cons of consolidating with a single vendor compared to diversifying vendor sources. These are the factors that people consider in this decision.

Let's go to John DiFucci at Guggenheim.

Thanks, Todd. My question is a follow-up to Fatima's. I need to stay ahead of her because she’s tough to follow, but I thought her question was great. I appreciate the detailed information you provided about the Bedrock program. Ultimately, how long will it take to reach a point of relative comfort where you can confidently sit down with the customer and assure them that you’re there? While we always have concerns and strive to ensure this doesn’t happen again, it’s realistic to acknowledge it could. What’s the timeline for achieving that sense of relative comfort?

That's a really insightful question. I would add that we have been focused on this for several years, especially since the Lapsus$ breach a couple of years ago. We've made significant progress that gives us confidence in our journey to become one of the most secure companies in the world. The reason for the 90-day sprint is that we believe there are enough measures that can significantly reduce risk. While the overall risk isn't extremely high, we think it's worthwhile to have a concentrated effort at this time. More importantly, this approach sets a cultural tone. Clear priorities are essential for execution, and a focused 90-day sprint makes those priorities evident to everyone. Beyond just reducing risk and moving closer to a state of security, this cultural emphasis is vital for our customers, investors, and employees.

So it's the 90 days and then just keep going...

It's not that we've never prioritized security; we have been highly focused on it. As I mentioned, we are very specific and advanced in our product and infrastructure areas. However, we still need to improve our overall IT operations and company-wide approaches. This is something we've been addressing for a long time, and we plan to continue this effort for a long time to come. We need to be one of the most secure companies in the world, considering the critical role we play for our customers. This is what our customers expect from us, and it's what we expect from ourselves as well. Thanks for asking for clarification. Regarding the previous question, I neglected to address the part about Jon. The decision on the go-to-market structure was completed before October 20, specifically in early October, and it was not related to the security incident. Since the search began in late January of this year, our timeline was to reach a decision by October, which we achieved. We aimed to avoid an interim structure as we planned for FY '25. My goal was to finalize everything by the end of October. I can't recall the exact sequence of events concerning when the final decision was made compared to when I made my comments. However, I was certain that we would soon finalize one of our leading candidates, with Jon among them, and stick to our original schedule to conclude this process in October. The decision was influenced by several factors. Firstly, throughout my discussions with numerous candidates, Jon consistently outperformed them. He excelled in customer meetings globally, and more importantly, I discussed our strategic direction with him. His strategic vision, market knowledge, and insight into product segments and the identity industry were impressive; it felt like an extensive job interview over nine months. He made it challenging to compare him to other candidates. Once I determined he was the ideal choice for the Chief Revenue Officer, I also concluded that I appreciated the existing structure of business operations under Eugenio as the President of Global Business Operations, with the marketing function led by our highly competent executive, Eric Kelleher, while Jon managed sales, pre-sales, and partners reporting directly to me. This flatter organizational structure allowed me direct access to business operations, customer success, our Chief Customer Officer, marketing, and the Chief Revenue Officer, which is the best path forward for us. Essentially, there were two key decisions: identifying the best Chief Revenue Officer and determining whether we needed an additional layer of a President. The optimal future for Okta lies in completing the search for a President and positioning these talented individuals to move us ahead.

Thanks, guys. Appreciate you taking my question.

Thank you, everyone, for your questions during today's earnings call. This concludes the meeting. If you have any follow-up questions, you can email us at investor@okta.com. Thanks.