The Tech Sales Newsletter #71: The case for platformization

Nine months ago, I wrote about Palo Alto Networks and how they centered their business strategy around becoming THE security platform of choice.

This was a big statement to make two years ago when they first started talking about it, and it remains one of the most audacious bets the cybersecurity industry has ever seen.

Today, I'll revisit their thesis, take a look at the "polished" version in their recent earnings call, and then go through an intimate conversation with Nikesh Arora at the UBS Global Technology and AI conference that happened two weeks ago.

The key takeaway

For tech sales: If you want to sell in cybersecurity, you have to really do your due diligence on the long-term viability of the company you want to work for. There is a fundamental shift in the market today toward platforms that puts a big question mark on whether new startups can have any real chance to scale beyond their first rounds of funding.

For investors: Palo Alto Networks has been on a 3-year journey toward becoming a cybersecurity platform in the fullest meaning of the word. Their stock performance vs. the competition over the same period tells a sufficient story of whether this bet is paying off: 130% growth vs. Fortinet (42%) or Cisco (-2%).

The polished version

Source: Palo Alto Networks Q1’25 Earnings Presentation

Nikesh Arora: I had our teams go back and compare the growth in the mentions of the word platform on cybersecurity earnings calls this year versus last year. We found an overall 50% increase amongst our peers. As they say, imitation is the highest form of flattery. As another point of reference in recent research, Gartner sees 75% of security leaders actively pursuing a vendor consolidation strategy, although less than 15% of large enterprise customers have implemented at least any one security platform solution.

Gartner expects that by 2028, 45% of organizations will use fewer than 15 cybersecurity tools in their product portfolio, up from 13% of organizations in 2023. I do want to reiterate the definition of what we want to achieve as a platform. Central to stopping threats of the future is a robust AI and automation platformization strategy, and data is at the heart of it all.

While I wouldn't consider Gartner the most reliable source of what customers want or need, the reality is that the platform play is the play right now in cybersecurity. The revenue growth for larger platform players has significantly outpaced the cumulative spend on point solutions, with quota attainment on average in cybersecurity being quite poor. Like all things "average," that reveals an unequal distribution of outcomes, favoring the platform players.

Source: Palo Alto Networks Q1’25 Earnings Presentation

Nikesh Arora: Our approach is to ingest all relevant security data once, stitch and analyze this with precision AI technology, and natively automate end-to-end workflows. It's a tall order to take data from many different security vendors, analyze it on the fly, and make a decision to stop an attack fast enough. But we're encouraged with the early success of our XSIAM and cloud platform to do exactly this. In network security, we also collect all data across all Palo Alto Networks security products and enable our customers to operate on a single pane of glass with consistent services, which work across all our form factors.

We believe our network security strategy is the most comprehensive platform available in the industry, encompassing a majority of the use cases via a single, consistent interface.

As one of our customers recently said, that's one pane of glass versus many glasses of pane. So while many of our competitors are talking about their platform approach, we don't believe they're equipped to deliver it in the way we can. We feel the cybersecurity industry is embarking into its next phase, where the market will continue to converge towards a fewer set of platformization players over the next 5 to 10 years. Point solutions will continue to get subsumed in these platform plays. Having started this trend, we intend to be one of those few players.

With this being the first quarter of our fiscal new year, we further oriented our go to market enablement around platformization. Our goal is to broaden the effectiveness of our solutions selling across thousands of sellers, and arm them to sell the value of our differentiated security outcomes across network security, cloud security, and security operations. With platform-specific domain consultants and architects, we are able to bring tremendous focus to our go-to-market efforts.

I'm again pleased with the results we're seeing. These came through in our Q1 metrics. We added more than 70 new platformizations with about a third coming from our acquisition of QRadar SaaS. We ended Q1 with approximately 1,100 platformizations.

The practical view of what's going on is that Palo Alto Networks has focused on upselling a multi-product portfolio across its largest install base, and they've been successful in doing so. Whether this is translating into great commission checks for the sales reps is a different topic - quota attainment on RepVue has dropped from 47% to 45% since I first reviewed Palo Alto Networks nine months ago.

Source: Palo Alto Networks Q1’25 Earnings Presentation

Nikesh Arora: Looking at the large platform deals, we see a variety of opportunities across all of our customers. We signed a transaction with a large technology firm for more than $50 million. This deal was headlined by a SOC transformation, where we both replaced multiple [ph] SIEMs and XSIAM and XDR. The customer is facing rising costs in the SOC with little automation and [ph] inadequate visibility into the rising number of tailored attacks that leveraged AI. The customer was a QRadar customer and a year ago had platformized with us in network security. In this transaction, they added SD-WAN as well.

Next, we had a deal north of $15 million in value, with a national hospital system platformizing their network security, which includes an ELA for our firewalls. The customer is focused on both preventing a breach, after observing the many high-profile incidents in the healthcare industry, as well as reducing operating costs. We displaced a legacy firewall vendor and also set ourselves up for future SASE deployments. In SecOps, we also have an initial Cortex footprint in this QRadar customer, with an XSOAR deployment. A financial institution customer standardizing our firewalls, including an ELA in a transaction for over $20 million, after standardizing on our network security platform with SASE in fiscal year 2024.

Looking at LinkedIn, we can put a ballpark estimate of the total number of sales reps at Palo Alto between 1,500 and 2,000. That would mean that between 15% and 20% of them get to be involved in big-ticket deals ($1M+), and less than 3% are behind "the whales."

Source: RepVue

I think that Palo Alto Networks is a good example of what the reality of tech sales will look like in the future:

  1. Significant complexity requiring deeper understanding of multiple technical domains

  2. The ability to translate an overall strategy into outcomes and benefits

  3. Total headcount will reduce, as companies seek to maintain a direct sales force of elite sales reps, pushing all other business toward their channel ecosystem. The days of average reps achieving quota attainment from minimal growth and customers that don't scale are over.

The candid vision

The quotes here are taken from Nikesh Arora’s 30-minute fireside chat at the UBS Global Technology and AI conference that happened two weeks ago. The transcript is AI generated, so not all technical terms come out perfectly; the important thing is understanding the key trend drivers.

Nikesh Arora: Look, first of all, thank you for having me here. I think the biggest change we have seen so far in terms of any overall macro thesis is that AI continues to become a bigger and bigger topic across the place. So, it seems to be that AI funding will continue, whether it is those in these large hyperscalers or perhaps enterprises trying to figure out. There's a lot of FOMO out there. Nobody wants to be left behind, so they don't want to find out that their competitors got AI right, either if you're an AI provider or an app provider or perhaps an enterprise who didn't adopt it.

That's kind of like one interesting new data point. And the other interesting datapoint is, we're all cautious about what the administration is going to bring in terms of all the big changes we're seeing. There seems definitely to be some degree of technology focus given Elon Musk is camped right by our incoming President. So, you'd expect there'll be a difference in the rhythm or investment focus or perhaps the decluttering of regulation going towards technology. So, generally, I feel more optimistic about technology spending today than I possibly spent about 3 months ago.

One of the biggest arguments for platform consolidation is that a unified platform that shares relevant data from different security domains will lead to significantly more effective AI implementations, whether in terms of improved ML detection or more accurate agentic workflows.

Nikesh Arora: That makes sense. I think if you step back, I think we're all getting too caught up in the short term impact of AI. And I think if you step back and look at what's happened in the last 12 months, 18 months is that think about it, we're building a smarter and smarter brain. If you look at all these new models, whether it's Model 3 or GPT or Gemini with their next model, Llama with their next model, you're seeing these models are getting smarter and smarter or better and better over time. I think the tipping point is going to be inferencing is how do you reason?

Can these models reason? Can they figure out answers to questions which they've not seen before? Today, they're pretty good at answering questions that they've seen before and getting better and better at it, and we're all training around them. Now, if they start inferencing stuff or figuring stuff out, perhaps like you're literally driving in, there's a Waymo with nobody in it, right? So, now you've got a car which is driving itself, and 10 years ago, it sounded like science fiction.

If you imagine yourself 10 years out and think about what the world could look like, from that perspective, we will give up a lot of autonomy to AI, just like the car with the driver. Now step back, I think every company is going to have to give autonomy to some version of computing. If that happens, what is your control system? Where is your kill switch? How do you stop rogue actors from getting their hands on this stuff?

Just the way you need petabytes and petabytes of data to figure out whether the car should take the risk and drive across traffic and take the turn. You need petabytes and petabytes of data to understand how to block bad things from happening. So, I think if you look back and people say, well, why is it does Waymo have an edge or does Tesla have an edge? Well, they both have a lot of data. Waymo is collecting a lot of data.

Tesla is collecting a lot of data. Let's transpose that to cybersecurity. Who has a lot of data? Incumbents. I can't start a company today and say, I'm going to go collect 20 petabytes of data on cyber activity and go build an antidote to AI.

I think from that perspective, if you think slightly longer term, AI will be relevant and prevalent in most enterprises in many, many, many incarnations and many shapes or forms. And I got a 3D image made on my arteries using an AI product, because it had to analyze 250,000 MRIs. You can't do it without that data. So, if you believe that's going to happen, then the question is how do you control for that? That control is going to require AI applied to cybersecurity as well, which means advantage incumbents.

Now, are bad actors going to tactically in the short term try and impersonate you and me? Of course, they are. They already are. They see an economic opportunity. But I think that's the wrong end of the spectrum.

The bigger question is, are we going to get out of this business of trying to solve small slivers of cybersecurity by funding 2,000 startups a year?

If we expand the data argument to its logical conclusion, the driving force behind making a platform choice today is not just based on cost, efficiency and performance. It's about the customer making a bet that there is a strong direction of incremental improvement driven by accumulating more relevant data.

Every year of your 3-year subscription should lead to improved security posture, purely on improved algorithms, let alone any of the "traditional" directional factors such as people upskilling or iterative process improvement based around a single system.

Nikesh Arora: Sure. So I think it's important to abstract this for a second. So look, the cybersecurity industry has every company, every one of our customers has anywhere from 20 to 70 cybersecurity vendors protecting them, which is bizarre because that means our customers have to understand 70 products and be able to figure out real time how stuff is happening in their enterprise across 70 products, which is technically infeasible. It's just impossible. We barely understand our products well enough that some customers understand 70 products is just hard to imagine, but okay, they do.

If you look at every sub sector of technology, some element of and I'll call it platformization because platformization means that things have gotten integrated, the customers don't have to do the work. Whether you look at the biggest SaaS companies out there, why do they exist, whether it's a Salesforce, Workday, ServiceNow, Adobe, what do these things do? They take 10, 15, 20 solutions, make them work together, so you don't have to buy 15 of them and make them work together yourself. At a most fundamental level, that's what we mean by platformization. Now, six and a half years ago when I started, we were one of those 20 vendors or 40 vendors.

Today, I can consolidate 60% to 70% of my customers' estate by saying you don't need 15, 20 extra vendors, I'll give you one solution that works together across this. Now, it's an early step. This is something we're going to persevere and grind, because the more we persevere and grind, we know 2 things are going to happen. 1, customers are not going to go back. Nobody is sitting in their company saying, let's replace our CRM system called Oracle or Microsoft Dynamics or Salesforce.

Let's go back to the old time when you start 18 cool apps that we used to stitch together. Nobody is doing that. If I can get customers to go from 40 to 15 vendors, from 70 to 25, I have a reasonably large share of what remains, that's a good thing. And that sets us on a path, which means better profitability in the future, better outcomes for the customer. So, we've done that about 1100 times.

Source: FinChat.io

Let's ignore the red herring around comparing Palo Alto Networks with SaaS incumbents like Adobe or Salesforce. Cybersecurity has significantly more complex problems to solve; however, investors can't be expected to "get it," so it's easier to associate the platform play with historical performance of other companies they might think were successful.

The important call-out here is the argument around tool consolidation as a way to deal with the technical skill gap - the problem isn't just that customers have 50 to 70 tools in place, it's that they are using them poorly.

Nikesh Arora: So, the way you should think about cybersecurity is that in the past, everybody had a swim lane and this swam in that lane, which is identity management, endpoint security, stock management, network security. And we all stayed in our swim lanes and played in our swim lanes. So, what happens is every 10, 15 years, a big revolutionary change happens that swim lane gets disrupted and new set of vendors are born. Palo Alto was one of those vendors who was born when something called the next generation firewall came out. Before that, people were buying all kinds of different stuff. So we started to play and win in that space.

So, they started trying to play in the network security space. And the network security swim lane has evolved where we now command a lion's share in that space because of the evolution we've had to our company. But then, there's the endpoint swim lanes that got disrupted and Symantec, McAfee and the others took a back seat and saw the CrowdStrikes and the SentinelOnes take up. We started playing that space too. And that same inflection has now come to SIEM.

In this inflection, the old guard of QRadar, Splunk, all these people are getting challenged by the new vendors. I think this is a $20,000,000,000 to $40,000,000,000 market and the next 7 years, I guess, fundamentally disrupted. We think we should be one of the top 3 players in this market in the next 24 months and sustain that lead, which allows us a bite at a larger TAM over time. So, that's kind of the overarching picture.

The key approach to platformization is less about focusing on a "master platform" and more about disrupting the next logical parts of an ecosystem that were previously their own "swim lane." SIEM is one of those areas that has great synergy with the existing portfolio and is an already existing market that can be won.

The argument toward those customers is less about "adopt this new piece of technology" and more in line with "you are already spending the money for this, are you getting the same outcomes as if you integrate this into a more holistic tool?"

Nikesh Arora: Like when I worked at Google, Larry used to tell us that 10x is better than 10%. So, if you aim for something big, you aim for 10%, you get to 3% or 5%, that's a better outcome than aiming for 10% and getting 7%. So I'm all in for the heavy lift. The heavy lift allows us to go to customers so you get a real outcome.

Of the cost, we sold 150 of these in the last 20 months. We've deployed north of 60 of these. 50% of them have a median time to remediate a security incident under 10 minutes, which means, so under 10 minutes we find out at a customer that something bad is happening in their security infrastructure across any vendor and we can help them fix it. That's a good outcome. The current standard in the United States is 4 days. Well, yes, it's a heavy lift. It takes 4 months to get that from current 4 days to 10 minutes.

Would you rather have 10 minutes or replace your 4 days with cheaper technology?

Yeah. I'm all in.

The platform approach is useless if it doesn’t deliver significantly improved outcomes. That’s the biggest mind shift compared to traditional “cost and efficiency” pitches.

Palo Alto Networks wants to win on solving the fundamental problem of cybersecurity, rather than just monetizing a specific swim lane. We can call this too ambitious, but it is the right mindset (10x matters a lot more than 10%).

Nikesh Arora: Now in many cases, it's hard to see what you are doing, because some of the applications encrypt the data and don't let us in, which is fine, and it gets decrypted at the other end, giving you a secure tunnel. Enterprise browser, which is like using your Safari or Chrome or Microsoft Internet Explorer browser, you can use those or we can see everything.

As you get towards an AI world where you want to watch what people are doing because they're going to be putting company specific information up in the cloud, visibility of that data is more important. And as the world gets to more and more cloud applications, you don't need fat pipes running back to your data center. So we have a different technological view of the world.

If you look at all the consumers, 90% of what consumers do on their laptops is through a browser. Think about your significant others or your kids, 90% what they're doing is in the browser. I have young kids, they're on the browser. They're doing Zoom on the browser, they're doing teaching learning apps on the browser. If you believe that's the consumer use case 90%, that use case will prevail in the enterprise as well in the next 3 to 5 years.

If 90% of what you do is going to be in a browser, browser takes on a very, very important role in how we secure everything that happens in the company. So that's our bet.

Similar logic is applied here for the Enterprise browser piece of the ecosystem.

Nikesh Arora: And again, it's very important, at least from my perspective, for companies like us. Look, in Silicon Valley, tech companies die if you don't focus on product and technology changes. You look at the history of companies that have hit the graveyard of technology companies when companies lost focus on where technology was going, where the product was. We don't intend that to happen to us. We want to be the 1st evergreen cybersecurity company.

From that perspective, we're constantly watching technological trends and making bets. Some are going to work, some are not going to work, which is fine, but portfolio theory. Our bet is that browser is going to be big in the world, which means that security through the browser is going to be a very, very important topic. 

When was the last time you heard your CEO talk about becoming an evergreen company? We can call it delusional or we can see it as the right level of hunger and mission-driven approach to achieve something unprecedented in the industry.

Nikesh Arora: The amount of Internet traffic that we're sending back and forth is compounding. Just that Waymo out there is sending tons and tons of data through the Internet somewhere. And if there is a million of those floating out of those, it's more data. Every train is sending data, every lamp post is sending data, there is more data in the world, right? We all believe data is not slowing down.

Any security that needs to be applied, you have to inspect every bit. Inspecting bits is an overhead. It's like taking off your shoes at the airport is overhead. It costs money, somebody else just slows you down. Security works the same way in the Internet.

So our job is to create low latency, do it as fast as we can without being painful to the process of inspection. That's inspection. That inspection is done by a firewall. Firewall comes in 3 varieties. They come in hardware, they come in software, and they come on your endpoint as SASE.

That's the 3 products that universally work as a firewall. Hardware is still the fastest inspection at lowest cost. Software is next. SaaS is more expensive. I got every laptop, put it on the laptop, and it's more expensive to deploy and maintain because of the spread of it.

So if you believe that, there are still many use cases where hardware is the best way to solve the problem. And that's not slowing down. Now, because a lot of the world is going to the cloud, you don't see it, but Google builds buy some hardware from vendors and Amazon builds its own and Microsoft has a bit of mix in that. So, as you move to the cloud, the data centers are going, the hardware is moving from the data center to the cloud. Some people buy hardware, some people don't. But the amount of inspection need is not stopping.

Any good platform play starts with the fundamental building blocks of the business. For Salesforce that was Sales Cloud, for Palo Alto Networks it's their firewall business.

The difference in approach and mindset between Cisco and Palo Alto Networks here is striking. The firewall business is not going anywhere because it's a mandatory part of the stack. Both companies are expanding their investment into SIEM because it's seen as a good adjacent part of the ecosystem (data goes in and out from the firewall, everything is logged in the security analytics platform).

Palo Alto's future strategy revolves around continuing to blur the lines between firewalling, cloud security, endpoint protection, and overall cyber analytics. By investing in AI-driven detection, zero trust frameworks, and cloud-native security platforms, Palo Alto aims to make the firewall a central policy enforcement point no matter where workloads and users reside.

Cisco's future vision leans toward making network security ubiquitous and invisible—integrating security services into every aspect of the network and application infrastructure. Its firewall products evolve as integral components of Cisco's Secure Access Service Edge (SASE) offerings and zero-trust architectures, but always within the broader strategy of providing holistic IT solutions that unify networking, security, and observability.

So there lies the fundamental bet - do I invest in the next-gen cybersecurity vendor that is solving fundamental problems across the stack, or do I stick with the company that sees security as a logical part of selling you networking equipment and software?

Nikesh Arora: I think it's a fallacy to believe that having 40 vendors allows you diversification. I think the benefit is of consolidating into single stacks where things will move fast. Like imagine, if you like it's a crass example, but between the time you log into your laptop and by the time that connection hits your data center and hits AWS, you run through 7 cybersecurity vendors. Somebody's got to figure out across these 7 vendors what happens and how to protect.

I don't think any company out there is going to have the resident skills to integrate our products at scale, speed and deliver the outcomes as quickly as they're needed. So eventually, you will see this world of platformization that's going to emerge and you will see that smaller vendors are going to be by the wayside because I think that strategy hasn't worked. It hasn't worked. Like we have history to prove that there's $12,000,000,000 in ransomware that's been paid. But if it was working so well, that sounds like a lot of money that shouldn't have had to be spent.

We’ll end the article with arguably the most important question: does the current approach to cybersecurity work? Based purely on the outcomes we are seeing in the field, not really.

The revenue and growth of cybersecurity companies have been exceptional; customers have never invested such a large share of their revenue in these products as they do today.

Source: Morgan Stanley Research: 2025 Cybersecurity Outlook

The frequency and impact of security breaches, however, have only gotten worse. Here is a glimpse of the aftermath at UnitedHealthcare from a recent article by Cyberscoop:

“When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.” 

The February attack on the UnitedHealth-owned medical payment processing company roiled U.S. health care providers and threatened some with financial ruin. A criminal group known interchangeably as ALPHV or BlackCat was responsible for the attack. Several cybercrime researchers believe the group earned $22 million in ransom payments as a result. UnitedHealth Group CEO Andrew Witty confirmed the $22 million figure during a May congressional hearing. 

Martin said his team has been working to repair the damage since February, with some of that work continuing to this day. 

“We’re almost complete with the restoration process, but we worked for months — particularly in those early days, incredibly long hours — to restore those services,” he said. 

He further explained the work that his team, along with the help of Mandiant’s incident response unit, conducted after the attack, spelling out the long, arduous recovery process that included dozens of people working 20-hour days for weeks at a time. 

The breach was initiated through stolen credentials (username and password) that were used to access a Change Healthcare server. The attackers were then able to move laterally through the systems, exfiltrate sensitive data, and ultimately deploy ransomware. The most significant security lapse was the absence of Multi-Factor Authentication (MFA) on the compromised server. This basic security measure would have prevented the attackers from accessing the system even with stolen credentials.

Change Healthcare was operating with outdated technology infrastructure at the time of the attack. As a relatively older company acquired by UnitedHealthcare in late 2022, it was still running legacy systems that had not yet been upgraded to modern security standards. The breach ultimately resulted from a combination of outdated infrastructure, inadequate security controls, and the failure to implement basic security measures like MFA during the post-acquisition integration period.

The big question is, would a platform approach have prevented this? Maybe it would have been easier to onboard the acquired company on a modern cybersecurity infrastructure and approach. Maybe some key parts of the stack would have detected the attack at the time when it happened.

Maybe not. But as of today, I don't believe that we fundamentally have a better path to improving the outcomes for our customers than platforms.

Platform play is the play in cybersecurity.

The Deal Director

Cloud Infrastructure Software • Enterprise AI • Cybersecurity

https://x.com/thedealdirector