FireEye, Inc. (FEYE) Q1 2021 Earnings Conference Call April 27, 2021 5:00 PM ET
Company Participants
Kate Patterson - IR
Kevin Mandia - CEO
Frank Verdecanna - EVP, CFO and Chief Accounting Officer
Conference Call Participants
Jackson Ader - JPMorgan
Fatima Boolani - UBS
Brian Essex - Goldman Sachs
Erik Suppiger - JMP Securities
Hamza Fodderwala - Morgan Stanley
Saket Kalia - Barclays
Operator
Ladies and gentlemen, thank you standing by, and welcome to the FireEye Q1 2021 Financial Results Conference Call. At this time, all participants are in a listen-only mode. After the speaker presentation there will be a question-and-answer session. [Operator Instructions] Please be advised that today’s conference maybe recorded [Operator Instructions].
I would now like to turn the conference to your speaker today, Kate Patterson Investor Relations for FireEye.
Kate Patterson
Thank you. Good afternoon and thanks to everyone on the call for joining us today to discuss FireEye’s financial results for the first quarter of 2020. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye’s website at investors.fireeye.com.
With me on today’s call are Kevin Mandia, FireEye’s Chief Executive Officer; and Frank Verdecanna, Executive Vice President, Chief Financial Officer and Chief Accounting Officer of FireEye. After the market closed today, FireEye issued a press release announcing the results for the first quarter of 2021.
Before we begin, let me remind you that FireEye’s management will make forward-looking statements during the course of this call, including statements relating to FireEye’s guidance and expectations for certain financial results and metrics, FireEye’s priorities, initiatives, plans and investments, drivers and expectations for growth and business transformation, the expansion of FireEye’s products, subscriptions and services, and expectations, benefits, capabilities and availability of new and enhanced offerings, market opportunities and go-to-market strategies.
These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future and we undertake no obligation to update these statements after the call.
For a detailed description of the risks and uncertainties, please refer to our SEC filings, as well as our earnings release posted an hour ago. Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website.
Additionally, we provide certain non-GAAP financial measures that will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website, as well as in the earnings release. Finally, I’d like to point out that we have posted supplemental slides and financial statements on the Investor Relations section.
With that, I’ll turn the call over to Kevin.
Kevin Mandia
Thank you, Kate and thank you to all the investors, employees, customers, and partners joining us on this call. I hope all of you are doing well. And I appreciate your interest in supporting FireEye.
We executed well against our plan and exceeded our guidance ranges for all key financial metrics during the first quarter. During the quarter, two themes emerged to me. First, FireEye has made determine our transformation. And second, the need for our frontline expertise and intelligence is accelerating.
Let me speak briefly about these two things before I turn to the first quarter highlights and how we are innovating to meet the best opportunities that are in front of us. First, in regards to making the turn, we are seeing an ongoing mix shift in Billings’ revenue and they are to the faster growing more strategic areas of our business. In 2016, approximately 61% of the FireEye business was tied to our on-premise Sandbox technology reported as product and product related subscriptions. And this category was seeing billings declined in double digits by the first quarter of 2016.
In the first quarter of 2021, our strategic platform, cloud subscription and managed services category combined with our professional services to grow 46% tit in billings, and represented 69% of our total billings. And this is evidence of the turn we have made with our portfolio.
And second, our technology threat intelligence and expertise has never been in more demand. During the first quarter, organizations faced a complex and hostile threat environment, implants in the supply chain, zero day exploits impacting popular products and an onslaught of Ransomware and extortion occurred.
As the threat environment escalates, conventional safeguards are not effective at reducing risk. However, coupled with our expertise and intelligence, commonly used safeguards can adapt faster to the threats and protect customers far more effectively. Therefore, we continued innovating at speed to embed our threat intelligence and expertise into FireEye products as well as the Mandiant Advantage platform.
Now let me discuss some first quarter highlights. Team FireEye delivered a strong first quarter. In addition to our financial performance, we continue to transform our business. Our mix of the platform cloud subscription and managed services category combined with our professional services grew from 56% of our total billings in the first quarter of 2020 to 69% of our total billings in the first quarter of 2021. This substantial mix shift is a testament to the efforts and progress we have made with our transformation.
We also saw this trend in mix shift with respect to revenue and ARR. Our mix of revenues in our platform cloud subscription and managed services category combined with professional services grew from 53% of our revenues in the first quarter of 2020, to 61% in the first quarter of 2021, and our mix of ARR grew from 49% to 55%, respectively. In short, I believe our mix is moving in the right direction.
Demand for Mandiant expertise remains strong this quarter, resulting in 25% year-over-year revenue growth. This was the 12th consecutive record quarter for Mandiant Services, as we continue to scale our capacity and expand our offerings to address emerging market needs such as zero trust, Ransomware assessments, cloud migration and security validation. Our platform cloud subscription and Mandiant Services category had 45% year-over-year billings growth and 26% year-over-year revenue growth. While we saw strength across all the solutions in this category, the acceleration and growth was driven by our threat intelligence, security validation and cloud endpoint solutions.
During the first quarter, we also closed 30 transactions greater than $1 million. More than 70% of these transactions included three or more products or solutions, and 60% of these 30 transactions included consulting services. FireEye continued to prove the value of our frontline expertise and intelligence in the first quarter. We recently published our annual M-Trends report, which contains our observations about threats and effective remediation actions, and it was gleaned from frontline Mandiant investigations performed around the globe.
And here are just a few of our findings. Nearly half of the 294 distinct malware families we observed in investigations last year were new and never seen before. More than 80% of these new malware families were not publicly available, meaning they were privately developed and availability was restricted in some way. And 70% of all the malware families we observed were only found in a single intrusion set.
These observations tell us that threat actors continue to innovate faster than the technologies customers are deploying to protect their networks and organizations are deploying to protect their networks. The attackers are learning new ways to circumvent conventional safeguards that cannot or do not learn from the frontlines in a timely manner. And as a result of this, organizations are re-evaluating the effectiveness of their cybersecurity investments. They're looking for strategies to implement zero trust to protect against Ransomware, to secure their cloud environments. And they want to know how [technical difficulty] processes with XDR and how machine learning and artificial intelligence can improve their security posture. And lastly, they want to validate if they are protected from the latest attacks.
This list of topics and actions aligns well with FireEye’s strengths. We have performed thousands of investigations into security incidents, and considered all the various remediation activities to these incidents. And we have learned how organizations can leverage our threat intelligence and expertise to make themselves more secure. Therefore, we continue to expand our solutions to meet this need.
So first, I'd like to discuss innovations with our Mandiant Solutions. And the first quarter we expanded Mandiant Advantage, our SaaS platform for security operations. By completing our integration with Respond Software, and that's the company we acquired in the fourth quarter of 2020. As Respond became another module in the Mandiant Advantage platform, we renamed it Mandiant Automated Defense, and we launched it in early April of 2021.
This capability automates the discovery and investigation of alerts at machine speed. The models in Automated Defense are trained and continuously updated with our threat intelligence and frontline expertise. So using Mandiant Automated Defense is like having a team of Mandiant experts right there in your security operations center.
Mandiant Automated Defense currently integrates with more than 70 products from other security vendors. So customers with multi-vendor environments can leverage automated defense to better safeguard their networks. We also integrated Automated Defense with our FireEye Network email and endpoint security controls, as well as with Helix.
With the addition of Respond, the mandiant advantage now includes three modules, our threat intelligence model, our security validation module, and our automated defense module. Each of these modules are available as technology or as a managed service.
Second, we expanded Mandiant Security validation with a onetime, paid service to emulate an adversary and answer the question, what is a customer's capability to defend itself against a particular threat? We refer to this onetime offering is validation on demand so our customers can simply and safely test what they need when they need it without an ongoing validation subscription.
In addition to the updates in Mandiant Advantage, our managed defense offering integrated support for customers that use Microsoft Defender for endpoint. This allows our experts to rely on and interact with Microsoft Defender for endpoint to detect and respond to potential security incidents. This also allows Microsoft Defender customers a way to benefit from Mandiant’s intelligence and expertise. This is the first native third-party endpoint integration and managed defense and expands the addressable market for our managed defense capability to more than 1 billion Microsoft endpoints.
The automated defense capability expands the potential for Mandiant-managed defense to support over 70 different security controls. As we deliver a controls agnostic XDR service to the market, we expect to be able to rapidly support additional controls with our managed defense offering. So stay tuned.
And now I'd like to turn to the innovations we accomplished in our FireEye products. Our FireEye Security Suite continued delivering industry-leading detection and protection for our customers through our next generation XDR platform with native endpoint, network and email capabilities. Our strategy of meeting customers where they are continues to be as effective as we deploy our solutions on-premise in the cloud and in the hybrid environments. Specifically, we saw above market growth for cloud endpoints, high network security subscription renewal rates, and a strong quarter for large email security deals.
As you may recall, we hired Brian Palma the first quarter to lead our product team. And he has been particularly focused on four areas. First, improving the user experience across our suite of products. Second, increasing our detection efficacy by integrating our threat intelligence, frontline expertise, and updating our machine learning algorithms. Third, enabling better cloud security. And fourth extending Helix functionality as a correlation engine for enterprise wide XDR, I will mention just a few of recent milestones that we have achieved with our product team over the last quarter.
First, we both did our endpoint extensible framework by adding three additional modules, bringing the total available FireEye endpoint modules to 12. And these modules are available for download on the FireEye Marketplace and incidentally, were responsible for identifying 35% of the threat actions in the recent MITRE attack test. Later this year, we plan to unleash the full power of the endpoint extensible framework by allowing customers, partners, and our consultants and other consultants to leverage our APIs to develop real time modules for combating threats in the wild.
Second, we launched our Ask an Expert capability across our endpoint platform. And this provides customers instant access to Mandiant experts when they need immediate help. And last, we extended our industry-leading network detection capabilities to our cloud native detection on demand solution. Detection on demand can detect malicious files or malicious URLs across CRM, social media, messaging and storage applications. We recently added this capability across the leading collaboration tools, such as Microsoft OneDrive, Slack, Salesforce, G Suite and Box applications.
And now I'd like to wrap up my prepared remarks. With the recent breach headlines as a catalyst, we are seeing customers re-evaluate their security programs and look to us for solutions that deliver better security outcomes. I believe our position of trust, derived from nearly two decades of responding security incidents that matter puts us at the forefront of the changes required to combat the current threat environment.
I am confident 2021 will be a year in which FireEye continues to demonstrate to our customers that we provide the best line of defense. We are off to a great start with our first quarter and I want to thank all the FireEye employees for their hard work and bringing us to this point. And I would like to thank our customers, our partners and our investors for their continued support.
With that, I'll turn the call over to Frank for more details on our financial performance. Frank?
Frank Verdecanna
Thanks, Kevin, and hello to everyone on the call. Thank you for joining us today. To summarize, last quarter, we predicted that the momentum from the second half of 2020 would carry forward into 2021. And this was clearly true.
It’s worth repeating that Q1, 2021 was our best first quarter performance in the company's history. And it follows an equally strong Q4 of 2020. Our Billings, revenue and ARR year-over-year growth rates accelerated from Q4 to Q1 on continued strength in our strategic platform cloud subscriptions, and services categories. The strength in our top-line metrics translate into overachievement on our operating metrics, and allowed us to raise our outlook for the year for revenue, gross margin, operating margin and EPS for the remainder of 2021.
Before we move on to the detail of our Q1 results in our guidance for Q2, and the updated guidance for the full year 2021, let me remind you that I'll be referring to non-GAAP metrics, except for revenue and operating cash flow. Our non-GAAP measures exclude stock-based compensation, amortization of intangibles, non-cash interest expense on our convertible debt, and convertible preferred equity, restructuring charges, accretion on series a convertible preferred stock and other non-recurring items.
Turning to the Q1 details. We delivered revenue of $246 million, $8 million above the high end of our guidance range, and our second highest quarterly revenue ever. Revenue growth of approximately 10% was the highest quarterly year-over-year revenue growth and rate more than three years. Our performance was driven by the growing adoption of our cloud products and controls-agnostic Mandiant Solutions, reflecting the market evolution Kevin discussed, and the ongoing mix shift towards the higher growth areas of our business.
Revenue in the platform cloud subscription in Mandiant Services category increased 26%, reflecting the steady build in deferred revenue over the past two years. This category now accounts for 47% of non-services revenue, compared with just 39% a year ago. Note that both the growth and the mix shift are organic and reflective strength and cloud endpoint, threat intelligence and validation. Services revenue growth accelerated to 25% and reflected a combination of increased capacity from 2020 hires and a higher mix of incident response compared with Q1 of 2020.
Product and related subscription support revenue declined 8% year-over-year, reflecting lower deferred revenue balances at the beginning of the quarter, as higher appliance sales in previous years continue to amortize out of deferred revenue. I expect that the long tail of this trend will continue as hardware sales gradually decline over time, but that the impact on our total revenue and growth rates will diminish.
Total annualized recurring revenue increased 1% sequentially, and 9% year-over-year. Growth in platform cloud subscription and Mandiant Services ARR accelerated to 22% year-over-year and accounted for 55% of total ARR at quarter end, this compared with 49% in Q1 of ’20 and was a result of strong performance in cloud endpoint, threat intelligence and validation
Product and related subscription support ARR declined slightly both year-over-year and sequentially, as we continue to see stabilization in this area of the business. The shift in mix to our higher growth categories offset the typical seasonality we see in the Q1 ARR metric.
We remain focused on annualized recurring revenue and revenue as the most important indicators of our top-line performance and market adoption. The ARR metric provides insight into the expansion of our installed base of recurring subscriptions without regard to changes in average contract renewals of large contracts or hardware refresh cycles. As we've seen any or all these factors can cause volatility in the quarterly billings growth rates, especially within the breakout categories.
However, trended billings, especially when evaluated in conjunction with ARR performance can be useful as a leading indicator for revenue and the underlying business momentum. With that in mind, I'm pleased to report that billings grew 18% year-over-year, the highest billings growth rate in three years and the second quarter in a row double digit growth. Growth was broadly based across geographies, vertical markets and customer size. The weighted average contract length for recurring subscriptions was approximately 22 months, compared to 25 months in Q1 of 2020.
Looking at our billings performance by category, platform and cloud subscription and managed services billings increased 45% year-over-year to $76 million. This was the second consecutive quarter of above market growth and was achieved even though the average contract length declined by two months in that category. The Respond acquisition did not contribute materially in the quarter so the acceleration in Q1 reflects true momentum for our cloud-based products and controls agnostic Mandiant Solutions.
Services billings grew by 47% year-over-year. Although we emphasize revenue as the best performance metric for services. The billings growth in Q1 clearly demonstrates the sustained high level of demand for expertise.
Billing for on-premise product and related subscriptions and support declined by 70% year-over-year. This reflects continued year-over-year declines in appliance hardware sales, and a four month decline in average contract length for recurring subscriptions and support. Adjusting for the shorter ACL, that category would have declined to 6% year-over-year, better than our initial assumptions of approximately 10% to 11%. I believe our Billings, revenue and ARR performance in Q1 demonstrate the underlying strength of our business and the growing momentum for strategic solutions and services.
Before we return to margins, I'd like to make a quick comment about the decline in average contract length in Q1 and our assumptions going forward. Recall that we have been expecting the ACL to decline for quite a while as we increased our emphasis on ARR over multi-year contracts. The trend is healthy for our business and consistent with industry trends, and the higher mix of SaaS Billings, as well as the higher mix of renewals in the product and related category. ACL is difficult to forecast with precision on a quarter-by-quarter basis, but our assumption for the remainder of the year is that remains in the range of 20 to 24 months.
Turning to margins, our strong revenue performance resulted in an operating margin of 9%, above our guidance range of 6.5% to 7.5%. Gross profit margin was 73% compared to the top-end of our guidance at 71% and more than two points above Q1 2020 gross margin.
The increase reflected strong services gross margin due to a high mix of incident response and higher margins for our cloud-hosted products as we continue to achieve efficiencies and economies of scale.
Overall operating expenses declined about $4 million from the first quarter of 2020 and increased about $11 million sequentially. The sequential increase reflects the seasonal impact of employee-related expenses as payroll taxes and other expenses kick in at the beginning of the year, plus a full quarter Respond operating expenses and higher commissions associated with higher sales and incremental marketing programs to drive awareness and growth for our strategic solutions.
Earnings per share was $0.08 above our guidance range of $0.05 to $0.07. The weighted average fully diluted share count of 244 million reflected a full quarter of shares issued for the Respond acquisition as well as higher average share price during the quarter.
Turning to the cash flow on the balance sheet. With the acceleration in Billings growth and DSOs below 50 days for the second consecutive quarter. We generated cash flow from operations of $21 million. Capital expenditures of $10 million were above our guidance range of approximately $6 million. The increase in CapEx is primarily due to an increase in internally developed software as we ramp our investment in the modules of Mandiant Advantage platform, Cloud Endpoint and other strategic growth areas of the business.
Our balance sheet remains very healthy, and we ended the quarter with cash, cash equivalents and short term investments of $1.3 billion. We ended the quarter with accounts receivable of $109 million, the lowest level of accounts receivable since Q1 of 2018. Total deferred revenue at quarter end was $911 million of what 65% was current.
Now let's turn to our outlook for the second quarter and our updated outlook for the full year 2021. For Q2, we currently expect revenue in the range of $246 million to $250 million. For the product and related subscription and support and platform cloud subscription and managed services categories, we expect year-over-year growth rates approximately consistent with Q1. We expect the services year-over-year growth rates to be slightly less than the 25% we delivered in Q1, but still towards the high end of our 15% to 20% target range. This implies relatively flat services revenue with Q1, which assumes the mix of incident response versus other strategic consulting is closer to historical levels instead of the higher mix we saw in Q1.
We expect gross margin of between 72% and 73%. We expect services margins to decline slightly from Q1, assuming and lower mix of IR and return to the 52% to 54% range. We also expect products subscription and support gross margin to remain in the mid-70s. We expect operating margin of between 9% and 10%. This implies operating expenses are approximately flat with the first quarter on dollar basis. Using a fully diluted share count of 247 million shares, we expect fully diluted earnings per share of between $0.08 and $0.09.
For 2021, we are raising our revenue guidance range by $20 million at the midpoint representing growth of approximately 8% for the year. We expect gross margin of between 72% and 73%. We are raising our operating margin guidance range to 10% to 11%. These ranges results in a non-GAAP earnings per share of $0.39 to $0.41, based on a weighted average shares outstanding of approximately 250 million on a fully diluted basis.
Embedded within our annual guidance are several assumptions. Our annual growth rate assumes revenue from product and related subscriptions support to decline by 10% to 11% for the year. Revenue growth towards the higher end of 20% to 25% for our platform and cloud subscription and managed services. And we expect growth for Mandiant Services to continue to grow at around 20% year-over-year for the rest of the year. Please note that we are talking about annual growth rates for each of these categories and quarterly year-over-year growth rates for revenue can vary.
Our operating margin range assumes gradual improvement throughout the year, more heavily weighted to the second half of the year. We have assumed an increase in facilities and travel and entertainment expense in the second half, but at a lower overall expense level as compared to pre pandemic facilities and T&E levels. We also expect to increase investments and marketing to increase awareness for the Mandiant Advantage solutions. Finally, as these expense levels we expect an operating cash flow margin of about 10% for the full year. Given the low level of receivables as we enter Q2, we expect to see slightly negative operating cash flow in the second quarter.
Let me conclude by repeating that this Q1 was a great quarter and our updating outlook reflects our continued confidence in our future.
I'll now turn the call over to the operator for questions.
Question-and-Answer Session
Operator
Thank you. [Operator Instructions] Our first question comes from Sterling Auty with JPMorgan. You may proceed with your question.
Jackson Ader
Great. Thanks for taking our questions. This is Jackson Ader on for Sterling tonight. A couple of questions actually on Mandiant. How quickly do you think you can scale up the headcount that you need in order to kind of support that continued 20% growth through the rest of the year?
Kevin Mandia
That would be approximately 100 heads this year. We did similar number last year, and we anticipate being able to do it.
Frank Verdecanna
And we continue to be tracking to that. It's been very consistent kind of ramping of heads. And so we've been able to continue to deliver on that. And you've seen kind of 12 record quarters of services growth there.
Jackson Ader
And, Frank, I think you mentioned the -- the part of the strength you were seeing capacity expansion for some of those heads that you added in 2020. But just curious where utilization rates are at the moment? And where -- whether things are running a little bit hot relative to what you expected in this first quarter?
Frank Verdecanna
Yeah, I think it's been pretty, pretty much consistent with our expectations, but it has been running hot really for the last couple of years. Yeah, I think the threat environment obviously continues to be very elevated, and that has driven various areas of our consulting to be -- that was chargeable as it can be as a team.
Jackson Ader
Okay, great. Thank you.
Frank Verdecanna
Thank you.
Operator
Thank you. Our next question comes from Fatima Boolani with UBS. You may proceed with your question.
Fatima Boolani
Good afternoon. Thank you for taking my questions. Kevin, I'll start with you. You really quantified for us how much the business has transformed on every single one of your KPIs. So clearly, you've sort of crossed that chasm on the transition. So I'm wondering what's sort of the remaining 30% of the business, that is still in the non-recurring category. What sort of programs incentives, or mandates do you have in place to shepherd the rest of the customer base over to some of your newer solutions, but more importantly, the newer form factors with some of your existing solutions? Just the strategy behind that. And I have a follow up for Frank, please.
Kevin Mandia
Yeah, I think we could probably spend the rest of the call on the strategy there. We got numerous strategies. I think you're referring to our FireEye products, correct Fatima? And what is their strategy as that continues at least on the on-prem side to decelerate? First and foremost --
Fatima Boolani
That's exactly right.
Kevin Mandia
Yeah. First integrate -- I can tell you five years ago, first thing to do is get the IP out of the black box, I think it was literally a black box, by the way the appliance. So we've done that. And so it's focused on cloud, focused on integration of these products so you can get a suite that works together, focus on Helix being a to XDR platform, so that you can bundle email security, endpoint security, network security, and went on the bundling and the value you can get from that, because the folks that do and use FireEye products, rave about the detection efficacy. So now we just got to get that UI and usability improved. And that's something that everybody in software is always trying to do.
So quickly, again, cloudify it, period. And we've done that. So you can subscribe to all our software now. And then there's a cloud version for every single thing integrated and always keep working integration, say a better coordination between the products, make sure Helix is the nucleus of that XDR platform that we can bundle. So it's all integrated nicely and make sure to user experience continues to improve, those four things.
Fatima Boolani
I appreciate that. Frank maybe for --
Kevin Mandia
But I think it doesn’t work.
Fatima Boolani
That's helpful. Now, I appreciate it as a long tail, especially for all the support attached to your on-premise product suite. Frank, maybe the question for you. On Mandiant Advantage, I can appreciate, that you've only had sort of threat intelligence out as the module. Curious if you can share some adoption statistics, or ASP statistics? And what do you expect in terms of contribution from the new modules that have been now added to the family and now available at the full slate? How should we think about that, as it relates to contribution in 2021? And that's it for me. Thank you.
Frank Verdecanna
Yep. So we've seen -- it's obviously very early days of Mandiant Advantage. But, all our Intel offering right now is sold through Mandiant Advantage. And we had another really strong quarter through Mandiant Advantage for Intel, and that not caps-off a really strong year in 2020. So I would say, the new models we've added to it are ramping and going to do really well.
And obviously, if you look at the Mandiant Advantage umbrella, you've got validation in there, you've got threat intel, you've got our new automated defense with the Respond acquisition, and then we'll be launching Managed Defense Module in there. Those are all high growth areas for the business. And so we're pulling it all together and tying it all together with Mandiant Advantage. So that's going to be one of the primary growth drivers of the platform cloud bucket.
Fatima Boolani
Fair enough. Thanks for that.
Kevin Mandia
Thank you, Fatima.
Operator
Thank you. Our next question comes from Brian Essex with Goldman Sachs. You may proceed with your question.
Brian Essex
Great, good afternoon, and thank you for taking the question. Kevin, I was wondering if you maybe can circle back on Mandiant Advantage. Mow that you have like three main products of that modules within that platform? With regard to go-to-market, where are you seeing the most competition? Are these competitive displacements, are these Greenfield opportunities? And how much is driven by kind of the halo effect, if you will, of the solarwinds attack and what you've been able to do on the back of that?
Kevin Mandia
Yeah, so I'm going to peel that backwards. Brian. I think the halo effect from us for most being frontlines. It wasn't just solarwinds, but we find more zero days that I'm aware of than any other security company. And we find them by being on the frontlines responding to breaches. And as we do our investigations, we reach a point where we just don't know how the attacker broke in. So you start peeling back software like in December of a solarwinds and we found an implant. This year there’s others, I don't want to name every single customer we found a zero day at. But at the end of the day, that's what creates the halo effect is the knowledge itself, not the event. And we just happen to be on the front row seat for it.
So that does provide a tailwind for intelligence. Getting to Mandiant Advantage, what I see there is it's Greenfield, I don't believe it's ever existed where you can plug a technology and it's like adding 1000 experts to your network. You have to have to make Mandiant Advantage work. Here's the moat for it, Brian, you have to have a global Intel capability. And we have that we're in over 20 countries who speak over 30 languages. You have to own the front lines. And we have that where we did over 1,000 investigations last year. And a lot of people think, investigations are tactical, they're absolutely strategic.
It's how you get a front row seat to all the threats that are circumventing the safeguards of today, so we can with Mandiant Advantage our international intelligence team, and our breach intelligence that we're getting every single day, we can feed it to products that just don't learn, don't think can adapt to static, which is the majority of security products today because they simply don't have the knowledge and the intelligence that we have, as we clean up the message left behind from a lot of these products.
So bottom line, I think business as a tailwind. I've been in the incident response business for 20 years, it was not a market 20 years ago, it was not a market 15 years ago, it was not a market 10 years ago. It's becoming popular now because people are starting to see the strategic value in having that knowledge. But we've been invested in that for 20 years, almost. So many Mandiant Advantage the Greenfield opportunity is to automate that expertise and that Intel and bring it to you at machine speed. And then it's naturally related Brian to validation, the ability to do safely past your security safely and simply do that.
If you’re to test your security you got to do with real threats and real knowledge. You can't just be hey, I made software that can simulate a threat. Well, where do you get the content for it? We got the content. And so I just love the Intel marries up perfectly with the validation story that we have. So finally got it all together. And then the automated defense component of Mandiant Advantage. We continue to learn with it, we continue to train it. And really it's a -- it's our way of automating finding a needle in the haystack, which we spend a lot of time doing every single bed.
So that's a long-winded answer. But bottom line Mandiant Advantage provides a lot of Greenfield opportunities for us. I don't think anything like this has existed in the past, because no company's done the work to have the Intel international collections capability, frontline expertise, and then the AI and machine learning.
Brian Essex
Got it? That's super helpful. Maybe just a follow up on sales and marketing. Maybe Frank, where you investing now? And how much is channel versus direct? And how mature is that sales force at this point?
Frank Verdecanna
I think the sales and distribution is very mature. But we're investing quite a bit now in areas of brand awareness on the Mandiant Solution side on the Mandiant Advantage side. The other thing we're doing is investing more on inside sales because a lot of the conversions and a lot of the pipeline build on Mandiant Advantage can be handled by an inside sales force. So I think we're seeing more leverage there. And a lot of the work that Brian's been working with the team on product side is really to help usability helping the products easily demo and easily deploy which will ultimately help our channel leverage.
Brian Essex
Got it. Thank you very much, guys. Appreciate it.
Kevin Mandia
Thanks, Brian.
Operator
Thank you. Our next question comes from Erik Suppiger with JMP Securities. You may proceed with your question.
Erik Suppiger
Yeah, thanks for taking the question. On the Mandiant Advantage, can you talk a little bit about ways that you're easing that into the customer base? Have you looked at using a freemium model? Or how quickly is that easily integrated into the customer's environment?
Kevin Mandia
Right now there is a freemium model that we have out there and 1000s of folks have taken advantage of that. And at the same timeframe, all our current threat intelligence customers have been moved on to Mandiant Advantage. We only just added the validation and the automated defense so that now with a single credential, our customers can see the unity and the true integration between all three of these modules in the platform. But that's how we've done it to-date. Converted our hundreds of threat intelligence customers to it. And then we have a freemium model.
And obviously our enterprise sales folks, we just had our second sales kick-off this year is actually last week. Because it's cloud-based software, we updated a heck of a lot faster, a couple updates every single week, even more than that sometimes. So we have to do more sales kick-off. So we just continue to enable the team on more than a quarterly basis. So
Frank, you want to add to that?
Frank Verdecanna
No, I mean, it's definitely a focus area for us. It's also something that we've spent more marketing dollars on because we are seeing a really nice pipeline build and really starting to see a nice conversion.
Erik Suppiger
Is that service lends itself more to a channel sale.
Frank Verdecanna
Yeah, I think one of the things that we really when we were creating Mandiant Advantage that was really focused on making it something that can easily be deployed, easily be demoed and easily be purchased and purchased modules within Mandiant advantage. So we've really worked on kind of that usability and the ease of use and ease of kind of purchasing. And I think that fits the channel really well.
Erik Suppiger
Very good. Thank you.
Frank Verdecanna
Thanks, Erik.
Kevin Mandia
Thank you.
Operator
Thank you. Our next question comes from Hamza Fodderwala with Morgan Stanley. You may proceed with your question.
Hamza Fodderwala
Hey, guys, good evening. And thank you for taking my question. Just two questions on
Mandiant Advantage and now automated defense. Curious for starters, how do you see that potentially perhaps, cannibalizing what was built initially, vis-à-vis helix, like our Helix customer, do you think over time going to be converted towards the Mandiant Automated Defense? I think that a lot of the use cases seem somewhat similar as Helix going to be more of a more of a data lake, that's going to underlie what you guys have here. I'm just curious on that.
Kevin Mandia
Yeah, there'll be an evolutionary, because Helix is the same with a ton of correlation rules and analytics. So what you'll see is there's humans that maintain that we do that though, when you get us you get our rules, you get our analytics, you get our expertise there. The difference is actually in how we provide the minimization of trillions of alerts down to actionable alerts and events is that we're using models in Mandiant Advantage with automated defense.
So to some extent, there's overlap. If you have great correlation rules, you have a mature SOC, you have 15 people maintaining your SIM, you may get the same outcome that you might get from a train system. But we do believe over time, Mandiant Advantage with models in it. And the fact that we're creating software that can think and learn is that that's going to overtake the human skills required to maintain those systems. So that's one of the big differences, just how we go about minimizing all the alert and volumes of alerts data down say, here's the threats that you got to pay attention to.
And then the second thing is, Helix has the data repository and you nailed it. It stores the data, it's got common event format rules in it, it is a SIM. Whereas Mandiant Advantage is a sidecar to SIM and it has to work with Mandiant SIMs. But it's applying the IP, that is our expertise in our intelligence, but it's doing it in a different way than how Helix does it.
So there will be -- depending on the customer, a customer may buy Helix get everything we ship with it and be happy with that. But they'll have to maintain some of their own correlation rules, where they can plug as a sidecar the Mandiant Advantage to get the rules and the minimization automated overtime.
Hamza Fodderwala
And then just on the automated response front. I mean, as far as the market stands today, sort of these XDR solutions. How much do you think like -- can actually be automated by software? I mean, I think like our own security team now sort of do one click type automation. And so I'm curious to like, really think about that where Mandiant comes in on the services side?
Kevin Mandia
Yeah, I'll start with this first. Nobody cares how you provide the outcome as long as you provide it. So I would say a lot of people that I talked to, they wish they had Mandiant Advantage sitting in their stock and steering at every alert. We can't offer that that doesn't scale. But one thing we can do is create a system that learns things and it can do the minimization as if it was us. Kind of do it as well as the human, probably not. Going to do a lot faster, absolutely. And in some use cases it will do it better than humans.
But I like it and it kind of at this stage and security. It's similar to pilots are still on the plane even though the plane can take off and land itself. To some extent it is going to mark with automated defense, but I like the idea. And we do this today by the way in all our products whether you have our network product or endpoint product or email security product or automated defense, we've got a team of experts. Our advanced practices, folks mining all that data all the time to see, did we miss anything? Is there anything there?
And we're going through all the metadata that we collect to make sure our customers are safeguarded. And thank you for giving me an opportunity to market that, because we never actually talked about it. But we have some of the smartest security professionals on the planet, constantly safeguarding our customers that have bought our products. And they don't even know when they purchase our products, that there's human intelligence behind it, as well as a backstop.
So I see over the next few years, when you're training systems, it'll be just like the airline industry. I think I want our experts to make sure to constantly test and train to make sure we know the efficacy and boundaries of our software. And we've learned a lot of lessons along the way. But that's what I would want to buy the outcome of saying, if I've got Mandiant Automated Defense, regardless to how we deliver it, whether we deliver at 99% tech or 92% tech, but it will be a lot of tech? I would just want the outcome that feels safe. And that's what we want to provide.
Hamza Fodderwala
That’s super helpful. Thank you.
Operator
Thank you. [Operator Instructions] Our next question comes from Saket Kalia with Barclays. You may proceed with your question.
Saket Kalia
Great. Hey, guys, thanks for taking my questions here. Kevin, maybe for you. For those threat Intel customers that have now moved to Mandiant Advantage? Is the additional sales opportunity from your perspective for those customers to maybe cross sell them something like security validation? Or once they move to Mandiant Advantage that they can receive additional flavors of threat intel to kind of segment that that price point? Does that make sense in terms of kind of that opportunity with the threat Intel base?
Kevin Mandia
Yeah, there's probably not one size fits all. But here's how -- I'm a security guy first and foremost, why do I want intel, either to stop something from happening or see if it could happen. Those two things. And that's how it gets into my operations. And so it's either -- and the third would be to anticipate, right.
So I think with Mandiant Advantage, if I'm sitting in a SOC and I've got our intel being applied to our data right away. And again it gives us a heads up display. So when I'm looking at alerts in my SIM with Mandiant Advantage, and the plugin that we've got with it, you're getting like a cockpit display like we got in the air force, where fighter pilots literally get the situational awareness displayed like front of their face. We do that.
Here's what we know, based on that IP address, that [indiscernible]. Here's additional data you can drill down on. And we want to make sure you don't have to Google when you're responding to an alert. It's all just presented to you, not just our intel, but open source intel as well. So that's what we provide.
But a great pivot would be you're going through your log files as an operator. Do I currently have the problem? Am I currently compromised? Yes or no, is question number one you want to answer with intel. When you're done with that, let's say you're not compromising have a fire to put out there's no smoke on your network. I would pivot to could that be, how well does this work? And Christy and the team has delivered that. Within the last week we exaggerated and we have the ability now to just go straight from Oh, thank God, I don't have that problem. But you know, what? Could I? Let's run a couple paths and see how we're doing. So that's a great logical -- and that's an upsell right in the software itself.
Our account managers, I'm sure we're going to mention it. And we've trained everybody to see the relationships between it. But if you want to have an Intel-driven SOC, again, you drive. You want Intel to stop things from happening, to detect if something's happened, and then test if it's possible, it could have even happened in the first place. And that and that's we're linking all those decision points into the software.
Saket Kalia
Got it? That makes a ton of sense. Frank, maybe for a quick follow up for you. For some of that product and related ARR. I mean, just to the earlier point made, I mean we certainly seen the transformation. But as you think about that product and related ARR, we call it that three to five year kind of -- I'm sorry, 3% to 5%, kind of year-on-year decline. The question is how much of that is from sort of natural terms that you would expect, versus customers opting for a cloud form factor that's in that platform line? Does that make sense?
Frank Verdecanna
Yeah, it's a mix of both. Yeah. So especially on the email, and endpoint side, you do have customers migrating from on-prem to cloud. On the network side, we don't have as much to that migration. So on the network side, if ARR is going down it's related to kind of a smaller customer churn, that's there. But it is a mix of both. I would say the migration isn't right now a huge factor to it. But going forward, obviously, that could accelerate. But then again, we get the upside on the platform cloud bucket if that did happen.
Saket Kalia
Got it. Guys, thanks a lot for squeezing me in here.
Kevin Mandia
Thank you, Saket. Appreciate it.
Operator
Thank you. And I'm not seeing any further questions. At this time, I would now like to turn the call back over to Kevin Mandia for any further remarks.
Kevin Mandia
I'd like to thank everybody for attending. I want to congratulate the FireEye team for a great first quarter. We've never been more relevant or more needed in cybersecurity. So I want to thank the teams that have been on the frontlines, finding the zero days and protecting our customers as well as organizations that are our customers. So with that, I want to thank everybody. I look forward to speaking to you in 90 days with another update. Take care.
Operator
Thank you. Ladies and gentlemen. This concludes today's conference call. Thank you for participating. You may now disconnect.