Logo of jester cap with thought bubble.

Image source: The Motley Fool.

FireEye (MNDT)
Q4 2020 Earnings Call
Feb 02, 2021, 5:00 p.m. ET

Contents:

  • Prepared Remarks
  • Questions and Answers
  • Call Participants

Prepared Remarks:


Operator

Ladies and gentlemen, thank you for standing by, and welcome to the FireEye Q4 2020 financial results conference call. [Operator instructions] I would now like to hand the conference to your speaker today, Kate Patterson with FireEye investor relations. Please go ahead, ma'am.

Kate Patterson -- Investor Relations

Thank you. Good afternoon, and thanks to everyone on the call for joining us today to discuss FireEye's financial results for the fourth quarter of 2020 and the full-year 2020. This call is being broadcast live over the Internet and can be accessed on the investor relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's chief executive officer; and Frank Verdecanna, executive vice president, chief financial officer, and chief accounting officer of FireEye.

After the market closed today, FireEye issued a press release announcing the results for the fourth quarter of 2020 and the full-year 2020. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectations for certain financial results and metrics, FireEye's priorities, initiatives, plans and investments; drivers and expectations for growth and business transformation; the expansion of FireEye's products, subscriptions and services and expectations, benefits, capabilities and availability of new and enhanced offerings; market opportunities and go-to-market strategies. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future, and we undertake no obligation to update these statements after the call.

10 stocks we like better than FireEye
When investing geniuses David and Tom Gardner have a stock tip, it can pay to listen. After all, the newsletter they have run for over a decade, Motley Fool Stock Advisor, has tripled the market.* 

David and Tom just revealed what they believe are the ten best stocks for investors to buy right now... and FireEye wasn't one of them! That's right -- they think these 10 stocks are even better buys.

See the 10 stocks

*Stock Advisor returns as of November 20, 2020

For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release posted an hour ago. Copies of these documents may be obtained from the SEC or by visiting the investor relations section of our website. Additionally, we provide certain non-GAAP financial measures that will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in the investor relations section of the website as well as in the earnings release.

Finally, I'd like to point out that we have posted supplemental tables and slides in the investor relations section of the website. With that, I'll turn the call over to Kevin.

Kevin Mandia -- Chief Executive Officer

Thank you, Kate, and thank you to all the investors, employees, customers and partners joining us on this call. We appreciate your continued interest and support. The last few months were a pivotal time in the cybersecurity industry. During the fourth quarter, FireEye discovered a supply chain compromised by detecting a malicious backdoor in the SolarWinds platform.

Further investigation showed that a threat actor had successfully implanted a backdoor, which we labeled SUNBURST, in over 18,000 companies and organizations. These 18,000 victims included several government agencies, and the original implant was delivered as far back as March of 2020. No security products or security team detected it until FireEye did in December, exposing a cyber espionage campaign of significant scale and impact. Once we discover the SolarWinds implant, we quickly built the capability to detect it with our products, thereby protecting customers and demonstrating the power of our innovation cycle.

We also shared all the details of the Sunburst implant and the attacker techniques publicly, providing the security community the knowledge required to help our collective game. This incident demonstrates the strategic importance of our Mandiant incident responders who routinely identify how attackers are evading security safeguards, providing FireEye knowledge about the attacker behavior before other organizations are even aware of the threats. I am proud of the FireEye team and the Mandiant investigators who found the SUNBURST backdoor not only for what this meant to our company, but for the impact it's had on the security community. Now let me turn to financial and business highlights.

We posted record revenue, record annualized recurring revenue, record non-GAAP operating income and record cash flow for both the fourth quarter and the full-year of 2020. We returned to billings growth in the fourth quarter, exiting the year with double-digit billings growth for the first time in over a year. More importantly, approximately two-thirds of our billings are now in our higher growth areas. We reduced operating expenses as a percentage of revenues while accelerating our investments in strategic solutions.

Operating expenses were over 100% as a percentage of revenues when I became FireEye's CEO in 2016. Today, our operating expense for 2020 was 63% of revenues, spending $74 million less in operating expenses in 2020 and generating $234 million more in revenue compared to 2016. We had very strong results in Mandiant Threat Intelligence and Security Validation, two areas we believe are essential differentiators for our growth. And we continue to post record results in our Mandiant Services business as we expanded our proactive offerings while responding to more security breaches than ever.

We closed 64 transactions greater than $1 million in the fourth quarter and 158 transactions greater than $1 million for the year. 85% of these $1 million transactions included three or more products or solutions. And last, but perhaps most importantly, we continued our positive mix shift to our cloud platform managed services and professional services categories. ARR for our cloud category is 53% of our total ARR and grew 20% year over year.

Revenues for our cloud category and our services category combined represented 55% of our revenues in 2020. The faster-growing areas of our company now comprise two thirds of our billings and more than half of our ARR and revenues, creating more of a tailwind for our performance in 2021. I believe these results illustrate the work we have done to transform our company from an APT detection appliance vendor to a Security as a Service vendor. In 2020, we accelerated our investments in the growth areas of our business while improving our overall financial performance and reorganized into two functional areas: our FireEye products that control technologies to best protect our customers from cyber-attacks and Mandiant Solutions, product-agnostic offerings that can enable and empower all security technologies to best leverage our frontline intelligence and security expertise.

I believe this organization alignment was critical to our success in the past year, and I will take you through the highlights of our progress in each area. First, I'd like to discuss the progress we have made with our Mandiant Solutions. In addition to our consulting practice, this organization includes several subscription offerings, threat intelligence, security validation, managed defense and now Respond Software. We are bringing all these subscription offerings together as a SaaS platform for security operations that we call Mandiant Advantage.

In the wake of a SolarWinds incident, now more than ever, our customers want situational awareness, rather than just an ever-expanding aggregate of alerts and data. We are providing this awareness with Mandiant Advantage. We believe the combination of our proprietary intelligence, data and expertise gives us a unique advantage to train machine learning models used to automate security operations. To this end, in October, we launched our first Mandiant Advantage platform module, Threat Intelligence.

This Mandiant Advantage release enables customers to rapidly operationalize our threat intelligence as well as open source intelligence into our customers' security operations workflow. We are nearly complete and migrating all of our existing intelligence customers to Mandiant Advantage. And we have built a strong pipeline of new customers through our free offering that we believe will drive strong growth in 2021. Over the course of 2021, we will also integrate our validation offering into Mandiant Advantage.

Our validation module will allow our customers to pivot from learning about a threat to testing their resilience to a threat. It is clear that customers need a solution that will measure and report on security effectiveness so they can both refine their security infrastructure to ensure they are protected from attacks and prioritize their security spending. I believe that is why validation was the fastest-growing solution in our portfolio in 2020. The third module that will be added to the Mandiant Advantage platform comes from our acquisition of the Respond XDR Software.

Respond's artificial intelligence and machine learning capabilities will allow organizations to leverage our intel and expertise to respond to security alerts at machine speed. This allows security teams to address the two biggest challenges facing organizations today, the critical lack of cybersecurity talent and the growing volume of data generated by digital transformation. Where customers lack the scale of their teams and resources, we will offer managed versions of all these capabilities in a channel-friendly offering. And as I alluded earlier, demand for our Mandiant Services continue to increase for primarily two reasons: first, to address the escalation of cyberattacks; and second, because we introduced new strategic services, including new security assessments focused on remote workforce, cloud security and ransomware.

As a result, our Mandiant Services organization had another record quarter in the fourth quarter. The 11th record quarter in a row and another record year. Revenue was up 20% in 2020 and exceeded $200 million for the first time, and as we enter 2021, we have more than $1 million in services deferred revenue -- $100 million, in services deferred revenue, representing future work we will deliver in 2021. While our Mandiant Solutions are controls agnostic, they work hand in hand with FireEye products to relentlessly protect their customers.

Our innovation cycle ensures our products are updated with the latest intelligence from the frontlines. The trends we have seen in FireEye products over the past few quarters continued in the fourth quarter. Our cloud endpoint and Helix posted continued strong results in the fourth quarter, and our network security product also had a strong quarter. We continue to offer best-of-breed detection and drive innovation across our entire product portfolio.

This was validated by two first place awards in the Naval Information Warfare Systems Command challenge in March for our endpoint security solution and in December for network security with SmartVision. Entering 2021, organizations are facing an ever-increasing barrage of cyberattacks that threaten our operations every day. Our position on the front lines of security and the quality of our intelligence represent a sustainable advantage for FireEye. We are leveraging this advantage in our security control products to deliver best-of-breed protection.

But we are focused on going beyond our controls technology and addressing the challenges of today's security operations by providing the Mandiant Advantage platform: first, to make it easy to operationalize our threat intelligence; second, to enable alert triage at machine speed through AI and machine learning technologies, so 100% of alerts are processed and high-risk indicators are prioritized for human analysis; third, to empower customers to measure, manage and communicate their security effectiveness and proactively test their resilience against the latest attacks; and lastly, to scale our expertise through technology, making it available on demand as a managed service or through professional services engagements, depending on our customers' needs. To support our growth initiatives, I'm pleased to announce that Bryan Palma has joined FireEye to lead our FireEye products organization. Bryan is an industry veteran who has led multiple software transformations toward SaaS and recurring revenue. I'm looking forward to partnering with Bryan to accelerate our product innovation.

Bill Robbins, who has managed our FireEye products for the past year, will continue to lead our go-to-market organization, including sales and marketing programs. We are also aligning our Mandiant Advantage platform under the leadership of our COO, Peter Bailey, to ensure we have the appropriate focus and execution on this priority. I am confident 2021 will be a year FireEye continues to differentiate by showing our customers the FireEye line of defense is the best line of defense. Now I'd like to thank our FireEye employees for a tremendous fourth quarter.

I'm very proud of our FireEye and Mandiant teams. How we came together to investigate the SolarWinds cyber espionage incident, identify the source of the attack and update our products with countermeasures. I have sat through hundreds, if not thousands of investigator briefings. And I was never more impressed than during our own team's briefing of the details of the SUNBURST implant.

I believe we and the global security community are stronger today than before. And FireEye will continue to do its part to ensure we are all informed and protected against similar emerging threats. With that, I'll turn the call over to Frank for more details on our financial performance and our outlook for 2021. Frank?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Thanks, Kevin, and hello to everyone on the call. Thank you for joining us today. Before we move on to the details of our Q4 and full-year 2020 results and our guidance for Q1 and full-year 2021, let me remind you that I'll be referring to non-GAAP metrics, except for revenue and operating cash flow. Our non-GAAP measures exclude stock-based compensation, amortization of intangibles, non-cash interest expense on our convertible debt and convertible preferred equity, restructuring charges and other nonrecurring items.

Consistent with the strength we have seen building throughout the year, we had a great finish to 2020. Our results were especially strong in the strategic platform, cloud subscription and Mandiant services category, which had Q4 year-over-year billings growth of 36%. We see this momentum carrying forward into 2021, which is reflected in our revenue guidance with a midpoint of $1 billion, which is a milestone very few companies ever reach. Turning to our Q4 results.

We overachieved on almost all financial and operating metrics. We delivered record revenue of $248 million, well above our guidance range of $237 million to $241 million. We generated record non-GAAP operating income of more than $30 million. We also generated more than $71 million in operating cash flow and $67 million in free cash flow.

And total annualized recurring revenue increased 4% sequentially and 8% year over year, as growth in platform, cloud subscription and managed services ARR accelerated and ARR for our mature on-premise solutions stabilized. We remain focused on annualized recurring revenue and revenue as the most important indicators of our top line performance. The ARR metric provides insight into the expansion of our installed base and the recurring subscriptions without regard to changes in average contract length, the timing of early renewals or hardware refresh cycles. As we've seen, any one or all of these factors can cause volatility in the year-over-year growth rate for billings, especially within the breakout categories.

We know many of you still look at billings as a leading indicator, and I'm pleased to report that we achieved the highest billings quarter ever and the strongest quarterly billings growth we've had in more than a year. Total billings grew 12% year over year, led by 36% year-over-year growth in the platform, cloud subscription and managed services category. The weighted average contract length for recurring subscription was about 25 months, which is in the same range of 23 to 27 months we've seen over the past three years. Our ARR and revenue performance clearly show the underlying momentum driving our strategic Mandiant Solutions forward.

ARR for the Platform, cloud subscription and managed services category increased 20% from a year ago and 8% sequentially to $340 million. This category now represents 53% of total ARR, up from 48% in Q4 of '19 and 39% in Q4 of '18. Within this category, Verodin, cloud endpoint and threat intelligence all had standout performances. The ARR for managed defense also expanded on strong new customer and follow-on bookings and expanded managed service offerings.

Revenue growth for platform, cloud subscription and managed services category mirrored ARR growth at 20% year over year. Professional services also posted a very strong quarter, with revenues up 15% year over year to a record $58 million. Very little of our Q4 services revenue was related to the SUNBURST incident as we were already operating near capacity when we discovered the breach. We did see an increase in customer demand for our expertise as the details of the incident unfolded.

This is a contributor to the growth of our current deferred revenue for services, which increased $21 million sequentially to $110 million. The services represented by this increase in deferred revenue includes strategic security assessments, security transformation projects, incident response retainers, red teaming and expertise on demand, most of which will be delivered in 2021. Turning to our more mature product and related subscription business, we continue to see stabilization in the fourth quarter. The ARR for product and related subscription category, which represents subscriptions to our dynamic threat intelligence feeds as well as maintenance and support for our on-premise solutions, was flat sequentially and declined 3% year over year.

The year-over-year decline in our on-premise ARR was more than offset by the growth in the cloud-based product ARR, especially cloud-based endpoint. Across all form factors, product ARR increased year over year and sequentially. Revenue for the product and related subscription and support declined 8% year over year, reflecting lower current deferred revenue balances as appliances sold in prior years are fully amortized under 606. Appliance sales from 2015 and 2016 are now fully amortized and we should see this headwind begin to moderate in 2021.

Our strong revenue performance resulted in a gross profit margin of 72% compared to the top end of our guidance at 71%. Gross margin was down slightly from a year ago, primarily due to a higher mix of services, 23% of revenue this year versus 21% of revenue a year ago. While services carry a lower gross margin, they require less sales and marketing expense. The strong growth in services in Q4 and throughout 2020 was a positive factor in driving the increase in operating profit this year.

Overall, operating expenses declined about $8 million from the fourth quarter of 2019, reflecting the cost reductions from the transformation work we did in the first half of 2020 and lower T&E and facilities costs. The cost reductions achieved through transformation and lower expenses from COVID were partially offset by higher commissions on higher sales, the addition of the Respond's operating expenses and investments in the strategic growth areas of the business. The combination of higher-than-expected revenue and reduced operating expense levels resulted in a record operating margin of 12%, above our guidance range of 10% to 11%. Earnings per share was $0.12, also above our guidance range.

The weighted average fully diluted share count includes 4.2 million shares issued to Respond stockholders weighted for the time they were outstanding. Turning to the cash flow and balance sheet. With billings growth in the double digits and a record low DSOs of 46 days, we generated record cash flow from operations of $71 million. For the year, we generated $95 million in operating cash flow.

With most of our facilities still close worldwide as well as the purchase of fewer demo appliances as we continue to shift toward cloud-based solutions, our capital expenditures were $4.1 million, resulting in record free cash flow in the fourth quarter of $67 million. Our balance sheet remains very healthy and we ended the year with cash, cash equivalents and short-term investments of $1.3 billion. The increase reflects our strong cash flow performance in the fourth quarter and the Blackstone and ClearSky investment of approximately $400 million, partially offset by the cash paid for the Respond acquisition. Now let's turn to our current outlook for the first quarter and full-year 2021.

For Q1, we currently expect revenue in the range of $235 million to $238 million. This is down at the midpoint from Q4 of '20 and reflects our typical seasonal revenue pattern. For the product and related and platform, cloud subscription and managed services categories, we expect year-over-year revenue growth rates consistent with Q4. For services, we expect revenue to be approximately equal to services revenue in Q4 as capacity increases related to hiring are offset by fewer billable days in Q1 compared to Q4.

We expect gross margin of between 70% and 71%, consistent with Q1 of '20. We expect operating margin of between 6.5% and 7.5%, implying a sequential increase in operating expenses of about $6 million at the midpoint. The increase reflects the normal increase in employee-related costs in Q1 and as well as the full quarter of Respond operating expenses. Using a fully diluted weighted average share count of 238 million, we expect fully diluted earnings per share of between $0.05 and $0.07.

For 2021, we expect revenue of approximately $1 billion at the midpoint, representing growth of approximately 6% for the year. We expect that revenue growth rate will increase by about one point each quarter as the momentum we see in the sales of our Platform, Cloud Subscription and Managed Services category increases deferred revenue and ARR. We expect gross margin of between 70.5% and 71.5%, consistent with our results throughout 2020. We expect operating margin of 9% to 10%.

These ranges result in a non-GAAP earnings per share of $0.35 to $0.37 based on a weighted average shares outstanding of 240 million to 245 million on a diluted basis. Embedded within our guidance are several assumptions. Our revenue growth rate assumes billings of approximately $1 billion following a seasonal pattern, consistent with our historical results and our average contract length of approximately 24 months for subscriptions. Our annual revenue growth rate also assumes revenue from product and related subscription and support to decline by about 10% to 11%, revenue growth of 20% to 25% for our Platform, Cloud Subscriptions and Managed Services.

We expect the growth rate for this category to increase through the year as deferred revenue balances increase consistent with the subscription model. And we expect growth of 15% to 20% for Mandiant Services. Please note that while we are talking about annual growth rates for each of these categories, the quarterly year-over-year growth rates for both billings and revenue can vary. Our operating margin range assumes gradual improvement throughout the year, more heavily weighted to the second half of the year.

We have assumed an increase in facilities and T&E expenses in the second half, but at a lower overall expense level as compared to prepandemic T&E levels. This offsets the reduced payroll taxes that has historically caused our opex to trend down in absolute dollars in the second half of the year. Finally, at these expense levels, we expect an operating cash flow margin of about 10% for the year. Given the great collections performance in Q4, we entered Q1 with a lower receivables balance than we did a year ago.

And given the impact of Q1 seasonality on Q2 collections, we expect almost all of our operating cash flow to be generated in the second half of the year weighted to Q4. Really, there is a lot of detail here, but to summarize, we expect revenue at about $1 billion, a major milestone in our evolution. Revenue growth is increasing as the growth in our strategic platform, cloud subscription and managed services category becomes a greater part of the overall mix. We have proven our ability to execute on the top line growth while managing our expenses and increasing operating leverage.

Our operating margin outlook reflects the balance of investing in strategic growth initiatives and continued emphasis on operational efficiency. We have made tremendous progress over the last four years. Even with the challenges of 2020, the cumulative effect of our competitive advantage, our focused investments and our operational discipline resulted in strong financial performance and growing momentum in the strategic growth areas of the business. Our transformation is not yet complete, but after more than eight years at FireEye, I've never been more confident in the market opportunity, our competitive advantages in intelligence and expertise and on our ability to execute.

I will now turn the call back over to the operator for questions.

Questions & Answers:


Operator

[Operator instructions] Our first question comes from Sterling Auty with JPMorgan. Your line is now open.

Sterling Auty -- JPMorgan Chase -- Analyst

Yes. Thanks. Hi guys. Kevin, I actually just want to start with a thank you to you and the FireEye team for finding the breach when you think about the impact of the government, private companies and kind of our country as a whole.

Thank you for the whole team for finding it.

Kevin Mandia -- Chief Executive Officer

Thank you, Sterling.

Sterling Auty -- JPMorgan Chase -- Analyst

Shifting over to questions. Can you give us a sense -- so obviously, you saw the big uptick in the services demand, it makes perfect sense. What have you seen in terms of any uptick in Managed Services or product follow on to that demand?

Kevin Mandia -- Chief Executive Officer

Yes. I can tell you, our managed defense had a great quarter. I can't say it's in relation to the SolarWinds incident because that happened so late in the quarter. We went public on that December 8.

I think we went public on the implant late on December 12. And that was kind of late in the quarter to have any real direct impact on the quarter. But managed defense had a great quarter, and cloud endpoint is something where everybody is working from home, they need to have a distributed endpoint protection. I think that our services, Sterling, was acting at capacity prior to the SolarWinds incident and after the SolarWinds incident.

So really, it's hard to measure a difference there when they're at capacity, and we just continue to hire and continue to perform there.

Sterling Auty -- JPMorgan Chase -- Analyst

Sounds good. Thank you.

Operator

Thank you. Our next question comes from Gregg Moskowitz of Mizuho. Your line is now open.

Gregg Moskowitz -- Mizuho Securities -- Analyst

OK. Thank you very much for taking that question. And I'd like to echo Sterling's thank you in a very heartfelt way. So maybe just to double click on some verse, if I could, Kevin.

A bit of a follow up to what Sterling was asking. So prospectively, what impact going forward do you expect to see as it relates to, A, your services business; and then B, your products business?

Kevin Mandia -- Chief Executive Officer

Well, I can tell you on the services side, this is the 11th straight record quarter we mentioned that. And I anticipate almost every quarter saying the same thing. But we think that services is strategically important to build the Mandiant Advantage platform and to make sure our products have the best detection in class. So what I've observed in the past is whenever we have a powerful services quarter, you do see all C levels rise.

And the nice thing about services, there's not a bake off for services. With the kind of work that we do, a lot of people know us for our incident response capability, and they feel that's very tactical. The reality is, when you respond to breaches, you don't just figure out what happened. You also have to figure out what to do about, which is very strategic.

So we've done a lot of advanced work on creating strategic consulting practices where we take folks without a breach and proactively taking their security programs from point A to point B, and we're seeing that grow well. When I look at the products, the one that I have as a top priority is Mandiant Advantage. We have differentiated threat intelligence. It absolutely matters.

When you can speak 30-something languages, you have analysts in 20-something countries, you respond to over 1,000 breaches a year. You do over 500 red teams a year. We know more about how attackers break in the networks than anybody. And we need to get that in a scalable way to technologies besides just FireEye's technology, and that's what we're doing with Mandiant Advantage.

So I think that's a great growth opportunity for us. And then the cloud versions of endpoint and Helix are doing very well as well. So when I look at the growth drivers for 2021, it's Mandiant Advantage. Services will keep doing what it always does, and we'll have a great year for cloud endpoint, great year for managed defense.

And that Mandiant Advantage, when you hear me say that, think of it as our intel and our validation combined with now the acquisition of Respond Software because we're going to put all that together over the calendar year.

Gregg Moskowitz -- Mizuho Securities -- Analyst

That's very helpful. And then maybe just a quick follow up, if I may. Frank, you mentioned that the 2015 and 2016 appliance lines have now been fully amortized. So do you think we're now in a position where you can perhaps grow even if just very modestly the product and related ARR from this point forward?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Yes. I think we've seen a stabilization on the product-related ARR. And as far as growing that, obviously, that depends on kind of the customers' preferences for cloud versus on premise. So I think ultimately, we're going to see a lot more growth in the platform, cloud subscription side.

But we are definitely encouraged by the fact that we've now had a couple of quarters of pretty strong stabilization on the product and related ARR. And so now that is not becoming a huge drag on ARR.

Gregg Moskowitz -- Mizuho Securities -- Analyst

All right. Terrific.

Operator

Our next question comes from Brian Essex with Goldman Sachs. Your line is now open.

Brian Essex -- Goldman Sachs -- Analyst

Thank you for taking the question and congratulations on the results, both operationally and financially. So I guess, Kevin, can we break down a little bit in terms of the Mandiant Advantage, the Mandiant Solutions side of the platform? As you roll out incremental features and functionality like threat intelligence and Respond, how does that translate into adoption and spend by customers? And is it -- are these, I guess, roll out is going to be substantially meaningful or more kind of gradual over time in terms of the way that they impact growth across the platform?

Kevin Mandia -- Chief Executive Officer

Well, a couple of comments on this, Brian. First, there's different speeds at which an organization works. We have Chris Key, who was our Verodin CEO, running the product development there. We're moving at speed.

It's all cloud for the cloud. And the No. 1 request that I get when I talk to CISOs is, first and foremost, we want to know what you guys know. Wouldn't it be great if we had a Mandiant expert looking at every single alert we've got, or you can do that with the Mandiant Advantage.

Why not backstop your team, whether it's experienced or inexperienced, with the best threat intelligence on the planet? So that makes sense to me. And then the second question we get, well, how do we know if all this stuff we're doing works? And that's the validation component. And we've lived our whole careers responding. And this year, we'll do over 1,000 investigations.

And these are firms that have bought the best technology you can buy. They have great capability and great people. So why are there still breaches? You have to test it with validation. Putting Intel, which we've already got in the platform, that's done, and that's modernized our intel offering and giving people the form factor they want.

They know what we know virtually and real time. We use it ourselves. So if we're responding to breach right now, everything we're seeing is going into the Mandiant Advantage. So if there's anything new, now our customers are aware of it at the same moment that we are, and we're getting that done.

Combining that with validation, we can answer the question, how good is my security. And that's the No. 1 metric that works in the boardroom. You get unvarnished truth by doing validation.

So it's a real integration. It's all going to be through log in with one account, all cloud based. And then what I really liked about it and we tested this with the ransomware actor known as MAZE, we did what's called on-demand validation, and we got a tremendous response to that because folks who had never used our validation before in under 30 minutes could download an agent, run the MAZE attack methodologies against their infrastructure and learn whether they could stop the attack or detect it or neither of those, which would be a bad outcome. And that's in under 30 minutes from deciding to use on-demand validation to getting real value.

So tremendous value prop. Those two things will be together within the next few months. And then putting Respond in is fantastic because we bought them because we want software at things and learns. And we've been on a 17-year quest.

They take the Mandiant Analyst and automate that person through technology. We do believe that you can automate a lot of the things that we do when we're hired to figure out what happened and what to do about it. So we want to automate not just the detection aspect of what we do, but the respond aspect of it. And I believe we can do that.

So we bought Respond. And with our managed defense capability and the thousands of customers we have and the 550 managing consultants we have. I just think we can train it better. We can feed it better security-relevant data and we can automate so many of the tests that we're doing.

So I know it's a long-winded answer, Brian, and probably didn't answer your question. Other than bringing intel validation in the Mandiant experts' thinking process to software is a powerful proposition that we're going to do in 2021.

Brian Essex -- Goldman Sachs -- Analyst

All right. That's super helpful. Maybe if I can sneak in a quick follow up. Any shift in your M&A pipeline given the strategic investment by Blackstone and ClearSky last quarter?

Kevin Mandia -- Chief Executive Officer

We did that to get absolute conviction to our strategy. We have a portfolio that's pretty darn broad, and we're making bets on portions of that portfolio in Blackstone. It just gave us conviction to the plan and really endorse to what our strategy is here with the Mandiant Advantage and what we're doing. So pretty pleased with that partnership.

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

And Brian, we're staying very close to a lot of the technologies out there, always looking for something that would benefit the platform. But at this point, I don't think there's any big holes that we feel like we need to fill in the near term.

Brian Essex -- Goldman Sachs -- Analyst

OK. Helpful color. Thank you very much.

Operator

Our next question comes from Fatima Boolani with UBS. Your line is now open.

Fatima Boolani -- UBS -- Analyst

Good afternoon. Thank you for taking the questions. Kevin, maybe I'll start with you. You have been incredibly candid about your experience in triaging this incident internally and incredibly frank about the details that have emerged in your own process.

And one of the things, I think, you mentioned in some of your own blogging and literature to the security community is some of the red team tools that you had to "burn" as a result of some of the aftermath of what has happened. So I'm curious, how much of that has maybe translated into revenue implications or implications for your Mandiant franchise in terms of the tools, your Mandiant personnel used to assess victimized customers? And then I have a follow up for Frank, please.

Kevin Mandia -- Chief Executive Officer

Yes. So first, there's no evidence, Fatima, there were red team tools that were stolen from us during a breach in the fourth quarter. There's no evidence they've been used by any third party, just us. Second, there's no impact.

What we do for living is respond to breaches. So all the R&D for our red team, almost all of it is done by the adversaries that we respond to. So what we've always done is repurpose the things that we see out in the wild. We will observe some malware and say, wow, if the threat actor did this and that, it might have been harder to detect or more effective.

So our red teams' R&D is augmented by cyber espionage campaigns from Russia, China, Iran, North Korea and other locations and by cyber criminals. And you're always advancing in any way. So as we respond to all these breaches, we keep upping the assessment capabilities that we have with our red teams, and I anticipate, first, we'll still be able to use the tools that we had in the past because there's always a big tail from the moment we first see a method used by an attacker to the security community's ability to defend against it. So no real impact at all.

And we're already off to using and simulating more recent attacks.

Fatima Boolani -- UBS -- Analyst

I appreciate that clarification. Frank, maybe for you, that $110 million in what is essentially Mandiant Services backlog that's sitting in your deferred revenue now. Can you give us a sense of how that has compared to prior periods, and even prior fourth-quarter period so we have a sense of how much larger the magnitude is post SUNBURST? And that's it for me.

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

It's an absolute record. So we ended the fourth quarter at $110 million. A year ago, we were at $95 million, but did also increase $21 million sequentially. And so I don't know -- SUNBURST probably had a little bit of an impact because we did have a lot of demand for our expertise from that incident.

But like Kevin mentioned during the prepared remarks that it really didn't have a lot of impact on our Q4 revenue results because that team was completely operating at capacity already. But it did give somewhat of a boost to the current deferred revenue on the professional services side. But we've been building that area for quite some time because of new offerings like expertise on demand have a nice impact to current deferred as well.

Fatima Boolani -- UBS -- Analyst

Very helpful. Thank you so much Frank.

Operator

Thank you. Our next question comes from Keith Bachman with BMO. Your line is now open.

Keith Bachman -- BMO Capital Markets -- Analyst

Hi. Thank you very much. I wanted to ask two. First, for you Kevin, is there any comments you wanted to make on ARR for '21? I know you mentioned that products could flatten out here without any direction.

But any other kind of puts and takes or parameters for growth you want to provide for ARR for '21?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Keith, this is Frank. Yes, I think for '21, we're not guiding to a specific ARR number, but I think what we'd expect to see throughout the year and ending the year is really stabilization on the product and related, but accelerated growth on the platform cloud subscription ARR. If you think about the investments we're making in the business and the areas that we're really excited about from a growth opportunity perspective, it's all driving that Platform, Cloud subscription and Managed Service ARR.

Keith Bachman -- BMO Capital Markets -- Analyst

OK. Then ARR just putting those two together, ARR growth should improve in '21 versus '20 then?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Correct.

Keith Bachman -- BMO Capital Markets -- Analyst

OK. Just turning back to services for a second. You're guiding 21% to 15% to 20% kind of services growth. I just wondered if you could help frame that a little bit in terms of the constraining variable because I would have thought that growth would have been candidly higher than that.

It may well end up being higher than that. But is the key just capacity and that it's linear growth and you just can't find enough people? Because it would seem like given all the incidents that happened toward the end of the year that you'd breach '20 and in fact growth would be higher during this current fiscal year than last figure. But maybe just flush that out a little bit for us.

Kevin Mandia -- Chief Executive Officer

Yes. And Keith, first and foremost, our intent is, could we grow services faster? Yes. But right now, what we've always had, and I've been doing this for 17 years, there does come a growth rate where, first and foremost, we're about quality and capability. So I think we can probably grow it faster, but at the same time frame, we're trying to take a lot of that capability.

And I don't think you'll ever completely replace humans in security. But we do want to have a platform that makes it easier for even our own services folks to scale. So I do believe we can deliver more today than yesterday in regards to services. And to put that in perspective, when I was responding to breaches, I only could respond one at a time.

We've got folks now at Mandiant responding to seven to eight different computer intrusions at one time. So we can already scale through technology as my hope that we meet the demand by being more technology enabled. We could go out and double the hiring rate right now. A, Frank would tell me he doesn't like the expenses that's adding.

But it also -- it gives our front-line consultants on 1.5 for a while. So there's a long winded way, and I could talk to you offline in a call back, when you assimilate new consultants, we got to teach them the Mandiant way. That takes time. And I just like a 15% to 20% growth rate.

And I find when you go to 25%, wheels on the basket wobbly from a quality standpoint. So we like it where it's at.

Keith Bachman -- BMO Capital Markets -- Analyst

Yes. Fair enough then. Just wanted to complement you on the slide deck. You guys have been doing this for a while.

And I just -- I think it's very helpful, so much appreciated. Thank you.

Operator

Thank you. Our next question comes from Walter Pritchard with Citi. Your line is now open.

Walter Pritchard -- Citi -- Analyst

Hi thanks. Kevin, just wondering on services and a touch of more recurring revenue type offerings on the services side. What are you seeing in the pipeline with this recent round of services engagements? And how does that compare differently at all to what you've seen historically there, just given the nature of the attack and the engagements?

Kevin Mandia -- Chief Executive Officer

Yes. I can tell you. I don't know if it's related to the attacks you dealt with, but I see a stronger relationship between doing services in our managed defense fleet behind our Mandiant Advantage behind. And I anticipate that to continue to grow.

I think there's always been the strong relation between those things. Because when our services folks show up, whether it's a strategic consulting engagement or it's an incident response, with incident response logically behind us, lead behind our XDR capability with our folks running it. And that immediately ups the security profile of our customers from point A to point B with shales up pretty quickly. But ever since we bought validation as well, it does take a while for our folks to get dependent on the software and get more technology enabled because we have years of doing red teaming our own way with our own platforms.

And then we bought Verodin. But the relationships are getting stronger. So in short, there will be a stronger correlation between services and a lead behind managed defense or a lead behind Mandiant Advantage whether we manage that capability or not for our customers.

Walter Pritchard -- Citi -- Analyst

Got it. And then just you mentioned $1 million deals, the high percentage of those that include three or more products. Could you help us maybe lay out what are the three most common products or sort of sets of products that you see when it is three or more that are coming together in the form of a deal?

Kevin Mandia -- Chief Executive Officer

Go ahead, Frank. Yes, we do review them every quarter. And go ahead, Frank.

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

And Kevin talked about for the year. But for the fourth quarter, basically, 50% of the greater $1 million transaction. So of the $64 million, 50% of them actually included services and 72% of them included four or more products. So what we're seeing in most of them is there's a services component and then there's a product component, and it might be network email endpoint, and then a managed defense or a threat intelligence as well.

So each feels a little bit different depending on the customer's need. But I think the thing that we're really happy about is we're seeing a lot of these platform deals where our detection products and our platform are part of it as well as some of the solutions. So it's really taking advantage of our intelligence and expertise and our best-in-class detection products.

Walter Pritchard -- Citi -- Analyst

Great. Thank you.

Operator

Thank you. Our next question comes from Erik Suppiger with JMP Securities. Your line is now open.

Erik Suppiger -- JMP Securities -- Analyst

Yes. Thanks for taking the question. Can you remind us how much of your professional services is coming from forensics and incident response?

Kevin Mandia -- Chief Executive Officer

It varies. It can be anywhere from about 30%, upwards about 50%, but it just jumps up and down. What I can tell you is we're almost always at the same utilization regardless of the mix. There's always something there for our folks.

If they're doing forensics, that's great. If they're not doing that, most of those folks can always be repurposed to strategic consulting or training and the other service lines.

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

And Erik, in 2020, obviously, it was a great year on the IR side. But if you looked across all of services, we had really strong growth across proactive, strategic and investigative. So it wasn't just the IR that had a record year, it's really being strategic and proactive as well.

Erik Suppiger -- JMP Securities -- Analyst

OK. Now it sounds as though you operate at capacity pretty much most all the time, and it doesn't sound like you're changing the rate of hiring in light of SUNBURST. You've talked a little bit about how this has helped out Mandiant Advantage and things like that. But can you discuss maybe which revenue streams get most affected by an incident like SUNBURST? Is there another area of product that is particularly reactive to opportunities arising from that?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Yes. I think one of the things if you look during the incident, we really validated how important our intelligence and expertise. The fact that FireEye was the only company out of 18,000 companies that was able to discover this breach after being out in the wild for almost nine months in a lot of companies, it really did validate the intelligence and expertise that we bring to the table. And so the fact that we have that innovation cycle and that our products are updated with that level of intelligence and expertise, it really does have a positive impact across our portfolio.

So obviously, intelligence and expertise is going to have a really strong tailwind because of that, but also our products because our products are getting smarter every day because of the intelligence and expertise.

Erik Suppiger -- JMP Securities -- Analyst

And can you remind us what contribution you get from the intelligence?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

So the intelligence is a really significant component of Mandiant Advantage, and it's probably the one area we'd expect the most growth in 2021.

Kevin Mandia -- Chief Executive Officer

Great. Thank you very much. Well, there's the direct results of intel, and then there's indirect. It's literally, a product without an innovation cycle, a product without a learning capability is not that valuable.

So the fact that we have something new every few minutes to go look for is very powerful. So Intel is pervades every single product that we have. Contributes to all of them.

Operator

Thank you. Our next question comes from Shaul Eyal with Oppenheimer. Your line is now open.

Shaul Eyal -- Oppenheimer & Co. -- Analyst

Thank you. Good afternoon everybody. Congrats on the healthy performance. Kudos again on the transparency back in December regarding the SUNBURST hack.

My question actually is on potential GDPR implications. You guys are obviously at the front lines. You guys are talking to so many of your customers. Have any of them began discussing with you some potential, I don't know, implications of spine that could be associated with the SUNBURST hack at this stage? Or is it preliminary right now?

Kevin Mandia -- Chief Executive Officer

Yes. I'm unaware of any risk in that area at this juncture, and I'd be shocked and astonished if that would occur.

Shaul Eyal -- Oppenheimer & Co. -- Analyst

Got it. Thank you so much for that. I appreciate it. Thank you.

Operator

Thank you. Our next question comes from Hamza Fodderwala with Morgan Stanley. Your line is now open.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Hey guys. Thank you for taking my question. I'd also like to echo my gratitude for your transparency. I'm wondering if you can talk a little bit about the growing sort of priority in demand for security, even prior to SUNBURST, right? I mean you obviously have had sort of an expanding attack surface area post-COVID, a lot more complexity that's come about as well.

So can you speak to that as it relates to your pipeline? And then more specifically, any sort of early thoughts that you have around security architectures, perhaps changing overall post-Sunburst or COVID. So just sort of the general commentary on both aspects.

Kevin Mandia -- Chief Executive Officer

Yes. Clearly, post COVID or everybody is working remotely. Remote workforce protection and things that come from remote workforce protection is better identity, better authentication and movement to the cloud. So everybody knew about those trends.

They got accelerated by the pandemic. In regard to something like a SolarWinds, whenever you have an attack that everybody's missed, and every single quarter that goes by, every organization depends more on their infrastructure, their IT infrastructure. It's gets everybody to think, what is the effectiveness of our security programs and how would we fare and how would we detect these sort of things? So I think there's going to be a couple of outcomes from this, especially from the big companies, where the risk profile is such that, hey, we've got to secure our supply chain. We've got to make sure we don't have to deal with sophisticated attacks or if we do, we'll have an awareness.

I think that's why we bought validation is, I think, it's going to be very important. It gives you unvarnished truth. You simulate attack, how did you do? So that's something that will increase. There's no question supply chain security is something that everybody is going to consider.

And then, obviously, all software companies are looking into how do they develop code, where their engineers, how their engineers check code in and how do you audit that so that none of us is a supply chain risk to the folks that we serve. So that's just a quick answer. It's probably a 45-minute discussion. But this breach got everybody to recognize there's a way to compromise some of the most secure organizations on the planet in a surreptitious way.

And that alarmed people. And with that alarm comes an awareness and a desire for it to not happen again.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Right. Right. Maybe just one quick follow up. Cybersecurity is obviously a top priority now for the Biden administration.

Obviously, FireEye has a pretty large footprint in the federal vertical. I'm wondering to what degree is the company being involved in sort of around advising the federal government around sort of best practices and taking a role in sort of improving our sort of national defense? And that's it for me.

Kevin Mandia -- Chief Executive Officer

Well, I appreciate that question. I think one of the biggest things that any administration would face is you have to impose risk and repercussions to sort of folks that attack American companies. And that's something that I think is not a divisive issue for our government, and they'll look into doing that. Starts with doctrine.

What do we stand for? And what are the behaviors we expect in cyber space. And then after the doctrine do the best you can to define the red line for cyber. The second thing is to make sure there's risks or repercussions to those who violate those rules. And those things are going to come to bear, I think, over the next few years.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Thank you very much.

Operator

Thank you. Our next question comes from Tal Liani with Bank of America.

Tal Liani -- Bank of America Merrill Lynch -- Analyst

Yes. Hi. Your services -- Mandiant is doing great. The legacy or the product is -- it's less bad, but it continues to decline.

Is there any consideration in the company to focus more on the services part and just not compete in areas where you're struggling or exit some of the areas that are related to products and turn the company into a complete service company? I'm trying to understand what goes through your mind when you think about the long-term strategy.

Kevin Mandia -- Chief Executive Officer

Yes, absolutely, Tal. I can tell you, first off, we know what our differentiators are, the world's best threat intelligence and incredible front-line expertise from Mandiant. We want to leverage those and prioritize our portfolio to take the most advantage over that. And I think one of the ways we do that is, in fact, with the Mandiant Advantage.

And we move fast. We have a cloud-based brain that thinks, that learns, that brings to market our intel, our ability to not just share with you what we know but automate all the analytics skills that we have and at the same time frame, automate our validation. Let's put it this way, Tal. Who wouldn't want a Mandiant expert looking at every single alert coming into their company.

We can bring that to bear through software. And that's always been our goal. So we're going to focus on doing that. And that's a long-winded way of saying we have prioritized our portfolio.

And we're prioritizing it based on what we're the best in the world at and we're most differentiated at.

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

And Tal, if you look at where we're putting the investment dollars, we're -- that's the area. We're investing in the strategic growth areas on the solutions side. But if you look at the product side, the cloud growth of pure products exceeded the decline on the on-premise solution. So we actually did see growth in the third and fourth quarters on the product side.

But also one really important point is the more mature area of the business is generating significant cash flow. And that cash flow has been put back and invested in the company in the high-growth areas. So I think, you can see that transformation happening as we speak. In the fourth quarter, two-thirds of our billings came from the high-growth areas of platform, cloud subscription and managed services and services.

So I think we're making that transformation. The more mature areas are helping fund that.

Operator

Our next question comes from Saket Kalia with Barclays. Your line is now open.

Saket Kalia -- Barclays -- Analyst

Hey guys. Thanks for fitting me in here. Hey Frank, maybe just first one for you, kind of housekeeping. Can you just remind us how big Respond was from an ARR perspective? And I realize it closed intra-quarter, so there probably wasn't a ton of revenue, but I would imagine we're acquiring a book of business from an ARR perspective.

So any guardrails you could give us on how much that might have contributed to platform ARR in the quarter?

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Yes. It added a little less than $5 million of ARR. It didn't have much contribution from a bookings, billings perspective in the fourth quarter of revenue. Because they were actually at January -- end of January fiscal year end.

So a lot of the deals that were in their fourth quarter actually closed in January of 2021. So it wouldn't be part of our Q4 results.

Saket Kalia -- Barclays -- Analyst

Got it. That's helpful. And then the quick follow up here is for you, Kevin. Obviously, a lot of focus on Mandiant Advantage threat and threat intel as sort of the starting point there.

FireEye's had a great threat intel offering for years and years now. Mandiant Advantage sort of takes that a step-up. I mean any broad brushes that you could talk about from a pricing premium perspective, right, when it comes to Mandiant Advantage threat intel versus sort of FireEye threat intel before?

Kevin Mandia -- Chief Executive Officer

So with respect to the addition -- so Mandiant Advantage, it's basically now the only way to consume that threat intelligence feed, and we've converted most of our existing threat intelligence customers to Mandiant Advantage platform. Where we'll really see the benefit is when we have multiple modules all connected through Mandiant Advantage. So you can think through when we add in validation and we add in the XDR capabilities from Respond, the synergies of having that all in one dashboard and all in one place will really come to bear.

Tal Liani -- Bank of America Merrill Lynch -- Analyst

Got it. Thanks again for the time guys. Thanks I appreciate it.

Operator

Thank you. I'm not showing any further questions at this time. I would now like to turn the call back over to Kevin Mandia for closing remarks.

Kevin Mandia -- Chief Executive Officer

I'd like to thank all of you for joining us today. We've done a great job on our transformation in 2020. The portions of our business that are faster growing are now the larger half of our business, which is very important. We enter 2021 with tailwinds to that portfolio that's higher growth, and we're more relevant than ever.

When you look at the cyber-espionage campaigns that we've responded to in the last month or two, everybody has cybersecurity top of mind. So we're very excited about 2021. And I look forward to updating you at the end of the first quarter on our progress. Thank you to all of you.

Operator

[Operator signoff]

Duration: 64 minutes

Call participants:

Kate Patterson -- Investor Relations

Kevin Mandia -- Chief Executive Officer

Frank Verdecanna -- Executive Vice president, Chief Financial Officer, and Chief Accounting Officer

Sterling Auty -- JPMorgan Chase -- Analyst

Gregg Moskowitz -- Mizuho Securities -- Analyst

Brian Essex -- Goldman Sachs -- Analyst

Fatima Boolani -- UBS -- Analyst

Keith Bachman -- BMO Capital Markets -- Analyst

Walter Pritchard -- Citi -- Analyst

Erik Suppiger -- JMP Securities -- Analyst

Shaul Eyal -- Oppenheimer & Co. -- Analyst

Hamza Fodderwala -- Morgan Stanley -- Analyst

Tal Liani -- Bank of America Merrill Lynch -- Analyst

Saket Kalia -- Barclays -- Analyst

More FEYE analysis

All earnings call transcripts