FireEye (NASDAQ:FEYE)
Q1 2021 Earnings Call
Apr 27, 2021, 5:00 p.m. ET

Prepared Remarks:


Operator

Ladies and gentlemen, thank you for standing by, and welcome to FireEye's Q1 2021 financial results conference call. [Operator instructions] Please be advised that today's conference may be recorded. [Operator instructions] I would now like to hand the conference over to your speaker today, Kate Patterson, investor relations for FireEye.

Kate Patterson -- Investor Relations

Thank you. Good afternoon, and thanks to everyone on the call for joining us today to discuss FireEye's financial results for the first quarter of 2021. This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's chief executive officer; and Frank Verdecanna, executive vice president, chief financial officer, and chief accounting officer of FireEye.

After the market closed today, FireEye issued a press release announcing the results for the first quarter of 2021. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectations for certain financial results and metrics, FireEye's priorities, initiatives, plans and investments, drivers and expectations for growth and business transformation, the expansion of FireEye's products, subscriptions and services and expectations, benefits, capabilities and availability of new and enhanced offerings, market opportunities and go-to-market strategies. These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future, and we undertake no obligation to update these statements after the call.

For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release posted an hour ago. Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, certain non-GAAP financial measures will be discussed on this call. We have provided reconciliations of these non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website as well as in the earnings release.

And finally, I'd like to point out that we have posted supplemental slides and financial statements on the Investor Relations section. With that, I'll turn the call over to Kevin.

Kevin Mandia -- Chief Executive Officer

Thank you, Kate, and thank you to all the investors, employees, customers and partners joining us on this call. I hope all of you are doing well, and I appreciate your interest in supporting FireEye. We executed well against our plan and exceeded our guidance ranges for all key financial metrics during the first quarter. During the quarter, two themes emerged to me: first, FireEye has made the turn in our transformation; and second, the need for our frontline expertise and intelligence is accelerating.

Let me speak briefly about these two themes before I turn to the first quarter highlights and how we are innovating to meet the vast opportunities that are in front of us. First, in regards to making the turn. We are seeing an ongoing mix shift in billings, revenue and ARR to the faster growing, more strategic areas of our business. In 2016, approximately 61% of the FireEye business was tied to our on-premise sandbox technology reported as product and product-related subscriptions, and this category was seeing billings decline in double digits by the first quarter of 2016.

In the first quarter of 2021, our strategic platform, cloud subscription, and managed services category, combined with our Professional Services to grow 46% year over year in billings and represented 69% of our total billings; and this is evidence of the turn we have made with our portfolio. And second, our technology, threat intelligence and expertise has never been in more demand. During the first quarter, organizations faced a complex and hostile threat environment, implants in the supply chain, zero-day exploits impacting popular products and an onslaught of ransomware and extortion occurred. As the threat environment escalates, conventional safeguards are not effective at reducing risk.

However, coupled with our expertise in intelligence, commonly used safeguards can adapt faster to the threats and protect customers far more effectively. Therefore, we continued innovating at speed to embed our threat intelligence and expertise into FireEye products as well as the Mandiant Advantage platform. Now let me discuss some first-quarter highlights. Team FireEye delivered a strong first quarter.

In addition to our financial performance, we continue to transform our business. Our mix of the platform, cloud subscription, and managed services category combined with our professional services grew from 56% of our total billings in the first quarter of 2020 to 69% of our total billings in the first quarter of 2021. This substantial mix shift is a testament to the efforts and progress we have made with our transformation. We also saw this trend in mix shift with respect to revenue and ARR.

Our mix of revenues in our platform, cloud subscription, and managed services category combined with professional services grew from 53% of our revenues in the first quarter of 2020 to 61% in the first quarter of 2021, and our mix of ARR grew from 49% to 55%, respectively. In short, I believe our mix is moving in the right direction. Demand for our Mandiant expertise remained strong this quarter, resulting in 25% year-over-year revenue growth. This was the 12th consecutive record quarter for Mandiant Services, as we continue to scale our capacity and expand our offerings to address emerging market needs such as zero trust, ransomware assessments, cloud migration and security validation.

Our platform, cloud subscription and managed services category had 45% year-over-year billings growth and 26% year-over-year revenue growth. While we saw strength across all the solutions in this category, the acceleration in growth was driven by our threat intelligence, security validation and cloud endpoint solutions. During the first quarter, we also closed 30 transactions greater than $1 million. More than 70% of these transactions included three or more products or solutions, and 60% of these 30 transactions included consulting services.

FireEye continued to prove the value of our frontline expertise and intelligence in the first quarter. We recently published our annual M-Trends report, which contains our observations about threats and effective remediation actions, and it was gleaned from frontline Mandiant investigations performed around the globe, and here are just a few of our findings. Nearly half of the 294 distinct malware families we observed in investigations last year were new and never seen before. More than 80% of these new malware families were not publicly available, meaning they were privately developed and availability was restricted in some way.

And 70% of all the malware families we observed were only found in a single intrusion set. These observations tell us that threat actors continue to innovate faster than the technologies customers are deploying to protect their networks and organizations are deploying to protect their networks. The attackers are learning new ways to circumvent conventional safeguards that cannot or do not learn from the front lines in a timely manner. And as a result of this, organizations are reevaluating the effectiveness of their cybersecurity investments.

They are looking for strategies to implement zero trust, to protect against ransomware, to secure their cloud environments, and they want to know how security processes with XDR and how machine learning and artificial intelligence can improve their security posture. And lastly, they want to validate if they are protected from the latest attacks. This list of topics and actions aligns well with FireEye's strengths. We have performed thousands of investigations into security incidents and considered all the various remediation activities to these incidents.

And we have learned how organizations can leverage our threat intelligence and expertise to make themselves more secure. Therefore, we continue to expand our solutions to meet this need. So first, I'd like to discuss innovations with our Mandiant Solutions. In the first quarter, we expanded Mandiant Advantage, our SaaS platform for security operations by completing our integration with Respond Software, and that's the company we acquired in the fourth quarter of 2020.

As Respond became another module in the Mandiant Advantage platform, we renamed it Mandiant Automated Defense, and we launched it in early April of 2021. This capability automates the discovery and investigation of alerts at machine speed. The models in Automated Defense are trained and continuously updated with our threat intelligence and frontline expertise. So using Mandiant Automated Defense is like having a team of Mandiant experts right there in your security operations center.

Mandiant Automated Defense currently integrates with more than 70 products from other security vendors, so customers with multi-vendor environments can leverage Automated Defense to better safeguard their networks. We also integrated Automated Defense with our FireEye network, email, and endpoint security controls as well as with Helix. With the addition of Respond, the Mandiant Advantage now includes three modules: our threat intelligence module, our security validation module, and our automated defense module. Each of these modules is available as technology or as a managed service.

Second, we expanded Mandiant Security Validation with a onetime paid service to emulate an adversary and answer the question, "what is a customer's capability to defend itself against a particular threat?" We refer to this onetime offering as validation on demand, so our customers can simply and safely test what they need when they need it without an ongoing validation subscription. In addition to the updates in Mandiant Advantage, our Managed Defense offering integrated support for customers that use Microsoft Defender for Endpoint. This allows our experts to rely on and interact with Microsoft Defender for Endpoint to detect and respond to potential security incidents. This also allows Microsoft Defender customers a way to benefit from Mandiant's intelligence and expertise.

This is the first native third-party endpoint integration in Managed Defense and expands the addressable market for our Managed Defense capability to more than 1 billion Microsoft endpoints. The automated defense capability expands the potential for Mandiant Managed Defense to support over 70 different security controls. As we deliver a controls-agnostic XDR service to the market, we expect to be able to rapidly support additional controls with our Managed Defense offering. So stay tuned.

And now I'd like to turn to the innovations we accomplished in our FireEye Products. Our FireEye Security Suite continued delivering industry-leading detection and protection for our customers through our next-generation XDR platform with native endpoint, network and email capabilities. Our strategy of meeting customers where they are continues to be effective as we deploy our solutions on-premise, in the cloud and in the hybrid environments. Specifically, we saw above-market growth for cloud endpoint, high network security subscription renewal rates and a strong quarter for large email security deals.

As you may recall, we hired Bryan Palma in the first quarter to lead our products team, and he has been particularly focused on four areas: first, improving the user experience across our suite of products; second, increasing our detection efficacy by integrating our threat intelligence, frontline expertise and updating our machine learning algorithms; third, enabling better cloud security; and fourth, extending Helix functionality as a correlation engine for enterprisewide XDR. I will mention just a few of the recent milestones that we have achieved with our products team over the last quarter. First, we bolstered our endpoint extensible framework by adding three additional modules, bringing the total available FireEye endpoint modules to 12. And these modules are available for download on the FireEye Marketplace and incidentally, were responsible for identifying 35% of the threat actions in the recent MITRE ATT&CK test.

Later this year, we plan to unleash the full power of the endpoint extensible framework by allowing customers, partners and our consultants, and other consultants to leverage our APIs to develop real-time modules for combating threats in the wild. Second, we launched our ask an expert capability across our endpoint platform. And this provides customers instant access to Mandiant experts when they need immediate help. And last, we extended our industry-leading network detection capabilities through our cloud-native detection on-demand solution.

Detection on demand can detect malicious files or malicious URLs across CRM, social media, messaging and storage applications. We recently added this capability across the leading collaboration tools such as Microsoft OneDrive, Slack, Salesforce, G Suite, and Box applications. And now I'd like to wrap up my prepared remarks. With the recent breach headlines as a catalyst, we are seeing customers reevaluate their security programs and look to us for solutions that deliver better security outcomes.

I believe our position of trust derived from nearly two decades of responding to security incidents that matter puts us at the forefront of the changes required to combat the current threat environment. I am confident 2021 will be a year in which FireEye continues to demonstrate to our customers that we provide the best line of defense. We are off to a great start with our first quarter, and I want to thank all the FireEye employees for their hard work in bringing us to this point. And I would like to thank our customers, our partners and our investors for their continued support.

With that, I'll turn the call over to Frank for more details on our financial performance. Frank?

Frank Verdecanna -- Executive Vice President, Chief Financial Officer, and Chief Accounting Officer

Thanks, Kevin, and hello to everyone on the call. Thank you for joining us today. To summarize, last quarter, we predicted that the momentum from the second half of 2020 would carry forward into 2021, and this was clearly true. It's worth repeating that Q1 2021 was our best first-quarter performance in the company's history, and it follows an equally strong Q4 2020.

Our billings, revenue, and ARR year-over-year growth rates accelerated from Q4 to Q1 on continued strength in our strategic platform, cloud subscription, and services categories. The strength in our top-line metrics translated into overachievement on our operating metrics and allowed us to raise our outlook for revenue for the year, for revenue, gross margin, operating margin, and EPS for the remainder of 2021. Before we move on to the details of our Q1 results and our guidance for Q2 and the updated guidance for the full-year 2021, let me remind you that I'll be referring to non-GAAP metrics except for revenue and operating cash flow. Our non-GAAP measures exclude stock-based compensation, amortization of intangibles, noncash interest expense on our convertible debt and convertible preferred equity, restructuring charges, accretion on Series A convertible preferred stock, and other nonrecurring items.

Turning to the Q1 details. We delivered revenue of $246 million, $8 million above the high end of our guidance range and our second highest quarterly revenue ever. Revenue growth of approximately 10% was the highest quarterly year-over-year revenue growth rate in more than three years. Our performance was driven by the growing adoption of our cloud products and controls-agnostic Mandiant Solutions, reflecting the market evolution Kevin discussed and the ongoing mix shift toward the higher-growth areas of our business.

Revenue in the platform, cloud subscription, and managed services category increased 26%, reflecting the steady build in deferred revenue over the past two years. This category now accounts for 47% of nonservices revenue compared with just 39% a year ago. Note that both the growth and the mix shift are organic and reflected strength in cloud endpoint, threat intelligence and validation. Services revenue growth accelerated to 25% and reflected a combination of increased capacity from 2020 hires and a higher mix of incident response compared with the Q1 of 2020.

Product and related subscription support revenue declined 8% year over year, reflecting lower deferred revenue balances at the beginning of the quarter as higher appliance sales in previous years continue to amortize out of deferred revenue. I expect that the long tail of this trend will continue as hardware sales gradually decline over time but that the impact on our total revenue and growth rates will diminish. Total annualized recurring revenue increased 1% sequentially and 9% year over year. Growth in platform, cloud subscription, and managed services ARR accelerated to 22% year over year and accounted for 55% of total ARR at quarter end.

This compares with 49% in Q1 of '20 and the -- was a result of strong performance in cloud endpoint, threat intelligence, and validation. Product and related subscription and support ARR declined slightly both year over year and sequentially as we continue to see stabilization in this area of the business. The shift in mix to our higher-growth categories offset the typical seasonality we see in the Q1 ARR metric. We remain focused on annualized recurring revenue and revenue as the most important indicators of our top-line performance and market adoption.

The ARR metric provides insight into the expansion of our installed base of recurring subscriptions without regard to changes in average contract length, renewals of large contracts or hardware refresh cycles. As we've seen, any or all of these factors can cause volatility in the quarterly billings growth rates, especially within the breakout categories. However, trended billings, especially when evaluated in conjunction with ARR performance, can be useful as a leading indicator for revenue and the underlying business momentum. With that in mind, I'm pleased to report that billings grew 18% year over year, the highest billings growth rate in three years and the second quarter in a row of double-digit growth.

Growth was broadly based across geographies, vertical markets, and customer size. The weighted average contract length for recurring subscriptions was approximately 22 months compared to 25 months in Q1 of 2020. Looking at our billings performance by category. Platform, cloud subscription, and managed services billings increased 45% year over year to $76 million.

This was the second consecutive quarter of above-market growth, and it was achieved even though the average contract length declined by two months in that category. The Respond acquisition did not contribute materially in the quarter, so the acceleration in Q1 reflects true momentum for our cloud-based products and controls-agnostic Mandiant Solutions. Services billings grew by 47% year over year, although we emphasized revenue as the best performance metric for services. The billings growth in Q1 clearly demonstrates the sustained high level of demand for our expertise.

Billings for on-premise product and related subscriptions and support declined by 17% year over year. This reflects continued year-over-year declines in appliance hardware sales and a four-month decline in average contract length for recurring subscriptions and support. Adjusting for the shorter ACL, the category would have declined just 6% year over year, better than our initial assumptions of approximately 10% to 11%. I believe our billings revenue and ARR performance in Q1 demonstrates the underlying strength of our business and the growing momentum for our strategic solutions and services.

Before we return to margins, I would like to make a quick comment about the decline in average contract length in Q1 and our assumptions going forward. Recall that we have been expecting the ACL to decline for quite a while as we increased our emphasis on ARR over multiyear contracts. The trend is healthy for our business and consistent with industry trends and the higher mix of SaaS billings as well as the higher mix of renewals in the product and related category. ACL is difficult to forecast with precision on a quarter-by-quarter basis, but our assumption for the remainder of the year is that it remains in the range of 22 to 24 months.

Turning to margins. Our strong revenue performance resulted in an operating margin of 9%, above our guidance range of 6.5% to 7.5%. Gross profit margin was 73% compared to the top end of our guidance at 71% and more than two points above Q1 2020 gross margin. The increase reflected strong services gross margin due to a high mix of incident response and higher margins for our cloud-hosted products as we continue to achieve efficiencies and economies of scale.

Overall, operating expenses declined about $4 million from the first quarter of 2020, an increase of about $11 million sequentially. The sequential increase reflects the seasonal impact of employee-related expenses as payroll taxes and other expenses kick in at the beginning of the year, plus a full quarter of Respond operating expenses and higher commissions associated with higher sales and incremental marketing programs to drive awareness and growth for our strategic solutions. Earnings per share was $0.08, above our guidance range of $0.05 to $0.07. The weighted average fully diluted share count of 244 million reflected a full quarter of shares issued for the Respond acquisition as well as higher average share price during the quarter.

Turning to the cash flow and the balance sheet. With the acceleration in billings growth and DSOs below 50 days for the second consecutive quarter, we generated cash flow from operations of $21 million. Capital expenditures of $10 million were above our guidance range of approximately $6 million. The increase in CAPEX is primarily due to an increase in internally developed software as we ramp our investment in the modules of Mandiant Advantage platform, cloud endpoint, and other strategic growth areas of the business.

Our balance sheet remains very healthy, and we ended the quarter with cash, cash equivalents, and short-term investments of $1.3 billion. We ended the quarter with accounts receivable of $109 million, the lowest level of accounts receivables since Q1 of 2018. Total deferred revenue at quarter end was $911 million, of which 65% was current. Now let's turn to our outlook for the second quarter and our updated outlook for the full-year 2021.

For Q2, we currently expect revenue in the range of $246 million to $250 million. For the product and related subscription and support and platform, cloud subscription, and managed services categories, we expect year-over-year growth rates approximately consistent with Q1. We expect the services year-over-year growth rates to be slightly less than 25% we delivered in Q1 but still toward the high end of our 15% to 20% target range. This implies relatively flat services revenue with Q1, which assumes the mix of incident response versus other strategic consulting is closer to historical levels instead of the higher mix we saw in Q1.

We expect gross margin of between 72% and 73%. We expect services margins to decline slightly from Q1, assuming a lower mix of IR and return to the 52% to 54% range. We also expect product subscription and support gross margin to remain in the mid-70s. We expect operating margin of between 9% and 10%.

This implies operating expenses are approximately flat with the first quarter on a dollar basis. Using a fully diluted share count of 247 million shares, we expect fully diluted earnings per share of between $0.08 and $0.09. For 2021, we are raising our revenue guidance range by $20 million at the midpoint, representing growth of approximately 8% for the year. We expect gross margin of between 72% and 73%.

We are raising our operating margin guidance range to 10% to 11%. These ranges result in a non-GAAP earnings per share of $0.39 to $0.41 based on a weighted average shares outstanding of approximately 250 million on a fully diluted basis. Embedded within our annual guidance are several assumptions. Our annual growth rate assumes revenue from product and related subscription and support to decline by 10% to 11% for the year; revenue growth toward the higher end of 20% to 25% for our platform and cloud subscription and managed services; and we expect growth for Mandiant Services to continue to grow at around 20% year over year for the rest of the year.

Please note that we are talking about annual growth rates for each of these categories, and quarterly year-over-year growth rates for revenue can vary. Our operating margin range assumes gradual improvement throughout the year, more heavily weighted to the second half of the year. We have assumed an increase in facilities and travel and entertainment expenses in the second half but at a lower overall expense level as compared to pre-pandemic facilities and T&E levels. We also expect to increase investments in marketing to increase awareness for the Mandiant Advantage solutions.

Finally, at these expense levels, we expect an operating cash flow margin of about 10% for the full year. Given the low level of receivables as we enter Q2, we expect to see slightly negative operating cash flow in the second quarter. Let me conclude by repeating that this Q1 was a great quarter, and our updated outlook reflects our continued confidence in our future. I will now turn the call over to the operator for questions.

Questions & Answers:


Operator

Thank you. [Operator instructions] Our first question comes from Sterling Auty with J.P. Morgan. You may proceed with your question.

Jackson Ader -- J.P. Morgan -- Analyst

Great. Thanks for taking our questions. This is Jackson Ader on for Sterling tonight. A couple of questions actually on Mandiant.

How quickly do you think you can scale up the headcount that you need in order to kind of support that continued 20% growth through the rest of the year?

Kevin Mandia -- Chief Executive Officer

That would be approximately 100 heads this year. We did a similar number last year, and we anticipate being able to do it.

Frank Verdecanna -- Executive Vice President, Chief Financial Officer, and Chief Accounting Officer

And we continue to be tracking to that. It's been very consistent kind of ramping of heads. And so we've been able to continue to deliver on that, and you've seen kind of 12 record quarters of services growth there.

Jackson Ader -- J.P. Morgan -- Analyst

And Frank, I think you mentioned the -- that part of the strength that you're seeing capacity expansion for some of those heads that you added in 2020. But just curious where utilization rates are at the moment and where -- what things are running a little bit hot relative to what you expected in this first quarter.

Frank Verdecanna -- Executive Vice President, Chief Financial Officer, and Chief Accounting Officer

Yes. I think it's been pretty much consistent with our expectations, but it has been running hot really for the last couple of years. I think the threat environment obviously continues to be very elevated, and that has driven the various areas of our consulting to be about as chargeable as you can be as a team.

Jackson Ader -- J.P. Morgan -- Analyst

OK. Great. Thank you.

Kevin Mandia -- Chief Executive Officer

Thank you.

Operator

Thank you. Our next question comes from Fatima Boolani with UBS. You may proceed with your question.

Fatima Boolani -- UBS -- Analyst

Good afternoon. Thank you for taking my questions. Kevin, I'll start with you. You really quantified for us how much the business has transformed on every single one of your KPIs.

So clearly, you've sort of crossed that chasm on the transition.

Kevin Mandia -- Chief Executive Officer

Yes.

Fatima Boolani -- UBS -- Analyst

So I'm wondering what's sort of the remaining 30% of the business that is still in the nonrecurring category. What sort of programs, incentives or mandates do you have in place to shepherd the rest of the customer base over to some of your newer solutions but more importantly, the newer form factors of some of your existing solutions, just the strategy behind that? And then I have a follow-up for Frank, please.

Kevin Mandia -- Chief Executive Officer

Yes. I think we could probably spend the rest of the call on the strategy there. We got numerous strategies. I think you're referring to our FireEye products, correct, Fatima, and what is our strategy as that continues, at least on the on-prem side to decelerate.

First and foremost --

Fatima Boolani -- UBS -- Analyst

That's exactly right.

Kevin Mandia -- Chief Executive Officer

Yes. First, integrate -- I mean, I can tell you, five years ago, the first thing you do is get the IP out of the black box. I think it was literally a black box, by the way, the appliance. So we've done that.

And so it's focused on cloud, focused on integration of these products so you can get a suite that works together, focus on Helix being a true XDR platform so that you can bundle email security, endpoint security, network security and win on the bundling and the value you can get from that because the folks that do use FireEye products rave about the detection efficacy. So now we just got to get that UI and usability improved, and that's something that everybody in software is always trying to do. So quickly, again, cloudify it, period, and we've done that. So you can subscribe to all our software now, and there's a cloud version for every single thing.

Integrate it and always keep working on integrations to get better coordination between the products. Make sure Helix is the nucleus of that XDR platform that we can bundle, so it's all integrated nicely; and make sure the user experience continues to improve, those four things.

Fatima Boolani -- UBS -- Analyst

I appreciate that. Frank, maybe for you --

Kevin Mandia -- Chief Executive Officer

There's four more too, but I think those will work.

Fatima Boolani -- UBS -- Analyst

That's helpful. No. I appreciate it's a long tail, especially for all the support attached to your on-premise product suite. Frank, maybe the question for you, on Mandiant Advantage, I can appreciate that you've only had sort of Threat Intelligence out as the module.

Curious if you can share some adoption statistics or ASP statistics. And what do you expect in terms of contribution from the new modules that have been now added to the family and now available at a full slate? How should we think about that as it relates to contribution in 2021? And that's it for me. Thank you.

Frank Verdecanna -- Executive Vice President, Chief Financial Officer, and Chief Accounting Officer

Yes, Fatima. We're -- so we've seen -- it's obviously very early days of Mandiant Advantage, but all our intel offering right now is sold through Mandiant Advantage, and we had another really strong quarter through Mandiant Advantage for intel, and that caps off a really strong year in 2020. So I would say the new modules we've added to it are ramping and going to do really well. And obviously, if you look at the Mandiant Advantage umbrella, you've got validation in there.

You've got threat intel. You've got our new automated defense with the Respond acquisition, and then we'll be launching managed defense module in there. Those are all high-growth areas for the business, and so we're pulling it all together and tying it all together with Mandiant Advantage. So that's going to be one of the primary growth drivers of the platform cloud bucket.

Fatima Boolani -- UBS -- Analyst

Fair enough. Thanks for that.

Kevin Mandia -- Chief Executive Officer

Thank you, Fatima.

Operator

Thank you. Our next question comes from Brian Essex with Goldman Sachs. You may proceed with your question.

Brian Essex -- Goldman Sachs

Great. Good afternoon, and thank you for taking the question. Ken, I was wondering if you maybe can circle back on Mandiant Advantage now that you have those three main products of that modules within that platform. With regard to go to market, where are you seeing the most competition? Are these competitive displacements? Are these greenfield opportunities? And how much is driven by kind of the halo effect, if you will, of the SolarWinds attack and what you've been able to do on the back of that?

Kevin Mandia -- Chief Executive Officer

Yes. So I'm going to peel that backwards, Brian. I think the halo effect from us being on front lines, it wasn't just SolarWinds, but we find more zero-days that I'm aware of than any other security company. And we find them by being on the front lines responding to breaches.

And as we do our investigations, we reach a point where we just don't know how the attacker broke in. So you start peeling back software like in December with SolarWinds, and we found an implant. This year, there's others. I don't want to name every single customer we found a zero-day app.

But at the end of the day, that's what creates the halo effect is the knowledge itself, not the event, and we just happen to be at the front row seat for it. So that does provide a tailwind for intelligence. Getting demand in Advantage, what I see there is it's greenfield. I don't believe it's ever existed where you can plug a technology in and it's like adding a thousand experts to your network.

You have to have -- to make Mandiant Advantage work, here's the moat for it, Brian. You have to have a global intel capability, and we have that. We're in over 20 countries. We speak over 30 languages.

You have to own the front lines, and we have that, where we did over a thousand investigations last year. And a lot of people think, oh, investigations are tactical. They're absolutely strategic. It's how you get a front-row seat to all the threats that are circumventing the safeguards of today, so we can, with Mandiant Advantage, with our international intelligence team, and our breach intelligence that we're getting every single day, we can feed it to products that just don't learn, don't think, can adapt, too static, which is the majority of security products today because they simply don't have the knowledge and the intelligence that we have as we clean up the messes left behind from a lot of these products.

So bottom line, I think those -- that whole business has a tailwind. But I've been in the incident response business for 20 years. It was not a market 20 years ago. It was not a market 15 years ago.

It was not a market 10 years ago. It's becoming popular now because people are starting to see the strategic value in having that knowledge, but we've been invested in that for 20 years almost. So Mandiant Advantage, the greenfield opportunity is to automate that expertise in that intel and bring it to you at machine speed. And then it's naturally related, Brian, to validation, the ability to safely test your security, safely and simply do that.

You can't -- if you're going to test your security, you got to do with real threats and real knowledge. You can't just be, hey, I made software that can simulate a threat. Well, where do you get the content for it? We got the content. And so I just love the intel marries up perfectly with the validation story that we have.

So finally got it all together, and then the Automated Defense component of Mandiant Advantage, we continue to learn with it. We continue to train it. And really, it's a -- it's our way of automating, finding a needle in the haystack, which we spend a lot of time doing every single day. So that's a long-winded answer, but bottom line, Mandiant Advantage provides a lot of greenfield opportunities for us.

I don't think anything like this has existed in the past because no company's done the work to have the intel, international collections capability, frontline expertise, and then the A-on machine learning.

Brian Essex -- Goldman Sachs

Got it. That's super helpful. Maybe just a follow-up. On sales and marketing, maybe, Frank, where are you investing now? And how much is channel versus direct? And how mature is that sales force at this point?

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

So I think the sales and distribution is very mature, but we're investing quite a bit now in areas in brand awareness on the Mandiant Solutions side, on the Mandiant Advantage side. The other thing we're doing is investing more on inside sales because a lot of the conversions and a lot of the pipeline build on Mandiant Advantage can be handled by an inside sales force. So I think we're seeing more leverage there. And a lot of the work that Bryan has been working with the team on the product side is really to help usability, helping the products easily demo and easily deploy, which will ultimately help our channel leverage.

Brian Essex -- Goldman Sachs

Got it. Thank you very much, guys. I appreciate it.

Kevin Mandia -- Chief Executive Officer

Thanks, Brian.

Operator

Thank you. Our next question comes from Erik Suppiger with JMP Securities. You may proceed with your question.

Erik Suppiger -- JMP Securities -- Analyst

Yes. Thanks for taking the question. On the Mandiant Advantage, can you talk a little bit about ways that you're easing that into the customer base? Have you looked at using a freemium model? Or how quickly is that then? Is that easily integrated into the customers' environment?

Kevin Mandia -- Chief Executive Officer

Right now, there is a freemium model that we have out there, and thousands of folks have taken advantage of that. At the same time frame, all our current threat intelligence customers have been moved on to Mandiant Advantage. We only just added the validation and the automated defense so that now with a single credential, our customers can see the unity and the true integration between all three of these modules in the platform. But that's how we've done it to date, converted our hundreds of threat intelligence customers to it, and then we have a freemium model.

And obviously, our enterprise sales folks, we just had our second sales kickoff this year. It was actually last week. Because it's cloud-based software, we updated a heck of a lot faster, a couple of updates every single week, even more than that sometimes, so we have to do more sales kickoff. So we just continue to enable the team on more than a quarterly basis.

So, Frank, you want to add to that?

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

No. I mean, it's definitely a focus area for us. It's also something that we've spent more marketing dollars on because we are seeing a really nice pipeline build and really starting to see a nice conversion.

Erik Suppiger -- JMP Securities -- Analyst

And does that service lend itself more to a channel sale?

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

Yes. I think one of the things that we really, when we were creating Mandiant Advantage, was really focused on making it something that can easily be deployed, easily be demoed, and easily be purchased and purchase modules within Mandiant Advantage. So we've really worked on kind of that usability and the ease of use and ease of kind of purchasing, and I think that fits the channel really well.

Erik Suppiger -- JMP Securities -- Analyst

Very good. Thank you.

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

Thanks, Erik.

Kevin Mandia -- Chief Executive Officer

Thank you.

Operator

Thank you. Our next question comes from Hamza Fodderwala with Morgan Stanley. You may proceed with your question.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Hey, guys. Good evening, and thank you for taking my question. Just two questions on Mandiant Advantage and now automated defense. Curious, for starters, how do you see that potentially perhaps cannibalizing kind of what was built initially vis-a-vis Helix? Like are Helix customers, do you think, over time going to be converted toward the Mandiant Automated Defense? I think that a lot of the use cases seem somewhat similar and feel it's going to be more of a data lake that's going to underlie what you guys have here.

I'm just curious on that.

Kevin Mandia -- Chief Executive Officer

Yes. Yes, there will be an evolution there because Helix is a SIEM with a ton of correlation rules and analytics. So over -- what you'll see is there's humans that maintain that. We do that, though.

When you get Helix, you get our rules. You get our analytics. You get our expertise there. The difference is actually in how we provide the minimization of trillions of alerts down to actionable alerts and events, is that we're using models in Mandiant Advantage with automated defense.

So to some extent, there's overlap. If you have great correlation rules, you have a mature SOC, you have 15 people maintaining your SIEM, you may get the same outcome that you might get from a trained system. But we do believe, over time, Mandiant Advantage with models in it and the fact that we're creating software that can think and learn is that that's going to overtake the human skills required to maintain those systems. So that's one of the big differences, just how we go about minimizing all the alert and volumes of alert data down to here's the threats that you got to pay attention to.

And then the second thing is Helix has the data repository and you nailed it. It stores the data. It's got common event format rules, and it is a SIEM. Whereas Mandiant Advantage is a sidecar to SIEM, and it has to work with many SIEMs.

But it's applying the IP that is our expertise and our intelligence but is doing it in a different way than how Helix does it. So there will be -- depending on the customer. A customer may buy Helix, get everything we ship with it and be happy with that. But they'll have to maintain some of their own correlation rules or they can plug as a sidecar the Mandiant Advantage and get the rules and the minimization automated over time.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Got it. And then just on the automated response front, just from a -- I mean, as far as the market stands today with sort of these XDR solutions, how much do you think can actually be automated by software? I mean I think like our own security team is not looking for sort of one-click type automation. And so I'm curious about what you think about and kind of where Mandiant comes in from the services side.

Kevin Mandia -- Chief Executive Officer

Yes. I'll start with this. First, nobody cares how you provide the outcome as long as you provide it. Right? So I would say a lot of people that I talked to they wish they had Mandiant experts sitting in their SOC and staring at every alert.

We can't offer that. That doesn't scale. But one thing we can do is create a system that learns, it thinks, and it can do the minimization as if it was us. Can it do it as well as a human? Probably not.

Can it do it a lot faster? Absolutely. And in some use cases, it'll do it better than humans. Right? But I liken it kind of at this stage in security, it's similar to pilots are still on the plane even though the plane can take off and land itself. To some extent, I see us go into market with Automated Defense.

But I like the idea. And we do this today by the way, in all our products. Whether you have our network product, our endpoint product or email security product or automated defense, we've got a team of experts, our advanced practices folks mining all that data all the time to see did we miss anything. Is there anything there? And we're going through all the metadata that we collect to make sure our customers are safeguarded.

And thank you for giving me an opportunity to market that because we never actually talk about it. But we have some of the smartest security professionals on the planet constantly safeguarding our customers that have bought our products. And they don't even know, when they purchase our products, that there's human intelligence behind it as well as a backstop. So I see, over the next few years, when you're training systems, it'll be just like the airline industry.

I think I want our experts to make sure and constantly test and train to make sure we know the efficacy and boundaries of our software. And we've learned a lot of lessons along the way, but that's what I would want to buy, is the outcome of saying, if I've got Mandiant Automated Defense, regardless of how we deliver it, even -- whether we deliver 99% tech or 92% tech, but it'll be a lot of tech, I would just want the outcome that I feel safe, and that's what we want to provide.

Hamza Fodderwala -- Morgan Stanley -- Analyst

All right. That's super helpful. Thank you.

Kevin Mandia -- Chief Executive Officer

Thanks, Hamza.

Operator

Thank you. [Operator instructions] Our next question comes from Saket Kalia with Barclays. You may proceed with your question.

Saket Kalia -- Barclays Investment Bank -- Analyst

Great. Hey, guys. Thanks for taking my questions here.

Kevin Mandia -- Chief Executive Officer

Sure.

Saket Kalia -- Barclays Investment Bank -- Analyst

Kevin, maybe for you. For those threat intel customers that have now moved to Mandiant Advantage --

Kevin Mandia -- Chief Executive Officer

Right.

Saket Kalia -- Barclays Investment Bank -- Analyst

Is the additional sales opportunity, from your perspective, for those customers to maybe cross-sell them something like security validation? Or once they move to Mandiant Advantage, is it that they can receive additional flavors of threat intel to kind of segment that price point? Does that make sense in terms of kind of that opportunity with the threat intel base?

Kevin Mandia -- Chief Executive Officer

Yes. There's probably not one size fits all, but here's how -- I'm a security guy first and foremost. Why do I want intel? Either to stop something from happening or see if it could happen, those two things. And that's how it gets into my operations.

And so it's either -- and the third would be to anticipate. Right? So I think with Mandiant Advantage, if I'm sitting in a SOC and I've got our intel being applied to our data right away -- and again, it gives the heads-up display. So when I'm looking at alerts in my SIEM with Mandiant Advantage and the plug-in that we've got with it, you're getting like a cockpit display like we got in the Air Force, where fighter pilots literally get the situational awareness displayed right in front of their face. We do that.

Here's what we know based on that IP address, this 75.sub. Here's additional data you can drill down on. And we want to make sure you don't have to Google when you're responding to an alert. It's all just presented to you, not just our intel but open-source intel as well.

So that's what we provide. But a great pivot would be you're going through your log files as an operator. Do I currently have the problem? Am I currently compromised, yes or no, is question number one you want to answer with intel. When you're done with that, let's say you're not compromised, you don't have a fire to put out, there's no smoke on your network, I would pivot to could I be.

How well does this work? And Chris Key and the team has delivered that. Within the last week, we actually GA-ed it and we have the ability now that just goes straight from, "Oh, thank God I don't have that problem. But you know what, could I? Let's run a couple of tests and see how we're doing." So that's a great logical -- and that's an upsell right in the software itself. In fact, our account managers, I'm sure, are going to mention it, and we've trained everybody to see the relationships between it.

But if you want to have an intel-driven SOC, again, you drive -- you want intel to stop things from happening, to detect if something's happened, and then test if it's possible. Could it even happen in the first place? And that's -- we're linking all those decision points into the software.

Saket Kalia -- Barclays Investment Bank -- Analyst

Got it. That makes a ton of sense. Frank, maybe for a quick follow-up for you, for some of that product and related ARR, I mean just to the earlier point made, I mean we've certainly seen the transformation. But as you think about that product and related ARR, we call it that three- to five-year kind of -- I'm sorry, 3% to 5% kind of year-on-year decline.

The question is how much of that is from sort of natural churn that you would expect versus customers opting for a cloud form factor that's in that platform line? Does that make sense?

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

Yes. It's a mix of both. So especially on the email and endpoint side, you do have customers migrating from on-prem to cloud. On the network side, we don't have as much of that migration.

So on the network side, if ARR is going down, it's related to kind of the smaller customer churn that's there. But it is a mix of both. I would say the migration isn't right now a huge factor to it. But going forward, obviously, that could accelerate.

But then again, we'd get the upside on the platform cloud bucket if that did happen.

Saket Kalia -- Barclays Investment Bank -- Analyst

Got it. Got it. Guys, thanks a lot for squeezing me in here.

Kevin Mandia -- Chief Executive Officer

Thank you, Saket. Appreciate it.

Operator

And I'm not showing any further questions at this time. I would now like to turn the call back over to Kevin Mandia for any further remarks.

Kevin Mandia -- Chief Executive Officer

I'd like to thank everybody for attending. I want to congratulate the FireEye team for a great first quarter. We've never been more relevant or more needed in cybersecurity. So I want to thank the teams that have been on the front lines finding the zero days and protecting our customers as well as organizations that aren't our customers.

So with that, I want to thank everybody. I look forward to speaking to you in 90 days with another update. Take care now.

Operator

[Operator signoff]

Duration: 52 minutes

Call participants:

Kate Patterson -- Investor Relations

Kevin Mandia -- Chief Executive Officer

Frank Verdecanna -- Executive Vice President, Chief Financial officer, and Chief Accounting Officer

Jackson Ader -- J.P. Morgan -- Analyst

Fatima Boolani -- UBS -- Analyst

Brian Essex -- Goldman Sachs

Erik Suppiger -- JMP Securities -- Analyst

Hamza Fodderwala -- Morgan Stanley -- Analyst

Saket Kalia -- Barclays Investment Bank -- Analyst
