Mandiant, Inc.


Q3 2016 · Earnings Call Transcript

Nov 4, 2016


Operator

Good day, everyone, and welcome to the FireEye Third Quarter 2016 Earnings Results Conference Call. This call is being recorded.

With us today from the company is Chief Executive Officer, Kevin Mandia; Chief Financial Officer and Chief Operating Officer, Mike Berry; and Vice President of Investor Relations, Kate Patterson. At this time, I would like to turn the call over to Kate Patterson.

Please go ahead.

Kate Patterson

Thank you, Candice. Good afternoon, and thank everyone on the call for joining us today to discuss FireEye's financial results for the third quarter of 2016.

This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's Chief Executive Officer; and Mike Berry, Executive Vice President, Chief Financial Officer, and Chief Operating Officer of FireEye.

After the market close, FireEye issued a press release announcing the results for the third quarter of 2016. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectations for certain financial results and metrics; FireEye's priorities, initiatives, plans and investments; FireEye's path to profitability; the expansion of FireEye's platform and the capabilities and availability of new and enhanced offerings, and growth drivers, and market opportunities.

These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future.

And we undertake no obligation to update these statements after the call. For a detailed description of the risks and uncertainties, please refer to our SEC filings, as well as our earnings release posted a few moments ago.

Copies of these documents may be obtained from the SEC or by visiting the Investor Relations section of our website. Additionally, certain non-GAAP financial measures will be discussed on this call.

We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in the Investor Relations section of the website as well as the earnings release. Finally, I'd also like to point out that we have posted the presentation we are showing in this webcast on the Investor Relations section of the website, where you'll find detailed results on the third quarter and fourth quarter and 2016 guidance.

With that, I'll turn the call over to Kevin.

Kevin R. Mandia

Thank you, Kate, and thank you to everyone joining us today on my first full earnings call as CEO. There are two points I want to relate to us today.

First, I'm pleased to report that we're able to accomplish what we set out to do in the third quarter. We delivered financial results that exceeded our guidance ranges on all key metrics, and we remained focused on balanced growth and our path to profitability.

I want to first thank all the employees for their hard work and heads-down execution of our mission to relentlessly protect our customers. And I'm extremely proud of the way we operated through the distractions of our restructuring in Q3 and changes in sales leadership to deliver the results we did.

Speaking of which, I know many of you are wondering about this, and I can tell you that we are in the very last stages of our process and hope to announce a new head of worldwide sales later this month. I also want to thank all our customers and partners.

And I'm humbled by the fact that so many of the biggest and best companies in the world trust FireEye to help them to secure the most valuable assets. We take our missions seriously, and we are committed to the trust of relationships we've worked hard to garner with our customers and our partners.

And second, we delivered important enhancements to our platform and laid the foundations for FireEye's future. And I believe FireEye knows more about what cyber attackers are doing than anyone else, and our platform now protects our customers from these attackers in the cloud, on-premise, or both.

And I'll speak more about our platform in a few minutes, but I invite each of you to come see our platform for yourselves at our Cyber Defense Summit in Washington, D.C. in late November when we demo the product.

Now taking these two points in order, let me first turn to our financial results of Q3. We exceeded our guidance ranges across all our key metrics.

Billings came in at $215.4 million, above our guidance range of $200 million to $215 million, and revenue was $186.4 million, above our guidance of $180 million to $186 million. With our continued focus on cost optimization and productivity, we reduced our non-GAAP operating expenses by more than $12 million from Q2 sequentially and delivered the best operating margin in the history of FireEye.

The decline in our total non-GAAP costs allowed us to deliver earnings per share that was $0.13 better than the midpoint of our guidance of negative $0.30 to negative $0.32. And we also generated $14 million in operating cash flow.

And we remain committed to our goal of balancing growth with profitability. And I'm convinced that our renewed discipline and improved efficiency have helped us clarify our mission and enabled us to prioritize our innovation to maximize our future growth opportunities.

And our customers seem to agree. 47 customers spent more than $1 million with us during the quarter across a broad range of industries and across the globe compared with 34 $1 million transactions in Q3 of 2015.

We closed our first-ever seven-figure deal for FireEye Security Orchestrator or FSO and two of our top five transactions were for subscriptions to our FireEye iSIGHT threat intelligence. In total, we added 287 new logo customers in the quarter, including customers in the financial services, heavy industry, healthcare, retail, education as well as government and law enforcement agencies around the world.

New logo adds were especially strong in the Asia-Pacific and Middle East regions, where the market for our advanced security solutions is just beginning to take off. Moving on to my second point, delivering important enhancements and laying the foundation for FireEye's future.

Let me start by going back to our Q2 earnings call. And during that call, I focused on three key product areas: the next evolution of our MVX analysis engine; our endpoint technology and FireEye as a Service or FaaS.

We made great progress on each of these during the third quarter. First, I'm pleased to announce that we fulfilled the first phase of our MVX separation efforts and released the MVX Smart Grid.

This is the private cloud version of our MVX analysis engine. And as a reminder, MVX separation refers to us splitting the two primary functions of our MVX analysis, the network sensor and our MVX analysis engine, into two separate components, and this allows us to deliver our capability from the cloud or on-premise with hardware, software and virtual form factors.

The primary market for the MVX Smart Grid is customers and industries that choose not to move their private data to the public cloud, due to privacy concerns or regulations. And these are industries such as the financial services, government agencies, healthcare and other regulated industries.

Now for these customers, the separation of MVX can dramatically increase throughput, simplify our security architecture, and reduce operational overhead. And it also leverages existing training and expertise on FireEye's technology and it protects the customers' investments in our appliances.

And for example, we had an existing NX and EX customer, who was at capacity with its existing security infrastructure. And after an extensive evaluation process, this financial institution committed to the FireEye platform for multiple years.

They purchased MVX Smart Grid and additional Smart Nodes, and are repurposing their existing appliances in a new architecture that improves performance while decreasing the number of data centers they have. And this was a conservative financial service, and they moved directly from our beta program into their production environment.

The next phase of our separated MVX product roadmap on track for a November release delivers MVX analysis in the public cloud on a subscription basis, and we call this release our Cloud MVX. Without the added cost of the appliance, we will be able to offer Cloud MVX at compelling price points which will allow existing customers to deploy FireEye more broadly, and open additional market segments to us.

Now I've always believed mid-market customers want the same advanced security protection as large enterprises. But until now the price differential between FireEye and the check the box alternatives have put our best of breed detection analysis out of reach.

With Cloud MVX that is no longer the case. Second, we delivered a series of innovations related to our endpoint software.

Now HX is our advanced detection system on the endpoint. And HX raises the alarm when it sees a threat and enables proactive hunting for Indicators of Compromise when legacy technologies fail.

Over the past two years, we have enabled HX to correlate threat intelligence and alerts, creating a holistic view of threat activity in an organization. And we have also added key innovations such as rapid enterprise search and exploit detection to the platform.

The result is a differentiated endpoint agent with all the intelligence required for real-time malware detection combined with the investigative capabilities of our agent. Now HX is a field-tested technology with nearly 10 million agents deployed with our customers.

It is already a key enabling technology for both FireEye as a Service and our Incident Response practice. Over the course of the next six months, we plan to add broad malware detection and prevention capabilities to the agent including legacy AV to HX.

We also plan to add attack remediation, and will offer HX for Macs beginning in Q1 with support for Linux to follow. We believe the endpoint market is ready for disruption, and we are poised to be that disrupter.

And third, we made improvements to FireEye as a Service to deliver more value to its customers. The talent shortage is real, and I see the need for FireEye as a Service every day when I visit customers.

We added many important FaaS customers this quarter, but we believe FaaS can and should perform better going forward. And to that end, we expanded FaaS to apply our threat intelligence and analytics to all alerts our customers receive, not just alerts from FireEye's technology stack.

Second, we've added new dashboards to FaaS to provide better transparency into the alerts process, the attacks blocked, the investigations completed, and other hunting activities to make FaaS a virtual extension of our customer's security teams. And we've reduced pricing, as we've become more efficient, which should make FaaS accessible to more organizations.

And I believe FaaS has the potential to be a very large piece of our business with a standardized technology stack built on Cloud MVX, TAP and HX, we will be able to deploy at the speed of software, and begin provisioning protection for our customers within hours without disrupting their existing operations. Now that's a high level update on some of the most important enhancements we delivered.

And now, I would like to discuss how FireEye's capabilities in technology are all coming together into one powerful platform that lays the foundation for FireEye's future. When I visit CSOs, they tell me they have three goals for their organizations.

In addition to protecting their assets, they want to simplify their security operations, integrate all the security point products they've purchased, and they want to automate countermeasures. Let's talk about each of these three goals and how FireEye can help these organizations meet them.

First, you cannot streamline the alert to fix process without high fidelity alerts and without the intelligence context that guides people's response. No organization can automate a defensive process that depends on alerts that are unreliable, inconsistent and distracting.

This is the value FireEye's MVX analysis engine provides. With machine learning, built-in analytics and real-time detection, MVX delivers the high fidelity alerts and integrated threat intelligence required to automate responses with confidence.

And as I mentioned earlier, we now have MVX's powerful signature-less based detection and analysis capability available in the cloud, on the network, and at the endpoint. Second, integration is essential.

FireEye Threat Analytics Platform consumes and reports on alerts from FireEye and other third-party security products in a single cloud-based interface. This is more than just getting all alerts into one place.

Instead, it's about overlaying those alerts with our intelligence, so that our customers instantly know what we know through our nearly 1,000 incident responders, malware researchers, intel analysts, and security consultants. TAP can prioritize alerts.

It can correlate across network and endpoint that provides intelligent context in line and even detects non-malware-based threats so that security analysts never have to swivel out of that interface. And finally, FireEye Security Orchestrator automates and orchestrates the investigation and response process across the entire security infrastructure.

We deliver remediation playbooks reflecting best practices derived from close to 200,000 hours of incident response and remediation we perform every year. Orchestration allows us to reduce the alert to fix window for our customers, while simultaneously eliminating error-prone manual processes that our customers were using before they purchased FireEye Security Orchestrator.

And our confidence in this approach was reinforced by a government agency that made a seven-figure purchase of FSO or FireEye Security Orchestrator during the quarter. To understand the future of FireEye, it is helpful to understand our roots, and our DNA, if you will.

I founded Mandiant in February of 2004, the same month Ashar Aziz founded FireEye, and both of us were committed to replacing the legacy, ineffective security technology stack through innovation. Ashar understood that high fidelity detection was a prerequisite for effective security operations.

And as a result, Ashar focused on using virtualization combined with machine learning and behavioral models to detect what legacy technologies could not. I approached innovation by learning what the market needs, when Mandiant performed breach investigations and remediation.

FireEye's vision for the future builds on the DNA of the early innovations of both of these companies, and we're bringing them into one platform. Now responding to breaches is strategically important.

It's how we know what works for the security of our customers and, perhaps just as importantly, what doesn't work. We routinely get the front row seat on how the best attackers circumvent current security safeguards and evade detection. We in turn innovate to solve those challenges.

The next evolution of FireEye is exciting for me since I believe after all my years of battling the adversaries that we can make a huge difference for the good guys and not just for large enterprises, but for organizations of every size in every region. As our platform becomes more open, and our cloud-based solutions make us more accessible to midmarket customers, our VAR and strategic partners will play a much larger role.

We are focused on developing these go-to-market channels and making it easier to do business with us. This will extend our reach and support continued progress on our path to profitability.

With our recent innovations and those plans to come over the next few quarters, customers will have the flexibility to deploy the FireEye platform on premise, in the cloud, or a hybrid of the two. They can manage it themselves, if they have the in-house expertise to do so, or they can choose to have it managed by our partner or by FireEye through FireEye as a Service.

Either way, the customer will have one click access to our expertise in our threat intelligence. It's like adding nearly 1,000 experts to your security operations when you need them.

I would like to reiterate my invitation to each of you to join us at FireEye Cyber Defense Summit in Washington, D.C. later in November, where we will demo this end-to-end platform.

I will turn the call over to Mike to discuss the details of our financial performance and walk you through our guidance for the rest of the year. Mike?

Michael J. Berry

Great. Thank you, Kevin.

Good afternoon, everyone on the call. On today's call, I will provide some additional color on our third quarter financial results, review the impact of the restructuring plan that we completed during the third quarter, provide additional commentary on the financial implications of our new platform and products that Kevin discussed in his section, especially as it relates to our continued focus on supporting our customers' move to the cloud.

And I will wrap up with our guidance for the fourth quarter and some preliminary commentary on 2017. As usual, when discussing our gross margin, expenses, operating income, operating margin and EPS amounts, I will be referring to the non-GAAP measures.

I'm very happy to start by reiterating Kevin's comment that we were quite pleased with the financial results particularly given all of the distractions in the quarter. We did better than our guidance ranges for all of our key financial metrics, including billings, revenue, operating income, EPS and cash flow from operations.

I believe you'll see it was a pretty straightforward quarter from a financial perspective. Billings finished at $215.4 million a year-over-year increase of 2% and 11% on a year-to-date basis for the third quarter.

Platform billings increased by 1% on a year-over-year basis. Inside of our platform billings, product billings declined by 20% in the third quarter and product subscription billings grew by 16% year-over-year.

The growth in product subscriptions was mainly driven by strong renewals and upsell as we saw a year-over-year growth in our subscription billings for all of our major appliance products: network, email and endpoint. This is the power of our subscription heavy model and highlights the continued success of our cross-sell and upsell focus.

Even with product billings down by 17% on a year-to-date basis, our TAP subscription billings have grown by double-digit rates over the same period. Our metrics continue to highlight our leadership with enterprise class customers as we view success in the market as further confidence in FireEye's products from the most sophisticated security buyers in the world.

This is really illustrated by the increase in the number of customers spending more than $1 million with us, which was up from 34 to 47 on a year-over-year basis. Our multi-product attach rates continue to be strong, as 41 customers of the 47 customers purchased more than one product and 29 customers included more than two products.

Although we added fewer new customers this quarter than in the second quarter, total transactions increased by 11%, as existing customers expanded their deployments and added additional security products. We have talked a lot in the past few quarters about the continued growth in our transactions but at a lower average deal size for our larger transactions.

This was also the case in the third quarter as the average deal size for our transactions greater than $1 million was down 11% versus the third quarter 2015 and 14% on a year-to-date basis. Related to this trend, we did not complete any transactions greater than $10 million in the third quarter 2016.

Lastly, our total average contract length stayed consistent at 27 months and our customer renewal rate stayed at 90%. Our subscription and support billings performance resulted in a $29 million increase in deferred revenue from June 30.

On a year-over-year basis, total deferred revenue increased by 36% or $162 million to $616 million. Total revenue finished at $186.4 million, a year-over-year growth rate of 13% for the third quarter and 21% on a year-to-date basis.

Similar to billings, product revenue and professional services revenue were consistent with our expectations. Product subscription revenue growth of 51% and support revenue growth of 38%, reflected a strong growth in deferred revenue we posted in prior quarters as our model shifts to a higher mix of subscriptions.

Recurring subscriptions and support accounted for 61% of total revenue in the third quarter and on a year-to-date basis. Let's discuss some of the sales trends for the third quarter.

We saw very strong growth in our e-mail solutions, both the EX email appliances, and ETP or cloud email offering. Total email platform billings grew on a year-over-year basis by a healthy double-digit growth rate and this was the first time in several quarters that we saw a year-over-year increase in our EX platform billings.

We believe this trend is due in part to the increase in ransomware attacks, but also because of the high-level of detection and product efficacy that we have built into our email solutions, as well as correlation across our other products. iSIGHT threat intelligence also had a strong quarter in both renewals and new logo business and we saw the first multimillion dollar deal for our new FireEye Security Orchestrator or FSO.

Our network product or NX came in very close to our expectations, and on a year-to-date basis, the platform revenue per NX is basically flat versus 2015. On the other end of the spectrum, we had a slower than expected quarter in billings from FireEye as a Service.

Kevin walked you through the changes we have made to the FaaS offering. These changes combined with more competitive pricing enabled by continued cost reductions make us optimistic that FaaS will be a driver of billings growth as we go through 2017.

This is a growing market within security and we are focused on increasing our share of this market. We have been asked many times about how the movement to cloud will impact FireEye.

Kevin gave you a great summary of how the product roadmap is evolving to respond to these changes in the market. But I want to make sure and highlight we already have a big cloud business within FireEye and this bodes well for our business model as we continue to introduce new cloud offerings.

We define cloud revenue as revenue generated from our products that are either delivered to the customer through the cloud or are deployed by customers in the cloud. This includes our TAP subscriptions of DTI and URL/Attach, as well as iSIGHT, ETP, MTP and TAP.

The revenue for these cloud products was over $60 million in the third quarter or approximately $250 million on an annualized basis. These cloud-based products grew by 67% on a year-over-year basis for the third quarter.

Okay. Now, let's move on to our cost structure.

Our cost of goods sold came in a little better than we expected with product margins finishing at 70% and subscription and services gross margins at 75%. As strong as our gross margin performance was, the big story in the third quarter was our lower-than-expected operating expenses.

Total operating expenses finished at $163.8 million, which was well below our implied guidance and 6% or more than $10 million below the same measure for the third quarter of 2015. This reduction is even more impressive when you consider the added expenses of the iSIGHT and Invotas acquisitions, which both closed in the first quarter of 2016.

We have been saying all year that we are serious about our path to profitability, and we're pleased to see that the hard work of everyone at FireEye is starting to pay dividends. I want to thank all of the employees who have implemented many efficiency and productivity enhancements.

When we began the process of cost optimization in the first quarter, we told you we plan to take $35 million in annual cost out of the business. Last quarter, when we adjusted our 2016 outlook, we committed to cutting an additional $80 million in annual cost for a total reduction of at least $150 million.

We completed the second cost restructuring during the third quarter reducing cost across virtually all of the discretionary expense buckets including T&E, outside services, facilities, and other expenses. Additionally, we reduced our head count by approximately 350 people, the large majority of which were full-time employees.

Excluding the employees who have exit dates into the fourth quarter relating to notice periods, we ended the third quarter with total head count of 3,025. We estimate the year-to-date restructuring activities have reduced the annualized run rate of expenses by over $119 million compared with the first quarter 2016.

To illustrate this achievement, if we compare the total cost of goods sold and operating expenses implied by our original 2016 guidance to our revised 2016 guidance of approximately $892 million, we've reduced our projected 2016 expenses by more than $125 million. Importantly, we have achieved this reduction in spending, while continuing to invest in new products and innovations that will drive our future growth.

Our higher than expected revenue results and much lower-than-expected expenses resulted in an operating loss of $26.6 million or negative 14% of revenue versus the midpoint of our guidance range of negative 26% of revenue. This is the best operating margin in our history.

This translates to a decrease in operating losses of approximately $22 million on a sequential basis versus second quarter 2016. This resulted in a net loss per share of $0.18 versus our guidance range of $0.30 to $0.32 and a net loss per share of $0.37 in the third quarter 2015.

Let's spend a few minutes on our third quarter cash flow results, which were also quite a bit better than our expectations, and you can tell my voice rises because I get excited about this part. We generated positive cash flow from operations of $14.1 million and free cash flow of $7.2 million in the third quarter 2016.

As I mentioned on the last few earnings calls, it is difficult to forecast cash flow results on a quarterly basis mainly due to the timing of collections. Our third quarter illustrated this change in a big way.

Based on our billings forecast, we had expected to collect $190 million in the quarter. We actually collected $216 million.

Add to this, the lower-than-expected expenses, and third quarter operating cash flow came in $30 million better than our expectations. The strong collections performance resulted in a quarter-end receivables balance of $124 million, flat with the receivables balance as of June 30.

Days sales outstanding, as measured by billings, of 53 days was the lowest DSO metric since the first quarter 2013. Before moving on to our guidance for the fourth quarter, I would like to include some commentary on the financial implications of what Kevin discussed related to our new offerings.

We completed two transactions for our new MVX Smart Grid private cloud offering. This was a great start as we continue to expand our product offerings to multiple form factors that will support our customers in either private, hybrid, or public cloud deployment.

Very importantly, the MVX Smart Grid architecture also provides our customers with a clear path to expanding their FireEye footprint by leveraging existing investments and offering additional functionality. We expect this private cloud offering to appeal to large organizations, both existing and new customers, particularly those in regulated industries with strict data privacy requirements.

We believe the compelling value and investment protection in this offering will increase the lifetime value of these customers. In the second phase of the new MVX product rollout scheduled this month, we will begin offering Cloud MVX as a subscription.

Cloud MVX and the virtual Smart Nodes will show up in our product subscription billings and revenue lines, similar to our cloud e-mail product, ETP. While it will take some time for us to build pipeline and ramp sales, the availability of Cloud MVX and the virtual Smart Nodes is one of the reasons we expect growth to pick up in 2017.

It is also one of the reasons we expect subscription billings and revenue to increase as a percent of the total platform mix and our cloud solutions to be a larger percentage of our business. Okay.

Let's move on to our guidance for the fourth quarter 2016. I'll spend a little bit more time on this topic as I want to be very clear on our thought process for the fourth quarter and updated 2016 guidance.

Even with all the distractions, we are pleased to have exceeded all of our guidance ranges in the third quarter. When we gave guidance in August for the second half of 2016, we noted that the biggest area of variability was related to the impact of the restructuring and how long it would take for the company to work through these changes.

As we look into the fourth quarter, we have made great progress as a company working through the restructuring, reducing expenses more than anticipated, and as a result, we are improving our full year 2016 operating margin, EPS, and cash flow guidance. But we still have some work to do related to the original restructuring.

Therefore we're going to lower our full year 2016 billings and revenue guidance ranges by a small amount. However, this does not mean we feel less optimistic about our business, especially as we come off a third quarter where we exceeded the high-end of our range.

We are simply being prudent, given that our new worldwide leader of sales has not yet started. We do not have a permanent EMEA sales leader, and we will likely have continued distractions across our go-to-market groups.

Additionally, we had higher than expected attrition in our EMEA region post the restructuring, and that is likely to have a negative impact on the fourth quarter results. I do want to note, and underline this, that the existing EMEA team is doing a great job dealing with all the distractions.

We just have a lower sales capacity than originally anticipated. All right, let's go into each one of these in more detail.

First on billings, we are reducing our 2016 full-year billings target by about $7 million at the midpoint. While our interim and existing sales leadership teams did a great job in the third quarter and we are confident they will continue to execute in the fourth quarter, we want to make sure and incorporate any changes in our assumptions since our last earnings call.

For revenue, we currently expect a combination of our recurring subscription and support revenue to continue to show strong growth in the fourth quarter with an expected increase of 36% to 39% on a year-over-year basis and professional services revenue to be sequentially flat from the third quarter, reflecting fewer billable days due to the holidays. The swing factor for revenue is related to our forecast for product revenue as the shift of subscription in cloud products continues.

As such, product revenue for the fourth quarter is expected to decline by approximately 35% on a year-over-year basis. Switching to the bottom-line view, we expect operating leverage will continue to improve in the fourth quarter.

Based on this continued focus, we are improving our full-year net loss per share guidance by $0.15 at the midpoint to $1.14 to $1.16. Lastly, as it relates to cash flow from operations, I discussed earlier that we significantly exceeded our collections forecast in the third quarter, largely as a result of higher than expected collections of in-quarter billings.

As a result, we expect cash flow from operations in the fourth quarter to be between negative $19 million and negative $29 million, which includes approximately $10 million in payments associated with our restructuring programs. This implies cash flow from operations at the midpoint of negative $46 million for 2016, an improvement in the 2016 cash flow guidance that we provided on our last call.

Importantly, the full year 2016 cash flow guidance includes total cash payments associated with our 2016 restructuring program of $22 million. $22 million is the full year number.

Please keep in mind that the final cash collections will have a large impact on this number. Lastly, on cash flow, please take a look at slide number 27 in the financial presentation as this includes a nice detailed breakdown of our cash flow from operations and the impact of what we view as one-time events for 2016.

Okay. With that said, let's recap the guidance expectations for the fourth quarter.

We currently expect billings to be between $230 million and $250 million. We currently expect total revenue to be between $187 million and $193 million.

We currently expect gross margins of approximately 74%. For operating expenses, we are forecasting that the impact of the restructuring will be fully realized, but will be partially offset by an increase in commissions and other seasonal expenses.

We are forecasting total operating expenses of between $162 million and $164 million, which yields operating margins between negative 11% and negative 13%. All of this adds up to a net loss per share of $0.16 to $0.18, assuming approximately 167 million shares outstanding.

As I mentioned earlier, we expected reported cash flow from operations between negative $19 million and negative $29 million, which includes approximately $10 million of cash payments in the fourth quarter from our restructuring programs. As with previous years, we are planning to provide our guidance for 2017 on our fourth quarter earnings call tentatively planned for early February, but I do want to provide some early thoughts as you build your models.

We expect the current downward trend in product appliance sales to continue as customers increasingly choose cloud-based solutions over appliances. While we are excited about the MVX private cloud solution and ability to cross and up-sell this into our existing customer base, similar to the transition we've been going through in e-mail from EX to ETP, we expect an increase in as-a-service offerings in cloud deployments for network security.

As a result, we currently believe product billings and revenue will show a similar negative growth on a percentage basis in 2017 that we have seen in 2016 before moderating as we go into 2018. You will also want to keep in mind historical seasonal patterns.

First quarter billings are typically down about 25% to 30% sequentially and revenue approximately 10%, again sequentially from the fourth quarter. While we are excited about the potential of our new products to reinvigorate growth, it will take time to build pipeline and to begin to close new business.

So we expect to see similar seasonal trends in the first half of 2017 that we saw in 2015 and 2016. That being said, we're optimistic about reinvigorating growth because the most sophisticated customers in the world continue to rely on our technology, intelligence and expertise.

We believe we will continue to expand our footprint with these customers through new sales, cross-sell, and renewal activities. We also expect that our increased threat coverage, new cloud and hybrid form factors and expanded FireEye as a Service offering will make FireEye technology relevant to a broader range of customers.

This is expected to drive new customer acquisition and incremental top-line growth. On a small, but important note, please remember when putting together your models for 2017 that we expect to see a sequential bump, again, sequential bump in expenses from the fourth quarter 2016 versus the first quarter 2017.

We say that again because I may have misspoke. A sequential bump in expenses from the fourth quarter 2016 versus the first quarter 2017.

This is due to several items including merit increases, payroll taxes, our annual sales meeting and increase in marketing events such as RSA and other seasonal increases. Lastly on 2017.

We are standing by our goals of non-GAAP profitability in the fourth quarter 2017 and positive free cash flow for the full year 2017. Additionally, we are planning our next Analyst Day on March 7 in New York, where we'll discuss our specific plans for 2017 in more detail.

A few comments in closing before I turn it over to Q&A. Our third quarter results show we are effectively managing the transition from appliances to cloud and the impact on our growth and financial results.

Our financial and operational performance in the third quarter also illustrates the significant progress we have made as a company, and I believe this puts us in a stronger position as we move forward, especially in being able to balance growth and profitability. With new cloud-based solutions and a compelling vision that builds on the DNA and competitive advantages of FireEye, I believe we have a bright future.

Thank you for your time. We'll now turn the call over to the operator for questions.

Operator

Thank you. And our first question comes from Andrew Nowinski of Piper Jaffray.

Your line is now open.

Andrew James Nowinski

Hey, great. Thank you.

Maybe just to start off with a question on, now that Cloud MVX is out in the market, I was wondering if you could possibly outline or rank order the high level growth drivers for 2017 that we should be thinking about?

Michael J. Berry

Hey, Andy. It's Mike Berry.

How are you?

Andrew James Nowinski

I'm great. Thanks.

Michael J. Berry

Good. Yeah.

So, just to clarify, Cloud MVX will be out later this month. So as you look into 2017 the growth drivers that we would look at are similar to the ones that we talked about last quarter, in terms of the MVX private cloud we think will continue to be a growth driver both for new and existing customers, even though FaaS hasn't performed as we would like, we're really excited about that going into 2017, it is the one part of security that continues to grow.

And we think that the changes that we've made, the new pricing will really resonate as well. We continue to be excited about endpoint, HX had a great first half and continues to do well, so we're excited about that going into next year.

Cloud MVX I think, at least initially will be a great driver of new customer acquisitions probably not as much on the billing side because they're likely to be a little bit smaller. Keep in mind from a revenue perspective those will be recognized ratably.

And then the other big driver is one of the things that the sales team has done both our great insight team as well as our reps is to cross-sell and upsell at the time of renewal. We still have a good bit of our customer base, only has one maybe two products.

So we also look at that as a great cross-sell, upsell and a growth driver next year.

Andrew James Nowinski

Got it. And maybe just a quick follow-up on that.

The FireEye as a Service, you said hasn't performed well. I guess, is that a factor of that doesn't alert on third-party products yet or is that going to be expanded due to integrate with other products?

Kevin R. Mandia

Yeah. This is Kevin speaking, Andrew.

And thanks for the question. I think there's a couple of factors there.

One, we were very tightly coupled to our own technology in the past and we're just bringing to the market a more openness and more of an integrated approach. We want people to leverage their prior technology spend, leverage their prior security spend, and we just need to open it up to that and we're just getting our sea legs in the sales motion as we bring that to market.

But I think that's one of the largest factors for it. The FireEye as a Service tightly coupled to our products only, and we've only just increased the aperture to say, you know what, we know more about the bad guys than anybody, give us all your alerts, give us all your events and we'll safeguard you with the knowledge, the analytics and the capabilities we bring to bear.

So we're in the early stages and we just got to keep building pipeline for it.

Andrew James Nowinski

Got it. Thanks.

Operator

Thank you. And our next question comes from Ken Talanian of Evercore ISI.

Your line is now open.

Ken Talanian

Hi, guys. Thanks for taking the question, just curious, you are obviously going for a restructuring, still looking for a head of sales and sounds like still looking for a sales rep for EMEA.

I was curious if you have any thoughts in your initial go-to-market changes as you enter next year?

Kevin R. Mandia

Well, I know, I have a few there, I mean you're always wanting to simplify your selling motion, as FireEye evolved, we have HX, we have EX, we have NX, we have PX, we have all these great products, we need to unify them a little bit better, and have more of a motion, that's a platform motion. When you added inorganically iSIGHT and we added Invotas, and we added nPulse, it takes a little bit of time to assimilate these technologies, integrate them with our stack, and get that sales force used to that selling motion of one platform all things unified, so we're still on that journey, we're accelerating that journey, but I think that's a part of it.

We've got products that are going to market, and some of our folks who are used to FireEye having had one product or two products, and that became their playbook. We got a broad map, we're constantly doing sales, enabling them to do it, but it takes time for that to stick.

Michael J. Berry

The other thing Ken, it's Mike, I would add to that is, one of the things we're excited about Cloud MVX is the potential to increase the amount that's coming through the channel. And so that is a big piece of what we want to do, we did do Essentials earlier in the year, it was okay, it wasn't as great as we would like, so Cloud MVX really driving it through the channel, and getting them back in the FireEye campus is an important initiative for us.

Ken Talanian

And along those lines and I think when you first acquired Mandiant, there's a question as to whether the channel would still be able to embrace your product set, has there been any change in the level of acceptance from the channel, relative to your acquisition of both Mandiant and your launch of Fire as a Service?

Kevin R. Mandia

Yeah. I think this is Kevin speaking.

I mean when I look at the channel, first thing a channel likes is clarity of our policy. And I think, some ambiguity existed right after that Mandiant acquisition as to what services we'd be wanting to do, and what we went direct with or not direct with.

So we worked real hard to make sure we have clarity of process, that our organization works with our channel, works with our partners. We don't go direct, we fulfill through the channel.

And then I looked at, and so how do we increase throughput through there and channel leverage. A lot of it is the process we have working with our channel, and lot of its price.

When you see Cloud MVX, one of the biggest reasons that we're releasing that is it allows us to bring our – what I think is generally accept that it's the best threat detection technology into a price range that vastly opens new markets to us. And so that's why we're doing that.

So it's clarity of how we engage with our partners as well as the product, the process, and the price behind it.

Ken Talanian

Great. Thank you very much.

Michael J. Berry

Just add on to that, I mean we do talk obviously to our partners quite a bit, and at least within the last quarter or so we have gotten feedback that it's not as bad as it was before, that there has been less conflict. So, hopefully those policies continue to drive better awareness within the partner community.

Ken Talanian

Okay. Great.

Thank you.

Kevin R. Mandia

Thank you.

Operator

Thank you. And our next question comes from Walter Pritchard of Citigroup.

Your line is now open.

James E. Fish

Hey, guys. This is actually Jim on for Walter.

Thanks for the questions.

Kevin R. Mandia

Hey, Jim.

Michael J. Berry

Hey, Jim.

James E. Fish

Hey. I guess I think Mike, you kind of went into this little bit, but why have trends seemed a bit better in Q3, did you lower your Q4 guidance here?

Michael J. Berry

Yeah. So Jim, let's go through that.

So, keep in mind that we raised our guidance for operating income EPS and cash flow, so I don't want to lose that part of it. As we look into Q4, when we gave guidance for the rest of 2016, we really looked it at as a second half guidance.

Obviously, we exceeded the midpoint, I'm going to use the midpoint in this explanation by about $8 million, and again we're excited about Q3. As we looked at the pipeline, as we looked at where we stood from a geo perspective, as we looked at the different products and especially and again, the EMEA team is doing a great job of dealing with all the distractions.

I think it's pretty clear that the distractions in the field especially, they're related to some additional attrition, it hurt our sales capacity enough that I wanted to bring it down a little bit, not much, $7 million on a full year basis, but we really needed to take that into account because it's hard for me to sit on a phone with you and give you a number if we don't have the sales capacity to hit it. So that's really what drove it.

And then from a revenue perspective we really tightened the range there and although I gave you pretty clear guidance on what we thought product revenue would be. And as I said in the script, the swing factor there is always product.

And we do our best to try to forecast what we think will come in as a product, might come in is FaaS, might come in as TAP, something else. So we're trying to make sure that we're prudent as it relates to that for Q4.

And everybody knows, Q4 is the biggest quarter of the year.

James E. Fish

Got it. Makes sense.

You used to give out the percentage of unattached billings. Can you give us an update on that?

Kevin R. Mandia

So I give you an update every year at Analyst Day. So you please show up in New York in March.

Here is what I'd say about the percentages and the growth rates is, and I want to underline this a lot. Even with the decline in product billings, the attached subscriptions have grown double digits.

And I made a note in the script to say, it's not just one product. They have grown year-over-year in network, email, and endpoint.

And what that really shows is not only strong renewal rates, but that great cross-sell, upsell traction that we're really getting going on. So that's a good part of it.

iSIGHT did very well and that shows up in unattached. Candidly the issue or the drag on growth in the unattached has been FireEye as a Service.

And that has not grown as fast as we would like. So that gives you some idea, but I think the important metric is attach continues to grow, ETP which is in unattached is having a great year and that had a super quarter as well.

James E. Fish

Got it. Thanks for the time again (51:58).

Kate Patterson

Thanks.

Kevin R. Mandia

Thank you.

Operator

Thank you. And our next question comes from Gur Talpaz of Stifel.

Your line is now open.

Gur Talpaz

Great. Thanks very much for taking my questions.

So can you walk us through some initial customer response here around the MVX Smart Grid and then the forthcoming launch of Cloud MVX? And then taking that one step further here in conjunction with some of your color around 2017.

As you roll out Cloud MVX, would you expect that to eventually subsume any of your deployed appliances or just kind of become a bigger part of the overall piece of the puzzle? Thank you.

Kevin R. Mandia

Yeah. Gur, I'll start with this.

First off, we're releasing Cloud MVX in Q4, so I can only tell you what prospects think of it, but not actual buyers yet because we haven't released it.

Gur Talpaz

I'll take that.

Kevin R. Mandia

Yeah, so in regards – well, I can tell you, then I'll just give you my opinion. But in regards to the on-premise private, it's just the ability of us to do dynamic inspection and incredibly effective detection with low false positives at line speed, that's the biggest advantage to be able to have the throughput we have and do the advanced threat detection we do at line speed is something very few people, if any, can replicate.

It's hard to do. But we can do it on-premise by separating the MVX analysis brain from the sensor, so that's very valuable to be able to do that.

In regards to Cloud MVX, one of the best things about that is other technologies – when I say Cloud MVX, I want everybody to realize, to me that's a cloud-based brain for detection; that's the non-nerdy way of saying it. It has machine learning, it has models for behavior, it has the dynamic inspection that Ashar built years ago that works phenomenally well and has low false positives, high fidelity.

Other products can now leverage it. Our endpoint technology can leverage it and query it, and that MVX analysis engine is phenomenal at saying is this traffic good or bad, or is this file good or bad.

We're going to keep updating it, but when we put it in the cloud, it is more accessible to other technologies we build, so we can provision protection faster with software.

Michael J. Berry

Hey, Gur, it's Mike. And the other thing on your question about the mix, and I know we've chatted a lot with everybody on the phone about this.

Certainly my expectation would be that Cloud MVX will be initially focused on driving new logos. While I do think that there'll be some of our current customer base that will be interested, my expectation is that will be an incremental deployment that they will continue with their existing deployment of either NX or EX or HX.

And if they're looking to expand into a hybrid environment, I would expect the majority of that to be incremental. Hopefully there will be very few issues of where I assume your question is going in terms of cannibalization.

Gur Talpaz

Right.

Michael J. Berry

And so to that point, we will watch it very carefully. I can assure you that we've had multiple discussions, sometimes very heated about the whole cannibalization issue, but we really feel that from the design of the product, the way it's priced, the capacity of it, because we can also limit some of that, that especially in 2017 hopefully very little to no cannibalization.

Kevin R. Mandia

And Gur, just to expound on that, the decision calculus for this for most buyers, actually some of it might be price, but I agree with Mike, it's absolutely new logo add, because the decision calculus is actually going to be risk profile. If you can't put Word documents, PDF documents, and other documents where sometimes there's embedded evil in those documents, out in a public cloud you need to do that on-premise in a private cloud.

So it's been my experience dealing with prospects, it's a risk calculus that drives their buying behavior on this, and for large government agencies and financial institutions and healthcare, they're probably less inclined to farm-out content and documents to a public cloud and they'll opt for a private cloud version of it. But the Cloud MVX just gives us great reach for small geographical locations and more price flexibility.

Kate Patterson

Next question, please.

Operator

And our next question comes from Shaul Eyal of Oppenheimer. Your line is now open.

Shaul Eyal

Thank you. Hi.

Good afternoon, Kevin, Mike and Kate. Congrats on a solid set of results.

I want to start asking about iSIGHT partners. I believe that last quarter you indicated it to be slightly below initial expectations year-to-date.

But I think you've expected it to ramp-up as you move forward. Just want to find out what's the current state of affairs of iSIGHT?

Michael J. Berry

Hey, Shaul. It's Mike.

Yes. What we talked about in Q2 was that they were a little bit short of our expectations but that we fully expected them through Q3 and Q4 to get back and, knock on wood, hopefully even exceed those expectations.

I think Q3 came through exactly as we expected. They did very nicely on renewals.

And keep in mind that similar to our business, a good bit of their business is renewals and that's going to vary a little bit by quarter. As Kevin talked about, two of the largest transactions we did were with iSIGHT.

So they had a very good quarter. We expect that to continue into Q4 because we just get better and better about integrating the message as well as enabling sales, both the iSIGHT sales team as well as the core FireEye team, to cross-sell that.

Kevin R. Mandia

And I'll expand on the current – Shaul, thank you for the questions.

Shaul Eyal

Sure.

Kevin R. Mandia

I get to pump up the current state of affairs for iSIGHT is I think it's an asset that's never going to be replicated outside of government intelligence. It is an amazing advantage for us when our products get an alert that we have folks operating in 30 countries speaking over 13 languages at our disposal to help us understand who might be behind this alert.

Not all threat intelligence is created equal, but when you respond to as many breaches as we do and then you can also leverage a global group or unit or network of threat intelligence analysts to get answers now, you just have more actionable intelligence, more context, and our customers absolutely appreciate it.

Shaul Eyal

Got it. No, that's encouraging.

A follow-up on the competitive landscape. Check Point had a good quarter with their SandBlast, Blade; Palo Alto seems to be doing well; even Fortinet with their subscription, a lot of noise around it.

What's your guys' take, what are you guys seeing there from a competitive perspective?

Kevin R. Mandia

I don't see us as being just competitive with firewall companies. I'd like to open by saying, we respond to a lot of breaches and every one of those breaches is behind a firewall of some brand or another.

We have found that there's a minimum of three fundamental truths in security: people don't have enough people to do it; people are getting too many darn alerts and noise that disrupts their operations; and three, eventually bad guys get in, and half the time, enterprises aren't aware of it until there's some minimal or sometimes maximum impact. So I think that those are firewall companies.

What we try to do is have a sensor grid out there to tell people, here are the alerts that matter. And we try to reduce the total cost of ownership by having high-fidelity alerts for our customers.

So I almost see it as apples to oranges. Yeah, they have these components they call sandboxes, but the MVX engine is much more than a sandbox.

It has machine learning, it has analytics, it has models, it has people that are responding to breaches today, helping us secure our customers from those breaches today. And I'm not familiar with a firewall company that has that pattern of operation.

Shaul Eyal

Fair enough. Thank you.

Good luck.

Michael J. Berry

Thank you.

Operator

Thank you. And our next question comes from Saket Kalia of Barclays.

Your line is now open.

Saket Kalia

Hi, guys. Thanks for taking my questions here.

How are you doing?

Michael J. Berry

Hey, Saket.

Saket Kalia

Hey, Mike. Hey, Kevin.

Kevin R. Mandia

Hi.

Saket Kalia

So I'll just keep to one here just in the interest of time. So not to go back to Cloud MVX, but can you just talk about how the pricing will compare there, quantitatively or qualitatively, leave it to you?

How that pricing is going to compare to some of those good enough firewall solutions. And then what is it that you're going to do differently with Cloud MVX that maybe didn't work as well with FireEye Essentials?

Michael J. Berry

Yeah. Great question.

So, of course, you know I'm going to give you a qualitative answer to the pricing.

Saket Kalia

Of course.

Michael J. Berry

I'm happy to do that.

Kevin R. Mandia

I know my answer.

Michael J. Berry

Yeah. So we have looked at this a lot and here's the very direct answer is that we believe and we continue to believe that our products should have a premium to the market because of the efficacy of our products.

However, that range is going to be a lot less, and we will use Cloud MVX to be much more aggressive. So let me take that one more level down.

It's one thing when you're shipping a box and you have some cost associated with that not only just to develop it but also ship it, support it, all the rest of that stuff. A virtual appliance where you're shipping software, a whole different ball game for us.

So we expect to be much more competitive and we're really going to try to use the channel a lot better and Kevin can jump in. Our Essentials was, again, that was a very good idea, but it was also still you had some of the issues in terms of dealing with FireEye.

We're doing our best to knock those down, but from a pricing perspective we expect to be much, much more competitive with the just good enough.

Kevin R. Mandia

And second, I'll give you my answer, but I'm going to preface it with some bias towards FireEye – yeah, glad you have that there. But the way I've looked at this, I've always felt that at FireEye we are generally accepted as having better detection.

And a lot of other brands are actually recognizing, yeah, we're good enough. And I could use your help in educating everyone out there that even if you have a product that detects 98% of the bad things that happen on the Internet, the asymmetry is such that the 2% they don't detect can infect every darn enterprise on the planet.

So good enough really doesn't help you a lot of the times. And we do spend a lot of effort understanding the attack, threat landscape, and that's why we think it's so important to respond to all the breaches that are circumventing other people's safeguards, so that we can update and respond and get the 2% to 3% that a lot of people miss.

So I need help conveying the value of that because the asymmetry on the Internet seems to be misunderstood by folks.

Saket Kalia

Understood. Thanks a lot for the detail, guys.

Michael J. Berry

Thanks, Saket.

Operator

Thank you. And our next question comes from Melissa Gorham of Morgan Stanley.

Your line is now open.

Hamza Fodderwala

Hi, this is Hamza Fodderwala in for Melissa Gorham. Thanks for taking my questions.

Kevin R. Mandia

Hi, Hamza.

Hamza Fodderwala

Hi. Just a quick question.

Seems like your R&D spend was down quarter-over-quarter along with the sales reorg that you mentioned earlier. What gives you confidence that after this restructuring that the organization is right-sized for the growth opportunities ahead?

Michael J. Berry

So we spend a lot of time obviously when we're doing this to make sure that we check the box on that exact issue. Look, we did the restructuring in Q3, both Kevin and I said it, we want to be one and done.

We did it, we're done, and we're moving on. So we did not want to continue to nip at that issue.

So we believe looking forward into 2017 and 2018 that we did right-size it appropriately. We want to make sure that we have sufficient sales capacity, that we are in the right countries, and we're in the countries that matter that from a R&D perspective that we're investing in the growth opportunities, and all of that went into this process.

So there is a little bit of a crystal ball, but we think that what we did was the right thing and hopefully we've right-sized the organization. I want to underline that doesn't mean that outside of head count reductions, we are not continuing to look at how we run the business.

That's what we get paid to do. And we're looking at everything in terms of making sure that our investments and where we spend money is driving growth.

But we wanted to be one and done and we are comfortable with where we ended up.

Kevin R. Mandia

Yeah. And I would like to expand on that.

So I looked at that and what I've observed is Jason Martin and engineering team having on-time and/or even early releases. So we see that the innovation, in my opinion, has actually accelerated when we have Ramesh operating as well as he has, John Laliberte on endpoint.

We have people just somehow compressing our innovation cycle as we transform our portfolio to having that hybrid and cloud solutions and having – I call it the trends we're trying to adhere to is going from a hardware to software company, on-premise to hybrid and cloud, from closed to more open and integrated, from just advanced threats to all threats, from the fear, uncertainty and doubt type of sale to the total cost of ownership with a platform, and I'm just seeing us innovate and having releases that are even getting moved up sometimes on the calendar. So I feel pretty confident that Jason Martin and the engineering team is delivering.

Hamza Fodderwala

Okay. Just one more quick one, if I may.

What was the strength for the U.S. federal business?

There is another vendor that reported earlier today that mentioned that that segment was strong. And I just want to see how it was for you guys as well?

Thank you.

Michael J. Berry

Yeah. So our federal business, and actually I'll say our public sector business including our SLED business had a very good quarter.

They came in higher than our expectations. And to get both those groups some kudos, they've done a great job on a year-to-date basis, both Fed and our state and local business are above what we expected.

So it was a good quarter. I would say, though, keep in mind if you go back to Q1, our very large deal in Q1 was in the federal sector.

So some of that got pulled forward, but they had a good strong Q3 and they've done great on a year-to-date basis.

Hamza Fodderwala

Okay. Thank you very much.

Kate Patterson

I think we have time for one more question.

Kevin R. Mandia

Thank you.

Operator

Thank you. And our final question comes from the line of Rob Owens of Pacific Crest Securities.

Your line is now open.

Liz Verity

Hi. This is Liz on for Rob.

Thanks for squeezing me in.

Kevin R. Mandia

Hi, Liz.

Liz Verity

Just really quickly. I know we're over time but just love to get, step back and get an update from you on what you're seeing in the threat landscape right now?

And then on that same vein, what you're seeing in terms of customer behavior and where purchasing cycles have been? If you seeing lengthening of sales cycles, and then on the threat landscape side if you're still seeing...

Kevin R. Mandia

Sure.

Liz Verity

...threats that end up with shorter Mandiant engagements?

Kevin R. Mandia

Sure. So, Mike, I'll jump on this, if you don't mind.

Michael J. Berry

Okay.

Kevin R. Mandia

I'll talk threat landscape first, purchasing behavior second. And on the threat landscape, couple of things.

One, this year at the highest of the abstraction, the threat landscape parallels geopolitical conditions in the world. So if there are no repercussions to hacking a nation from another nation, you generally see those activities.

In regards to China, we've seen a threat abatement occur. We published a report this year called Red Line Drawn where we had thousands of observables over a 10-year period based on the iSIGHT human intelligence, the Mandiant incident response work on over 5,000 customers that have bought our products.

We just saw them dial it back. Rules of engagement have been agreed upon between most of the Western nations and China, and so that counterespionage or I should say that espionage hacking effort has come down in scale and scope.

Now parallel that with what we're seeing this year, and some of you may have been reading in the press what the Russian state actors are doing in my opinion has increased quite dramatically. And we started observing that in 2014 in the fall and we were doing response work on-site and we just saw behavioral changes.

We saw the targeting change, we saw that we were responding to Russian government state actors and they were not going away when they knew we were responding. They were allowed, they were brash, and we saw, what I would call, operational security down a notch because I think the Russian state actors were operating at a scale and scope that made it hard for them to cover their tracks.

They were working with speed and maybe they didn't do the counter forensics at the same level of aptitude they did in the past. And then this year with the observables, we can see a fourth change in the Russian threat landscape is have – with the dots we can contact, and we've been working this for a long time, it looks like there could be government-sponsored folks releasing the documents that they have stolen onto the Internet, which is it changes in the rules of engagement.

In regard to the purchasing behavior, it depends on the industry you're in. If you're in an industry where you're highly targeted by some of these state actors, you've got to have that, I call it the Ravens defense of 2000, if we don't play football, just an aggressive shield of defense.

And the purchasing behavior is if you're up against the best hackers in the world and you're in certain industries like the financial services, healthcare, you got to put your shields up, and you got to create the moat and you've got to have response capabilities to respond to it, but I have seen a trend where there is more focus on total cost of ownership. Over the last few years, a lot of the 1A (1:09:04) enterprises have spent a lot of money on point products, and a recurring theme I get when I meet hundreds of CISOs a quarter is you've got to help us integrate everything we bought, because we're not using all of it and that which we are using we're not using all of that.

Help us integrate it, help us simplify, and help us automate the responses. So I do believe there is a buying behavior that's going from the fear, uncertainty, and doubt sales motion, hey, look you're compromised to the let's streamline operations and look at the total cost of ownership.

Michael J. Berry

And Liz, just to close that out, we haven't seen any change in the length of engagement of Mandiant engagement. They're pretty similar to what we saw in Q2.

Kevin R. Mandia

And so I'd like to just make some closing remarks. We are serious about our path to profitability at FireEye.

And FireEye is also innovating at a rapid pace, and I think you heard that message today. We're laying the foundation for our future, and we're on the frontlines of the cyber-attacks that matter, and we know what works and we know what doesn't work to combat these attacks.

We are unifying our technology, our experience, and our military grade threat intelligence to relentlessly protect our customers from the consequences of these attacks. And I look forward to seeing all of you at FireEye Cyber Defense Summit in late November when we will show you the next generation of FireEye's platform.

I believe it's very impressive. Thank you for your time today.

Michael J. Berry

Thank you very much.

Operator

Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program, and you may all disconnect.

Have a great day, everyone.