Mandiant, Inc.

Thank you, Jonathan. Good afternoon, and thank everyone on the call for joining us today, to discuss FireEye's financial results for the second quarter of 2017.

This call is being broadcast live over the Internet and can be accessed on the Investor Relations section of FireEye's website at investors.fireeye.com. With me on today's call are Kevin Mandia, FireEye's Chief Executive Officer; Frank Verdecanna, Executive Vice President, Chief Financial Officer and Chief Accounting Officer; and Grady Summers, FireEye's Executive Vice President and Chief Technology Officer.

After the market closed, FireEye issued a press release announcing the results for the second quarter of 2017. Before we begin, let me remind you that FireEye's management will make forward-looking statements during the course of this call, including statements relating to FireEye's guidance and expectation for certain financial results and metrics, FireEye's priorities, initiatives, plans and investments, FireEye's path to profitability, drivers and expectations for growth, the expansion of FireEye's platform, and the capabilities and availability of new and enhanced offerings, market opportunities and go-to-market strategy.

These forward-looking statements involve a number of risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply as of today and you should not rely on them as representing our views in the future, and we undertake no obligation to update these statements after the call.

For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release posted a few moments ago. Copies of the documents may be obtained from the SEC or by visiting the Investor Relations section of our website.

Additionally, certain non-GAAP financial metrics will be discussed on this call. We have provided reconciliations on these non-GAAP financial measures for the most directly comparable GAAP financial measures in Investor Relations section of the website as well as the earnings release.

Finally, I'd like to point out that we have posted the supplemental slides and the financial statement on the Investor Relations section. With that, I'll turn the call over to Kevin.

Thank you, Kate. And thank you to all the investors, employees, customers and partners who are joining us on this call.

We all appreciate your interest and support. Before we begin our discussion on our Q2 performance, I would like to comment briefly on reports that began and appeared yesterday about an alleged breach of Mandiant.

Based on information posted online by this anonymous person, shortly after midnight on Monday morning, we began an immediate investigation into the matter. This is an ongoing investigation and it is too soon to discuss all the findings to-date, but so far investigation has first, found no evidence that our corporate network has been compromised; second, has found no evidence that our employees' personal systems were compromised.

Rather, the evidence we have found shows that our employees' online accounts, including LinkedIn, Hotmail and other services were compromised. Thus far, it appears that at least two customers were impacted and we have addressed this situation with each customer directly.

The documents exposed were labeled with these customers' names, but they did not contain any customer confidential information. Our top priority is to make certain that customer data is secure.

To that end, and because we were able to investigate and arrive at our preliminary conclusions very swiftly, we are confirming our findings through a second-level review. We will continue to have our people look into this matter to ensure there has been no additional exposure and we'll do our best to keep you all updated.

Now let's get back to the reason you are all here with us today and our Q2 earnings. In the last several quarterly calls, we have described a number of transitions FireEye has been executing through.

This includes our transition from disparate products to a single platform; from APT prevention to comprehensive prevention, from an on-premise appliance to more cloud and hybrid solutions; from product revenues to subscription revenues. As we execute through these and other transitions, we remain focused on two overarching priorities.

First, right-sizing our cost structure to support a balance of growth with profitability, and evolving our product portfolio to a comprehensive security platform delivered as a service on-premise in hybrid environments or in the cloud. I feel we have done an excellent job right-sizing our cost structure while emphasizing innovation.

I believe fiscal responsibility and innovation are now embedded in the FireEye culture. Now it is time for us to take advantage of the significant innovations we have delivered and to focus on growth and refining our go-to-market strategies.

Therefore today I'm going to discuss three things: some second quarter highlights, an update on FireEye's innovation, and initiatives we are taking for growth. Joining me on the call today will be our CTO, our Chief Technology Officer, Grady Summers, who will provide additional color about our product innovations and we will conclude with our Chief Financial Officer, Frank Verdecanna, who will provide the details of our Q2 financial performance and second-half forecast.

So turning to Q2 highlights, we did what we said we would do; meeting or exceeding our guidance ranges for every financial metric. First, we continued to drive operational efficiencies across the FireEye organization.

We reduced our operating losses by more than $43 million compared to the second quarter of 2016, posting our second-best operating margin ever. In fact, we have reduced our non-GAAP operating losses by a total of more than $100 million during the first half of 2017 compared to the first six months of 2016.

We continue to show strength in our NX appliance renewal and refresh opportunities, or as I call it, operation refresh. From a billings perspective, we have renewed over 100% of our expected renewal amounts.

Mandiant services posted a record quarter in Q2, with their highest effective rates, chargeability, and revenue ever. It is my opinion we have earned the market's trust as the brand to solve the most complex security challenges.

And we continued our trend of increasing the number of transactions per quarter, both sequentially and year-over-year. This trend illustrates our customers are committed to our technology and our services, but we need to stay focused on growth and broaden the markets we serve.

In a few moments, I will outline steps we are taking to do this. But I would first like to speak briefly about our commitment to innovation.

During the second quarter, we delivered a constant stream of innovation to all of our products, including considerable enhancements to the Helix platform, our endpoint product, and the network and email security products. Grady will speak to the details of our innovation in each of these areas.

And I would like to set the stage by discussing our vision for the platform we are building. With the launch of Helix platform in the last day of Q1, we began delivering the technology organizations need to build their next-generation security operations.

Now let me take a moment to explain what we mean by next-generation security operations. In spite of a broadly recognized talent shortage in the security industry, cyber security is one of the few areas in software that has not yet been transformed by automation, and FireEye aims to change this.

Unreliable data generated by signature-based products, combined with a lack of cross-vendor correlation and integration, has meant that even the most advanced security operators have had to sit through the abundance of alerts with no context, without coordination and without prioritization, and then rely on low-tech and manual processes to respond to these alerts. Many of us have witnessed these challenges for several decades.

So we have designed Helix to help address these problems. Helix unifies alerts across the organization into a single dashboard and enriches the data with our expertise to help better protect our customers.

With Helix, we are providing a single platform that blends our technology, our intelligence, and our expertise of FireEye as a seamless on-demand extension of our customers' security team. It is important to note that Helix is powered by dozens of patented innovations and is a system that continually benefits from the knowledges or the knowledge we gain on the frontlines to create heuristics, machine-learning models, specific roles, dynamic inspection, analytics and threat context to better defend our customers and make security professionals far more productive than they are today.

We witness attackers evade the safeguards of virtually every security product, allowing us to be best positioned to defend our customers from those attacks. I believe this is the future of security, an intelligence-led detection, a system that can adapt to how the threats, or the emerging threats work, and it's coupled with an automated response to known threats and the ability to pivot to on-demand security expertise when needed.

We're in the fight when you're in the fight. We have been working on this vision for more than a decade, and while we see many future enhancements, we are delivering significant new capabilities today with the Helix platform, and Grady will speak more to that.

In addition to Helix, we expect HX, our next-generation endpoint product, to drive our growth in the second half of the year; it's one of several ways we'll drive growth in the second half of this year. We introduced HX with Exploit Guard, an advanced malware detection in the first quarter.

We expanded platform coverage with our Mac operating system and Linux versions in Q1 and Q2, and we're delivering full antivirus replacement in Q3. As it stands today, FireEye's endpoint technology is going to be designed to prevent what legacy AV prevents; in addition to offering next-generation end-point capabilities to detect the threats legacy endpoint misses.

HX also adapts to the most advanced threats with logic and rules from the frontlines of combating these threats. The evolution of our solutions over the last year presents FireEye the opportunity to evolve and simplify our go-to-market.

Therefore, I will focus the rest of my comments on changes we are making in our go-to-market strategies to deliver our new solutions to an expanding set and broader audience. Traditionally, FireEye has been very effective at selling to large security mature customers.

They see the value we deliver and continue to renew and expand their deployments. But to meet our long-term growth objectives, we need to expand to a broader set of customers, to go with the broader set of capabilities that we now have.

It is clear that we have extended far beyond the sandbox technology that fuelled the early growth of FireEye. Helix makes all our solutions, even those of other security vendors, far better.

We are now taking a number of steps to align our go-to-market strategies to leverage that innovation. First, we are simplifying our messaging.

And we have progressed from network sandbox to a comprehensive security platform. The Helix platform has a hub-and-spoke model, where the spokes, a network solution, an endpoint solution, an e-mail solutions, all leverage the hub, to apply our collection of capabilities to prevent and detect unauthorized or unacceptable activity.

Grady will present the hub-and-spoke graphic that describes our vision for the Helix platform, so you can better visualize this. Second, we are simplifying our pricing and our packaging.

We kicked off a holistic pricing review to ensure our diverse set of capabilities is priced appropriately and competitively. We also need to make sure we are priced right, as we shift from appliance-based solutions to subscription-based solutions.

Third, I believe the pricing and go-to-market improvements we will be introducing will go a long way towards building our channel leverage and new customer momentum. This quarter is a pivotal moment for FireEye, because we're delivering endpoint protection wrapped with the EDR forensic capabilities and we're pricing it for channel-led sales.

I would like to now introduce Grady Summers, who will take you through some of the innovation we intend to accomplish over the remainder of this year. Grady?

Great. Thanks a lot, Kevin.

So Kevin spoke about few themes I'm going to elaborate on, specifically our innovation engine, our recent product developments and how Helix help the customers deliver on their most pressing needs. I should note we have incredibly exciting innovation taking place across all of FireEye, including in our Global Services and Intelligence team, that's FireEye as a Service, Mandiant and iSIGHT.

However, today I'll be speaking specifically about our product technologies. In his comments, Kevin talked about the four transitions that we've been executing through.

We still have much work to do and really no product is ever complete, but I'm pleased we delivered on the three product related transitions that Kevin set out a year ago. First, we now have one unified platform that unites all of our spoke product into a API-driven single interface.

Second, with our new ability to detect broader types of undesirable threats such as adware and spyware and email, all of our core products can now detect or prevent a comprehensive spectrum of threats. And third, as Kevin mentioned, with last quarter's release of HX for Linux, we now have virtual, cloud-based, and physical form factors for HX covering Windows, Mac, and Linux operating systems.

So in a year, we've gone from a single platform and a delivery model, Windows and a physical appliance, to being able to provision the form factors that customers desire with the operating system coverage they need and we view those as all big accomplishments. So you've heard Kevin talk about a unique combination of consulting and technology and the innovation that it powers and I've tried to depict that innovation engine here.

This is something we get a lot of questions about is, how does consulting work together with product. So innovation does come from a lot of different places within FireEye, but some of the best innovation we believe starts in the frontlines.

So, with our Mandiant instant response practice, we do learn more about attackers than other companies. Our consultants share what they're seeing in the field.

They provide requirements for a new product functionality and they look to us to deliver those. Now one thing that we've learned is that a consultant need to tweak the product much more quickly than our product customers would ever want to upgrade.

Consultants also have a higher tolerance for pain. By this I mean they're willing and able to put up a functionality that has rough edges.

This is why we established the Innovation and Custom Engineering or ICE team, which includes our data science organization and a rapid response development team. This team can iterate on consultants' requirements at a much faster pace than we would ever push new features out to customers.

I've indicated this on the slide with a two-way arrow, of course, as these teams constantly work together to fail fast as they innovate. This is really important for a data science team in particular.

There are many good companies in the security analytics space who have smart people trying to solve problems. However, I've noticed that most of them lack a real-world training ground for their analytics modules.

This is a real distinction for FireEye. Our data scientists aren't working on academic problems in isolation, but rather they're applying analytics to catch evil and real-time for our customers.

These new technologies and algorithms then flow to our engineering R&D team to productionize this code. Of course, requirements also flow in via our product management team, our customers, and the field, in addition to the innovative ideas that engineering comes-up with themselves.

In fact, the big data analytics and malware research labs within engineering have done tremendous works lately, as we're on pace to find more zero-day vulnerabilities this year than any year since 2013. Our innovation cycle isn't complete there though, because we didn't have an opportunity to put new features into the hands of our FireEye as a Service analyst.

So at this point, the technology is relatively stable and tested, but it might need a few iterations to ensure that it's user friendly and properly tuned and working as we expect. So since our FaaS users are experts, they can push these new features to their limits providing yet another source of validation.

So the results of this cycle are really been seen in our products; our endpoint product HX has been a key beneficiary of it. Over the last year, we've improved stability and performance.

We've improved our exploit detection capabilities to recognize and block new threats. We've integrated the investigative features that our Mandiant consultants needed.

Our new ransomware prevention module, for example, also grew out of the ICE team and it will be productionized in early 2018. Our Threat Analytics Platform or TAP has also benefited from ICE, as a multiple modules that were originally developed by the ICE data science team are now productionized in TAP.

Overall, we had 10 different analytics modules graduate, so to speak, from the data science team and moving into our products this year. So as highlighted on this slide, these areas have really set us apart.

I really believe that developing cyber security software is different from most other types of software development. There is an active adversary that's always testing security software and looking for ways around it.

There are very few companies I can think of with Mandiant caliber consultants that push our products' pass-through limits, a rapid development team to quantify their needs, a data science team that gets to hone their algorithms on the ground of an investigation, and a team of experts like (17:52) provide early feedback. While there'll always be new types of threats out there, we think our approach helps us evolve to stay abreast of the latest threat in a long-term sustainable way.

Shifting gears, I'd like to touch on FireEye Helix, which has now been on the market for one full quarter. In Q2, an additional 10 customers purchased the full Helix bundle and we saw more than $2 of additional product and subscription pull-through for every $1 that a customer spent on Helix.

Now, Helix is a very different product than we've sold in the past. It's completely cloud-based with subscription pricing, and it addresses use cases beyond our core NX and EX business.

We do realize it will take time to fully enable our sales force with Helix, and in that context, I am relatively pleased with where we are today. I'm especially encouraged by the geographic and industry mix of our Q2 Helix customers.

Five of the 10 deals in the quarter were with companies based outside the U.S. and were in industries as varied as retail, hospitality, manufacturing, banking and energy.

So the slide we're looking at now depicts Helix's architecture at a high-level. We do consider this whole FireEye product ecosystem to be Helix, and so you'll hear us distinguish between the core user interface, which we refer to as Helix machine control and the five spoke products that feed into Helix; network, email, endpoint analysis and TAP.

As a reminder, Helix works with any and all security products in our customer environment and it makes those products better. This integration occurs via TAP on the input or just inside of thing, and via orchestration on the output side.

You'll notice that intelligence remains at the center of everything we do and it's right here at the center of Helix as well. We then provide optional add-on modules on top of the Helix base.

iSIGHT Premium Intelligence is one of the those add-ons today and we'll be adding additional modules such as Advanced Orchestration and Analytics in 2018. And of course, FireEye as a Service or FaaS sits on top of Helix.

And we're really pleased with the symbiotic relationship between Helix and FaaS so far with six of our 10 Q2 Helix customers adding FaaS to the mix as well. Now, it's too early for me to tell whether FaaS is pulling Helix or Helix is pulling FaaS, but it's clear that FireEye's products and services mutually benefit when we sell them together.

Next, I'd like to talk about some innovation of Helix spokes. There's so much I'd love to share, but let me just touch on a few highlights.

The endpoint spoke HX is obviously an exciting area for us. I mentioned earlier that in the last year, we went from one model of HX, offering cloud, virtual and physical management infrastructure across Windows, Linux and Mac.

It's just table stakes to some degree and we realize that, but I mentioned it as an indication of how quickly this product has evolved. This coming quarter, we'll be releasing our antivirus replacement functionality, which combines signature base, machine learning based and heuristic base prevention.

On the email spoke, EX and ETP, we continue to iterate on our detection with an all new URL Analysis engine we introduced earlier this year. This engine scales better and has improved the types of attacks we can detect.

For example, in the last quarter, we've caught two times more credential phishing attacks. These are attacks where the attacker is trying to convince the user to give up their password, new username.

We've detected two times more credential phishing attacks than we have malware-based attacks. That's a real shift in the threat landscape.

For 2018, we have an aggressive plan to fill some basic capabilities that are necessary to compete in full stack email security, as we'll combine our leading threat detection with features like encryption, archival and e-discovery. On the network spoke, you may recall that we now offer cloud and private cloud options for MVX as well as virtual sensors.

These new form factors continue to grow their share of the overall network business. In the second half of the year, we'll be introducing new hardware that enables our latest detection technologies to run more efficiently and which will enable integrated SSL decryption early in 2018.

This has been a top customer request. I'd like to go and end with an example of how Helix makes life simpler for a security analyst.

I probably wanted to tell you that the job of a security analyst can be hectic, lots of research and e-mails, lots of different interfaces, lots of Googling for answers. In fact, our research shows that much of the security analysts' effort can be automated.

The graphic here is based on research we've done and it shows where analysts experience their effort while they're investigating a case. If you look at those first three phases, enrichment and validation, up around through ticketing and reporting and notification, this is a lot of necessary work, but it's work that can be automated.

And if so, that's over 80% of the analyst's time we could free up. So in a world of one-hour SLAs for event triage, analysts spend maybe 5 to 10 minutes of every hour actually applying their analysis to the data and the rest of their time on gathering data, enriching it, and doing reporting.

We want to shift this paradigm. We want to automate the banal and allow analysts to scale by giving them the time to investigate what's really important.

So how does Helix help? Look, fundamentally, it's about presenting all the supporting context in one place, allowing quick access to the most relevant tasks, driving efficient work flow and enabling automation.

So the user interface, we're going to wrap-up with here, shows few features that will be implemented in the third quarter and were designed by some of our leading incident response experts. So I'll show you what it looks like.

Here you see the Helix main alert view, and there's a lot of detail here and it can be a little overwhelming if you're not used to responding to alerts. So let me isolate a few key features on this page.

First here on the upper left, you see the threat context from iSIGHT. We call this iSIGHT connect and it lets our customer see what iSIGHT knows about a particular threat.

Customers can see very basic information about malware and threats to their environment or they can upgrade to a full subscription if they want broad access to search our intelligence databases. Next, we provide full context about the alert here in the middle.

Now, while you've probably seen a lot of similar looking screens from SIM vendors, what you see here is actually quite different. This is the integration of our endpoint spoke, HX with Helix.

So when Helix generates an alert or even if it gets an alert from a third-party product, it will go ahead and use HX to gather additional information and present it to the user. Gathering host data was traditionally a manual process that could take hours, but here the analyst gets it immediately on their screen.

Now at the bottom of the screen we lay out any other events that we found that relate to this alert. This saves the analyst the time of having to run searches and read through the data.

We put it all right here in a format that's easy to digest. Next we've actually clicked on an indicator up here on the left.

This is the data that triggered the alert and you'll see links to a lot more detail. This is an example of the extended intelligence that our iSIGHT Premium Intelligence customers will get in Helix.

The security analyst now knows everything about this alert that our iSIGHT analysts know. Here we've clicked over the assigned dropdown where we can initiate the workflow process.

This looks really simple, but it's the start of a powerful capability. Our customers have told us that they need more powerful alert and case management workflows.

So, once this alert has been assigned to an analyst, they can annotate it, attach supporting evidence or route it to others for action. And finally, perhaps the most important piece we've talked about, you're seeing the results of an automation playbook that's run against this alert.

This particular playbook looks up additional information about a computer, and will block it from talking on the network if certain conditions are met. We'll continue to integrate more orchestration functionality into Helix and add more playbooks to keep making life easier for the analyst.

So I feel like I barely scratched the surface of innovation here at FireEye, but that's all we have time for today. I hope many of you can join us at this year's Cyber Defense Summit October 10 through 12 in Las Vegas, where we'll have a chance to go a lot deeper.

So at this point, I'll hand it over to our CFO, Frank Verdecanna.

Thanks, Grady. Let me start by framing my comments by saying that from a financial perspective, I believe our business has made significant progress on our path to deliver year-over-year growth and non-GAAP operating profitability in Q4.

The year-over-year decline in product and total billings moderated. Sequential growth rates returned to levels consistent with our historical results, and we are positioned to exit the year with Q4 year-over-year growth in both billings and revenue.

We continue to improve on our execution, and as a result, I'm pleased to report that for the second consecutive quarter, we have met or exceeded expectations on all our financial metrics, including billings, revenue, gross margin, operating margin, expenses, EPS and operating cash flow. On today's call, I will focus on some additional color on our Q2 results, our guidance, and the key business drivers for Q3 in the second half of the year.

And since we'll be adopting ASC 606, the new revenue guidance, in Q1 2018, I will give you an update on that process. Before we begin, let me remind you that when discussing gross margin, expenses, operating income and EPS, I will be referring to non-GAAP measures, which exclude stock-based compensation, amortization of intangibles, non-cash interest expense on our convertible debt, and other non-recurring items.

Starting at the top, billings of $172 million were near the high end of our guidance range, as we continued to execute well on the NX refresh migration opportunity and posted strong growth in the Mandiant consulting business, which operated near capacity in Q2. We also closed 10 new Helix transactions and posted year-over-year growth in FireEye as a service.

Looking at the details, we booked two transactions greater than $5 million. The first transaction was with a regional transportation authority that includes a multi-year Mandiant services component, which was the primary driver of the difference between our professional services billings and professional services revenue.

The second $5 million plus deal was for our traditional NX and EX appliance-based solutions, which contributed to our strong performance on the product line. This transaction also included a subscription to our iSIGHT Intelligence.

Overall, we closed 27 transactions greater than $1 million, compared to 40 a year ago. The average transaction size of $1 million plus deals was constant on a year-over-year basis at just under $2 million.

Transaction velocity continued to increase, with total transactions up year-over-year and sequential – on a sequential basis as well, as our existing customers continued to renew and expand their deployments of FireEye solutions. Our renewal rate, which represents our customer retention rate, was consistent with Q1 at approximately 90%, with a dollar base yield above 100% on a rolling four-quarter basis.

The average contract length was 22 months, consistent with Q1 and down from 27 months in the second quarter of 2016. As you can see from the product subscription waterfall slide, we have included the decrease in contract length accounted for approximately $15 million of the year-over-year decline in product subscription billings.

The year-over-year decrease reflects the mix within product subscriptions, which includes more renewals and unattached subscriptions. We added 221 new customers in the quarter and ended the quarter with more 6,000 total customers.

On the revenue side, our strong performance on product and professional services relative to our initial expectations resulted in a total revenue of a $185.5 million, exceeding the high-end of our Q2 revenue guidance by more than $6 million. Just a couple of notes on the components of revenue.

Product revenue of $31.2 million increased 31% sequentially from Q1. Although product revenue was down year-over-year, the decline of 23% was less than the 30% to 40% we guided on our Q1 call.

This was partially due to the large NX/EX deal with a financial services customer mentioned earlier, but product sales were stronger-than-expected across the board with both refresh customers and new customers. Product subscription revenue of $86.3 million increased 13% from a year ago, but was essentially flat with the first quarter of 2017.

The majority of product subscription is recognized from current subscription deferred revenue on the balance sheet, which was flat with the prior quarter. We believe this trend is the lagged effect of the decline in product subscription billings that came with the decline in product billings that began in 2016.

This also explains why our Q3 guidance implies relatively flat product subscription and support again in Q3. Mandiant professional services posted a record quarter of $33.7 million in revenue, up 19% from Q2, 2016.

The results reflect the completion of several milestone projects as well as record chargeability and rates per hour in the quarter. Historically, strong Mandiant billings have resulted in pull-through of additional product and FireEye as a Service billings in the future quarters.

And this is one of the reasons I believe we are on-track to achieve our second half objectives. Our strong revenue performance was accompanied by continued discipline and improvement on the cost and expense side.

Gross margins of 73.5% improved sequentially and year-over-year as we become more efficient delivering our subscriptions or services. In Q2, we consolidated our services, support and threat intelligence organizations into a single organization with a more streamlined cost structure.

Total operating expenses were a $141.7 million, decrease of nearly $35 million or 20% from Q2, 2016. Sequentially from Q1, sales and marketing and G&A both declined, while R&D expenses increased slightly as we continue to invest in innovation.

Headcount increased by 30 people from Q1, 2017, the first sequential increase since Q1 of 2016. Our strong revenue performance, coupled with continued expense discipline, resulted in a better-than-expected operating margin of negative 3%.

Our Q2 operating losses decreased by $43.7 million to just $5.3 million or 3% of revenue. This was the second-best operating margin in our history, second only to the Q4, 2016.

On a year-to-date basis, we've reduced our operating losses by more than a $100 million compared to the first half of 2016. I believe we achieved a cost and expense structure that balances the need to invest in future growth with the achievement of our non-GAAP profitability targets.

Improved operational efficiency allowed us to outperform against our operating cash flow guidance as well. Operating cash flow of negative $11.5 million was better than the midpoint of our guidance range by more than $10 million.

Although we added approximately $4 million to our accounts receivable balance, DSOs measured on billings of 58 days was below our target range of 60 to 65 days. Those are the highlights of our Q2 performance.

Let's turn to, like, over the second half of the year. For Q3, we are now expecting billings in the range of a $190 million to $205 million and revenue in the range of $183 million to $189 million.

Although history has shows us it's difficult to predict the mix in any given quarter, with our strong execution on the refresh opportunity, we are expecting product sales to remain consistent with Q2 or in the range of $30 million to $32 million. We also expect to see modest sequential decline in professional services revenue.

This is due to normal seasonality associated with Q3 vacations and holidays as well completion of several milestone projects in Q2 we mentioned earlier. We're targeting a non-GAAP operating margin of negative 4% to negative 6% for the quarter.

This includes modest expense growth of a few million dollars primarily due to higher commissions as well as a full quarter of expenses associated with the head count additions in late Q2. We expect to generate positive operating cash flow of between $1 million and $10 million in the third quarter.

The increase relative to Q2 reflects the slightly higher receivables balance at the end of Q2, as well higher Q3 billings. Using shares outstanding of approximately 179 million for Q3, we expect loss per share in the range of $0.06 to $0.09.

For 2017, we are reiterating our billings guidance in the range of $745 million to $775 million and increasing our revenue guidance range by $10 million to $734 million to $746 million. We continue to target non-GAAP operating profitability in Q4, along with renewed billings and revenue growth.

We are reiterating our operating cash flow guidance of $1 million to $10 million and capital expenditures of $40 million to $50 million for the full-year 2017. To sum up the quarter, I was very pleased with our Q2 results, and as in Q1, we delivered at or better than all guided metrics.

As we move into the second half of the year, I am encouraged by the continued improvement in our ability to execute. And I'm excited by the opportunities represented by Helix and our enhanced endpoint, as well as our efforts to hone our go-to-market approach.

That's it from my prepared remarks on Q2. Before I turn the call back over to the operator to begin Q&A, I wanted to give you some comments on our adoption of ASC 606.

As you know, we will be adopting ASC 606 in Q1 of 2018. Our preliminary view is that the majority of our product revenue will be recognized ratably under the new guidelines.

This is because the appliance and subscriptions are viewed as a single unit for accounting purposes. The change has an implications for our supplemental metrics and the breakouts of billings and revenue, that we will discuss as we are closer to adoption.

We continue to make very good progress on the ASC 606 project and expect to be able to provide some additional information on the P&L impact later this year. We will also try to give you some advanced warning on any change in metrics and breakouts.

With that, I'd like to turn the call back over to the operator for Q&A.

Hi, guys. Thanks for taking the question.

Hi, Ken.

So, you've talked a lot about the large amount of NX appliances due for refresh in the back-half of the year. I was wondering if you could give us an overview of how you're tracking that process for those deals.

Sure, Ken. So basically, if you look at the full year of the NX renewals, Q3 and Q4 have the majority of renewals just based on historic seasonality.

And, if you look at what we've done for the first half of the year, we've executed really well on the refresh opportunity. We've reached refresh basically every dollar we're expecting a refresh, plus additional dollars from expanded deployments in additional products and subscriptions sold into that renewal.

Okay. And, I guess along those lines, could you discuss what portion of the NX space or even your entire installed base is facing, essentially an end of life by year-end?

So, we don't have a formal end of life process. If you look at our appliances, they can last anywhere from three to five years.

We have a significant number of appliances that are up for renewal this year, but again the customers can just renew products subscriptions and support or they can refresh to our hardware that have some additional functionality and additional bandwidth capabilities.

Great. Thanks very much.

Thanks, Ken.

Yeah. So some broader question on the second-half ramp which is still quite strong on the billing side.

So you would just talk about the refreshment? Also, and especially there were couple of large projects, it sound like they would have some pull-through and then the availability of new product projects.

I may have answered the question myself already, but I really want to make sure that we have it down in terms of how we can get that confidence and that's strong ramp-up in billing that goes into the second half?

You know, Michael, I think you hit it on the head. So, the three real growth drivers there are the NX refresh opportunity that – we have significant number of renewals coming up in Q3 and Q4.

Also the timing of endpoint with antivirus being released at the end of the third quarter is the big growth drivers for the fourth quarter, especially, and then Helix, which we did see progress in Q2, but if you look at the pipeline from the start of Q3 versus the start of Q2, our pipeline is up 6x on Helix, and one of the things we're really encouraged by on Helix is that every dollar of Helix has been kind of pulling through $2 of additional subscription and support.

Right. And if I could ask one slightly broader question regarding the outbreaks of ransomware with NotPetya and WannaCry as well as GDPR, been a lot of discussion about whether or not in general it seem to be a good long-term driver, but is that causing a pause or an acceleration of spend right now?

Well, I think people have to pay attention to it. Right now, traditionally ransomware is, what I call, an indiscriminate attack.

It's not very targeted, and a lot of folks might make the argument that if you do good hygiene, you shouldn't have to deal with those sorts of issues. However, the targeted attacks that are more advanced and more complicated to prevent, we haven't seen ransomware kind of appear in those very frequently.

But the bottom line is WannaCry, Petya and other types of ransomware attacks keeps cyber security top of mind.

Okay. Thanks very much, Kevin.

Yes.

Great. Thanks for taking my questions.

So I wanted to ask on Helix endpoint, specifically with regard to Helix. Can you talk about your thoughts regarding the product as a mechanism for up-sell to additional FireEye products?

You touched on it a bit in the call, but as Helix continues to grow, our customer is starting to see you as a more holistic security vendor?

Well, that's why we spoke so much about it on this call. I mean, we got to get the message out there, Gur, and we got to let people know, let people see.

There's no question as we go to what I'm calling and we're calling the hub-and-spoke model, the products that originate this company are now spokes. If we get people to Helix machine control, we have many ways and many other products to up-sell at that point.

So, Grady's non-verbal communication is that he really wants to talk right now. So, I'm going to pass over to him.

Okay. I was just going to mention, this year is very much about getting customers onto platform and getting the platform to the state we needed to be in.

We know there's significant up-sell and cross-sell opportunity going in next year. We've got a long roadmap of subscription up-sells we know we can layer into the platform, I touched on iSIGHT premium Intel for example.

So, there's a lot more to come, it's just important for us this year to focusing given the customers move to that platform.

And then Gur, since you opened up the door, I'll say this and it's indirectly answering your question, but our intellectual property at FireEye has always been, we know how to stop bad stuff from good stuff in my opinion better than anybody, and we build system that knows how to do that. Our first-generation as a company as we took that IP and we put it in a network appliance.

Now we pull it out of the network appliance and we want to make it available to our endpoint, our e-mail, our network and everybody else's network e-mail and endpoint products, because their true IP is telling good from bad, and that's what we want to make more widespread and more available. So, we're taking the walk with Wall Street with our customers, with all our stakeholders on, we said what was good and bad on the network, so now we're more of an analytics organization that helps your products and our products defend your network.

That's great color. And then maybe one question on endpoint.

I'll take a different angle here. It feels like you're tailoring this product specifically for the channel.

What are you seeing with regard to early commentary from your channel partners and from customers, and then give an endpoint proliferation, how noisy the endpoint market is right now, how do you differentiate from other players in this space that are going after the market with similar messaging? Thank you.

So, we went through the channel with some things. We're going back with another campaign.

So, here is how we differentiate. I've made a whole carrier out of responding when endpoint technology fails.

And, so we're still doing that. We've got hundreds of people deployed, responding to breaches behind the latest AV updates and next-gen endpoint software.

So, I see it as we differentiate in the following way. We have a layer of defense that I'm wholly unaware of other endpoint technologies having.

Table stakes on endpoint protection is you've to detect what AV detects and we have that. So, that's a check in the go box from a compliance standpoint, and that's coming out this quarter.

But then you want to also detect what AV misses with next-generation capability like machine learning models and some heuristics. We have a check in the go box there, and so do other vendors.

But there's still attacks that get through all of this, and we are the best position to respond to those with what I call an adaptive layer. And that's not the most fancy marketing in the world, but I'm going to go with it.

It's an adaptive layer. We can learn something today, and push the heuristics and rules required to defend our customers from it today into the endpoint technology.

And, that picks up where most pure product companies have a model that doesn't learn, and I'll expound for another 20 seconds. Most pure product companies, how do they learn when their products are evaded?

How do they learn how one of their customers was compromised? The answer is they actually don't usually learn how.

They don't get first-hand experience to see how their tech was evaded, how the bad guys got in, how they took things. And we see that firsthand all the time and that adaptive layer can respond to that.

Now, that being said, we also want to rely on the technologies that are emerging, machine learning models, heuristics, rules, analytics, all of that to productize what we learn, because, quite frankly, if technology can automate what humans do, technology will do it better. So we'll always strive to do that.

So anyway. It's a longwinded answer to say we differentiate by having a third layer of defense that is unique, because it's unique in my opinion to FireEye, because we're responding to dozens of breaches at any time behind the other endpoint technologies.

Kevin, as always appreciate the color and Grady, I appreciate the enthusiasm. Thanks a lot, guys.

Great. Thanks and good afternoon, guys.

Hi, Rob.

With regard to the upside that you showed in the quarter on revenue, we see the guidance uptick, but relative to billings, holding it the same, is that a function of duration or are there other puts and takes at play there?

Yeah. I think Rob, if you look at the year-over-year decline in total billings, you can almost attribute the entire decline to average contract length going from 27 to 22 months.

And in your purview, should it stay at this level moving forward or do you expect further declines?

I think it'll probably stay right around where it is today. I think the significant move from product to subscription had an impact on contract length, but if I look at most of our subscriptions right now are anywhere from one to three years, so I think leveling off around two years is reasonable.

Okay. And then number two, I apologize if I missed it.

Did you disclose what international revenues were during the quarter and how Europe trended? I know there was some broader commentary Kevin made around ransomware, but just curious where it wound up for the quarter.

Historical...

Yeah, so we did disclose in our historical metrics and basically U.S. was 67%, which was pretty consistent with Q1, Q1 was 66%.

I'm sorry, you said 67%?

Yeah, for U.S.

Okay.

So 33% International.

Thank you.

Thank you, Rob.

A little bit of static on the line. I wanted to ask about the pricing comments that you made and I understand that it's a bit difficult.

But historically, FireEye has been known as the premium product for premium capabilities. And you did make a number of comments around – you didn't use these words, but want to get more competitive as pricing.

So how should users and investors think about A, at the spoke level, if you will to use Grady's term, but then also Helix; how do customers think about the pricing of Helix relative to the other capabilities that they could buy? Thank you.

So I think it's a good question. Yeah, we've been looking at pricing, I think, both from our historic legacy products, but also more importantly for our newer products.

And if you look at Endpoint with antivirus, for example, our cloud version is very competitive to the market and historically our products were premium-priced and really challenging to go through the channel on some of the legacy products. But we feel like with Helix and Endpoint with antivirus, we're much more price competitive now with our cloud versions of those products.

And just so philosophically, do you anticipate being very competitive with the other products and then taking share through features or would you still think you'll be at a premium relative to the other products that you're competing against in the market?

Well, I can tell you a couple things. When you look at small-to-medium enterprises, they have a different price point, pain and threshold than a lot of the enterprises we're used to selling with.

So in order to expand the base that we sell to, I would like to get the pricing down and when you bundle different things, the pricing gets a little bit more complex. We were largely pricing each one of our products as if they were going to market independently.

Right.

That's no longer the case anymore. So, as we sell Helix, we're selling a system, system that learns, a system that can do a lot of different things and we want to make sure we get that pricing right.

And it's also, it can have product pool sales in it, but it's a subscription as well. So this is something that's combining many stakeholders within our organization, some that were used to go into market, almost like a company within a company.

And so, we got to have a holistic pricing review. We're working that with external consultants and working it at speed, but we want to have a value-based pricing too.

This is a company that grew up shipping appliances and units, and now we're shipping a subscription to an outcome. So...

Okay. Well, many thanks for taking the question and best of luck.

Thank you.

Great. Thanks for taking my question.

So, Kevin you were just talking about the changes you have made from a product set perspective as well as the pricing. But I'm just wondering if you can maybe provide a little bit more detail on the changes you guys are making from a go-to-market perspective and particularly if you feel like you need to do some sort of change to the sales force to better address what would be perhaps a bigger opportunity with Helix, and if that is the case, where we are in that process?

So I could probably go on for quite a bit, but one of them, at the highest level I talk about we got to simplify our messaging. We have menu EX, HX, FX, AX, NX, EX and you go through all of these things, can't we just have network, e-mail and the Endpoint, because that's actually what we have.

I can give you five more products that have NX on the end of it. So those are my opinions.

But we still want a holistic approach to this and we have a roundtable folks discussing it. But I believe we have five to six ways into our customers and I want to go-to-market that way.

And then we an endpoint route, we have an email route, we have a network route or we have somebody wanting to get us – our whole technology suite with Helix. So the bottom-line is, we want to simplify how we go-to-market.

I am looking at how we're branding everything with Xs at the end and thinking that maybe here today and gone tomorrow. Second, you look at our channel, it is my opinion and I always work with, is that, we're going to stay consistent in the positives we have and I actually think it's pricing.

I think, if we can get our endpoint priced right, it might be our first channel-ready product from a pricing and capability standpoint. You don't have to hire experts to run it, you just put it in and it's safeguarding your network, it's an endpoint fortress for you.

So bottom line, Melissa, I could talk to you about this for a lot longer and hopefully we'll get a chance in the next day or so. But those are just two examples.

Now we can simplify our messaging and simplify our go-to-market and give our channel better tools and simpler products to sell.

Okay, got it. And then just one follow-up on the refresh opportunity or the renewal opportunity.

Frank, maybe this is for you. So when an appliance is up for refresh, it's fully depreciated and it needs to be replaced, how much visibility do you have in terms of what the customer buy behavior is, such as if they're going to buy perhaps another appliance, or they're going to go more of the subscription or virtual appliance route?

Yeah. I think, our focus is really on providing the right solution for their environment.

If they're not ready to move to the cloud, we have great new appliances that are Intel based, have more bandwidth, are Mac supported. If they're ready to move to the cloud, we have both, our just traditional cloud offering with NX or we have kind of a hybrid approach, where they can actually get used of their existing appliances, sensors and then that can speak to our cloud offering as well.

So the good news is, we're now in a position on everyone in this folks to offer both on-prem, in the cloud or hybrid environments.

Got it. Okay.

Thank you.

Hey, guys. Thanks.

So, can you just tell me what drove the decline year-over-year of new logo customers?

So, Sterling, I think one of the things that we talked quite a bit about – this is Frank, it was the go-to-market approach and the changes to some of the pricing. I think, if you look at what we've done a really good job on is, continued deployments within our existing customer base.

The new logos, I think are really going to be more related to endpoint, Helix and some of our cloud versions of our older products. And so how we go to market with those and how we start working with the channels with those are really important, and that's why we've really engaged on kind of holistic pricing review, because we believe that's an area where – significant upside for us.

That makes sense. And then, just to level set, you talked about the 10 Helix customers, but can you give us a sense of what portion of the business was Helix in HX versus let's say a year ago, just so we can see how that trends from here?

So, we haven't actually broken out by products, but if you look at obviously, we didn't have Helix last here, so that 10 net new customers are all upside to that. Endpoint has been progressing nicely and if you look at the endpoint pipeline we feel really good about where we're at for the second half of the year.

But again, the endpoint with antivirus comes out the end of Q3. So I would expect much of the year-over-year progress to be in the fourth quarter and to a certain extent a little bit less in the third quarter.

Yeah. Thank you, guys.

Thanks, Sterling.

Thanks, Sterling.

Hi, thanks. So, just a quick follow-up on the go-to-market strategy, in terms of the changes you are making there, could you give us an update on what you're doing differently as it relates to channel engagement in general just beyond kind of getting pricing right and not specific to any product?

And then, on a related note, it seems like the first iteration of Helix may lend itself more to a mid-market sort of sale. Is there a way to better leverage the channel there again beyond just getting the pricing right, is there a way to better sort of educate or motivate the channel, compensate them to really get out there and sell it?

Yeah. So when I talk about the go-to-market in the past, I've always talked about process, product, price, and policy.

And in the past, I thought our products at a premium price weren't always perfect for the channel, and sometimes they were perceived as expert systems. If you bought our products, you actually have that somebody run them, look at them.

And so, I think we got the policy right, it's unambiguous, and if we keep enforcing it, we're going to win the channel over in time. So now it's more about the simplicity of the products and their price, and we're trying to get both those right.

When you look at Helix, I'd agree with you. Helix, to me, has a simplicity and grace to it.

If you buy Helix, we're telling you what matters most, and we're leveraging all prior spend, from a small, medium enterprise, or on the channel reseller moving this stuff, I see its relevance very broadly. And we're going to try to price that competitively to garner interest in net new logos.

Endpoint, it's same thing, you can feel it in the market, and you can see with our endpoint pipe increasing, and I've seen it personally for years. We started our endpoint endeavor in 2004, when I started Mandiant.

We knew there needed to be something to replace AV that was far more effective and signature-less. The time is now and we've got a product with multiple layers of defense, that I think is really perfect for the channel.

It's simple. If you buy, you're protected.

If you need extra help, we can send our expertise. Those are things that are messages that go with Helix and endpoint together.

So the bottom line, both of those products have a simplicity that is channel-friendly and we're going for a price that is channel friendly.

Okay. Perfect, and Kevin, maybe just a quick follow-up, could you share any additional detail on the strength that you saw in professional services in the quarter.

It's stronger than it had been in a number of quarters, and I was wondering if any of that was driven by the ransomware headlines and also did you find yourself capacity constrained in that business?

On the capacity side, it's kind of tough, because over any week, you can get a bunch of inbounds and chaos and sues, and you can't say yes to every job that week. So, capacity constraints do emerge from time-to-time.

But looking at it as a whole, yeah, we were pretty close to full-bore the whole quarter. I don't know, if I can simplify it as well, it was Petya or it was WannaCry, it was just – there is a certain amount of breaches.

Again, we handle most britches quietly and discretely and the public never finds out the about them, nor should they need to. And, it's just we're real busy, it's that simple.

Okay.

Some of that – I guess another expounding there though is the brand is getting just more noticed internationally, so I'm speaking anecdotally here. It feels to me, we're busier internationally than we have in the past, so some of the growth might be just as the brand kind of propagates internationally.

Okay. And just a quick follow-up, have you seen a pickup in the pro-active side of the professional services business as well or is it mostly being driven by the -sorry go ahead.

Yeah. We have a pretty good balance here, like people think well, all you do is to respond to breaches, we do that, but what it makes you uniquely capable to say what do you do about it, meaning strategic consulting holds pretty steady.

I don't have the numbers sitting right in front of me, but it's always been – it feels to me like more than a third of what we do over there, if not higher. And it will fluctuate quarter-over-quarter, if it's not more breach work, our folks are doing more strategic consulting work.

So bottom-line, we're well positioned to do it and I think the balance between the two is pretty good, between response work and in fact the strategic proactive work.

Great. Thank you very much.

Thanks, Ann.

Okay. Thanks very much.

Just a follow-up on a previous question. Kevin, wondering by roughly when you expect that the holistic pricing review might be completed and then implemented?

Completed? Well, we have a work plan.

It's somewhere around 11 weeks or 12 weeks left in that work plan, is that correct? I'm looking at people nodding to me, and we're working with external consultants there, and then, after that I want to see where it lands.

It's a great way to corral many independent and strong-willed individuals and get to a solution that's best for the company at large, and that's why we're doing it. So I would say it's 11 or 12 weeks out.

(01:00:53).

Yeah. The channel is tough, some of the things we're doing faster than that, like our endpoint pricing is going into the channel this quarter.

The training for the channels already occurred and we're doing another round of endpoint training for the channel this quarter. So some of it, we're not waiting for completion and we're moving out, but some of it, we're looking for completion and we'll learn from it.

Okay. That's helpful.

Frank, just wondering, Frank, what sort of mix you saw or any commentary you have on attached versus unattached product subscription this quarter? Thanks.

Yes. So, Gregg, we haven't been disclosing the attached and unattached, but, yeah, it's been pretty consistent.

We're seeing an increase in unattached and then obviously with the decline in product, we're seeing a decline in the product attached.

Right. Okay.

Great. Thanks.

Thanks.

Thank you.

Time for one more question, please.

Great. Good afternoon.

Thanks for taking the question. Maybe to follow up on the pipeline you're seeing in Helix, when you engage with some of the new customers in Helix, are you able to demonstrate to them ways in which they can save money through either consolidation of products or efficiency in a security operations center, and maybe just a little on the steps to get that product to go-to-market and scale?

Thank you.

So this is Grady. I can talk about the value piece.

I mean, that was one of the key premises we've been talking about Helix for a long time is, because our customers get entitlement to endpoint network, and TAP, we've additional discounting built into that. So it's been good, we're seeing some customers, one of our customers this quarter shared with us that they saw a 25% TCO reduction, by moving the Helix from the point products they've been at.

So you can always hit every customer at the same point in the refresh cycle and we're looking to swap out a lot of products, but in this case, they did, and they sell substantial savings. The next part of your question was about scale, I can just tell you where we're working really hard in getting training out there to all of our sales engineers in the field as well as our account reps.

So we'd love to get out there even faster, get them 100% to speed, but that process is happening and everybody should be fully trained on it here within the next few weeks.

Great. Thank you for call, and a follow-up for Kevin, if I could.

You mentioned all of the areas in which the company has changed over the last year, as you look to the strategic plan for the next 12 months, what are the two or three things that you're most focused on?

It's a great question and it's taking that walk from what is our intellectual property? It's our ability to tell good from bad.

And that it comes in many format. So you're going to see us constantly upgrade and innovate.

I think I want people when you think FireEye, think innovation. I think we know more about what bad actors are doing than anybody else, I think we have an adaptive system.

And I want to move the needle on those from a technology standpoint. And that's the easiest way to say it, keep our IP available, keep our analytics available to our products, and quite frankly, why not make them open and integrate them with other people's security products as well, so that everybody can benefit.

So that's where we're moving. It's a long endeavor, but I anticipate enhancements happening ever quarter.

Make sense. Thank you.

Yes. Real quick wrap up.

In Q2, we said what we – we did what we said we'd do. And I want to thank everybody that joined us on this call.

While we have driven positive changes, our mission and our focus remains the same, as does our commitment to our customers, our employees, our partners and our shareholders. So, again, I thank all of you for your support and I look forward to providing regular updates on our progress in the future.

Thank you.