HomeVideos

Palo Alto Networks CEO: "AI Found 5 Years of Bugs in 6 Weeks"

Now Playing

Palo Alto Networks CEO: "AI Found 5 Years of Bugs in 6 Weeks"

Transcript

1079 segments

0:00

One of the biggest winners right now.

0:01

[music] The big daddy of the

0:02

cybersecurity space. Palo Alto Networks

0:04

is a now performer in the space.

0:07

CEO Nikesh Arora

0:09

>> This might [music] come as news to you,

0:11

but humans have been writing bad code

0:13

for a very long time.

0:14

>> I spent 10 years [music] at Google and

0:16

you know, Google search was

0:17

democratizing information. If you take

0:19

that analogy and think about what AI is

0:21

doing, AI is democratizing [music]

0:24

intelligence.

0:25

>> Money is a way to keep track.

0:27

>> Yeah.

0:27

>> It's not the goal.

0:29

>> You've been a CEO of Palo Alto Networks

0:31

for 8 years?

0:33

>> Coming up on 8 years this week.

0:34

>> And I think when you started it was $17

0:36

billion market cap if I remember

0:38

correctly.

0:39

>> There about.

0:39

>> And this morning I checked it's $238

0:41

billion. Which if you listen to what we

0:43

said yesterday, now that you passed 100,

0:45

you're more likely to actually 10X. So

0:47

the first 10X was actually much much

0:49

harder. So you're on your way to a

0:50

trillion dollars.

0:51

>> From your mouth to God's ears.

0:53

>> Well, I I think you are. Okay, so let's

0:55

just double click into what you see

0:57

because you are

0:58

sort of in a really interesting position

1:00

to see all of it.

1:02

You see the birth of AI. Maybe you see

1:05

you've seen the rise and fall of SAS.

1:08

All the models talk to you. You were one

1:10

of

1:10

>> The rise again, right?

1:11

>> The rise again.

1:12

Uh you were one of the first and the few

1:14

that got access to Mythos. So just Let

1:17

me just push the button. Go Nikesh,

1:19

start.

1:20

>> [laughter]

1:21

>> Well, uh first of all, thank you for

1:22

having me here.

1:24

I think AI is exciting.

1:26

I think it's exciting to see all the

1:28

stuff that's gone down in the last

1:30

possibly 24 months.

1:32

Um

1:33

I think Sarah just said it. They were

1:36

right in anticipating the huge amount of

1:38

compute that was going to be needed. So

1:40

all that stuff's going on. But

1:43

you can see

1:44

that

1:46

you know, this this notion which we

1:47

talked about briefly last time that AI

1:50

is really democratizing intelligence.

1:53

What that means is I have 250 people in

1:55

marketing. They produce varied forms of

1:57

output. Now you can get 90% of the

2:00

output to be consistent across those 250

2:02

people. I have 5,000 people who talk to

2:05

customers.

2:06

There's My my failure mode is when 5,000

2:09

people do different things, where people

2:11

say, "I want to talk to Joe because he

2:13

knows how to solve the problem and Jim

2:15

doesn't."

2:16

So now you can get 5,000 people to act

2:18

almost consistently in their

2:20

interactions with people on the other

2:22

side. So I think it's going to have a

2:23

phenomenal impact to how we run

2:26

businesses, how we operate. It's going

2:29

to change the entire landscape.

2:30

Now,

2:31

in that context, you touched upon

2:33

Mythos, and you know, Dave has been very

2:35

involved with this.

2:36

Mythos has shown us that all the bad

2:38

code that humans have written over the

2:40

last 50 years

2:42

can be assessed by AI and shown uh the

2:45

vulnerabilities can be shown. We tested

2:47

for 6 weeks, and in 6 weeks we found

2:50

what would have taken us 5 to 7 years.

2:52

>> Wow. Say that one more time.

2:54

>> In 6 weeks we found vulnerabilities

2:57

which would have normally taken us 5 to

2:59

7 years to find.

2:59

>> So Mythos, but these are vulnerabilities

3:01

where?

3:02

>> Sorry?

3:02

>> These are vulnerabilities in your own

3:04

code base or in your customer or in your

3:06

own code?

3:07

>> Oh, wow.

3:07

>> So Mythos was not oversold. It was

3:10

legit.

3:11

>> The capabilities of AI in being able to

3:15

assess vulnerabilities in code are real.

3:18

Not just that,

3:20

if you put it on ultra mode, which is

3:22

persistent thinking, so it keeps trying

3:23

until it gets an answer, you can

3:26

actually daisy chain vulnerabilities,

3:28

i.e., finding a new attack path into

3:30

your company into your vulnerabilities.

3:32

Now, we pride ourselves as a top

3:34

percentile of companies that test our

3:36

code because we're in cyber security

3:37

business. If you take that and compound

3:40

that across all the companies that exist

3:42

in the world that write their own code

3:43

or the 10 million developers write code,

3:45

this thing is going to find stuff which

3:48

would have taken us 10 years to find.

3:50

>> How much did it cost? Like did you track

3:52

the token cost? Was it a hundred million

3:54

dollars, ten million dollars?

3:56

>> No, it was in the low millions. But

3:58

again, you know, the cost as Sarah said,

3:59

the cost curve is going to come down.

4:01

Already OpenAI has got a model which is

4:03

cheaper and more consistent. You know,

4:05

Anthropic's come out with another model

4:07

>> you buy the hype.

4:08

>> It's not hype, it's true.

4:10

>> It's That's the point.

4:11

>> the capabilities are

4:12

>> The You know that.

4:12

>> The capabilities are true.

4:14

>> Yes.

4:15

>> I mean, you saw IBM announce a project

4:16

for five billion dollars to fix open

4:18

source. That's the biggest problem.

4:19

>> What would have happened if Claude

4:21

didn't have the restraint and they put

4:23

it out in the public? Do you think it

4:25

would have been like a real attack

4:27

vector and caused chaos in corporations?

4:30

>> we're three months away, if not already

4:32

there, from this being available in

4:37

the wild.

4:38

>> Okay, open source.

4:39

>> Yeah, just three months.

4:41

>> Yeah.

4:41

>> Yeah, cuz I mean, we've been saying that

4:43

it's roughly six months away before

4:45

mythos-level capabilities are available

4:48

in Chinese models, you know, open

4:51

models, whatever. But you're saying it

4:52

could be three months.

4:53

>> Well, look, there's what, is 4.8 is

4:55

already out, 5.5 is already out. They

4:57

have similar capabilities. And look, you

4:59

don't need to

5:01

crack the hardest code to crack. Just

5:03

need to find a few vulnerabilities in

5:05

code that are out there. Just take an

5:08

Take an old industrial system which is

5:10

running, you know, OT code on the edge.

5:12

You can find that vulnerability

5:13

reasonably easily.

5:14

>> So, so we're in a race right now between

5:17

the cyber defenders finding these

5:19

vulnerabilities and patching them before

5:22

the cyber attackers do the same thing.

5:25

>> Yes.

5:25

>> And how do you feel like we're doing in

5:28

that race?

5:29

>> So,

5:30

not as well as we should be doing, which

5:32

is great for our business, but that's a

5:33

different story.

5:34

>> [laughter]

5:35

>> So, like, every company has to go look

5:37

at their code base and figure out where

5:39

the vulnerabilities are and fix them.

5:41

So, if you talk to CIOs today, their

5:43

biggest problem is all the vendors are

5:45

showing up saying, "Please patch my

5:47

piece of boxes that hardware that you

5:49

have please patch my code that you have

5:51

because I found vulnerabilities fix it.

5:53

While the CISOs are busy finding their

5:55

own vulnerabilities to fix their own

5:56

vulnerabilities and then this huge thing

5:58

called open source which nobody knows

6:00

quite how to solve.

6:01

>> So is it is it fair to say that it as

6:03

model capabilities go up

6:05

systemic business risk of large

6:08

enterprises also goes up?

6:10

>> On the cyber side, yes.

6:12

There are antidotes being built by

6:14

people like us and others where we're

6:15

going to provide some capability where

6:16

you don't have to patch everything. But

6:18

look, cyber has done something very

6:19

interesting around harnesses, memory and

6:22

context. Right?

6:24

The part we don't talk about here is

6:26

organizations don't have memory and

6:28

context of everything they do every day.

6:31

That's why you need to store a lot more

6:32

data

6:33

enterprise-wide to learn what good looks

6:36

like and what bad looks like.

6:37

>> Right. The same problem is in

6:38

cybersecurity.

6:39

>> We need to collect We need to collect 10

6:41

times the data in the enterprise from a

6:43

cyber perspective to be able to

6:45

understand how to

6:47

defend ourselves against the AI

6:48

attackers.

6:49

>> Do you think that the traditional

6:51

companies like the SaaS businesses that

6:53

have existed

6:55

in this world, what is their place?

6:58

As all this knowledge becomes more

6:59

persistent and stored, what happens to

7:01

SaaS?

7:03

>> Well,

7:04

you see SaaS is as Bill said, SaaS is

7:06

different pieces, right?

7:07

>> Okay.

7:08

>> If you're an analytical SaaS company,

7:09

it's over.

7:11

>> It's over. What is an analytical SaaS

7:13

company?

7:13

>> Somebody that says I'm going to collect

7:15

a lot of data for you and analyze it for

7:16

you. I don't need you to analyze it for

7:18

me. I can run

7:20

models against data and analyze them

7:22

myself. So if you think about there's a

7:24

lot of every SaaS company has a

7:25

marketplace. You can buy Salesforce

7:27

marketplace. What do they say? You have

7:29

Salesforce data, I'm a marketplace app,

7:31

take me and I'll help you analyze the

7:33

data. I don't need you.

7:34

>> You don't need that.

7:35

>> I can just go run an LM against the

7:36

data. So the entire incrementality that

7:39

has been sold as incremental software

7:41

modules to all of us

7:43

doesn't need to be sold to us because

7:44

I'd much rather have LLMs running

7:46

against that.

7:46

>> Interesting you bring this up. We had an

7:48

instance with a SaaS product with 20

7:50

seats.

7:51

Nobody was logging in and using it, but

7:53

the data was there.

7:54

>> Yes. So, we created like three accounts,

7:58

got rid of 17, connected it to Slack,

8:01

connected it to Claude, and now

8:02

everybody can interface it through

8:04

natural language and we've reduced our

8:06

bill by 90%.

8:08

>> Well, not just that, what are you going

8:09

to do next? They

8:10

Jason said, you're going to take data

8:12

from different products, put them in one

8:14

place, run the analytics against that. I

8:17

want my data for my sales reps, my

8:19

productivity data, my you know,

8:21

inventory data from SAP. I want it all

8:23

in one place so I can run analytics

8:25

against it and say, "Who's selling a

8:27

lot? Where do I have less inventory?

8:29

Let's build inventory in a region where

8:30

my sales people are extremely

8:32

productive." To run that query, you'd

8:33

have to have talked to three different

8:35

SaaS products. Tomorrow, you can put all

8:37

the data in one place. So, so that's

8:39

sort of category one.

8:40

>> Analytics SaaS today. The analytics

8:42

>> Okay,

8:43

category one analytics dead.

8:45

>> Yes. In the medium term, you get all

8:47

these bounces today and tomorrow that's

8:48

these are marginally irrelevant.

8:50

Infrastructure software undervalued.

8:53

>> Okay, what is infrastructure software?

8:55

>> Stuff that gives you databases. You

8:56

collect data into it. Stuff that allows

8:58

infrastructure to work, whether it's a,

9:00

you know, database software.

9:01

>> Databricks, Snowflake, like that.

9:03

>> Databricks, Snowflake, MongoDB, Oracle,

9:06

Oracle, all these things you need

9:08

core storage infrastructure, core data.

9:10

You're going to need 10 times the data

9:11

stored in an enterprise than we have

9:13

today. Right, 3 years. 10 times.

9:15

So, anything that helps you collect

9:17

infrastructure data, manage it, you

9:19

need.

9:20

I think the category in the middle is

9:21

called, let's call it system of work

9:24

or system, you know, of record, people

9:26

call them.

9:28

Those are deeply embedded in the way

9:29

businesses work. I have 6,000 sales

9:31

people, they know how this works. What's

9:33

going to happen is step one, we will

9:35

take away UI and let agents do the work.

9:38

UI

9:39

enterprise software and consumer

9:41

software UI is the worst thing we did as

9:44

technologists.

9:45

>> You had a couple of examples of this.

9:46

You told me this story, I don't know if

9:48

you want to repeat it, of this one

9:49

company they tried to hold you hostage

9:51

on a license.

9:52

>> Yes, that was analytical SAS, so that's

9:53

over.

9:54

>> just pointed AI at it and you just

9:55

>> Yes, we just got rid of them. That's a

9:56

different issue. But, I mean, think

9:58

about it. Today, we spend our lives

10:01

having product managers design UI so all

10:03

humans can interact with data behind the

10:05

UI.

10:05

>> Yeah.

10:06

>> If all like if you believe agents are

10:08

going to work, and I say, I just tell an

10:09

agent, look, figure out from my sales

10:11

call, figure out the key points, and go

10:13

post it into

10:15

you know, whatever sales tracking system

10:17

I have, whether it's Oracle or

10:18

Salesforce, right? An agent conceptually

10:20

should be able to do it. we're

10:21

spending trillion dollars building these

10:22

agentic backends, we need these agents

10:25

to be able to do it. If that happens, UI

10:27

goes away.

10:28

If UI goes away, I can rewire my system

10:32

of work.

10:34

Right? I have sales guy should have to

10:35

say, I had the sales call, do all the

10:38

paperwork and all the that needs to

10:39

happen in the back of the company, and

10:41

just

10:41

I'm done.

10:42

>> Right.

10:43

>> If I can change the way

10:45

work happens, which is where you will

10:47

get true efficiency, where five people

10:48

become one in a company,

10:50

all these SAS software that does system

10:53

of work needs to be re-engineered for

10:54

the next five years.

10:55

>> And it's also happening passively, which

10:57

is really interesting. It's looking at

10:59

email, it's automatically taking the

11:01

Zoom transcript and summary. So, the

11:03

sales system of record is now like, you

11:05

don't even need to input it. It's like,

11:07

I already have the Zoom call notes, I

11:09

have the deck the deck was made, the

11:12

sales deck was made by AI. It's just

11:16

we're we're all going to be looking at a

11:17

chat window and just saying, here's what

11:19

I want.

11:20

>> Your audit trail becomes a lot better

11:21

because humans are not touching your

11:22

data. It's always being managed by

11:24

agents, so I think the whole system of

11:26

work, system of record, gets reinvented

11:29

in the next five years.

11:30

>> Yeah, there's no data entry. That's an

11:31

interesting point. Yeah. Let's talk

11:32

about national security for a second. I

11:34

just want to maybe zoom out. So,

11:38

the one side of Mythos, as you said, is

11:39

like the value that it has to you and to

11:41

your and to enterprises.

11:44

The red team version of Mythos is where

11:47

foreign state actors or you know, can

11:50

essentially create economic havoc inside

11:52

of a country.

11:53

>> Yes.

11:54

>> As these models escalate in their

11:55

capability, what do you think should

11:57

happen when these models are ready?

12:00

>> You know, the sad truth is, you know,

12:01

here there's a few thousand

12:03

breaches or attacks that happen.

12:06

They happen for pretty rudimentary

12:07

reasons. It's not because somebody

12:09

cracked a hard to crack thing. It

12:11

happens because 89% of attacks happen

12:13

because credentials get stolen.

12:15

>> Or your username and password.

12:16

>> That's it.

12:17

>> I bet my password is password.

12:19

>> Yeah, I'm sure it is. Did you have

12:21

dollar sign?

12:21

>> Dollar sign password.

12:22

>> Fantastic. Well done, see? You're

12:23

already ahead of everybody else. So,

12:25

89% of breaches happen because of simple

12:27

things. So, I don't think we need more

12:28

models to go crack this stuff. Now, we

12:30

will need these models can attack

12:32

critical infrastructure and things we

12:34

try and protect from a national security

12:35

perspective. Yes, we need defenses

12:37

there. I'm not worried about

12:40

the national security part being

12:41

protected because they're very on it.

12:43

They're the right people. They spend 10%

12:45

of their budgets on IT on security. I'm

12:47

worried about the small offices across

12:50

the country where they're using some

12:52

piece of packaged software and you're

12:53

running a dentist's office or doctor's

12:55

office. Remember when then Change

12:57

Healthcare got breached?

12:59

>> Every physician's office shut down.

13:01

>> Shut down and it's ransomware.

13:02

>> Because of ransomware to Change

13:03

Healthcare. That's was the clearing

13:04

system. That's when

13:06

United Health had to actually have give

13:08

billions of dollars of credits to the

13:10

physicians to be able to run their

13:11

businesses at that point in time.

13:13

>> That's what one should worry about. It's

13:14

less about

13:15

>> the big nuts will get cracked.

13:17

>> about cracking some PG&E power

13:20

generation facility. It's more economic

13:22

chaos. Yes.

13:24

And so, what what what do we do?

13:28

>> I don't think there's a sort of a silver

13:30

bullet. I think this will take time. I

13:33

think this will basically take a while

13:35

until every system gets upgraded,

13:37

renewed, fixed over time. I just think

13:39

it increase the terminal value of the

13:41

industry, right?

13:43

>> Do you think that there's a world in

13:45

which these models become so good that

13:48

you could see yourself advocating for

13:50

more nationalism around how they're

13:53

controlled and

13:54

how they're managed and how they're

13:57

where we point them? Or do you think

13:58

there should be a maybe a set of these

14:00

models that never see the light of day

14:02

that only the NSA and other folks get

14:04

have access to or guys like you?

14:05

>> I have a slightly differentiated view

14:07

about models and how they will evolve

14:09

versus what we heard earlier from an

14:11

open AI perspective.

14:13

I think

14:14

I still believe models are going to

14:16

become a utility layer.

14:18

You'll be able to buy intelligence on

14:20

the [snorts] fly.

14:22

Or you can say, "I don't need a 180 IQ

14:24

person to go do this task. Give me a 120

14:27

IQ and I need a 250 IQ to do this task.

14:29

I'll pay $10 for this or for this I'll

14:31

pay 1 cent." So, I don't know there's a

14:33

one-size-fits-all

14:35

give you the most up-to-date model to

14:37

answer my customer call saying, "Sorry,

14:38

sir. I have no idea how to solve your

14:40

problem."

14:41

So,

14:42

I think models will get differentiated

14:43

from utilitarian perspective.

14:46

Um so, if you look at already what's

14:48

happening in the market, right? The

14:50

profit pools are in applications, not in

14:52

models. More Sarah talked about Codex

14:56

running away. She didn't say

14:57

Open AI is running away. She just Codex

14:59

is running away. Just say that's the way

15:00

I'm sure Dario says Claude code is

15:02

running away. So, you're seeing that

15:03

>> They're attacking profit pools.

15:05

>> They're attacking profit pools because

15:06

that's where the money's going to come

15:07

from. The profit pools are in

15:08

applications that companies can use. The

15:10

profit pools are not in model usage by

15:12

companies because most companies have no

15:14

idea how to use the models.

15:15

>> at these companies in a way Open AI and

15:18

Anthropic as the new Microsoft Office

15:21

coming in and doing all applications,

15:24

all productivity software for

15:26

organizations.

15:27

>> No, I see there's going to be

15:28

application companies that are going to

15:30

arbitrage between models and solve your

15:32

business problem.

15:33

>> So, you still think they won't go to the

15:35

application layer? Because this is a big

15:37

debate. Should you engage with OpenAI

15:40

and train their systems to then take

15:43

your business from you?

15:45

And Anthropic keeps releasing their

15:47

legal model, their accounting model. And

15:49

it does feel like in order for them to

15:51

hit their revenue numbers, they might

15:52

need to do what Microsoft did, which is

15:55

release the Office product on top of the

15:57

operating system.

15:57

>> See, if I'm a company, I don't want to

16:00

write every piece of software myself. I

16:03

want my HR system software, which is

16:05

agentic enabled and AI enabled to be

16:08

delivered by some application company.

16:10

It'll be a new AI application company. I

16:12

want my sales management system built by

16:14

the new agentic AI sales force of the

16:17

world, whether it's sales force or

16:18

somebody else. So, I want applications.

16:20

Now, what

16:22

Sarah said is the profit pools are in

16:23

the application layer. That's why they

16:25

want to be the application layer. So, I

16:26

think we're still waiting for that layer

16:29

of companies to be invented or created

16:31

where applications will sit. Because

16:33

50,000 uh companies need the same

16:35

application. Why would I build it

16:37

myself? It's highly inefficient. It's

16:39

silly for me to use OpenAI directly and

16:41

rewrite my entire sales system because

16:43

uh I'm smart. Right? I'm not. I want

16:45

somebody to do it for me. So, I think

16:47

that layer of companies is still not

16:49

fully formed.

16:49

>> Or so, we're going to be waiting for it.

16:51

>> control plane, a harness, and then

16:52

>> That's right. They will build the

16:54

harnesses and the memory into those

16:56

application layers. Now, the question is

16:57

how big is the application layer? Is it

16:59

one application? Is it Is one, you know,

17:01

enterprise application that does

17:03

everything? Or is it specialized

17:05

application?

17:05

>> and you kicked out this software vendor,

17:08

you did it because they were being

17:09

abusive in pricing. So, that

17:10

>> use a different vendor.

17:12

>> What's that?

17:12

>> We swapped out for a different vendor.

17:13

We just took more control.

17:14

>> Love it. So, it really is a pricing

17:16

issue. And and that's why the SAS

17:18

apocalypse in some ways makes sense.

17:21

They're not having pricing power because

17:23

you could say, "Well, I'll just put 10

17:24

developers on this and I'll save $10

17:27

million." Yes.

17:28

>> I think the part back to what Chamath

17:29

said about the regulation or whether you

17:31

want to regulate these higher-powered

17:33

models, the question is at some point in

17:34

time

17:36

when these newer models, which are even

17:37

more powerful, get built, they will come

17:39

at a different price point and they

17:41

might have to go through a certain

17:42

vetting process to understand what their

17:43

capabilities are. But I think we're in a

17:45

global race.

17:47

I don't think holding back our models

17:48

for 3 to 6 months is going to help us

17:50

any. Somebody else is going to put them

17:51

out in open source.

17:53

I I was

17:54

I was shocked to hear when I was talking

17:55

to the CEO of one of these model

17:57

companies. He says, "The entire weights

17:59

of their most recent model can fit on a

18:00

USB stick."

18:02

>> Say that again. The entire weights

18:05

>> model weights of their newest model fits

18:08

on a USB stick. That's the IP.

18:12

>> Yeah.

18:12

>> That's incredible because all the data

18:13

can be distilled in under 24 to 48 hours

18:16

and model comes out.

18:18

>> I'm curious

18:18

>> That's the IP. So, are you telling me

18:21

that

18:22

you know we can hold on to that for 6

18:24

months?

18:25

>> Right.

18:26

We we have a debate about um how

18:29

difficult it is to make a frontier

18:31

model. Some companies are starting to

18:33

think about making frontier models using

18:35

their data advantage to to build their

18:38

own.

18:39

Have you thought about that at

18:40

Palo Alto because it [clears throat]

18:42

does seem like you have proprietary

18:43

knowledge on how security works. Could

18:46

you build your own large language model

18:47

or a VSML, a small language model that

18:50

would give you some advantage in the

18:52

future?

18:54

>> nobody talks about

18:56

is the false positive rates on the

18:57

models.

18:59

What is the false positive rate on 4.8

19:01

and 5.5?

19:03

>> No idea.

19:04

>> You guys don't talk about it. You

19:04

should. The false positive rate on MSO

19:07

was 30%.

19:08

>> Oh, wow.

19:10

>> Right?

19:11

>> So, it thought it found something, but

19:13

it hadn't.

19:14

>> Yes. So, the problem is

19:16

it's great for attack, it's horrible for

19:18

defense.

19:19

Cuz you find 30 times 30% of the time

19:22

you find something that says, "I found a

19:23

problem." And you say, "Let's plug the

19:24

hole." Wait, there wasn't a hole there

19:25

in the first place.

19:26

>> No missile inbound.

19:27

>> Right.

19:28

>> Yeah.

19:28

>> So, now the same problem applies in

19:30

enterprise. If you use a If you use a

19:31

model without the right harnesses, the

19:33

right training, you could be running

19:35

into 10 20% false positive rates. Let's

19:38

use the model to pay I don't know,

19:40

insurance claims.

19:41

>> Yeah.

19:42

>> Oh, great. 10% 20% false positive. I

19:44

just lost money.

19:45

>> The sycophantic nature of these is

19:47

ridiculous, yeah.

19:48

>> So, so the problem is not who wants the

19:51

newest model. The problem is how do you

19:53

take that model with 20% or 10% false

19:55

positive and make it 0.01% false

19:58

positive. In my business, I want 0%.

20:00

>> Without losing the false negative.

20:02

>> Sorry?

20:02

>> Without losing the negative, the false

20:04

negative.

20:04

>> Yes, but it's like saying, "Hey, let's

20:06

take the new self-driving car. Mercedes

20:07

is going to use Opus 4.8 and you can

20:10

just sit in the car and it's going to

20:11

drive you." I'm not putting my kids in

20:12

that car with a 10% false positive rate.

20:14

Are you?

20:16

So, there's a lot of work that happens

20:17

post a model, which needs to happen to

20:20

make this thing

20:21

useful and effective in the business

20:23

context.

20:24

>> Let me slightly pivot for a second. You

20:26

were for a very long time the chief

20:28

business officer at Google.

20:30

You were the president of SoftBank.

20:32

Now you're the CEO of Palo Alto

20:33

Networks. So, let's play armchair CEO.

20:36

>> Armchair CEO.

20:37

>> Armchair CEO.

20:37

>> I'm still I'm still bristling from David

20:39

Feiberg trying to create a distinction

20:41

between founder CEOs and non-founder

20:43

CEOs. Just saying.

20:44

>> [laughter]

20:44

>> Just saying, David.

20:45

>> By the way, false positives.

20:46

>> Sorry?

20:47

>> And false negatives, too.

20:49

Give us what you would keep, what you

20:50

would change, and what you like about

20:52

the following companies.

20:54

>> This is going to get recorded and put

20:55

out there to say that really something I

20:56

don't know.

20:57

>> thoughts. You're one of the smartest

20:58

business people

20:58

>> don't like get to live with the glory of

21:00

these all-in podcast sessions.

21:02

>> Don't

21:03

>> Okay, ready?

21:03

>> people and roasting people.

21:05

>> ready?

21:05

>> Yeah, sure.

21:06

>> Okay.

21:07

>> [laughter]

21:08

>> What you keep, what you change, what you

21:09

like, what you don't like. Uber.

21:12

In a world of a

21:13

>> it, dude. I can't talk about my

21:15

>> on the board of Uber?

21:15

>> I'm on the board of Uber. I'm not going

21:16

to talk about Uber.

21:17

>> I didn't know that. Sorry. Okay.

21:19

>> Dr. Dara, he's the CEO. He's a great

21:20

guy.

21:21

>> Okay. [laughter]

21:22

Uh Waymo.

21:23

>> You're trying to get me fired.

21:25

>> Waymo.

21:26

>> What do I like about Waymo? The cars

21:28

work. It's amazing.

21:29

They should have more.

21:31

In many more cities around the world,

21:32

faster. I I I would say that at the rate

21:34

that I'm going to be fired.

21:36

>> Google red large.

21:38

>> I think Google's underrated.

21:40

I think it's going to be the first

21:41

trillion-dollar company in our lifetime.

21:43

I think they have all the assets that

21:44

are

21:45

that are needed to make this successful.

21:46

I think people underestimate. You can be

21:48

a model company, you still need to have

21:49

a sales force that convinces customers

21:51

to go out there and embrace these models

21:53

and buy them. And if you think about it,

21:55

three hyper scalers have the biggest

21:57

number of sales people out there. So,

21:58

they should

21:59

>> of why they're a little bit undervalued

22:00

is just the conglomerate nature is hard

22:02

to understand?

22:03

>> I don't know. You guys are smarter than

22:04

I am. I'm just a hired hand CEO.

22:07

>> I didn't say that. Reeboks said that.

22:09

Let's just be clear.

22:10

>> I know. I know.

22:11

>> I was I was providing a thesis on

22:13

recovery out of the SAS pack. Let's just

22:15

say.

22:15

>> Okay. Okay. Got it.

22:16

>> Just to be clear,

22:18

there's there's a way to segment that

22:19

basket. Okay? And you're not in that

22:21

basket.

22:22

>> I thought you were making a distinction

22:23

about how people who are founders CEOs

22:26

have

22:27

uh have the right to take more risk

22:29

and are allowed to take more risk.

22:31

>> saying that.

22:32

And I think and I and I think you you

22:33

provide a unique counterpoint to that.

22:36

And and there's not a lot of people like

22:37

you. I think the same would be true of

22:38

Jeff Weiner. And I think that there's a

22:39

few other

22:42

uh really great CEOs, but they are like

22:44

Neo in the Matrix type anomalies. And I

22:47

think you're one of those people. And

22:48

there's a very rare kind of personality

22:50

profile of someone that's willing to

22:52

take risk and take ownership of

22:53

something that wasn't theirs in the

22:55

first place and they make it theirs. And

22:57

uh it's a it's a extraordinarily unique

22:59

trait. Far more unique actually than

23:01

being a scalable founder.

23:03

>> That's an incredible save.

23:04

>> You're forgiven.

23:05

>> Yeah, good save. Incredible save.

23:06

>> back to Armchair CEO.

23:07

>> Wow, that was incredible.

23:09

>> He's more sycophantic than ChatGPT.

23:11

[laughter] He's like, "Actually, I'm

23:13

actually I'm actually the best."

23:15

>> Let's go Let's go back to Armchair CEO.

23:16

>> I'm liking this. He has Open AI more

23:18

often. Yes. [laughter]

23:20

>> They do sell faster.

23:22

>> Open AI.

23:22

>> They should sell faster, right?

23:24

>> They should sell faster.

23:26

>> I mean, I I you said it. Didn't you just

23:28

say it when you were Sarah was here that

23:29

>> And Anthropic seems to have improved

23:31

their ARR much faster than Open AI.

23:33

>> I mean, that's just the statistics.

23:35

>> They kind of went all in on enterprise,

23:37

and including specifically.

23:38

>> I think I think that's like

23:40

the the conversation right now is it's a

23:43

race to take over the profit pools.

23:46

If you are going to need tens and tens

23:47

of billions of dollars every year to get

23:49

What is that? 1 gigawatt is 10 billion

23:51

of revenue.

23:51

>> to build you? What are the most

23:52

What are the most exciting profit pools

23:54

then?

23:54

>> So, what are the most exciting

23:55

>> It costs 50. So, this is not a great

23:57

deal.

23:57

>> So, what are the most exciting profit

23:59

pools then? So, we

24:00

>> You've got coding. That's been the

24:01

breakout application over the past year.

24:03

It's massive.

24:04

You've got infrastructure, like you

24:06

said, the new databases. I think

24:09

cybersecurity is clearly one of them

24:11

because of the threats and patching

24:12

cycles so much more dynamic.

24:14

>> There's There's a slight difference in

24:15

in Yes, as you can see, these models are

24:17

trying to be the the enablers of better

24:20

cybersecurity, which is good because all

24:22

of us need to use them to test. And

24:23

you're probably going to see I mean, you

24:25

you saw Anthropic is already

24:27

uh made their cyber capable model

24:31

available generally, so that everyone

24:32

can use it. And Open AI has got one. I'm

24:35

sure Google has one, too. But they

24:36

understand this is a place where CISOs

24:39

or chief security officers want to use

24:40

it to test the code. So, this is another

24:42

profit pool. Uh I think we haven't seen

24:45

the onslaught against the application

24:47

software companies yet. I mean, there's

24:49

tens and tens of billions of dollars in

24:50

application software, which is waiting

24:52

to get reinvented, as we talked about. I

24:54

think eventually you'll see these people

24:55

saying, "What if I took this 40, 50, 100

24:58

million dollar time down, I can build a

25:00

whole brand new backbone with a

25:01

generative AI, and it'd be so

25:03

differentiated that it will cause

25:05

customers to move."

25:06

>> We are seeing it as a playbook in the

25:08

accelerators

25:10

now. The year zero and year one

25:12

companies, people are coming to us with

25:13

the pitch, "This is a thousand dollar a

25:15

seat per year,

25:17

five hundred dollars a month seat SaaS

25:19

software. We can do it for less. We're

25:20

going to charge them based on

25:21

consumption. We're going to take 80, 90%

25:24

of the cost out as

25:25

>> What are the two fastest places to make

25:27

revenue?

25:27

>> The two fastest places to make revenue?

25:29

>> Yeah.

25:30

>> In enterprise a replacement apps. If you

25:32

replace something, I already have a

25:33

budget, it's easy. I take something bad,

25:36

I replace it something better,

25:37

I get money. So, replacement apps are

25:39

beautiful. If you can replace an

25:41

industry, replace the profit pool, it's

25:43

great. The second place is consumer

25:46

revenue. It's a lot easier to get five

25:48

bucks from a per user on a consumer

25:50

side.

25:50

>> Netflix.

25:51

>> So, that's where I mean, look at it. I

25:53

think we collectively probably pay more

25:55

on subscriptions per month than we ever

25:57

did historically, and you thought your

25:58

cable bill was high.

26:00

>> Yeah.

26:00

Do you think that you're going to end up

26:02

building more or less hardware in the

26:03

future if you had to guess?

26:05

>> Hardware, even today, is the cheapest

26:09

way to uh

26:13

manage low latency, high throughput

26:14

bits.

26:16

You still need a data center.

26:17

>> Yeah.

26:17

>> What's a data center doing is just

26:19

managing high throughput, low latency

26:21

bits.

26:21

>> Yeah.

26:22

>> That's why if you look financial

26:23

services is the most reluctant industry

26:26

to go to the cloud

26:28

because you increase latency.

26:29

If you increase latency, you reduce

26:31

profit. So, if you look at every of your

26:33

largest financial services company,

26:34

whether it's Goldman or JP Morgan,

26:35

Morgan Stanley, or

26:37

these guys, they're using hardware.

26:39

>> Try to get them to run their business in

26:40

the cloud, they can't because they will

26:42

have higher latency, they will lose

26:43

money.

26:44

>> Right.

26:44

>> So, hardware is still being made. I

26:46

mean, I remember when I used to advise

26:49

Silver Lake, and I had have Dell was

26:52

done. Nobody wanted hardware. I think

26:54

Dell's might be back to like a 3 400

26:56

billion dollar market cap. So, hardware

26:58

is still going to be around. We're going

26:59

to need it. It's the fastest uh way to

27:01

move it.

27:01

>> Are our hardware development cycles

27:03

changing because of AI? Like are you

27:05

seeing a lot of like generative design

27:08

stuff moving in silica that historically

27:10

was manual and long cycle?

27:12

>> Yeah, but the long pole in the tent is

27:13

their design, right? The long pole in

27:15

the tent is production. Today, you can't

27:17

get a box produced because every

27:20

every

27:21

piece of hardware componentry is back

27:24

ordered. Everything's expensive and

27:26

every factory in the world is back

27:28

ordered because we're trying to build

27:30

all these GPUs based, you know, chip

27:32

cards for every data center in the

27:33

world. So,

27:34

>> Do you think the US is equipped to fill

27:35

that supply chain need?

27:37

Can we do that here? Or do you think

27:39

we're just done?

27:40

>> 10 years.

27:41

>> With a with a with a firm top-down

27:43

commitment.

27:44

>> Well, I mean, the good news is that

27:47

I think the hardware industry

27:50

is seeing a bonanza of a lifetime.

27:52

And generally, when you see a bonanza of

27:54

a lifetime, you can go commit 10, 20,

27:55

50, 100 billion dollars. I mean, I've

27:57

seen a CEO on television committing a

27:59

100 billion dollar plan to go build more

28:01

memory.

28:02

So, that's good. That means they have

28:04

the money to go put the money in the

28:05

ground, literally, to go build these

28:07

things for the future. So, I think that

28:09

gets us more certain that the fact

28:11

>> I think the tax incentive has a big has

28:13

a lot to do with that. The accelerated

28:14

depreciation on the the CapEx. You get a

28:18

100% write-off in the first year, right?

28:20

Under the under the year.

28:21

>> Just a Just a final question as we wrap

28:23

up. You, over the last 8 years,

28:26

you've grown organically very

28:27

aggressively, but you've also been

28:28

pretty acquisitive. You'll, you know,

28:30

you'll take shots and they've generally

28:31

worked. So, you have a ton of permission

28:34

in the market.

28:35

When you hear what Bill Ackman said

28:37

about how there's this kind of

28:40

over beaten companies, there's a few

28:41

that get celebrated, that's a ripe pool

28:43

for you to pick from.

28:45

But some of that would require you to go

28:47

maybe a little horizontally far afield,

28:49

some would say.

28:51

How do you maintain the discipline or do

28:52

you see yourself at some point

28:53

considering things that are

28:55

not nearly so much right down the middle

28:57

of of cyber?

28:58

>> So, I'll tell you what. Um

28:59

until about a year and a half ago, we

29:02

used to buy product companies and throw

29:03

them into our go-to-market engine.

29:05

We could rewire their back end so they

29:07

can work better with our go-to-market

29:09

engine. So, for me, if I'm selling $10

29:11

million to a customer, next time I go to

29:13

her later if I can sell them 20, it's

29:14

the most efficient way for me to

29:16

amortize my go-to-market spend, right?

29:18

So, that was the model. We played that

29:20

we ran that playbook to north of 150

29:22

billion. Then we got to a point where it

29:24

says, "Oh, we see an inflection arriving

29:26

in identity. It's going to be important

29:27

from an agentic perspective, security

29:29

perspective." So, we bought a $25

29:30

billion company, which we closed 3

29:32

months ago.

29:34

Um

29:35

now it's actually a very different

29:37

opportunity has presented itself.

29:39

And the different opportunity sort of

29:40

goes like this. If you can be the best

29:43

at leveraging AI to run the most

29:46

efficient enterprise business in the

29:47

world,

29:48

your operating margin can be far in

29:50

excess of the industry.

29:52

And if you can if you can crack that

29:53

code

29:54

>> Gross and net, you're saying? Gross in

29:55

the 90s, net in the 40s.

29:56

>> Yeah, if you can crack that code, then

29:58

it doesn't matter what you buy.

30:00

>> Yeah.

30:00

>> I think the problem right now is the

30:02

execution problem. Most subscale

30:03

companies cannot afford to go optimize

30:07

their company and run it better.

30:09

So, if we can run our company much

30:11

better than everybody else and have a

30:12

higher operating margin, then the street

30:14

will say, "Fine." If you take something

30:15

at a 20% margin, make it a

30:17

>> Your first M&A was really tough, no?

30:19

Like they were pretty skeptical and then

30:21

you kind of shoved it in their face.

30:22

>> pretty skeptical when they found a guy

30:23

who didn't know cybersecurity, didn't

30:25

know enterprise show up, who worked at

30:26

Google, and their you know, the track

30:27

record of people leaving Google and

30:29

being successful out of Google is still

30:31

>> Yeah.

30:32

>> varied.

30:33

>> So, basically you're saying the menu's

30:34

open. And

30:35

>> I I think we need the next 6 to 12

30:37

months to figure out how this AI settles

30:39

down and how can we use that effectively

30:41

in enterprises? I think if you think

30:43

about it, uh you know, the

30:46

the the people keep hoping that less

30:48

people we need to run companies. I

30:50

actually have a counter view. I think

30:51

we're going to have more people at Palo

30:53

Alto on the technology side than we've

30:54

ever had before because I think AI is

30:56

causing

30:57

everything to ask for a transformation.

30:59

So, I have more technical people today

31:01

than I would have had if AI didn't

31:02

exist.

31:04

>> Ladies and gentlemen, CEO Palo Alto

31:06

Networks, Nikesh Arora.

31:07

>> Thank you, guys.

31:08

>> [applause]

31:09

[music]

31:11

>> Thank you, sir.

Interactive Summary

Nikesh Arora, CEO of Palo Alto Networks, joins the All-In podcast to discuss the transformative impact of AI on business operations, cybersecurity, and the software industry. He highlights how AI acts as an 'intelligence democratizer,' enabling significant improvements in productivity and coding security. Arora argues that while traditional analytical SaaS models are facing obsolescence, infrastructure software is gaining value. He also discusses the challenges of AI-driven cyber threats, the importance of addressing false positives in automated systems, and his strategic vision for Palo Alto Networks in this evolving landscape.

Suggested questions

3 ready-made prompts