Greetings and welcome to Varonis Systems Inc. third quarter 2023 earnings conference call

Tim Perz -- Director, Investor Relations

Thank you, operator. Good afternoon. Thank you for joining us today to review Varonis' third quarter 2023 financial results. With me on the call today are Yaki Faitelson, chief executive officer; and Guy Melamed, chief financial officer and chief operating officer of Varonis.

After preliminary remarks, we will open the call to a question-and-answer session. During this call, we may make statements related to our business that would be considered forward-looking statements under federal securities laws, including projections of future operating results for our fourth quarter and full year ending December 31, 2023. Due to a number of factors, actual results may differ materially from those set forth in such statements. These factors are set forth in the earnings press release that we issued today under the section captioned Forward-looking Statements, and these and other important risk factors are described more fully in our reports filed with the Securities and Exchange Commission.

We encourage all investors to read our SEC filings. These statements reflect our views only as of today and should not be relied upon as representing our views as of any subsequent date. Varonis expressly disclaims any obligation or undertaking to release publicly any updates or revisions to any forward-looking statements made herein. Additionally, non-GAAP financial measures will be discussed on this conference call.

Additionally, non-GAAP financial measures will be discussed on this conference call. A reconciliation for the most directly comparable GAAP financial measures is also available in our third quarter 2023 earnings press release and investor presentation, which can be found at www.varonis.com in the investor relations section. Lastly, please note that a webcast of today's call is available on our website in the investor relations section. With that, I'd like to turn the call over to our chief executive officer, Yaki Faitelson.

Yaki Faitelson -- Chief Executive Officer

Thanks, Tim, and good afternoon, everyone. Thank you for joining us today. Let me start by saying our thoughts are with the employees, customers, partners, and all of those impacted by the recent events in Israel. We will continue to do whatever it takes to support our employees.

Today, I would like to review our Q3 results and discuss how AI can serve as a meaningful tailwind to our business in the years to come. But first, I would like to remind you why Varonis exists and the problems we solve. Data is the prime target for bad actors because of its importance to a business. Data is also out of control.

The explosion of the cloud and remote work has improved collaboration but has also made securing data more difficult. Varonis helps companies locate sensitive data, visualize who has access to it, and automatically lock it down. This allows companies to collaborate safely and get value from their data while managing risk, and AI will only make this an even greater priority. Our third quarter results reflect the continued healthy adoption of Varonis SaaS.

We saw further evidence that our transition to a SaaS business model is working, and SaaS ARR now represent approximately 15% of total company ARR. Third quarter SaaS mix came in at 59%, comfortably ahead of our guidance of 45%. ARR grew 16% year over year to $517.5 million, and we have generated $46 million of free cash flow year to date, up from 800,000 to the same period last year. Guy will review our Q3 results and our updated guidance in more detail.

From a macro standpoint, we continue to see higher level of deal scrutiny and longer sales cycle this quarter but remain encouraged by the progress of our SaaS transition against these headwinds. Now, I would like to spend some time on how AI present a meaningful opportunity for Varonis. In my conversations with customers and prospects, AI comes up more and more, and my key takeaway for Varonis is that the growth of AI has the potential to generate significantly more data, significantly more risk, and significantly increase the need for data security. Stepping back, generative AI present both opportunity and risk for companies.

It has an opportunity to boost productivity and efficiency. But in order to safely realize these benefits, there are security risks that businesses must mitigate first. These risks present opportunities for companies like Varonis. The first risk is related to what I call self-inflicted risk, which happens when businesses start using AI to suggest content to employees.

Unless data is locked down, there is little to prevent AI from analyzing the company entire data estate and revealing critical business assets like customer lists, payroll files, or bank account information to the wrong people. Microsoft recommends mitigating this risk by securing sensitive data before deploying Copilot, which is the company's AI assistant, and specifically recommends having the right information, access controls, and policies in place. This is precisely what Varonis does. Without Varonis, rightsizing access control is very challenging.

Managing access controls only gets harder over time if we data spoil, and AI will surely contribute further to this problem. Without the right controls in place, AI doesn't know who should see what and surface everything for everyone. This becomes a huge risk for organizations and bad actors who won't even need to search for content they want to steal. AI will help them to find it automatically.

AI will also increase the risk that companies face from external attackers. A few examples of this include helping bad actors create and translate phishing emails so they can use them in many languages, creating fake data sets in order to trick companies into paying ransoms, and creating malware. Unfortunately, the use of AI will continue to lower the barriers to entry for hacking. Varonis helps organizations mitigate this risk by ensuring that only the right people have access to the information that they need to do their job.

Varonis can help organizations ensure that employees only seek content suggestions that are relevant to their job function. If a bad actor bypass perimeter controls, Varonis can lock out the compromised users or machine, preventing damage from happening. Although it is early and we are still quantifying timing and sizing, we see AI becoming a growth tailwind to our business as it gains momentum and has detailed plan to execute it. Apart from demand opportunity that we see arising from security risk related to AI, we are also leveraging this technology in new ways to improve our customer experience.

Varonis has been using machine learning and AI for many years in our analysis engine and threat model, for example. And today, we are announcing two exciting generative AI capabilities in our SaaS data security platform: AI system security operations center, or what we call SOC; and natural language search. Although we do not plan to sell AI as a separate SKU, our AI system SOC will provide security analysts with an intelligent AI assistant, specialized in performing investigations, remediating threats, and proactively hardening environments. Our SaaS platform can analyze alerts and provide context and next steps to help analysts more efficiently resolve security incidents.

With natural language search, AI makes every Varonis user a power user. Anyone from the help desk to CSO can use natural language to get fast and accurate answers to questions such as do we have any files containing passwords that are exposed to everyone on the internet or what user has been accessing our payroll files. Today, newly introduced generative AI features build upon the Varonis SaaS benefits that we have discussed with you over the past year and will further reduce the time to value for our customers and improve their experience with Varonis. I would like to spend a moment to remind you of the three key benefits our SaaS platform provides our customers.

First, customers are much better protected with much less effort with the automated remediation and Proactive Incident Response. Second, SaaS is quicker to deploy and has significantly lower infrastructure costs. And third, SaaS is easier to maintain and upgrade. Three of the key benefits that we realize are, one, shorter sales cycle; two, larger initial lands; and three, margin benefits over time.

This quarter, we continued to see additional proof points of these benefits. A large state government organization became a Varonis SaaS customer this quarter. We first gained a department of this state as a customer in 2022. Over the past year, we had very successful deployment with the department that allowed us to build credibility and ultimately win the board of state government mandate.

For this organization, SaaS was a must-have because their security team is stretched thin. Now, they will benefit from quicker time to value, faster deployment, and most importantly, they will be better protected with our Proactive Incident Response team and automated remediation for Windows on-prem and Microsoft 365. We also continue to see healthy interest from existing self-hosted customers who converted to SaaS this quarter. One example was a multinational financial institution that first became a customer in 2020.

Given their large volume of sensitive customer data, they needed to make sure that information was locked down. They originally purchased four on-prem subscription licenses to protect their on-prem Windows environment. This organization's success protecting on-prem Windows drove a desire to consume all of the platform by going both wider and deeper. Varonis SaaS will now help them shrink their blast radius in this -- in the cloud, just as they did on-prem.

Proactive Incident Response will supplement those threat detection capabilities, and Varonis SaaS eliminates the need for these customers to manage their own hardware, which will improve their scalability. They converted their on-prem Windows licenses into a SaaS-equivalent package, and they purchased an additional SaaS package for Microsoft 365, widening their coverage. The sustained momentum that we saw from our SaaS transition this quarter, coupled with a faster pace of innovation, gets us closer to achieving our $1 billion ARR target and delivering meaningful stakeholder value. With that, let me turn the call over to Guy.

Guy.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

Thanks, Yaki. Good afternoon, everyone. Thank you for joining us today. It goes without saying that the health and safety of our employees is of paramount importance to us, and we will continue to do whatever it takes to support them.

Before I discuss results, I want to briefly comment on the impact of the war in Israel on our operations. From a top-line perspective, Israel has historically represented less than 1% of our business. We have approximately a third of our employees located in Israel, which includes our principal research and development facility, as well as a portion of our support and general and administrative team. At this time, a low single-digit percentage of our global team members have been called up to active duty.

We have executed business contingency plans to minimize the impact on our business. And at this time, we don't expect a material impact on our global operations. With that, I'd like to turn to Q3 results. We are pleased with the continued strong adoption of Varonis SaaS against continued macro headwinds.

Our SaaS transition continues to gain momentum, and this quarter provided additional proof of the numerous benefits to our customers, as well as the tailwind to our ARR and cash flow performance. As a reminder, ARR, free cash flow, and ARR contribution margin are the leading indicators for our business during this transition. The shift from on-prem subscription licenses, where approximately 80% of the deal's value is recognized upfront, to a SaaS model with fully ratable revenue recognition will cause initial headwinds on the traditional income statement metrics as the SaaS mix and conversions of existing customers to SaaS increase. And this quarter's impact was meaningful as the number of existing customers converting to SaaS again increased.

However, these headwinds are a function of accounting treatment and are not indicative of the health of our business. In fact, the greater these accounting-related headwinds are, the better it is for our business as it means the transition is progressing at a faster pace. Our third quarter SaaS mix represented 59% of new business and net new upsell ARR versus our guidance of 45%. And after only three quarters into the transition, SaaS now represents approximately 15% of the company's total ARR.

The average deal sizes realized in Q3 continue to provide us with confidence in the 25% to 30% pricing uplift and margin structure that we previously provided. In the third quarter, a significant amount of SaaS deals were sold to new customers. We again saw an increase in existing customers converting to our SaaS offering. In the third quarter, we had approximately $10 million in conversions of existing customers, impacting our Q3 revenue.

To be clear, this is the renewal amount that was previously booked as an on-prem subscription that is now SaaS, which causes a headwind to our reported revenue and operating margin but does not impact ARR or free cash flow. The $10 million from this quarter does not include the uplift that we realized from these conversions, which is accretive to ARR and free cash flow. As we look to our revenue guidance for the fourth quarter, we're now assuming that approximately $12 million of existing customers' renewals will convert to SaaS in Q4, which is up from $10 million previously. In the third quarter, ARR grew 16% year over year to $517.5 million.

Year to date, we generated $46 million of free cash flow, which was up from $0.8 million over the same period last year, reflecting the inherent leverage in our model, as well as our commitment to balancing top-line growth with improving cash flow generation. In Q3, we continued to see a macro environment that was similar to the first half of the year. We're still seeing deal scrutiny and longer sales cycles across the board, which is impacting customer purchasing patterns and is constraining our near-term results. We expect these longer deal cycles to continue, along with the associated budgetary scrutiny, and our updated guidance takes this into consideration.

Turning now to our third quarter results in more detail. Before I get into the numbers, let me remind you of what we've said for a while now. ARR, free cash flow, and ARR contribution margin are the leading indicators for this transition. We take our commitments to the Street seriously, and our revenue guidance is based on a combination of our expected SaaS mix and existing customer conversion.

As we said previously, the faster we progress throughout the transition, the more headwinds we will experience to our traditional income statement metrics. We view these headwinds in a positive light as they show our customers are adopting our SaaS solution more rapidly. Q3 total revenues were $122.3 million, down 1% year over year. During the quarter, as compared to the same quarter last year, we had approximately a 12% headwind to our year-over-year revenue growth rate as a result of having increased SaaS sales in our booking mix, which are recognized ratably versus the upfront recognition of our on-prem subscription products.

Subscription revenues were 97.7 million, and maintenance and services revenues were $24.6 million as our renewal rates were, again, over 90%. Moving down the income statement, I'll be discussing non-GAAP results going forward. Gross profit for the third quarter was $106.7 million, representing a gross margin of 87.3%, compared to 88.3% in the third quarter of 2022, despite significant revenue headwinds, which were largely offset by greater efficiencies on our SaaS platform than we initially expected. Operating expenses in the third quarter totaled $101.9 million.

As a result, third quarter operating income was 4.9 million or an operating margin of 4%. This compares to operating income of $9.8 million or an operating margin of 7.9% in the same period last year. During the quarter, as compared to the same quarter last year, we had approximately an 11% headwind to our operating margin as a result of having increased SaaS sales in our booking mix, which are recognized fully ratable versus the upfront recognition of our on-prem subscription products. Third quarter ARR contribution margin was 11.1%, up from 3.6% last year.

The significant leverage improvement, even during the early stages of the transition, reflects our ability to drive strong incremental margins while growing ARR and transitioning to SaaS. During the quarter, we had financial income of approximately $8 million, driven primarily by interest income on our cash deposits and investments in marketable securities. Net income for the third quarter of 2023 was $10.4 million, or $0.08 per diluted share, compared to a net income of $6.7 million, or net income of $0.05 per diluted share for the third quarter of 2022. This is based on 126.7 million diluted shares outstanding and 126.9 million diluted shares outstanding for Q3 2023 and Q3 2022, respectively.

As of September 30, 2023, we had $731.5 million in cash, cash equivalents, short-term deposits, and marketable securities. For the nine months ended September 30, 2023, we generated $49 million of cash from operations, compared to $8.4 million generated in the same period last year; and capex was 2.9 million, compared to $7.6 million last year. During the third quarter, we repurchased 1.2 million shares at an average purchase price of $30.10, which completed our intended share repurchases. Over the course of the program, we repurchased approximately 4.4 million shares at an average purchase price of $22.64 for a total consideration of approximately $100 million.

Turning to our guidance in more detail. We're raising our full year SaaS mix of new business and upsell ARR guidance to 55%, up from 50% previously, and we expect Q4 SaaS mix to be 60%. We continue to take a prudent approach in building our SaaS mix outlook as the dollar value of deals we expect to close in the fourth quarter is the largest of the year, which is in line with historical trends. In Q4, we're assuming that $12 million of renewals will convert to SaaS, which will serve as a headwind to revenue.

Conversions to SaaS before considering any uplifted deal sizes do not impact ARR. Our guidance continues to factor in the same level of macro headwinds that we've discussed at length in the past. Now, turning to our guidance. For the fourth quarter of 2023, we expect total revenues of $115 million to $154 million, representing growth of 5% to 8%; non-GAAP operating income of $25 million to $27 million; and non-GAAP net income per diluted share in the range of $0.22 to $0.24.

This assumes 126.1 million diluted shares outstanding. For the full year 2023, we now expect ARR of $535 million to $539 million, representing growth of 15% to 16%; free cash flow of $40 million to $45 million, which includes $8 million to $10 million of headwind related to the TCJA capitalization of R&D provisions; total revenues of $495 million to $499 million, representing growth of 5%; non-GAAP operating income of $26.5 million to $28.5 million; non-GAAP net income per diluted share in the range of $0.31 to $0.33. This assumes 126.6 million diluted shares outstanding. In summary, we continue to see solid demand for both new and existing customers who wish to consume Varonis through our SaaS platform.

As a result, our transition continues to move quickly, and approximately 15% of our total ARR is now coming from SaaS. This is benefiting our ARR performance and cash flow generation, which positions us for a strong fourth quarter. With that, we would be happy to take questions. Operator.

Thank you. Ladies and gentlemen, at this time, we'll be conducting a question-and-answer session. [Operator instructions] Our first question comes from the line of Saket Kalia with Barclays. Please proceed with your question.

Saket Kalia -- Barclays -- Analyst

OK. Great. Hey, guys. Thanks for taking my question here and just want to send our thoughts to the Varonis team and their families in Israel.

Yaki Faitelson -- Chief Executive Officer

Thank you.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

Thank you.

Saket Kalia -- Barclays -- Analyst

Absolutely. You know, if I stick to one question, maybe I'll make it here -- for you here, Yaki. You know, it just seems like great traction on SaaS. For those customers that are moving to your SaaS tools, what are you seeing on there on usage of the different modules? Are you seeing any change in usage now that the tools are arguably easier to deploy and use?

Yaki Faitelson -- Chief Executive Officer

No. So, we see this dramatic change. We see what we call the robotic value proposition. And it's -- the North Star was always what we call 10% of the effort over the magnitude, more value.

And this works according to plan. We can measure everything, from installation to update to remediation, our ability to reduce threats. And the other thing, we also build the ability of our people, IR, professional services to support the customer with much more ease. We can provide a lot of the value of the platform with the customer almost doing nothing, you know, just very, very little in helping them in terms of configuration.

So, just completely different value proposition. We're literally unleashing robots to solve the problem.

Saket Kalia -- Barclays -- Analyst

Got it. Very helpful. I'll get back in queue. Thank you.

Our next question comes from the line of Hamza Fodderwala with Morgan Stanley. Please proceed with your question.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Hey. Good evening. Thank you for taking my question. Yaki, I wanted to dig in a little bit more about your commentary around generative AI.

I think a lot of the CIOs and CSOs that we're talking to more recently are talking about our data security and governance is a big hurdle to deploying these large language models. And I'm curious, to what extent are you starting to have conversations with customers on how they can deploy these generative AI models in a way that can prevent things like data leakage or poisoning from occurring?

Yaki Faitelson -- Chief Executive Officer

I think that it's going to be a complete game-changer. The reality is that we still haven't seen it completely, but, you know, just the initial release of stuff like Copilot for business, I think essentially what it does. It's mining all the data that people can access. And this is not me saying, but Microsoft was saying that 90% of the access controls are excessive.

You don't need them. So, you have these tools that are leveraging large language models that's going in mining massive amount of data, creating in tremendous rate high-value information products that are completely out of policy. So, now, think about it, if I take your credentials and 90% of the data you can access is not relevant for you and you have these AI tools that are extremely sophisticated that's creating this highly valuable data, I just think that, very soon, what you will see is that organizations understand that they need to make sure that they have access control and data auditing and classification in place in order to make sure they can realize productivity gains and avoid disaster. So, this is something that we're starting to see that customers are talking about it.

You know, that all the customers are talking about it. And I really believe that the onus is the foundation to make sure that you can -- that you will be able to use these AI-based products.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Thank you.

Our next question comes from the line of Matt Hedberg with RBC Capital. Please proceed with your question.

Matt Hedberg -- RBC Capital Markets -- Analyst

Well, thanks, guys. Congrats on the results, and we send our thoughts and prayers to all the Varonis employees around the globe and in Israel. Yaki, maybe as a follow-up to Hamza's question, I think in the prepared remarks you said you don't expect to sell a separate gen AI SKU at this point. I'm curious, could that change in the future? And then maybe secondarily, as you're having these initial conversations with customers, how do you think it could impact deal sizes longer term?

Yaki Faitelson -- Chief Executive Officer

So, yeah, it's a -- definitely, it can change. If you think what we are doing with our AI, one thing is that you can use the product with just natural language use. It means that you don't need to learn syntax, which is tremendous. The second thing, you know, we really -- if you look at the metadata that we are collecting, we are the only company in the world that has this metadata, what we called data-oriented detection and response.

And you can take a regular IT person and he has now have the assistant to be world-class threat detection person. But with time, maybe we will monetize it. But it's -- for us, the best way to monetize it is to sell the platform. And this is really answering your -- the other part of your question, initial deals is great.

But I really think that the way that we can grow ARR within our customer base, I think that it's significant, and what we are seeing now is just the tip of the iceberg. You know, we're starting to have stability in the overall transition to completely different usage, able to leverage the unique data that we have, to have AI being the foundation for, really, the digital world to make sure that it can be prepared and benefit AI in a secure way, and then we'll decide if we are going to monetize this model. But at this point, we want to make sure that we have so much to sell to our customers, that it will be very easy for them to use it and to gain value.

Matt Hedberg -- RBC Capital Markets -- Analyst

Thanks, Yaki.

Our next question comes from the line of Brian Essex with J.P. Morgan. Please proceed with your question.

Brian Essex -- JPMorgan Chase and Company -- Analyst

Hi. Good afternoon. Thank you for taking the question, and our thoughts are with you and your families in Israel as well. Just wanted to dig in a little bit toward, maybe for Yaki, what you're seeing in the pipeline, particularly with regard to previous commentary reflecting elongated sales cycles and the impact of deals in flight as you -- or as those customers assess moving the SaaS instead of term.

Maybe if you can help us understand the impact in the quarter and then how much visibility into the pipeline? What was growth like and how much confidence that gives you into your ability to execute in the last quarter of the year here?

Yaki Faitelson -- Chief Executive Officer

So, we see a very healthy pipeline across the board. And the other thing that we're starting to see is that organizations understand that data protection is inevitable. It's actually your first frontier and your last resort. If you don't protect data wherever you will, it will never be protected.

And if everything else that you are doing will fail, it's the only thing that will save you. And I also think that many organizations didn't attack it head-on because it was hard to do. And with the robotic value proposition that we are building, they understand that they can do it. And if you look at, really, enterprise projects, they can gain immediate time to value and ongoing value in a completely automated way.

So, I just think that what -- I'm spending a lot of time with the customers these days, and I definitely see that people understand that they need a sophisticated data security platform and the only way that they can do it is automation. And we are very well positioned to take these budgets.

Brian Essex -- JPMorgan Chase and Company -- Analyst

Got it.

Our next question comes from the line of Joel Fishbein with Truist. Please proceed with your question.

Joel Fishbein -- Truist Securities -- Analyst

Thanks for taking my question, and I'm -- also, thoughts and prayers with all of you. I wanted to just follow up on these new SEC reporting rules and if you are seeing it, your customers are starting to ask questions about them? And also, is that a potential driver to your pipeline and new business?

Yaki Faitelson -- Chief Executive Officer

It's definitely a potential driver, but what we see all around is that people understand that they need to protect data. I think that in the last few years, organizations spend a fortune on security, and a lot of them get, you know, not such great return on investment. You have a lot of security around the perimeter. And at the end of the day, if you will dissect, the most breaches or they are happening from an insider that is a user or someone stole a credential and acting like a user and really inflicting the damage on the data stores.

Attacks can come from anywhere in any device, but only going in one direction, and it's the data that essentially, you know, the most valuable assets that most organizations have and the most vulnerable one. So, the SEC regulation is just another one, just inevitable. You want to have cyber security, you need to protect data. So, this is really where we are and what we see.

And definitely, every regulation is helping.

Joel Fishbein -- Truist Securities -- Analyst

Thank you.

Our next question comes from the line of Roger Boyd with UBS. Please proceed with your question.

Roger Boyd -- UBS -- Analyst

Great. Thanks for taking the question and congrats on another very strong quarter of SaaS adoption. I don't think investors should be too surprised to see Varonis outperforming on a transition timeline, but just given the success you're seeing with SaaS and the meaningful outperformance on mix expectations and conversions, any update to how you're thinking about the timing of phase 2 of the transition and why not lean further into a more active plan to convert existing customers? Thanks.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

So, I think that question can be broken into two. One is the overall timeline, and the second part is phase 2. When we think about kind of the overall timeline, I think with a 5% SaaS increase versus last quarter, you know, when you think about that math and kind of the way it extrapolates going forward, it definitely makes sense to reconsider our timeline, and that's something that we talked about last quarter, that we would revisit our guidance for that at year-end, and we plan to do that. I think, overall, when you think about the transition, it's moving very fast.

We're very happy to have 15% of our ARR coming from SaaS in just three quarters. That's -- it's happening fast because our customers and our sales force are adopting it very, very positively. So, we definitely look forward to providing more color on that part in our nextearnings call In terms of phase 2, when you think about kind of the conversion of the installed base, and that's how we define phase 2, it hasn't begun yet, but we are increasing the number that we expect in terms of conversion in Q4 to 12 million.

And that's going up from 10 million that we guided last quarter. And when you think about the Q3 number, we actually came in at 10 million, which is a really high number as you think about it and it's very positive, but still a very small percentage of our existing customer base. So, as much as we're seeing very strong adoption that's happening in a natural way, we haven't prioritized it yet, but we plan to do that next year. So, I think, overall, as we look at the progression of the transition, it's been really positive, and we hope to continue to move in that pace going forward.

Roger Boyd -- UBS -- Analyst

Thanks, Guy.

Our next question comes from the line of Andrew Nowinski with Wells Fargo. Please proceed with your question.

Andy Nowinski -- Wells Fargo Securities -- Analyst

OK. Thank you for taking the question. I think, last quarter, your guidance was for SaaS to account for about 45% of that new and upsell business because of the expected contribution from the U.S. federal deals.

So, I guess, given how much higher SaaS was relative to your guidance this quarter, is it fair to assume that the fed demand was not as strong as you expected? And if so, what happened to those deals? Thanks.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

So, the growth driver this quarter was overall the enterprise business. And when you look at the 59%, it was driven by the enterprise business. It's a strong reflection of how customers in the enterprise business are adopting SaaS. When you look at the federal industry as a whole, we definitely see the opportunity there, but it's still small, mid-single-digit percentages out of ARR.

But when we look at the opportunity, we feel very confident about our ability to grow there.

Our next question comes from the line of Fatima Boolani with Citi. Please proceed with your question.

Fatima Boolani -- Citi -- Analyst

Good afternoon. Thanks for taking my questions, and our prayers are with you and the entire employee base in the conflict zone. Yaki, a question for you, a bigger picture one, actually. You know, we've been hearing a lot about data protection, data security posture management, and sort of all these new monikers that are coming up, as well as more traditional backup and recovery vendors on the infrastructure side talk a lot about the importance of data protection and data recovery.

I wanted to get your perspective on how you are interfacing with buyers as buying psychology changes around data protection. And I wanted to get your sense of how those conversations are changing for you, if at all, and if these sort of "changes" in the competitive landscape are benefiting you in a way in providing a spotlight to what you've been saying all along with respect to the importance of data protection?

Yaki Faitelson -- Chief Executive Officer

I think that we just don't see the backup and business continuity in data protection, we are much more on data security. And -- but it's just people understand that they need to protect valuable data. Regarding posture management and all of this stuff, I think that organizations understand very well that -- you know, this is the first time that we are benefiting from other people doing marketing. And in order to solve the problem, you really need these three use cases and you need the metadata, and it's something that is very hard to do.

And everything really -- eventually, in order to solve the problem, you need to be under one umbrella of a data security platform. If you think, with most breaches, people are doing this lateral movement between data stores, and you need to enrich the data. So, we definitely see that the marketplace understand that they need one big platform, you need to be able to classify in one place, and then all repository to do it at scale, to have the profile of how people and identities are using data, and to be able to do remediation in a very reliable automated way. So, we definitely see that everything that is happening in the ecosystem benefiting us, and we are, you know, very excited to have a tailwind from the marketing that other vendors do.

Our next question comes from the line of Chad Bennett with Craig-Hallum. Please proceed with your question.

Chad Bennett -- Craig-Hallum Capital Group -- Analyst

Great. Thanks for taking my question. So, just on -- I know it's early, but just in terms of kind of the type of customer converting from on-prem subscription to SaaS, I think you've talked before about that 25% to 30% uplift. But -- and I think you gave a couple of examples on the call already.

But is there any commonality in terms of where the on-prem subscription customer is in their license journey when they're converting? And, you know, is there -- are you seeing significant cross-sell, upsell on that conversion from a license standpoint, or is the hope, obviously like a lot of conversion stories, that once you get them to SaaS, you know, like-for-like product that that whole cross-sell, upsell just becomes easier and kind of accelerated.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

I think that's a very good question. And when you -- well, I'll start by saying that the SaaS offering is so much better for our customers that it's a no-brainer for them. And we're seeing that with the amount of conversions that are happening in a natural way. When conversions happen, we can get an uplift in the number of licenses that they buy because we're selling the platform, they don't have the opportunity to buy individual licenses.

We can get an uplift in the fact that the number of users goes up, and we can get an uplift in their ability to consume more of the product. It really depends on the situation of the customer, where they are in terms of their renewal, whether they want to just speed it up and -- or wait for the actual renewal date to come to place. So, it's very individual. But at the end of the day, once we get them to the SaaS offering, their ability to see value and the simplicity of the usage of the product gives us a tremendous opportunity to continue to sell them more and more licenses.

So, I would say there's no one straight answer on how it happens, but at the end of the day, it just works in our favor to get them to SaaS with good confidence in our pricing methodology as we see it so far.

Our next question comes from the line of Rob Owens with Piper Sandler. Please proceed with your question.

Rob Owens -- Piper Sandler -- Analyst

Great. Thank you for taking my question. Was curious if you could comment on just what the channel response has been regarding the move to SaaS and are you getting the breadth of channel participation that you would hope in new transactions? Thanks.

Yaki Faitelson -- Chief Executive Officer

Yeah. You know, it's -- the channel reaction is usually, you know, just in direct correlation to the customer reaction. So, definitely, they understand that it's just much easier to sell, and, you know, it requires significantly less professional services, and this is something that they will need to adapt to. You know, we just see the whole thing of this platform is tremendous automation, but we're definitely getting a lot of help with the channel to take this platform to market.

Our next question comes from the line of Jason Ader with William Blair. Please proceed with your question.

Jason Ader -- William Blair and Company -- Analyst

Yeah. Hi, guys. I wanted to ask you on, first, the -- first a clarification. You said a 12% headwind to revenue growth in Q3.

I believe that's 12 percentage points, correct?

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

Correct.

Jason Ader -- William Blair and Company -- Analyst

OK. And then just on the -- kind of following up on the channel question, can you remind us how you go to market? How much is direct? How much is indirect? And then where are you seeing the most success right now in terms of finding new customers?

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

So, we sell 100% through channel, but our outside sales force really does all of the heavy lifting of doing the risk assessment, talking to the customers, explaining where the risks are. So, the channel helps us in getting the meeting and they help us in closing the deal, but all the hard work in between is done by our outside sales force. When we look at the opportunity with our SaaS offering, it opens up new markets, it opens up new territories, it opens up new industries. So, basically, new customer opportunities that we didn't have before.

And all of the reception that we have to date received on the SaaS offering has been positive. And we expect that to continue as we kind of really went through the toughest part of the transition, kind of clearing through the pipeline, and now introducing every new customer with a quote that is SaaS-only and not really on-prem subscription, as we had in the past. So, I think, overall, we're very well positioned to take advantage of that opportunity going forward.

Our next question comes from the line of Joseph Gallo with Jefferies. Please proceed with your question.

Joe Gallo -- Jefferies -- Analyst

Hey, guys. Thanks for the question and appreciate the AI commentary. You guys have a large M365 footprint. Can you just give us an updated size and growth profile of that business? And then maybe just to be clear, given the rollout of Copilot this week, does your existing solution capture that opportunity now or is it more just that you guys are perfectly positioned to capture that opportunity long term? Thanks.

Yaki Faitelson -- Chief Executive Officer

Regarding the product, in terms of the -- to preparing an organization for AI, it's already here. So, it's just the basic robotic value proposition, understand what data is critical, make sure that only the right people can access the right data, alerting and stop any abnormal behavior. It's the basics. Without it, you can't use it in a secure way.

And this is 100% us.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

And just to touch on the first part of the question, when we look at the Office 365 contributions, it's definitely become a significant tailwind for us going forward. But if you go back to our Investor Day in March, we actually showed in one of the slides there that our penetration within the overall 365 opportunity was -- at the time in March, it was 1%. It hasn't grown too much since then. So, when you think about the opportunity going forward, there's so much for us to capitalize on, and we see the reception of our customers as very positive when we sell that license.

Our next question comes from the line of Rudy Kessinger with D.A. Davidson. Please proceed with your question.

Rudy Kessinger -- D.A. Davidson -- Analyst

Hey. Great. Thanks for taking my question. Guy, what was SaaS as a percentage of the mix if you exclude federal in Q3, and then just how much higher is federal as a percentage of new and upsell ARR in Q3 relative to Q4 and the other quarters?

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

So, like I said before, the actual driver this quarter was the enterprise business, and that's really what drove the 59%. To remind you, we're not FedRAMP certified yet. So, we didn't have SaaS sales that were sold under the federal business. But we do expect to have FedRAMP for next year's cycle, which can become a significant opportunity for us.

And when you think at the overall opportunity from a new business and an upsell in that market, we fit like a glove to that type of use case. The amount of malicious actors that have happened only in the last couple of months has been tremendous, and our product fits there very, very nicely, and we feel that we can capitalize on that opportunity and grow our ARR coming from that industry going forward.

Our next question comes from the line of Joshua Tilton with Wolfe Research. Please proceed with your question.

Josh Tilton -- Wolfe Research -- Analyst

Hey, guys. Thanks for sneaking me in, and I'll just say my thoughts and prayers are with your employees and just all the people of Israel. I'm actually going to sneak in two and a half questions really quickly. My first question is just how should we think about the implied Q4 net new ARR seasonality and are the macro impacts baked into 4Q worse than they were a quarter ago? And on the AI front, which is my second question, why won't Microsoft offer these capabilities? And if so, do you expect this to bring you into more competition with them going forward?

Yaki Faitelson -- Chief Executive Officer

So, in terms of Microsoft, you know, we are the only truly company in the world today that taking the three streams of metadata: the permissions, the content, and the activity to build this robust but rightsized access. So, you just -- we need to build a completely different type of solutions in order to do that. So, I just think that we can, for a long time, leverage our moat and maintain a tremendous competitive advantage in this space.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

And when we kind of think about the guidance, our philosophy hasn't changed. So, we're definitely thinking about the guidance in the same way that we've talked about it throughout the year. I think in terms of where we are in Q3, we definitely saw things stabilize compared to previous quarters, and that's a good sign for us. But our assumptions in terms of guidance have stayed the same, and we think that we are set up well for -- having our large Q4 in terms of seasonality, we don't see any change compared to the on-prem subscription.

So, SaaS should be the largest quarter. Q4 should continue to be the largest quarter of the year, as it has been in previous years. Obviously, from a revenue recognition perspective, it does change because it's ratable. But you've heard me talk millions of times about the fact that ARR, free cash flow, and ARR contribution margins are the right metrics for this transition, and especially in Q4, they should be viewed as the leading indicators of the business.

Our next question comes from the line of Shebly Seyrafi with FBN Securities. Please proceed with your question.

Shebly Seyrafi -- FBN Securities -- Analyst

Yes. Thank you. So, your headcount really was flattish in terms of growth in Q1 and Q2, and it looks like it grew around 50, which is a decent pace for the first time in like a year. So, my question is, is this a sign that the environment is better for you? You talked about deal scrutiny, etc.

But at least, is it better? In the report, you're hiring more. And related to this, talk about your headcount growth expectations going forward.

Yaki Faitelson -- Chief Executive Officer

You know, it's a -- we know how to do these transitions, and it was very important for us when we did it just to be focused on just the right moving parts to make sure that it will work. We definitely see just more stability in the transitions. And despite of the economic headwinds, we definitely see that there is just, you know, inevitable demand for data security. This is something that organizations need, and we have a lot of pipeline in what we can do in terms of a road map of features and products.

It's a massive total addressable market, so we need to cover it with sales force and make sure that our customers succeed, and we keep building the organization. So, you know, the business is performing, and we are investing against a massive opportunity.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

And if you go back to our last quarter'searnings call you could hear in the commentary that we talked about the fact that we're hiring. So, obviously, the fact that we grew the headcount was part of our planning. We want to continue to increase the headcount, but we obviously want to do it in the right way, and we want to make sure that we generate increased productivity. And I think we can do that going forward.

So, it's a balancing act of increasing headcount at the right pace, in the right positions, in the right locations, but also improving our leverage, as we have done when you look at kind of the fact that the ARR contribution margin is now 11.1%, an increase of 750 basis points year over year, which is pretty significant.

Our next question comes from the line of Shrenik Kothari with Robert W. Baird. Please proceed with your question.

Shrenik Kothari -- Robert W. Baird and Company -- Analyst

Hey. Yeah. Thanks for taking my question. Again, thoughts and prayers to your entire team out there.

Just a follow-up to the previous Microsoft question. You know, Yaki, you mentioned the tailwinds and the growth runway in implementing the access controls and governing policies. And there was a previous question on the competitive advantage versus Microsoft as well. Just trying to understand.

Of course, as the significance of data security rises, as you just pointed out, and especially in the realm of generative AI, which -- where you're anticipating kind of more traction, particularly for data access governance, is it the right way to think that Varonis is kind of focusing on a comprehensive data protection platform, including data security, access control, governance, versus what Microsoft is offering, which is kind of more narrow kind of DLP? And this urgency around data security and, of course, with respect to the data protection tailwinds, like, is this the competitive advantage that you guys have and is that the right way to think about the competitive dynamic from your perspective? Then I have a quick follow-up there as well.

Yaki Faitelson -- Chief Executive Officer

Yeah. It's just -- yeah, it's essentially completely different. You know, what we just giving is automated outcomes regarding, you know, just access control, classification, and threat detection. We have very little features that overlap.

And a lot of very good synergy toward the way that they can label for DLP, as you mentioned, and other stuff and, you know, and -- but it's different. We, actually, you know, work very well with them, and we have a very good partnership regarding generative AI, which is the foundation, the building block. If you want to use generative AI in the right way and not to introduce a lot of risks and can end up in disaster, you need to use our solution to make sure that, you know, you are ready. So, this is a set of all the AI features that we can deliver using technologies like large language models.

We are the foundation to make sure that businesses can use it in order to extract value from their data.

Our next question comes from the line of Hugh Cunningham with TD Cowen. Please proceed with your question.

Unknown speaker

Hey, guys. Thank you for taking my call, and, you know, I'll echo that everyone here on our team, our thoughts and prayers are with you and your families, your friends, and your coworkers there at Varonis.

Yaki Faitelson -- Chief Executive Officer

Thank you.

Unknown speaker

I do have two quick ones. The first one is the 25% to 30% uplift that we're talking about, that's just on pricing of subscription versus SaaS. That doesn't include any assumptions that you mentioned before, more licenses, users go up, anything like that?

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

Apples to apples, only, so yes.

Unknown speaker

OK. And then these conversions of existing customers, are these taking place at the end of their existing contracts? What I'm trying to figure out here is if when you quote a number, 10 million or 12 million, that number includes a sort of accelerated recognition or the initial period in that subscription. Is that right?

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

No. That relates only to the deals within the quarter.

Unknown speaker

Quarter. OK.

Our next question comes from the line of Brian Colley with Stephens. Please proceed with your question.

Brian Colley -- Stephens, Inc. -- Analyst

Hi, guys. Thanks for taking my question here. Can you talk about how the SaaS platform has impacted the pipeline for new logos, you know, as well as sales cycles for those new customers? I'm just curious if you're seeing an acceleration in new logo adds or sales cycles.

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

So, I can tell you, when we look at the new customer adds, we've definitely seen positive signs this quarter. And I think that as we look at our ability to sell SaaS to new customers, as I said in one of my previous answers before, it opens up opportunities that we didn't have before with the on-prem subscription. So, I think, overall, the signs that we're seeing are healthy and positive and definitely gives us the ability to show value. I said before, we're kind of past the challenging part of the transition where we have to clean -- "clean through the pipeline" where some of the quotes were introduced to customers in the past as on-prem subscription.

Now, we're just starting with the SaaS as part of the quote, and it's been very well received by customers because the value of the -- our SaaS product is much greater than the on-prem subscription.

Tim Perz -- Director, Investor Relations

Yaki Faitelson -- Chief Executive Officer

Guy Melamed -- Chief Financial Officer and Chief Operating Officer

Saket Kalia -- Barclays -- Analyst

Hamza Fodderwala -- Morgan Stanley -- Analyst

Matt Hedberg -- RBC Capital Markets -- Analyst

Brian Essex -- JPMorgan Chase and Company -- Analyst

Joel Fishbein -- Truist Securities -- Analyst

Roger Boyd -- UBS -- Analyst

Andy Nowinski -- Wells Fargo Securities -- Analyst

Fatima Boolani -- Citi -- Analyst

Chad Bennett -- Craig-Hallum Capital Group -- Analyst

Rob Owens -- Piper Sandler -- Analyst

Jason Ader -- William Blair and Company -- Analyst

Joe Gallo -- Jefferies -- Analyst

Rudy Kessinger -- D.A. Davidson -- Analyst

Josh Tilton -- Wolfe Research -- Analyst

Shebly Seyrafi -- FBN Securities -- Analyst

Shrenik Kothari -- Robert W. Baird and Company -- Analyst

Unknown speaker

Brian Colley -- Stephens, Inc. -- Analyst

