Palo Alto Networks ft Nir Zuk & Nikesh Arora – The Grudge That Transformed Cybersecurity
In the early 2000s, the cybersecurity industry was dominated by incumbents focused on margins, not innovation. Nir Zuk tells the story of how, frustrated by this stagnant culture, he set out on his own with a radical idea: the Next-Generation Firewall. We explore the crucible moments that defined Palo Alto Networks’ path: the controversial decision to insist on being a new kind of “firewall” vs. a “firewall helper,” the challenge of scaling through hyper-growth, and the pivot from building everything in-house to current CEO Nikesh Arora’s aggressive acquisition strategy that remade the company for the cloud era. Nir, Nikesh, and the core leadership team offer a masterclass in product conviction, strategic transformation, and the courage to disrupt yourself before the market does it for you.
Key Lessons
10 lessons from the Palo Alto Networks story:
Decide on your first principles, then embrace what others think is crazy
When Nir proposed cloud-delivered security services in 2005, everyone told him he was crazy. His response: “Of course I’m going to do it.” When everyone believes something can’t or shouldn’t be done, that’s often a signal you’re onto something important. If first principles say you’re right about a non-consensus view, take the first step.
Own your category positioning from day one—even when it makes selling harder
The team debated whether to call their product a “firewall” or hide behind terms like “application visibility and control tool.” Calling it a firewall meant hearing “we already have a firewall” from every prospect. But they chose the harder path because they wanted to be the new standard in firewalls—not a firewall helper. That conviction to use “the F-word” despite short-term pain cemented their position as the category leader. If you compromise on positioning early, you’ll never get it back.
Build something you can actually be proud of, even when no one can tell the difference
In cybersecurity, over 95% of vendors sell snake oil that looks impressive but doesn’t actually work, because customers struggle to verify it. Palo Alto Networks committed to building products that genuinely secured customers, despite the higher development costs. Doing right by customers when you don’t have to is expensive, but it’s what separates enduring companies from those that flame out.
Your greatest competitive advantage can become your greatest liability
PANW built everything in-house for a decade because seamless integration was central to their next-gen firewall promise. This strategy worked brilliantly, until the cloud emerged. The same “build everything ourselves” mindset that drove their success nearly caused them to miss the cloud era entirely. When market structure shifts, you must be willing to abandon the approach that made you successful.
Know when you’re not the right person to scale what you built
Nir’s advice to founders is blunt: if you’ve never scaled a company from tens of millions to hundreds or from hundreds to billions, don’t be a hero. Bring in someone who’s done it before. The best founders recognize when their company has outgrown their experience and have the humility to step aside.
Acquisition strategy is product strategy, not a financial exercise
As CEO, Nikesh Arora has turned successful M&A into a competitive advantage. Here’s his playbook: First, acquired company leaders drive product strategy, not existing exec staff. Second, they spend extra diligence time aligning on product roadmap, not just financials. Getting product strategy alignment before the acquisition is critical. Most M&A fails on execution; treat acquisitions as a way to absorb talent and expertise that will lead your expansion years into the future.
Be willing to sacrifice margins to build the future
PANW took operating margins from the high 50s down to the low 20s for multiple years as they invested in cloud capabilities through acquisitions. Wall Street hated it, but the short-term pain positioned them to become “the first at-scale evergreen cybersecurity company” rather than just another network security vendor.
Make it so easy to prove your value that saying no becomes impossible
Palo Alto Networks’ go-to-market strategy was simple: let customers onboard for a week and show them everything their existing firewalls were missing. The proof of concept was effortless to deploy and the results were undeniable. When customers went back to incumbents asking for fixes and got none, Palo Alto won 90% of these trials. Remove all friction from demonstrating your superiority.
Embrace disruption even when it hurts your current business
Whether you’re being disrupted by a competitor or by a market shift like cloud or AI, you must embrace the disruption. It will hurt your business in the short term. But companies that resist disruption lose. If you embrace it and execute well, you emerge far stronger than if you’d tried to protect the old model.
Declare your ambition or you’ll never reach it
In 2018, Palo Alto Networks faced a crossroads: continue excelling in network security, or expand to become a comprehensive cybersecurity platform. They chose the ambitious path. As Nikesh notes, if you don’t declare an ambition, it’s hard to get there. The competitors who stayed in their swim lane have done fine, but they didn’t become what PANW became, because it was never their stated goal.
Transcript
Chapters
- Introduction
- The Chip on the Shoulder that Launched Palo Alto Networks
- Deciding on the Initial Direction
- Launching the Next-Generation Firewall
- Pressure to Scale
- Finding a New Leader to Scale
- Slowing Down Before IPO
- Expanding Beyond the Firewall
- A New Challenge: The Rise of the Cloud Era
- The Acquisition Strategy That Rebuilt Palo Alto Networks
- Reflections: Disrupt or Be Disrupted
Introduction
Nir Zuk: Everybody thought we were crazy. Nobody would use the cloud for cybersecurity.
Nobody would send cybersecurity-related data to be inspected in the cloud, and so on. And when I hear something like that, I say, “Of course I’m going to do it.” You know, because, uh, it’s the right thing. And if everybody believes it’s not, it, it shouldn’t be done, or it cannot be done, or nobody would want it, then you know it’s a good reason to do it.
Roelof Botha: Welcome to Crucible Moments, a podcast about the decisions and inflection points that defined some of the most consequential companies of our time. I’m your host, Roelof Botha.
In the 1990s, as businesses rushed online, a new cybersecurity industry emerged to protect the networks powering the internet boom. Among the industry’s early builders was an Israeli engineer who helped shape several of those companies—until he grew frustrated with their overly cautious cultures that stifled innovation. So, he decided to strike out on his own.
Along with a small team of experts, Nir Zuk built something that would change the industry—the Next-Generation Firewall. Unlike traditional firewalls, it didn’t just block threats; it unified multiple layers of protection into one intelligent platform. By blending on-premise security with early cloud-based capabilities, Zuk’s vision redefined what modern cybersecurity could be—and set the standard the industry still follows today.
In this episode, we’ll explore the crucible moments that turned Palo Alto Networks from a bold startup into a global leader in cybersecurity—from bringing their disruptive product to market, to scaling into a public company and ultimately outpacing the industry again in the cloud era. This is the story of Palo Alto Networks—and the people who refused to play by the old rules.
The Chip on the Shoulder that Launched Palo Alto Networks
Nir Zuk: I’m Nir Zuk, Founder and Chief Technology Officer at Palo Alto Networks.
I was born in Israel in 1971, and as a teenager in the mid-eighties, one of my hobbies was to develop viruses—some of the early computer viruses in the world—uh, which landed me a job with the Israeli intelligence as part of my military service. And there, at Unit 8200 is where I met two of the three founders of Check Point.
I joined them at building Check Point Software in late ’94.
Roelof Botha: At Check Point, Nir worked on some of the first firewall technologies—network security systems that could monitor and control traffic between private networks and the outside world.
Nir Zuk: The biggest challenge I faced at Check Point was that, very early on, Check Point has decided, number one, that they’re just going to be a firewall VPN company—meaning they don’t want to do other things that customers required as part of their cybersecurity strategy. And second, that they want to optimize for very high operating margins.
Uh, Check Point has always run close to 60% net operating margins, which is very high, but it also means that there is no money to invest—specifically in research and development. So for me, as someone that likes to build technology, likes to build products, likes to take things forward, it was a challenge not being able to invest in R&D and not being able to build things beyond basic firewall VPN.
Roelof Botha: Nir transferred to Check Point’s California team, hoping it would offer an opportunity to work outside of the company’s VPN-only strategy.
But when the team was shut down in 1999, Nir decided to leave Check Point altogether and forge his own path in the cybersecurity space.
He wasn’t shy about the fact that his former employer was now his biggest competition.
Nir Zuk: I had a custom California license plate made—the license plate was CHKP KLR, which reads “Check Point Killer.” So I was driving around the Bay Area with, uh, with that car.
Jim Goetz: I had met with him and walked him out to his car and had spotted the plates. It was an example of a chip on the shoulder that Nir had developed in his time at Check Point.
My name is Jim Goetz, Partner at Sequoia Capital.
Roelof Botha: Setting out to compete with Check Point, Nir founded his first company, OneSecure, which was quickly acquired by NetScreen, which was then sold to Juniper in 2004.
Nir Zuk: The first day—literally the first day—after the acquisition closed in, uh, April 2004, my new boss, the CTO and founder of Juniper, told me that they were not interested in the products and they wanted to rebuild them into their own products, which I thought was a disaster. So I left—many other people left—and, I left to start Palo Alto Networks.
I called a really good friend of mine called Asheem Chandna, who is a VC at Greylock, and told him I was going to start something. And he immediately brought Jim Goetz as well into the picture. I knew from the beginning—they agreed from the beginning—that we’re going to build something that’s going to change the cybersecurity industry. And the three of us sat down and tried to figure out what it is.
Deciding on the Initial Direction
Asheem Chandna: I remember when the company started—you know, part of the design goal was, uh, you know, beat NetScreen, who was an incumbent vendor at the time, in performance; beat Check Point Software, another primary incumbent, on manageability; and then beat Fortinet and Cisco, uh, in their all-in-one architecture.
I’m Asheem Chandna. I’m a Partner at Greylock.
So could one build a system where you had, you know, you would beat Check Point Software and manageability, NetScreen on performance, and, uh, you know, Cisco and Fortinet in terms of the all-in-one capability? And then the question was really, how do you insert into that?
Nir Zuk: Greylock and Sequoia were very rigorous in making sure that they have the right plan to be able to conquer the market. So that was a, I guess, nine-months project where we went through different insertion plans—different ways of getting into the market with whatever it is that I’m going to end up building.
Jim Goetz: He had several ideas, but none were refined. There was energy from Nir—as you can expect—to do a frontal attack on the firewall market, and both Asheem and I felt like a market entry tactic that may not be frontal in nature, but would embrace a more subtle approach to the market, was important. And so much of the investigative work was around product definition and market-entry tactics.
Roelof Botha: The team continued to brainstorm around this early crucible moment.
What do you build that will set you apart in a space crowded with competitors?
And how do you take that product to market?
Nir Zuk: The original plan was to be based on an ASIC—custom silicon that we were going to build. That’s going to make everything really cheap and really fast. And we scrapped that as not being, uh, enough.
And then, after one or two more iterations, we figured out that one of the features in the product—which was around being able to secure not just web browsing and email, which were the, the only, uh, protocols or only applications that enterprises were using at the time—but rather also secure other applications which were considered consumer applications at the time, like, uh, ICQ and NetMeeting (if you remember), and Skype and Facebook, was emerging at the time, and so on.
The assumption was that these were going to become also enterprise applications. So the decision was to take something that was relatively smaller—in terms of being able to secure all these applications—and making it the cornerstone of what it is that Palo Alto Networks was going to do in the early days: build network security that can secure everything, not just web browsing and email, and making that the go-to-market insertion plan—what we sell to customers.
Jim Goetz: At the time, there were dozens of appliances doing various functions that were not being done in the firewall. And Nir’s ambition was to create a single-pass architecture that would allow us to integrate that into a single system.
Asheem Chandna: Customers really had what was called “appliance fatigue.” They had, you know, many appliances for different discrete functions, around security. And so, part of the vision around the company was, to collapse all these functions into a single architecture and into a single system, but yet provide customers with scalability, and manageability and performance.
The “Crazy” Idea That Became the Future
Roelof Botha: In addition to a single, fully integrated platform that could serve all areas of an enterprise’s security needs, the team decided to take a gamble on the way the platform was deployed.
Nir Zuk: When I joined Sequoia and Greylock in 2005, the cybersecurity market was a hundred percent on-premise—meaning everything you would buy, whether it’s network security, or endpoint security, or data security, uh, identity and access management and so on, was on-premise, which means that projects were expensive. They took very long—uh, took three years to implement whatever it is that you bought. By the time you finish implementing it, you have to go back and reimplement it because technology has changed. We used to equate it to painting the Golden Gate Bridge—where when they finish, uh, painting the bridge, they have to go back and start painting it again because the paint is already corroded.
One of the things that we decided to do at Palo Alto Networks is to do more and more in the cloud. Well, there was no “cloud” at that time, so we did it in our own data centers—but delivered as SaaS.
So the idea was to take some cybersecurity functions and, rather than trying to deliver them on-premise within the hardware that we were building (and later, the software), we would deliver those as cloud-delivered security services from our data centers.
Everybody thought we were crazy. Nobody would use the cloud for cybersecurity.
Nobody would send cybersecurity-related data to be inspected in the cloud, and so on. And when I hear something like that, I say, “Of course I’m going to do it.” You know, because, uh, it’s the right thing. And if everybody believes it’s not, it, it shouldn’t be done, or it cannot be done, or nobody would want it, then you know it’s a good reason to do it.
Roelof Botha: With an ambitious plan for their novel security platform in place, the team set about bringing on talent, including an experienced head of engineering.
Rajiv Batra: Meeting with Nir was interesting. Obviously, he knew the security very well—uh, and, uh, very sharp, very analytical. And I felt that he was trying to do too much, or basically too confident.
I am, uh, Rajiv Batra. I’m the Co-Founder of Palo Alto Networks.
But then we had the second meeting, and we basically tried talking about the kind of company we wanted to create. And our vision about the company was very, very similar. He was telling all the things I knew—what went wrong in previous companies and what went right—and our vision was very, very aligned. And that got me excited.
Nir Zuk: We decided that it’s important for us to be proud of everything we do. Everybody will tell you they’re, they want to be proud of everything they do—in reality, in the cybersecurity market, because it is so difficult for customers to check whether something actually works or not, more than 95% of the vendors in the industry are selling snake oil. They’re selling products that look pretty but don’t really do anything.
So it was very important for us that whatever it is that we do, we can be proud of—actually does something, actually secures customers. It is much more expensive to do it, to develop it, yet, uh, we believe that if we do the right things for the customer, and we don’t cut corners and, we make sure that we actually secure them—despite not having to—we would be successful.
Launching the Next-Generation Firewall
Lee Klarich: We really listened to customers, uh, from when I joined. When we shipped the first version of the product, we actually hired a salesperson whose entire job was to set up meetings for me. We had nothing to sell—and their entire job was to set up customer meetings for me so I could go tell them what we were doing so I could get their feedback.
I’m Lee Klarich, Chief Product Officer at Palo Alto Networks.
I talked to close to a hundred companies in the first year when we didn’t even have a product. It was to get that feedback of—is there anything that we’re missing—so that we would have the conviction such that we launched the product, we didn’t, we didn’t get yanked and pulled in all these different directions.
Nir Zuk: The only controversial thing—or the thing we had to debate in the early days of Palo Alto Networks—is how do we call the product?
The debate was whether we call whatever it is that we built a firewall or next-generation firewall, or whether we hide the fact that it’s a firewall and we call it “multi-cybersecurity-function-gateway,” or whatever, you know, some other name that doesn’t have “firewall” in it.
And the reason for that is that when you call it the firewall, you make it very hard for you as, as a young company to sell the product because if you call it the next-generation firewall or anything that has the firewall name in it, and you go to customers and you try to sell it, the first thing they say is, “We already have a firewall.”
And then even if you are able to show them the value and you tell them, “No, it’s okay—it’s a next-generation firewall. You don’t have to replace your firewall; you can deploy it behind your firewall, and then one day, if you want, you can replace it or you don’t have to,”—which was the way we sold it—uh, in some cases you hear, “No, we already have a firewall. It’s a political issue—the firewall belongs to another department. We cannot put something that’s called a firewall, uh, behind that firewall. Go away.”
Lee Klarich: It was hard. Like, telling your customers you’re a startup and you have a firewall—customers are like, “I’m not deploying a version 1.0 firewall in my network. Like, if it fails, my network goes down and then I get fired.”
And so, the temptation was to say it was not a firewall—that it was an “application visibility and control” tool. Or it was like one time they wanted me to create a datasheet for it and call it a “next-gen IPS.”
I would show up at customer meetings being told by the salesperson, “Whatever you do, don’t tell ’em it’s a firewall.” And so, the first words outta my mouth in every meeting like that was, “Hi, my name’s Lee Klarich, uh, and I represent Palo Alto Networks, and we have an amazing firewall for you.” And the sales teams would kick me under the table.
I was paranoid that if we allowed ourselves to be positioned as anything other than a next-gen firewall—which included the firewall piece—that we would never be able to capture it again. We get relegated to being a “firewall helper” as opposed to being a firewall.
Nir Zuk: The decision eventually was, yeah—we’re going to call it a firewall, a next-generation firewall. And the reason is that this is where we want to be. We want to be a firewall. We want to be the firewall of the organization. And even if, in the beginning, we have to work harder in order to sell it, it would pay off later.
Lee Klarich: I used to joke with the sales teams—I said, “You have to use the F-word.” And they’re like, “You have to use the F-word?” I said, “Yes—firewall.” We have to be true to what we built.
I am 100% convinced that if we had been relegated to something other than a, a firewall in the early days—even a customer didn’t deploy us that way—we would’ve never been able to get that position back.
Roelof Botha: In 2007, Palo Alto Networks launched its “Next-Generation Firewall,” a product that could stop sophisticated cybersecurity threats at the application level using built-in intrusion prevention, malware detection and other advanced defense systems.
With this groundbreaking solution, Nir and his team burst into the cybersecurity arena.
Nir Zuk: When we were selling against Check Point, against, uh, Juniper, against Cisco, against Fortinet, it was pretty easy actually. What we told customers is, “Hey, today you are blind to anything that comes in not via web browsing and email. Put our box on the network for a week.”
We had a mode in the box where you didn’t even have to put it in the network—you just tapped into the network through a switch or through an optical network tap. “Give us a week and let us show you what you’re missing.”
And in most cases, customers said fine—because it was so, it’s so easy to deploy. We put a box there, we show them their existing products are completely blind to anything that’s not basic web browsing and email.
They go back to their vendors, they ask for a fix, the vendors have no fix—and then they bought our product.
So it was pretty easy. We, we knew from the beginning that if we get a POC—a proof of concept—with a customer, our chances of selling the product were in the nineties—so 90% or more.
Roelof Botha: Nir positioned Palo Alto Networks as the clearly superior alternative to the industry incumbents.
His credibility, built from years of experience at those firms, helped fuel word-of-mouth among enterprise IT teams frustrated with legacy firewalls.
Palo Alto Networks grew rapidly, generating $5 million in its first year alone.
The company began attracting larger clients, including a $10 million deal with Citibank—a clear sign it was disrupting the cybersecurity industry.
Pressure to Scale
Roelof Botha: As Palo Alto Networks’ next-generation firewall gained traction, rivals took notice, opening the company up to potential vulnerabilities.
Nir Zuk: When you change the market, the biggest worry you have is that one of your competitors will wake up too early and deliver the same.
Lee Klarich: It was interesting, um, in terms of how competitors reacted to us. I remember Juniper actually tried to preempt us coming outta stealth mode—and to say that they had sort of done what we did. Which, of course, they hadn’t, technically, so it didn’t matter too much. But it’s just interesting to see them trying to position it that way.
Check Point, initially, who we sort of viewed as our, our biggest competitor, their initial response was to say that we didn’t know what we were talking about—we were wrong. Uh, about two years later, they changed from, “we are wrong” to “actually, it turns out you need a next-gen firewall—and Check Point invented it, in retrospect.”
By 2010–2011 timeframe, the market space was largely—everyone was saying they had a next-gen firewall.
Roelof Botha: Nir and his team faced a crucible moment.
They realized that if they wanted to beat out competitors and become the true industry leader, they would need to scale—and scale fast.
Nir Zuk: We felt the pressure to scale the company fast. From the early days, we knew that there is a market out there—that we have a disruptive product—that we have to get to as many customers as possible.
We were doing a few hundreds of millions of dollars a year in sales and we needed to go to a few billion—and that always requires a change. Every time you, uh, multiply yourselves 10x, things have to change.
They have to change in the way you market your product. You have to change the way you sell the product, you approach the market, and so on. You have to change the way you support the product. You have to change many different things in the organization.
Finding a New Leader to Scale
Roelof Botha: The company’s first change was to seek out new leadership.
Nir Zuk: When you grow really, really, really fast, very quickly you get to a point that whoever it is that you hired is running the biggest thing that they’ve ever done. Sometimes they’re able to grow with it, and sometimes they’re not.
If you are a founder and you find yourself in a company that’s doing a few million dollars in ARR, or tens of millions of dollars in ARR or hundreds of millions—good for you. You need to scale it to the next level, 10x. So from few millions to few tens of millions, from few tens of millions to hundreds of millions, or from hundreds of millions to billions.
If you’ve never done it yourself—which you probably haven’t—don’t be a hero. Don’t try to do it yourself. Your chances are relatively low. Bring someone that’s done it before and let them do it for you.
Rajiv Batra: So we were looking for, basically, the person who can take to the next level—who already had an experience being in the public markets, the scale we need to do, and how to basically make it happen. And, uh, we were looking for a great leader at that point, to me, that was very, very crucial.
Mark McLaughlin: I had, uh, actually an unusual situation in that, uh, I was offered a CEO job twice—the first time in 2008. And for, uh, personal reasons, family reasons, I was unable to take it at that time. So I declined, um, knowing that I professionally regret that probably for the rest of my life.
And then, uh, lo and behold, got the opportunity again in 2011. Things had changed at home, and I was able to, uh, say yes that time—and ended up, uh, being the best, you know, professional decision ever made.
I am Mark McLaughlin. I had the privilege of being the CEO and Chairman of Palo Alto Networks from 2011 ’til 2018, and on the board until 2022.
The company’s doing very well—clearly selling well—established the next-gen firewall as an important thing in the market.
And, um, so “Let’s go, uh, scale it.” The expectation was when I joined—I mean, literally, not the expectation, it was pretty, pretty explicit—was: “Okay, you’re here; we’re gonna go public in six months.”
Slowing Down Before IPO
Roelof Botha: Palo Alto Networks’ leadership and board believed the best way to scale—and to cement its category dominance—was through an IPO.
Going public would send a powerful signal and give the company additional resources to grow.
But upon his arrival, Mark pushed back on the idea of an imminent IPO.
He wanted the team to think critically about the company’s direction and ensure it was on strong footing before making this leap.
Mark McLaughlin: What’s the vision for Palo Alto Networks?
It’s very easy for a company to scale itself to death. And there’s lots in that statement—of examples you go down—which would be, you know, we have one product, the product is great, everybody loves it, and you’re just late on the next one. Or the next one. And then you just kind of, you know, you just peter off, right?
The next one is, hire, hire, hire as fast as you can—uh, because you know, we’re growing so fast—and you dilute or destroy the culture of the company simply by just layering. And because you relax, you know, your filters right on who’s gonna join the company—or just have too many people. There’s a lot of ways to scale yourself down, um, very quickly.
What I tell folks today is, um, if you’re fortunate enough to be in a hyper-growth company—and Palo Alto Networks is a hyper-growth company, not growth, not super-growth, hyper-growth—in a hyper-growth company, it’s like trying to stand on a marble. It’s very, very difficult to maintain balance or even get it ever.
Lee Klarich: The reality is, if you, if you want to go public, yeah, your product, technology and that stuff really matters. But if you don’t have just as much emphasis on how you’re going to build—and possibly innovate and scale—a go-to-market machine, you’re gonna get creamed in the public markets.
Public markets, every quarter, they don’t ask you if you launched a product; they ask you if you met your numbers.
Mark joined, and the first thing was to slow that down—to make sure that we were going to be ready. Not to go public like that was the end state, but that was gonna be the start of, you know, the rest of the company—of being a public company—what it takes to be a successful public company.
And we better, we better get our stuff together, um, and be ready for that.
Jim Goetz: I think Mark wanted time to recruit a world-class team and build out the culture, and make sure that we had the right talent in Europe and in Asia. But also key areas that had been, I think, under-invested early on—whether it be support, or sales enablement, finance.
And Mark rightfully pushed back on the board and suggested that we were financially ready to go public, but we were criminally understaffed and needed to hire a handful of leaders.
And I think, quickly, the board recognized that, you know, Mark was correct—and we all got comfortable with giving him that time.
Roelof Botha: Mark convinced leadership to slow the sprint to an IPO.
Meanwhile, he went about expanding sales, support and finance teams, while carefully preserving and building on the company culture Nir and Rajiv had worked so hard to cultivate.
Asheem Chandna: What Mark really did was, came to a company where the basic product-market fit had been established and the product had begun to kind of grow in the market. But, uh, he really, kind of, you know, uh, went out and recruited a world-class executive team, worked closely with the founders and, you know, built an executive team at the company that could really take, you know, advantage of the business opportunity that had been created—and help materialize that.
Roelof Botha: In July 2012, with a firm roadmap for expansion and the proper systems and leadership in place, Palo Alto Networks went public at a market cap of around 4 billion dollars—one of the largest tech IPOs of the year.
Mark McLaughlin: The IPO, uh, gave us the money to set up the tents and buy the food at base camp. You know, like, that’s where we are. A lot of people never make it to base camp, right? But that’s where we are—and we’ve got the resources to actually start to climb the mountain now.
That was probably the, the most important thing in my mind—to go, “Okay, let’s get people thinking about ten years from today.”
Roelof Botha: In the years that followed under Mark’s leadership, revenue soared tenfold from a run rate of just over $200 million in 2012 to $3 billion in 2018.
The team grew just as dramatically, from around 700 employees to over 5,000.
And along the way, the company definitively cornered the firewall market.
Asheem Chandna: Palo Alto Networks grew its business at a rapid pace.
And a day arrived when Palo Alto passed Check Point in revenue size. When that day came, Nir changed his license plate to CHKP KLD—killed. So, the CHKP “Killer” became CHKP KLD.
Nir Zuk: In 2013 or ’14, we became the largest network security vendor in the world by surpassing Check Point—and Cisco and Fortinet. Juniper disappeared by that time. It was yet another milestone—uh, certainly something that we always wanted to be, always want to be the biggest one.
It was also the cue for us that it’s time to move beyond network security and start implementing the bigger master plan: to consolidate not just the network security market, but the entire cybersecurity market into a single platform.
Expanding Beyond the Firewall
Roelof Botha: By 2018, Palo Alto Networks was the incumbent network security company.
But Nir’s ambitions stretched towards capturing every corner of the cybersecurity industry, and his first target was endpoint security.
Nir Zuk: It was very clear that what I was set to do in 2005—which is turn the network security market into a you buy one thing and everything else is delivered on top of it—has worked. And we’ve changed the market, and network security is done.
There are only going to be a few large vendors, and we wanted to start seeing that happening in the larger cybersecurity market, which includes other things—uh, for example, endpoint security. We wanted endpoint security to be part of a bigger thing—part of you buy network and endpoint security together, which makes a lot of sense.
But it was a struggle. It was very difficult to do that. It was not growing as fast as we wanted it to. Uh, we were still mostly a network security company.
Roelof Botha: While Palo Alto Networks was focused on building out capabilities for endpoint security, a new era of technology was emerging: the cloud.
With its rise came a wave of cloud-first cybersecurity companies—ones that threatened to leave Palo Alto Networks behind.
Asheem Chandna: The company really began in, in the on-premise era—and the company began where, you know, where, uh, cloud had not still happened, right? And so, the company really grew in the on-prem firewall market—you know, on-prem, uh, network security market. And then, you know, cloud kind of began to grow, right? And so, at some point, the company was at risk of basically being in a market that was an important market—the on-prem, uh, security market—but missing the new growth market, right? Which could become a primary market.
Lee Klarich: It was very clear by this point—very, very obvious—that the cloud was gonna have a huge impact. How do we go from being a next-gen firewall company—like, that is our DNA, that is what we do, that is 95-plus percent of our business—to being something more? And I, I remember, like, looking and saying, “Okay, well there must be some other company that has done this before. Can we, like, what’s the blueprint? Let’s go look at other companies that have gone from being the best at one thing to the best at multiple things.”
And in cybersecurity, it, it didn’t exist. There was no blueprints. There was no companies that had done this before. There wasn’t a, there was no guidebook for this.
But we had to sort of trailblaze this, this expansion into being a multi-platform company. There was all these new cloud-security things that had nothing to do with network security and next-gen firewalls. How do we go be the absolute best at those?
A New Challenge: The Rise of the Cloud Era
Roelof Botha: Palo Alto Networks risked falling behind in the emerging cloud security category.
They faced a crossroads: how should they adapt to seize the opportunity?
One of the first things that became clear was that the company’s strategy of building technology in-house was unsustainable.
Mark McLaughlin: I would say, on the leg of the journeys, you know, for Palo Alto Networks—and here I’ll pick up in 2010 right up to, call it, 2018—we built everything ourselves.
We didn’t buy anything, right? But that wasn’t an arrogance move, like “we’re the best at everything.” It was a move that was, uh, structural in nature, which is if you don’t build it yourself, these capabilities—at the network level—you can’t have the seamlessness of what we’re promising as next-gen firewall.
And that worked very, very well, okay, right? It worked technically well, and it translated into business success, as well.
Okay, fast forward to, uh, 2017–2018, and with the cloud being a, you know, a major structural change on how people are actually gonna do compute, right—the problem with that of the, the mindset is “we make everything ourselves, so it all works together” really didn’t work then from a cloud perspective.
And this is on me. I mean, as the CEO of the, buck stops at the CEO, right? Uh, I think we were late to the cloud—and by 2017, definitely 2018, realized it.
And, and part of the catch-up of like, “Okay, hey, let’s, we can be the best at this—but we have to think, like, as if we were born in the cloud.” Right? Like not, “Do, at least at try to insert ourselves, here’s our firewall that runs in the cloud.” Right? Like, “If you were born in the cloud, how would you do a, a firewall?” Right?
Roelof Botha: As Palo Alto Networks grappled with strategy around cloud security, leadership received startling news.
Nir Zuk: In a shocking move, Mark took Lee Klarich and I to lunch and told us that he wants to retire.
Mark McLaughlin: I said, “Hey, it’s, uh, it’s time for me to actually, uh, spend some time at home.” And, uh, and a lot of people say that, but in my case it’s like, “No, really,” you know, right? I went home to homeschool—I went home to homeschool, my youngest child, right?
So with that in mind, very thoughtful discussions with the board are like, “Okay, this is going to happen. So now we’re gonna, you know, figure out who’s next, right?”
Nir Zuk: Being a shock for us, okay? It took us 24 hours, we recovered. “What do we need to do? Let’s go hire a new CEO.”
Nikesh Arora: I was kind of the black sheep candidate. They had a whole roster of people who had done cybersecurity, were sitting CEOs of cybersecurity companies, and had a long history in cybersecurity. Now, I was one of the people who had no idea about cybersecurity. I thought there was two different words—“cyber” and “security.”
My name is Nikesh Arora, I’m Chairman and CEO of Palo Alto Networks.
Jim Goetz: Nikesh was a controversial hire. I mean, Nikesh is an extraordinary talent—creative, an outside-in thinker, gifted as a leader. He is arguably one of the best recruiters on the planet and capable of motivating all aspects of an organization. But he didn’t have cybersecurity experience and lacked enterprise experience.
And so, we were taking two levels of risk. But it also became clear from the reference work that we did that he was an extraordinary leader and he was going to be an exceptional CEO. The references from Google, from Eric Schmidt, from the board, were just overwhelming. And although many of the board members were uncomfortable with his lack of expertise in cyber and enterprise, we decided we needed to take the risk.
Nikesh Arora: I approached, I’d say, the first three to six months with a very strong mindset on learning and not disrupting too much around me. Part of my job was to not look stupid, and that required me to go spend an hour every morning—give or take—with Lee Klarich, understanding how our product universe is structured, an hour near, somewhere towards the end of the day, or vice versa, saying, “Hey, how does the world operate?”
Nir Zuk: If you’re trying to build something new, and there is already a team out there—a good team out there—a team that fits your culture, that has been building it for the last several years, and they already have market traction, then the right thing to do is probably to go and buy that company instead of trying to do it yourself.
The Acquisition Strategy That Rebuilt Palo Alto Networks
Roelof Botha: Nikesh spearheaded an aggressive acquisition strategy, acquiring three companies in his first year on the job.
He’d go on to acquire twelve in his first three years.
Nikesh Arora: The challenge we ran into was we didn’t quite understand cloud security very well. We didn’t know how to talk cloud security. We didn’t know how to sell cloud security because we didn’t have a product in that category. So part of our opportunity was to see how do we bring companies into our fold who understand cloud security?
That’s why we made acquisitions of the space. We used those leaders to actually bootstrap our leadership team at that point in time. Build a whole go-to-market motion and capability around them. We actually pioneered the notion of speedboats where we said every one of these things are speedboats.
’Cause we have a large destroyer, or perhaps whichever is the more benign version of a naval vessel. But the idea of the speedboat was that we have to make sure that we don’t constrain them without them run faster. We let them build entire motion around them as opposed to bifurcate that motion functionally and suddenly have firewall people telling salespeople how to sell cloud.
So we actually built a whole cohesive team around that capability, and that allowed us to gain muscle over time to understand these new swim lanes and be able to be at scale.
Roelof Botha: This strategy, however, came with risk.
Jim Goetz: I would say the vast majority of public market acquisitions fail.
It’s one of the challenges with a public company quarterly reporting. When you acquire these young companies, they’re often not generating meaningful revenue. There’s an opex hit. And so all of that was absorbed into the existing operating plan that we had offered to the street. So we did not frame a new set of guidelines for financials based on these acquisitions. And so we had absorbed the opex of each of these acquisitions and the dilution of the equity within our existing envelope that we had in terms of guidance for the street. And, that was at times, viewed as a risky strategy, but the execution on the go-to-market front was so extraordinary that we were able to absorb it and that became Nikesh’s go-to mode rather than resetting expectations with the street.
Nikesh Arora: I’ve also been around the tech industry to watch that majority of M&A transactions fail because of the execution issues post M&A.
And some of the key learnings from the failures are, you know, a company falls away in a category. Doesn’t make it, goes and acquires somebody. And the same people who were toiling away in the category and failed, end up managing the new acquisition.
So we don’t do that at Palo Alto. Rule number one. You know, the acquired company or the partner that we’ve acquired actually beat us in the market with less resources, more focus, and better execution. So maybe those people should be part of Palo Alto driving that strategy, not people who’ve been trying and failed at Palo Alto.
So the first thing we do in an acquisition is you make the new leaders responsible for our strategy and put them in our leadership team to drive the new area. Two, when the acquisitions happen, a lot less time is spent on aligning the product strategy before you make the acquisition. You try and adjust it afterwards.
So, pretty much for most of our acquisitions, we spend a lot of time. I’d say the diligence period is less about understanding your financials, which we do of course. And there’s a team that does that really well. Or aligning corporate structures, aligning organizations. We spent an inordinate amount of time debating on product strategy and what the product strategy needs to be for the next two to three years because it’s a lot easier to work with people who are fully aligned from product strategy perspective.
We’ve done that before the acquisition than afterwards. So we, like, always joke, like once you buy the house, we get to choose what color we paint it, but we spend a lot of time consulting with the people who live in it to make sure that we both agree. That’s kind of unique to our approach is aligning product strategy prior to acquisition.
So our combination of both organic product development where we accelerate and added resources and acquisition drove that up.
Roelof Botha: Each acquisition was a strategic play to absorb the talent and expertise driving those companies, even at the expense of the company’s bottom line.
Nikesh Arora: Not all those products are fully ready and we’re not being sold. So you end up putting the cost on your balance sheet, but you’re not fully getting the benefits of the revenue because you’re still in development phase.
And we did take our operating margins down as a company for the first two or three years, and we were operating in the high teens and low twenties for the first two or three years because we were investing in building capability in multiple categories, which we didn’t exist in before.
Roelof Botha: The strategy proved correct. Under Nikesh’s leadership, Palo Alto Networks has acquired over 25 companies and released products such as Prisma Cloud and Cortex Cloud—comprehensive cloud-native application protection platforms designed to secure applications and data across multi-cloud environments.
These innovations gave Palo Alto Networks a strategic edge that transformed the company into a comprehensive cybersecurity platform and a leader in the cloud.
Nikesh Arora: 2018 in hindsight ended up being a crucible moment for Palo Alto Networks because we could have gone down the steady path of continuing to excel in network security and possibly ended up as a large network security company. And at that point in time, we competed with two or three of the biggest players in network security who are still around.
Or the option for us was to see if we can expand to being a much larger player in cybersecurity with the ambition of being the first evergreen cybersecurity company.
And I think we chose the path that set us on track to be, I hope, which is the first at-scale evergreen cybersecurity company in the world. And had we not taken that fork in the road, you know, we’d be fine. We wouldn’t be, done poorly that those companies have done well. They’ve succeeded in their space, but they have not been able to move into other swim lanes and be successful in other swim lanes.
But that was not their stated ambition. And sometimes they say, if you don’t declare an ambition, it’s hard to get to it because you actually don’t know you’re headed there. So it was a crucible moment for us. And in hindsight, you know, it was a bet we made and it worked out.
Reflections: Disrupt or Be Disrupted
Roelof Botha: As of October 2025, Palo Alto Networks’s market cap is nearly $150 billion and it employs 16,000 people globally.
As cybersecurity moves into the AI era, the company continues to stay nimble in an ever-changing industry.
Nikesh Arora: The cybersecurity industry is the most innovative industry in the world because the bad guys are always trying to innovate on how to attack our customers, which means, you know, we cannot rest on our laurels. We can’t live in a world where we’re not constantly trying to out innovate the bad actors. Today we talk about how to secure with AI, how to deploy browsers around the world, how to build a common data lake for security and be innovative in the future. So I think we are getting at the seat at the table now with our customers to define and help them think through the future cybersecurity architecture.
Lee Klarich: The way I approach Palo Alto Networks today is really thinking about it and, and always trying to sort of maintain an evergreen philosophy in terms of how we approach product, technology, but even go-to-market and, and everything else the company does. Like, you can’t assume that what was what got us to our success five years ago is what’s gonna get, make us successful today or what’s, or what we’re doing today is gonna make us successful three or four years from now.
And so that evergreen philosophy and always being willing to disrupt ourselves before someone else does is a lot of what I think about every day when I think about the future of Palo Alto Networks.
Nir Zuk: If I look at Palo Alto Networks today, and, and by the way, I recently announced that I’m going to retire from Palo Alto Networks. And the reason for that is that I think that Palo Alto Networks has finally achieved the vision that I set 20 years ago, meaning recently we announced the 25 or so billion dollar acquisition of a company called CyberArk, which is in the identity space.
They’re doing many different things in identity. Identity and access management, privileged access management, and other things. And that to me completes the platform, meaning we now provide all the major components of a cybersecurity infrastructure, network security, endpoint security, security operation center, automation and, and control and cloud security, identity and access management.
We went into AI security, which is a new space, uh, into email security, which is a traditional space. We went into vulnerability assessment and vulnerability management and traditional space. We have all the major components at Palo Alto Networks that an organization would need in order to achieve their cybersecurity goals, which is what I set to do 20 years ago.
And now I can retire from Palo Alto Networks with peace, knowing that I’m leaving a company with all the products and all the technology that it needs with a great management team led by Nikesh and the company in, in, in a great financial state. And the company can go and, uh, continue to be successful even without me.
My advice to startups that are being disrupted, or companies that are being disrupted by either another company doing the same thing in a much better way, in a different way, or you’re being disrupted by a shift in market dynamics like the cloud, like AI, and so on.
My advice to you is embrace the disruption. If you don’t embrace the disruption, you will end up like companies that didn’t embrace the disruption, so for example, in our case, if you end up like Check Point, in the case of uh, cell phones, you end up like Nokia that was disrupted by Apple and later Google.
You will get killed by a disruption. So always embrace a disruption despite that disruption or you embracing it, hurting your business for the short term. If you do it right, you will get out of it on the other side much stronger than you would if you hadn’t embraced the disruption.
Roelof Botha: This has been Crucible Moments, a podcast from Sequoia Capital.