Varonis and the Price of Accountability at Scale

A look at the long-term strategy for Varonis beyond the near-term questions from their Q3'25 earnings report.

Oct 29
Public Companies

Sometimes you just have to rip the band-aid off.

Varonis had a near miss on its Q3'25 earnings guidance and lowered revenue guidance for the full fiscal year. The result was placed squarely on the shoulders of their on-premise subscription business.

Many people will call it a stumble. I see it differently. It’s the start of a sprint towards the future.

They took this opportunity to formally announce what we've all known for a while: they're ending support for their on-premise product and only supporting the SaaS platform moving forward.

This is no surprise. They've been alluding to it all year. The only major change here was that they made the decision a formality and put a specific date on it.

I expect this was earlier than they planned or wanted to make this announcement (and several other hard decisions). Sometimes you choose the timing, and sometimes the timing chooses you.

When you rip the band-aid off, it hurts for a minute. It hurt when I was a kid. It hurts my kid now. Honestly, it still hurts me today even though I’m better at hiding the pain.

The thing you learn about ripping band-aids off as an adult is that the anticipation is worse than the burn you feel after taking it off. That's where we're at right now with this earnings report and SaaS transition.

A near miss on revenue and conservative guidance should not overshadow what is clearly the correct strategic decision for Varonis moving forward. It’s the right call for them to end support for their on-premise products and be 100% all-in on SaaS.

That's the part I want to dig into more — both why it's the right decision now and what it means for the future of Varonis.

SaaS transitions in cybersecurity

The cybersecurity industry has enough SaaS transition battle scars to see the pattern. The common thread: lengthy timelines, customer friction, and compressed margins.

Public markets don't have patience for this. Many cybersecurity companies have needed private equity air cover to finish the job.

Varonis's SaaS transition has been remarkably pain-free until this quarter. Their conversions have gone both quickly and smoothly from a metrics standpoint. They're two years ahead of their original schedule and have technically completed the SaaS transition, at least by the percentage of revenue marker they set at the beginning.

The part that makes Varonis's SaaS transition different is also one of their biggest strategic differentiators moving forward.

They’re going to finish the job and go all-in on SaaS.

No legacy products hanging around. No “we’ll let customers migrate at their own pace.” Just a clear declaration of 100% cutover by the end of next year.

The nuance and context behind this decision matter a lot here. It's worth explaining in detail why Varonis's strategy makes their SaaS transition different from others.

It's also the reason why they had to make the hard but necessary decision to announce the end of their on-premise product during this earnings report.

Accountability at scale

Varonis takes accountability for customer outcomes in a way I have rarely seen in cybersecurity, especially for a product-focused company.

Growing up on the services side of the industry at PwC, I'm very familiar with what it means to take deep accountability for customers (and have the scars to prove it).

In a services engagement, especially the long-term transformational programs that I did, client outcomes become your life. It's all-consuming in a way that's very hard to describe unless you've been there.

You wake up in the morning and go to sleep at night consumed by the massive problems you're trying to solve. You put most of your mental energy toward inching closer to the goal every single day.

Care doesn't scale, though. This mode of operation can only handle one or two clients at any given time.

The nature of services demands a different level of accountability than what most clients or industry professionals would typically expect of a product-focused company.

Product companies aren't irresponsible. They operate on a different accountability spectrum.

At one end: ship software, provide documentation, offer support tickets. At the other: own outcomes end-to-end, automate fixes, guarantee results.

Most cybersecurity product companies cluster in the first third of the range because deeper accountability hasn't historically scaled — or at least, it hasn't until now.

Varonis is betting they can move the median.

Something I have grown to admire about Varonis is the extraordinary level of ownership and accountability they aspire to take as a product company. Their find, fix, alert mantra is all-encompassing and all-consuming in a way that's rare to see in the industry.

They literally aspire for a world where their customers barely have to lift a finger to protect their data.

It's remarkable to even make or assert a statement like that in the first place (and actually mean it).

Most cybersecurity companies won't go that far. It's a completely next-level thing to actually be far down the path of doing it, but there is a ton of substance and evidence of execution that shows how Varonis is bringing their vision closer to reality.

More tactically, for Varonis and the data security market at large, that means a few things.

Finding and classifying data is table stakes.

That's the easy part, at least in theory. Surprisingly, it's not, especially when you get into the larger enterprise customer segment, which has a significant amount of sensitive data both on-premise and spread across multiple cloud providers, data stores, and SaaS applications.

For this kind of customer, the ideal customer profile for a data security platform, just finding cloud data isn't good enough. You have to be able to find and classify their data across every data store imaginable, including the old gnarly on-premise ones that most startups don't want to touch.

Varonis has exhaustively done this, maybe in some ways to their own detriment. They built, enhanced, and supported on-premise data stores for a long time because that's what matters to their customers. By their own admission, they were later than they should have been to the cloud, but they've caught up quickly with the SaaS product.

Basic data security posture management products aren't at a point where they're able to be accountable for even discovering and classifying every piece of data. Focusing on cloud data stores is a nice start, but enterprise CISOs need everything. Even that old filer over there. You know, the one with a bunch of credit cards sitting on it.

Things really start to get difficult when you try fixing problems.

For an enterprise security leader, there is a massive difference between finding data security issues and opening tickets for them versus automatically fixing the issues without intervention.

Tickets may work for smaller organizations with less data and modern tech stacks, but this approach to fixing does not scale at enterprise level.

If Varonis hadn't taken deep accountability for fixing the data security issues they find, they would have been at risk of going the way of the vulnerability management companies, who notoriously found vulnerabilities and left the patching and remediation to somebody else.

The fixing for Varonis goes beyond the traditional data security domain when necessary. To me, this is strategic, not overreaching.

One example: if data is exposed because of an identity-related permissions issue, Varonis believes it is their responsibility to fix the issue. The easy route would be to hand this off through a ticket or to another identity product and say "this is not my problem."

Varonis continues to double down on owning more and more of the accountability for fixing data security problems they identify, regardless of which domain the fix is in.

A more recent extension of accountability is through services.

Varonis's Managed Data Detection and Response (MDDR) service offering was a surprise to me, mainly because it is so rare for cybersecurity product companies to willfully operate a managed services business themselves. Historically, an overwhelming majority of companies outsource this to managed services partners.

I'll admit that I was a bit skeptical of this offering when Varonis first announced it, but in hindsight, this tracks with the overall accountability theme.

I don't think Varonis really cared what the financial profile of the services business was. They just felt like it was the best thing for their customers, so they did it.

The offering has performed amazingly well by almost any account (and certainly exceeded my expectations).

I think this could even be a model for other product companies in the future. It sounds trite, but this is a tangible example of delivering outcomes, not just products. The product (the SaaS product, in particular) is certainly an enabler of the outcome, but (at least for now) you need people too.

Hard strategic decisions

Hard strategic decisions are the cost of accountability at scale.

Without strategic context, I can see how announcements like the one we heard yesterday seem jarring. It feels like an extreme and binary decision to end support for a product that carried the company for 20 years (and risk churning customers who aren't along for the ride).

I think the aha moment for Varonis was acknowledging how much they want to be accountable for customer outcomes, then laying the groundwork across many tactical decisions to make it happen.

This buildup has been happening for years. It just feels more real now.

Ending support for the on-premise product and going all-in on SaaS isn't about cutting costs — it's about closing the delta between the level of accountability they can take on-premise versus what they can do now (and going forward) with the SaaS product.

The choice is obvious.

Varonis made it far enough in their SaaS transition to build conviction and make this call now.

Long after the drama from the earnings report cycles through the news and the stock volatility settles, it will be clear this was the right move.

The band-aid is off. The anticipation was worse than the sting. That short-term sting clears the path for what matters: accountability at scale.
