ANNUAL REPORT 2024 2 Annual Report TO OUR SHAREHOLDERS, Our mission to secure our customers’ data wherever it lives has never been as critical as it is today. Two years ago, we announced our SaaS transition, and we are excited by the momentum we are seeing and the positive reception from our customers, people and partners. Data is the core asset of every organization, and Varonis protects this asset from internal and external threats using automation. Our ability to innovate with our SaaS platform has accelerated, and over the past year we greatly increased our coverage and functionality to help customers better protect their data with less effort, and there continues to be more opportunity ahead of us than behind us. In 2024, Varonis had a number of achievements, such as: $641.9M Annual Recurring Revenues (As of Dec. 31, 2024 — 18% y/y Growth) \\ ServiceNow \\ Databricks \\ Google Cloud \\ AWS \\ Snowflake \\ Varonis for Microsoft 365 Copilot \\ Universal Database Connector Product Coverage Expansion $115.2M Cash Flow from Operations $108.5M Free Cash Flow 53% SaaS ARR as a % of Total ARR $460M Issuance of Convertible Senior Notes Our Managed Data Detection and Response offering is the fastest adopted new product launch in the history of Varonis and is a game changer when it comes to enabling customers to better protect their data in today’s dangerous threat environment. Varonis is also helping enable organizations of all sizes to safely adopt Generative AI. We are well on our way to becoming a fully SaaS company, and there are so many benefits we will continue to realize as we complete the transition. This is why we plan to accelerate our transition timeline, and now we expect to complete it by the end of 2025 – a year earlier than our previous outlook and two years earlier than our initial expectations. This progress also gets us closer to achieving our $1 billion ARR target in 2027. We appreciate your support and investment in Varonis and look forward to capturing the growing market opportunity ahead of us, which we believe will unlock substantial value for all Varonis customers, employees, partners, and shareholders. UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 10-K (Mark One) ☒ ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 for the Fiscal Year Ended December 31, 2024 or □ TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 for the transition period from to Commission file number: 001-36324 VARONIS SYSTEMS, INC. (Exact name of registrant as specified in its charter) Delaware 57-1222280 (State or other jurisdiction of incorporation or organization) (I.R.S. Employer Identification No.) 1250 Broadway, 28th Floor New York, NY 10001 (Address of principal executive offices) (zip code) Registrant’s telephone number, including area code: (877) 292-8767 Securities registered pursuant to Section 12(b) of the Act: Title of each class Trading Symbol(s) Name of each exchange on which registered Common Stock, par value $0.001 per share VRNS The NASDAQ Stock Market LLC Securities registered pursuant to Section 12(g) of the Act: None Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒No □ Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes □No ☒ Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes ☒No □ Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes ☒No □ Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of ‘‘large accelerated filer,’’ ‘‘accelerated filer,’’ ‘‘smaller reporting company,’’ and ‘‘emerging growth company’’ in Rule 12b-2 of the Exchange Act. Large Accelerated Filer ☒ Accelerated Filer □ Non-accelerated Filer □ Smaller reporting company □ Emerging growth company □ If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. □ Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☒ If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. □ Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). □ Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act). Yes □No ☒ As of June 30, 2024, the aggregate market value of the registrant’s voting and non-voting common equity held by non-affiliates was approximately $5.25 billion. As of January 31, 2025, the registrant had 112,550,156 shares of common stock, par value $0.001 per share, outstanding. DOCUMENTS INCORPORATED BY REFERENCE Portions of the Registrant’s Proxy Statement relating to the 2025 Annual Meeting of Stockholders are incorporated by reference into Part III of this Annual Report on Form 10-K. Special Note Regarding Forward-Looking Statements and Summary Risk Factors This report contains, and management may make, certain forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended (the ‘‘Securities Act’’), and Section 21E of the Securities Exchange Act of 1934, as amended (the ‘‘Exchange Act’’). All statements, other than statements of historical facts, may be forward-looking statements. Forward-looking statements are often identified by the use of words such as ‘‘anticipate,’’ ‘‘believe,’’ ‘‘can,’’ ‘‘continue,’’ ‘‘could,’’ ‘‘estimate,’’ ‘‘expect,’’ ‘‘intend,’’ ‘‘likely,’’ ‘‘may,’’ ‘‘plan,’’ ‘‘project,’’ ‘‘seek,’’ ‘‘should,’’ ‘‘strategy,’’ ‘‘target,’’ ‘‘will,’’ ‘‘would’’ and similar expressions or variations intended to identify forward-looking statements. These statements are based on the beliefs and assumptions of our management based on information currently available to management. Such forward-looking statements are subject to risks, uncertainties and other important factors, many of which are difficult to predict and generally beyond our control, that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified in the ‘‘Summary Risk Factors’’ below and those discussed in ‘‘Item 1A-Risk Factors’’ and ‘‘Item 7-Management’s Discussion and Analysis of Financial Condition and Results of Operations.’’ Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements. The risks that might cause actual results to differ from our expectations include, among other things, those that may be disclosed from time to time in subsequent reports filed with or furnished to the SEC, those described under ‘‘Risk Factors’’ set forth in Item 1A of this Annual Report, and the following, which also summarizes the principal risks of our business: • the fact that the market for software that analyzes, secures, governs, manages and migrates enterprise data may not continue to grow or grow at the same pace; • prolonged economic uncertainties or downturns; • currency exchange rate fluctuations; • increased competition; • security breaches, cyberattacks or other cyber-risks and failure to comply with legal requirements, contractual obligations and industry standards regarding security, data protection and privacy; • our expansion into cloud-delivered services; • our ability to predict renewal rates and manage growth effectively; • fluctuation in our quarterly results of operations due to variability in our revenues; • our limited operating history at our current scale, which makes it difficult to evaluate and predict our future prospects; • our history of losses; • our ability to maintain strong relationships with our channel partners, including distributors and resellers, to whom we sell substantially all of our products and services; • risks inherent in our international operations, including military conflicts that could impact operations, the effect of export and import controls and the risk of a violation or alleged violation of applicable anti-corruption or anti-bribery laws; • collection and credit risks; • our ability to maintain or enhance our brand recognition or reputation; • our ability to retain, attract and recruit highly qualified personnel; • our dependency on the continued services and performance of our co-founder, Chief Executive Officer and President; • our ability to continually enhance and improve our technology; i • the fact that, if we experience interruptions or performance problems with our products, or if our software is not perceived as being secure, customers may reduce the use of or stop using our products; • our ability to protect our proprietary technology and intellectual property rights; • the fact that our tax rate may vary significantly depending on our stock price; • our ability to fully utilize our net operating loss carryforwards; • our indebtedness; and • stock price volatility. You should not place undue reliance on forward-looking statements. All forward-looking statements attributable to us or persons acting on our behalf are expressly qualified in their entirety by the foregoing cautionary statements. All such statements speak only as of the date of this Annual Report and, except as required by law, we undertake no obligation to update or revise publicly any forward-looking statements, whether as a result of new information, future events or otherwise. ii VARONIS SYSTEMS, INC. ANNUAL REPORT ON FORM 10-K For The Fiscal Year Ended December 31, 2024 TABLE OF CONTENTS Page PART I Item 1 Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Item 1A Risk Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Item 1B Unresolved Staff Comments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Item 1C Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Item 2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Item 3 Legal Proceedings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Item 4 Mine Safety Disclosures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 PART II Item 5 Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Item 6 Reserved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Item 7 Management’s Discussion and Analysis of Financial Condition and Results of Operations . 44 Item 7A Quantitative and Qualitative Disclosures About Market Risk . . . . . . . . . . . . . . . . . . . . . . . . . 58 Item 8 Financial Statements and Supplementary Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Item 9 Changes in and Disagreements with Accountants on Accounting and Financial Disclosure . 96 Item 9A Controls and Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Item 9B Other Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Item 9C Disclosure Regarding Foreign Jurisdictions that Prevent Inspections . . . . . . . . . . . . . . . . . . . 97 PART III Item 10 Directors, Executive Officers and Corporate Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Item 11 Executive Compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Item 12 Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Item 13 Certain Relationships and Related Transactions, and Director Independence . . . . . . . . . . . . . 98 Item 14 Principal Accounting Fees and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 PART IV Item 15 Exhibits and Financial Statement Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Item 16 Form 10-K Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 iii [This page intentionally left blank] PART I Item 1. Business We were incorporated under the laws of the State of Delaware on November 3, 2004 and commenced operations on January 1, 2005. Our principal offices are located at 1250 Broadway, 28th Floor, New York, NY 10001. For convenience in this report, the terms ‘‘Company,’’ ‘‘Varonis,’’ ‘‘we’’ and ‘‘us’’ may be used to refer to Varonis Systems, Inc. and/or its subsidiaries, except where indicated otherwise. Our telephone number is (877) 292-8767. Overview Varonis is a leader in data security as, since we started operations in 2005, we recognized that an enterprise’s capacity to create and share data far exceeded its capacity to protect it. We believed that rapid data growth combined with increasing information dependence would change the global economy and the risk profiles of all organizations - from corporations to governmental agencies. Our focus has been on using innovation to address the cyber-implications of these trends, creating software that provides new ways to track, alert and protect data wherever it is stored. Data continues to grow in new and existing data stores both in the cloud and on-premises, a trend we have seen accelerate as companies worldwide undergo waves of digital transformation and artificial intelligence (‘‘AI’’) initiatives that have significantly impacted how they must approach data security. While the significant increase of software-as-service (‘‘SaaS’’) and infrastructure-as-service (‘‘IaaS’’) usage has accelerated workforce collaboration and information technology (‘‘IT’’) operations, it has also created unprecedented data sprawl and complexity that have contributed to a growing number of catastrophic data breaches. We believe the adoption of generative artificial intelligence (‘‘Gen AI’’) tools will dramatically compound data growth and introduce new data security challenges that can only be addressed with automation. Gen AI-powered productivity features, commonly called ‘‘copilots,’’ are now embedded within applications such as Microsoft 365, Salesforce, Google Workspace, and Box. These tools typically leverage existing data security controls to determine which sensitive information can be used by AI; if an organization’s data security controls are not optimized, they face an increased risk of unintentional data exposure and potential abuse by malicious actors. As organizations customize AI agents (such as Microsoft Copilot Studio and Salesforce Agentforce) and train their own large language models (‘‘LLMs’’), we believe additional challenges around the security of training data, models and the underlying infrastructure will require automated solutions. In addition to data growth, companies face an environment where threat actors continue to refine their strategies to monetize sensitive data and the risk of substantial fines for noncompliance with data-centric regulations continues to grow. At the same time, organizations are seeing a global scarcity of in-house technical expertise, as the demand for cybersecurity professionals significantly outpaces supply, and IT and security experts are under pressure to solve growing problems with fewer resources. We believe that these trends provide us with a long-term opportunity to fulfill our mission of protecting sensitive data for our customers and alleviating the resource pressure and skills shortage that companies face through our automation capabilities and Managed Data Detection and Response (‘‘MDDR’’) offering. Enterprises now use many different combinations of data stores and applications, making it difficult to holistically visualize, quantify and control data breach risk without a unified data security platform. We believe our offering’s comprehensive data coverage and automation allows organizations to keep pace with the relentless data growth, sprawl and complexity. We started in 2005 with coverage for Windows file shares. Today, we offer coverage for most mission-critical cloud and on-premises data stores, cloud infrastructure environments, identity repositories and many critical SaaS applications. In 2022, we announced the availability of our flagship Varonis Data Security Platform as a SaaS, which offers simpler deployment, faster time-to-value, and groundbreaking automation capabilities that help customers prevent data breaches. Since that time, we have seen SaaS deployments grow significantly and expect them to continue to increase through 2025, when we believe our transition to a SaaS delivery model to be complete. Varonis software enables enterprises of all sizes and industries to protect data stored in the cloud and on-premises, including: sensitive files, emails and databases; confidential personal data belonging to customers, 1 patients and employees; financial records; source code, strategic and product plans; and other intellectual property. Recognizing the challenge of protecting data with growing volume, velocity and variety, we have built an integrated platform to simplify and streamline data security, threat detection and response and data privacy and compliance. The Varonis Data Security Platform helps enterprises protect data against cyberattacks from both external and internal threats. Our technology enables enterprises to analyze data, application and account activity and user behavior to help detect and prevent attacks. Varonis prevents or limits unauthorized use of sensitive information, detects and prevents potential cyberattacks and limits potential damage by automatically locking down data, allowing access to only those who need it, and automating the removal of stale data when it is no longer useful. The Varonis Data Security Platform is driven by a proprietary technology, our Metadata Framework, that extracts critical metadata, or data about data, from an enterprise’s IT infrastructure. Our platform uses this contextual information to map functional relationships among employees, data objects, systems, content and usage. In doing so, our platform provides real-time intelligence about an enterprise’s massive volumes of data, making it more secure, accessible and manageable. We believe that the (i) Varonis Data Security Platform technology, (ii) coverage for most mission-critical cloud and on-premises data stores and cloud infrastructure environments, identity repositories and many critical SaaS applications and (iii) technical experts within the Company who continue to expand and improve our offering are our primary, hard to replicate competitive advantages. The strength of our solution is driven by several proprietary technologies and methodologies that we have developed, coupled with how we have combined them into our highly versatile platform. Our belief in our technological advantage stems from having developed a way to do each of the following: • analyze the relationships between users and data with sophisticated algorithms, including cluster analyses and machine learning; • visualize and depict the analyses in an intuitive manner, including simulating contemplated changes and automatically executing tasks that are becoming increasingly more complex for IT and business personnel; • identify and automatically classify data as sensitive, critical, private or regulated, to help organizations ensure compliance with regulations, including the General Data Protection Regulation (‘‘GDPR’’) and the California Consumer Privacy Act (‘‘CCPA’’); • automate remediation of excessive access to sensitive information across large data stores and cloud applications to safely ensure a Zero Trust or least privilege model; • profile users, devices and data to detect suspicious account behavior and unusual file and email activity using deep analysis of metadata, machine learning and user behavior analytics; • profile cloud configurations and interconnectivity to identify potential exposure and abuse; • generate meaningful, actionable alerts when security-related incidents are detected; • enable security teams to investigate and respond to cyber threats more quickly and conclusively with the help of Gen AI; • automatically respond to severe incidents, such as ransomware, to limit the potential impact and reduce recovery times; • provide customers live updates to our platform, which address the rapidly evolving threats they face; • determine relevant metadata and security information to capture without impacting the enterprise’s computing and network infrastructure; • modify and enrich that metadata in a way that makes it comparable and analyzable despite it having originated from disparate IT systems, and create supplemental metadata, as needed, when the existing IT infrastructure’s activity logs are insufficient; • decipher the key functional relationships of metadata, the underlying data, and its creators; and • use those functional relationships to create a graphical depiction, or map, of the data that will endure as enterprises continuously add large volumes of data to their network and storage resources. 2 The broad applicability of our technology has resulted in our customers deploying our software for numerous use cases. These use cases include: automatic discovery and classification of high-risk, sensitive data; data security posture management; SaaS security posture management; automated remediation of over-exposed data; centralized visibility and risk analysis of enterprise data and monitoring of user behavior and file activity; security monitoring and risk reduction; data breach, insider threat, malware and ransomware detection with MDDR; automatic response to ransomware and other severe incidents to limit exposure and reduce recovery times; data ownership identification, assignment, and automatic involvement; forensics, reporting and auditing with searchable logs; meeting security policy and compliance regulation; automatic data migration; cloud migration; automation of retention and disposition policies; automatic data quarantine; intelligent archiving; and automated indexing for data subject requests related to privacy and compliance requirements. We sell substantially all our products and services to channel partners, including distributors and resellers, which sell to end-user customers, whom we refer to in this report as our customers. Our products are also available to trial and purchase via the Azure Marketplace, AWS Marketplace, and Salesforce AppExchange. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force, has and will continue to play a major role in our ability to grow and successfully deliver our unique value proposition for securing enterprise data. While our products serve customers of all sizes, across all industries and all geographies, the marketing focus and majority of our sales focus is on targeting larger organizations who can make sizable initial purchases with us and, over time, have a greater potential lifetime value. Our customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, education and construction and engineering sectors. We believe our existing customer base is a strong source of future incremental revenues given our broad platform of products, the growing volumes and complexity of their enterprise data and the associated security concerns. Size of Our Market Opportunity The International Data Corporation’s Global DataSphere Forecast, 2024-2028, predicts that over the next five years, data will reach approximately 394 zettabytes (or 394 trillion Gigabytes) by 2028, representing a nearly 10x increase compared to 2018. That data will include both structured and unstructured data, but unstructured data overwhelmingly dominates, accounting for approximately 90% of the data created each year. We expect this significant growth to continue creating a need for automation technologies to protect and manage data. We believe that the diverse coverage and functionality offered by our platform positions us well to capitalize on this powerful trend in the digital universe. Our Technology Our proprietary technology extracts critical information about an enterprise’s data and its supporting infrastructure, and uses this contextual information, or metadata, to create a functional map of an enterprise’s data and underlying file systems. Our Metadata Framework technology has been architected to process large volumes of enterprise data and related metadata at a massive scale with minimal demands on the existing IT infrastructure. At the end of 2022, Varonis announced the availability of our flagship Varonis Data Security Platform as a SaaS. The benefits of SaaS delivery are widely established for both customers and providers, and we believe this evolution of a SaaS delivery option for the Varonis Data Security Platform is transformational for several reasons: customers are able to more quickly and easily deploy and maintain our solutions with reduced infrastructure and personnel requirements; a lower total cost of ownership; faster deployment of risk assessments, which is the core of our sales motion; enhanced threat detection; continual threat model updates; increased automation for securing data in place; and the ability to deliver additional features and functionality to customers more efficiently. In addition, our MDDR offering further reduces both the likelihood of a breach and its potential impact by enabling automated 24x7x365 monitoring with a service level agreement (‘‘SLA’’) that ensures Varonis will respond to alerts within a specified time frame. Our MDDR offering is only available for our SaaS customers because of the automation and visibility that’s built into our SaaS platform. On November 14, 2023, we announced an expansion of our AI and machine learning capabilities with the launch of Athena AI, a new Gen AI layer within the Varonis Data Security Platform. The initial functionality provided by Athena AI includes (i) an AI-powered security operations center (SOC) analyst that combines LLMs with Varonis’ unique context about an organization’s data, identities, devices and previous alerts to instantly generate tailored alert response playbooks and recommendations and (ii) a natural language search interface that lets users run reports, perform risk analysis and conduct security investigations without any domain-specific knowledge or product expertise. 3 Key Benefits of Our Technology We believe our transition to SaaS enhances many of the benefits described below and allows us to deliver additional benefits to customers that our cloud technology unlocks. Varonis has better visibility into customer usage, issues, and behaviors that better inform our innovation; customers seamlessly benefit from continual threat model updates that help them stay ahead of evolving threats; and the SaaS model allows us to deliver additional features and functionality to customers more efficiently. Automated Data Security Comprehensive Solution for Managing and Protecting Enterprise Data. Our products enable a broad range of functionality, including AI security, data governance, least privilege and Zero Trust, as well as intelligent retention. Moreover, our solution is applicable across most major enterprise data stores, cloud infrastructure environments and SaaS applications (Windows, UNIX/Linux, Intranets, email systems, Microsoft 365, including SharePoint Online, Teams and OneDrive for Business, Salesforce, AWS, Azure, Google Cloud, Google Workspace, Databricks, ServiceNow, Snowflake, Slack, GitHub, Okta, Box, Jira, Zoom and databases). Actionable Insight and Automation. Our products help customers identify and prioritize risks to their data and automatically remediate exposures so that they are less vulnerable to internal and external threats, more compliant and consistently follow a least privilege model. Because of the complexity present in even modest enterprises, we believe that effective remediation is impossible at scale without intelligent automation. Visibility and Data Monitoring Capabilities All in One Place. Our solution combines analysis from disparate on-premises and cloud stores, applications and infrastructure environments and presents them in a single view, even as data storage and user access become more dispersed and complex in hybrid environments. Fast Time-to-Value and Low Total Cost of Ownership. Our solutions do not require custom implementations or long deployment cycles. Our software can be deployed in under an hour and allows customers to realize real value with minimal effort. Our SaaS architecture enables customers to protect petabyte-scale data environments with little to no infrastructure costs and by leveraging our automation capabilities and MDDR service, customers can significantly reduce their personnel expenses. Ease of Use. While we utilize complex data structures and algorithms in our data engine, we abstract that complexity to provide a sleek, intuitive interface. Our software is accessible through a standard web browser and requires limited training, saving time and cost and making it accessible to a broader set of users. Highly Scalable and Flexible Data Engine. Our metadata analysis technology is built to be highly scalable, allowing our customers to analyze vast amounts of enterprise data. Moreover, our proprietary platform is built with a flexible, modern cloud architecture, allowing customers to expand their data coverage seamlessly and transparently without impacting performance. Threat Detection and Response Threat Detection and Response with User, Data and System Context. Our solutions combine classification and data access governance with User and Entity Behavior Analytics (‘‘UEBA’’) on data stores, cloud applications, identity repositories and perimeter devices, including Domain Name System (‘‘DNS’’), Virtual Private Network (‘‘VPN’’) and web proxy, for accurate detection and risk reduction. Our solutions reduce risk relating to unauthorized use and cyberattacks and reduce incident time to detection (TTD) and time to resolution (TTR). Protect Data from Insider Threats, Data Breaches, Malware and Cyberattacks. Our solutions analyze how employee accounts, service accounts and admin accounts use and access data, profile employees’ roles and file contents, baseline ‘‘normal’’ behavior patterns, and alert on significant deviations from profiled behaviors. Our customers can detect advanced persistent threats (‘‘APTs’’), cybercriminals, rogue insiders, attackers that have compromised internal systems and employee accounts, malware, ransomware and other significant threats. Managed Data Detection and Response. Under a SaaS delivery model, the Varonis incident response and forensics teams can review, triage, and proactively notify customers of any incidents that require their attention. Because Varonis centrally monitors a wide array of customer environments, we can spot patterns across tenants and take action to prevent data breaches and analyze our security team’s actions to continually extend our 4 automated capabilities. In 2023, we introduced Proactive Incident Response, a complementary service included in customers’ Varonis SaaS subscription. We expanded upon this offering in early 2024 by introducing MDDR, which gives customers the option to upgrade to 24x7x365 monitoring with a SLA that requires Varonis to respond to alerts within a specified time frame. Compliance Discover and Identify Regulated Data. Our solutions automatically discover, identify and classify sensitive, critical and regulated data to help meet privacy and compliance requirements. Monitor and Detect Security Vulnerabilities. Our solutions analyze, monitor, detect and report on potential security vulnerabilities: helping companies achieve compliance by creating full audit trails, achieving a least privilege model and locking down sensitive data to only those who need it, and facilitating breach notification and security investigations. By ensuring the least privilege, monitoring all access and alerting on potential misuse, Varonis enables privacy by design on data stores containing sensitive and regulated information. Fulfill Data Subject Access Requests (‘‘DSARs’’) and Protect Consumer Data. Our solutions help fulfill DSARs from file systems on-premises and in the cloud. Customers can easily find relevant files, pinpoint who has access and enforce policies to move and quarantine regulated data. Our Growth Strategy Our objective is to be the primary vendor that enterprises turn to protect their data. The following are key elements of our growth strategy. Extend Our Technological Capabilities Through Innovation and Strategic Transactions. We intend to increase, in absolute dollars, our current level of investment in product development to enhance existing products to address new use cases and continue to deliver new products, including through acquisitions. We believe that the flexibility, sophistication and broad applicability of our platform will allow us to use this framework as the core of numerous future products built on our same core technology. Our ability to leverage our research and development resources has enabled us to create a new product development engine that we believe can proactively identify and solve enterprise needs and help us further penetrate and grow our markets. We will continue to seek additional opportunities to extend our technological capabilities and grow our business, from continued organic investments in our research and development efforts to technological acquisitions. Grow Our Customer Base. The unabated rise in enterprise data, ubiquitous reliance on digital collaboration and increased cybersecurity concerns continue to drive demand for data protection, compliance and threat detection and response solutions. We intend to capitalize on this demand by targeting new customers, underpenetrated markets and use cases for our solutions. Our solutions address the needs of customers of all sizes, ranging from small and medium-sized businesses to large multinational companies with hundreds of thousands of employees and petabytes of data. Although our solutions apply to organizations of all sizes, we have and will continue focusing on targeting larger organizations that can make larger purchases with us initially and over time. Increase Sales to Existing Customers. We believe significant opportunities exist to further expand relationships with existing customers. Data growth and related security concerns continue across all data stores, and enterprises want to standardize solutions that help them manage, protect and extract more value from their data, wherever it is stored. We expect to continue to drive incremental sales from our existing customers through the increased use of our software within our installed base by expanding our footprint and usage. We believe our existing customer base is a strong source of future incremental revenues given our broad product functionality, the growing volume and complexity of enterprise data and the associated security concerns. As we continue to innovate by addressing more use cases, adding more data coverage, and providing automated data security outcomes to customers, we expect to see broader and stickier adoption of our platform. In addition, our transition to a SaaS delivery model provides us with a unique opportunity to convert existing customers to our SaaS offering. Our renewal rate for the year ended December 31, 2024 continued to be over 90%. Our key strategies to ensure a high renewal rate for our products include focusing on the quality and reliability of our customer service and support teams and providing software upgrades and enhancements when available. Grow Sales from Our New Products and Functionality. We continue introducing additional products and enhancements to existing products to support new functionalities and believe these can also be a meaningful 5 contributor to our growth. In October 2020, we announced the acquisition of Polyrize Security Ltd. (‘‘Polyrize’’), whose technology was used for the launch of DatAdvantage Cloud which provides support for cloud applications and infrastructure, including Salesforce, AWS, Azure, Google Cloud, Google Workspace, Databricks, ServiceNow, Snowflake, Slack, GitHub, Okta, Box, Jira, Zoom and databases. At the end of 2022, we announced the availability of our flagship Varonis Data Security Platform as a SaaS, which was previously only sold as a self-hosted solution. Additionally, in 2024 we began offering MDDR to our SaaS customers, which further reduces both the likelihood of a breach and its potential impact by enabling automated 24x7x365 monitoring with a SLA that requires Varonis to respond to alerts within a specified time frame. Expand Our Sales Force. Continuing to expand our sales force will be essential to achieving our customer base expansion goals. Our approach to in-house development of sales representatives has been key to our successful growth in the past and will be central to our growth plan in the future. While our products serve customers of all sizes, across all industries and all geographies, the marketing focus and majority of our sales focus is on targeting larger organizations who can make sizable initial purchases with us and, over time, generate a greater potential lifetime value. Our customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, education and construction and engineering sectors. We also believe our existing customers represent significant future revenue opportunities for us. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force to efficiently identify leads, perform risk assessments and convert them to satisfied customers, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. Establish Our Data Security Platform as the Industry Standard. We have worked with several of the leading providers of NAS and hybrid cloud storage, including Dell/EMC, IBM and NetApp, as well as the major cloud service providers such as Microsoft, Amazon, Google and Salesforce to expand our market reach and deliver enhanced functionality to our customers. We have worked with these vendors to ensure compatibility with their product lines. Using application programming interfaces (APIs), and other integration work, our solutions also integrate with many providers of solutions in the ecosystem. We will continue to pursue such collaborations wherever they advance our strategic goals, thereby expanding our reach and establishing our platform as the de facto industry standard for enterprise data. Continue International Expansion. We believe there is a significant opportunity for our platform to address the need for data protection and threat detection and response in international markets. Revenues from Europe, the Middle East and Africa (‘‘EMEA’’) accounted for 21% and revenues from Rest of World (‘‘ROW’’) accounted for 6% of our revenues in 2024. We believe that international expansion will be a key component of our growth strategy, and we will continue to invest and market our products and services overseas. Our Products With the introduction of our flagship Varonis Data Security Platform as a SaaS, we are transitioning away from selling on-premises subscription licenses. Our SaaS offering is sold as a platform license, providing the functionality of multiple core modules in a single license. Our on-premises subscription licenses, on the other hand, offers an array of modules that customers can purchase individually or as a bundle. Software-as-a-Service (‘‘SaaS’’) Our SaaS product portfolio currently includes two product lines: (1) our flagship Varonis Data Security Platform, which protects Microsoft 365, Windows file shares, Active Directory, Edge devices (VPN, DNS, proxy), UNIX/Linux and hybrid NAS storage, and (2) DatAdvantage Cloud, which protects IaaS environments and SaaS applications such as Salesforce, AWS, Azure, Google Cloud, Google Workspace, Databricks, ServiceNow, Snowflake, Slack, GitHub, Okta and Box, Jira, Zoom and databases. • Varonis Data Security Platform. The success of our license bundles under the on-premises subscription (‘‘OPS’’) model demonstrated that customers want to utilize and benefit from the majority of Varonis’ core functionality from the start. We know that customers who utilize a higher number of licenses see more value upfront through automation and synergy between modules. Therefore, we drastically simplified our subscription licensing under SaaS, combining five of our most popular licenses into a single Varonis Data Security Platform license. The Varonis Data Security Platform SaaS license will include, by default, the functionality of five core modules: DatAdvantage, DatAlert, Automation 6 Engine, Data Classification Engine and Data Classification Policy Pack. We will no longer refer to these licenses by name; rather, they will be considered built-in functionality of the Varonis Data Security Platform SaaS license. In addition to the functionality mentioned above, the Varonis Data Security Platform SaaS license includes new capabilities not available in our self-hosted product suite. Today, the Varonis Data Security Platform SaaS license includes: ○ Data security posture management (‘‘DSPM’’). Provides customers with real-time visibility of their data security posture across their multi-cloud and on-premises data, helps prioritize remediation efforts, and tracks progress over time. ○ Data access intelligence. Combines data sensitivity, permissions, and activity to show customers who has access to critical data (i.e., their data blast radius), how they got access, and whether access is necessary. ○ Data discovery & classification. Automatically and continuously scans the contents of files, folders, and other objects to determine sensitivity with a high degree of accuracy and precision. ○ Discovery policy library. A frequently updated library for identifying and classifying personal information specific to GDPR, CCPA, and US federal controlled unclassified information (CUI). ○ Least privilege automation. Automatically and continuously remediates excessive data access granted via shared links, direct permissions, and group memberships without manual effort and without impacting business continuity. ○ Data activity monitoring. Gives customers a real-time view into who is accessing data directly or through AI (such as copilots) via a normalized and enriched log of data-centric events such as create, open, read, move, modify, and delete. Varonis also tracks, among other things, permission changes, authentication events, password updates and shared link activity. ○ Data detection and response. Provides high-fidelity, data-centric alerts and automated response actions. Includes a web-based alerts dashboard and investigative interface, and seamlessly integrates with security information and event management systems (SIEM). ○ User & entity behavior analytics. Profiles users and devices and their associated behaviors with respect to systems and data, detects and alerts on meaningful deviations that indicate compromise. New UEBA threat models are automatically delivered to customers to guard against evolving tactics used by cybercriminals, insiders and advanced persistent threats (APTs). Varonis Data Security Platform SaaS customers can decide which data stores, applications, and infrastructure environments they want to protect by purchasing ‘‘Protection Packages.’’ Our SaaS platform supports every resource covered by our self-hosted version, and we believe our SaaS architecture will allow us to move quickly to add support for new resources. Additionally, SaaS customers can purchase MDDR which further reduces both the likelihood of a breach and its potential impact by enabling automated 24x7x365 monitoring with a SLA that requires Varonis to respond to alerts within a specified time frame. The Protection Packages currently available for the Varonis Data Security Platform SaaS are: ○ Microsoft 365. Includes support for SharePoint Online, OneDrive for Business, Microsoft Teams, and Entra ID (formerly known as Azure AD). Customers can purchase add-on support for Exchange Online and Microsoft 365 Copilot. ○ Windows & NAS. Includes support for Windows/CIFS-based file shares and NAS storage such as Nutanix, Nasuni, Panzura, Pure Storage, NetApp and Dell EMC. Customers can purchase add-on support for on-premises Active Directory, UNIX/Linux and Edge devices (VPN, DNS, proxy). ○ Hybrid. Combined support for the protected resources in the Microsoft 365 and Windows & NAS packages. • Varonis DatAdvantage Cloud. DatAdvantage Cloud is a SaaS platform that helps organizations protect data across SaaS applications and IaaS environments. DatAdvantage Cloud offers functionality similar to our flagship Varonis Data Security Platform including, but not limited to, data security posture management, SaaS security posture management, data classification, data access intelligence, data 7 activity monitoring, data detection and response, and least privilege automation. The protected resources currently available for DatAdvantage Cloud are Salesforce, AWS, Azure, Google Cloud, Google Worskpace, Databricks, ServiceNow, Snowflake, Slack, GitHub, Okta, Box, Jira, Zoom and databases. On-Premises Subscription Our self-hosted product licenses utilize our core technology to deliver features and functionality that allow enterprises to fully understand, secure and benefit from the value of their data. This architecture gives our clients the ability to select the features they require for their business needs and the flexibility to expand their usage simply by adding a license, and the fully integrated nature of our products allows individual products to enhance the functionality of the others. • DatAdvantage. DatAdvantage, our flagship product, captures, aggregates, normalizes and analyzes every data access event for every user on Windows and UNIX/Linux servers, storage devices, email systems, Intranet servers, cloud applications and data stores, without requiring native operating system auditing functionalities or impacting performance or storage on file systems. • DatAlert. DatAlert profiles users and devices and their associated behaviors with respect to systems and data, detects and alerts on meaningful deviations that indicate compromise and seamlessly integrates with security information and event management systems (SIEM). • Data Classification Engine. Data Classification Engine identifies and tags data based on criteria set in multiple metadata dimensions and provides business and IT personnel with actionable intelligence about this data. • DataPrivilege. DataPrivilege provides a self-service web portal that allows users to request access to data necessary for their business functions and allows owners to review accessibility. • Data Transport Engine. Data Transport Engine provides an execution engine that unifies the manipulation of data and metadata, translating business decisions and instructions into commands, such as data migration or archiving. • DatAnswers. DatAnswers provides a secure, relevant and timely search functionality for enterprise data and helps companies comply with data privacy regulations, eDiscovery requests and to facilitate data subject access requests. Our Customers We currently have customers in over 95 countries. Our customers span numerous industries and vary greatly in size, ranging from small and medium businesses to large multinational enterprises and government agencies. Our customers include leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, education and construction and engineering sectors, with hundreds of thousands of employees and petabytes of data. Services Maintenance and Support of Subscription and Perpetual Licenses Maintenance and support associated with a term license subscription is included in the Term license subscriptions revenue line of the statement of operations. Maintenance and support associated with past perpetual licenses is included in the Maintenance and services line of the statement of operations. These maintenance agreements provide customers the right to receive support and unspecified upgrades and enhancements when and if they become available during the maintenance period and access to our technical support services. Our renewal rate for 2024 continued to be over 90%. Due to the transition to a SaaS delivery model, we expect maintenance and support revenues related to term license subscriptions to continue to decline. Additionally, we do not expect perpetual license revenues in the future and, accordingly, we expect the associated maintenance and support to continue to decline. We maintain a customer support organization that provides all levels of support to our customers. Our customers that purchase maintenance and support services receive guaranteed response times, direct telephonic support and access to online support portals. Our customer support organization has global capabilities with expertise in both our software and complex IT environments and associated third-party infrastructure. 8 Professional Services While users can easily deploy our software on their own, certain enterprises use our professional service team to provide fee-based services, which include training our customers in the use of our products, providing advice on network design, product configuration and implementation, automating and customizing reports and tuning policies and configuration of our products for the particular characteristics of the customer’s environment. Although professional services have always been a small percentage of our total revenues, we have recently seen, and expect to continue to see, that percentage decline as many of our newer licenses can provide remediation in more automated ways. Sales and Marketing Sales We sell substantially all of our products and services to a global network of resellers and distributors that we refer to as our channel partners. Our channel partners, in turn, sell the products they purchase from us to customers. In addition, we maintain a highly trained professional sales force that is responsible for overall market development, including the management of the relationships with our channel partners and supporting channel partners in winning customers through operating demonstrations and risk assessments. Our channel partners identify potential sales targets, maintain relationships with customers and introduce new products to existing customers. Sales to our channel partners are generally subject to our standard, non-exclusive channel partner agreement. These agreements are generally for a term of one year with an automatic renewal of successive one-year periods and can be terminated by us or the channel partner for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. Payment to us from the channel partner is typically due within 30 to 60 calendar days of the invoice date. Marketing Our marketing strategy focuses on building our brand and product awareness, increasing customer adoption and demand, communicating advantages and business benefits as well as generating leads for our channel partners and sales force. We market our software as the Varonis Data Security Platform, a solution for securing and managing enterprise data. We execute our marketing strategy by leveraging a combination of internal marketing professionals, external marketing partners and a network of regional and global channel partners. Our marketing organization is responsible for branding, content creation, demand generation, field marketing and product marketing, and works with our business operations team to support channel marketing and sales support programs. We provide one-on-one and community education and awareness and promote the expanded use of our software. We host in-person or virtual Varonis Connect! customer events across sales regions, as well as free, online technical webinars across multiple regions. We focus our efforts on highly relevant content, events, campaigns and activities that can be leveraged by our channel partners worldwide to extend our marketing reach, such as information regarding product awards and technical certifications, security training, regional seminars and conferences, webinars, podcasts and various other demand-generation activities. Our marketing efforts also include public relations across multiple regions, industry analyst relations, customer marketing, account-based marketing, targeted advertising, extensive content development available through our website and content syndication, and our active blog. Research and Development Our research and development efforts are focused primarily on improving and enhancing our existing products, as well as expanding our platform to cover new sources of data and developing new products. Use of our products has expanded beyond just data security into threat detection and response, data privacy and data lifecycle management, and we anticipate that customer demand and innovation will drive functionality into additional areas. We regularly release updates to our products which incorporate new features and enhancements to existing ones. We conduct the majority of our research and development activities in Israel, and we believe this provides us with access to world-class engineering talent. In addition, we continue to seek opportunities to extend our technological capabilities and grow our business from strategic technological acquisitions. Intellectual Property We attempt to protect our technology and the related intellectual property under patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions. No single intellectual property right is solely responsible for protecting our products. The nature and extent of legal protection of our intellectual 9 property rights depends on, among other things, its type and the jurisdiction in which it arises. As of December 31, 2024, we had 89 issued patents and 31 pending patent applications in the United States. Our issued U.S. patents expire between 2025 and 2042. We also had 76 patents issued and 34 applications pending for examination in non-U.S. jurisdictions, and 18 pending Patent Cooperation Treaty (‘‘PCT’’) patent applications, all of which are counterparts of our U.S. patent applications. The claims for which we have sought patent protection relate primarily to inventions we have developed for incorporation into our products. In addition to patented technology, we rely on our unpatented proprietary technology and trade secrets. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. We also rely on invention assignment agreements with our employees, consultants and others, to assign to the Company all inventions developed by such individuals in the course of their engagement with the Company. Moreover, we have registered the ‘‘Varonis’’ name and logo and ‘‘DatAdvantage,’’ ‘‘DataPrivilege,’’ ‘‘DatAlert,’’ and other names in the United States and, as related to some of these names, certain other countries. In addition to Company-owned intellectual property, we license software from third parties for integration into our solution, including open-source software and other software available on commercially reasonable terms. It may be necessary in the future to seek or renew licenses relating to various aspects of our products, processes and services. While we have generally been able to obtain such licenses on commercially reasonable terms in the past, such third parties may not continue to maintain such software or continue to make it available to us. Seasonality See Item 7, ‘‘Management’s Discussion and Analysis of Financial Condition and Results of Operations — Seasonality and Quarterly Trends.’’ Competition While there are some companies which offer features similar to those embedded in our platform, we believe that we do not currently compete with a company that offers comparable depth of functionality, scalability, or support for the number of data stores, applications and infrastructure environments that we cover. Nevertheless, we do compete against a select group of software vendors when the scope of a purchase is limited to a specific use case, such as DSPM, data discovery and classification, data privacy, data migration, data subject access requests and/or Active Directory security. As we continue to augment our functionality with AI security, insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs with new regulations, and as these functionalities continue to be recognized as critical to protect enterprise data, we may face increased perceived and real competition from other data security and privacy technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in an evolving market, we anticipate that competition will increase based on customer demand for these types of products. A number of factors influence our ability to compete in the markets in which we operate, including, without limitation: the continued reliability and effectiveness of our products’ functionalities; the breadth and completeness of our solutions’ features; the scalability of our solutions; and the ease of deployment and use of our products. We believe that we generally compete favorably in each of these categories. We also believe that we distinguish ourselves from others by delivering an integrated solution and sophisticated automation to address our customers’ needs regarding data security, threat detection and response, data privacy and retention. However, we may not be able to remain unique in this capacity or continue to be able to compete favorably with other providers in the future. If a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower cloud labor and development costs, all of which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or to devote greater resources to the development, promotion and sale of 10 their products than we do. Increased competition could result in us failing to attract customers or maintain renewals and licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles and loss of market share. In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. Such developments could also limit our ability to generate revenues from existing and new customers. If we are unable to compete successfully against current and future competitors, our business, results of operations and financial condition may be harmed. Employees and Human Capital Resources As of December 31, 2024, we had 2,406 employees and independent contractors who developed, marketed, sold and supported our technology solutions, including 1,081 in the United States, 844 in Israel and 481 in other countries. We understand that our innovation leadership is ultimately rooted in our people. Competition for qualified personnel in the technology space is intense, and our success depends in large part on our ability to recruit, develop and retain a productive and engaged workforce. Accordingly, investing in our employees and their well-being, offering competitive compensation and benefits, promoting diversity and inclusion, adopting effective human capital management practices and community outreach constitute core elements of our corporate strategy. • Offer Competitive Compensation and Benefits. We strive to ensure that our employees receive competitive and fair compensation and innovative benefit offerings, tying incentive compensation to both business and individual performance, offering competitive maternal and paternal leave policies, providing meaningful retirement and health benefits and maintaining an employee stock purchase plan. • Support Employee Well-being and Engagement. We support the overall well-being of our employees from a physical, emotional, financial and social perspective. Our global well-being programs include a long-standing practice of remote working arrangements, flexible paid time off, life planning benefits, wellness platforms and employee assistance. In addition, we ensure ongoing check-ins with employees by HR and managers to provide additional channels of support. We also regularly seek input from employees, including through broad employee satisfaction and pulse surveys on specific issues, intended to assess our degree of success in promoting an environment where employees are engaged, satisfied, productive and possess a strong understanding of our business goals. • Promote Sense of Belonging. We conduct code of conduct trainings with employees and managers to share our views on the importance of respecting all individuals and creating a culture where everyone feels they belong. We have Employee Resource Groups, led by our employees, designed to foster connection, understanding and support. Our customers are located in over 95 countries and our global workforce operates across cultures, functions, language barriers and time zones to provide them dedicated and ongoing support. • Provide Programs for Employee Recognition. We offer rewards and recognition programs to our employees, including awards to recognize employees who best exemplify our values and spot awards to recognize employee contributions. We believe that these recognition programs help drive strong employee performance. We conduct semi-annual employee performance reviews, where each employee is evaluated by their personal manager and also conducts a self-assessment, a process which empowers our employees. Employee performance is assessed based on a variety of key performance metrics, including the achievement of objectives specific to the employee’s department or role. Employees have access to an internal platform to recognize their peers based on their professional and socially responsible contributions to the Company. • Create Opportunities for Growth and Development. We focus on creating opportunities for employee growth, development, training and education, including opportunities to cultivate talent and identify candidates for new roles from within the company, as well as management and leadership development programs. Employee training and education includes online certification, in person certification and 11 new hire training bootcamps. We also conduct manager training programs on an annual basis, which include in-depth managerial and coaching skills, as well as tailored feedback. We have established an internal mentoring program in which seasoned employees mentor new managers based on defined goals. • Promote Community Outreach and Support. We believe it is important to give back and promote community outreach and support through corporate giving and employee volunteerism in the communities in which we live and work. We partner with several organizations providing life skills trainings, coding and basic IT skills, financial literacy and more. All programs are led by our employees on a volunteering basis. We also provide corporate matching of employee charitable donations and flexible volunteering during work time, letting our employees know that we support the charitable efforts that matter to them. Available Information Our website is located at www.varonis.com, and our investor relations website is located at https://ir.varonis.com. The information posted on our website is not incorporated into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Exchange Act are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the Securities and Exchange Commission (the ‘‘SEC’’). You may also access all of our public filings through the SEC’s website at www.sec.gov. Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls and webcasts. 12 Item 1A. Risk Factors Investing in our securities involves risk. You should carefully consider the following risks and all other information contained herein, including our consolidated financial statements and the related notes thereto. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, also may become important factors that affect us. If any of the following risks materialize, our business, financial condition and results of operations could be materially harmed. Risks Related to the Industry in which we Operate The market for software that analyzes, secures, governs, manages and migrates enterprise data may not continue to grow or grow at the same pace. We believe our future success depends in large part on the continued growth of the market for software that enables enterprises to analyze, secure, govern, manage and migrate their data. In order for us to market and sell our products, we must successfully demonstrate to enterprise IT, security and business personnel the risk of their valuable data getting compromised or stolen and the effectiveness of our products to mitigate these risks. Despite a number of high-profile cyberattacks around the world, we must still persuade customers to devote a portion of their budgets to a unified platform that we offer to analyze, secure, govern, manage and extract value from this resource. Enterprises may not recognize the need for our products or, if they do, may not decide that they need a solution that offers the range of functionalities that we offer. The market for our solution may not continue to grow at its current rate or at all and the failure of the market to continue to develop would materially adversely impact our results of operations. Prolonged economic uncertainties or downturns could materially adversely affect our business. Our business depends on our current and prospective customers’ ability and willingness to invest in IT services, including cybersecurity projects, which in turn is dependent upon their overall economic health. Negative conditions in the general economy both in the United States and abroad, including inflationary pressure, currency fluctuations and a higher interest rate environment, changes in gross domestic product growth, instability in connection with political elections, potential future government shutdowns, the federal government’s failure to raise the debt ceiling, financial and credit market fluctuations, the imposition of trade barriers and restrictions such as tariffs, political deadlock, restrictions on travel, natural catastrophes, warfare and terrorist attacks, could cause a decrease in business investments, including corporate spending on enterprise software in general and negatively affect the rate of growth of our business. For example, our operations, and the operations of our customers and partners, were affected by geopolitical turmoil and sanctions caused by the war between Russia and Ukraine, and the COVID-19 pandemic and efforts to control its spread, including by mandatory business closures and capacity limitations imposed by the jurisdictions in which we operate. Similar events and restrictions in the future could negatively affect our business. Uncertainty in the global economy makes it extremely difficult for our customers and us to forecast and plan future business activities accurately. This could cause our customers to reevaluate decisions to purchase our product or to delay their purchasing decisions, which could lengthen our sales cycles and negatively impact our results. In recent years, the European economy experienced economic turmoil that caused the devaluation of local European currencies (specifically, the Euro and the Pound Sterling), inflationary pressures and general economic uncertainty. As a result, there has been, and may in the future be, budgetary tightening and longer sales cycles in the region which may negatively impact our results of operations. The United States could also experience a sustained period of elevated inflation, which may put pressure on discretionary spending by our customers, and a lengthening of our sales cycle in the region, which could negatively impact our results. A downturn in any of our leading industries, or a reduction in any revenue-generating vertical, may cause enterprises to react to worsening conditions by reducing their spending on IT. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. To the extent purchases of our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. In addition, consolidation in certain industries may result in reduced spending on our software. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our business, results of operations and financial condition could be adversely affected. 13 Overall economic uncertainty may in the future give rise to a number of risks, including, but not limited to, the following: • reduced economic activity could lead to a prolonged recession, which could negatively impact spending by our customers or the ability of customers to pay for our services; • not meeting expectations with respect to certain key performance metrics, such as renewal rates and annual recurring revenues; • our ability to enter into new markets and to acquire new customers; • an increase in bad debt reserves as customers face economic hardship and collectability becomes more uncertain, including the risk of bankruptcies; • variability with forward-looking guidance and financial results, including management’s accounting estimates and assumptions; and • our ability to raise capital. The challenges posed by and the full impact of negative conditions in the general economy on our business and our future performance are difficult to predict and there is a risk that any guidance we provide to the market may turn out to be incorrect. We may face increased competition in our market. While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with whom we compete in certain tactical use cases, we believe that we do not currently compete with a company that offers the same breadth of functionalities on the number of platforms and applications that we cover. Nevertheless, we do compete against a select group of software vendors that provide standalone solutions, similar to those found in our comprehensive software suite, in the specific markets in which we operate. We also face direct competition with respect to certain use cases, specifically DSPM, data discovery and classification, privacy, data migration, data subject access requests and Active Directory security. As we continue to augment our functionality with AI security, insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs, such as General Data Protection Regulation (‘‘GDPR’’), the California Consumer Privacy Act (‘‘CCPA’’) and other data privacy laws, we may face increased perceived and real competition from other security and classification technologies. As we expand our coverage and penetration in the cloud, we may face increased perceived and real competition from other cloud-focused technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in an evolving area, we anticipate that competition will increase based on customer demand for these types of products. In particular, if a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles, lower renewal rates and loss of market share. In addition, our current or prospective channel partners may establish cooperative relationships with future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to obtain revenues from existing and new customers. Our ability to compete successfully in our market will also depend on a number of factors, including ease and speed of product deployment and use, the quality and reliability of our customer service and support, total cost of ownership, return on investment and brand recognition. Any failure by us to successfully address current or future competition in any one of these or other areas may reduce the demand for our products and adversely affect our business, results of operations and financial condition. 14 We are subject to a number of legal requirements, contractual obligations and industry standards regarding security, data protection and privacy, and any failure to comply with these requirements, obligations or standards could have an adverse effect on our reputation, business, financial condition and operating results. Privacy and data information security have become a significant issue in the United States and in many other countries where we have employees and operations and where we offer licenses to our products. The regulatory framework for privacy and personal information security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The U.S. federal and various state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations regarding, the collection, distribution, use, disclosure, storage and security of personal information. For example, the CCPA, which went into effect on January 1, 2020, applies to personal data of consumers, business representatives, and employees who are California residents, and requires, among other things, covered companies to provide specific disclosures to California consumers and afford such consumers new abilities to exercise certain privacy rights, including opting out of certain sales of personal information. Consumer rights and obligations under the CCPA were expanded by the California Privacy Rights Act (‘‘CPRA’’) on November 3, 2020. The CPRA took effect on January 1, 2023, along with the Virginia Consumer Data Protection Act; the Colorado Privacy Act and Connecticut Act Concerning Personal Data Privacy and Online Monitoring took effect on July 1, 2023, and the Utah Consumer Privacy Act took effect on December 31, 2023. In the past few years, numerous other U.S. states have enacted comprehensive privacy laws, and we expect more states to pass similar laws in the future. These laws impose similar obligations on businesses with regard to the use, disclosure and security of personal information, and grant additional rights in that personal information to consumers. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify or locate an individual, such as names, email addresses and, in some jurisdictions, Internet Protocol addresses. These laws and regulations often are more restrictive than those in the United States and are rapidly evolving. For example, the European Union’s (‘‘EU’’) data protection regime, the GDPR, became enforceable on May 25, 2018. Additionally, the United Kingdom (‘‘UK’’) has enacted legislation that substantially implements the GDPR, but the United Kingdom’s exit from the EU (which formally occurred on January 31, 2020), commonly referred to as ‘‘Brexit,’’ has created uncertainty with regard to the regulation of data protection in the United Kingdom. Although there are currently various mechanisms that may be used to transfer personal data from the European Economic Area (‘‘EEA’’) and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK’s International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. Complying with the GDPR or other laws, regulations or other obligations relating to privacy, data protection or information security may cause us to incur substantial operational costs or require us to modify our data handling practices. Non-compliance could result in proceedings against us by governmental entities or others, could result in substantial fines or other liability, and may otherwise adversely impact our business, financial condition and operating results. Some statutory requirements, both in the United States and abroad, include obligations of companies to notify individuals of security breaches involving particular personal information, which could result from breaches experienced by us or our service providers. Even though we may have contractual protections with our service providers, a security breach could impact our reputation, harm our customer confidence, hurt our sales or cause us to lose existing customers and could expose us to potential liability or require us to expend significant resources on data security and in responding to such breach. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. We also expect that there will continue to be new proposed laws and regulations concerning privacy, data protection and information security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of laws and other obligations relating to privacy and data protection are still uncertain, it is possible that these laws and other obligations may be interpreted and applied in a manner 15 that is inconsistent with our existing data management practices or the features of our software. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new features could be limited. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our customers may increase the costs associated with, limit the use and adoption of, and reduce the overall demand for, our products. Privacy and personal information security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries. Risks Related to Our Operations Security breaches, cyberattacks or other cyber-risks of our IT and production systems could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position. Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including as related to financial, technology, employees, marketing, sales, etc.) which is used on a daily basis in our operations. In addition, our software involves transmission and processing of our customers’ confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. As a leader in the cyber industry, we may be an attractive target for cyber attackers or other data thieves. High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened as a result of the number of employees working remotely due to many companies adopting a hybrid working model. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting IT products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we continue to increase our client base and expand our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We may not always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to any cybersecurity incident or any other breach. Additionally, we use third-party service providers to provide some services to us that involve the cloud hosting, storage or transmission of data, such as SaaS, cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and also may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ or customers’ data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data or loss of SaaS platform availability. Security risks, including, but not limited to, unauthorized use or disclosure of customer data, loss of availability of our SaaS platform offering, cyberattack on our cloud providers, theft of proprietary information, theft of intellectual property, theft of internal employee’s PII/PHI information, theft of financial data and financial reports, loss or corruption of customer data and computer hacking attacks or other cyberattacks, could require us to expend significant capital and other resources to alleviate the problem and to improve technologies, may impair our ability to provide services to our customers and protect the privacy of their data, may result in product development delays, may compromise confidential or technical business information, may harm our competitive position, may result in theft or misuse of our intellectual property or other assets and could expose 16 us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after a breach or other incident, and other liabilities. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide advanced security awareness training to our employees and contractors that focuses on various aspects of the cybersecurity world. All of these steps are taken in order to mitigate the risk of attack and to ensure our readiness to responsibly handle any security violation or attack. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we may incur significant liabilities, we could suffer harm to our reputation and competitive position, and our operating results could be negatively impacted. The expansion of cloud-delivered services introduces a number of risks and uncertainties, which could adversely affect our business, results of operations and financial condition. The launch of our cloud offerings that allow customers to use hosted software required, and any future expansion of our cloud-delivered services may require, a considerable investment in resources, including technical, financial, legal, sales, information technology and operation systems. Additionally, market acceptance of such offerings is affected by a variety of factors, including but not limited to: security, reliability, scalability, customization, performance, current license terms, customer preference, customer concerns with entrusting a third-party to store and manage their data, public concerns regarding privacy and the enactment of restrictive laws or regulations. It is possible that demand for our cloud offerings may not continue to be as strong as it has been to date. Moreover, expansion of our cloud offerings may cause a decline in revenue of our existing products and services that is not offset by revenue from the new products or services. For example, customers may delay making purchases of products and services to permit them to make a more thorough evaluation of these new products and services or until industry and marketplace reviews become widely available. We may be unable to realize the benefits of our investments or the resources we have committed to expanding our cloud-delivered services. An increasing number of jurisdictions are imposing data localization laws, which require personal information, or certain subcategories of personal information, to be stored in the jurisdiction of origin. These regulations may deter customers from using cloud-based services, and may inhibit our ability to expand into certain markets or prohibit us from continuing to offer services in those markets without significant additional costs. Our hosted offerings rely upon third-party providers to supply data center space, equipment maintenance and other colocation services and rely upon the ability of those providers to maintain continuous service availability and protect customer data on their services. Customers of our cloud-based offerings need to be able to access our platform at any time, without interruption or degradation of performance, and we provide them with service level commitments with respect to uptime. Third-party cloud providers run their own platforms that we access, and we are, therefore, vulnerable to their service interruptions. Although we have entered into various agreements for the lease of data center space, equipment maintenance and other services, third parties could fail to live up to their contractual obligations. The failure of a third-party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or indemnify or otherwise be liable to customers or third parties for damages that may occur, and contractual provisions with our third-party providers and public cloud partners may limit our recourse against the third-party provider or public cloud partner responsible for such failure. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, our customers could lose confidence in us, and our ability to maintain and expand our hosted offerings would be impaired. Lastly, our cloud product offering and pricing is new and hosting and other costs may be more expensive to us than anticipated. We may not be able to predict renewal rates and their impact on our future revenues and operating results. Although our solutions are designed to increase the number of customers that purchase our products and the number of products purchased by existing and new customers to create a recurring revenue stream that increases and is more predictable over time, our customers are not required to renew their subscriptions for our solutions and they may elect not to renew when, or as we expect, or they may elect to reduce the scope of their original 17 purchases or delay their purchase. We cannot accurately predict renewal rates given our varied customer base of enterprise and small and medium size business customers and the number of multiyear contracts. Customer renewal rates may decline or fluctuate due to a number of factors, including offering pricing, competitive offerings, customer satisfaction and reductions in customer spending levels or customer activity due to economic downturns, the adverse impact of import tariffs, inflation or other market uncertainty. If our customers do not renew their contracts when or as we expect, or if they choose to renew for fewer products or renew for shorter contract lengths or if they renew on less favorable terms, our revenues and earnings may decline, and our business may suffer. Our quarterly results of operations have fluctuated and may fluctuate significantly due to variability in our revenues which could adversely impact our stock price. Our revenues and other results of operations have fluctuated from quarter to quarter in the past and could continue to fluctuate in the future. Historically, the fluctuation was partially due to the front-loaded revenue recognition nature of our business. Additionally, the Company is currently transitioning to a SaaS delivery model that recognizes revenue ratably and we do not front-load revenue with respect to those purchases. As a result, we may present reduced revenues as compared to prior periods, and comparing our revenues and results of operations on a period-to-period basis may not be meaningful, and should not be relied on for any particular period. Our revenues depend in part on the conversion of enterprises that have undergone risk assessments into paying customers; however, these risk assessments may not be converted at the same historical rates. At the same time, the majority of our sales are typically made during the last three weeks of every quarter. We may fail to meet market expectations for that quarter if we are unable to close the number of transactions that we expect during this short period and closings are deferred to a subsequent quarter or not closed at all. The closing of a large transaction in a particular quarter may raise our revenues in that quarter and thereby make it more difficult for us to meet market expectations in subsequent quarters and our failure to close a large transaction in a particular quarter or any renewals may adversely impact our revenues in that quarter. In addition, our sales cycle from initial contact to delivery of and payment for the software license generally becomes longer and less predictable with respect to large transactions and often involves multiple meetings or consultations at a substantial cost and time commitment to us. Further, we recently began focusing on the conversion of our current OPS customers to our SaaS platform and the sales cycle of such conversions can and may continue to take longer than the acquisition of new customers. Moreover, we base our current and future expense levels on our revenue forecasts and operating plans, and our expenses are relatively fixed in the short-term. Accordingly, we would likely not be able to reduce our costs sufficiently to compensate for an unexpected shortfall in revenues and even a relatively small decrease in revenues could disproportionately and adversely affect our financial results for that quarter. The variability and unpredictability of these and other factors, many of which are outside of our control, could result in our failing to meet or exceed financial expectations for a given period and may cause the price of our common stock to decline substantially. If the transition to a SaaS delivery model fails to yield the benefits that we expect, our results of operations could be negatively impacted. We successfully completed our transition to a subscription-based business model and are currently transitioning our business to a SaaS delivery model. It is uncertain whether this transition will prove successful. Market acceptance of our products is dependent on our ability to include functionality and usability that address certain customer requirements. Additionally, we must optimally price our products in light of marketplace conditions, our costs and customer demand. This transition may have negative revenue and earnings implications, including on our quarterly results of operations. This SaaS strategy may give rise to a number of risks, including the following: • our revenues and operating margins may fluctuate more than anticipated over the short-term as a result of this strategy; • if current customers desire only self-hosted licenses our SaaS sales may lag behind our expectations; • the shift to a SaaS strategy may raise concerns among our customer base, including concerns regarding changes to pricing over time and access to data once a subscription has expired; 18 • we may be unsuccessful in maintaining or implementing our target pricing or new pricing models, product adoption and projected renewal rates, or we may select a target price or new pricing model that is not optimal and could negatively affect our sales or earnings; • if our customers do not renew their subscriptions or do not renew them on a timely basis, our revenues may decline and our business may suffer; • we may incur hosting costs at a higher than forecasted rate or our SaaS platform can operate less efficiently than anticipated; • we may incur sales compensation costs at a higher than forecasted rate if the pace of our subscription transition is faster than anticipated; and • our sales force may struggle with the transition which may lead to increased turnover rates and lower headcount. We have been growing and expect to continue to invest in our growth for the foreseeable future. If we fail to manage this growth effectively, our business and results of operations will be adversely affected. We intend to continue to grow our business and plan to continue to hire new sales employees either for expansion or replacement of existing sales personnel. If we cannot adequately and timely hire new employees and if we fail to adequately train these new employees, including our sales force, engineers and customer support staff, our sales may not grow at the rates we project and/or our sales productivity might suffer, our customers might decide not to renew or reduce the scope of their original purchases, or our customers may lose confidence in the knowledge and capability of our employees or products. We must successfully manage our growth to achieve our objectives. Although our business has experienced significant growth in the past, we may not be able to continue to grow at the same rate, or at all. Our ability to effectively manage any significant growth of our business will depend on a number of factors, including our ability to do the following: • satisfy existing customers and attract new customers; • adequately and timely recruit, train, motivate and integrate new employees, including our sales force and engineers, while retaining existing employees, maintaining the beneficial aspects of our corporate culture and effectively executing our business plan; • successfully introduce new products and enhancements; • effectively manage existing channel partnerships and expand to new ones; • improve our key business applications and processes to support our business needs; • enhance information and communication systems to ensure that our employees and offices around the world are well-coordinated and can effectively communicate with each other and our growing customer base; • enhance our internal controls to ensure timely and accurate reporting of all of our operations and financial results; • protect and further develop our strategic assets, including our intellectual property rights; • continue to capitalize on the transition to a SaaS delivery model; and • successfully manage and integrate any future acquisitions of businesses, including without limitation, the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies. These activities will require significant investments and allocation of valuable management and employee resources, and our growth will continue to place significant demands on our management and our operational and financial infrastructure. We may not be able to grow our business in an efficient or timely manner, or at all. Moreover, if we do not effectively manage the growth of our business and operations, the quality of our software could suffer, which could negatively affect our brand, results of operations and overall business. 19 We have a limited operating history at our current scale, which makes it difficult to evaluate and predict our future prospects and may increase the risk that we will not be successful. We have a relatively short history operating our business at its current scale. For example, we have increased the number of our employees and have expanded our operations and product offerings. This limits our ability to forecast our future operating results and subjects us to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in new markets that may not develop as expected. Because we depend in part on the market’s acceptance of our products, it is difficult to evaluate trends that may affect our business. If our assumptions regarding these trends and uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations and our business could suffer. Moreover, although we have experienced significant growth historically, we may not continue to grow as quickly in the future. Our future success will depend in large part on our ability to, among other things: • successfully transition to a SaaS delivery model and manage our introduction of cloud-based solutions; • maintain and expand our business, including our customer base and operations, to support our growth, both domestically and internationally; • develop new products and services and bring products and services in beta to market; • renew customer agreements and sell additional products to existing customers; • maintain high customer satisfaction and ensure quality and timely releases of our products and product enhancements; • increase market awareness of our products and enhance our brand; • maintain compliance with applicable governmental regulations and other legal obligations, including those related to intellectual property, international sales and taxation; • hire, integrate, train and retain skilled talent, including members of our sales force and engineers; and • our ability to successfully manage and integrate any acquisitions of businesses. If we fail to address the risks and difficulties that we face, including those associated with the challenges listed above as well as those described elsewhere in this ‘‘Risk Factors’’ section, our business will be adversely affected, and our results of operations will suffer. If we are unable to attract new customers and expand sales to existing customers, both domestically and internationally, our growth could be slower than we expect, and our business may be harmed. Our success will depend, in part, on our ability to support new and existing customer growth and maintain customer satisfaction. Our sales and marketing teams host in-person events and engage with customers online and through other communications channels, including virtual meetings. Our sales and marketing teams may not be as successful or effective in building relationships. If we cannot provide the tools and training to our teams to efficiently do their jobs and satisfy customer demands, we may not be able to achieve anticipated revenue growth as quickly as expected. Our future growth depends upon expanding sales of our products to existing customers and their organizations and receiving renewals. If our customers do not purchase additional products or capabilities, our revenues may grow more slowly than expected, may not grow at all or may decline. Our efforts may not result in increased sales to existing customers (‘‘upsells’’) and additional revenues. If our efforts to upsell to our customers are not successful, our business would suffer. Our future growth also depends in part upon increasing our customer base, particularly those customers with potentially high customer lifetime values. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon the effectiveness of our sales and marketing efforts, both domestically and internationally, and our ability to attract new customers. Our ability to attract new customers may be adversely 20 affected by newly enacted laws that may prohibit certain sales and marketing activities, such as legislation passed in the State of New York, pursuant to which unsolicited telemarketing sales calls are prohibited. If we fail to attract new customers and maintain and expand those customer relationships, our revenues may be adversely affected, and our business will be harmed. We have a history of losses, and we may not be profitable in the future. We have incurred net losses in each year since our inception, including a net loss of $95.8 million, $100.9 million and $124.5 million in each of the years ended December 31, 2024, 2023 and 2022, respectively. Because the market for our software is rapidly evolving and has still not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we hire additional personnel, expand and improve the effectiveness of our distribution channels, and continue to develop features and applications for our software. If we are unable to maintain successful relationships with our channel partners, our business could be adversely affected. We rely on channel partners, such as distribution partners and resellers, to sell the Varonis Data Security Platform. In 2023 and 2024, our channel partners fulfilled substantially all of our sales, and we expect that sales to channel partners will continue to account for substantially all of our revenues for the foreseeable future. Our ability to achieve revenue growth in the future will depend in part on our success in maintaining successful relationships with our channel partners. Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers the products of several different companies. If our channel partners do not effectively market and sell our software, choose to use greater efforts to market and sell their own products or those of others, or fail to meet the needs of our customers, our ability to grow our business, sell our software and maintain our reputation may be adversely affected. Our contracts with our channel partners generally allow them to terminate their agreements for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. The loss of a substantial number of our channel partners, our possible inability to replace them, or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, results of operations, financial condition or cash flows could be adversely affected. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products or increased revenue. Our long-term growth depends, in part, on being able to continue to expand internationally on a profitable basis, which subjects us to risks associated with conducting international operations. Historically, we have generated the majority of our revenues from customers in the United States. For the years ended December 31, 2024 and 2023, approximately 73% and 72%, respectively, of our total revenues were derived from sales in the United States. Nevertheless, we have operations across the globe, and we plan to continue to expand our international operations as part of our long-term growth strategy. The further expansion of our international operations will subject us to a variety of risks and challenges, including: • sales and customer service challenges associated with operating in different countries; • increased management travel, infrastructure and legal compliance costs associated with having multiple international operations; • difficulties in receiving payments from different geographies, including difficulties associated with currency fluctuations, payment cycles, transfer of funds or collecting accounts receivable, especially in emerging markets; • variations in economic or political conditions between each country or region; • economic uncertainty around the world and adverse effects arising from economic interdependencies across countries and regions; • uncertainty around a potential reverse or renegotiation of international trade agreements and partnerships; 21 • compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; • ability to hire, retain and train local employees and the ability to comply with foreign labor laws and local labor requirements, such as representations by an internal labor committee in France which is affiliated with an external trade union and the applicability of collective bargaining arrangements at the national level in certain European countries; • compliance with laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act of 1977, as amended (the ‘‘FCPA’’), the U.K. Bribery Act of 2010 (the ‘‘UK Bribery Act’’), import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our software in certain foreign markets, and the risks and costs of non-compliance; • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of financial statements and irregularities in financial statements; • reduced protection for intellectual property rights in certain countries and practical difficulties and costs of enforcing rights abroad; and • compliance with the laws of numerous foreign taxing jurisdictions and overlapping of different tax regimes and digital tax imposed on our operations in foreign taxing jurisdictions. Any of these risks could adversely affect our international operations, reduce our revenues from outside the United States or increase our operating costs, adversely affecting our business, results of operations and financial condition and growth prospects. There can be no assurance that all of our employees, independent contractors and channel partners will comply with the formal policies we have and will implement, or applicable laws and regulations. Violations of laws or key control policies by our employees, independent contractors and channel partners could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our software and services and could have a material adverse effect on our business and results of operations. We are exposed to collection and credit risks, which could impact our operating results. Our trade receivables are subject to collection and credit risks. These agreements may include purchase commitments for multiple years of term license subscriptions and SaaS, which may be invoiced over multiple reporting periods increasing these risks. For example, our operating results may be impacted by significant bankruptcies among customers and resellers, which could negatively impact our revenues and cash flows. Although we have processes in place that are designed to monitor and mitigate these risks, we cannot guarantee these programs will be effective. If we are unable to adequately control these risks, our business, operating results and financial condition could be harmed. If currency exchange rates fluctuate substantially in the future, our results of operations, which are reported in U.S. dollars, could be adversely affected. Our functional and reporting currency is the U.S. dollar, and we generate the majority of our revenues and incur the majority of our expenses in U.S. dollars. Revenues and expenses are also incurred in other currencies, primarily Euros, Pounds Sterling, Canadian dollars, Australian dollars, Singapore dollar and the New Israeli Shekel. Accordingly, changes in exchange rates may have a material adverse effect on our business, results of operations and financial condition. The exchange rates between the U.S. dollar and foreign currencies have fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our software and renewals to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. We incur expenses for employee compensation and other operating expenses at our non-U.S. locations in local currencies. The weakening of the U.S. dollar against such currencies would cause the U.S. dollar equivalent of such expenses to increase which could have a negative impact on our reported results of operations and our ability to attract employees in such non-U.S. locations due to the actual increase in the compensation to be paid 22 to such employees. We use forward foreign exchange contracts to hedge or mitigate the effect of changes in foreign exchange rates on our revenues and operating expenses denominated in certain foreign currencies. However, this strategy might not eliminate our exposure to foreign exchange rate fluctuations and involves costs and risks of its own, such as cash expenditures, ongoing management time and expertise, external costs to implement the strategy and potential accounting implications. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets and the difference between the interest rates of the currencies being hedged. Our business is highly dependent upon our brand recognition and reputation, and the failure to maintain or enhance our brand recognition or reputation may adversely affect our business. We believe that enhancing the ‘‘Varonis’’ brand identity and maintaining our reputation in the IT industry is critical to our relationships with our customers and to our ability to attract new customers. Our brand recognition and reputation are dependent upon: • our ability to continue to offer high quality, innovative and error- and bug-free products; • our ability to maintain customer satisfaction with our products; • our ability to be responsive to customer concerns and provide high quality customer support, training and professional services; • our marketing efforts; • any misuse or perceived misuse of our products; • positive or negative publicity; • our ability to prevent or quickly react to any cyberattack on our IT systems or security breach of or related to our software; • interruptions, delays or attacks on our website; and • litigation or regulatory-related developments. We may not be able to successfully promote our brand or maintain our reputation. In addition, independent industry analysts often provide reviews of our products, as well as other products available in the market, and perception of our product in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive than reviews about other products available in the market, our brand may be adversely affected. Furthermore, negative publicity relating to events or activities attributed to us, our employees, our channel partners or others associated with any of these parties, may tarnish our reputation and reduce the value of our brand. If we do not successfully enhance our brand and maintain our reputation, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, all of which would adversely affect our business, operations and financial results. Moreover, damage to our reputation and loss of brand equity may reduce demand for our products and have an adverse effect on our business, results of operations and financial condition. Any attempts to rebuild our reputation and restore the value of our brand may be costly and time consuming, and such efforts may not ultimately be successful. Moreover, it may be difficult to enhance our brand and maintain our reputation in connection with sales to channel partners. Promoting our brand requires us to make significant expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and geographies and as more sales are generated to our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. Our success depends in part on maintaining and increasing our sales to customers in the public sector. We derive a portion of our revenues from contracts with federal, state, local and foreign governments and government-owned or -controlled entities (such as public health care bodies, educational institutions and utilities), which we refer to as the public sector herein. We believe that part of the success and growth of our business will continue to depend on our successful procurement of public sector contracts. Selling to public sector entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense 23 without any assurance that our efforts will produce any sales. Government demand and payment for our products and services may be impacted by public sector budgetary cycles, or lack of, and funding authorizations, including in connection with an extended government shutdown, with funding reductions or delays adversely affecting public sector demand for our products and services. Factors that could impede our ability to maintain or increase the amount of revenues derived from public sector contracts include: • changes in public sector fiscal or contracting policies; • decreases or elimination of available public sector funding; • non-compliance with or an inability to attain the proper certification to conduct business in the public sector; • changes in public sector programs or applicable requirements; • the adoption of new laws or regulations or changes to existing laws or regulations; • potential delays or changes in the public sector appropriations or other funding authorization processes; • the requirement of contractual terms that are unfavorable to us, such as most-favored-nation pricing provisions; and • delays in the payment of our invoices by public sector payment offices. In addition, we must comply with laws and regulations relating to public sector contracting, which affect how we and our channel partners do business in both the United States and abroad. These laws and regulations may impose added costs on our business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts, and temporary suspension or permanent debarment from public sector contracting. Moreover, governments may investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our products, which would adversely impact our revenue and results of operations, or institute fines or civil or criminal liability if the audit uncovers improper or illegal activities. Furthermore, on January 20, 2025, President Donald J. Trump announced an executive order establishing the ‘‘Department of Government Efficiency’’ to maximize government efficiency and productivity. Pressures on and uncertainty surrounding the U.S. federal government’s budget and potential changes in budgetary priorities, could adversely affect the funding for individual programs and delay purchasing decisions by our customers. The occurrence of any of the foregoing could cause public sector customers to delay or refrain from purchasing licenses of our software in the future or otherwise have an adverse effect on our business, operations and financial results. We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets. We incorporate certain encryption technology into certain of our products and, as a result, are required to comply with U.S. export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce’s Bureau of Industry and Security (‘‘BIS’’). We are also subject to Israeli export control laws on encryption technology. These export control laws and regulations prohibit, restrict, or regulate our ability to, directly or indirectly, export, re-export, or transfer certain products to certain countries and territories, entities, and individuals for certain end uses. If the applicable U.S. or Israeli legal requirements regarding the export of encryption technology were to change or if we change the encryption means in our products, we may (i) be unable to export our products, (ii) need to apply for new licenses or (iii) be unable to rely on certain license exceptions. Furthermore, various other countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. We are also subject to U.S. and Israeli economic sanctions laws, which prohibit the shipment of certain products to embargoed or sanctioned countries, sanctioned governments and sanctioned persons. Like with export controls, we take precautions to prevent our products from being provided in violation of these laws, including requiring our business partners to commit to compliance through contractual undertakings. However, if our 24 business partners were to provide our products to certain countries, governments, or sanctioned persons in violation of these laws, such provision could have negative consequences, including government investigations, penalties and reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Moreover, any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our products. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations. Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities. As we operate and sell internationally, we are subject to the FCPA, the UK Bribery Act and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in Eastern Europe, South and Central America, East Asia, Africa and the Middle East. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, channel partners or sales agents that could be in violation of various anti-corruption laws, even though these parties may not be under our control. While we have implemented safeguards to prevent these practices by our employees, consultants, channel partners and sales agents, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, channel partners or sales agents may engage in conduct for which we might be held responsible. Violations of the FCPA or other anti-corruption laws may result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition. Acquisitions could disrupt our business and adversely affect our results of operations, financial condition and cash flows. As we continue to pursue business opportunities, we may make acquisitions that could be material to our business, results of operations, financial condition and cash flows. Acquisitions involve many risks, including the following: • an acquisition may negatively affect our results of operations, financial condition or cash flows because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, including potential write-downs of deferred revenues, may expose us to claims and disputes by third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition; • we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us; • an acquisition may disrupt our ongoing business, divert resources, increase our expenses and distract our management; • an acquisition may result in a delay or reduction of customer purchases for both us and the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company; • we may encounter difficulties in, or may be unable to, successfully sell any acquired products; • an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience or where competitors have stronger market positions; 25 • challenges inherent in effectively managing an increased number of employees in diverse locations; • the potential strain on our financial and managerial controls and reporting systems and procedures; • potential known and unknown liabilities or deficiencies associated with an acquired company that were not identified in advance; • our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity; • if we incur debt to fund such acquisitions, such debt may subject us to material restrictions on our ability to conduct our business as well as financial maintenance covenants; • the risk of impairment charges related to potential write-downs of acquired assets or goodwill in future acquisitions; • to the extent that we issue a significant amount of equity or convertible debt securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease; and • managing the varying intellectual property protection strategies and other activities of an acquired company. We may not succeed in addressing these or other risks or any other problems encountered in connection with the integration of any acquired business. Our ability as an organization to successfully acquire and integrate technologies or businesses is limited. The inability to successfully integrate the business, technologies, products, personnel or operations of any acquired business, or any significant delay in achieving integration, could have a material adverse effect on our business, results of operations, financial condition and cash flows. Risks Related to Human Capital A failure to maintain sales and marketing personnel productivity or hire and integrate additional sales and marketing personnel could adversely affect our results of operations and growth prospects. Our business requires intensive sales and marketing activities. Our sales and marketing personnel are essential to attracting new customers and expanding sales to existing customers, both of which are key to our future growth. We face a number of challenges in successfully expanding our sales force. Our transition to a SaaS delivery model, and the additional demands involved in selling our platform, has increased the complexity and to some extent imposed new challenges in finding, hiring and retaining qualified sales force members. We must locate and hire a significant number of qualified individuals, and competition for such individuals is intense. In addition, as we expand into new markets with which we have less familiarity and develop existing territories, we will need to recruit individuals who have skills particular to a certain geography or territory, and it may be difficult to find candidates with those qualifications. We may be unable to achieve our hiring or integration goals due to a number of factors, including, but not limited to, the challenge in remotely recruiting employees and adequately training them, the number of individuals we hire, challenges in finding individuals with the correct background due to increased competition for such hires, increased attrition rates among new hires and existing personnel as well as the necessary experience to sell the Varonis Data Security Platform rather than individual software products. Furthermore, based on our past experience in mature territories, it can take up to 12 months before a new sales force member is trained and operating at a level that meets our expectations. We invest significant time and resources in training new members of our sales force, and we may be unable to achieve our target performance levels with new sales personnel as rapidly as we have done in the past, or at all, due to larger numbers of hires or lack of experience training sales personnel to operate in new jurisdictions or because of the remote hiring and training process. Our failure to hire a sufficient number of qualified individuals, to integrate new sales force members within the time periods we have achieved historically or to keep our attrition rates at levels comparable to others in our industry may materially impact our projected growth rate. Failure to retain, attract and recruit highly qualified personnel could adversely affect our business, operating results, financial condition and growth prospects. Our future success and growth depend, in part, on our ability to continue to recruit and retain highly skilled personnel and to preserve the key aspects of our corporate culture. Because our future success is dependent on our ability to continue to enhance and introduce new products, we are particularly dependent on our ability to 26 hire and retain engineers. Any of our employees may terminate their employment at any time, and we face intense competition for highly skilled employees. Competition for qualified employees, particularly in Israel, where we have a substantial presence and need for qualified engineers, from numerous other companies, including other software and technology companies, many of whom have greater financial and other resources than we do, is intense. Moreover, to the extent we hire personnel from other companies, we may be subject to allegations that they have been improperly solicited or may have divulged proprietary or other confidential information to us. If we are unable to timely attract, train or retain qualified employees, particularly our engineers, salespeople and key managers, our ability to innovate, introduce new products and compete would be adversely impacted, and our financial condition and results of operations may suffer. Lastly, equity grants are a critical component of our current compensation programs. If we reduce, modify or eliminate our equity compensation programs or if there is a decline in our stock price, which will result in the value of our equity compensation being lower, we may have difficulty attracting and retaining employees. We are dependent on the continued services and performance of our co-founder, Chief Executive Officer and President, the loss of whom could adversely affect our business. Much of our future performance depends on the continued services and continuing contributions of our co-founder, Chief Executive Officer and President, Yakov Faitelson, to successfully manage our company, to execute on our business plan and to identify and pursue new opportunities and product innovations. The loss of Mr. Faitelson’s services could significantly delay or prevent the achievement of our development and strategic objectives and adversely affect our business. Risks Related to our Technology, Products, Services and Intellectual Property Our failure to continually enhance and improve our technology could adversely affect sales of our products. The market is characterized by the exponential growth in enterprise data, rapid technological advances, changes in customer requirements, including customer requirements driven by changes to legal, regulatory and self-regulatory compliance mandates, frequent new product introductions and enhancements and evolving industry standards in computer hardware and software technology. As a result, we must continually change and improve our products in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools, computer language technology and various regulations. Moreover, the technology in our products is especially complex because it needs to effectively identify and respond to a user’s data retention, security and governance needs, while minimizing the impact on database and file system performance. Our products must also successfully interoperate with products from other vendors. While we extend our technological capabilities though innovation and strategic transactions, including our recently announced Managed Data Detection and Response and cloud-based solutions, we cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to extend our technological expertise and develop new products or expand the functionality of our current products in a timely manner or at all. Even if we are able to anticipate, develop and introduce new products and expand the functionality of our current products, there can be no assurance that enhancements or new products will achieve widespread market acceptance. Our product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including: • failure to accurately predict market demand in terms of product functionality and to supply products that meet this demand in a timely fashion; • inability to interoperate effectively with the database technologies and file systems of prospective customers; • defects, errors or failures; • negative publicity or customer complaints about performance or effectiveness; and • poor business conditions, causing customers to delay IT purchases. If we fail to anticipate market requirements or stay abreast of technological changes, we may be unable to successfully introduce new products, expand the functionality of our current products or convince our customers 27 and potential customers of the value of our solutions in light of new technologies. In addition, it is possible that our product innovations, including our recently announced Managed Data Detection and Response and cloud-based solutions, may not provide satisfactory results to our customers. Accordingly, our business, results of operations and financial condition could be materially and adversely affected. If our technical support, customer success or professional services are not satisfactory to our customers, they may not renew their agreements or not buy additional products in the future, which could adversely affect our future results of operations. Our business relies on our customers’ satisfaction with the technical support, customer success and professional services we provide to support our products. Our customers have no obligation to renew their agreements with us after the initial terms have expired. Our customers have an option to renew their agreements and, for us to maintain and improve our results of operations, it is important that our existing customers renew their agreements, if applicable, when the existing contract term expires. For example, our renewal rate for the years ended December 31, 2024, 2023 and 2022 continued to be over 90%. If we fail to provide technical support services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our products and services, then they may elect not to purchase or renew contracts and they may choose not to purchase additional products and services from us. Accordingly, our failure to provide satisfactory technical support, customer success or professional services could lead our customers not to renew their agreements with us or renew on terms less favorable to us, and therefore have a material and adverse effect on our business and results of operations. Interruptions or performance problems, including associated with our website or support website or any caused by cyberattacks, may adversely affect our business. Our continued growth depends in part on the ability of our existing and potential customers to quickly access our website and support website. Access to our support website is also imperative to our daily operations and interaction with customers, as it allows customers to download our software, fixes and patches, as well as open and respond to support tickets and register license keys for evaluation or production purposes. We have experienced, and may in the future experience, website disruptions, outages and other performance problems due to a variety of factors, including technical failures, cyberattacks, natural disasters, infrastructure changes, human or software errors, capacity constraints due to an overwhelming number of users accessing our website simultaneously and denial of service or fraud. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. System failures or outages, including any potential disruptions due to a period of increased global demand on certain cloud-based systems or disruptions of our cloud-based solutions, could compromise our or our customer’s ability to perform day-to-day operations in a timely manner, which could negatively impact our business or delay our financial reporting. It may become increasingly difficult to maintain and improve the performance of our websites, especially during peak usage times and as our software becomes more complex and our user traffic increases. If our websites are unavailable or if our users are unable to download our software, patches or fixes within a reasonable amount of time or at all, we may suffer reputational harm and our business would be negatively affected. If our software is perceived as not being secure, customers may reduce the use of or stop using our software, and we may incur significant liabilities. Our software involves the transmission of data between data stores, and between data stores and desktop and mobile computers, and will increasingly involve the storage of data. We have a legal and contractual obligation to protect the confidentiality and appropriate use of customer data. Any security breaches with respect to such data could result in the loss of this information, litigation, indemnity obligations and other liabilities. The security of our products and accompanied services is important in our customers’ decisions to purchase or use our products or services. Security threats are a significant challenge to companies like us whose business is providing technology products and services to others. While we have taken steps to protect the confidential information that we have access to, including confidential information we may obtain through our customer support services or customer usage of our products, we have no direct control over the substance of the content. Security measures might be breached as a result of third-party action, employee error, malfeasance or otherwise. We also incorporate open source software and other third-party software into our products. There may be vulnerabilities in open source software and third-party software that may make our products likely to be harmed 28 by cyberattacks. Moreover, our products operate in conjunction with and are dependent on products and components across a broad ecosystem of third parties. If there is a security vulnerability in one of these components, and if there is a security exploit targeting it, such security vulnerability may adversely impact our product vulnerability and we could face increased costs, liability claims, reduced revenue, or harm to our reputation or competitive position. Because techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. The limitations of liability in our contracts may not be enforceable or adequate or otherwise protect us from any such liabilities or damages with respect to any particular claim. While we maintain insurance coverage for some of the above events, the potential liabilities associated with these security breach events could exceed the insurance coverage we maintain. We incorporate machine learning and AI solutions into parts of our platform, offerings, services and features, and these applications may become more important in our operations over time. AI technologies, including generative AI, are complex and rapidly evolving, and we face competition from other companies as well as an evolving regulatory landscape. Several jurisdictions around the globe, including Europe and the United States, have already proposed or enacted laws governing AI, and we may need to commit significant resources to maintain business practices that comply with the evolving regulatory landscape. Our competitors or other third parties may incorporate AI into their products more quickly and successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations. Any or all of these issues could tarnish our reputation, negatively impact our ability to attract new customers or sell additional products to our existing customers, cause existing customers to elect not to renew their agreements or subject us to third-party lawsuits, regulatory fines or other action or liability, thereby adversely affecting our results of operations. Our use of open source software could negatively affect our ability to sell our software and subject us to possible litigation. We use open source software and expect to continue to use open source software in the future. Some open source software licenses require users who distribute open source software as part of their own software product to publicly disclose all or part of the source code to such software product or to make available any derivative works of the open source code on unfavorable terms or at no cost. We may face ownership claims of third parties over, or seeking to enforce the license terms applicable to, such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. These claims could also result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and results of operations. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs. Some open source software may include generative AI software or other software that incorporates or relies on generative AI. The use of such software may expose us to risks as the intellectual property ownership and license rights, including copyright, of generative AI software and tools, has not been fully interpreted by U.S. courts or been fully addressed by federal or state regulation. Finally, while we implement policies and procedures, we cannot provide assurance that we have incorporated open source software into our own software in a manner that conforms with our current policies and procedures and we cannot assure that all open source software is reviewed prior to use in our solution, that our programmers have not incorporated open source software into our solution, or that they will not do so in the future. In addition, our solution may incorporate third-party software under commercial licenses. We cannot be certain whether such third-party software incorporates open source software without our knowledge. In the past, companies that incorporate open source software into their products have faced claims alleging noncompliance with open source license terms or infringement or misappropriation of proprietary software. Therefore, we could be subject to suits by parties claiming noncompliance with open source licensing terms or infringement or misappropriation of proprietary software. Because few courts have interpreted open source licenses, the manner in which these licenses may be interpreted and enforced is subject to some uncertainty. There is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on 29 our ability to market or provide our solution. As a result of using open source software subject to such licenses, we could be required to release proprietary source code, pay damages, re-engineer our solution, limit or discontinue sales or take other remedial action, any of which could adversely affect our business. False detection of security breaches, false identification of malicious sources or misidentification of sensitive or regulated information could adversely affect our business. Our cybersecurity products may falsely detect threats that do not actually exist. For example, our DatAlert product may enrich metadata collected by our products with information from external sources and third-party data providers. If the information from these data providers is inaccurate, the potential for false positives increases. These false positives, while typical in the industry, may affect the perceived reliability of our products and solutions and may therefore adversely impact market acceptance of our products. As definitions and instantiations of personal identifiers and other sensitive content change, automated classification technologies may falsely identify or fail to identify data as sensitive. If our products and solutions fail to detect exposures or restrict access to important systems, files or applications based on falsely identifying legitimate use as an attack or otherwise unauthorized, then our customers’ businesses could be adversely affected. Any such false identification of use and subsequent restriction could result in negative publicity, loss of customers and sales, increased costs to remedy any problem and costly litigation. Failure to protect our proprietary technology and intellectual property rights could substantially harm our business. The success of our business and competitive position depends on our ability to obtain, protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under patent, trademark, copyrights and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection and may not now or in the future provide us with a competitive advantage. As of December 31, 2024, we had 89 issued patents in the United States and 31 pending U.S. patent applications. We also had 76 patents issued and 34 applications pending for examination in non-U.S. jurisdictions, and 18 pending PCT patent applications, all of which are counterparts of our U.S. patent applications. We may file additional patent applications in the future. The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way through to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not issue as granted patents, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property). However, we may not be able to adequately protect our rights in every such agreement or execute an agreement with every such party. Finally, in order to benefit from patent and other intellectual property protection, we must monitor, detect and pursue infringement claims in certain circumstances in relevant jurisdictions, all of which is costly and time-consuming. As a result, we may not be able to obtain adequate protection or to enforce our issued patents or other intellectual property effectively. In addition to patented technology, we rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technologies and our intellectual property rights, unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event 30 of unauthorized use or disclosure of our intellectual property or technology. We cannot provide assurance that the steps taken by us will prevent misappropriation of our trade secrets or technology or infringement of our intellectual property. In addition, the laws of some foreign countries where we operate do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States. We have registered the ‘‘Varonis’’ name and logo and ‘‘DatAdvantage,’’ ‘‘DataPrivilege,’’ ‘‘DatAlert,’’ and other names in the United States and, as related to some of these names, certain other countries. However, we cannot provide assurance that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solution, technologies or intellectual property rights. If we are unable to protect our intellectual property rights and ensure that we are not violating the intellectual property rights of others, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative products that have enabled us to be successful to date. Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results. The industries in which we operate, such as data security, cybersecurity, compliance, data retention and data governance are characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Successful claims of infringement or misappropriation by a third-party could prevent us from distributing certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others or to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology. Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. In some cases, we indemnify our channel partners and customers against claims that our products infringe the intellectual property of third parties. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. Risks Related to our Tax Regime Our tax rate may vary significantly depending on our stock price. The tax effects of the accounting for stock-based compensation may significantly impact our effective tax rate from period to period. In periods in which our stock price is higher than the grant price of the stock-based compensation vesting in that period, we will recognize excess tax benefits that will decrease our effective tax rate, while in periods in which our stock price is lower than the grant price of the stock-based compensation vesting in that period, our effective tax rate may increase. The amount and value of stock-based compensation 31 issued relative to our earnings in a particular period will also affect the magnitude of the impact of stock-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results. Multiple factors may adversely affect our ability to fully utilize our net operating loss carryforwards. A U.S. corporation’s ability to utilize its federal and state net operating loss (‘‘NOL’’) and tax credit carryforwards to offset its taxable income is limited under Section 382 and Section 383 of the Internal Revenue Code of 1986, as amended (the ‘‘Code’’), if the corporation undergoes an ownership change (within the meaning of Code Section 382). As of December 31, 2024, we have accumulated $134.3 million of federal NOL, $141.2 million of state NOL and $7.3 million of federal research credit carryforwards since inception. Future changes in our stock ownership, including future offerings, as well as changes that may be outside of our control, could result in a subsequent ownership change under Section 382, that would impose an annual limitation on NOLs. In addition, the cash tax benefit from our NOLs is dependent upon our ability to generate sufficient taxable income. Accordingly, we may be unable to earn enough taxable income in order to fully utilize our current NOLs. Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our results. We are subject to income taxation in the United States, Israel and numerous other jurisdictions. Determining our provision for income taxes requires significant management judgment. In addition, our provision for income taxes could be adversely affected by many factors, including, among other things, changes to our operating structure including a review of our intellectual property (‘‘IP’’) structure, changes in the amounts of earnings in jurisdictions with different statutory tax rates, changes in the valuation of deferred tax assets and liabilities and changes in tax laws. Significant judgment is required to determine the recognition and measurement attributes prescribed in Accounting Standards Codification 740-10-25 (‘‘ASC 740-10-25’’). ASC 740-10-25 applies to all income tax positions, including the potential recovery of previously paid taxes, which if settled unfavorably could adversely impact our provision for income taxes. Our income in certain countries is subject to reduced tax rates provided we meet certain criteria. Failure to meet these commitments could adversely impact our provision for income taxes. We are also subject to the regular examination of our income tax returns by the U.S. Internal Revenue Services and other tax authorities in various jurisdictions. Tax authorities may disagree with our intercompany charges, cross-jurisdictional transfer pricing, IP structure or other matters and assess additional taxes. While we believe that we are currently in material compliance with our obligations under applicable taxing regimes, and regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes from these regular examinations will not have a material adverse effect on our results of operations and cash flows. Further, we may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our results of operations or cash flows in the period or periods for which a determination is made. The adoption of the U.S. tax reform and the enactment of additional legislation changes could materially impact our financial position and results of operations. On December 22, 2017, the Tax Cuts and Jobs Act (the ‘‘TCJA’’) was enacted. The TCJA remains unclear in some respects and has been, and may continue to be, subject to amendments and technical corrections, as well as interpretations and implementing regulations by the Treasury and Internal Revenue Service, any of which could lessen or increase certain adverse impacts of TCJA. Effective in 2022, the TCJA requires all U.S. companies to capitalize, and subsequently amortize R&E expenses that fall within the scope of Section 174 over five years for research activities conducted in the United States and over fifteen years for research activities conducted outside of the United States, rather than deducting such costs in the year incurred for tax purposes. As of the fourth quarter of 2024, we have accounted for an estimate of the effects of the R&E capitalization, based on interpretation of the law as currently enacted. To the extent that this provision is not modified or repealed, and once our available NOLs or tax credits are fully utilized, we would incur a significant increase in our tax expenses and a decrease in our cash flows provided by operations. 32 The Organization for Economic Cooperation and Development (‘‘OECD’’) introduced the base erosion and profit shifting project which sets out a plan to address international taxation principles in a globalized, digitized business world (the ‘‘BEPS Plan’’). As a result, changes have been and continue to be made to numerous international tax principles and local tax regimes. Due to the expansion of our international business activities, those modifications may increase our worldwide effective tax rate, create tax and compliance obligations in jurisdictions in which we previously had none and adversely affect our financial position. Risks Related to the Notes We have incurred substantial indebtedness that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur substantially more debt, which may adversely affect our operations and financial results. In May 2020, we issued $253.0 million aggregate principal amount of Notes (the ‘‘2025 Notes’’) and in September 2024, we issued $460.0 million aggregate principal amount of Notes (the ‘‘2029 Notes’’ and together with the 2025 Notes, the ‘‘Notes’’), respectively. As of December 31, 2024, we had approximately $711.5 million outstanding aggregate principal amount of the Notes. Our indebtedness may limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes, limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes, require us to use a substantial portion of our cash flow from operations to make debt service payments, limit our flexibility to plan for, or react to, changes in our business and industry, place us at a competitive disadvantage compared to our less leveraged competitors and increase our vulnerability to the impact of adverse economic and industry conditions. Our debt obligations may adversely affect our ability to raise additional capital and will be a burden on our future cash resources, particularly if we elect to settle these obligations in cash upon conversion or upon maturity or required repurchase. Our ability to meet our payment obligations under the Notes depends on our future cash flow performance. This, to some extent, is subject to general economic, financial, competitive, legislative and regulatory factors, as well as other factors that may be beyond our control. There can be no assurance that our business will generate positive cash flow from operations, or that additional capital will be available to us, in an amount sufficient to enable us to meet our debt payment obligations and to fund other liquidity needs. If we are unable to generate sufficient cash flow to service our debt obligations, we may need to refinance or restructure our debt, sell assets, reduce or delay capital investments, or seek to raise additional capital. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. As a result, we may be more vulnerable to economic downturns, less able to withstand competitive pressures and less flexible in responding to changing business and economic conditions. We may issue additional shares of our common stock in connection with conversions of the Notes, and thereby dilute our existing stockholders and potentially adversely affect the market price of our common stock. In the event that the remaining Notes are converted and we elect to deliver shares of common stock, the ownership interests of existing stockholders will be diluted, and any sales in the public market of any shares of our common stock issuable upon such conversion could adversely affect the prevailing market price of our common stock. In addition, the anticipated conversion of the Notes could depress the market price of our common stock. The fundamental change provisions of the Notes may delay or prevent an otherwise beneficial takeover attempt of us. If the Company undergoes a ‘‘fundamental change,’’ subject to certain conditions, holders may require the Company to repurchase for cash all or part of their Notes at a fundamental change repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. In addition, if such fundamental change also constitutes a ‘‘make-whole fundamental change,’’ the conversion rate for the Notes may be increased upon conversion of the Notes in connection with such ‘‘make-whole fundamental change.’’ Any increase in the conversion rate will be determined based on the date on which the ‘‘make-whole fundamental change’’ occurs or becomes effective and the price 33 paid (or deemed paid) per share of our common stock in such transaction. Any such increase will be dilutive to our existing stockholders. Our obligation to repurchase the Notes or increase the conversion rate upon the occurrence of a make-whole fundamental change may, in certain circumstances, delay or prevent a takeover of us that might otherwise be beneficial to our stockholders. The Capped Call Transactions may affect the value of the Notes and our common stock. In connection with the issuance of the Notes, we entered into Capped Call Transactions with certain financial institutions. The Capped Call Transactions are expected generally to reduce or offset the potential dilution upon conversion of the Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted Notes, as the case may be, with such reduction and/or offset subject to the Cap Price, subject to certain adjustments under the terms of the Capped Call Transactions. From time to time, certain financial institutions (with which we entered into the Capped Call Transactions) or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could also cause or avoid an increase or a decrease in the market price of our common stock. The potential effect, if any, of these transactions and activities on the price of our common stock or Notes will depend in part on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock. We are subject to counterparty risk with respect to the Capped Call Transactions. All or some of the financial institutions (which are counterparties to the capped call transactions) might default under the Capped Call Transactions. Our exposure to the credit risk of the counterparties will not be secured by any collateral. Past global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under the capped call transactions with such option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurance as to the financial stability or viability of the option counterparties. Risks Related to our International Operations We face risks associated with operating in international markets that may limit our ability to develop and sell our products, which could result in a decrease of our revenues. We operate on a global basis and political, social, economic and security conditions in countries in which we operate may limit our ability to develop and sell our products. Specifically, we have operations and do business in Israel, the United Kingdom, France, Brazil and Ukraine. Continued political and social instability and war in these regions, and any other areas in the world where we have operations, may affect our business and operations in those and other neighboring regions. In March 2022, in response to the war between Russia and Ukraine, a number of countries, including the United States, imposed sanctions and export controls on Russia, which in turn imposed counter-sanctions in response. While sales in Russia represented a very small percentage of our overall business, and while our operations in Russia and Ukraine have historically been a small portion of our overall workforce, the conflict is complex and evolving and subjects us to additional regulatory risk and compliance costs. As of December 31, 2024, we do not have any employees or contractors in Russia. We have no way to predict the progress or outcome of the situation, including any impact on the rest of the world, as the conflict and government reactions are rapidly developing. Our principal research and development facility, which also houses a portion of our support and general and administrative teams, is located in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, as well as incidents of terror activities and other hostilities, and a number of state and non-state actors have publicly committed to its 34 destruction. In addition, Israel is currently in a war and recently experienced social unrest in connection with the judiciary reform bill. Security, political and economic conditions in Israel could directly affect our operations. We could be adversely affected by hostilities involving Israel, including acts of terrorism or any other hostilities involving or threatening Israel, the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant downturn in the economic or financial condition of Israel. Any on-going or future armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Lebanon, Syria, Iran or Yemen, or political instability in the region could disrupt international trading activities in Israel and may materially and negatively affect our business and could harm our results of operations. Certain countries, as well as certain companies and organizations, continue to participate in a boycott of Israeli companies, companies with large Israeli operations and others doing business with Israel and Israeli companies. The boycott, restrictive laws, policies or practices directed towards Israel, Israeli businesses or Israeli citizens could, individually or in the aggregate, have a material adverse effect on our business in the future. Some of our employees in Israel are obligated to perform routine military reserve duty in the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they have been and may in the future be called to active reserve duty at any time under emergency circumstances for extended periods of time. Currently, due to the war in Israel that began on October 7, 2023, a portion of our employees have been called to active reserve duty and additional employees may be called in the future, if needed. It is possible that our operations could be disrupted if this continues for a significant period of time or if the situation further deteriorates, including, among other things, an expansion of the war to other countries, damage to critical infrastructure and general unrest, which could harm our business. Our insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East or for any resulting disruption in our operations. Although the Israeli government has in the past covered the reinstatement value of direct damages that were caused by terrorist attacks or acts of war, we cannot be assured that this government coverage will be maintained or, if maintained, will be sufficient to compensate us fully for damages incurred and the government may cease providing such coverage or the coverage might not suffice to cover potential damages. Any losses or damages incurred by us could have a material adverse effect on our business. The tax benefits available to our Israeli subsidiary terminated in 2020 and we expect our Israeli subsidiary to become subject to an increase in taxes. Our Israeli subsidiary has benefited from a status of a ‘‘Beneficiary Enterprise’’ under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law, since its incorporation. As of December 31, 2024, the tax benefit that we have been utilizing for our Israeli subsidiary terminated. A tax rate of 16% should be paid by our Israeli subsidiary per such eligible income under the terms of the Investment Law, subject to meeting various conditions. To the extent we do not meet these conditions, our Israeli operations will be subject to a corporate tax at the standard rate of 23%. If the Israeli subsidiary is subject to a corporate tax at the standard rate, it may adversely affect our tax expenses and effective tax rates. Additionally, if our Israeli subsidiary increases its activities outside of Israel, for example, through acquisitions, these activities may not be eligible for inclusion in Israeli tax benefit programs. The tax benefit derived from the Investment Law is dependent upon the ability to generate sufficient taxable income. Accordingly, our Israeli subsidiary may be unable to earn enough taxable income in order to fully utilize its tax benefits. Risks Related to the Ownership of our Common Stock Substantial future sales of shares of our common stock could cause the market price of our common stock to decline. Sales of a substantial number of shares of our common stock into the public market, or the perception that these sales might occur, for whatever reason, including as a result of the conversion of the outstanding Notes or future public equity offerings, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. We are unable to predict the effect that such sales may have on the prevailing market price of our common stock. As of December 31, 2024, we had options, restricted stock units (‘‘RSUs’’) and performance stock units (‘‘PSUs’’) outstanding that, if fully vested and exercised, would result in the issuance of approximately 35 7.6 million shares of our common stock. All of the shares of our common stock issuable upon exercise of options and vesting of RSUs and PSUs have been registered for public resale under the Securities Act. Accordingly, these shares will be able to be freely sold in the public market upon issuance as permitted by any applicable vesting requirements. Our stock price has been and will likely continue to be volatile. The market price for our common stock has been, and is likely to continue to be, volatile for the foreseeable future, and is subject to wide fluctuations in response to various factors, some of which are beyond our control. These factors, as well as the volatility of our common stock, could affect the price at which our convertible noteholders could sell the common stock received upon conversion of the Notes and could also impact the trading price of the Notes. The market price of our common stock may fluctuate significantly in response to a number of factors, many of which we cannot predict or control, including the factors listed below and other factors described in this ‘‘Risk Factors’’ section: • actual or anticipated fluctuations in our results or those of other companies in our industry; • the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections; • failure of securities analysts to maintain coverage of our company, changes in financial estimates by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors; • ratings changes by any securities analysts who follow our company; • announcements of new products, services or technologies, commercial relationships, acquisitions or other events by us or other companies in our industry; • new announcements that affect investor perception of our industry, including reports related to the discovery of significant cyberattacks; • changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; • price and volume fluctuations in certain categories of companies or the overall stock market, including as a result of trends in the global economy; • the trading volume of our common stock; • investor confusion with respect to the Company’s results of operation during the SaaS transition; • changes in accounting principles; • sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; • additions or departures of any of our key personnel; • lawsuits threatened or filed against us; • short sales, hedging and other derivative transactions involving our capital stock; • general economic conditions in the United States and abroad, including inflationary pressures and higher interest rates; • changing legal or regulatory developments in the United States and other countries; • conversion of the Notes; and • other events or factors, including those resulting from war, incidents of terrorism, pandemics, natural disasters or responses to these events. In addition, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many technology companies. Stock prices of many technology companies have fluctuated in a manner unrelated or disproportionate to the operating 36 performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business, results of operations, financial condition and cash flows and may cause a significant increase in the premium paid for our directors and officers insurance. We do not intend to pay dividends on our common stock, so any returns will be limited to the value of our stock. We have never declared or paid cash dividends on our common stock. We currently anticipate that we will retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors and will be dependent on a number of factors, including our financial condition, results of operations, capital requirements, share repurchases, general business conditions and other factors that our board of directors may deem relevant. Until such time that we pay a dividend, stockholders, including holders of our Notes who receive shares of our common stock upon conversion of the Notes, must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments. Anti-takeover provisions in our charter documents and under Delaware law and provisions in the indentures for our Notes could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management, thereby depressing the trading price of our common stock and Notes. Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may delay, discourage or prevent an acquisition of us or a change in our management, including transactions in which stockholders might otherwise receive a premium for their shares, or transactions that our stockholders might otherwise deem to be in their best interests. These provisions include: • authorizing ‘‘blank check’’ preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt; • a classified board of directors whose members can only be dismissed for cause; • the prohibition on actions by written consent of our stockholders; • the limitation on who may call a special meeting of stockholders; • the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and • the requirement of at least 75% of the outstanding capital stock to amend any of the foregoing second through fifth provisions. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us, unless the merger or combination is approved in a prescribed manner. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management. In addition, if a ‘‘fundamental change’’ occurs prior to the maturity date of the Notes, holders of the Notes will have the right, at their option, to require us to repurchase all or a portion of their Convertible Notes. If a ‘‘make-whole fundamental change’’ (as defined in the Indentures) occurs prior the maturity date, we will in some cases be required to increase the conversion rate of the Notes for a holder that elects to convert its Notes in connection with such ‘‘make-whole fundamental change.’’ These features of the Notes may make a potential acquisition more expensive for a potential acquiror, which may in turn make it less likely for a potential acquiror to offer to purchase our company, or reduce the amount of consideration offered for each share of our common 37 stock in a potential acquisition. Furthermore, the Indentures prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Notes. General Risks Factors Real or perceived errors, failures or bugs in our software could adversely affect our growth prospects. Because our software uses complex technology, undetected errors, failures or bugs may occur. Our software is often installed and used in a variety of computing environments with different operating system management software, and equipment and networking configurations, which may cause errors or failures of our software or other aspects of the computing environment into which it is deployed. In addition, deployment of our software into computing environments may expose undetected errors, compatibility issues, failures or bugs in our software. Despite testing by us, errors, failures or bugs may not be found in our software until it is released to our customers. Moreover, our customers could incorrectly implement or inadvertently misuse our software, which could result in customer dissatisfaction and adversely impact the perceived utility of our products as well as our brand. Any of these real or perceived errors, compatibility issues, failures or bugs in our software could result in negative publicity, reputational harm, loss of or delay in market acceptance of our software, loss of competitive position or claims by customers for losses sustained by them. In such an event, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct the problem. Alleviating any of these problems could require significant expenditures of our capital and other resources and could cause interruptions or delays in the use of our solutions, which could cause us to lose existing or potential customers and could adversely affect our operating results and growth prospects. We may require additional capital to support our business growth, and this capital might not be available on acceptable terms, or at all. We continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our software, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financing to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected. Our business is subject to the risks of fire, power outages, floods, earthquakes, pandemics and other catastrophic events, and to interruption by manmade problems such as terrorism and war. A significant natural disaster, such as a fire, flood or an earthquake, an outbreak of a pandemic disease or a significant power outage could have a material adverse impact on our business, results of operations and financial condition. In the event our customers’ IT systems or our channel partners’ selling or distribution abilities are hindered by any of these events, we may miss financial targets, such as revenues and sales targets, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenue, customers in that region may delay or forego purchases of our products, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism or war could cause disruptions in our business or the business of channel partners, customers or the economy as a whole. Given our typical concentration of sales at each quarter end, any disruption in the business of our channel partners or customers that impacts sales at the end of our quarter could have a significant adverse impact on our quarterly results. All of the aforementioned risks may be augmented if the disaster recovery plans for us and our channel partners prove to be inadequate. To the extent that any of the above results in delays or cancellations of customer orders, or the delay in the development, deployment or shipment of our products, our business, financial condition and results of operations would be adversely affected. 38 Changes in financial accounting standards may adversely impact our reported results of operations. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may adversely affect our operating results or the way we conduct our business. If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline. The trading market for our common stock depends in part on the research and reports that securities or industry analysts publish about us or our business, our market and our competitors. We do not have any control over these analysts or their expectations regarding our performance on a quarterly or annual basis. If one or more of the analysts who cover us downgrade our stock or change their opinion of our stock, our stock price would likely decline. If we fail to meet one or more of these analysts’ published expectations regarding our performance on a quarterly basis, our stock price or trading volume could decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our stock price or trading volume to decline. We are obligated to develop and maintain proper and effective internal control over financial reporting. These internal controls may not be determined to be effective, which may adversely affect investor confidence in our company and, as a result, the value of our common stock. We are required, pursuant to Section 404 of the Sarbanes–Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion on the effectiveness of our internal control over financial reporting on an annual basis. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective. If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we may be subject to investigation or sanctions by the SEC. Future sales and issuances of our capital stock or rights to purchase capital stock could result in additional dilution of the percentage ownership of our stockholders and could cause our stock price to decline. Future sales and issuances of our capital stock or rights to purchase our capital stock could result in substantial dilution to our existing stockholders. We may sell common stock, convertible securities and other equity securities in one or more transactions at prices and in a manner as we may determine from time to time. If we sell any such securities in subsequent transactions, investors may be materially diluted. New investors in such subsequent transactions could gain rights, preferences and privileges senior to those of holders of our common stock. Item 1B. Unresolved Staff Comments We do not have any unresolved comments from the SEC staff. Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, customer’s data, sensitive financial information and personal identifiable information (‘‘Information Systems and Data’’). 39 The Chief Information Security Officer (‘‘CISO’’) and the information security team that reports to the CISO help identify, assess and manage our cybersecurity and privacy threats and risks, including through the use of our external and internal risk assessments. The CISO and the information security team identify and assess risks from cybersecurity threats by monitoring and evaluating our networks, data and our risk profile using various methods including, among other things, manual tools, automated tools, analyzing reports of threats and actors, conducting scans of the computer networks, internal and/or external audits (including compliance audits with respect to ISO (27001, 27017, 27018, and 27701), SOC 2, PCI DSS and HIPAA for our corporate and cloud based software solutions), conducting assessments for potential internal and external threats, third-party-conducted risk assessments, conducting vulnerability assessments, third-party-conducted red/blue team testing and tabletop incident response exercises and subscribing to reports and services providing cybersecurity threat intelligence. Depending on the environment, we implement and maintain various technical, physical and administrative processes, measures, standards and policies designed to manage and mitigate risks from cybersecurity threats to our Information Systems and Data, including, among other things, incident detection and response plan and procedures, a vulnerability management policy, disaster recovery/business continuity plans, risk assessments, cryptography, network security controls, secured remote access, access controls, change management, physical security, asset management, secured software development lifecycle, logging and monitoring, third-party risk management programs, security awareness trainings, third-party and company penetration testing, cybersecurity insurance and dedicated cybersecurity staff. We use our own software to help further mitigate the risk of a material cybersecurity incident. In addition, our Varonis Data Security Platform is deployed internally as part of our insider threat, data security posture, security operations and compliance management programs. Our assessment and management of material risks from cybersecurity and privacy threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of our enterprise risk management program and identified in our risk register. In addition, the information security team works with management to prioritize our risks that are more likely to have a material impact on our business and our CISO evaluates material risks from cybersecurity threats against our overall business objectives and reports to the technology committee of the board of directors (the ‘‘technology committee’’) and the board of directors. In addition, the audit committee of the board of directors (the ‘‘audit committee’’) oversees our overall enterprise risk management program and receives semi-annual updates on cybersecurity and privacy threat-related risks as part of such program. We use third-party service providers to assist us from time to time to identify, assess and manage material risks from cybersecurity threats, including, among other things. cybersecurity consultants, cybersecurity software providers, penetration testing firms and other professional services firms. We use third-party service providers to perform a variety of functions throughout our business, such as SaaS providers and cloud hosting companies. We have a vendor management program designed to manage cybersecurity and privacy risks associated with our use of these providers. The program includes risk assessments for vendors, security questionnaires, review of the vendor’s written security program, review of security assessments and reports, audits, and external attack surface scans related to the vendor and imposition of information contractual obligations on the vendor. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity and privacy on the provider. For a description of the risks from cybersecurity threats that may have a material effect on us, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including ‘‘Security breaches, cyberattacks or other cyber-risks of our IT and production systems could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position.’’ Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The technology committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The technology committee meets quarterly with members of management, including our CISO, Chief Information Officer (‘‘CIO’’), Chief Technology Officer or VP of Cybersecurity Engineering, as applicable, to discuss cybersecurity developments, significant cybersecurity 40 threats and risks and the processes we have implemented to address them. The audit committee also receives presentations related to cybersecurity threats, risk and mitigation on a semi-annual basis unless more frequent discussions are necessary. The board of directors also receives a presentation from our CISO or CIO on our cybersecurity measures and risks at least annually. Our cybersecurity risk assessment and management processes are implemented and maintained by our CISO. Guy Shamilov, our CISO for the last eight years, has been a chief information security officer for nine years and is certified by Certified Information Systems Security Professional (CISSP), among other technical certifications he holds with respect to cybersecurity. He has worked over the last twenty years in the security industry, and prior to working with us, he was CISO of Tata Consultancy Services, Deputy Chief Information Security Officer of Traiana, Information Security Manager of Logic Industries, Senior Information Security Specialist of Migdal Group and Information Security and System Administrator at Matrix. Our CISO oversees the implementation and compliance of our information security standards and mitigation of information security related risks. Our CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy and communicating key priorities to relevant personnel. Our CISO is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including Security Management, the Chief Executive Officer, the Chief Financial Officer, the General Counsel, the CIO and other senior members of the Company. Such individuals work with our incident response team to help us assess, mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan includes reporting to the technology committee of the board of directors for certain cybersecurity incidents. Item 2. Properties We have offices in Herzliya, Israel where we employ the majority of our research and development team and a portion of our support and general and administrative teams. We also have offices in North Carolina and Cork, Ireland which serve as our primary U.S. and EMEA customer support and inside sales center, respectively. Additionally, we have offices in New York and Florida and smaller offices in Arizona, France, the United Kingdom, Oregon, Australia, Germany, the Netherlands, Singapore and Luxembourg which serve as regional sales offices and some of which are customer support centers. Our office space is primarily leased, the majority of which is under long-term leases with varying expiration dates. We believe that our facilities are adequate to meet our needs in the near future. Item 3. Legal Proceedings We are not currently a party to any material litigation. Item 4. Mine Safety Disclosures Not applicable. 41 PART II Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market for Registrant’s Common Equity Our common stock has been listed on The NASDAQ Global Select Market under the symbol ‘‘VRNS’’ since February 28, 2014, the date of our initial public offering. Dividend Policy We have never declared or paid cash dividends on our common stock. We currently intend to retain any future earnings for use in the operation of our business and do not intend to declare or pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our common stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant. Stockholders As of January 12, 2025 there were five stockholders of record of our common stock, including The Depository Trust Company, which holds shares of our common stock on behalf of an indeterminate number of beneficial owners. 42 STOCK PERFORMANCE GRAPH The following shall not be deemed ‘‘filed’’ for purposes of Section 18 of the Exchange Act, or incorporated by reference into any of our other filings under the Exchange Act or the Securities Act, except to the extent we specifically incorporate it by reference into such filing. This chart compares the cumulative total return on our common stock with that of the NASDAQ Composite Index and the NASDAQ Computer Index. The chart assumes $100 was invested at the close of market on December 31, 2019 in our common stock, the NASDAQ Composite Index and the NASDAQ Computer Index, and assumes the reinvestment of any dividends. The stock price performance on the following graph is not necessarily indicative of future stock price performance. The closing price of our common stock on December 31, 2024, the last trading day of our 2024 fiscal year, was $44.43 per share. Company/Index 12/31/2019 12/31/2020 12/31/2021 12/31/2022 12/31/2023 12/31/2024 Varonis Systems, Inc.. . . . . . . . . . . . . . . . . . . . . $100.00 $210.54 $188.32 $ 92.42 $174.80 $171.52 NASDAQ Composite. . . . . . . . . . . . . . . . . . . . . $100.00 $143.64 $174.36 $116.65 $167.30 $215.22 NASDAQ Computer . . . . . . . . . . . . . . . . . . . . . $100.00 $149.98 $206.76 $132.79 $221.06 $301.44 Item 6. Reserved 43 Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. This discussion contains forward-looking statements that reflect our plans, estimates and beliefs, and involve risks and uncertainties. Our actual results and the timing of certain events could differ materially from those anticipated in these forward-looking statements as a result of several factors, including those discussed in the section titled ‘‘Risk Factors’’ included under Part I, Item 1A and elsewhere in this Annual Report. See ‘‘Special Note Regarding Forward-Looking Statements and Summary Risk Factors’’ in this Annual Report. The Transition to a SaaS Delivery Model In response to the evolving needs of our customers and the growing threat landscape, we are strategically transitioning to a SaaS delivery model. This transition is driven by the increased importance of an automated, data-centric approach to security and the demand for comprehensive protection in the face of heightened cyber risks, collaboration across multiple platforms, the adoption of generative AI tools and the necessity for compliance. Enterprises now use many different combinations of on-premises and cloud data stores, SaaS applications and IaaS environments and this complexity requires a greater level of automated protection. We believe our offering provides comprehensive data coverage and our ability to address this demand has and will continue to be a key driver of our growth. In the second half of 2021, we launched our first SaaS offering, introducing new products and support for cloud infrastructure environments and applications. At the end of 2022, we announced the availability of our flagship Varonis Data Security Platform as a SaaS, which was previously only sold as a self-hosted solution. The benefits of SaaS delivery are widely established for both customers and providers, and we believe this evolution of a SaaS delivery option for the Varonis Data Security Platform is transformational. The advantages include: quicker and easier deployment and maintenance of solutions with reduced infrastructure and personnel requirements; a lower total cost of ownership; faster deployment of risk assessments, which is the core of our sales motion; enhanced threat detection; continual threat model updates; increased automation for securing data in place; and the ability to deliver additional features and functionality to customers more efficiently. In addition, our Managed Data Detection and Response (‘‘MDDR’’) offering further reduces both the likelihood of a breach and its potential impact by enabling automated 24x7x365 monitoring with a service level agreement (SLA) that requires Varonis to respond to alerts within a specified time frame. Our MDDR offering is only available for our SaaS customers because of the automation and visibility that’s built into our SaaS platform. Since launching our SaaS offerings, we have seen SaaS deployments grow significantly and expect them to continue to increase and become the primary driver of our revenues. During this transition, we expect our revenues to be negatively impacted due to revenue recognition accounting treatment variations associated with the increase in SaaS sales and existing customer conversions to SaaS. We expect these revenue variations to persist throughout the transition to a SaaS delivery model, which we believe will be complete by the end of 2025. Overview Varonis is a leader in data security as, since we started operations in 2005, we recognized that an enterprise’s capacity to create and share data far exceeded its capacity to protect it. We believed that rapid data growth combined with increasing information dependence would change the global economy and the risk profiles of corporations and governmental agencies. Our focus has been on using innovation to address the cyber-implications of these trends, creating software that provides new ways to track, alert and protect data wherever it is stored. We sell substantially all of our products and services to channel partners, including distributors and resellers, which sell to end-user customers, which we refer to in this report as our customers. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. While our products serve customers of all sizes, across industries and across geographies, the marketing focus and majority of our sales focus is on targeting larger organizations who can make sizable initial purchases with us and, over time, have a greater potential lifetime value. Our customers span 44 leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, education and construction and engineering sectors. We believe our existing customer base serves as a strong source of future incremental revenues given our broad platform of products, their growing volumes and complexity of enterprise data and related security concerns. We will continue our focus on targeting larger organizations who can make sizable purchases with us initially and over time. We are also focused on maintaining a high renewal rate by investing in the quality and reliability of our customer service and support teams to ensure our customers receive value from our products and providing software upgrades and enhancements when and if they are available. Our product offering currently contains coverage for most mission-critical cloud and on-premises data stores and cloud infrastructure environments, and many critical SaaS applications. Our renewal rate continued to be over 90% for the year ended December 31, 2024. We believe there is a significant long-term growth opportunity in both domestic and international markets, which could include any organization that relies on data stored in SaaS applications, IaaS environments, NAS devices, file shares, databases and email servers. For the year ended December 31, 2024, approximately 73% of our revenues were derived from the United States, while approximately 21% of our revenues were derived from EMEA and approximately 6% from ROW. Additionally, despite the revenue recognition variations from the accounting treatment associated with the positive trend of our increase in SaaS sales and existing customer conversions to SaaS, total revenues still grew approximately 10% for the year ended December 31, 2024 compared with the year ended December 31, 2023. We continue to expect expansion in both domestic and international markets to be key components of our long-term growth strategy. Over the last few years, we have seen changes in customer buying patterns including, some budgetary tightening and additional scrutiny on enterprise spending as a result of a higher inflation and interest rate environment. We continue to expand our domestic and international operations as part of our long-term growth strategy. While the expansion of our domestic operations is focused primarily on our underpenetrated territories, the expansion of our international operations depends in particular on our ability to hire, integrate and retain local sales leadership and personnel in these international markets, acquire new channel partners and implement an effective marketing strategy. Given the nominal amount of our ROW revenues, our ROW revenue growth rates have fluctuated in the past and may fluctuate in the future based on the timing of deal closures. In addition, the further expansion of our international operations will increase our sales and marketing and general and administrative expenses and will subject us to a variety of risks and challenges, including those related to economic and political conditions in each region, compliance with foreign laws and regulations, and compliance with domestic laws and regulations applicable to our international operations. Since inception, we have continued to scale our business and execute on strategic initiatives which we believe have positioned us for durable long-term growth. During 2024, we have continued to grow our revenues despite revenue recognition accounting treatment variations associated with the increase in SaaS sales and existing customer conversions to SaaS. For the years ended December 31, 2024, 2023 and 2022, SaaS revenues were $208.8 million, $44.4 million and $2.2 million, respectively. For the years ended December 31, 2024, 2023 and 2022, our total revenues were $551.0 million, $499.2 million and $473.6 million, respectively. For the years ended December 31, 2024, 2023 and 2022, we had operating losses of $117.7 million, $117.2 million and $121.2 million and net losses of $95.8 million, $100.9 million and $124.5 million, respectively. Instability in the Middle East Due to the war that began on October 7, 2023, a portion of our employees in Israel have been called to active reserve duty and additional employees may be called in the future, if needed. We have a business continuity plan and will remain aware and responsive to the evolving situation; however, any deterioration in the situation might have a negative impact on our operations. Key Performance Indicators and Recent Business Highlights Annual Recurring Revenues Annual recurring revenues is a key performance indicator defined as the annualized value of active SaaS contracts, term-based subscription license contracts and maintenance contracts in effect at the end of that period. SaaS contracts, term-based subscription license contracts and maintenance contracts are annualized by dividing the total contract value by the number of days in the term and multiplying the result by 365. 45 As of December 31, 2024, 2023 and 2022, ARR was $641.9 million, $543.0 million and $465.1 million, respectively, an increase of 18% and 17% period over period, respectively. The annualized value of contracts is a legal and contractual determination made by assessing the contractual terms with our customers. The annualized value of these contracts is not determined by reference to historical revenues, deferred revenues or any other GAAP financial measure over any period. ARR is not a forecast of future revenues and can be impacted by contract start and end dates and renewal rates. We expect ARR to continue to increase in absolute dollars. Transition to SaaS Delivery Model and SaaS as a Percentage of ARR Over the last three years, we have strategically expanded our offering to be delivered as SaaS solutions. Since that time, we have seen SaaS deployments grow significantly and expect them to continue to increase and become the primary driver of our revenues. Due to differences in the revenue recognition accounting treatment, the transition to a SaaS delivery model may cause significant variation in the reported revenues for a given period compared to the same period in the previous year. We expect these revenue variations to persist throughout the transition to a SaaS delivery model, which we believe will be complete by the end of 2025. As of December 31, 2024, SaaS as a percentage of total ARR was approximately 53% and we expect this percentage to continue to increase throughout the transition to a SaaS delivery model. Remaining Performance Obligations Remaining performance obligations (‘‘RPO’’) represent contracted revenues that have not yet been recognized, which includes deferred revenues and non-cancelable amounts that will be invoiced in the future. Our RPO was $729.7 million as of December 31, 2024. We expect RPO to increase in absolute dollars as we continue to transition to a SaaS delivery model. Components of Operating Results Revenues Term License Subscription Revenues. Term license subscription revenues relate to subscription license revenues which are sold on-premises and are recognized at the point in time when the software license has been delivered and the benefit of the asset has transferred. Maintenance associated with a term license subscription is recognized ratably over the term of the agreement. Due to the transition to a SaaS delivery model, we expect term license subscription revenues to continue to decline. SaaS Revenues. SaaS revenues relate to the Company’s SaaS platform. Over the last three years, the Company began to offer SaaS solutions to its customers, including its (i) flagship Data Security Platform as a SaaS that was previously only sold as a self-hosted solution and (ii) DatAdvantage Cloud product lines. Each of these products allow customers to use hosted software, and the related revenue from these products is recognized ratably over the associated contract period. We expect SaaS revenues to continue to grow considerably and become the primary driver of our revenues in 2025, which is when we believe our transition to a SaaS delivery model will be complete. Conversions from a license sold on-premises to our SaaS offering during the original subscription period are accounted for on a prospective basis. Due to the transition to a SaaS business model, the timing of renewals and renewal rates, we could produce significant variation in the revenues we recognize in a given period. Maintenance and Services Revenues. Maintenance and services revenues consist of revenues from maintenance agreements of past perpetual license sales and, to a lesser extent, professional services. Customers with maintenance agreements are entitled to receive support and unspecified upgrades and enhancements when and if they become available. We recognize the revenues associated with maintenance ratably over the associated contract period. We measure the renewal rate for our customers over a 12-month period, based on a dollar renewal rate for contracts expiring during that time period. Our renewal rate for each of the years ended December 31, 2024, 2023 and 2022 continued to be over 90%. We do not expect perpetual license revenues in the future and, therefore, we expect the associated maintenance and support to continue to decline despite the strong renewal rates due to the transition to a SaaS delivery model. We also offer professional services, generally provided on a time and materials basis, focused on training our customers in the use of our products. We recognize the revenues associated with these professional services as we deliver the services, provide the training or when the service term has expired. Professional services have always been a small percentage of our total revenues and we expect it to continue to be a small percentage. Accordingly, maintenance and services revenues are expected to continue to decline. 46 The following table sets forth the percentage of our revenues that have been derived from term license subscriptions, SaaS and maintenance and services revenues for the periods presented. Year Ended December 31, 2024 2023 2022 (as a percentage of total revenues) Revenues: Term license subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.1% 71.4% 76.8% SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37.9% 8.9% 0.5% Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.0% 19.7% 22.7% Total revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100.0% 100.0% 100.0% Our products are used by a wide range of enterprises, including Fortune 500 corporations and small and medium-sized businesses. Our customers span a broad array of industries and are located in over 95 countries. Cost of Revenues, Gross Profit and Gross Margin Cost of revenues consist primarily of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation for our customer support, customer success, MDDR and services employees; third-party hosting fees; amortization of acquired intangible assets; travel expenses; and allocated overhead costs for facilities, IT and depreciation. We recognize expenses related to these costs as they are incurred and expect that these costs will increase in absolute dollars as we continue to invest in our customer success, support and MDDR teams, move to a SaaS delivery model and support the underlying programs that play a critical role in maintaining our high renewal rate. Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. As the majority of our expenses are relatively fixed quarter over quarter and due to the seasonality of our business, the first quarter typically results in the lowest gross margin as our first quarter revenues have historically been the lowest for the year. Conversely, the fourth quarter typically results in the highest gross margin as our fourth quarter revenues have historically been the highest for the year. As we complete the transition to a SaaS delivery model, we expect this seasonality to decrease due to differences in the revenue recognition accounting treatment. Operating Expenses Operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consists of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation. Operating expenses also include allocated overhead costs for facilities, IT and depreciation. Allocated costs for facilities primarily consist of rent and office maintenance. Operating expenses are generally recognized as incurred. As a company, we have always aimed to tie our level of investment in the business to the revenues we expect to achieve and we actively manage expenses across the business. We expect personnel costs to continue to increase in absolute dollars as we continue to grow our business. Research and Development. Research and development expenses primarily consist of personnel costs attributable to our research and development personnel, as well as allocated overhead costs and acquired in-process research and development. We expense research and development costs as incurred. We expect that our research and development expenses will continue to increase in absolute dollars as we further strengthen our technology platform and invest in the development of both existing and new products through the hiring of talented and capable employees. Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, as well as marketing and business development costs, travel expenses, third-party hosting fees, training and education and allocated overhead costs. We expect that sales and marketing expenses will continue to increase in absolute dollars as we plan to expand our sales and marketing efforts, both domestically and internationally. We also expect sales and marketing expenses to continue to be our largest category of operating expenses. 47 General and Administrative. General and administrative expenses primarily consist of personnel and facility-related costs for our executive, finance, legal, human resources and administrative personnel. Other expenses are comprised of legal, accounting and other consultant fees and other corporate expenses and allocated overhead. We expect that general and administrative expenses will increase in absolute dollars as we expand our operations. Financial Income (Expenses), Net Financial income (expenses), net consists primarily of interest income, foreign exchange gains or losses, amortization of debt issuance costs and interest expense. Interest income represents interest received on our cash, cash equivalents, marketable securities, deposits and amortization of premiums and accretion of discounts related to our investment in available for sale marketable securities. Foreign exchange gains or losses relate to our business activities in foreign countries with different operational reporting currencies. As a result of our business activities in foreign countries, we expect that foreign exchange gains or losses will continue to occur due to fluctuations in exchange rates in the countries where we do business. Amortization of debt issuance costs relate to the Notes we issued in May 2020 and September 2024. Interest expense consists of the contractual interest expenses associated with the Notes. Income Taxes We operate in the U.S. and in foreign jurisdictions and are subject to taxes in each country or jurisdiction in which we conduct business. Earnings from our non-U.S. activities are subject to local country income tax and may be subject to U.S. income tax. Because of our history of operating losses, we have established a full valuation allowance against potential future benefits for deferred tax assets, including loss carryforwards. Our income tax provision could be significantly impacted by estimates surrounding our uncertain tax positions and changes to our valuation allowance in future periods. We reevaluate the judgments surrounding our estimates and make adjustments as appropriate each reporting period. In addition, we are subject to the regular examinations of our income tax returns by different tax authorities. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes. 48 Results of Operations The following tables are a summary of our consolidated statements of operations in dollars and as a percentage of our total revenues. Year Ended December 31, 2024 2023 2022 (in thousands) Statement of Operations Data: Revenues: Term license subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 254,241 $ 356,490 $ 363,898 SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208,781 44,417 2,246 Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87,928 98,253 107,490 Total revenues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550,950 499,160 473,634 Cost of revenues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93,847 71,751 69,836 Gross profit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457,103 427,409 403,798 Operating expenses: Research and development. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196,765 183,838 177,881 Sales and marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288,769 277,893 275,090 General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89,220 82,901 72,055 Total operating expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574,754 544,632 525,026 Operating loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (117,651) (117,223) (121,228) Financial income, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34,644 30,305 10,413 Loss before income taxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (83,007) (86,918) (110,815) Income taxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (12,758) (13,998) (13,703) Net loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (95,765) $(100,916) $(124,518) Year Ended December 31, 2024 2023 2022 (as a percentage of total revenues) Statement of Operations Data: Revenues: Term license subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.1% 71.4% 76.8% SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37.9 8.9 0.5 Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.0 19.7 22.7 Total revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100.0 100.0 100.0 Cost of revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17.0 14.4 14.7 Gross profit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.0 85.6 85.3 Operating expenses: Research and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35.8 36.8 37.6 Sales and marketing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.4 55.7 58.1 General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2 16.6 15.2 Total operating expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.4 109.1 110.9 Operating loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (21.4) (23.5) (25.6) Financial income, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3 6.1 2.2 Loss before income taxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (15.1) (17.4) (23.4) Income taxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (2.3) (2.8) (2.9) Net loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (17.4)% (20.2)% (26.3)% 49 Comparison of Years Ended December 31, 2024 and 2023 Revenues Year Ended December 31, 2024 2023 % Change (in thousands) Revenues: Term license subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $254,241 $356,490 (28.7)% SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208,781 44,417 370.0% Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87,928 98,253 (10.5)% Total revenues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $550,950 $499,160 10.4% Year Ended December 31, 2024 2023 (as a percentage of total revenues) Revenues: Term license subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.1% 71.4% SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37.9 8.9 Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.0 19.7 Total revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100.0% 100.0% For the year ended December 31, 2024, our revenues increased 10% compared to the year ended December 31, 2023 despite increased SaaS sales and existing customer conversions to SaaS which cause variations due to accounting treatment differences in revenue recognition for sales within the respective periods. SaaS revenues increased 370% from $44.4 million for the year ended December 31, 2023 to $208.8 million for the year ended December 31, 2024 as we continue to progress through our transition to a SaaS delivery model. The increase in SaaS revenues was driven by (i) new customer acquisitions, which are happening due to the simplicity of our SaaS platform and MDDR offering, as well as customer interest in Gen AI, (ii) existing customer conversions and (iii) our high renewal rates. Consequently, there was an expected decrease to term license subscriptions given the aforementioned transition and customer conversions, a trend we expect to continue in the coming years. ARR was $641.9 million and $543.0 million as of December 31, 2024 and 2023, respectively, representing an increase of 18%. The anticipated decrease in maintenance and services revenues was due to churn and the conversion of existing customers to SaaS despite our renewal rate continuing to be over 90% for each of the years ended December 31, 2024 and 2023. We continue to expect less associated maintenance and services revenues in the future. Cost of Revenues and Gross Margin Year Ended December 31, 2024 2023 % Change (in thousands) Cost of revenues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $93,847 $71,751 30.8% Year Ended December 31, 2024 2023 (as a percentage of total revenues) Total gross margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.0% 85.6% The increase in cost of revenues was primarily related to a $11.3 million increase in salaries and benefits and stock-based compensation expense due to increased headcount for customer success personnel to assist with the transition to a SaaS delivery model, including our recently introduced MDDR offering, and ensure high customer satisfaction and maintain our strong renewal rates. The increase is also due to a $9.9 million increase in third-party hosting costs associated with our transition to a SaaS delivery model. 50 Operating Expenses Year Ended December 31, 2024 2023 % Change (in thousands) Operating expenses: Research and development. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $196,765 $183,838 7.0% Sales and marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288,769 277,893 3.9% General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89,220 82,901 7.6% Total operating expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $574,754 $544,632 5.5% Year Ended December 31, 2024 2023 (as a percentage of total revenues) Operating expenses: Research and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35.8% 36.8% Sales and marketing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.4% 55.7% General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2% 16.6% Total operating expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.4% 109.1% The increase in research and development expenses was primarily related to a $6.7 million increase in acquired in-process research and development costs associated with our asset acquisition, a $3.2 million increase in salaries and benefits and stock-based compensation expense primarily due to increased headcount, an increase of $1.9 million in facilities and allocated overhead costs and a $0.8 million increase in third-party hosting costs associated with our transition to a SaaS delivery model. The increase in sales and marketing expenses was primarily related to an increase of $9.7 million in general sales and marketing expenses, including increased travel, marketing events and third-party hosting costs associated with our transition to a SaaS delivery model and a $1.8 million increase in salaries and benefits and stock-based compensation expense primarily due to increased headcount. The increase in general and administrative expenses was primarily related to an increase of $4.9 million in salaries and benefits and stock-based compensation expense primarily due to increased headcount to support the overall growth of our business and an increase of $0.5 million in facilities and allocated overhead costs. Financial Income, Net Year Ended December 31, 2024 2023 % Change (in thousands) Financial income, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $34,644 $30,305 14.3% The increase in financial income, net was primarily due to higher interest income, partially offset by foreign currency losses. Income Taxes Year Ended December 31, 2024 2023 % Change (in thousands) Income taxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(12,758) $(13,998) (8.9)% Income taxes for the year ended December 31, 2024, including the decrease in income taxes, were comprised of foreign and U.S. income taxes. Inflation We do not believe that inflation rates have had a material effect on our business, financial condition or results of operations in the last three fiscal years. If our costs were to become subject to significant inflationary 51 pressures, we may not be able to fully offset such higher costs through price increases. Our inability or failure to do so could harm our business, financial condition and results of operations. Comparison of Years Ended December 31, 2023 and 2022 For a comparison of our results of operations for the years ended December 31, 2023 and 2022, see ‘‘Part II, Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations’’ of our Annual Report on Form 10-K for the year ended December 31, 2023, filed with the SEC on February 6, 2024, which comparative information is herein incorporated by reference. Seasonality and Quarterly Trends When selling on-premises subscription products, our quarterly results reflect seasonality in the sale of our products and services. Historically, we have experienced a pattern of increased sales in the fourth quarter. This trend makes it difficult to achieve sequential revenue growth in the first quarter of the following year. Because of purchasing trends, demand for our products and services is typically slowest in the first quarter, resulting in a decrease in quarterly revenues from the fourth quarter to the first quarter of the subsequent fiscal year. Our gross margins and operating margins have been affected by these historical trends because the majority of our expenses are relatively fixed quarter over quarter. Our expenses, which do not vary directly with revenues, and the seasonal pattern described above have an impact on the cost of revenues, research and development expenses, sales and marketing expenses and general and administrative expenses as a percentage of revenues in each calendar quarter during the year. We expect the impact of these seasonal patterns to decline as we sell more of our SaaS offering to new customers and transition our existing customers to our SaaS platform, due to the ratable revenue recognition of SaaS. The majority of our expenses are personnel-related costs, which consist of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation. As a result, we have not experienced significant seasonal fluctuations in the timing of expenses from period to period. Liquidity and Capital Resources The following table shows our liquidity and capital resources and our cash flows from operating activities, investing activities and financing activities for the years ended December 31, 2024 and 2023. For a discussion of our liquidity and capital resources and our cash flow activities for the fiscal year ended December 31, 2022, see ‘‘Part II, Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations’’ of our Annual Report on Form 10-K for the year ended December 31, 2023, filed with the SEC on February 6, 2024, which discussion is herein incorporated by reference. Year Ended December 31, 2024 2023 (in thousands) Net cash provided by operating activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 115,200 $ 59,416 Net cash used in investing activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (532,255) (143,076) Net cash provided by (used in) financing activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371,900 (53,400) Decrease in cash and cash equivalents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (45,155) $(137,060) As of December 31, 2024, our cash and cash equivalents, short-term marketable securities and short-term deposits of $568.4 million were held for working capital purposes. We believe that our existing cash and cash equivalents, short-term marketable securities, short-term deposits and cash flow from operations will be sufficient to fund our operations and capital expenditures for at least the next 12 months. Additionally, as of December 31, 2024, we held $658.9 million in long-term marketable securities. Our future capital requirements will depend on many factors, including our rate of revenue growth, timing of renewals and renewal rates, the expansion of our sales and marketing activities, the timing and extent of spending to support product development efforts and expansion into new geographic locations, the timing of introductions of new software products and enhancements to existing software products, the continuing market acceptance of our software offerings and our use of cash to pay for acquisitions or share repurchases, if any. Operating Activities Our operating activities are driven by sales of our products less costs and expenses, primarily payroll and related expenses, and adjusted for certain non-cash items, mainly depreciation and amortization, stock-based 52 compensation, amortization of deferred commissions, non-cash operating lease costs, amortization of debt issuance costs, amortization of premium and accretion of discount on marketable securities, acquired in-process research and development costs, and changes in operating assets and liabilities. Changes in operating assets and liabilities are driven mainly by collection of accounts receivable from the sales of our software products and deferred revenue, which primarily consists of billed fees for our subscriptions, prior to satisfying the criteria for revenue recognition, which are subsequently recognized as revenue in accordance with our revenue recognition policy. For 2024, cash inflows from our operating activities were $115.2 million. We have observed two seasonal patterns that impact our net cash provided by operating activities. First, a majority of our sales are made during the last three weeks of the quarter. Second, the highest dollar amount of sales of our products and services occurs in the fourth quarter. Consequently, we end the fourth quarter with our highest accounts receivable balance of any quarter which in turn generates the greatest amount of collections in the following quarter. In addition, there is negative sequential sales in the first quarter, which results in a relatively lower amount collected during the second quarter. These seasonal trends also impact our operating loss because the majority of our expenses are relatively fixed in the short-term. For 2024, cash inflows were $102.1 million from our net loss excluding non-cash and acquired in-process research and development charges. Additional sources of cash inflows were from changes in our working capital, including a $110.4 million increase in deferred revenues, a $17.3 million increase in accrued expenses and other liabilities, a $3.6 million increase in trade payables, a $0.3 million decrease in other long-term assets and a $0.3 million increase in other long-term liabilities. This was partially offset by a $95.2 million increase in prepaid expenses and other short-term assets (including deferred commissions) and a $23.7 million increase in accounts receivable. Our days’ sales outstanding (‘‘DSO’’) for the three months and year ended December 31, 2024 was 77 and 74, respectively. For 2023, cash provided by operating activities were $59.4 million. Sources of cash inflows were $105.3 million, which included our net loss of $100.9 million, offset by non-cash charges of $206.2 million. Additional sources of cash inflows were from changes in our working capital, including a $69.9 million increase in deferred revenues and a $0.5 million increase in other long-term liabilities. This was partially offset by a $75.0 million increase in prepaid expenses and other short-term assets (including deferred commissions) and a $33.1 million increase in accounts receivable. Our DSO for the three months and year ended December 31, 2023 was 82 and 72, respectively. Other sources of cash outflows were from a $5.3 million decrease in accrued expenses and other liabilities, a $2.3 million decrease in trade payables and a $0.6 million decrease in other long-term assets. Investing Activities Our investing activities consist primarily of capital expenditures to purchase property and equipment, including leasehold improvements, purchase in-process research and development, purchase and sale of deposits and changes in our marketable securities. In the future, we expect to continue to incur capital expenditures to support our expanding operations. During 2024, net cash used in investing activities of $532.3 million was primarily attributable to net investments of $529.4 million in marketable securities, $6.7 million for in-process research and development and $6.7 million in capital expenditures to support our growth including hardware, office equipment and leasehold improvements mainly in connection with existing office space. This was partially offset by net proceeds of $10.5 million in deposits. During 2023, net cash used in investing activities of $143.1 million was primarily attributable to net investments of $216.6 million in marketable securities and $5.1 million in capital expenditures to support our growth including hardware, software, office equipment and leasehold improvements mainly in connection with existing office space. This was partially offset by net proceeds of $78.6 million in deposits. Financing Activities In 2024, net cash provided by financing activities of $371.9 million was attributable to $449.6 million of net proceeds from the issuance of convertible senior notes and $16.1 million of proceeds from employee stock plans, partially offset by $55.5 million related to purchases of capped calls associated with the convertible senior notes and $38.3 million in taxes paid related to net share settlement of equity awards. 53 In 2023, net cash used in financing activities of $53.4 million was attributable to $43.5 million of repurchases of common stock and $21.4 million in taxes paid related to net share settlement of equity awards, partially offset by $11.5 million of proceeds from employee stock plans. Convertible Notes On September 10, 2024, we issued the 2029 Notes. The net proceeds from the offering, after deducting issuance costs, were approximately $449.6 million. In connection with the issuance of the 2029 Notes, we used $55.5 million of the net proceeds to enter into Capped Call Transactions. On May 11, 2020, we issued the 2025 Notes. The net proceeds from the offering, after deducting issuance costs, were approximately $245.2 million. In connection with the issuance of the 2025 Notes, we used $29.3 million of the net proceeds to enter into Capped Call Transactions. For further information regarding the Notes and Capped Call Transactions, refer to Note 7 of our consolidated financial statements. Contractual Payment Obligations Our principal commitments primarily consist of obligations under leases for office space and motor vehicles. Aggregate minimum rental commitments under non-cancelable leases as of December 31, 2024 for the upcoming years were as follows: Payments Due by Period 2025 2026 2027 2028 2029 Thereafter Total (in thousands) Operating lease obligations. . . . . . . . . . . . . . $12,305 $12,029 $12,084 $12,088 $8,015 $10,012 $66,533 We have obligations related to unrecognized tax benefit liabilities totaling $33.3 million and others related to severance pay, which have been excluded from the table above as we do not believe it is practicable to make reliable estimates of the periods in which payments for these obligations will be made. We also have a contractual minimum purchase commitment with a service provider through August 31, 2027 totaling $7.1 million due in the next 12 months and $21.0 due thereafter and an additional $32.9 million contractual minimum purchase commitment with another service provider through December 31, 2026 with no specified annual commitments. We expect to fund these obligations with cash flows from operations and cash on our balance sheet. Off-Balance Sheet Arrangements As of December 31, 2024, we did not have any off-balance sheet arrangements. Critical Accounting Policies and Estimates We prepare our consolidated financial statements in accordance with generally accepted accounting principles in the United States. The preparation of consolidated financial statements also requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, costs and expenses and related disclosures. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances. Actual results could differ significantly from the estimates made by our management. To the extent that there are differences between our estimates and actual results, our future financial statement presentation, financial condition, results of operations and cash flows will be affected. We believe that our accounting policies discussed below are critical to understanding our historical and future performance, as these policies relate to the more significant areas involving management’s judgments and estimates. Critical accounting policies and estimates are those that we consider the most important to the portrayal of our financial condition and results of operations because they require our most difficult, subjective or complex judgments, often as a result of the need to make estimates about the effect of the matters that are inherently uncertain. Revenue Recognition: We generate revenues primarily in the form of term license subscriptions, SaaS revenues and maintenance and services fees. Term license subscription revenues are sold on-premises and are comprised of time-based licenses whereby customers use our software (including support and unspecified upgrades and enhancements 54 when and if they are available) for a specified period. SaaS revenues, including SaaS with MDDR, are provided on a subscription basis and allow customers to use hosted software. Over the last few years, the Company has introduced new products and support for cloud applications and infrastructure environments, including the Varonis Data Security Platform delivered as a SaaS, which was previously only sold as a self-hosted solution. Maintenance and services primarily consist of fees for maintenance of past perpetual license sales (including support and unspecified upgrades and enhancements when and if they are available) and to a lesser extent professional services, although the user can benefit from the software without our assistance. We sell our products worldwide to a network of distributors and value-added resellers, and payment is typically due within 30 to 60 calendar days of the invoice date. We recognize revenues in accordance with ASC No. 606, ‘‘Revenue from Contracts with Customers.’’ As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance obligation. Term license subscription software sold on-premises is recognized at the point in time when the software license has been delivered and the benefit of the asset has transferred. Maintenance associated with term license subscription software is recognized ratably over the term of the agreement since these services have a consistent continuous pattern of transfer to a customer during the contract period, and is included within the term license subscriptions line of the consolidated statements of operations. SaaS revenue is recognized ratably over the associated contract period, beginning when access is provided and the benefit of the service is available. Conversions from a license sold on-premises to the Company’s SaaS offering during the original subscription period are accounted for on a prospective basis. We recognize revenues from maintenance agreements ratably over the term of the underlying maintenance contract. The term of the maintenance contract is usually one year. Renewals of maintenance contracts create new performance obligations that are satisfied over the new term with the revenues recognized ratably over the contract period. Revenues from professional services consist mostly of time and material services. The performance obligations are satisfied, and revenues are recognized, when the services are provided or once the service term has expired. We enter into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate performance obligations. The term license software is distinct upon delivery as the customer can derive the economic benefit of the software without any additional services, updates or technical support. We allocate the transaction price to each performance obligation based on our relative standalone selling price out of the total consideration of the contract. For software licenses and maintenance included in term license subscriptions, we determine the standalone selling prices based on the price at which we separately sell a renewal contract. For professional services, we determine the standalone selling prices based on the price at which we separately sell those services. Trade receivables are generally recorded at the invoice amount mostly for a one-year period, net of an allowance for credit losses. Deferred revenues represent mostly unrecognized fees billed or collected for SaaS and maintenance contracts. Deferred revenues are recognized as (or when) we perform under the contract. Pursuant to these contracts, customers are generally not invoiced for subsequent years until the annual renewal occurs. The amount of revenues recognized in the period that was included in the opening deferred revenues balance was $177.3 million for the year ended December 31, 2024. Revenues allocated to remaining performance obligations represent contracted revenues that have not yet been recognized, which includes deferred revenues and non-cancelable amounts that will be invoiced in the future. Our remaining performance obligations were $729.7 million as of December 31, 2024, of which we expect to recognize approximately 53% as revenue over the next 12 months and the remainder thereafter. For information regarding disaggregated revenues, refer to Note 13 to our consolidated financial statements. 55 Contract Costs: We pay sales commissions to sales and marketing and certain management personnel based on their attainment of certain predetermined sales goals. Sales commissions earned by employees are considered incremental and recoverable costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts, are capitalized and amortized over an expected period of benefit. Based on our technology, customer contracts and other factors, we have determined the expected period of benefit to be approximately four years. Sales commissions for renewal contracts are capitalized and then amortized on a straight-line basis. Amortization expenses related to these costs are included in sales and marketing expenses in the accompanying consolidated statements of operations. Accounting for Stock-Based Compensation: We account for stock-based compensation in accordance with ASC No. 718, ‘‘Compensation-Stock Compensation.’’ For stock options and restricted stock units, stock-based compensation expense is measured at the grant date, based on the estimated fair value of the equity award granted, and is recognized as expense on a straight-line basis over the requisite service period. In addition, we grant performance stock units to certain employees. The number of performance stock units earned and eligible to vest are generally determined after a one-year performance period, based on achievement of certain Company financial performance measures and the recipient’s continued service. We recognize stock-based compensation expense for performance stock units using the graded vesting method over the requisite service period for each separately-vesting tranche of the award when it is probable that the performance conditions will be achieved. Compensation expense for performance stock units with financial performance measures is measured using the fair value at the date of grant and recorded over each vesting period, and may be adjusted over the vesting period based on interim estimates of performance against the pre-set objectives. We account for forfeitures as they occur for all stock-based awards. Income Taxes: We account for income taxes in accordance with ASC No. 740, using the asset and liability method whereby deferred tax assets and liability account balances are determined based on the differences between financial reporting and the tax basis for assets and liabilities and are measured using the enacted tax rates and laws that will be in effect when the differences are expected to reverse. We provide a valuation allowance, if necessary, to reduce deferred tax assets to the amounts that are more likely-than-not to be realized. ASC 740 contains a two-step approach to recognizing and measuring a liability for uncertain tax positions. The first step is to evaluate the tax position taken or expected to be taken in a tax return by determining if the weight of available evidence indicates that it is more likely than not that, on an evaluation of the technical merits, the tax position will be sustained on audit, including resolution of any related appeals or litigation processes. The second step is to measure the tax benefit as the largest amount that is more than 50% likely to be realized upon ultimate settlement. We accrue interest and penalties related to unrecognized tax provisions in our taxes on income. Recently Adopted Accounting Pronouncements In November 2023, the Financial Accounting Standards Board (‘‘FASB’’) issued Accounting Standards Update (‘‘ASU’’) 2023-07, Segment Reporting (Topic 280), Improvements to Reportable Segment Disclosures to improve reportable segment disclosure requirements through enhanced disclosures about significant segment expenses on an interim and annual basis. All disclosure requirements of ASU 2023-07 are required for entities with a single reportable segment. ASU 2023-07 is effective for fiscal years beginning after December 15, 2023, and interim periods for the fiscal years beginning after December 15, 2024. We adopted the fiscal year standard for the period beginning January 1, 2024 on a retrospective basis which resulted in updated segment disclosures. For more information on the updated segment disclosures, refer to Note 13 of our consolidated financial statements. Recently Issued Accounting Pronouncements Not Yet Adopted In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740) - Improvements to Income Tax Disclosures. The ASU requires that an entity disclose specific categories in the effective tax rate reconciliation as well as provide additional information for reconciling items that meet a quantitative threshold. 56 Further, the ASU requires certain disclosures of state versus federal income tax expense and taxes paid. The amendments in this ASU are required to be adopted for fiscal years beginning after December 15, 2024. Early adoption is permitted and the amendments should be applied on a prospective basis. We are currently evaluating the effect of adopting the ASU on our disclosures. In November 2024, the FASB issued ASU 2024-03, Income Statement-Reporting Comprehensive Income-Expense Disaggregation Disclosures (Subtopic 220-40) - Disaggregation of Income Statement Expenses. The ASU requires, among other items, additional disaggregated disclosures in the notes to financial statements for certain categories of expenses that are included on the Statements of Operations. ASU 2024-03 is effective for fiscal years beginning after December 15, 2026, and for interim periods within fiscal years beginning after December 15, 2027, with early adoption permitted, and may be applied either prospectively or retrospectively. We are currently evaluating the effect of adopting the ASU on our disclosures. 57 Item 7A. Quantitative and Qualitative Disclosures About Market Risk Market risk represents the risk of loss that may impact our financial position due to adverse changes in financial market prices and rates. Our market risk exposure is primarily a result of fluctuations in foreign currency exchange rates. We do not hold financial instruments for trading or speculative purposes. Market Risk We are exposed to certain financial risks, including fluctuations in foreign currency exchange rates and interest rates. We manage our exposure to these market risks through internally established policies and procedures. Our policies do not allow speculation in derivative instruments for profit or execution of derivative instrument contracts for which there are no underlying exposures. We do not use financial instruments for trading or speculative purposes, and we are not a party to any leveraged derivatives. We monitor our underlying market risk exposures on an ongoing basis and, where appropriate, may use hedging strategies to mitigate these risks. Foreign Currency Exchange Risk Approximately one quarter of our revenues for the years ended December 31, 2024 and 2023 were earned in non-U.S. dollar denominated currencies, mainly in the Euro and Pound Sterling. Our expenses are generally denominated in the currencies in which our operations are located, primarily the U.S. dollar and New Israeli Shekel, and to a lesser extent the Euro, Pound Sterling, Canadian dollar, Australian dollar and Singapore dollar. Our expenses denominated in foreign currencies consist primarily of personnel and overhead costs from our international operations. Our consolidated results of operations and cash flow are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign exchange rates. We enter into financial hedging strategies to reduce our exposure to foreign currency rate changes. During 2024, the effect of a hypothetical 10% change in foreign currency exchange rates applicable to our business, after considering foreign currency hedges, would not have had a material impact on our consolidated financial statements. For purposes of our consolidated financial statements, local currency assets and liabilities are translated at the rate of exchange to the U.S. dollar on the balance sheet date and local currency revenues and expenses are translated at the exchange rate at the date of the transaction or the average exchange rate during the reporting period. We use derivative financial instruments, specifically foreign currency forward contracts, to manage exposure to foreign currency risks, by hedging a portion of our forecasted revenues and expenses generally expected to occur within 12 to 24 months. A majority of our revenues and operating expenditures are transacted in U.S. dollars; however, certain revenues and operating expenditures are incurred in or exposed to other currencies, specifically, Euro and Pound Sterling for revenues, and the New Israeli Shekel, Euro and Pound Sterling for operating expenses. The effect of exchange rate changes on foreign currency forward contracts is expected to offset the effect of exchange rate changes on the underlying hedged item. We have also previously entered into forward contracts to hedge a portion of our monetary items in the balance sheet, such as trade receivables and payables, denominated in Pound Sterling and Euro for short-term periods to protect the fair value of the monetary assets and liabilities from foreign exchange rate fluctuations. The effect of exchange rate changes on foreign currency forward contracts is expected to offset the effect of exchange rate changes in the underlying hedged item which impacts financial income, net. We do not use derivative financial instruments for trading or speculative purposes. Interest Rate Risk As of December 31, 2024, we had cash and cash equivalents, short-term marketable securities and short-term deposits of $568.4 million and investments in long-term marketable securities of $658.9 million. We hold our cash and cash equivalents, short-term marketable securities and short-term deposits for working capital purposes. We do not enter into marketable security investments for trading or speculative purposes. Our cash and cash equivalents, marketable securities and short-term deposits are subject to market risk due to changes in interest rates, which may affect our interest income and the fair value of our marketable securities. Due in part to these factors, our future investment income may fluctuate due to changes in interest rates or we may suffer losses in principal if we are forced to sell securities that decline in market value due to changes in 58 interest rates. Due to the liquid and short-term nature of our cash and cash equivalents, short-term marketable securities and short-term deposit instruments, we believe that we do not have any material exposure to changes in the fair value of these instruments as a result of changes in interest rates. Additionally, because we classify our marketable securities as available-for-sale securities, no gains or losses are recognized in the consolidated statements of operations due to the changes in interest rates, unless securities are sold prior to maturity or declines in fair value are determined to be other-than-temporary. The effect of a hypothetical 100 basis point change in interest rates would not have a material impact on our consolidated financial statements. In May 2020 we issued the 2025 Notes and in September 2024 we issued the 2029 Notes, which have fixed annual interest rates at 1.25% and 1.00%, respectively, and therefore, we do not have economic interest rate exposure on the Notes. However, the values of the Notes are exposed to interest rate risk. Generally, the fair market value of our fixed interest rate Notes will increase as interest rates fall and decrease as interest rates rise. In addition, the fair values of the Notes are affected by our stock price. The fair value of the Notes will generally increase as our common stock price increases and will generally decrease as our common stock price declines in value. Additionally, we carry the Notes at face value less unamortized costs on our balance sheet, and we present the fair value for required disclosure purposes only. To the extent we enter into other long-term debt arrangements in the future, we would be subject to fluctuations in interest rates which could have a material impact on our future financial condition and results of operation. 59 Item 8. Financial Statements and Supplementary Data INDEX TO CONSOLIDATED FINANCIAL STATEMENTS Page Reports of Independent Registered Public Accounting Firm (PCAOB ID No. 1281) . . . . . . . . . . . . . . . . . . 61 Consolidated Balance Sheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Consolidated Statements of Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Consolidated Statements of Comprehensive Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Consolidated Statements of Changes in Stockholders’ Equity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Consolidated Statements of Cash Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Notes to Consolidated Financial Statements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 60 Kost Forer Gabbay & Kasierer 144 Menachem Begin Road, Building A Tel-Aviv 6492102, Israel Tel: +972-3-6232525 Fax: +972-3-5622555 ey.com REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM To the Stockholders and the Board of Directors of VARONIS SYSTEMS, INC. Opinion on the Financial Statements We have audited the accompanying consolidated balance sheets of Varonis Systems, Inc. and subsidiaries (the Company) as of December 31, 2024 and 2023, the related consolidated statements of operations, comprehensive loss, changes in stockholders’ equity and cash flows for each of the three years in the period ended December 31, 2024, and the related notes (collectively referred to as the ‘‘consolidated financial statements’’). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company at December 31, 2024 and 2023, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2024, in conformity with U.S. generally accepted accounting principles. We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting as of December 31, 2024, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) and our report dated February 6, 2025, expressed an unqualified opinion thereon. Basis for Opinion These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion. Critical Audit Matter The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved our especially challenging, subjective or complex judgments. The communication of the critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates. 61 Kost Forer Gabbay & Kasierer 144 Menachem Begin Road, Building A Tel-Aviv 6492102, Israel Tel: +972-3-6232525 Fax: +972-3-5622555 ey.com Revenue Recognition - Evaluation of standalone selling price of subscription licenses Description of the Matter As described in Note 2n to the consolidated financial statements, the Company generates revenues, among others, from term license subscriptions that are sold on-premises and are comprised of time-based licenses whereby customers use the Company’s software and maintenance associated with term license subscriptions software (which includes support and unspecified upgrades and enhancements when and if they are available) for a specified period. The term license subscriptions software and maintenance are distinct and accounted for as separate performance obligations, and the Company allocates the transaction price to each performance obligation based on its relative standalone selling price. Term license subscriptions software is recognized at the point in time when the software license has been delivered and the benefit of the asset has been transferred. Maintenance associated with term license subscriptions software is recognized ratably over the term of the agreement. The Company does not sell term license subscriptions software on a standalone basis. Therefore, the Company makes subjective assumptions to estimate the standalone selling price for each of the performance obligations and determines the standalone selling price based on observable standalone selling prices of maintenance contracts associated with past perpetual licenses. Auditing the Company’s determination of the standalone selling price for the term license subscriptions and maintenance was challenging and complex due to the high degree of judgment involved in the determination of the estimated standalone selling price. Any changes to the standalone selling price could have a significant impact on the amount and timing of revenues recognized. How We Addressed the Matter in Our Audit We obtained an understanding, evaluated the design and tested the operating effectiveness of internal controls related to the Company’s estimation of the standalone selling price for the term license subscriptions software and maintenance. We evaluated management’s standalone selling price by testing the completeness and accuracy of management’s analysis and underlying data by tracing a selection of data points from relevant transactions to management’s analysis. We also tested the mathematical accuracy of management’s related calculations. Finally, we assessed the appropriateness of the related disclosures in the consolidated financial statements. KOST FORER GABBAY & KASIERER A Member of EY Global We have served as the Company’s auditor since 2007. Tel-Aviv, Israel February 6, 2025 62 Kost Forer Gabbay & Kasierer 144 Menachem Begin Road, Building A Tel-Aviv 6492102, Israel Tel: +972-3-6232525 Fax: +972-3-5622555 ey.com REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM To the Stockholders and the Board of Directors of VARONIS SYSTEMS, INC. Opinion on Internal Control over Financial Reporting We have audited Varonis Systems, Inc. and subsidiaries’ internal control over financial reporting as of December 31, 2024, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) (the COSO criteria). In our opinion, Varonis Systems, Inc. and subsidiaries (the Company) maintained, in all material respects, effective internal control over financial reporting as of December 31, 2024, based on the COSO criteria. We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States)(PCAOB), the consolidated balance sheets of the Company as of December 31, 2024 and 2023, the related consolidated statements of operations, comprehensive loss, changes in stockholders’ equity and cash flows for each of the three years in the period ended December 31, 2024, and the related notes, and our report dated February 6, 2025, expressed an unqualified opinion thereon. Basis for Opinion The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting included in the accompanying Management’s Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. Definition and Limitations of Internal Control Over Financial Reporting A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements. 63 Kost Forer Gabbay & Kasierer 144 Menachem Begin Road, Building A Tel-Aviv 6492102, Israel Tel: +972-3-6232525 Fax: +972-3-5622555 ey.com Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. KOST FORER GABBAY & KASIERER A Member of EY Global Tel-Aviv, Israel February 6, 2025 64 VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED BALANCE SHEETS (in thousands) December 31, 2024 2023 Assets Current assets: Cash and cash equivalents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 185,585 $ 230,740 Marketable securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343,383 253,175 Short-term deposits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39,450 49,800 Trade receivables (net of allowance of $2,518 and $1,487 at December 31, 2024 and December 31, 2023, respectively) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192,832 169,116 Prepaid expenses and other short-term assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116,824 64,326 Total current assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878,074 767,157 Long-term assets: Long-term marketable securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658,896 211,063 Operating lease right-of-use assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45,593 51,838 Property and equipment, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30,795 33,964 Intangible assets, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — 1,263 Goodwill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23,135 23,135 Other assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27,782 15,490 Total long-term assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786,201 336,753 Total assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,664,275 $1,103,910 65 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED BALANCE SHEETS (in thousands, except share data) December 31, 2024 2023 Liabilities and stockholders’ equity Current liabilities: Trade payables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 4,313 $ 672 Accrued expenses and other short-term liabilities . . . . . . . . . . . . . . . . . . . . . . . . . 164,930 125,057 Convertible senior notes, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250,529 — Deferred revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290,113 181,049 Total current liabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709,885 306,778 Long-term liabilities: Convertible senior notes, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450,243 250,477 Operating lease liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42,789 51,313 Deferred revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,211 886 Other liabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,491 4,808 Total long-term liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498,734 307,484 Stockholders’ equity: Share capital Common stock of $0.001 par value - Authorized: 200,000,000 shares at December 31, 2024 and December 31, 2023; Issued and outstanding: 112,550,156 shares at December 31, 2024 and 109,103,721 shares at December 31, 2023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 109 Accumulated other comprehensive income (loss) . . . . . . . . . . . . . . . . . . . . . . . . . 2,676 (8,649) Additional paid-in capital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,193,022 1,142,578 Accumulated deficit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (740,155) (644,390) Total stockholders’ equity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455,656 489,648 Total liabilities and stockholders’ equity . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,664,275 $1,103,910 66 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED STATEMENTS OF OPERATIONS (in thousands, except share and per share data) Year ended December 31, 2024 2023 2022 Revenues: Term license subscriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 254,241 $ 356,490 $ 363,898 SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208,781 44,417 2,246 Maintenance and services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87,928 98,253 107,490 Total revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550,950 499,160 473,634 Cost of revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93,847 71,751 69,836 Gross profit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457,103 427,409 403,798 Operating expenses: Research and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196,765 183,838 177,881 Sales and marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288,769 277,893 275,090 General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89,220 82,901 72,055 Total operating expenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574,754 544,632 525,026 Operating loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (117,651) (117,223) (121,228) Financial income, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34,644 30,305 10,413 Loss before income taxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (83,007) (86,918) (110,815) Income taxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (12,758) (13,998) (13,703) Net loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (95,765) $ (100,916) $ (124,518) Net loss per share of common stock, basic and diluted . . . . . . . . $ (0.86) $ (0.92) $ (1.14) Weighted average number of shares used in computing net loss per share of common stock, basic and diluted . . . . . . . . . . . . . 111,660,541 109,141,894 109,281,368 67 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED STATEMENTS OF COMPREHENSIVE LOSS (in thousands) Year ended December 31, 2024 2023 2022 Net loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(95,765) $(100,916) $(124,518) Other comprehensive income (loss): Unrealized income (loss) on marketable securities, net of tax. . . . . . (3,448) 1,547 (300) Income (loss) on marketable securities reclassified into earnings, net of tax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (650) 401 23 (4,098) 1,948 (277) Unrealized income (loss) on derivative instruments, net of tax. . . . . 26,264 13,216 (19,181) Income (loss) on derivative instruments reclassified into earnings, net of tax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (10,841) (14,256) 3,818 15,423 (1,040) (15,363) Total other comprehensive income (loss) . . . . . . . . . . . . . . . . . . . . . . . . 11,325 908 (15,640) Comprehensive loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(84,440) $(100,008) $(140,158) 68 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED STATEMENTS OF CHANGES IN STOCKHOLDERS’ EQUITY (in thousands, except share data) Common stock Additional paid-in capital Accumulated other comprehensive income (loss) Accumulated deficit Total stockholders’ equity Number Amount Balance as of January 1, 2022. . . . . . . . . 107,509,096 $108 $1,018,005 $ 6,083 $(427,603) $ 596,593 Effect of adoption of ASU 2020-06. . . — — (30,794) — 8,647 (22,147) Stock-based compensation expense . . . — — 142,862 — — 142,862 Common stock issued under employee stock plans . . . . . . . . . . . . 3,078,402 3 12,493 — — 12,496 Taxes paid related to net share settlement of equity awards . . . . . . . — — (31,076) — — (31,076) Repurchase of common stock . . . . . . . (2,914,446) (3) (56,442) — — (56,445) Unrealized loss on derivative instruments, net of tax . . . . . . . . . . . — — — (15,363) — (15,363) Unrealized loss on available for sale securities, net of tax . . . . . . . . . . . . . — — — (277) — (277) Net loss . . . . . . . . . . . . . . . . . . . . . . . . . — — — — (124,518) (124,518) Balance as of December 31, 2022. . . . . . 107,673,052 108 1,055,048 (9,557) (543,474) 502,125 Stock-based compensation expense . . . — — 139,819 — — 139,819 Common stock issued under employee stock plans . . . . . . . . . . . . 2,931,316 2 12,647 — — 12,649 Taxes paid related to net share settlement of equity awards . . . . . . . — — (21,415) — — (21,415) Repurchase of common stock . . . . . . . (1,500,647) (1) (43,521) — — (43,522) Unrealized loss on derivative instruments, net of tax . . . . . . . . . . . — — — (1,040) — (1,040) Unrealized income on available for sale securities, net of tax . . . . . . . . . — — — 1,948 — 1,948 Net loss . . . . . . . . . . . . . . . . . . . . . . . . . — — — — (100,916) (100,916) Balance as of December 31, 2023. . . . . . 109,103,721 109 1,142,578 (8,649) (644,390) 489,648 Stock-based compensation expense . . . — — 126,682 — — 126,682 Common stock issued under employee stock plans . . . . . . . . . . . . 3,397,390 3 16,079 — — 16,082 Taxes paid related to net share settlement of equity awards . . . . . . . — — (38,295) — — (38,295) Unrealized income on derivative instruments, net of tax . . . . . . . . . . . — — — 15,423 — 15,423 Unrealized loss on available for sale securities, net of tax . . . . . . . . . . . . . — — — (4,098) — (4,098) Common stock issued for debt conversion . . . . . . . . . . . . . . . . . . . . . 49,045 1 1,500 — — 1,501 Purchase of capped calls related to Convertible senior notes. . . . . . . . . . — — (55,522) — — (55,522) Net loss . . . . . . . . . . . . . . . . . . . . . . . . . — — — — (95,765) (95,765) Balance as of December 31, 2024. . . . . . 112,550,156 $113 $1,193,022 $ 2,676 $(740,155) $ 455,656 69 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES CONSOLIDATED STATEMENTS OF CASH FLOWS (in thousands) Year ended December 31, 2024 2023 2022 Cash flows from operating activities: Net loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (95,765) $(100,916) $(124,518) Adjustments to reconcile net loss to net cash provided by operating activities: Depreciation and amortization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11,126 11,703 12,176 Stock-based compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126,682 139,819 142,862 Amortization of deferred commissions. . . . . . . . . . . . . . . . . . . . . . . . . . . 54,392 53,072 49,366 Non-cash operating lease costs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9,526 9,468 9,305 Amortization of debt issuance costs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,144 1,514 1,486 Amortization of premium and accretion of discount on marketable securities, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (12,690) (9,354) (344) Acquired in-process research and development. . . . . . . . . . . . . . . . . . . . 6,653 — — Gain from sale of property and equipment . . . . . . . . . . . . . . . . . . . . . . . — — (21) Changes in assets and liabilities: Trade receivables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (23,716) (33,137) (18,800) Prepaid expenses and other short-term assets . . . . . . . . . . . . . . . . . . . . . (35,332) (21,459) (6,161) Deferred commissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (59,820) (53,505) (49,135) Other long-term assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 (577) 502 Trade payables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,641 (2,290) (2,362) Accrued expenses and other short-term liabilities . . . . . . . . . . . . . . . . . . 17,317 (5,278) (9,115) Deferred revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110,389 69,882 5,266 Other long-term liabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 474 1,364 Net cash provided by operating activities . . . . . . . . . . . . . . . . . . . . . . . . . . 115,200 59,416 11,871 Cash flows from investing activities: Proceeds from maturities of marketable securities . . . . . . . . . . . . . . . . . . . 308,840 301,350 41,600 Proceeds from sales of marketable securities. . . . . . . . . . . . . . . . . . . . . . . . 111,552 — — Investment in marketable securities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (949,841) (517,948) (277,871) Proceeds from short-term and long-term deposits . . . . . . . . . . . . . . . . . . . . 34,795 214,444 15,961 Investment in short-term and long-term deposits. . . . . . . . . . . . . . . . . . . . . (24,254) (135,823) (142,566) Purchase of in-process research and development. . . . . . . . . . . . . . . . . . . . (6,653) — — Proceeds from sale of property and equipment . . . . . . . . . . . . . . . . . . . . . . — — 21 Purchases of property and equipment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (6,694) (5,099) (11,396) Net cash used in investing activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (532,255) (143,076) (374,251) Cash flows from financing activities: Proceeds from employee stock plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16,082 11,537 11,940 Taxes paid related to net share settlement of equity awards. . . . . . . . . . . . (38,295) (21,415) (31,077) Repurchase of common stock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — (43,522) (56,444) Proceeds from issuance of convertible senior notes, net of issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449,635 — — Purchases of capped calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (55,522) — — Net cash provided by (used in) financing activities . . . . . . . . . . . . . . . . . . 371,900 (53,400) (75,581) Decrease in cash and cash equivalents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . (45,155) (137,060) (437,961) Cash and cash equivalents at beginning of period. . . . . . . . . . . . . . . . . . . . 230,740 367,800 805,761 Cash and cash equivalents at end of period. . . . . . . . . . . . . . . . . . . . . . . . . $ 185,585 $ 230,740 $ 367,800 70 Year ended December 31, 2024 2023 2022 Supplemental disclosure of cash flow information: Cash paid for income taxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $24,249 $16,089 $7,354 Cash paid for interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 3,193 $ 3,196 $3,167 Lease liabilities arising from obtaining right-of-use assets . . . . . . . . . . . . . $ 3,148 $ 3,166 $1,625 Common stock issued for debt conversion . . . . . . . . . . . . . . . . . . . . . . . . . $ 1,501 $ — $ — 71 The accompanying notes are an integral part of these consolidated financial statements. VARONIS SYSTEMS, INC. AND SUBSIDIARIES NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (in thousands, except share and per share data) NOTE 1:- GENERAL Varonis Systems, Inc. (‘‘VSI’’ and together with its subsidiaries, collectively, the ‘‘Company’’ or ‘‘Varonis’’) was incorporated under the laws of the State of Delaware on November 3, 2004, commenced operations on January 1, 2005 and has twelve wholly-owned subsidiaries. The Company’s software specializes in data security, threat detection and response and data privacy and compliance. Varonis software enables enterprises of all sizes and industries to protect data stored in the cloud and on-premises including: sensitive files and emails; confidential personal data belonging to customers, patients and employees; financial records; source code, strategic and product plans; and other intellectual property. Recognizing the challenge of protecting data with growing volume, velocity, and variety, the Company has built an integrated platform to simplify and streamline data security, threat detection and response, and data privacy and compliance. The Company offers coverage for most mission-critical cloud and on-premises data stores and cloud infrastructure environments, and many critical SaaS applications. In 2022, Varonis announced the availability of its flagship Varonis Data Security Platform as a SaaS, which offers simpler deployment, faster time-to-value, and groundbreaking new automation capabilities that help customers prevent data breaches. The Varonis Data Security Platform helps enterprises protect data against cyberattacks from both external and internal threats. The Company’s products enable enterprises to analyze data, application and account activity and user behavior to detect and prevent attacks. Its software platform prevents or limits unauthorized use of sensitive information, detects and prevents potential cyberattacks and limits potential damage by automatically locking down data, allowing access to only those who need it and automating the removal of stale data when it is no longer useful. The broad applicability of the Company’s technology has resulted in its customers deploying its software for numerous use cases. These use cases include: automatic discovery and classification of high-risk, sensitive data; data security posture management; SaaS security posture management; automated remediation of over-exposed data; centralized visibility and risk analysis of enterprise data and monitoring of user behavior and file activity; security monitoring and risk reduction; data breach, insider threat, malware and ransomware detection with Managed Data Detection and Response (‘‘MDDR’’); automatic response to ransomware and other severe incidents to limit exposure and reduce recovery times; data ownership identification, assignment, and automatic involvement; forensics, reporting and auditing with searchable logs; meeting security policy and compliance regulation; automatic data migration; cloud migration; automation of retention and disposition policies; automatic data quarantine; intelligent archiving; and automated indexing for data subject requests related to privacy and compliance requirements. NOTE 2:- SIGNIFICANT ACCOUNTING POLICIES The consolidated financial statements are prepared according to United States generally accepted accounting principles (‘‘U.S. GAAP’’), applied on a consistent basis, as follows: a. Financial Statements in U.S. Dollars: Most of the Company’s revenues and costs are denominated in United States dollars (‘‘dollars’’). Some of the subsidiaries’ revenues and costs are incurred in Euros, the Pound Sterling, Canadian dollars, Australian dollars, Singapore dollars and New Israeli Shekels (‘‘NIS’’); however, the Company’s management believes that the dollar is the primary currency of the economic environment in which it and each of its subsidiaries operate. Thus, the dollar is the Company’s functional and reporting currency. Accordingly, transactions denominated in currencies other than the functional currency are remeasured to the functional currency in accordance with ASC No. 830, ‘‘Foreign Currency Matters’’ at the exchange rate at the date of the transaction or the average exchange rate in the quarter. At the end of each reporting period, financial assets and liabilities are remeasured to the functional currency using exchange rates in effect at the balance sheet date. Non-financial assets and liabilities are remeasured at historical exchange rates. Gains and losses related to remeasurement are recorded as financial income, net in the consolidated statements of operations as appropriate. 72 b. Principles of Consolidation: The consolidated financial statements include the accounts of VSI and its wholly-owned subsidiaries. All intercompany transactions and balances have been eliminated upon consolidation. c. Basis of Presentation: Certain amounts in prior years’ have been recast and reclassified to conform to the current year’s presentation. The reclassifications have no impact on total revenues, net loss, or cash flows from operating, investing and financing activities. d. Use of Estimates: The preparation of the consolidated financial statements in conformity with U.S. generally accepted accounting principles requires management to make estimates, judgments and assumptions. The Company’s management believes that the estimates, judgments and assumptions used are reasonable based upon information available at the time they are made. These estimates, judgments and assumptions can affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the dates of the financial statements, and the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates. On an ongoing basis, the Company’s management evaluates estimates, including those related to evaluation of standalone selling price of term license subscriptions, accounts receivable credit loss allowance, fair values of stock-based awards, deferred taxes and income tax uncertainties, and contingent liabilities. Such estimates are based on historical experience and on various other assumptions that are believed to be reasonable, the results of which form the basis for making judgments about the carrying values of assets and liabilities. e. Cash, Cash Equivalents, Marketable Securities and Short-Term Investments: The Company accounts for investments in marketable securities in accordance with ASC No. 320, ‘‘Investments—Debt and Equity Securities’’ and ASC No. 326, ‘‘Financial Instruments—Credit Losses.’’ The Company considers all highly liquid investments with a maturity of three months or less when purchased to be cash equivalents. Cash and cash equivalents consist of cash on hand, highly liquid investments in money market funds and other securities. The Company considers all investments and marketable securities purchased with maturities at the date of purchase greater than three months but less than one year to be short-term. Investments and marketable securities purchased with maturities at the date of purchase greater than one year are classified as long-term assets. Marketable securities are classified as available for sale and are, therefore, recorded at fair value on the consolidated balance sheet, with any unrealized gains and losses reported in accumulated other comprehensive loss, which is reflected as a separate component of stockholders’ equity in the Company’s consolidated balance sheets, until realized. Realized gains and losses are determined based on the specific identification method and are reported in financial income, net in the consolidated statements of operations. The amortized cost of securities is adjusted for amortization of premiums and accretion of discounts to maturity. Such amortization and accretion are included as a component of financial income, net in the consolidated statement of operations. Cash equivalents, marketable securities and deposits consist of the following (in thousands): As of December 31, 2024 Amortized Cost Gross Unrealized Gains Gross Unrealized Losses Fair Value Cash equivalents Money market funds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $133,113 $ — $— $133,113 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $133,113 $ — $— $133,113 Marketable securities US Treasury securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $342,751 $632 $— $343,383 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $342,751 $632 $— $343,383 73 As of December 31, 2024 Amortized Cost Gross Unrealized Gains Gross Unrealized Losses Fair Value Short-term deposits Term bank deposits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 39,450 $ — $ — $ 39,450 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 39,450 $ — $ — $ 39,450 Long-term marketable securities US Treasury securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $661,955 $104 $(3,163) $658,896 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $661,955 $104 $(3,163) $658,896 As of December 31, 2023 Amortized Cost Gross Unrealized Gains Gross Unrealized Losses Fair Value Cash equivalents Money market funds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $164,848 $ — $— $164,848 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $164,848 $ — $— $164,848 Marketable securities US Treasury securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $242,633 $ 530 $ (1) $243,162 US Government Agency securities . . . . . . . . . . . . . . . . . . . . . . . . . 9,972 41 — 10,013 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $252,605 $ 571 $ (1) $253,175 Short-term deposits Term bank deposits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 49,800 $ — $— $ 49,800 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 49,800 $ — $— $ 49,800 Long-term marketable securities US Treasury securities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $209,961 $1,102 $— $211,063 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $209,961 $1,102 $— $211,063 Unrealized losses associated with investments in available for sale securities have all been in a continuous unrealized loss position of less than one year as of December 31, 2024 and 2023. The gross unrealized gains and losses related to these investments were due primarily to changes in interest rates. Available for sale debt securities with an amortized cost basis in excess of estimated fair value are assessed using the credit losses model for marketable securities to determine what portion of that difference, if any, is caused by expected credit losses. Expected credit losses on available for sale debt securities are recognized in financial income, net on the consolidated statements of operations. During the years ended December 31, 2024 and 2023, the Company did not recognize an allowance for credit losses on available for sale marketable securities. A short-term bank deposit is a deposit with a maturity of more than three months but less than one year. These deposits bore interest at rates ranging from 4.34% - 5.24%, per annum, as of December 31, 2024 and a rate of 4.58% - 6.00%, per annum, as of December 31, 2023. Short-term deposits are presented at cost which approximates fair value due to their short maturities. f. Concentrations of Credit Risks: Financial instruments that potentially subject the Company to concentrations of credit risk consist principally of cash, cash equivalents, marketable securities, short-term deposits and trade receivables. The Company’s cash, cash equivalents, marketable securities and short-term deposits are invested in major banks mainly in the United States but also in France, the United Kingdom, Canada, the Netherlands, Israel, 74 Singapore, Australia, Germany, Ireland and Luxembourg. Such deposits in the United States may be in excess of insured limits and are not insured in other jurisdictions. The Company maintains cash and cash equivalents with reputable financial institutions and monitors the amount of credit exposure to each financial institution. The Company’s trade receivables are geographically diversified and derived primarily from sales to a network of distributors and value-added resellers (‘‘VARs’’) mainly in the United States and Europe. Concentration of credit risk with respect to trade receivables is limited by credit limits, ongoing credit evaluation and account monitoring procedures. The Company performs ongoing credit evaluations of its channel partners and establishes an allowance for credit losses based upon a specific review of all significant outstanding invoices, historical collection experience, customer creditworthiness, current, and future economic and market conditions. The Company writes off receivables when they are deemed uncollectible and having exhausted all collection efforts. g. Fair Value of Financial Instruments: Fair value is an exit price, representing the amount that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants. As such, fair value is a market-based measurement that should be determined based on assumptions that market participants would use in pricing an asset or a liability. A three-tier fair value hierarchy is established as a basis for considering such assumptions and for inputs used in the valuation methodologies in measuring fair value: • Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets. • Level 2: Observable inputs that reflect quoted prices for identical assets or liabilities in markets that are not active; quoted prices for similar assets or liabilities in active markets; inputs other than quoted prices that are observable for the assets or liabilities; or inputs that are derived principally from or corroborated by observable market data by correlation or other means. • Level 3: Unobservable inputs reflecting the Company’s own assumptions incorporated in valuation techniques used to determine fair value. These assumptions are required to be consistent with market participant assumptions that are reasonably available. The fair value hierarchy also requires an entity to maximize the use of observable inputs and minimize the use of unobservable inputs when measuring fair value. The carrying amounts of cash and cash equivalents, marketable securities, trade receivables, short-term deposits and trade payables approximate their fair value due to the short-term maturity of such instruments. h. Property and Equipment: Property and equipment are stated at cost, net of accumulated depreciation. Depreciation is calculated using the straight-line method over the estimated useful lives of the assets at the following annual rates: Computer equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33% Office furniture and equipment. . . . . . . . . . . . . . . . . . . . . . . 14% — 15% Leasehold improvements. . . . . . . . . . . . . . . . . . . . . . . . . . . . Over the shorter of the expected lease term or estimated useful life i. Leases: The Company has various operating leases for office space, vehicles and office equipment. The lease agreements generally do not contain any material residual value guarantees or material restrictive covenants. Some leases include one or more options to renew. The exercise of lease renewal options is typically at the Company’s sole discretion; therefore, the majority of renewals to extend the lease terms are not included in our right-of-use assets and lease liabilities as they are not reasonably certain of exercise. The Company regularly evaluates the renewal options, and, when it is reasonably certain of exercise, it will include the renewal period in its lease term. Lease modifications result in remeasurement of the right-of-use assets and lease liabilities. In addition, some of the real estate leases contain variable lease payments, including 75 payments based on a Consumer Price Index (‘‘CPI’’). Variable lease payments based on a CPI are initially measured using the index in effect at lease adoption. Additional payments based on the change in a CPI are recorded as a period expense when incurred. Further, as the implicit rate of the leases is not determinable, the Company uses an incremental borrowing rate based on the information available at the lease commencement date in determining the present value of lease payments. The Company has elected the short-term lease exception for leases with a term of 12 months or less and it does not recognize right-of-use assets and lease liabilities on the balance sheet for these leases. The Company also elected the practical expedient to not separate lease and non-lease components for all its leases. j. Goodwill and Other Long-Lived Assets, including Acquired Intangible Assets and Right-of-Use Assets: Goodwill represents the excess of the fair value of purchase consideration in a business combination over the fair value of net tangible and intangible assets acquired. Goodwill amounts are not amortized, but rather tested for impairment at least annually or more often if circumstances indicate that the carrying value may not be recoverable. The Company operates as one reporting segment and considers the enterprise to be the only reporting unit. If the carrying amount of the Company’s reporting unit exceeds its fair value, the Company recognizes an impairment loss in an amount equal to that excess, limited to the total amount of goodwill allocated to that reporting unit. No indications of impairment of goodwill were noted during the periods presented. Acquired intangible assets consist of identifiable intangible assets, including developed technology and trademarks, resulting from business combinations. Acquired finite-lived intangible assets are initially recorded at fair value and are amortized on a straight-line basis over their estimated useful lives. Amortization expense of developed technology and trademarks are recorded within cost of revenues and sales and marketing, respectively, in the consolidated statements of operations. The Company’s long-lived assets are reviewed for impairment in accordance with ASC No. 360 ‘‘Property, Plant and Equipment’’ whenever events or changes in circumstances indicate that the carrying amount of an asset (or asset group) may not be recoverable. Recoverability of assets (or asset group) to be held and used is measured by a comparison of the carrying amount of an asset to the future undiscounted cash flows expected to be generated by the assets. If such assets are considered to be impaired, the impairment to be recognized is measured by the amount by which the carrying amount of the assets exceeds the fair value of the assets. During the years ended December 31, 2024 and 2023, no impairment losses have been recorded. k. Long-Term Lease Deposits: Long-term lease deposits include long-term deposits for offices. l. Contractual Purchase Obligations and Contingent Liabilities: The Company has a contractual minimum purchase commitment with a service provider through August 31, 2027 totaling $7,127 due in the next 12 months and $21,000 due thereafter and an additional $32,926 contractual minimum purchase commitment with another service provider through December 31, 2026 with no specified annual commitments. The Company accounts for its contingent liabilities in accordance with ASC No. 450 ‘‘Contingencies.’’ A provision is recorded when it is both probable that a liability has been incurred and the amount of the loss can be reasonably estimated. With respect to legal matters, provisions are reviewed and adjusted to reflect the impact of negotiations, estimated settlements, legal rulings, advice of legal counsel and other information and events pertaining to a particular matter. As of December 31, 2024 and 2023, the Company was not a party to any litigation that could have a material adverse effect on the Company’s business, financial position, results of operations or cash flows. m. Asset Acquisition: On August 16, 2024, the Company entered into an asset purchase agreement with an unrelated third party. Substantially all of the fair value of the gross assets acquired was concentrated in the single in-process research and development (‘‘IPR&D’’) asset. Total cash considerations were $6,500, subject to potential adjustments for any indemnity claims and inclusive of approximately $3,250 related to contingent payments 76 that are estimated based upon the probability of the contingencies being satisfied. Additionally, the Company incurred approximately $153 in direct transaction costs related to the asset acquisition. The $6,653 consideration related to the IPR&D asset was expensed in the year ending December 31, 2024 and included in the Company’s consolidated statements of operations under research and development expenses, as the IPR&D asset had no alternative future use. n. Revenue Recognition: The Company generates revenues primarily in the form of term license subscriptions, SaaS revenues and maintenance and services fees. Term license subscription revenues are sold on-premises and are comprised of time-based licenses whereby customers use the Company’s software (including support and unspecified upgrades and enhancements when and if they are available) for a specified period. SaaS revenues, including SaaS with MDDR, are provided on a subscription basis and allow customers to use hosted software. Over the last few years, the Company has introduced new products and support for cloud applications and infrastructure environments, including the Varonis Data Security Platform delivered as a SaaS, which was previously only sold as a self-hosted solution. Maintenance and services primarily consist of fees for maintenance of past perpetual license sales (including support and unspecified upgrades and enhancements when and if they are available) and to a lesser extent professional services, although the user can benefit from the software without its assistance. The Company sells its products worldwide to a network of distributors and value-added resellers, and payment is typically due within 30 to 60 calendar days of the invoice date. The Company recognizes revenues in accordance with ASC No. 606, ‘‘Revenue from Contracts with Customers.’’ As such, the Company identifies a contract with a customer, identifies the performance obligations in the contract, determines the transaction price, allocates the transaction price to each performance obligation in the contract and recognizes revenues when (or as) the Company satisfies a performance obligation. Term license subscription software sold on-premises is recognized at the point in time when the software license has been delivered and the benefit of the asset has transferred. Maintenance associated with term license subscription software is recognized ratably over the term of the agreement since these services have a consistent continuous pattern of transfer to a customer during the contract period, and is included within the term license subscriptions line of the consolidated statements of operations. SaaS revenue is recognized ratably over the associated contract period, beginning when access is provided and the benefit of the service is available. Conversions from a license sold on-premises to the Company’s SaaS offering during the original subscription period are accounted for on a prospective basis. The Company recognizes revenues from maintenance agreements ratably over the term of the underlying maintenance contract. The term of the maintenance contract is usually one year. Renewals of maintenance contracts create new performance obligations that are satisfied over the new term with the revenues recognized ratably over the contract period. Revenues from professional services consist mostly of time and material services. The performance obligations are satisfied, and revenues are recognized, when the services are provided or once the service term has expired. The Company enters into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate performance obligations. The term license software is distinct upon delivery as the customer can derive the economic benefit of the software without any additional services, updates or technical support. The Company allocates the transaction price to each performance obligation based on its relative standalone selling price out of the total consideration of the contract. For software licenses and maintenance included in term license subscriptions, the Company determines the standalone selling prices based on the price at which we separately sell a renewal contract. For professional services, the Company determines the standalone selling prices based on the price at which it separately sells those services. Trade receivables are generally recorded at the invoice amount mostly for a one-year period, net of an allowance for credit losses. 77 Deferred revenues represent mostly unrecognized fees billed or collected for SaaS and maintenance contracts. Deferred revenues are recognized as (or when) the Company performs under the contract. Pursuant to these contracts, customers are generally not invoiced for subsequent years until the annual renewal occurs. The amount of revenues recognized in the period that was included in the opening deferred revenues balance was $177,321 for the year ended December 31, 2024. Revenues allocated to remaining performance obligations represent contracted revenues that have not yet been recognized, which includes deferred revenues and non-cancelable amounts that will be invoiced in the future. The Company’s remaining performance obligations were $729,690 as of December 31, 2024, of which it expects to recognize approximately 53% as revenue over the next 12 months and the remainder thereafter. For information regarding disaggregated revenues, refer to Note 13. o. Contract Costs: The Company pays sales commissions to sales and marketing and certain management personnel based on their attainment of certain predetermined sales goals. Sales commissions earned by employees are considered incremental and recoverable costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts, are capitalized and amortized over an expected period of benefit. Based on its technology, customer contracts and other factors, the Company has determined the expected period of benefit to be approximately four years. Sales commissions for renewal contracts are capitalized and then amortized on a straight-line basis. Amortization expenses related to these costs are included in sales and marketing expenses in the accompanying consolidated statements of operations. Deferred sales commissions on the Company’s consolidated balance sheets were $57,047 and $34,342 as of December 31, 2024 and 2023, respectively. Amortization expense was $54,392, $53,072 and $49,366 for the years ended December 31, 2024, 2023 and 2022, respectively. p. Cost of Revenues: Cost of revenues consist primarily of salaries (including payroll tax expense related to stock-based compensation), employee benefits (including commissions and bonuses) and stock-based compensation for the Company’s customer support, customer success, MDDR and services employees; amortization of acquired intangible assets; third-party hosting fees; travel expenses; and allocated overhead costs for facilities, IT and depreciation. q. Accounting for Stock-Based Compensation: The Company accounts for stock-based compensation in accordance with ASC No. 718, ‘‘Compensation-Stock Compensation.’’ For stock options and restricted stock units, stock-based compensation expense is measured at the grant date, based on the estimated fair value of the equity award granted, and is recognized as expense on a straight-line basis over the requisite service period. In addition, the Company grants performance stock units to certain employees. The number of performance stock units earned and eligible to vest are generally determined after a one-year performance period, based on achievement of certain Company financial performance measures and the recipient’s continued service. The Company recognizes stock-based compensation expense for performance stock units using the graded vesting method over the requisite service period for each separately-vesting tranche of the award when it is probable that the performance conditions will be achieved. Compensation expense for performance stock units with financial performance measures is measured using the fair value at the date of grant and recorded over each vesting period, and may be adjusted over the vesting period based on interim estimates of performance against the pre-set objectives. The Company accounts for forfeitures as they occur for all stock-based awards. r. Research and Development Costs: Research and development costs are charged to the statement of operations as incurred. ASC No. 985-20, ‘‘Software-Costs of Software to Be Sold, Leased, or Marketed,’’ requires capitalization of certain software development costs subsequent to the establishment of technological feasibility. 78 Based on the Company’s product development process, technological feasibility is established upon the completion of a working model. The Company does not incur material costs between the completion of the working model and the point at which the product is ready for general release. Therefore, research and development costs are charged to the statement of operations as incurred. s. Income Taxes: The Company accounts for income taxes in accordance with ASC No. 740, using the asset and liability method whereby deferred tax assets and liability account balances are determined based on the differences between financial reporting and the tax basis for assets and liabilities and are measured using the enacted tax rates and laws that will be in effect when the differences are expected to reverse. The Company provides a valuation allowance, if necessary, to reduce deferred tax assets to the amounts that are more likely-than-not to be realized. ASC 740 contains a two-step approach to recognizing and measuring a liability for uncertain tax positions. The first step is to evaluate the tax position taken or expected to be taken in a tax return by determining if the weight of available evidence indicates that it is more likely than not that, on an evaluation of the technical merits, the tax position will be sustained on audit, including resolution of any related appeals or litigation processes. The second step is to measure the tax benefit as the largest amount that is more than 50% likely to be realized upon ultimate settlement. The Company accrues interest and penalties related to unrecognized tax provisions in its taxes on income. t. Derivative Instruments: The Company’s primary objective for holding derivative instruments is to reduce its exposure to foreign currency rate changes. The Company reduces its exposure by entering into forward foreign exchange contracts with respect to revenues and operating expenses that are forecasted to be incurred in currencies other than the U.S. dollar. A majority of the Company’s revenues and operating expenditures are transacted in U.S. dollars; however, certain revenues and operating expenditures are incurred in or exposed to other currencies, specifically, Euro and Pound Sterling for revenues and the New Israeli Shekel, Euro and Pound Sterling for operating expenses. The Company has established forecasted transaction currency risk management programs to protect against fluctuations in fair value and the volatility of future cash flows caused by changes in exchange rates. The Company’s currency risk management program includes forward foreign exchange contracts designated as cash flow hedges. These forward foreign exchange contracts generally mature within 12 to 24 months. In addition, the Company has previously entered into forward contracts to hedge a portion of its monetary items in the balance sheet, such as trade receivables and payables, denominated in Euro and Pound Sterling for short-term periods (the ‘‘Fair Value Hedging Program’’). The purpose of the Fair Value Hedging Program is to protect the fair value of the monetary assets from foreign exchange rate fluctuations. Gains and losses from derivatives related to the Fair Value Hedging Program are not designated as hedging instruments. The Company does not enter into derivative financial instruments for trading or speculative purposes. 79 Derivative instruments measured at fair value and their classification on the consolidated balance sheets are presented in the following table (in thousands): Assets (liabilities) as of December 31, 2024 Assets (liabilities) as of December 31, 2023 Notional Amount Fair Value Notional Amount Fair Value Foreign exchange forward contract derivatives in cash flow hedging relationships for operating expenses included in prepaid expenses and other short-term assets . . . . . . . . . . . . . . . $131,363 $ 773 $128,411 $ 3,372 Foreign exchange forward contract derivatives in cash flow hedging relationships for operating expenses included in accrued expenses and other short-term liabilities . . . . . . . . . . . . $ 56,256 $(2,902) $ — $ — Foreign exchange forward contract derivatives in cash flow hedging relationships for operating expenses included in long-term other assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 96,950 $ 3,083 $ 33,233 $ 519 Foreign exchange forward contract derivatives in cash flow hedging relationships for operating expenses included in long-term other liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ — $ — $102,216 $(1,624) Foreign exchange forward contract derivatives in cash flow hedging relationships for revenues included in prepaid expenses and other short-term assets . . . . . . . . . . . . . . . . . . . . . . $142,051 $ 7,326 $ — $ — Foreign exchange forward contract derivatives for monetary items included in prepaid expenses and other short-term assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ — $ — $ 39,155 $ 36 Foreign exchange forward contract derivatives for monetary items included in accrued expenses and other short-term liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ — $ — $ 5,213 $ (7) For the years ended December 31, 2024, 2023 and 2022, the consolidated statements of operations reflect losses of $10,841 and $14,256 and a gain of $3,818, respectively, related to the cash flow hedges. No material ineffective hedges were recognized for the years ended December 31, 2024, 2023 and 2022 in operating expenses in the consolidated statement of operations. For the years ended December 31, 2024, 2023 and 2022, the consolidated statements of operations reflect a gain of $728, a loss of $508 and a gain of $2,146, respectively, in financial income, net, related to the Fair Value Hedging Program. u. Retirement and Severance Pay: VSI and Varonis U.S. Public Sector LLC (‘‘VPS’’) make available to its employees a retirement plan (the ‘‘U.S. Plan’’) that qualifies as a deferred salary arrangement under Section 401(k) of the Internal Revenue Code of 1986, as amended (the ‘‘Code’’). Participants in the U.S. Plan may elect to defer a portion of their pre-tax earnings, up to the Internal Revenue Service annual contribution limit. VSI and VPS match 100% of each participant’s contributions up to a maximum of 3% of the participant’s total pay and 50% of each participant’s contributions on contributions between 3% and 5% of the participant’s total pay. Each participant may contribute up to 80% of total remuneration up to the Internal Revenue Service’s annual contribution limit. Contributions to the U.S. Plan are recorded during the year contributed as an expense in the consolidated statements of operations. Varonis Systems Ltd (‘‘VSL’’) makes available to its employees, pursuant to Israel’s Severance Pay Law, severance pay equal to one month’s salary for each year of employment, or a portion thereof. The employees of the Israeli subsidiary elected to be included under section 14 of the Severance Pay Law, 1963 (‘‘section 14’’). According to this section, these employees are entitled only to monthly deposits, at a rate of 8.33% of their monthly salary, made in their name with insurance companies. Payments in accordance with section 14 release the Company from any future severance payments (under the above Israeli Severance Pay Law) in respect of those employees; therefore, related assets and liabilities are not presented in the balance sheet. 80 The Company’s liability for severance pay for the employees of its French subsidiary is calculated pursuant to French law, according to which French employees are entitled to an indemnity (a statutory redundancy). The law provides for the payment of severance payment to any employee working for the French subsidiary for at least a year. In addition, the Company also makes available pension plans to employees of other subsidiaries in which it operates. Total expenses related to retirement and severance pay amounted to $13,774, $11,707 and $11,366 for the years ended December 31, 2024, 2023 and 2022, respectively. The amount of severance payable included in other liabilities as of December 31, 2024 and 2023 is $2,952 and $2,744, respectively. v. Basic and Diluted Net Loss Per Share: Basic net loss per share is computed by dividing net loss by the weighted-average number of shares of common stock outstanding during the period. Diluted net loss per share is computed by giving effect to all potentially dilutive securities, including stock options, restricted stock units, performance stock units and the shares related to the conversion of the 1.25% Convertible Senior Notes issued by the Company on May 11, 2020 and due August 2025 in an aggregate principal amount of $253,000 (the ‘‘2025 Notes’’) and the 1.00% Convertible Senior Notes issued by the Company on September 10, 2024 and due September 2029 in an aggregate principal amount of $460,000 (the ‘‘2029 Notes’’ and, together with the 2025 Notes, the ‘‘Notes’’), to the extent dilutive. Basic and diluted net loss per share was the same for each period presented as the inclusion of all potential shares of common stock outstanding would have been anti-dilutive. There were 7,645,858, 8,824,701 and 9,054,955 potentially dilutive shares from the conversion of outstanding stock options, restricted stock units and performance stock units that were not included in the calculation of diluted net loss per share for the years ending December 31, 2024, 2023 and 2022, respectively. Additionally, 14,971,860 shares for the year ending December 31, 2024, and 8,239,254 shares for the years ending December 31, 2023 and 2022, underlying the conversion option of the Notes were not considered in the calculation of diluted net loss per share as the effect would be anti-dilutive for these years. w. Recently Adopted Accounting Pronouncements: In November 2023, the Financial Accounting Standards Board (‘‘FASB’’) issued Accounting Standards Update (‘‘ASU’’) 2023-07, Segment Reporting (Topic 280), Improvements to Reportable Segment Disclosures requiring public entities to disclose information about their reportable segments’ significant expenses and other segment items on an interim and annual basis. Public entities with a single reportable segment are required to apply the disclosure requirements in ASU 2023-07, as well as all existing segment disclosures and reconciliation requirements in ASC 280 on an interim and annual basis. ASU 2023-07 is effective for fiscal years beginning after December 15, 2023, and interim periods for the fiscal years beginning after December 15, 2024. The Company adopted the ASU 2023-07 during the year ended December 31, 2024, on a retrospective basis which resulted in updated segment disclosures. See Note 13 in the accompanying notes to the consolidated financial statements for further detail. x. Recently Issued Accounting Pronouncements Not Yet Adopted: In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740) - Improvements to Income Tax Disclosures. The ASU requires that an entity disclose specific categories in the effective tax rate reconciliation as well as provide additional information for reconciling items that meet a quantitative threshold. Further, the ASU requires certain disclosures of state versus federal income tax expense and taxes paid. The amendments in this ASU are required to be adopted for fiscal years beginning after December 15, 2024. Early adoption is permitted and the amendments should be applied on a prospective basis. The Company is currently evaluating the effect of adopting the ASU on its disclosures. In November 2024, the FASB issued ASU 2024-03, Income Statement-Reporting Comprehensive Income-Expense Disaggregation Disclosures (Subtopic 220-40) - Disaggregation of Income Statement Expenses. The ASU requires, among other items, additional disaggregated disclosures in the notes to financial statements for certain categories of expenses that are included on the consolidated Statements of 81 Operations. ASU 2024-03 is effective for fiscal years beginning after December 15, 2026, and for interim periods within fiscal years beginning after December 15, 2027, with early adoption permitted, and may be applied either prospectively or retrospectively. The Company is currently evaluating the effect of adopting the ASU on its disclosures. NOTE 3:- PREPAID EXPENSES AND OTHER SHORT-TERM ASSETS Prepaid expenses and other short-term assets consist of the following (in thousands): December 31, 2024 2023 Prepaid expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28,540 22,782 Deferred commission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34,132 21,694 Foreign currency forward contracts derivatives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8,099 3,408 Government institutions and other receivables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43,785 15,406 Short-term deposits and other. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,268 1,036 Prepaid expenses and other short-term assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $116,824 $64,326 NOTE 4:- PROPERTY AND EQUIPMENT, NET Property and equipment, net consist of the following (in thousands): December 31, 2024 2023 Cost: Computer equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $30,933 $27,949 Office furniture and equipment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6,078 5,661 Leasehold improvements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45,062 45,878 82,073 79,488 Accumulated depreciation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51,278 45,524 Property and equipment, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $30,795 $33,964 Depreciation expense of property and equipment, net for the years ended December 31, 2024, 2023 and 2022 were $9,863, $10,177 and $10,651, respectively. NOTE 5:- ACCRUED EXPENSES AND OTHER SHORT-TERM LIABILITIES Accrued expenses and other short-term liabilities consist of the following (in thousands): December 31, 2024 2023 Government authorities and other. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 59,904 $ 40,476 Accrued commissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35,868 19,287 Accrued expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30,718 27,055 Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24,693 28,183 Operating lease liabilities, current . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,845 10,049 Foreign exchange forward contract derivatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,902 7 Accrued expenses and other short-term liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $164,930 $125,057 82 NOTE 6:- LEASES The Company has various operating leases for office space, vehicles and office equipment that expire through 2032. The lease agreements generally do not contain any material residual value guarantees or material restrictive covenants. Below is a summary of the Company’s operating right-of-use assets and operating lease liabilities (in thousands): December 31, 2024 Operating lease right-of-use assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $45,593 Operating lease liabilities, current . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $10,845 Operating lease liabilities, long-term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42,789 Total operating lease liabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $53,634 Operating lease liabilities, current are included within accrued expenses and other short-term liabilities in the consolidated balance sheet. Some leases include one or more options to renew. The exercise of lease renewal options is typically at the Company’s sole discretion; therefore, the majority of renewals to extend the lease terms are not included in our right-of-use assets and lease liabilities as they are not reasonably certain of exercise. The Company regularly evaluates the renewal options, and, when it is reasonably certain of exercise, it will include the renewal period in its lease term. Lease modifications result in remeasurement of the right-of-use assets and lease liabilities. Some of the real estate leases contain variable lease payments, including payments based on a Consumer Price Index (‘‘CPI’’). Variable lease payments based on a CPI are initially measured using the index in effect at lease adoption. Additional payments based on the change in a CPI are recorded as a period expense when incurred. The Company has deposit guarantees issued by a financial institution to secure various operating lease agreements in connection with its office space. Minimum lease payments for the Company’s right-of-use assets over the remaining lease periods as of December 31, 2024, are as follows (in thousands): December 31, 2024 2025 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $12,305 2026 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,978 2027 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,174 2028 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,121 2029 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5,989 Thereafter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7,925 Total undiscounted lease payments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $57,492 Less: Imputed interest. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (3,858) Present value of lease liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $53,634 As of December 31, 2024, the Company had an additional operating lease that had not yet commenced of $9,040. This operating lease is expected to commence in the second half of 2025 with a lease term of 5 years. 83 The weighted average remaining lease terms and discount rates for all operating leases were as follows as of December 31, 2024 and 2023: December 31, 2024 2023 Weighted average remaining lease term (years) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.39 6.34 Weighted average discount rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.89% 2.90% Total operating lease cost for the years ended December 31, 2024 and 2023 were $9,812 and $9,803, inclusive of sublease income of $1,154 and $1,772, respectively. Total operating lease cost for the year ended December 31, 2022 was $9,593. NOTE 7:- CONVERTIBLE SENIOR NOTES AND CAPPED CALL TRANSACTIONS 2025 Notes The Company issued the 2025 Notes pursuant to an Indenture dated May 11, 2020 (the ‘‘2025 Indenture’’). The offering totaled $253,000 aggregate principal amount. The net proceeds to the Company after issuance costs were approximately $245,158. The Company used $29,348 of the net proceeds from the offering to pay the cost of the capped call transactions described below. The 2025 Notes will mature on August 15, 2025, unless earlier converted, redeemed or repurchased. Interest will be payable semi-annually in arrears on February 15 and August 15 of each year, at a rate of 1.25% per year. The initial conversion rate for the 2025 Notes is 32.5668 shares of the Company’s common stock for each $1,000 principal amount of the 2025 Notes, which is equivalent to an initial conversion price of approximately $30.71 per share. The conversion rate is subject to adjustment in specified events. The 2025 Notes are convertible into shares of the Company’s common stock, at the option of a holder, prior to the close of business on the business day immediately preceding February 15, 2025, under certain conditions. In addition, on or after February 15, 2025, a holder may convert all or any portion of its 2025 Notes at any time. As of December 31, 2024, the conversion feature of the 2025 Notes was triggered and therefore the 2025 Notes are currently convertible, in whole or in part, at the option of the holders as of January 1, 2025. Since the issuance of the 2025 Notes, the Company has received and settled conversion notices from holders of $1,501. Upon conversion, the Company may elect to repay the 2025 Notes in cash, shares of common stock, or a combination of both. As of December 31, 2024, the 2025 Notes mature in less than one year, as such, the 2025 Notes were classified as short-term on the Company’s consolidated balance sheet. Effective August 20, 2023, the Company may redeem the 2025 Notes for cash, at its option, subject to the terms and conditions provided in the 2025 Indenture. Prior to the adoption of ASU 2020-06 on January 1, 2022, the Company separated the 2025 Notes into liability and equity components. Following the adoption of ASU 2020-06 on January 1, 2022, which the Company elected to adopt using a modified retrospective approach, the Company no longer separates the 2025 Notes into liability and equity components. The cumulative effect of the accounting change as of January 1, 2022 was a decrease to accumulated deficit of $8,647, a decrease in additional paid-in capital of $30,794 and an increase in liabilities of $22,147 on its consolidated balance sheets. 2029 Notes The Company issued $460,000 aggregate principal amount of 1.00% Convertible Senior Notes due September 2029 pursuant to an Indenture dated September 10, 2024 (the ‘‘2029 Indenture’’), between the Company and U.S. Bank Trust Company, as trustee. The offering consisted of $400,000 aggregate principal amount plus the full exercise of the initial purchasers’ option to purchase up to an additional $60,000 aggregate principal amount. The net proceeds to the Company after issuance costs were $449,635. Separately, the Company entered into privately negotiated capped call transactions and used $55,522 of the net proceeds from the offering to pay the cost of the capped call transactions as described below. 84 The 2029 Notes will mature on September 15, 2029, unless earlier converted, redeemed or repurchased. Interest will be payable semi-annually in arrears on March 15 and September 15 of each year, beginning on March 15, 2025, at a rate of 1.00% per year. The initial conversion rate for the 2029 Notes is 14.7419 shares of the Company’s common stock for each $1,000 principal amount of the 2029 Notes which is equivalent to an initial conversion price of approximately $67.83 per share. The conversion rate is subject to adjustment in specified events. The 2029 Notes are convertible into shares of the Company’s common stock, par value $0.001 per share, at the option of a holder, prior to the close of business on the business day immediately preceding March 15, 2029, only under the following circumstances: (1) during any calendar quarter commencing after the calendar quarter ending on December 31, 2024 (and only during such calendar quarter), if the last reported sale price of the common stock for at least 20 trading days (whether or not consecutive) during the 30 consecutive trading days ending on, and including, the last trading day of the immediately preceding calendar quarter is greater than or equal to 130% of the conversion price on each applicable trading day; (2) during the five consecutive business day period immediately after any five consecutive trading day period (the ‘‘measurement period’’) in which the ‘‘trading price’’ (as defined in the 2029 Indenture) per $1,000 principal amount of the 2029 Notes, as determined following a request by a holder of the 2029 Notes in the manner described in the 2029 Indenture, for each trading day of the measurement period was less than 98% of the product of the last reported sale price of the Company’s common stock and the conversion rate on each such trading day; (3) if the Company calls any or all of the 2029 Notes for redemption, at any time prior to the close of business on the scheduled trading day immediately preceding the redemption date; or (4) upon the occurrence of certain corporate events specified in the 2029 Indenture. In addition, regardless of the foregoing circumstances, on or after March 15, 2029 until the close of business on the second scheduled trading day immediately preceding the maturity date, a holder may convert all or any portion of its 2029 Notes at any time. Upon conversion, the Company may elect to repay the 2029 Notes in cash, shares of common stock, or a combination of both. As of December 31, 2024, the 2029 Notes were classified as long-term on the Company’s consolidated balance sheet. The 2029 Notes are not redeemable at the Company’s option prior to September 20, 2027. The Company may redeem the 2029 Notes for cash, at its option, on a redemption date occurring on or after September 20, 2027, and on or prior to the 41st scheduled trading day immediately preceding the maturity date, if the last reported sale price of the Company’s common stock has been at least 130% of the conversion price then in effect for at least 20 trading days (whether or not consecutive), including the trading day immediately preceding the date on which the Company provides notice of redemption, during any 30 consecutive trading day period ending on and including the trading day immediately preceding the date on which the Company provides notice of redemption at a redemption price equal to 100% of the principal amount of the 2029 Notes to be redeemed, plus accrued and unpaid interest to, but excluding, the redemption date. If the Company undergoes a ‘‘fundamental change’’ (as defined in the 2029 Indenture), subject to certain conditions, holders may require the Company to repurchase for cash all or part of their 2029 Notes at a fundamental change repurchase price equal to 100% of the principal amount of the 2029 Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. If the Company is required to repurchase the 2029 Notes due to a fundamental change, it remains at the Company’s discretion to determine whether the settlement is in cash, shares of the Company’s common stock, or a combination of cash and shares of the Company’s common stock. The 2029 Indenture includes customary terms, including certain events of default after which the 2029 Notes may be due and payable immediately. The 2029 Notes are the Company’s unsecured obligations and rank senior in right of payment to all of the Company’s indebtedness that is expressly subordinated in right of payment to the 2029 Notes, and equal in right of payment with all of the Company’s liabilities that are not so subordinated, including the Company’s 2025 Notes. 85 The Company accounts for the 2029 Notes as a single liability measured at it amortized cost. The carrying value of the liability is represented by the face amount of the 2029 Notes, less debt issuance costs. The total offering costs upon issuance of the 2029 Notes were $10,365 and are amortized as interest expense over the term of the 2029 Notes, using the effective interest rate method. The net carrying amount of the Notes were as follows (in thousands): December 31, 2024 2025 Notes 2029 Notes Total Liability Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $251,494 $460,000 $711,494 Unamortized issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (965) (9,757) (10,722) Net carrying amount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $250,529 $450,243 $700,772 The effective interest rate for the year ended December 31, 2024 was 1.87% and 1.46% for the 2025 and 2029 Notes, respectively. The interest expense recognized related to the Notes for the years ended December 31, 2024, 2023 and 2022 were as follows (in thousands): Year ended December 31, 2024 2025 Notes 2029 Notes Total Contractual interest expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,159 $1,406 $4,565 Amortization of debt issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,550 594 2,144 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $4,709 $2,000 $6,709 Year ended December 31, 2023 2025 Notes 2029 Notes Total Contractual interest expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,163 $— $3,163 Amortization of debt issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,514 — 1,514 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $4,677 $— $4,677 Year ended December 31, 2022 2025 Notes 2029 Notes Total Contractual interest expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,162 $— $3,162 Amortization of debt issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,486 — 1,486 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $4,648 $— $4,648 As of December 31, 2024 and 2023, the total estimated fair value of the 2025 Notes was approximately $374,412 and $386,201, respectively. As of December 31, 2024, the total estimated fair value of the 2029 Notes was approximately $431,851. The fair values were determined based on the closing trading price per $100 of the Notes as of the last day of trading for the period. The fair values of the Notes are primarily affected by the trading price of our common stock and market interest rates. The fair values of the Notes are considered a Level 2 within the fair value hierarchy and were determined based on inputs that are observable in the market or that could be derived from, or corroborated with, observable market data, quoted price of the Notes in an over-the-counter market. Capped Call Transactions In May 2020 and September 2024, in connection with the pricing of the 2025 and 2029 Notes, respectively, the Company entered into privately negotiated capped call transactions (the ‘‘Capped Call Transactions’’). The Capped Call Transactions are generally expected to reduce the potential dilution to the Company’s 86 common stock upon any conversion of the Notes and/or offset any cash payments the Company is required to make in excess of the principal amount of converted Notes, as the case may be, with such reduction and/or offset subject to a cap initially equal to $47.24 and $104.36, for the 2025 and 2029 Notes, respectively, (the ‘‘Cap Price’’). The Capped Call Transactions are considered a freestanding instrument in accordance with ASC No. 480, ‘‘Distinguishing Liabilities from Equity’’, as they were entered into separately and apart from the convertible notes and since the conversion or redemption of the convertible notes does not automatically result in the exercise of the capped call. As the Capped Call Transactions are considered indexed to the Company’s stock and are considered equity classified, they are recorded in stockholders’ equity on the consolidated balance sheet and are not accounted for as derivatives. The cost of the Capped Call Transactions for the 2025 and 2029 Notes were approximately $29,348 and $55,522, respectively, and were recorded as a reduction to additional paid-in capital. NOTE 8:- GOODWILL AND INTANGIBLE ASSETS On October 29, 2020, the Company completed the acquisition of the share capital of Polyrize, a provider of software that maps and analyzes relationships between users and data across a number of cloud applications and services. Goodwill Goodwill represents the excess of the purchase price over the identifiable tangible and intangible assets acquired less liabilities assumed arising from business combinations. The Company believes the goodwill represents the synergies expected from expanded market opportunities when integrating with its offerings. All goodwill balances are subject to annual goodwill impairment testing. As of December 31, 2024, the Company concluded that no impairment for goodwill was required. Additionally, there were no additions or any other changes to the carrying amount of goodwill during the years ended December 31, 2024 and 2023. Intangible Assets Intangible assets are expensed on a straight-line basis over the useful life of the asset. The Company recorded amortization expense of $1,263, $1,525 and $1,525 for the years ended December 31, 2024, 2023 and 2022, respectively. As of December 31, 2024, all of the Company’s intangible assets were fully amortized. NOTE 9:- FAIR VALUE MEASUREMENTS The Company evaluates assets and liabilities subject to fair value measurements on a recurring basis to determine the appropriate level to classify them for each reporting period. There have been no transfers between fair value measurements levels during the years ended December 31, 2024 and 2023. The carrying amounts of cash and cash equivalents, marketable securities, trade receivables, short-term deposits and trade payables approximate their fair value due to the short-term maturity of such instruments. The following table sets forth the Company’s assets and liabilities that were measured at fair value as of December 31, 2024 and 2023 by level within the fair value hierarchy (in thousands): As of December 31, 2024 As of December 31, 2023 Level I Level II Level III Total Fair Value Level I Level II Level III Total Fair Value Financial assets: Cash equivalents: Money market funds . . . . $133,113 $ — $— $133,113 $164,848 $ — $— $164,848 Marketable securities: US Treasury securities . . . — 343,383 — 343,383 — 243,162 — 243,162 US Government Agency securities . . . . . . . . . . . — — — — — 10,013 — 10,013 87 As of December 31, 2024 As of December 31, 2023 Level I Level II Level III Total Fair Value Level I Level II Level III Total Fair Value Prepaid expenses and other short-term assets: Forward foreign exchange contracts . . . . . . . . . . . — 8,099 — 8,099 — 3,408 — 3,408 Long-term marketable securities: US Treasury securities . . . — 658,896 — 658,896 — 211,063 — 211,063 Long-term other assets: Forward foreign exchange contracts . . . . . . . . . . . — 3,083 — 3,083 — 519 — 519 Financial liabilities: Accrued expenses and other short-term liabilities: Forward foreign exchange contracts . . . . . . . . . . . — (2,902) — (2,902) — (7) — (7) Long-term other liabilities: Forward foreign exchange contracts . . . . . . . . . . . — — — — — (1,624) — (1,624) Total financial assets (liabilities), net. . . . . . . . . . . $133,113 $1,010,559 $— $1,143,672 $164,848 $466,534 $— $631,382 See Note 7 ‘‘Convertible Senior Notes and Capped Call Transactions’’ for the carrying amount and estimated fair value of the Company’s Notes as of December 31, 2024. Marketable securities are classified within Level 2 as these assets are valued using alternative pricing sources utilizing market observable inputs. NOTE 10:- STOCKHOLDERS’ EQUITY a. Common stock rights: The Company’s Amended and Restated Certificate of Incorporation authorizes the Company to issue 200,000,000 shares of common stock, par value $0.001 per share. The common stock confers upon its holders the right to participate in the general meetings of the Company, to vote at such meetings (each share represents one vote), to elect board members and to participate in any distribution of dividends or any other distribution of the Company’s property, including the distribution of surplus assets upon liquidation. b. Stock option plans: On November 14, 2013, the Company’s board of directors adopted the Varonis Systems, Inc. 2013 Omnibus Equity Incentive Plan (the ‘‘2013 Plan’’) which was subsequently approved by the Company’s stockholders. The Company initially reserved 5,713,899 shares of common stock for issuance under the 2013 Plan to employees, directors, officers and consultants of the Company and its subsidiaries. Since January 1, 2016, the share reserve under the 2013 Plan has been automatically increased by an aggregate of 27,579,672 shares. Awards granted under the 2013 Plan generally vest over four years. No awards were granted under the 2013 Plan subsequent to June 5, 2023, and no further awards will be granted under the 2013 Plan. On October 22, 2020, and as part of the Polyrize Security Ltd. (‘‘Polyrize’’) acquisition, the Company’s board of directors approved the assumption of a certain portion of Polyrize Options pursuant to the terms and conditions of the Polyrize 2019 Share Incentive (‘‘Polyrize Plan’’). No further awards were or will be granted under the Polyrize Plan. On April 20, 2023, the Company’s board of directors adopted the Varonis Systems, Inc. 2023 Omnibus Equity Incentive Plan (the ‘‘2023 Plan’’), subject to approval by our stockholders. On June 5, 2023, the Company’s stockholders approved the 2023 Plan which became effective and replaced the 2013 Plan. The 88 Company initially reserved 5,500,000 shares of common stock for issuance under the 2023 Plan to employees, directors, officers and consultants of the Company and its subsidiaries. On June 3, 2024, the Company’s stockholders approved an additional 4,400,000 shares under the 2023 Plan. A summary of employees’ stock options activities during the year ended December 31, 2024 is as follows: Year ended December 31, 2024 Number Weighted average exercise price Aggregate intrinsic value (in thousands) Weighted average remaining contractual life (years) Options outstanding as of January 1, 2024 . . . . . . . . . . . . . . . . . . 573,430 $7.564 $21,627 0.962 Granted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — $ — Exercised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (570,064) $7.575 Forfeited and expired . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — $ — Options outstanding and exercisable as of December 31, 2024 . . 3,366 $5.682 $ 130 3.490 There were no options granted in 2024 pursuant to the 2013 Plan, Polyrize Plan or 2023 Plan (collectively ‘‘Stock Plans’’). The aggregate intrinsic value in the table above represents the total intrinsic value that would have been received by the option holders had all option holders exercised their options on the last date of the period. Total intrinsic value of options exercised for the years ended December 31, 2024, 2023 and 2022 was $22,174, $2,469 and $1,612, respectively. As of December 31, 2024 there was no unrecognized compensation cost related to employees and non-employees unvested stock options as all options have vested. c. Restricted stock units (‘‘RSUs’’) and performance stock units (‘‘PSUs’’): A summary of RSUs and PSUs for employees, consultants and non-employee directors of the Company for the year ended December 31, 2024 is as follows: Number of shares underlying outstanding RSUs and PSUs Weighted-average grant date fair value Unvested balance as of January 1, 2024 . . . . . . . . . . . . . . . . . . . . . . 8,234,171 $36.83 Granted. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,864,327 $43.38 Vested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (3,224,561) $39.75 Forfeited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (1,231,445) $38.78 Unvested balance as of December 31, 2024 . . . . . . . . . . . . . . . . . . . 7,642,492 $38.60 As of December 31, 2024 and 2023, there was $181,874 and $209,546, respectively, of total unrecognized compensation cost related to employees and non-employees unvested restricted stock units and performance stock units which is expected to be recognized over a weighted-average period of 2.082 and 2.305 years, respectively. The Company grants performance stock units to certain employees under its Stock Plans. The number of performance stock units earned and eligible to vest are generally determined after a one-year performance period, based on achievement of certain Company financial performance measures and the recipient’s continued service. The Company recognizes stock-based compensation expense for performance stock units using the graded vesting method over the requisite service period for each separately-vesting tranche of the award when it is probable that the performance conditions will be achieved. Compensation expense for performance stock units with financial performance measures is measured using the fair value at the date of grant and recorded over each vesting period, and may be adjusted over the vesting period based on interim estimates of performance against the pre-set objectives. d. 2015 Employee Stock Purchase Plan 89 On May 5, 2015, the Company’s stockholders approved the Varonis Systems, Inc. 2015 Employee Stock Purchase Plan (the ‘‘ESPP’’), which the Company’s board of directors had adopted on March 19, 2015. The ESPP became effective as of June 30, 2015. The ESPP allows eligible employees to purchase shares of the Company’s common stock at a discount through payroll deductions of up to 15% of their eligible compensation, at not less than 85% of the fair market value of the Company’s common stock on the first day or last trading day in the offering period, subject to any plan limitations. The Company initially reserved 1,500,000 shares of common stock for issuance under the ESPP. The number of shares available for issuance under the ESPP was increased on January 1, 2016 and has been, and will be, increased each January 1 thereafter, by an amount equal to the lesser of (i) one percent (1%) of the number of shares of common stock issued and outstanding on each December 31 immediately prior to the date of increase, except that the amount of each such increase will be limited to the number of shares of common stock necessary to bring the total number of shares of common stock available for issuance under the ESPP to two percent (2%) of the number of shares of common stock issued and outstanding on each such December 31, or (ii) 1,200,000 shares of common stock. Since January 1, 2016, the share reserve under the ESPP has been automatically increased by an aggregate of 3,908,910 shares. The ESPP will continue in effect until the earlier of (i) the date when no shares of common stock are available for issuance thereunder or (ii) June 30, 2025; unless terminated prior thereto by the Company’s board of directors or compensation committee, each of which has the right to terminate the ESPP at any time. e. Stock-based compensation expense for employees and consultants: The Company recognized stock-based compensation expense in the consolidated statements of operations as follows (in thousands): Year ended December 31, 2024 2023 2022 Cost of revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 5,192 $ 7,221 $ 10,720 Research and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41,766 48,679 50,971 Sales and marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41,494 48,047 51,793 General and administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38,230 35,872 29,378 Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $126,682 $139,819 $142,862 f. Share Repurchase Program: In October 2022, the Company’s board of directors authorized a share repurchase program of up to $100,000 of the Company’s common stock (the ‘‘Share Repurchase Program’’). Under the Share Repurchase Program, the Company was authorized to repurchase shares through open market purchases, privately-negotiated transactions or otherwise in accordance with applicable federal securities laws, including through Rule 10b5-1 trading plans and under Rule 10b-18 of the Exchange Act. The Share Repurchase Program expired on October 31, 2023. The Company repurchased and subsequently retired 4,415,093 shares under its Share Repurchase Program, for a total of $99,967. There were no shares repurchased for the year ended December 31, 2024. NOTE 11:- INCOME TAXES a. U.S. Tax Reform: On December 22, 2017, the Tax Cuts and Jobs Act (the ‘‘TCJA’’) was signed into law. The TCJA makes broad and complex changes to the Code that impact the Company’s provision for income taxes. The changes include, but are not limited to: • Decreasing the corporate income tax rate from 35% to 21% effective for tax years beginning after December 31, 2017 (‘‘Rate Reduction’’); and • Taxation of GILTI earned by foreign subsidiaries beginning after December 31, 2017. The GILTI tax imposes a tax on foreign income in excess of a deemed return on tangible assets of foreign corporations. 90 • Beginning in 2022, the TCJA requires taxpayers to capitalize research and development expenses with amortization periods over five and fifteen years, which has increased the Company’s tax liability in the U.S. As the Company has a valuation allowance against its deferred tax assets, including capitalized research and development costs, the taxable income in the United States has increased to account for the capitalization of research and development costs starting in 2022. GILTI Tax Certain income (i.e., GILTI) earned by controlled foreign corporations (‘‘CFCs’’) must be included currently in the gross income of the CFCs’ U.S. shareholder. GILTI is the excess of the shareholder’s ‘‘net CFC tested income’’ over the net deemed tangible income return, which is the excess of (1) 10 percent of the aggregate of the U.S. shareholder’s pro rata share of the qualified business asset investment of each CFC with respect to which it is a U.S. shareholder, over (2) the amount of certain interest expense taken into account in the determination of net CFC-tested income. For 2024, the Company is not subject to tax on account of GILTI as it has net CFC tested loss on an aggregated basis. Accounting for the TCJA The Company accounted for the tax impact related to the TCJA and believes its analysis to be completed. The Company recognizes that the IRS is continuing to publish and finalize ongoing guidance which may modify accounting interpretation for the TCJA. The Company would look to account for these impacts in the period of such change is enacted. b. The Company: The Company is taxed in accordance with U.S. tax laws. As of December 31, 2024, the Company had gross federal net operating loss (‘‘NOL’’) carry-forwards of approximately $134,330, all of which can be carried forward indefinitely but can only be used to offset 80% of taxable income. As of December 31, 2024, the Company had NOL carry-forwards for state and foreign income tax purposes of approximately $141,221 and $49,459, respectively. State NOL carry-forwards of $111,542 expire between 2027-2044 and the remainder do not expire. Foreign NOL carry-forwards do not expire. In addition, as of December 31, 2024, the Company had federal research credit carryforwards of approximately $7,299. If not utilized, the federal tax carryforwards will begin to expire in 2041. A U.S. corporation’s ability to utilize its federal and state NOL and tax credit carryforwards to offset its taxable income is limited under Section 382 and Section 383 of the Code if the corporation undergoes an ownership change (within the meaning of Code Section 382). In general, an ‘‘ownership change’’ occurs whenever the percentage of the stock of a corporation owned by ‘‘5-percent shareholders’’ (within the meaning of Code Section 382) increases by more than 50 percentage points over the lowest percentage of the stock of such corporation owned by such ‘‘5-percent shareholders’’ at any time over the testing period. An ownership change within the meaning of Code Section 382 would establish an annual limitation to the amount of federal and state NOL and tax credit carryforwards the Company could utilize to offset its taxable income or income tax in any single year. The annual limitation may result in the expiration of state net operating losses and federal and state credits before utilization and in the event we have a change of ownership, utilization of the carryforwards could be restricted. c. Loss before taxes on income is comprised as follows (in thousands): Year ended December 31, 2024 2023 2022 Domestic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(19,840) $(21,491) $ (75,422) Foreign. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (63,167) (65,427) (35,393) $(83,007) $(86,918) $(110,815) 91 d. Taxes on income (loss) are comprised as follows (in thousands): Year ended December 31, 2024 2023 2022 Current: Domestic: Federal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 15 $ (1,077) $ 3,008 State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,511 2,420 1,314 Foreign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11,214 12,569 9,123 Total current income tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $12,740 $13,912 $13,445 Deferred: Domestic: Federal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 62 $ 61 $ 83 State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 21 13 Foreign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (56) 4 162 Total deferred income tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 18 $ 86 $ 258 Income tax expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $12,758 $13,998 $13,703 e. Deferred income taxes: Deferred income taxes reflect the net tax effects of temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for income tax purposes. The Company’s deferred tax assets are derived from its U.S. NOL carry-forwards and other temporary differences. ASC 740 requires an assessment of both positive and negative evidence concerning the realizability of our deferred tax assets in each jurisdiction. After considering evidence such as current and cumulative financial reporting incomes, the expected sources of future taxable income and tax planning strategies, the Company’s management concluded that a valuation allowance is required in the United States and some foreign jurisdictions. A net deferred tax liability of $434 was recorded as of December 31, 2024. Future changes in these factors, including the Company’s anticipated results, could have a significant impact on the realization of the deferred tax assets which would result in an increase or decrease to the valuation allowance and a corresponding charge to income tax expense. The Company reevaluates the judgements surrounding its estimates and makes adjustments as appropriate each reporting period. Significant components of our deferred tax assets and liabilities as of December 31, 2024 and 2023 are as follows (in thousands): December 31, 2024 2023 Deferred tax assets: Carry forward losses and credits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 42,218 $ 35,050 Deferred revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — 33,408 Accrued payroll, commissions, vacation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14,409 8,473 Equity compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36,169 33,435 Allowance for credit losses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,521 867 Accrued severance pay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 273 Operating lease liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7,226 11,786 Section 174 capitalized costs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91,706 59,321 Other. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5,367 4,079 Deferred tax assets before valuation allowance . . . . . . . . . . . . . . . . . . . . . . . . . 199,856 186,692 Valuation allowance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (181,124) (169,474) Deferred tax assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 18,732 $ 17,218 92 December 31, 2024 2023 Deferred tax liability: Deferred commissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(12,548) $ (6,830) Operating lease right-of-use assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (5,373) (9,760) Other. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (1,245) (1,069) Deferred tax liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(19,166) $(17,659) Net deferred tax asset (liability) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (434) $ (441) The change in the valuation allowance was an increase of $11,650 and $26,911 during 2024 and 2023, respectively. f. Reconciliation of the theoretical tax expenses: A reconciliation between the theoretical tax expense, assuming all income is taxed at the statutory tax rate applicable to income of the Company, and the actual tax expense as reported in the consolidated statements of operations is as follows (in thousands, except tax rate): Year ended December 31, 2024 2023 2022 Loss before taxes, as reported in the consolidated statements of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(83,007) $(86,918) $(110,815) Statutory tax rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21% 21% 21% Theoretical tax benefits on the above amount at the US statutory tax rate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $(17,431) $(18,253) $ (23,271) Income tax at rate other than the U.S. statutory tax rate . . . . . . . . . . . . 3,207 6,954 10,404 Non-deductible expenses including equity based compensation expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (339) (3,983) 941 Operating losses and other temporary differences for which valuation allowance was provided . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12,096 27,291 18,201 Research and development tax credit . . . . . . . . . . . . . . . . . . . . . . . . . . . (2,525) (1,516) — State tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (1,204) (1,780) (1,301) Impact of rate change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999 (3,199) (207) Change in tax reserve for uncertain tax positions. . . . . . . . . . . . . . . . . . 17,083 7,869 7,785 Other individually immaterial income tax items. . . . . . . . . . . . . . . . . . . 872 615 1,151 Actual tax expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ 12,758 $ 13,998 $ 13,703 g. A reconciliation of the beginning and ending amounts of unrecognized tax benefits, including interest and penalties, in the years ended December 31, 2024 and 2023 are as follows (in thousands): Gross unrecognized tax benefits as of January 1, 2023. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $17,324 Increase in tax position for current year. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9,528 Increase in tax position for prior years. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,937 Decrease in tax position for prior years . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (3,596) Gross unrecognized tax benefits as of December 31, 2023. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $25,193 Increase in tax position for current year. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,487 Increase in tax position for prior years. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7,088 Decrease in tax position for prior years . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (287) Decrease for lapse of statute of limitations/settlements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (205) Gross unrecognized tax benefits as of December 31, 2024. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $42,276 There was $42,276 of unrecognized income tax benefits that, if recognized, approximately $33,273 would impact the effective tax rate after consideration of valuation allowance on deferred tax assets in the period 93 in which each of the benefits is recognized. The Company includes interest and penalties related to unrecognized tax benefits within the provision for income taxes on the consolidated statements of operations. The total amount of interest and penalties is approximately $2,980 as of December 31, 2024, which is included in the table above. h. Foreign taxation: 1. Israeli tax benefits under the Law for the Encouragement of Capital Investments, 1959 (the ‘‘Investment Law’’): VSL has utilized various benefits under the Investment Law. Those benefits relate only to taxable income attributable to the specific investment program and are conditioned upon meeting the terms stipulated in the Investment Law, the related regulations and the applicable certificate of approval. If VSL does not fulfill these conditions, in whole or in part, the benefits will most likely be cancelled, and VSL may be required to refund the benefits, in an amount linked to the Israeli consumer price index plus interest. If cash dividends are distributed out of tax-exempt profits in a manner other than upon complete liquidation, VSL will then become liable for tax at the rate of 10% - 25% (depending on the level of foreign investments in VSL) in respect of the amount distributed. 2. Undistributed earnings of foreign subsidiaries: In general, it is the Company’s practice and intention to reinvest the earnings of its non-U.S. subsidiaries in those operations. Undistributed earnings, if any, of foreign subsidiaries are immaterial for all periods presented. Because the Company’s non-U.S. subsidiary earnings have previously been included in the computation of the one-time Transition Tax on foreign earnings required by the TCJA and throughout the years have been included in the GILTI computations, any additional taxes due with respect to such earnings or the excess of the amount for financial reporting over the tax basis of its foreign investments would generally be limited to foreign withholding taxes and/or U.S. state income taxes. i. Tax assessments: As of December 31, 2024, the Company’s federal tax returns for the years 2010 through the current period, excluding the 2016 tax year which was audited by the Internal Revenue Service, and most state tax returns for the years 2009 through the current period, are still open to examination. The Company remains open to examination to the extent net carry-over unused operating losses and tax credit attributable to those years remain unutilized. During 2023, the Israeli Tax Authority initiated an income and value added tax audit for the years 2020-2022. The Company has final income tax assessments for VSL through 2019. NOTE 12:- FINANCIAL INCOME, NET Year ended December 31, 2024 2023 2022 Financial income: Interest on bank deposits & other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $30,355 $25,207 $10,070 Amortization of premium and accretion of discount on marketable securities, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12,690 9,354 344 Foreign exchange gains, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . — 916 5,147 43,045 35,477 15,561 Financial expenses: Amortization of debt issuance costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,144 1,514 1,486 Interest expenses, principally from convertible notes. . . . . . . . . . . . . . . . . . 4,571 3,197 3,167 Foreign exchange losses, net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827 — — Bank and other charges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859 461 495 (8,401) (5,172) (5,148) Financial income, net. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $34,644 $30,305 $10,413 94 NOTE 13:- GEOGRAPHIC INFORMATION AND MAJOR CUSTOMER DATA ASC 280, ‘‘Segment Reporting,’’ establishes standards for reporting information about operating segments. Operating segments are defined as components of an enterprise about which separate financial information is available that is evaluated regularly by the chief operating decision maker (‘‘CODM’’) in deciding how to allocate resources and in assessing performance. The Company manages its business on the basis of one reportable segment and unit and derives revenues mainly from term license subscriptions, SaaS revenues and maintenance and services fees (see Note 1 for a brief description of the Company’s business and Note 2n for details on the Company’s revenue recognition). The CODM of the Company is the Chief Executive Officer. The CODM assesses the performance of the Company and decides how to allocate resources based upon consolidated net loss that is also reported within the Consolidated Statements of Operations. The measure of segment assets that is reviewed by the CODM is reported within the Consolidated Balance Sheet as consolidated Total assets. The CODM uses consolidated net loss to monitor period-over-period results and decides where to allocate and invest additional resources within the business to continue growth. The following is a summary of the significant expense categories and consolidated net loss details provided to the CODM (in thousands): Year ended December 31, 2024 2023 2022 Total revenues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $550,950 $ 499,160 $ 473,634 Less: Stock-based compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126,682 139,819 142,862 Other segment items (*). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520,033 460,257 455,290 Net loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ (95,765) $(100,916) $(124,518) (*) Other segment expense items included within net loss include payroll, financial income, net, marketing activities, overhead and depreciation, travel and entertainment, income taxes, information technology and communication, department activities, amortization of acquired intangibles and other miscellaneous expenses. See the consolidated financial statements for other financial information regarding the Company’s operating segment. Summary information about geographic areas: Year ended December 31, 2024 2023 2022 Revenues based on customer’s location: United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $400,778 $358,258 $337,269 EMEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114,355 109,587 107,848 Rest of the World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35,817 31,315 28,517 Total revenues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $550,950 $499,160 $473,634 During the years ended December 31, 2024, 2023 and 2022, respectively, there were no revenues to a single customer exceeding 10% of the Company’s total revenues. The following is a summary of long-lived assets, including property and equipment, net and operating lease right-of-use assets, within geographic areas (in thousands): December 31, 2024 2023 Long-lived assets by geographic region: Israel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $32,026 $34,755 United States. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31,725 35,791 Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11,326 13,240 Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,311 2,016 $76,388 $85,802 95 Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure There have been no changes in our independent registered public accounting firm, Kost Forer Gabbay & Kasierer, a member of EY Global, or disagreements with our accountants on matters of accounting and financial disclosure. Item 9A. Controls and Procedures Evaluation of Disclosure Controls and Procedures Our management, with the participation of our Chief Executive Officer and Chief Financial Officer, evaluated the effectiveness of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) of the Exchange Act) as of the end of the period covered by this report. Based on that evaluation, our Chief Executive Officer and Chief Financial Officer concluded that our disclosure controls and procedures as of the end of the period covered by this report were effective at a reasonable assurance level in ensuring that information required to be disclosed by us in reports that we file or submit under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. We believe that a control system, no matter how well designed and operated, cannot provide absolute assurance that the objectives of the control system are met, and no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within a company have been detected. Management’s Annual Report on Internal Control Over Financial Reporting Our management is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) of the Exchange Act). Our management conducted an evaluation of the effectiveness of our internal control over financial reporting as of December 31, 2024 based on the criteria established in Internal Control - Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on the results of its evaluation, management concluded that our internal control over financial reporting was effective as of December 31, 2024. The effectiveness of our internal control over financial reporting as of December 31, 2024 has been audited by Kost Forer Gabbay & Kasierer, a member of EY Global and an independent registered public accounting firm, as stated in their attestation report which is included in Part II, Item 8 of this Annual Report on Form 10-K. Changes in Internal Control over Financial Reporting There was no change in our internal control over financial reporting that occurred during the three months ended December 31, 2024 that has materially affected, or is reasonably likely to materially affect, our internal control over financial reporting. We regularly seek to identify, develop and implement improvements to our technology systems and business processes, some of which may affect our internal control over financial reporting. These changes may include such activities as implementing new, more efficient systems, updating existing systems or platforms, automating manual processes or utilizing technology developed by third parties. These system changes are often phased in over multiple periods in order to limit the implementation risk in any one period, and as each change is implemented we monitor its effectiveness as part of its internal control over financial reporting. Item 9B. Other Information Rule 10b5-1 Trading Plan On November 24, 2024, Guy Melamed, our Chief Financial Officer and Chief Operating Officer, entered into a Rule 10b5–1 trading arrangement. Mr. Melamed’s arrangement includes the potential sale of up to 151,534 shares of our common stock, and expires on September 2, 2025, unless earlier terminated in accordance with the provisions of the arrangement. Mr. Melamed’s arrangement is intended to satisfy the affirmative defense of Rule 10b5-1(c) under the Exchange Act. On November 24, 2024, James O’Boyle, our Vice Chairman – Sales, entered into a Rule 10b5–1 trading arrangement. Mr. O’Boyle’s arrangement includes the potential sale of up to 100,000 shares of our common stock, and expires on December 31, 2025, unless earlier terminated in accordance with the provisions of the arrangement. Mr. O’Boyle’s arrangement is intended to satisfy the affirmative defense of Rule 10b5-1(c) under the Exchange Act. 96 On December 3, 2024, Fred Van den Bosch, Director, entered into a Rule 10b5–1 trading arrangement. Mr. Van den Bosch’s arrangement includes the potential sale of up to 18,000 shares of our common stock, and expires on December 15, 2025, unless earlier terminated in accordance with the provisions of the arrangement. Mr. Van den Bosch’s arrangement is intended to satisfy the affirmative defense of Rule 10b5-1(c) under the Exchange Act. Except as described above, during the fiscal quarter ended December 31, 2024, no director or officer of the Company adopted or terminated a “Rule 10b5-1 trading arrangement” or “non-Rule 10b5-1 trading arrangement,” as each term is defined in Item 408(a) of Regulation S-K. Change of Executive Officers On February 3, 2025, in connection with a change in the reporting structure of the Company, James O’Boyle, the Company’s Vice Chairman - Sales, is no longer an executive officer of the Company, as defined under the Securities Exchange Act of 1934. In connection with this change, Greg Pomeroy, the current Senior Vice President - Worldwide Sales, became an executive officer of the Company. Change of Corporate Headquarters In the first quarter of 2025, the Company is relocating its corporate headquarters to Miami, Florida and its principal mailing address is 801 Brickell Avenue, Miami, Florida 33131. There is no change to the Company’s telephone number. All future correspondence and communications from stockholders and others to the Company should be directed to this address. Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspections Not applicable. 97 PART III Item 10. Directors, Executive Officers and Corporate Governance The information required by this item (other than the information set forth in the next paragraph in this Item 10) will be included in our definitive proxy statement with respect to our 2025 Annual Meeting of Stockholders to be filed with the SEC and is incorporated herein by reference. Code of Business Conduct and Ethics We have adopted a code of business conduct and ethics that is applicable to all of our employees, officers and directors, including our chief executive and senior financial officers. The code of business conduct and ethics is available on our website at www.varonis.com. We expect that any amendment to the code, or any waivers of its requirements, will be disclosed on our website. The inclusion of our website in this Form 10-K does not include or incorporate by reference the information on our website into this Form 10-K. Insider Trading Policy and Procedures We have adopted an insider trading policy governing the purchase, sale, and/or other dispositions of our securities by our directors, officers and employees and other covered persons. We believe these policies and procedures are reasonably designed to promote compliance with insider trading laws, rules and regulations and applicable listing standards. A copy of our Insider Trading Policy is filed as Exhibit 19.1 to this Annual Report on Form 10-K. Item 11. Executive Compensation The information called for by this item will be included in our definitive proxy statement with respect to our 2025 Annual Meeting of Stockholders to be filed with the SEC and is incorporated herein by reference. Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters The information called for by this item will be included in our definitive proxy statement with respect to our 2025 Annual Meeting of Stockholders to be filed with the SEC and is incorporated herein by reference. Item 13. Certain Relationships and Related Transactions, and Director Independence The information called for by this item will be included in our definitive proxy statement with respect to our 2025 Annual Meeting of Stockholders to be filed with the SEC and is incorporated herein by reference. Item 14. Principal Accounting Fees and Services The information called for by this item will be included in our definitive proxy statement with respect to our 2025 Annual Meeting of Stockholders to be filed with the SEC and is incorporated herein by reference. 98 PART IV Item 15. Exhibits and Financial Statement Schedules (a) Financial Statements Our consolidated financial statements are listed in the ‘‘Index to Consolidated Financial Statements’’ under Part II, Item 8 of this Annual Report on Form 10-K. All schedules are omitted because they are not applicable or the required information is shown in the financial statements or notes thereto. (b) Exhibits The exhibits listed below in the accompanying ‘‘Index to Exhibits’’ are filed or incorporated by reference as part of this Annual Report on Form 10-K. Item 16. Form 10-K Summary None. 99 SIGNATURES Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned thereunto duly authorized. VARONIS SYSTEMS, INC. February 6, 2025 By: /s/ Yakov Faitelson Yakov Faitelson Chief Executive Officer and President (Principal Executive Officer) February 6, 2025 By: /s/ Guy Melamed Guy Melamed Chief Financial Officer and Chief Operating Officer (Principal Financial Officer and Principal Accounting Officer) POWER OF ATTORNEY KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature appears below constitutes and appoints Yakov Faitelson and Guy Melamed, jointly and severally, his or her attorneys-in-fact, each with the power of substitution, for him or her in any and all capacities, to sign any amendments to this Annual Report on Form 10-K, and to file the same, with exhibits thereto and other documents in connection therewith, with the Securities and Exchange Commission, hereby ratifying and confirming all that each of said attorneys-in-fact, or his substitute or substitutes, may do or cause to be done by virtue hereof. Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the registrant in the capacities and on the dates indicated. Signature Title Date /s/ Yakov Faitelson Chief Executive Officer, President and Chairman of the Board (Principal Executive Officer) February 6, 2025 Yakov Faitelson /s/ Guy Melamed Chief Financial Officer and Chief Operating Officer (Principal Financial Officer and Principal Accounting Officer) February 6, 2025 Guy Melamed /s/ Carlos Aued Director February 6, 2025 Carlos Aued /s/ Kevin Comolli Director February 6, 2025 Kevin Comolli /s/ John J. Gavin, Jr. Director February 6, 2025 John J. Gavin, Jr. /s/ Gili Iohan Director February 6, 2025 Gili Iohan /s/ Avrohom J. Kess Director February 6, 2025 Avrohom J. Kess /s/ Ohad Korkus Director February 6, 2025 Ohad Korkus /s/ Thomas F. Mendoza Director February 6, 2025 Thomas F. Mendoza /s/ Rachel Prishkolnik Director February 6, 2025 Rachel Prishkolnik /s/ Ofer Segev Director February 6, 2025 Ofer Segev /s/ Fred Van Den Bosch Director February 6, 2025 Fred Van Den Bosch EXHIBIT INDEX Exhibit Number Description of the Document 3.1(1) Amended and Restated Certificate of Incorporation 3.2(2) Amended and Restated Bylaws 4.1 Description of Securities Registered under Section 12 of the Securities Exchange Act of 1934 4.2(3) Indenture, dated as of May 11, 2020, by and between Varonis Systems, Inc. and U.S. Bank National Association, as Trustee (including Form of Note, representing Varonis Systems, Inc.’s 1.25% Convertible Senior Notes due 2025) 4.3(4) Indenture, dated as of September 10, 2024, by and between Varonis Systems, Inc. and U.S. Bank Trust Company, National Association, as Trustee (including Form of Note, representing Varonis Systems, Inc.’s 1.00% Convertible Senior Notes due 2029) 10.1(5)† Form of Indemnification Agreement between the Company and its directors and officers 10.3(6)† 2013 Omnibus Equity Incentive Plan 10.4(7)† Amended and Restated Varonis Systems, Inc. 2023 Omnibus Equity Incentive Plan 10.4(8)† Forms of Restricted Stock Unit Award Grant Notice and Restricted Stock Unit Award Agreement under the 2013 Omnibus Equity Incentive Plan 10.5(9)† Forms of Performance-Based Restricted Stock Unit Award Grant Notice and Performance-Based Restricted Stock Unit Award Agreement under the 2013 Omnibus Equity Incentive Plan 10.6(10)† 2015 Employee Stock Purchase Plan 10.7(11)† Employment Agreement, dated as of May 15, 2024, by and between Varonis Systems, Inc. and Yakov Faitelson 10.8(12)† Employment Agreement, dated as of May 15, 2024, by and between Varonis Systems Ltd. and Yakov Faitelson 10.9† Varonis Systems Severance Plan 10.10(13)† Employment Agreement, dated as of January 31, 2024, by and between Varonis Systems, Inc. and Guy Melamed 10.11(14)† Employment Agreement, dated as of January 31, 2024, by and between Varonis Systems Ltd. and Guy Melamed 10.12(15)† Employment Agreement, dated as of February 10, 2014, by and between the Company and James O’Boyle 10.13(16)† Amendment to Employment Agreement, dated as of August 27, 2018, by and between the Company and James O’Boyle 10.14(17)† Employment Agreement, dated as of February 8, 2018, by and between Varonis Systems Ltd. and David Bass 10.15† Employment Agreement, dated as of March 12, 2021, by and between the Company and Dov Gottlieb 10.16(18) Form of Confirmation for 2020 Capped Call Transactions 10.17(19) Form of Confirmation for 2024 Capped Call Transactions 10.18(20)† Forms of Restricted Stock Unit Award Grant Notice and Restricted Stock Unit Award Agreement under the 2013 Omnibus Equity Incentive Plan (Israeli Employees) 10.19(21)† Forms of Performance-Based Restricted Stock Unit Award Grant Notice and Performance-Based Restricted Stock Unit Award Agreement under the 2013 Omnibus Equity Incentive Plan (Israeli Employees) Exhibit Number Description of the Document 10.20(22)† Forms of Restricted Stock Unit Award Grant Notice and Restricted Stock Unit Award Agreement under the Amended and Restated 2023 Omnibus Equity Incentive Plan 10.21(23)† Forms of Performance-Based Restricted Stock Unit Award Grant Notice and Performance-Based Restricted Stock Unit Award Agreement under the Amended and Restated 2023 Omnibus Equity Incentive Plan 10.22(24)† Forms of Restricted Stock Unit Award Grant Notice and Restricted Stock Unit Award Agreement under the Amended and Restated 2023 Omnibus Equity Incentive Plan (Israeli Employees) 10.23(25)† Forms of Performance-Based Restricted Stock Unit Award Grant Notice and Performance-Based Restricted Stock Unit Award Agreement under the Amended and Restated 2023 Omnibus Equity Incentive Plan (Israeli Employees) 19.1 Insider Trading Policy 21.1 List of Subsidiaries 23.1 Consent of Kost Forer Gabbay & Kasierer, a member of EY Global 31.1 Rule 13a-14(a) Certification of Chief Executive Officer and President of the Company in accordance with Section 302 of the Sarbanes-Oxley Act of 2002 31.2 Rule 13a-14(a) Certification of Chief Financial Officer of the Company in accordance with Section 302 of the Sarbanes-Oxley Act of 2002 32.1** Section 1350 Certification of Chief Executive Officer and President of the Company in accordance with Section 906 of the Sarbanes-Oxley Act of 2002 32.2** Section 1350 Certification of Chief Financial Officer of the Company in accordance with Section 906 of the Sarbanes-Oxley Act of 2002 97 Policy For The Recovery Of Erroneously Awarded Compensation 101 The following materials from the Company’s Annual Report on Form 10-K for the year ended December 31, 2024, formatted in inline XBRL (eXtensible Business Reporting Language): (i) the Consolidated Balance Sheets, (ii) the Consolidated Statements of Operations, (iii) the Consolidated Statements of Comprehensive Loss, (iv) the Unaudited Consolidated Statements of Changes in Stockholders’ Equity, (v) the Consolidated Statements of Cash Flows and (vi) related notes to these consolidated financial statements, tagged as blocks of text and in detail 104 Cover Page Interactive Data File - (formatted as Inline XBRL and contained in Exhibit 101) † Indicates management contract or compensatory plan or arrangement. ** Document has been furnished, is not deemed filed and is not to be incorporated by reference into any of the Company’s filings under the Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended, irrespective of any general incorporation language contained in any such filing. (1) Filed as Exhibit 3.1 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on May 8, 2014 (the ‘‘Company’s First Quarter 2014 Form 10-Q’’) and incorporated herein by reference. (2) Filed as Exhibit 3.2 to the Company’s Annual Report on Form 10-K filed with the SEC on February 8, 2022 (the ‘‘Company’s 2021 Form 10-K’’) and incorporated herein by reference. (3) Filed as Exhibit 4.1 to the Company’s Current Report on Form 8-K filed with the SEC on May 11, 2020 and incorporated herein by reference. (4) Filed as Exhibit 4.1 to the Company’s Current Report on Form 8-K with the Securities and Exchange Commission on September 10, 2024 and incorporated herein by reference (5) Filed as Exhibit 10.1 to the Company’s Registration Statement on Form S-1 (Registration No. 333-191840) (the ‘‘IPO Registration Statement’’) with the SEC on February 18, 2014 and incorporated herein by reference. (6) Filed as Exhibit 99.2 to the Company’s Registration Statement on Form S-8 (Registration No. 333-194657) with the SEC on March 18, 2014 and incorporated herein by reference. (7) Filed as Exhibit 10.1 to the Company’s Current Report on Form 8-K with the Securities and Exchange Commission on June 5, 2024 and incorporated herein by reference. (8) Filed as Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on August 6, 2014 (the ‘‘Company’s Third Quarter 2014 Form 10-Q’’) and incorporated herein by reference. (9) Filed as Exhibit 10.4 to the Company’s Current Report on Form 8-K filed with the SEC on June 26, 2019 and incorporated herein by reference. (10) Filed as Exhibit A of the Proxy Statement on Form DEF 14A with the SEC on March 26, 2015 and incorporated herein by reference. (11) Filed as Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on July 30, 2024 (the ‘‘Company’s Second Quarter 2024 Form 10-Q’’) and incorporated herein by reference. (12) Filed as Exhibit 10.3 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on July 30, 2024 (the ‘‘Company’s Second Quarter 2024 Form 10-Q’’) and incorporated herein by reference. (13) Filed as Exhibit 10.10 to the Company’s Annual Report on Form 10-K filed with the SEC on February 6, 2024 (the ‘‘Company’s 2023 Form 10-K’’) and incorporated herein by reference. (14) Filed as Exhibit 10.11 to the Company’s Annual Report on Form 10-K filed with the SEC on February 6, 2024 (the ‘‘Company’s 2023 Form 10-K’’) and incorporated herein by reference. (15) Filed as Exhibit 10.11 to the IPO Registration Statement with the SEC on February 18, 2014 and incorporated herein by reference. (16) Filed as Exhibit 10.3 to the Company’s Current Report on Form 8-K filed with the SEC on August 31, 2018 and incorporated herein by reference. (17) Filed as Exhibit 10.13 to the Company’s Annual Report on Form 10-K filed with the SEC on February 12, 2019 (the ‘‘Company’s 2018 Form 10-K’’) and incorporated herein by reference. (18) Filed as Exhibit 10.1 to the Company’s Current Report on Form 8-K filed with the SEC on May 11, 2020 and incorporated herein by reference. (19) Filed as Exhibit 10.1 to the Company’s Current Report on Form 8-K with the SEC on September 10, 2024 and incorporated herein by reference. (20) Filed as Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on May 3, 2022 (the ‘‘Company’s First Quarter 2022 Form 10-Q’’) and incorporated herein by reference. (21) Filed as Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on May 3, 2022 (the ‘‘Company’s First Quarter 2022 Form 10-Q’’) and incorporated herein by reference. (22) Filed as Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on August 1, 2023 (the ‘‘Company’s Second Quarter 2023 Form 10-Q’’) and incorporated herein by reference. (23) Filed as Exhibit 10.3 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on August 1, 2023 (the ‘‘Company’s Second Quarter 2023 Form 10-Q’’) and incorporated herein by reference. (24) Filed as Exhibit 10.4 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on August 1, 2023 (the ‘‘Company’s Second Quarter 2023 Form 10-Q’’) and incorporated herein by reference. (25) Filed as Exhibit 10.5 to the Company’s Quarterly Report on Form 10-Q filed with the SEC on August 1, 2023 (the ‘‘Company’s Second Quarter 2023 Form 10-Q’’) and incorporated herein by reference. 3 Annual Report MANAGEMENT TEAM BOARD OF DIRECTORS Yaki Faitelson Yaki Faitelson Fred van den Bosch Tom Mendoza Gili Iohan Kevin Comolli Ofer Segev Ohad Korkus John Gavin Jr. Carlos Aued Rachel Prishkolnik Avrohom Kess Dana Shahar Shai Cohen Golan Dov Gottlieb Greg Pomeroy David Gibson Rob Sobers Sam Wethje Jim O’Boyle Guy Melamed David Bass Gilad Raz Chief Human Resources Officer Chief of Staff Vice President & General Counsel Senior VP of Worldwide Sales Senior VP of Strategic Programs Chief Marketing Officer VP of Sales, North America Vice Chairman of Sales Executive VP of Engineering & CTO CIO & VP of Technical Services Chief Financial Officer & Chief Operating Officer CEO, President, Co-Founder & Chairman of the Board CEO, President, Co-Founder & Chairman of the Board Technology Committee, Member Director, Varonis Systems, Inc. Audit Committee, Member Technology Committee, Member Director, Varonis Systems, Inc. Partner, Ion Crossover Partners Nominating and Governance Committee, Chairperson Compensation Committee, Member Partner, Accel Compensation Committee, Member Nominating and Governance Committee, Member Technology Committee, Member Chief Financial Officer, Windward Ltd. Audit Committee, Member Director & Co-Founder, Varonis Systems, Inc. Technology Committee, Chairperson Independent Lead Director, Varonis Systems, Inc. Audit Committee, Chairperson Nominating and Governance Committee, Member Technology Committee, Member Director, Varonis Systems, Inc. Legal Counsel, SolarEdge Technologies, Inc. Compensation Committee, Member Vice Chairman & Chief Legal Officer, The Travelers Companies, Inc. Compensation Committee, Chairperson www.varonis.com Protect sensitive data. Automate compliance. Varonis is the leader in data security, fighting a different battle than conventional cybersecurity companies. Our cloud-native Data Security Platform continuously discovers and classifies critical data, removes exposures, and detects advanced threats with AI- powered automation. Thousands of organizations worldwide trust Varonis to defend their data wherever it lives — across SaaS, IaaS, and hybrid cloud environments. Customers use Varonis to automate a wide range of security outcomes, including data security posture management (DSPM), data classification, data access governance (DAG), data detection and response (DDR), data loss prevention (DLP), and insider risk management.