Brad Zelnick — Analyst, Deutsche Bank
Great, thank you so much. Video on. There we are. Congrats, guys, on a strong Q2. My question for you, Brett, great to see the NRR stabilize. I know in the past you talked about downsell pressures subsiding into the back half of this year, and I just wanted to understand what other indicators might you look at as inputs into your guidance and the macro caveat that you've now removed this quarter. Does that still hold that, as we proceed from here, we feel good that NRR should effectively have bottomed? Thank you.
Todd McKinnon — CEO and Co-Founder, Okta
Hey, hey, Brad, before Brett jumps in, maybe I could just make a high-level comment. I think on the quarter, we're very pleased with the execution. I think it was solid execution. Looking forward, I think we're very excited about the strategy. Our strategy is to be the one-stop shop for identity. That's what customers want. They want fewer identity vendors. I work with one of the largest high-tech companies in the world, and they're replacing 50 identity vendors with Okta. Customers want to consolidate on a single identity partner, and they want to do it in a way that covers all of these different use cases. You'll hear different variants of this across the call. I think that's really what makes us so excited about the future and that our strategy is really working along with solid execution.
Brett Tighe — CFO, Okta
Brad, you broke up for a second in the middle of your question. You were asking around NRR and how it's trending, but you also said something around macro. Can you just clarify what you're saying?
Brad Zelnick — Analyst, Deutsche Bank
I may be incorrectly, but I think of those concepts going hand in hand. In the past, you've talked about downsell pressure alleviating come the back half of this year. We now see NRR having stabilized. Wanted to appreciate what other inputs you look to when you remove the macro caveat in your guidance going forward, and if we can have confidence that, in fact, you know, 106% is a level from which we can now re-expand. Thank you.
Brett Tighe — CFO, Okta
Absolutely. I've said for a couple of quarters now, actually a few quarters now, around the NRR effects of the macro being, you know, impacting that NRR. I'm saying the last few years, kind of the COVID cohorts, I would say not having as much of an effect after the first half of FY2026, and we still believe that to be the case. In terms of what we expect it to be for the balance of the fiscal year, we still think similar to what I said before, which was plus or minus a little bit from here, just depending on the mix of business, whether there's more new business or more upsell in the quarter. That's how we think about the NRR side.
In terms of macro effect on the rest of the guidance in the earnings remarks today, we've removed that because we clearly didn't see anything that was that differentiating in Q2. It seemed a lot more of the same from what we've seen over the last several quarters, and that's what we think it's going to be for the balance of the fiscal year.
Brad Zelnick — Analyst, Deutsche Bank
Thanks for taking my question, and congrats again.
Brett Tighe — CFO, Okta
No problem.
Brad Zelnick — Analyst, Deutsche Bank
Thanks, Brett.
Dave Gennarelli — SVP, Investor Relations, Okta
Next up is Matt Hedberg.
Great, thanks for taking my question, guys. I'll offer my congrats as well. Really solid execution, including the new product success. It's great to see. Todd, I had a question for you. When we look at the AI native cohort, are there any interesting adoption trends that you're seeing there in terms of what products they're taking, how they're using the platform, any consolidation trends? Is there any thought of some of the early AI natives from a DIY perspective? Just sort of curious on how those folks are approaching your platform.
Todd McKinnon — CEO and Co-Founder, Okta
It doesn't seem dramatically different than other cohorts in terms of adopting workforce solutions or Auth0. It looks pretty much the same, except they're growing very fast. I guess that's a difference, especially on the revenue metrics. It's growing very fast, and we think we're well positioned in that cohort. I think it's similar to every company. They're trying to figure out how they can be secure internally as they're growing very fast. I know from a workforce identity and identity security perspective for their internal operations, they're sitting on a lot of very valuable data, and definitely hackers want to attack them, like they want to attack every important company. They're really investing in identity security, and Okta helps them with that.
In terms of building their products and how they're connecting with their customers, they want to obviously connect on the web and mobile channels, but also they want to, they're all building AI agents themselves. That's one of the customers, every enterprise is being really, they have to make these choices about how many AI agents they buy, who they buy them from, and all of these AI native companies are working hard to fill that void along with Salesforce and Workday and more of the established companies. What it means for customers that are on the enterprises that are trying to adopt these great new coding tools or these great new business automation processes or even the agent building platforms is they have to figure it all out in a way that has really high security implications.
Everyone's heard this story of how big companies are doing simple AI chatbots, and then all of a sudden confidential information is leaked because the AI chatbot leaked the wrong thing. Big security implications, but at the same time they see big business value, and they're not really sure which platform to invest in. One of the things we're really focused on is trying to provide the right security for this agentic future, but also at the same time give them choice and flexibility as every new AI company is trying to give them an agent platform and a capability to build these things. As established vendors, it's pretty complex for these companies to figure out. We're trying to help them through it all, but it's an interesting time out there. I think it's a good time to be an identity company, and we're really excited about where this is all going.
Great to hear. Thanks.
Thanks.
Dave Gennarelli — SVP, Investor Relations, Okta
We'll go to Eric Kelleher.
Thanks, Dave, and congrats, Todd and Brett. If I could ask one for Todd and one for Brett, I mean, Todd, you've always been very clear that identity should be its own independent standalone platform. Can you just elaborate a little bit more on the comments of why you think that's critical for identity to be independent? Brett, if I could just on a modeling question, great, very exciting deal with the U.S. Department of Defense, the expansion deal. How should we think about that as it relates to RPO and CRPO and think about it in the model going forward?
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, I think on the category of identity, back when, a long time ago when I started Okta, it was like, would it be important enough? You know, could you build a big company around identity? At the time it was like identity was a part of another platform and people didn't think it could be a big company. Over, you know, a decade and a half since, it's very clear it's super important now. Now this new question is like, should it be its own independent platform or should it be part of another platform? As you mentioned, we have a very strong worldview that it should be independent, neutral, and it's really two reasons. The first reason is that it's too fragmented and there's too many niche players and there's too many legacy platforms and it's too complicated for big companies. In that sense, it has to consolidate.
It's too complicated. It's holding companies back. I mentioned this, one of the biggest technology companies in the world, we're helping upgrade all of their disparate identity platforms from SailPoint to CyberArk to HashiCorp to Ping to ForgeRock. They're consolidating them all in Okta. The reason they're doing this is because two reasons. It's cost. It's expensive and it's operationally challenging to keep all this stuff running. A lot of them are legacy platforms running in their own data centers or Amazon. The second reason is that it's preventing them from adopting the future. It's preventing them from rolling out more agentic workflows, et cetera. There's just the simple argument of cost and fragmentation. Now the second answer is like, which, and that could be true of any category. People want, in theory, fewer vendors and less operational cost for many categories: collaboration applications, security tools, etc.
Why should your point of consolidation be identity? Our answer is simple. It's because you can, you know, like I mentioned before, you can save a lot of money, a lot of time, a lot of energy. Secondly, it's the one thing you can consolidate on and still preserve choice across everything else. If you are adopting Microsoft identity, you are making a decision that your first choice and your preferred vendor for everything else is going to be Microsoft, which could work for some companies, but it's not going to work for most companies, especially large companies. If you, that's the independence argument, and that's why we think when companies are, and you see in the results, right, as 13% CRPO growth and the success we're having across the board, what we're seeing is that customers are showing this preference too. They want to consolidate.
They want to pick the right points of consolidation. In our case, we're having the most products, the most modern products, the breadth of capabilities, the reliability, the security, it's resonating with them.
Brett Tighe — CFO, Okta
Eric, to answer your question, fairly simple, like many other public sector deals, the RPO value and the current RPO value are going to be the same because it's a one-year deal. That's just how it works with a lot of the public sector.
Dave Gennarelli — SVP, Investor Relations, Okta
Okay, next up, we're going to go to Brian Essex.
Brian Essex — Analyst, JPMorgan
Great, thanks. Did you say Eric Kelleher is on as well?
Todd McKinnon — CEO and Co-Founder, Okta
Yes.
Dave Gennarelli — SVP, Investor Relations, Okta
Yeah. Yeah.
Brian Essex — Analyst, JPMorgan
All right, awesome. Maybe for.
Eric Kelleher — President and COO, Okta
Hi, good to see you, Brian.
Brian Essex — Analyst, JPMorgan
Yeah, good to see you too. When we met intra-quarter, you gave us some great context of the evolution of the Salesforce, both a hundred farmer model and the decision to specialize. Could you maybe bring us up to date in terms of where that sales, where each of those kind of specializations or specialized sales forces have evolved to? How does that drive confidence and ability to execute through the remainder of the year, both from a productivity as well as plans for hiring going forward?
Eric Kelleher — President and COO, Okta
Todd, great question. Thanks, Brian. We feel very confident in where we are today. We said last quarter when we got together that we were very much on track for the expected impact and productivity impact of all the changes we made to specialize on the Okta platform and the Auth0 platform. In Q2, our results were very strong as well. As you can see, it's a solid quarter, and they reflect increased productivity from a specialization standpoint. We remain optimistic and confident that this works. This isn't the first time we've specialized, and Brett talked about this in his opening comments. Our first real investment in specialization was for our public sector business, and you've heard us talk for many quarters now about strength in public sector and how that's been performing.
Eighteen months ago, we implemented a 100 farmer specialization in the SMB space for North America, and we've seen that deliver. That group has had a very effective first half of this year. The change management and the change costs associated with that have really played out, and we're really pleased with the productivity for that group and the organization. Our specialization for platforms, now our third major wave of specialization, we feel good about as well. We saw productivity gains in Q2, which were in line with where we're hoping to get. One of the metrics in our commentary, we generated an all-time high for pipe in Q2. That's partly attributed to the fact that we now have people specializing in our buyers, in our buyer personas.
We have people specializing in developer buyers and people specializing in IT and security buyers, and they're more effectively able to identify and qualify and prosecute leads and convert that into opportunity at the top of the funnel. We're very pleased with progress so far.
Brian Essex — Analyst, JPMorgan
All right, great Kelleher. Thank you so much.
Todd McKinnon — CEO and Co-Founder, Okta
Hey, Brad, I would just add one thing to what Eric just said, which is around what he was saying around the pipeline by source. We saw a nice growth in the quarter for pipe being created by AEs themselves, right? That really is attributed to the fact, like what Eric was just saying, they know the products better. If you allow them to specialize, they're going to know it better, and you're going to see numbers like that. That's really a nice sign for us as an organization because it really, it's one of those positive feedback points that we feel like things are working and headed in the right direction.
Brian Essex — Analyst, JPMorgan
Right. You've been focused on channel productivity as well. Has that also improved sequentially? Are you getting kind of momentum there?
Todd McKinnon — CEO and Co-Founder, Okta
Yes, absolutely. All 20 of the top 20 deals were touched by a partner. Also, from a pipe gen perspective, in terms of the source where it was coming from, the partners also had very nice growth in the quarter. You add all that up and you get record pipe gen and nice results like we just had.
Brian Essex — Analyst, JPMorgan
Good stuff. Congrats on the results. Thank you.
Dave Gennarelli — SVP, Investor Relations, Okta
Thanks, Brian. Next up is Josh Tilton.
Thank you, guys. Since I have Todd, I'm going to try and ask a nerdy tech question, although I preface it with I'm not 100% sure I understand what I'm asking. I think investors are kind of trying to understand which piece of the identity puzzle is going to benefit the most from AI. It sounds like you're buying, you're making an acquisition because there's some PAM pieces that are going to help you secure AI. If you dig into cross-app access, it also looks like it's using tokens and protocols and stuff you use for SSO and MFA. What is your view of which piece of this puzzle is really best positioned to benefit from an AI future? More broadly, what is incremental to cross-app access that you're getting from this acquisition you just announced?
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, I imagine, Josh, imagine how confused the buyers are in the market, like when they're trying to buy all this stuff. That's why our, and it's true, right? They're all very excited about, as we all are, the technologists and business people and people that just observe the world of what it could be possible with AI. They're just inundated with this complexity of how you get the best products and what the right platform is, and should you use Microsoft or should you use Google and should you use OpenAI? Like, what's the right thing to build? What's the right thing to buy? Our perspective is quite simple. It's that you have many problems today in your enterprise that are clear and present, and you can get a lot of security benefit by addressing these problems. These are the problems that we talk about a lot.
These are service accounts. These are machine identities. These are putting the right vaulting and governance workflows around all of these things. These are like the bread and butter of our identity platform across governance and privileged access and identity threat protection with Okta AI and the bread and butter of what we're talking about. These are clear and present things today. In addition to that, every company is going to make a huge investment in AI agents. What that's going to do first and foremost is it's going to make that problem I just described five times worse. Every agent wants to connect to 10 service accounts and is going to have its own tokens. We are in this environment where people are very receptive to what we're saying because it's fundamentally understood that this is a problem they have today, and it's getting worse.
I've had the last week, I've had conversations with CIOs of massive companies that everyone's heard of that say, there's no way we're going to be able to do this AI stuff if we don't get our identity foundation in order. That's clear and present. Now, in addition to that, I think there are investments we are making and innovation we're building that is going to even take it a step further, which is actually modeling the identity of an agent and giving more power to the customer to manage and secure these things because it's a native thing inside of Okta, which is also very exciting. That's very early because the amount of companies that are actually playing with AI agents is 100%. The ones that are actually putting them in production at scale is very small.
The timing is right here to solve this problem they all have today, the service accounts and token vaulting, et cetera, and then over time be the system of record for the AI agents themselves and give them choice and flexibility on if they want to use Salesforce or what they want to use Salesforce for, agents or ServiceNow agents or build their own agents and give them the fundamentals across all of that, which are security control and governance. Now, specific to your questions about Axiom, we're very excited about Axiom, but it's a little different. Axiom is, first of all, these folks on this team are super talented, and they are deep, deep privileged access management experts. One thing we're doing at Okta right now is we're on this mission to recruit across the entire company the best identity people in the world. Axiom falls in that bucket.
We get some of the best PAM experts in the world to join our privileged access management team, which is great. They also have a technical capability around securing infrastructure connections to databases that is world-class and gives us an enhanced benefit there. Honestly, it's really about the team and having this great technology for sure, but it's these expert privileged access engineers and product people to join our PAM team, which is, you know, we're trying to build the world's best team across the board, and it's a great addition too. I know this is a long answer. I'll try to say one more thing. Cross-app access is an industry-wide effort. It's actually three years old.
We've been working on this for three years, and it came out of Mike from Atlassian and Eric from Zoom and many other SaaS leaders wanted a way to standardize how, when they sold their products into companies, how those products were then hooked up to everything else in the company. Zoom wants to connect to your calendar, wants to connect to a note-taking. Atlassian wants to connect to all of your other software development tools. We invented this protocol and this concept and have published this open standard to solve a very important problem. How do you give your IT teams and your security teams visibility into all these application connections that happen between apps? That's a problem that's existed for a long time, and guess what's happening with AI? AI is supercharging this problem. Now, every agent, guess what it wants to do?
It wants to connect to 15 applications, and guess what you need? You need an open protocol for all of those applications that are letting those agents connect, publish, and share that information with the security team, so they can have visibility and control and audit that. That is why cross-app access is so important. It lets the ecosystem form around this system of how agents can share their connection information in an open and transparent way.
Actually, very helpful. I appreciate the long response. Thank you.
Dave Gennarelli — SVP, Investor Relations, Okta
Hey, let's go to Greg Moskowitz.
Gregg Moskowitz — Analyst, Mizuho
All right, terrific. Thank you, guys. Congratulations on a really good quarter. Brett, I'm wondering if there was any change in upsell or cross-sell rates among SMB customers or enterprise customers, and then realized that it's still early days, but what are you seeing so far regarding demand for your new suites? Thank you.
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, I'll let Eric talk about the suite side of the house, but from an overall upsell/cross-sell perspective, it was fairly similar to what we've seen in the last few quarters. You've heard us talk about for several quarters now the pipeline being more weighted toward upsell and cross-sell as opposed to new business. That continues to be the case. You see these bigger customers getting bigger as a result of that, right? That's why you see the greater than $100K having a nice add. You see the greater than $1 million, almost 500. We're at 495, up 15% year-over-year. That upsell/cross-sell continues to work, especially as you've heard Todd talk about, we keep adding all these new products into the mix, depending on which side of the business you're on, and ultimately helping us across the board there.
Eric Kelleher — President and COO, Okta
Yeah, on the suites part of that question, and thanks, Greg, for the question. We're pleased with what we're seeing with suites. We introduced suites for the Okta platform a few months ago, and it was in response to demand from customers who have bought into Okta's vision of the secure identity fabric. These are companies that, as Todd mentioned earlier, are looking for an identity partner that they can work with to help them solve all of their identity use cases, whether that's threat protection or security posture management, access management, governance, privileged access. That is the secure identity fabric vision that Okta is bringing to customers. What we found is our customers want easier ways to engage with us to get the secure identity fabric for themselves. The suites are really designed to do that.
They bundle pieces of the Okta portfolio to help customers address the use cases that are most compelling for them right now, but also give them room for where they're going to grow on their roadmap as they go forward. We're pleased with what we've seen. We're a few months in, so we're not breaking out numbers for suites for that packaging specifically, but we're seeing the impact we expected.
Todd McKinnon — CEO and Co-Founder, Okta
I think it's a, I'll just add real quick, just to give the group some really detailed color about what's going on. We have a sales team now that's focused totally on selling the Okta products, and the opportunity there is big simply because we have to make sure the customer understands the breadth of what we have. It's much broader than it was just a couple of years ago. Just a couple of days ago, I was on a call with a big federal agency, and it's been a customer of Okta forever, but they really think of Okta as multi-factor authentication and just login. They had no idea we have a governance solution, we have identity threat protection, we have all these other products that can help them be secure across the board and consolidate vendors, etc.
Their eyes just lit up, and the size of that deal potential just, you know, probably tripled or more. It's really about getting this message out there that this is possible. We have the best solution, the most comprehensive solution, the most modern solution. There is a better way, and that's why these things like suites or specialization dovetail right into that strategy that's working.
Eric Kelleher — President and COO, Okta
It's also a tie back to the conversation we've been having for a few quarters now around specialization. One of the reasons specialization to us was the winning strategy is we've seen so much innovation on the product side of the business for both the Okta platform and the Auth0 platform. To Todd's point, our sales reps were having difficulty really articulating and evangelizing the full benefits of the entire portfolio, the entire secure identity fabric to our customers. Specializing gives them more opportunity to get deeper. Whether it's Identity Threat Protection with Okta AI or Identity Security Posture Management, Okta Identity Governance, Okta Privileged Access, fine-grained authorization, highly regulated identity, all the products that have been coming out for both of these platforms and now Auth0 for agentic AI.
These are specialists that are better able to get into the specifics of these technologies for the specific use cases our customers are talking to us. That's bringing us help. The suites are helping with that from a design and purchase standpoint.
Gregg Moskowitz — Analyst, Mizuho
Great. Thank you, guys.
Dave Gennarelli — SVP, Investor Relations, Okta
Next up, we have John DiFucci.
John DiFucci — Analyst, Guggenheim
Thanks, Dave, and thanks, everybody. There's a lot of good information coming out tonight, especially things like cross-app access, and it just demonstrates your leadership position in the whole identity space, especially when you're able to contribute that to the whole ecosystem. My question is for Brett, and it's a little more tactical, I think, because otherwise I know I'm going to get, we're all going to get this question all day tomorrow. Brett, you said that the sort of, I forget your exact words, but excess conservatism around the U.S. Fed, which was strong, and macro were no longer implied in your guide. I just want to make sure I understand what that means. Does it mean that we potentially won't see the same amount of beats going forward? You sort of alluded to that in the past.
Along the same lines, how long do you think the go-to-market changes that happened in fiscal 1Q will present a potential headwind to your business momentum? That's still in the guide, right?
Brett Tighe — CFO, Okta
Absolutely. Yes, we did remove that layer of prudence for macro going forward. The primary reason is it didn't come to fruition like we thought it was going to the last time we spoke, probably about 90 days ago, John. To answer your second part of your question, yes, the go-to-market specialization is still baked in there. Although we're seeing positive signs and positive feedback from the field, we're still a couple of quarters in. As you remember, when we first started talking to all of you about this, it takes time for these things to come to fruition and really hit their full stride. We talked about U.S. public sector. We've talked about U.S. SMB. It's taken a little, it takes some time. You have to be methodical in your approach.
Yes, to your point, John, we are trying to shoot for closer to the pin than we have historically. We started trying to do that about three, four quarters ago. I will admit that I was probably a bit a little wrong on the macro side, and we delivered a really nice beat this quarter. If you look 90 days ago, the world was a little different. I will take that charge. Ultimately, we are trying to get a little closer to the pin than we have historically.
John DiFucci — Analyst, Guggenheim
That's really helpful. Thank you, Brett.
Dave Gennarelli — SVP, Investor Relations, Okta
Next up, we have Shreenath Atkari.
Great, thanks for taking my question. Congrats on the great quarter. Just on the cross-app access securing AI agent workflows, I know it's still early days to settle on any kind of pricing or monetization model to capitalize on this opportunity. If you can help expand on how you are viewing the monetization path for this, is it going to be embedded in the existing tiers? You highlighted the initial traction from your good, better, best suite or something you see evolving to standalone. Just curious, what are the earlier signs or feedback from like Zoom or AWS or all these customers trying to standard out in terms of downstream enterprise security spending and plans on this one? Thanks.
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, I would think of it this way. It's a really good question. This is how I, when we've talked about it and modeled it out, this is how we think about it. First of all, the cross-app access is an open industry standard. If we were able to talk last year around Octane, we talked about this, another new standard we've put out there and are working with all the identity companies on and a bunch of technology companies, it's called IPSI. These are two open standards we're pushing out there with the ecosystem. The effect of both of these things for Okta is going to be basically identity providers are going to be more valuable tools to their customers. They're going to have better control, better fine-grained control into resources, better policies, more value. The whole identity market gets more valuable and bigger.
That's the way to think about these open standards. Now specifically on how Okta is going to monetize these two layers I've talked about. I talked about the clear and present issue today, which is service accounts, non-human identities. We monetize that through Okta Privilege Access and Identity Security Posture Management. Identity Security Posture Management detects the non-human identities and the risks in a proactive way that's comprehensive across all platforms. Okta Privilege Access and Okta Identity Governance can vault the credentials and rotate the credentials and have the right governance workflows. Axiom, of course, is going to add capability to Okta Privilege Access to have better support and more extensive support for database connections. That's the monetization of the clear and present thing today. That's affecting the results today. We talked about new products contribute healthily to the bookings, and that's true today.
Now, on top of that, in a world of AI agents, our belief is strong that you are going to manage AI agents with your identity system. That's how we're going to monetize that. When you put a bunch of AI agents inside Okta, that's going to be more valuable from an identity security perspective, and we're going to be able to have, we're going to be able to charge for that with our customers. They're kind of separate things in two layers, but that's how we see the world unfolding. It all is kind of predicated on a vibrant, healthy, growing AI agent ecosystem, which I think is, there's a lot of different thoughts on how that exactly plays out, but who's the vendor going to be? Who's the platform? SaaS vendors versus, you know, custom development, whatever.
I think whatever happens, you're going to need to manage this stuff. That's why we're inserting ourselves on that dimension, and that's why we're very excited about where this is all going.
Super helpful, Todd. Thanks a lot.
Dave Gennarelli — SVP, Investor Relations, Okta
Next, let's go to Adam Borg.
Adam Borg — Analyst, Stifel
Awesome. Thanks for taking the question. Maybe for Eric on the go-to-market changes, you did talk about this a few minutes ago in your answer to Brian, but where are we today with sales productivity relative to historical levels? What do you guys need to see in order to put more gas in the sales new hiring process, either in the back half of the year or ultimately as we head into fiscal 2027? Thanks.
Eric Kelleher — President and COO, Okta
Yeah, you bet. We talked about at the end of last year, based upon our first two rounds of specialization in public sector and Hunter Farmer, I think it was in our Q4 results, we talked about how we would hit a multi-year high for sales productivity. We were leaning into the specialization work and reorienting our sales capacity and our supporting teams in pre-sales and post-sales and also our marketing generation teams. As I mentioned earlier, we generated a record amount of pipeline for us in Q2. Specialization is definitely helping at the top of the funnel. We're pleased with that. I think from a sales productivity standpoint, we saw gains in Q2 as well. We are very much on track with what we expected out of this model. Our guidance for the second half reflects that as well. We're confident in the strategy of specializing on our buyers and our platforms.
Adam Borg — Analyst, Stifel
Awesome. Thanks again.
Todd McKinnon — CEO and Co-Founder, Okta
One thing I'll add there is that our year is, like a lot of enterprise companies, back-end loaded. In terms of that confidence and putting the investment level, cranking the investment in terms of go-to-market and growth acceleration, et cetera, et cetera, a strong Q3, a strong Q4 is worth more than a strong Q1 and a strong Q2. That's just the nature of the numbers and how they play out. As we go through the rest of the year, we're looking to build on this strength and get super confident exiting this year and going into next year.
Adam Borg — Analyst, Stifel
Thanks again.
Todd McKinnon — CEO and Co-Founder, Okta
Here's the question, Adam.
Dave Gennarelli — SVP, Investor Relations, Okta
Sorry, next up.
Brian Essex — Analyst, JPMorgan
Thanks, Dave. Thanks everyone for the time here. I just wanted to cycle back on some of the different dimensions here for public sector. I know that you guys spoke about, hey, there was some restructuring standpoint for some of these civilian contracts. First, is it fair to assume then the Q2 played out better than what you initially anticipated? Secondly, with the removal of some of that conservatism we had previously introduced to the guide, are we now just operating in a more normalized buying environment, or are you guys just executing better than planned? Any detail on the public sector front from that standpoint would be beneficial. Thank you.
Eric Kelleher — President and COO, Okta
I was just going to say like three months ago, there was a lot of uncertainty in the public sector. You had massive government layoffs, and you had a lot of people talking about a lot of dramatic changes. I think in the quarter, what we saw is that there were some contracts that were paused or restructured, but what we also saw is that the overwhelming balance of the business was super positive. The impact on some of those government spending efforts, you know, did not materialize in a negative way. I think that is just a different, we have gotten through some of that uncertainty, and it has settled down a little bit. What we are seeing is that the technology we provide is pretty critical and pretty strategic. By the way, the government, particularly the federal government, has a huge need for it. They have legacy systems.
Identity in the federal government often means some massive outsourced operation run by a big contractor. This concept of a modern purpose-built identity security platform is just amazing for them. I think the fundamentals are winning out there in terms of, in some of the short-term uncertainty, I think was a little, we, you know, we overestimated that. Yeah. You see that in some of the structures of the deal, Mike. I talked earlier about, and Todd just said, some of the contract restructuring. What that would look like is, in some cases, oh, we do not have as many users as we used to, because I think we all know that there have been a few layoffs in the government. At the same time, there is an upsell that goes along with it for new products that they are not previously using. We end up in a good place.
It just, maybe we do not get as much of an upsell because ultimately there are less users on the other side because there are less employees in the federal government now. That is what we mean by contract restructuring. It is actually not a bad thing. It is actually them being more ingrained with Okta. We look at that as a positive, as usually more products are on, the higher the renewal rates and the higher upsell rates we get over time.
Brian Essex — Analyst, JPMorgan
Thank you, guys.
Dave Gennarelli — SVP, Investor Relations, Okta
Hey, let's go to Andy Nowinski.
Andy Nowinski — Analyst, Wells Fargo
Okay, great. Thank you so much for taking the question and a nice quarter as well. You know, Todd, I know Auth0 has been doing exceptionally well, and you have a great pipeline on Auth0 given all the new AI products coming out. I wanted to ask a question maybe about your workforce ACV. We continue to hear how customers want to consolidate identity vendors and how they want workforce products like IGA and PAM and SSO all on a single platform, which you guys have. My question is, why hasn't that sort of thirst for a complete platform had more of a positive impact on your workforce ACV growth, which has been decelerating over the last 12 months? Just wondering how you're thinking about sort of your bread and butter workforce ACV going forward.
Eric Kelleher — President and COO, Okta
I think we're going to do better there. I think the market is big. I think the opportunity is substantial, and I think we're doing a better job of explaining to customers what we have and getting the message out and getting real proof points with customers live at scale. By the way, that's one of the real strengths of our product suite, particularly in the identity governance space. Our average customer is live with multiple resources in 30 days. That's unheard of for a SailPoint implementation. It's legacy software. It's pretty heavyweight to deploy. It's hard to get successful with. As those stories get out there of proof points of customers getting live with multiple applications and bringing stuff into the management, bringing resources into the management framework, it starts to resonate. I think that's one of the reasons why we specialize in Salesforce to be more effective there.
It's one of the reasons why we're investing heavily in the R&D for these new products to make sure they're fully featured, particularly up market. That's why we're excited about the Axiom Security acquisition and many other efforts. Like I said before, we're building the best team in identity. If anyone is world-class and wants to work on identity, they should come work for us.
Andy Nowinski — Analyst, Wells Fargo
Another. Go ahead, Eric.
Eric Kelleher — President and COO, Okta
Another thing I would add to that is coming back to the overall vision of the secure identity fabric we've talked about and how to consolidate use cases on a platform. Todd talked about one account he's working with, one of the world's largest technology companies, and consolidating 50 different identity systems onto Okta. From the CIOs and CISOs that I'm talking to at the accounts that I work with, what I'm really hearing is that having such a disparate framework isn't just expensive. It also adds complexity, which adds fragility, which creates security holes. Part of the value in our customer's mind of consolidating use cases with the trusted identity provider is they can have confidence in how they administer the product, how they administer the platform, and knowing that they can have secure identity across all of these use cases.
That's an added value and something that we've seen more and more from our customers as we've seen the wave in industry ride from cloud enablement and how identity is necessary to help people move to the cloud into this phase of security and how we help companies secure identity. Now as we look forward to agentic AI, again, it's going to be even more important for our customers to make sure that they've got a partner that they can work with.
Andy Nowinski — Analyst, Wells Fargo
Thank you.
Dave Gennarelli — SVP, Investor Relations, Okta
Okay, next up, we'll go to Jonathan Rookaver.
Yeah, thanks, David. I think, Todd, this is probably for you. I'm curious if you would agree with the view that has been articulated by other industry participants that PAM capabilities can be delivered to all employees at a cost comparable to IAM. I think when you look at the growing need for cloud-native just-in-time ephemeral credentials to support agentic and machine identities, maybe help us understand, does Axiom potentially fit into that thesis that yes, PAM can be deployed more broadly and cost-effectively both across human and non-human identities? What's your strategy along those lines?
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, every identity type, employees, partners, customers, every resource, so database, cloud infrastructure, servers, Kubernetes containers, every resource in machines in the environment, and then every use case. Privileged access workflows, identity governance, attestation reporting, like the core access management workflows around creating accounts and removing accounts. That's what we're building. It's comprehensive, it's complete. I do agree. I do think that you want every employee to have a really locked-down secure identity experience. That's why we have the world's leading authenticator, phishing-resistant authenticator called FastPass, which is employed by, you know, quite a significant number of our customers and has been over the last five years. It's why it's so important to have these different pieces together. I think that's very important. One of the things that's also very important is I talk to customers.
I was talking with a Chief Security Officer of a big beverage company just two weeks ago, and their whole thing was, you know, they want to make sure that their identity provider works with all of their security tools. It's in divisions and companies they bought. They have SentinelOne, they have CrowdStrike, they have legacy technology for endpoint, they have Wiz, they have Zscaler, they have Palo Alto Networks. His plea to me was, he said, "Todd, I need to consolidate something. I can't consolidate all my security stuff. It's too disparate. I can consolidate identity, but you have to make sure it connects to all this stuff. Make sure it connects to Zscaler, make sure it connects to Palo Alto Networks, make sure it connects to Microsoft's network security." I said, "That's what we do. We connect you to everything." I think that's the winning formula.
Helpful. Thank you.
Dave Gennarelli — SVP, Investor Relations, Okta
Next up is Rob Owens. Rob.
Rob Owens — Analyst, Piper Sandler
Thanks, Dave, and good afternoon, everybody. Actually, it was exactly what I was going to ask. I'll shift to a more Brett-focused RPO, CRPO question, I guess. Brett, if I look at the last couple of years, just in the RPO acceleration that you guys have seen, number one. Number two, you've talked about constant duration as well. Over that same time, you know, CRPO has been trending down. It's finding a bottom here. At what point do we see a better marriage, I guess, between prior RPO growth and forward CRPO growth? Maybe you can weave into that just what you're seeing from a retention rate perspective in terms of GRR. Thanks.
Brett Tighe — CFO, Okta
You're talking about last year we saw RPO outpace CRPO, right? Is that what you're talking about?
Rob Owens — Analyst, Piper Sandler
Yeah, it's been for a couple of years. You've seen that acceleration in RPO, and if it's constant duration, it feels like that should come through on the CRPO. You know, that's not in your guide. I think a lot of us had looked for maybe some of those headwinds to abate here in the second half that have been holding down NRR, potentially providing a lift to CRPO, especially as you're talking about your success with cross-selling and upselling.
Brett Tighe — CFO, Okta
Yeah, absolutely. When I've said the constant duration, I meant the duration of the amount to incur in RPO, you know, because you don't have a 12-month value incur in RPO at all times. That's just how it works. In terms of duration of contracts that we're signing, if you remember in FY2025, we went back to incenting the field on contract duration as part of their compensation plan. The prior couple of years, we hadn't done that. You saw RPO go up in a big way because contract duration went up in a big way, right? If you look at this year, contract duration is still in their comp plan, right? It's still a component that we pay them on, and you're seeing more of a normalization.
We see contract duration actually in the first half slightly ticking up, but it's not going to have the effect like it did last year because it's coming off of a different base, if you will, Rob. Hopefully that answers your question around current RPO and total RPO and the dynamics in between those. It's a simple sales comp model. That's all it really is.
Rob Owens — Analyst, Piper Sandler
Any broader comments on GRR?
Brett Tighe — CFO, Okta
Yeah, we tend to continue to have that be a strong number for us. It's always been, it's been healthy. It's been one of those things, it's a hallmark of this company that for years it's been, it's been healthy and it continues to be so, at least through the first half of FY2026. We're looking forward to some solid results as we finish out the fiscal year.
Rob Owens — Analyst, Piper Sandler
All right, thank you.
Brett Tighe — CFO, Okta
No problem.
Todd McKinnon — CEO and Co-Founder, Okta
Thanks, Rob.
Dave Gennarelli — SVP, Investor Relations, Okta
We're coming up on the hour, but let's try to get questions in from Anik and Gabriella. Anik Bauman, go ahead.
Hey guys, I'm on for Joe Gallo here. Brett, any verticals beyond federal, because we've talked about that a lot, or geos of strength or weakness to call out in 2Q? Todd, can you just talk us through the key to unlocking the international market? Seems like an incredible opportunity relative to what you've built in the U.S. today.
Todd McKinnon — CEO and Co-Founder, Okta
Yeah, I would say larger customers. Enterprise in general had a really nice quarter. We're feeling solid about that. That's been actually pretty consistent for a while now. We've talked about bigger customers getting bigger, and that's why we see enterprise doing well. I'll let Eric comment a little bit on that because I know it's near and dear to his heart on that topic.
Eric Kelleher — President and COO, Okta
Yeah, we continue to see strength in upmarket in large customers. I would agree with that focus. We talked about updated stats on our customers above $100,000 and customers above $1 million in ACV spend continue to be growing at high rates. That reflects what we see as the industry trend of the importance of people investing in security. We look now at cyber events worldwide, and over 80% of them start with some form of compromised identity. Our customers, CIOs and CISOs, are coming to us to help them build the partnership they need across our expanded product portfolio. We continue to see great success there.
Todd McKinnon — CEO and Co-Founder, Okta
On the international question, we have a big opportunity in international. Our strategy there is really to invest in our top 10 countries and make sure we fully do everything we need to make those successful and get those to grow to their potential versus spreading ourselves too thinly. We are going to continue to really prioritize our top 10 countries ruthlessly and invest to make those successful because we do think the opportunity is quite substantial.
Makes sense. Thanks, guys.
Dave Gennarelli — SVP, Investor Relations, Okta
Okay, last question from Gabriella Borges.
Hey, thank you for Todd and for Eric. I want to explore this idea of security and identity in the convergence effort. Give us a little bit of an update on where you're seeing progress with the go-to-market, specifically with security bias in the enterprise. The reason I'm asking now is, Todd, you mentioned not expecting to see a change in the competitive landscape because of Palo Alto. Palo Alto is really good at driving some of these strategic conversations at the top of the house with CISOs. Maybe just an update on how you're progressing. Please push back against that.
Todd McKinnon — CEO and Co-Founder, Okta
I think it's a question of the capabilities of the products you're offering. I think where a security vendor is going to struggle is the breadth of identity types, first of all, and the breadth of use cases they can support across those identity types. What we still see, it's very influenced by security, but it's still more than a security conversation. A lot of the identity management products, particularly governance, operationally help the companies in terms of being more efficient and passing compliance audits, etc.
I was talking to the Chief Information Officer of a global auto company just a couple of days ago, and she was talking about, I was talking to her about cyber, and she goes, yeah, of course, identity is a cyber thing, but it's really about, we want visibility into what people are using so we know how much we spend on all these things. We want to make sure we automate these workflows that are slowing people down. Although the security voice is very important, I think it's still not purely a security sell, which I think is a little bit different for some of these security companies. I think ultimately, Gabriella, it kind of comes down to having the products, and you have to have a broad range of identity types and use cases and resources to really serve this concept that these customers want.
Thank you for the thought.
Dave Gennarelli — SVP, Investor Relations, Okta
Okay, apologies for not getting to all the questions today. It is the top of the hour, but before you go, I just want to let you know that in addition to hosting onsite and virtual bus tours this quarter, we'll be attending the City TMT Conference on September 3 in New York, the Goldman Sachs Conference on September 9 in San Francisco, the Piper Conference in Nashville on September 10, and the JPMorgan Software Conference on October 8 in Napa. We hope to see you at one of those events. Thank you.
Eric Kelleher — President and COO, Okta
Thanks, everyone.
Dave Gennarelli — SVP, Investor Relations, Okta
Bye, everyone.