Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

Welcome, everyone. I am Melissa Franchi. I'm the cybersecurity analyst here at Morgan Stanley. I'm very happy today to have with us Philippe Courtot, CEO of Qualys; and Melissa Fisher, CFO of Qualys. Thank you both for being here.

Thank you.

Let me just start with a high-level question for you, Philippe. So over the past few years or even more than that, we've seen an evolution of your product portfolio. Historically, your core competency is around vulnerability management. That still is the vast majority of your revenues today, but you really come to market with a much broader product portfolio over the past few years, whether that's patch management or EDR capabilities, IT asset inventory. So can you just talk about how your initial customer conversations have changed? And to what extent is it starting with something beyond VM and into adjacent markets?

So first of all, it was our views since the very early days that if we were taking a cloud-based architecture, we could essentially consolidate a lot of the different point solutions which were in a way of making securities very complex. So that was the overall vision. We started with vulnerability management. Now it took far longer than we thought. And there was a huge undertaking because we had to expand the platform. So as we were expanding, working toward that big goal, we were, of course, adding additional solutions. So -- and very logically. So vulnerability management, we could identify. Of course, we moved this on your environment. But then we moved into web applications scanning, which is identifying vulnerabilities on the web applications and, et cetera. And then we, of course, naturally we also realized that we could also expand that to policy compliance because essentially, they were all the same data. Instead of having the view of the security, we could also give the view of the compliance. So that's the way we expanded the platform. And we have now significantly expanded the platform which integrating a lot of open-sourced engine. We have about 140 open-sourced engines. What we have done very uniquely is essentially combine 3 major technology, which allows us to capture all the data that we need from a security compliance and even now IT point of view. So we are unifying IT, security and compliance into a cloud platform. So these 3 technologies are: the scanning technology that we have mastered in the past, which, of course, allows us to scan every IP on the planet, every website on the planet. The problem with scanning is that unless you use authenticate scan, which we call the credential per scanning windows, it's not something very real-time and it's pretty heavy. So we essentially designed that agent technology. We have now 31 million agent deployed, which allows us to wherever we can put an agent, a very small agent, 3 megabytes. Now we can capture every changes that occur on the devices where we can put that agent. And we have finally added very recently what is called the passive scanning or the network analysis, where now we can also identify everything that comes in and out of the device, analyzing the traffic and we bring all of that into one single back end. Well, now we have absolutely rearchitected that back-end. We're, in fact, a very big DevOp shop, where we have 140 open-sourced engine, where we index 3 trillion data points on our ElasticSearch clusters where we move 5 billion messages down our Kafka [ desk ], where we planted 1 million rights per second on Cassandra and on and on and on. And that essentially allows us now to consolidate significantly to, first of all, make the vulnerability management application, web data application should have been since the first -- since the beginning, which was -- that's why we call it vulnerability management, detection and response, which is essentially VMDR, which is essentially making sure that anything that connects your network, instantly, we can capture it, tell you what it is. And then from there, you will have to make the decision, what do you want to do with that device, which -- whether it's an Apple Watch or whether it's a laptop that connects. Should I manage that? Which is, in that case, put an agent on it or should I quarantine the device? Should I [ provide ] the device to connect to the network? Then from there, we'll allow you to do automatically, and I repeat automatically, your global IT asset inventory. All of the matters. So in other words, telling you the kind of laptop, the servers, everything that you had on your network. And then from there, you can create the assets group, which allows you to then look for vulnerabilities. And we do that, of course, in real-time now with the agent capabilities. And then from there, we are now -- and this is across the entire spectrum of your network, which now has become very complex because it's on-prem systems. It's endpoints. It's cloud. It's containers. It's web applications. It's mobile devices, and it's OT and IoT devices. So that one single application cuts across all these different environments. And from there, we have now significantly expanded our prioritization engine. So now we can -- after having detected the variabilities in real-time or semi real-time, now we can also help you prioritize. And finally, moving to the response, which is essentially touching or it could also be to quarantine the devices as well on taking some action. And we are further expanding now that -- the capabilities of our platform to move into fundamentally even more response, so our agent will have very soon the capabilities to kill processes. So you can do remote or make an intervention if needed. And then in addition to that, of course, we are moving now into providing the next generation of SIMs of incidence response system, which will also will have the -- all capabilities, all that integrated into one single solution, which is all cloud-based, that you get a better on-premise, that you could have at Google, that you could have on your own data centers, it's up to you. And essentially, this is what Qualys over time has built. And the secret sauce is the decision we made in 2007 to rearchitect everything and to eliminate some of these components, which were essentially costing us a lot, like we have eliminated 70% of our VMware dependency. We have now reduced the Oracle database. Nothing wrong with Oracle, but except it doesn't scale and were replaced by ElasticSearch and on and on. And then essentially -- and then the second thing is that in 2012, we decided that to invest in India, where today, we have 800 people in India. Engineering is actually where we attract the top talent. And in fact, at the end of May and June, I'm going to go to Pune to inaugurate the new campus, where we could add up to 2,500 people. So we're doubling down. So I call it the platform stupid. This is what we have done, building that platform, which was not a walk in the park. And now, VMDR essentially allows us to essentially bring vulnerability management at the level which should have been or it should be. And then, of course, as the kind of a foundation as well for bringing data into, of course, our next-generation of incidence response system.

Okay. Maybe we can drill down into the VMDR because it does highlight the power of your platform. If we think about the different components, you have VM, you have IT asset inventory and you have patch management. You've had each of those pieces of the technology for a little while now. And I guess, what's the advantage to customers to buy that integrated bundle? And you just formally unveiled it recently at RSA, so can you maybe talk about what the initial customer reception has been like?

So first of all, it's not an integrated bundle because it's one single application. And that's very different. It does -- where we input this different application that we add together, just like that. We essentially absolutely recreated one single application which, again, as I mentioned earlier, from the detection of any devices that connects up to -- at the end of the day, the patching into one single. So all the workflows associated with. So that was also a major undertaking. We could have bundled the solution much before, but I didn't want to do that because what's the purpose of bundling things which are not well put together? So we had to make that very big effort. And at the same time, what we did is also change the pricing model to follow essentially what our customers always wanted is simplification. So now we went into an asset-based pricing, which means, today, if you're a large company or even a small company, we charge you by the number of assets that you want to essentially subscribe to. So how many assets is the price. So you don't have to count the agent. You don't have to count the scanners. You're going to scrub this and this and that. All that comes to you. It's fully integrated in one single app.

Okay. And can you talk about maybe what the initial customer reception is?

Oh, I mean, it has been incredible. I mean, today, so we are, of course -- we don't do RSA anymore since about 2 years now because as I call it, there's a little bit too much cacophony from the vendors. It's not good for your ears. And so we do our own conference at the Four Seasons. So we had about -- so this is where we officially launched VMDR. We had about 400 people. And then, of course, we have all of our large customers, in fact, are meeting with us. And in fact, this is what all the large customers do. They don't go to the floor anymore. They go from one hotel to the next, essentially going and listening to the road map of the vendors. So we had absolutely fantastic reception. And not only VMDR will allow us to -- we're offering a fantastic solution to our existing customers, but it's also going to help us to do 2 more -- 3 more things. One is it will help further accelerate the ubiquity of our agent, as I call it, because now, today, we don't charge you at all for deploying agent to do your global IT asset inventory. So you could have them on your laptop. You could have them on your phones. You could have them everywhere. So you can deploy that. It doesn't cost you a penny. The second thing it does is because, as you know, those customers of Qualys who have 4 solutions or more on the enterprise, the gross retention rate is 98%. So our overall on the enterprise retention rate is around 90%. So VMDR brings everybody to 4 solutions. The beauty of us having a cloud platform is that for our customers, this is going to be an instant upgrade. They don't have to do anything. It's already there. It's available. That's the power of the cloud. And of course, everything at Qualys is centrally managed and self-updating. So that's the big advantage of the cloud as well. The third thing that VMDR will do is that it's going to allow us to essentially accelerate our expansion in the mid- to low end of the market where we have been traditionally competing with Tenable and Rapid7, which were a lower price point solution. And today, we bundle all of that. So for these companies, we offer 2 things, which have become very important for them today. One is they don't have to worry about the cloud anymore. We give them the entire view, everything they need to do to manage their cloud. And they're all moving to the cloud as fast as they can. But also with that same application will help them manage their current environment from an IT security and compliance standpoint as well. And with one single app, we're very well-priced and we have today a bit more than 10,000 mid-market and small customers. If you look theoretically, we could have 50,000 of them. So today, you're going to see Qualys doing significantly more lead generation reach out to that marketplace now that we have that very well packaged application.

And you mentioned the strategy of getting a cloud agent adoption through offering some free versions of your solutions, global IT asset inventory. I think the cloud app scanning is also free as well. Can you maybe talk about how successful that's been in terms of spurring cloud adoption? And then what you've seen in terms of converting those free users to some of your paid solutions?

So the global IT asset inventory, which we decided to make free of charge, has been a very good success. Today, it's really integrated with VMDR, which means today, we empower our customers to be much less dependent of IT. The problem of vulnerability management, and the reason why that category didn't really grow, for example, to the degree of the firewall is because the resistance. The resistance was you needed to go to IT to find out which devices, where they were and on and on. And then you needed IT again to patch so that was a lot of resistance, especially in a very silos-oriented IT world, where you have the guys doing the Windows servers, the Window patches and this and that. So to date, we liberate essentially our customers. But now -- so that is very important that having bundled that into one solution, we really empower customers. Going to your question that our global IT asset venture was a very big success. We generated -- I think we launched that about 3, 4 months ago. And we have now -- from that, we generated 600 new customers, and about 300 of our customers adopted it now. Obviously, the customers will adopt it in spades since it's already all integrated. But I think we are going to use it significantly more now to generate new customers and accelerate now that we have more understanding of what it is, et cetera. We are going to -- you're going to see us doing significantly more lead generation campaigns around our global IT asset -- our free global IT asset inventory.

Okay. In terms of platform adoption, you've already started to see numbers that are moving higher in terms of customers adopting multiple Qualys products. And this is even before the benefit of VMDR. And so what is working now to date in the platform? And then with the addition of VMDR, can you talk about what your expectation is in terms of multi-cloud -- or multi-product adoption?

Yes. So I think that will continue and will accelerate. Also, what it does is that, today, we've seen a significant increase for this same reason of the large customers -- of customers is essentially increasing above $500,000. And maybe you want to give some specifics on where we are today in these 2 metrics?

Sure. Yes. So as Melissa set the stage for -- we've seen quarter after quarter improvement in our multiproduct adoption. So right now 48% of our enterprise customers have 3 or more solutions, which is more than double the amount 3 years ago. 28% have 4 more solutions, which is 3x, nearly 3x the amount 3 years ago. And 15% have 5 or more solutions, which is 5x the amount 3 years ago. So as we pointed out, the more solutions we have, the more we roll out and the more we see adoption. That's going to propel that metric forward, which, again -- then also as a related metric, helps drive further numbers of companies that are spending more than $500,000 with us, which, year-over-year, accelerated.

Okay. Great. Let's just shift to just the core vulnerability management market. That's a market that we have thought of historically is growing mid-teens. There's sort of a debate on whether the market could grow even faster than that just given the landscape of workloads or devices to protect continues to grow. What are you seeing in terms of the health of the VM market? And do you think that the market could potentially start to accelerate as you start to encompass assets like containers, web applications, IoT?

So I think the market is pretty healthy because now today, what is happening well beyond, if you prefer the -- in the early days, it was the perimeter Internet facing devices that we are looking at. Then after that, we start to look at the critical servers. And then, of course, more of the endpoints. And today, everything connects with everything. And so you cannot absolutely neglect the fact that you have to have the full visibility of your entire environment. And that's what I believe, that VMDR is a really -- it's a pretty game changer. So I think we are going to help accelerate the market with VMDR. However, I have to say that because we are the only today company, which has essentially only 100% subscription base model recurring revenues, in a way, we are reducing the market as we expand because if you take the -- if you take perpetual license, obviously, you take the revenue all upfront when we take the revenue. And I used to say to give an idea of how important that is. Today, if we're taking 5% only of our subscriptions and turn them into a perpetual license, we will go above 20% and then our profitability will shoot 30% more. So if you reverse that thinking and look at some of these other vulnerability management companies, which are 15% to 20% to 30% of perpetual license in their numbers as Qualys continue to expand. And we expand the market, which is going to move, obviously, to become only subscription-based because that's the way everything goes. So of course, that will essentially shrink the market. On the other hand, we're also expanding the market into the cloud. And what we do also significantly, we believe, expand the market on the endpoint as well. So I cannot tell you how all that is going to be, but I think one will essentially balance the other. But I think 15% growth for the market is reasonable. It's a reasonable assumption, combining everything. So -- but again, don't hold me to that exact number.

Okay, that's helpful. So you talked about your presence on the endpoint or through your agent. You have 31 million cloud agents deployed. You have a broad portfolio. How does that play into the new focus around the data lake strategy? And why do you think Qualys is well positioned to provide incident response capabilities to your customers?

So I think we're in an extremely well position. I will not say we're extremely well positioned, and let me explain. If you look today at the current -- at the SIEM, we had 2 generations. So we are building the third generation. So the first generation was the off-site, the Q1 radar (sic) [ QRadar ], doing a very good job at taking the log, analyzing the logs and giving you that view. The problem was that they became very difficult to customize and very expensive to deploy. So Splunk came in, and Splunk came in with ElasticSearch. Essentially, that was the -- which now currently is served depending on this very, let's say, slow, complex environment. You could now pump all the data into Splunk and then have the benefit of ElasticSearch. So -- and that was fine when it was just about ingesting log. Now since you can embed them and with ElasticSearch and have immediate results. And what's funded very well is creating this very good workflow so you could customize your incidence response system, or SIM, much more easily than, of course, you could do it. Now the problem now that -- with that solution is, is that you have 2 problems. The first one is you need to capture the data. And not only just the log. You need to capture a lot of different data points. The vulnerabilities, the asset inventory, a lot of things. Now how do you bring that into Splunk? You bring that into Splunk or other solutions similar by essentially taking enterprise solutions that the enterprise has and then taking that data and bringing that. So now the problem is that, that data, you don't really know what that data really is. And then you have to correlate that data and reach the data, so it normalize that data. So you need the Splunkers, a lot of work, and you still create a lot of false positive in doing so because you don't really know your data. And then after that, you go into the solution, and then you are charged by the data you index, which is very fine in the early days when you don't have the big data set. But the problem of security is that it continues growing and growing and growing so it becomes financially impossible. So you have 2 major problems that we solve here. One, remember VMDR is the foundation, as I mentioned earlier. We capture all the data. And then because we are the one capturing the data through various agents or various sensors, we are absolutely capable. We know the data, so we could correlate, analyze and reach, normalize the data automatically. And having significant less inherently false positives. Now the problem of having false positives is that if you have false positives, you cannot automate. So if you want to automate your response, which is obviously what you want to provide as much as possible, you need to eliminate the false positives. Qualys does that inherently. And then second, we, of course, are now creating all these additional capabilities, analytics and the workflows which we don't have while also expanding our agent to provide automatic response. So we have now -- we'll have very soon the ability for agent to kill processes and to do a lot of things. So now you could automate even further the response well beyond the patch management. And then what we did is that we don't charge you by the data index. Some people are going to tell me, how could you do that? So it's really easy. Today, we index already 3 trillion data points on our ElasticSearch clusters that we don't charge a penny. Why? Because we charge by the application that collects the data. And as a result of that, we have a significantly better model. And finally, we know how to operate at scale. Again, we move 5 billion messages a day and so -- on our Kafka [ desk ], we plant 1 million rights per second in Cassandra. Scale is -- we know how to do it. And we have the engineering talent and if you prefer behind to continue and bring all that to market. And that's how we're going to have our EDR solution will be totally integrated in many ways with our incidence response system. Because if you look at EDR today, you need a significant back end to analyze all that data as well in real time, but that's incidence response, write to another application, which needs its own back end to analyze what you do in the general purpose incidence response system. And then, of course, you need to be able to capture the data, but not just only at the endpoint. You need to capture a lot of data because you could see that the malware can do lateral movement. So you could have a malware which comes from a printer and end up into your endpoint. And of course, you need to be able to have that entire view. And again, eliminating the false positives, then you can automate. So our view is we're not going to create a managed secure service, like some company like CrowdStrike does. But what we're going to do is enable our managed secure service partners, and we have today a significant number of them, all the engine or sources are Qualys customers and Qualys partners, and they're all moving into that, if you prefer, incidence response system with a lot of automation. Then we have IBM. We have NTT. We have SecureWorks. We have many, many of them. So we are not going to provide the humans behind the screens, but we are going to make the life of these humans significantly more productive. So everybody wins. So the customer wins because now certainly, these managed service providers are going to be able to do response when until then, they were much into the monitoring and somebody had to do the response. And then second, of course, they will not have to build these kind of platforms, which, of course, is very difficult to do. And so -- and of course, operate at a much higher profit, and we could continue investing in engineering. So that's essentially our model. So we're very happy where we are and I cannot wait to get this new solution being delivered.

That makes sense. Okay. I'm going to shift to a model-related question, Melissa, for you, and then I'm going to open it up for any questions in the audience. So Melissa, you're guiding to operating margins being down 100 basis points year-over-year in FY '20. Where are the incremental dollars being invested into? And what would you say to skeptics that would say Qualys needs to spend? Because you already have industry-high margins there. It's very notable how much leverage you already have in the model. And so what would you say to a skeptic that would say Qualys needs to invest more in sales and marketing in order to accelerate growth?

Yes. So we are proud of our industry-leading margins, and it's really a result of the platform stupid, as we say, or the leveraging the cloud platform model. So if I just walk through some of the levers, for example, in terms of our cost of revenue, we invested -- as Philippe mentioned, we invest in open source technologies and we focus on making them scalable. Unlike many companies that have either hybrid architectures or have been built through acquisitions, we don't have multiple architectures to maintain. Everything is built into one platform. So it gives us significant scale in that area. In terms of sales and marketing, if we talk about, we leverage the platform as a distribution channel. So the beauty of the cloud platform is people can download applications over the Internet. And they can try and buy new solutions. We do targeted campaigns, but it doesn't cost a ton of money to do that. And so we've talked about for this year, we're going to be spending more money in sales and marketing in terms of developing a digital marketing platform out of India. We'll obviously add head to wherever it makes sense. But these things don't cost -- don't involve significant deterioration in margins. We're fortunate that we have strong margins, where we can invest and still maintain industry-leading profitability.

Yes. And I will add -- yes, and I will add to what Melissa said. If you look at our model, our model is very simple. If you look at the enterprise, because we have the farmers and the hunters, the -- our farmers are technical people. It's very easy for them -- for us to grow that sales force. It's very predictable. And then on the hunter side, it's all about bringing people to trials. And we do that in as much of the mission as we can. Same thing on the low end of the market. So the ability to say, try the solution. It's very easy. It's much more effective than sending a hordes of our management sales guys, as I call them, which are going to go and try to essentially knock on doors, knock on doors and bring essentially the bacon home. It's a very expensive proposition if you could automate as much of that process. So we're building, as I call it, today now, we have now the technical platform, but now we're building a marketing platform. The marketing platform has multiple components, which some are already being built, are built already and some that we are expanding. For example, we have built in India what we call technical account representative. So these are technical people we take out of the technical schools, and they are essentially the onboard of all these trials or free services. They are technical. They're not there to sell. They are there to ensure that the customers have a very good experience and is helped at evaluating the product. So all that is pretty much automated. And to tell you the big advantage we have there is that, of course, we have a strong engineering team in India, so we can train them. We give them a career path. We take them. They are relatively young. We pay them $700 a month, believe it or not so we have a lot of them, as you can see. We train them. And then all that is automated. In addition to that, we are now building the solution that come from Salesforce.com, which they call High Velocity Sales, which have recently productized. That was the solution they were using themselves to manage or to drive the 10,000 salespeople that they had. And the beauty of the solution they give is that, essentially, as soon as we got a lead or immediately, it's in the system and then that system will dictate the cadence so you can follow all the steps that you need to do to bring from somebody who's interested, start the trial to the point of time that now you can bring that person to what we call a technical account manager, which is another technical person, which -- whether it's an enterprise person would then visit the customer or whether it's a telesales person or partners as well. So we are putting a lot of automation in our, [ should we refer ], the sales model, which is already was pretty scalable. So we're trying to bring that to another dimension. And all of that is in the logic of the platform. And this is the advantage of having a cloud platform. We couldn't do that if we were enterprise software, obviously.

Sounds great. Well, unfortunately, we're all out of time. Sorry, we ran out of time for Q&A. But thank you, Philippe, and thank you, Melissa. It was great having you. Thank you.

Thank you, Melissa.

If you have any questions, you can e-mail us and Melissa, [email protected]; PC -- like a personal computer, I have a Mac, PC but it's a personal computer, [email protected]. And there's 2 presentations that you want to look at on our investor relationship, which is the Investor Day that we gave during RSA. So you'll have the presentation where I speak about the industry, then our Chief Product Officer discussed about VMDR and our road map. And it's all on the webcast, so you have access to that, okay? Thank you very much.