Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

All right. Good morning, everybody. Thank you so much for joining us. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. And this morning, we have the Qualys team joining us for a fireside chat, the new Interim CEO, Sumedh Thakar; as well as Joo Mi Kim, CFO of Qualys. We're definitely delighted to have them. Before I begin, I just wanted to point out for programming note, for important disclosures, please see our Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. So with that, Sumedh, Joo Mi, thank you so much for joining us.

Thank you, Hamza. Thanks for having us.

All right. So maybe if I could start off with a little bit of a macro question, right, that we're asking a number of companies within security specifically today is given your relationship with some of the world's largest organization, I was wondering if you could speak a little bit about the broader demand environment coming to 2021. And it's -- I think even pre some of these recent breaches that we've seen, how has COVID really changed the security market and maybe help to accelerate certain pre-existing trends that you were seeing even prior to 2020?

Yes. I think that's a great question. What we were seeing during COVID was obviously the move more towards remote workforce and a sudden move into having people be remote and having to secure their environment. And that certainly brought up a lot of pressure on the traditional, more enterprise solutions that required VPNs and to administer security, and those really did not function as well because of the demand of VPN technology. And so certainly, we saw a move more from customers, organizations looking more towards sort of easy-to-deploy cloud-based solutions that they could scale very quickly, expand to large number of employees and do that in a quick manner. So coupled with that was also just more acceleration towards the digital transformation of their own applications. So digital transformation was going on, but then with COVID and people working from remote, we did see customers were really looking to say, "Okay, we need to accelerate our move into the cloud and cloud-based solutions for our own applications because that's the trend that everybody is moving towards." So we were already sort of seeing that. We were looking at customers who are building in security into their infrastructure more and more. And then with the SolarWinds hack, there's a bunch of things that happened that we saw. And I think obviously, initial focus has been on the supply chain and the software that you're getting from your third parties. But if you look at the overall compromise with the information that's available, you could see that different -- additional things really happened other than the supply chain, which is lateral movement into the environment. The attackers will leverage the traditional misconfigurations, vulnerabilities, things like that to get on to other devices in the environment, moving to build servers, active directory, et cetera. But what was also interesting is that there is a lateral movement component into the SaaS environment as well. So there was also Office 365 compromise that were used to get into the on-prem environment and back and forth. And so I think as customers are really looking at what happened, how it happened, a couple of things that pop up from there from a security need perspective is just the need to be able to look at ensuring that you have your risk mitigation strategy in place, much better ensuring that configurations are fixed, vulnerabilities are fixed so you reduce the chance of lateral movement and expanding that into not just on-prem environment but cloud and SaaS environments as well, so posture management of SaaS solutions so that you don't have these situations where they can move laterally. And then the last aspect really is how do you detect. So the detection part, the fact that there is an intrusion, I think a lot of frustration came out just because there are so many tools and the data for each tool is in a different place, and trying to just look through all of that took a lot of time. So I think overall, what we see is that customers are looking more into a direction where they can have fewer tools. They can consolidate platforms, look at solutions that can provide both risk mitigation, helping them fix things, but also then detect the movement that is happening in the environment with EDR and SIM-like capabilities, and then also expanding into additional environments, not just your on-prem, but hey, how can I also look at SaaS.

Yes. And I think that parlays well into a question about sort of VMDR, right? So you're bringing together core vulnerability management, right, detection and response capabilities, very heavy focus on asset management, right, and this whole concept of shadow IT and knowing what's exposed to the Internet and kind of who has access to what. And I'm curious. It seems to make a lot of sense, right, in this current environment. And I'm wondering, kind of are you seeing any uptick there, right? I know you -- in December, you launched another free trial of VMDR. So since the hack has happened, is it coming up more on customer conversations? Are you seeing increase in attach rates on that product specifically?

Yes. I think if you look at VMDR, its vulnerability management is just detecting your risk and it isn't -- really the logical next step is to mitigate it to fix it, right? And that's why VMDR is unique because it not just only gives you the list of vulnerabilities. It actually provides the patch management capability, integration patch systems on the same platform, right? And I think that today, customers have to have a different agent for detecting vulnerabilities, a different one for prioritization, a different one for patching. VMDR brings all of those together. So customers, they really want to go in this direction. We already saw in Q3, Q4, 35% of our customers were eligible for renewal of VM solution, move to VMDR and continue to focus on that. But you have to look at also VMDR as a -- as one component of the platform because VMDR is the part that is focused on the risk detection and mitigation, but then there is also the other part, which is the EDR solution, which is the threat detection and response. So in general, we look at customers who want to do 3 main things for any infrastructure. First is discover all their assets, which is why Qualys spends significant investment in asset detection technology. Once they have detected assets, they want to mitigate the risk, which is where VMDR patch management come into play. And then after they have done all of that to protect their assets, they still want to monitor those assets to see if an attacker is in the environment, and that's where EDR and then our upcoming XDR solution is really part of the overall platform. So customers, we see, are very much interested. I think 35% renewal in that -- each quarter. I think that's really now -- we started in Q2. So we're definitely seeing a lot of that interest from customers, and they are moving more towards that. And of course, these large customers, they have different groups, different teams. So they also have to work through their internal processes because they may -- they are displacing some existing solutions that are doing other things like patch management, et cetera. So those solutions, their renewals, et cetera, are coming up as important. So what we have done with the free trials last year at -- in the middle of the year for COVID as well as towards the end of the year around SolarWinds, so it's not so much to sort of immediate lead generation or something like that. It's basically creating 60-day opportunity for our existing customers and new customers to actually see and try out the patching functionality because that's a much better way for them to then get experience on how Qualys agent that they already have is actually able to patch their systems. And then as their renewals of their existing patch management solution, et cetera, come up, we now have a few months to work with them once they have signed up for the trial to start to get them ready for that potential replacement that can come up a little bit later, right? So depending on the customer -- we, last year, gave an example of a customer that had 250,000 employees. Each one of them has a Qualys VMDR agent. When COVID hit, all their individual employees were globally in individual locations from home Internet, they were able to add on patch management on the same agent within a couple of weeks immediately because it was already there. They didn't have to deploy anything. Others have existing tools that they need to work through for their renewals, POCs, et cetera. So the free trials, really, we saw a good number of people trying it, using it, but that's more to setting it up for as their existing solution renewals come up that we are there and work with them to get those replaced.

Yes. I guess when you think about the deal cycles and the renewal cycles, at what point do you think that the VMDR product will actually lead to an uplift in numbers? Maybe this is a question more for Joo Mi, but I'm curious kind of -- at least when you -- based on your pipeline and the customer conversations, when should we start seeing that maybe start to benefit top line in a more meaningful way?

Yes. I can speak a little bit to that and then Joo Mi can add if she needs to, but we -- basically, in 2019, early 2020, we're really focused on responding to that need for having a game-changing solution that even today, none of our competitors really have, from a VMDR perspective, bundling all these capabilities into a single workflow. And then we started the rollout of VMDR in Q2 of 2020. And so we've continued that through the year and then we'll continue that through 2021. And in general, the hypothesis that we are going by and some of the anecdotal, early trends show that customers who have VMDR, they have the agents. And typically, our customers tend to do upsells at the time of the renewals. So as the Q2 2020 renewals start to come up in Q2 of 2021, that's when we start working with our customers to talk to them about the upsells. And so at this point, we're not really kind of saying any specific number, but our goal is to start working with the customers through 2021 to work on those additional upsells, et cetera, that we see that they can do. So Joo Mi, I don't know if you want to add more to that.

Yes. Just to add a little bit more color. It's -- I think we talked about it multiple times where we really thought a lot about the pricing of VMDR. In addition to the value proposition that we put forth in front of customers and new prospects. So when we did that, we knew that there wasn't going to be a meaningful revenue uptick last year. And that's just because of how we priced it. So if a customer had multiple Qualys solutions, they might be paying a little bit less when they renew into VMDR. If they only had VM and they renewed into VMDR, they might be paying a little bit more. And so last year, all in all, overall, it was broadly revenue-neutral. But if you think about it, right, like, second half of last year, 35% of customers who had VM renewed into VMDR. So you know that at least those 35%, when they come up for renewals this year, we won't have that similar impact, right, because the base, they're already starting with VMDR. And so you'll see that shift happening in 2021. With that said, it's a little bit uncertain when it will be material on the revenue front, but we do expect that to help. In addition to -- a hypothesis is if you have the VMDR and you really recognize the value, then the percentage retention will go up as well. And so we see that coming, but it won't be a onetime or dramatic thing that we see happening on the revenue side this year.

Got it. Maybe shifting back to the product side. So you mentioned launching the EDR service, and there's a data lake behind that as well. I'm curious, a lot of vendors today approaching EDR, now XDR, right, some are bringing in sort of the network telemetry, others are using end point. How is Qualys kind of differentiated in this XDR play?

Yes. That's a very good question. Typically, what happens with the SIM is the SIM is an independent, stand-alone solutions and customers still need to go buy those 50 other individual security solutions, pipe the data back into a SIM, get an additional product [ for sure ]. And so it's a pretty complex environment that's very costly for them. So in general, when you look at XDR, customers are looking for, how can I reduce 2 platforms that are also collecting the data that I need and analyzing that data. So today, when you look at Qualys with VMDR, certificates, container, cloud, now the launch of SaaS solution, mobile devices, handheld devices, application-level scanning that we do as well and then bringing in EDR data, we also released our asset scanner last year to look at network data to capture network telemetry information, bringing it. So essentially, when we look at our platform, a lot of the data collection that is needed for the security analysis already being done by Qualys through our existing sensor solutions. And now with our XDR offering, what we are doing is we are now ingesting additional log data from other solutions like firewalls and proxies that we don't typically collect the data from if that's an area that is not an area that Qualys is in. And so now, we provide a much bigger, broader context and that's -- really, the differentiator here is that a lot of the data that is going into these analytical solutions are already collected in Qualys. And now with the augmentation of this additional data, we feel that we can provide the most broader perspective because -- whether you're looking into your vulnerabilities, your assets or whether you're looking at deep information and end-of-life or your EDR, we have provided all of that. What we see today in the market otherwise is a lot of the other XDR solutions are very much coming from secure-gateway-type companies that already have the network information, but then they don't have the rich information on the end point itself to know what's on the end point, what's going on collecting that data. So today, with a combination of agent that is really deployed in a lot of locations plus the network information that we're bringing in plus SaaS, I think we're really shaping up for what we believe is going to be a pretty comprehensive solution.

One of the things that often is debated in security is sort of the suites versus best of breed, right? And I think for the most part, the best of breed tends to win more often in security than that, right, especially relative to other software markets. I'm curious. When you think about consolidating multiple areas of spend, right, going from VM to XDR to even parts of SIM, I'm curious how do you think about that, right? Are you trying to replace other solutions, right? Or do you just see these as sort of maybe natural adjacencies where Qualys has the right architecture and sort of the right product to address them?

Yes. I think it's very interesting because if you talk to any CISO, nobody will say, "I want more agents and more solutions," right? So they all want fewer agents, fewer solutions. Right now, of course, how do you get there? And that's really the question. It's how do you really get there. And that involves a lot of different things. It's, of course, the vendors' technologies need to be mature. They actually need to provide the functionality that you want with a single agent. And then there's also the internal budgets and which group owns what best-of-breed solution today and how do you get them on board so that everybody comes together and say, "Okay, this is the one solution that we are going to go towards." So I think there is the desire and everybody wants to go there, and that's the journey that we are on right now. So today, we do see that anecdotally, as an example, that one of our customers who -- let's say that they have Qualys VMDR agents. Their auditor told them that for PCI, they need to do file integrity monitoring. And for them, it was a no-brainer at that point to say, "Qualys agent, that's -- I already have certified with my security team, already has that capability. I'm just going to use that versus going and getting another agent and certifying that," et cetera. So in the newer environments where people are using cloud containers, that's becoming a lot more easier for them because they just get the agent in and then they turn on functionality as needed. There is a displacement component in existing infrastructure where we do displace existing solutions for file integrity and EDR and others. And really, it comes down to -- again, beyond the fact that you're replacing individual best-of-breed functionality, there is also a value in that integrated platform, right? So if you have an EDR agent that throws an alert saying machine CX25-27 has an alert, the EDR solution doesn't have a context of that machine. So you have to go to some other solution to find that out. You have to go to an inventory solution to find that out. So a solution like Qualys, where we are bringing inventory vulnerability, EDR together, it's more than just software. If you don't use Qualys, potentially, you have to get 1 solution for EDR, 1 for asset inventory, 1 for vulnerability and 1 for patching, 4 different agents. Looking at Qualys, one single agent can do that. But beyond that, it is also the agents being combined but also the fact that the context of that overall device is already in the platform, right? And that's what we are working with customers. That's where they see the value, and then we work with them now to say, in some cases, we need to displace existing solutions, so when are those renewals for existing solutions coming up and how do we then show the value and the consolidation. But the desire for everybody is to reduce the number of agents and consolidate the platform, and that's the direction. We are investing pretty heavily in the Qualys platform for all these years to really provide that solution, where, again, some other companies are just buying additional platforms. And so for the customer, they still have to deploy 7 solutions. So even if it's from one vendor and unlike what we have done at Qualys, we really invested to focus on an integrated approach and an integrated agent.

Got it. I want to just touch briefly on sort of your approach when it comes to competition, VM, right? I know this is asked a variety of different ways. But is it really that when it comes to another VM provider, whether it be Tenable or otherwise, Qualys' approach is like, "Hey, we don't want to get into necessarily a price competition, right? We'd rather say, hey, choose our VM and perhaps we'll maybe give you a discount or maybe some favorable pricing to move you towards this VMDR platform and then that will lead to a higher uplift over time." So do you think that's one of the reasons why maybe you're not seeing the growth today, right? And this is sort of a more longer-term tail. So you're not giving up on price today, but you're trying to sort of move to this broader platform adoption?

I think that's an overall strategy perspective. As you said, what -- we don't want to get into this price war of they give a CVE, we give a CVE so it is cheaper. And that's where we've decided to take that step to kind of invest in creating VMDR as a premium solution capability that brings additional capabilities that our competition doesn't have today and -- so that we can maintain the price not necessarily -- as Joo Mi said, it's been focused on having more of a revenue-neutral approach this year to get VMDR adoption with these customers with that hypothesis that once they get that going and they see the value when they can now add patch management on top of that for a bunch of their assets once they have VMDR because the agent is already there, they can have file integrity monitoring. Now with the upcoming -- with our EDR solution, they can add EDR. And that's really where we are saying that with 2021 as these VMDR renewals will come up. 2020, we focused on more of the revenue-neutral replacement of VM into VMDR. And then as 2020 will come about and the renewals will come up, we will be working with these customers to get that uplift on those additional solutions through the year and through the next year as well.

Got it. I want to dig in a little bit on go-to-market. So you mentioned 2021 is going to be an investment year, which makes a ton of sense. Obviously, you have this broader product portfolio and you need a sales organization to go out and sell it. You've also brought on a lot of new sales leaders in recent quarters. I think a VP of new business in the U.S., a VP of field operations in the Americas, and among others, I think also some channel sales leaders. You're looking to bring on a new CRO this year. One of the things that I think, from an investor perspective, right, that we've seen with other software companies is that when you make sort of that much drastic change to a sales organization at least in the near term, there tends to be disruption risk. So I'm curious, for both of you, how are you guys thinking about managing that transition, right, when it comes to sales org? Are there any changes that will be involved in the overall structure of the go-to-market organization? And to what degree you've even reflected that in your guidance? I'm curious how you think about that.

Yes. I think at a high level, really, the basic model for Qualys having a technical sales force and our farmers and hunters, that model is really not changing some of these additional hires that we brought on towards the end of last year, are just ensuring that our strategic alliances -- we have additional capacity to go work with our additional partners. We want our focus on new business, whatever, new business VP and also feel that with the consolidated solution and more of an all-in-one solution, the SME, SMB market will favor a solution where -- because they don't have 10 different people to do different things. So that's where focusing on bringing the VP and GM for SME, SMB has been. So I mean these are kind of deliberate, thought-out plan to get these people and additional quota-carrying salespeople onboarded in a meaningful and a deliberate manner through 2021, so that we can work with these customers where the renewals are really coming up. And as Joo Mi will also explain, I mean we have industry-leading margins, and we have a solid platform that we believe in. And so we believe we have room there to make the appropriate amount of investment that is needed and still maintain our industry-leading margin and focus then on getting the right team within the structure that we have where we are focusing on upsells and getting those customers to look at additional capabilities. So Joo Mi, I don't know if you want to add more to that.

Yes. To Sumedh's point, we understand that this is a meaningful change, but we believe that this is a right step in the right direction to balance better the growth and profitability. And one of the areas that we want to emphasize is with the new leaders coming on board, what we're doing is kind of balancing that change, the magnitude and the impact of the team by making sure that our sales execution methodology and process is not changing for now, right? So it's not like new leaders are coming in with their own ideas and we're taking a 180 approach. We still really believe that our technical account managers, especially on the farmer side, should be technical. People on the hunter side are not necessarily as technical as the farmers that we have here. And in terms of the commissions and the structural org, we believe that what we've been doing is great, and we're further looking into areas where we can enhance that and support that with additional leaders coming on board and trying out different things but it's not a 180 shift.

Got it. Got it. And then maybe just on the financial front. You mentioned, Joo Mi, like revenue, obviously, is a lagging indicator, right? And there's a lot of investments being made. You've got this renewal cycle. What are some of the KPIs that investors should be looking at, right, in 2021 to track progress around the sort of demand recovery, right? Because I mean, I think current billings is something that people have looked at, right? But there tends to be some variability there quarter-to-quarter but -- so if you could point to sort of 1 metric, right, say, hey, look at this number in the back half of '21 or maybe 1 or 2 metrics, this will really highlight the improvement that we're seeing in the underlying demand trends.

Yes. So great question. We are looking at our KPI because they have been shifting, especially in the last 12 months, with the VMDR. And so one of the metrics that we're really focused on and tracking closely internally is that VMDR adoption. And the reason why we decided to disclose it rather early last year, even when we didn't really have that traction, is because we were driving that metric, right? So for example, if you take a look at Q1, it was only 6%, but that's because we basically launched in the middle of the quarter, right? Q2 was a full quarter where 20% of the VM customers renewed into VMDR. And that was as intended. We were actually very surprised. And it was a nice traction that we saw in the first full quarter of a new product launch, right? And that percentage increased to 35% in the second half last year. And we're hoping that we maintain that or that percent increases. But like we said, it's not about a target number. We're not targeting 35%, 40%, 45%. What we want to understand is what is the number and then what is the underlying story behind that number. Let's take a look at the customer base that were up for renewal. And for those people who decided not to renew, does that make sense? Is that really what was the best for our customers? Did we make sure to present the value of VMDR in the right way, right? And sometimes, it's sales enablement. Maybe it was a technical account manager who just joined, who didn't understand Qualys, who could have done a better job. Maybe it was really due to the customer situation. They didn't have the bandwidth to renew into VMDR in that specific quarter. We just really need to understand the underlying -- the feedback from customers as well as the situation so that we can drive additional change as needed in the future quarters. So that's really one of the metrics that we're closely tracking in addition to the dollar as well, right, but the reason why we haven't highlighted the dollar percentage conversion is, like we said, we expected it to be broadly revenue-neutral. We wouldn't have been surprised either way, if it has been negative or positive, because that's really not what we're driving towards right now. But I think that as we move forward into like the back half of this year, we will be looking at the dollar more closely given what I just mentioned earlier in the -- on the call.

Got it. [Operator Instructions] Just on -- going back to go-to-market. On the CRO search, just any update you can give us on how that's going and kind of what the criteria you're looking for, for that role?

Yes. As I mentioned earlier, really, we are just at the beginning of that, and our focus is really, again, finding somebody who can -- has the experience of bringing in the sales cadence, the process, the -- helping enablement of our sales teams, educating them, figuring out ways for them to go find the additional upsells within the organizations. And so we're looking as we are moving forward, and we're taking it deliberately to make sure we find the right candidate. It's to make sure that we find somebody who has that understanding of the space and it's not somebody who's just trying to beat them on numbers. It's somebody who understands our model, the way our customers are buying as a subscription-based service and the fact that a lot of what we do is really upsell-based. So it's very early days right now. And we'll continue to look for the right candidate through the rest of the year. And whenever we have the right candidate, I think we'll move forward.

Okay. Great. So with that, we can wrap up. Sumedh, Joo Mi, thank you so much for your time. I really appreciate it. And everyone, thank you for joining us.

Thank you, Hamza. Have a good day.

Thank you.