Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

[Technical Difficulty] the software equity research efforts here at Citi. And I have the pleasure of hosting the Qualys management team with me for this session, CEO, Sumedh Thakar; and CFO, Joo Mi Kim. Thank you for joining us today.

Thank you for having us, Fatima.

Excellent. Before we get into the fun part of the discussion, I did want to remind the audience, if you have any questions that you'd like me to ask on your behalf, please feel free to send an e-mail, [email protected], and I'll do my best to get to any burning questions you might have.

So with that, Sumedh, I wanted to start with you, and I'll turn it over to you. You've formally been at the helm for 2 full quarters, but you are absolutely no stranger to the company. So having been at Qualys for the better part of the last decade, what are your top priorities as CEO for the next 12 and then 24 months?

Thank you. Yes, I think being at Qualys for almost 18 years now, I've been -- I joined as a software engineer and so really worked the last few years shaping the direction of the platform for Qualys and our vision of consolidating cybersecurity solutions on a single platform, and has been fortunate to have the opportunity to lead Qualys as a CEO. My priorities, really, are 2 key priorities. One is to focus on our continued innovation on the platform, and I think that's really what sets us apart. And then the second part of that is the go-to-market and focusing on getting our go-to-market in there, in a place that we would like it to be. And I would say, on the platform side, really, our vision has been really in sync with what almost every CSO will tell you that they would really like to have a -- as fewer security platforms as possible in sort of a plethora of individual cybersecurity solutions. And so if you look at what we're focused on, on the platform side the last few years is really natively building capabilities that expand all the way from vulnerability management on endpoints and servers, out to cloud container, SaaS environments, and continue our journey on adding capabilities. Because if you look at what the CSOs look at, there's 3 main things, right? They want to know everything about what assets they own. The second is they want to do everything to protect those assets from being compromised, so mitigate the risk. And then the third is to monitor them to see if they are actually currently under attack. And that's kind of where, on the platform side, we recently announced our cybersecurity asset management capability, which is something that every CSO really needs to know what kind of assets they have in real-time and what is on those assets. Then our vulnerability management and our ability to catch those systems help them remediate, and which is reducing the risks so that they don't get compromised, and reduce the risk of compromise. And then the third aspect is with EDR capability and upcoming XDR capabilities. We will help them detect if -- after all of that, if there is any attack going on. And so our focus is do that across cloud, container, SaaS, all different kinds of environment. And that's on the platform side, just really continue our innovation. And then on the go-to-market side, priority really has been to ensure that we have the right go-to-market. And that's why recently, I hired a CRO, Chief Revenue Officer, Allan Peters, to come on board, work with us to really build out a strong go-to-market that expands from new business, upselling to existing customers, as well as partner and other areas. And then, also recently, getting a CMO on board so we can get our message of consolidation out to the right people, in front of the right audience there, and continue to showcase the value of our platform so we can really be there as customers are looking to consolidate their stack.

A number of different areas there that I want to peel back on. But before we even really dive in, I want to take a step back and just talk to you about the threat landscape, just from a big picture standpoint. So a lot has changed in the threat landscape over the course of the last 18 months and certainly with the way enterprises are working. And this -- the number of nightmares and headaches of those who've had to deal with has only compounded, right? And so I want to ask you, over the course of the last 18 months, as you've navigated the business through the pandemic, what specific big picture trends have really accentuated what Qualys' value proposition is?

Yes. I think, just like everybody else, the cybersecurity folks were really caught offguard in terms of their preparedness for work-from-home environment, and then how critical roles that are working from home can support infrastructure that is being run on-prem. And I think that really has led to sort of 2 key trends that we see with our customers. One is the remote workforce and how do we secure that remote workforce that cannot anymore leverage enterprise on-prem solutions. And the trend to leverage cloud-based capabilities, not just security, but even productivity, leveraging cloud-based productivity solutions. And you see Zoom and others really benefiting from that. But also, on the cybersecurity side, being able to leverage architectures that are helping them secure their solutions and their laptops a lot more proactively and a lot more easily than with their current on-prem solutions. The second trend we see that it's also accelerated and overall focus on re-architecture of the security stack and moving into the cloud and container environment. So as people are looking to say, "Hey, this thing has really hit me like a ton of bricks," this is the time to kind of step back and see what should the IT infrastructure be. What should the security infrastructure be? What should the architecture be? And how do we leverage kind of newer architectures to support our data center, moving into the cloud and leveraging container capabilities, right? And I think that's where I feel like on the endpoint side and on the cloud side, both Qualys is having that architecture, which is -- has been cloud-based since day 1, and extremely easy to deploy and not requiring really on-prem installation of consoles and things like that. So as an example, one of our customers who has like 245,000 employees globally, and they were leveraging Qualys VMDR for assessing the vulnerabilities on those devices. They're service providers, so they have requirements of compliance from patching perspective. So as soon as the pandemic hit, they had 245,000 employees sitting in little apartments all over the world, not being able to pass their systems using their existing solutions. So within a couple of weeks, they were really able to work with Qualys and enable patching capability, where, with 1 click of a button, all the 245,000 devices would download those patches and get patched. And that really just accelerated their patch compliance because of the way Qualys is architected and the ability to expand on their existing solution that they had. And then on the cloud side, we continue to work both on adding customer-facing features directly with cloud security posture management, et cetera, which is really helping them see sort of the bigger-picture attack surface of cloud. But then also, one of the key features of cloud is just the ability to work closely with the cloud providers to provide more built-in security. And that's where our partnership that we have with Azure and others. We've really focused on working to get the Qualys solution, again, because it's a cloud-based solution, it can be easily architected into that environment. And so I think those 2 big picture trends and the way Qualys platform is architected kind of helps customers see how they can leverage these capabilities much quicker than having to deploy on-prem solutions.

You brought up VMDR, and I want to take it back to the basics with just core VM. To your point, we, overnight, went from headquarters, 1 location, to 245,000 many offices in your particular customer example, which means 245,000 times x points of vulnerabilities, right? So when I think about vulnerability management and vulnerability assessment, and VM and VA being a very core part of your business, it's very core discipline for you, that entire market has seen some pretty significant change in the last decade. So I'm curious, specifically, what changes in the threat environment and the organizational IT landscape, maybe, have been most impactful to the VA or VM buying behavior as you've seen?

Yes. I think the -- just the acceleration of the attacks that we see with ransomware, and others that have been coming up, have really pushed -- as I mentioned earlier, really, VA is essentially your risk remediation, right? It's that you want to mitigate your risk upfront, so you just don't even have those attackers coming on to your devices. And so what has happened over the last few years, I would say, is that the customers' mindset has shifted from scan once a month maybe and patch things in once-a-month cycle, to continuous assessment, knowing, at any given point of time, exactly what vulnerabilities they have. The ability to auto-prioritize, I think, there's just a lot of vulnerabilities. Some of them are low priority, low benefit. Others are high priority, high benefit. And just the desire from the customers that, "I just have a huge pile of vulnerabilities that I'm getting, how do I prioritize to first remediate the ones that truly add risk to my environment?" has been the focus. And then as they start to do that, how do they also make sure that they're not buying into solutions that are only giving them a long list of issues? Are these solutions also helping them fix things, right? That's where kind of our focus on not just providing a list of CVEs, but the ability to also leverage Qualys' agent to patch. So you can patch those quickly. And that's really been driven by the increase of speed in which you can see the attackers are capitalizing. If you look at the exchange vulnerability that came out within a matter of days, unpatched servers were exploited at mass by attackers very quickly. So the quicker you can patch and quicker you can automate, the more risk reduction you can achieve. And that's really been -- so overall change in the landscape from vulnerability management perspective is just customers looking to figure the ways to know these vulnerabilities in real time, leveraging some sort of an agent solution, being able to prioritize the ones that are actually at risk right now and then being able to fix those quickly. And that's really driving that -- our design of VMDR and the adoption of VMDR.

And for those uninitiated VMDR, Vulnerability Management, Detection and Response, really completing that life cycle of value-add from you, right?

Correct.

So as you think about these changes, how you frame them, how do you think about this growing appetite for a more fulsome solution like VMDR impacting the medium- and long-term growth rate of the overall VM market, and then specifically for you? And I mean, what I'm really getting at is, do you think VMDR is going to be cannibalistic or accretive to the overall market growth?

Yes. See, VMDR is pretty game-changing and fairly differentiated in the market as we don't see anybody offering that end-to-end life cycle of detecting devices, detecting the vulnerabilities, prioritizing them and patching them all in one, right? And so the focus for us, and based on feedback from our customers, really, has been help them get VMDR deployed into their environment so that they can really get that real-time visibility, real-time view. Qualys can give a real estate on these devices. And most importantly, VMDR, really, is helping customers make a move into more agent-based solution, right? And that really helps us. So while VMDR itself -- we are focusing on getting that out to more and more customers. What it does is creates a base for us to then leverage the VMDR and the agent deployment that can come with VMDR to be able to help the customers consolidate their additional other solutions, where, now, they may have 5, 6 different other agents: 1 for file integrity, 1 for patching, 1 for EDR, 1 for asset management. So VMDR helps us kind of get in there, essentially leveraging our core capability of a VA and the trust that they have in the platform, get that out there, get the agent, and then from there on, work with them to be able to provide additional capabilities that our sellers can go and upsell them into. So VMDR is very strategic for us to get that out and get that adopted more and more by our customers because it helps us create opportunities for us to cross-sell additional solutions that we have that are based off of that same agent. And that's really the key is that single agent that they already have can provide all these additional capabilities very quickly without any additional software deployment.

And just to round out the discussion vis-à-vis VMDR. What type of financial traction are you seeing? What type of -- any operational metrics that you track in terms of customers graduating from traditional Qualys VM to VMDR? How does that sort of manifest in any financial or operational metrics? Maybe that's one for you, Joo Mi.

Yes. So VMDR, it's really been a positive in terms of the feedback that we've been getting from customers. And so the onset, we launched VMDR at the beginning of last year. And when we were talking about the pricing and how much we really want to push the acceleration of that VMDR adoption. We really thought that it was an intriguing product. It was going to be meaningful to us. And it was going to further increase adoption of Cloud Agents in this equipment at endpoints as well. So because of how we've been pushing it, it's one of the major KPIs that we've been tracking. And if you take a look at the percentage of customers who've adopted VMDR since the launch last year, it's up to 28%, which is significant, especially because we're in the security space. A lot of the budget owners are a little bit hesitant when a new product comes out to purchase it right away. But given the value proposition that we've been able to communicate and effectively convince our existing customers as well as new customers, we're really optimistic about the further adoption of VMDR and the momentum that we're seeing in the space.

And how do you think about the potential instrumentable estate for an agent-based solution like VMDR? Understand it's a very important conduit for growth in some of your other product areas. But as a general addressable market view, what does that addressable estate look like for you within your installed base and even at large?

Great question. So one of the -- it's because VMDRs, we believe, is going to be a driver in multiple different ways. So for example, what we believe is once customer has a VMDR purchase, what that will lead to is deployment of Cloud Agent, which is the underlying technology for multiple Qualys solutions. The additional solution purchases, cross-sells, will increase the customer spend. In addition to increasing the deployment, the number of assets that each customer is requiring -- needs to be covered at endpoints has increased, especially from the COVID, with everybody working remotely. And then third is the strong strength and retention. We really believe that this will help to further solidify our position in the market. Our customers will be more loyal to us. It will help with the retention rate as well as upsell and cross-sell rates. And this is really in combination with newer solutions that we've recently launched and planning to launch the end of this year. You're seeing a potential multiple increase in customer spend. And this is part of the reason why, when we price VMDR, even though the value proposition is there, and it makes complete sense for each of these -- of our customers to really reevaluate the security risk management and how much they're willing to pay. What is it worth it for each of the customers' organizations? We believe that we priced it right to further allow customers to free up the budget to purchase additional Qualys solutions and increase the spend. So yes, we're really looking at -- even our target addressable market is increasing from $20 billion to over $30 billion in the next couple of years just with additional solutions that we're launching, including XDR at the end of 2021.

So just on this notion of expanding the product portfolio. There's no shortage of SKUs that you offer in the portfolio. So some that you've overseen a lot of this product expansion strategy. And so when you think about the cross-sell and upsell journey with your 20,000-ish customer base, where are you with respect to penetration of a pretty broad portfolio?

Yes. I think we are definitely at the early stages right now. Our focus, like I said last year, has been to get our existing VM customers to upsell to VMDR, essentially adopt more VMDR. And then from there on, focus on as their renewals will come up. Because, typically, we're a subscription-based business. So they purchase these things at renewal, when they do upsells, et cetera. So I would say we are at the early stage. But we have, anecdotally, early indications that we have talked about even at our earnings call is we are happy with the kind of initial traction that we are seeing with Patch Management as a cross-sell, File Integrity Monitoring, Container Security, et cetera. And something that we talked about at the earnings call as well is just, again, like early days, where we can see that the new customers that have an opportunity that are coming to Qualys, and they have an opportunity to really rebuild their security stack, are right off the bat purchasing multiple capabilities, not just VMDR. So they end up doing Asset Management and/or Patch Management and/or EDR, sort of in the very first initial purchase. So I think those are some early encouraging signs for us that sort of validate that as people get an opportunity to redo their stack. They are looking at solutions that help them consolidate.

Now are you doing anything from a pricing or bundling or packaging strategy standpoint or anything as it relates to sales compensation or sales incentives to really drive this multiproduct attach and multiproduct uptake behavior?

Yes, we've always had a very strong strategy around having technical sales force that are partners with our customers, to really help them be successful with the solutions that they purchase. Again, being a SaaS solution, you kind of got to go back and earn the entire renewal plus and upsell at the end of the year. So can't sell and walk away. And so I think our strategy has always been how do we ensure that we have the right connection from an account management perspective, where fairly technical people are able to work with the customer to make them successful. So I think our focus is going to be to continue to provide these technical account managers with additional help with solution architects, et cetera, which we've done as well. And we continue to expand in that area to help them go and look at these additional opportunities and then be able to see what the customer is ready to do. So again, right, the packaging and pricing and all of that, if you look at VMDR, we follow what the customers are looking for. So as more and more customers wanted this whole thing in one workflow, we were able to package multiple capabilities into a single asset price and that became VMDR. But then they -- customers are in different places in their journey to adopt Patch Management as an example. So that's not necessarily included in VMDR. That's an additional upsell because they may not be able to do it on all of their assets, et cetera. So we really keep focusing on how the customers are looking to purchase this as a subscription service. And then on the SMB side, SME/SMB side, again, we have a good customer base there. And the advantage there being a cloud-based solution. And this is an area where these folks don't have many resources. So for them, one person who can actually leverage one solution that can do all of the discovery, the assessment and the patching through a single solution is an advantage for them. So at that segment, we are focused on doing some packaging and then working with our sales team and then partners to kind of get these packages, bundles, I would say, out. But other than that, I think we continue to evaluate with the new CRO coming on board, what are the opportunities for us to work with our sales team and our customer to really get these solutions in front of them and adopt it. And then at the right time, we will be making the right changes, if needed, in the way we are working with our customers from a selling perspective.

So you've got the internal motion in here. You have a lot of control over the playbooks you can use and the sales enablement that you can encourage within the go-to-market organization. But I want to shift the lens to external. So just from a competitive environment standpoint, as you expand or extend the capabilities of VM into VMDR, as you enter newer adjacent categories in security, like EDR, and actually also from an asset management and inventory management standpoint, moving in more of the IT ops realm, how does that change your competitive landscape? And does that change who you run into and compete with bake-offs? And how does that dynamic actually play out? Or at least what are you seeing in early days right now?

Yes. I mean, that's a great question, right? And I'll go back to the thing that we really focus on, and we start with here at Qualys, which is that every CSO wants a consolidated solution, right? A single solution that can do more and more, right? And not just a single vendor who's providing 8 solutions, right, where we have companies that are going and buying other companies and packaging them as 1 single solution. But at the end, the customer has to deploy 8 different capabilities from different acquisitions that they have done. So we continue to focus on our goal, which is we need to provide a single platform, either natively or the technology we acquire. We're always completely integrated in our solution before we take it out to market. So that really makes it extremely easy. So that the same agent enable switch, and you can do Patch Management here for that devices or asset inventory or container security, and that continues to be focused. So obviously, what we are doing, we're not necessarily looking at the competition as it exists today in terms of features and capabilities, as we're looking at where is the overall customer direction and their thought process going and how can we align to that. So of course, along in that journey, in the short term, we will always see a competition with a vendor. who's only providing vulnerability listing, right, but then they don't provide patching. We will run into a patching vendor who is providing patching, but then they don't do vulnerability assessment. It's a different agent for them. When we go into cloud, we see a completely different feature, a vendor that is selling only cloud, but then they don't help with the on-prem systems or the laptops and things like that. So we -- as different solutions are continuing to mature from Qualys, we do see that we will have bake-offs with individual solutions. But overall, our focus is how do we provide customer the value and the win based on that, yes, there is that one other competing solution that provides one little thing. But then you have another solution that now you have to deploy and integrate with some other stack. So we continue to focus on that. So yes, in the short term, we will see individual capabilities that we compete with from a bake-off perspective, but we focus on making our point and our value based on that. And again, right, it's not just a 1 plus 1, 2, it's really 1 plus 1 can be 3. That's what we are focusing on. It's not just that you're eliminating 2 agent, but having a single agent do both provides additional intelligence because you're able to see signals from different things. And so the value that you get is more than just consolidating those 2 agents. And those are the things that we focus on when we work with our customers.

Joo Mi, just putting some financial contours on this part of the discussion, given where you are in the maturity curve of VM/VA adoption, the portfolio creeping into web security, IT ops and even cloud security areas. What does the business mix or split look like between these sort of broad disciplines? And how do you see that evolving in the next couple of years?

Yes. So Qualys has evolved in the last couple of years. Before, what we used to talk about is enterprise customers with multiple different solutions and how much it really contributed to the business. Now with the launch of VMDR, what we're doing is we're really focused on the platform's play. We're really trying to communicate with our customers to understand their needs, to really figure out what is the solution that they're looking for that would be most beneficial to them. So we're not disclosing by product, bookings or revenue contribution per se because that's not how we're selling. How we're working with their salespeople is understand their needs and then sell it at a platform level, lead with VMDR because we believe that that's where you start, with asset discovery and risk mitigation. And then what else do they need in addition to VMDR? For example, Patch Management automates patching. Then we have EDR and then XDR coming out later. In addition to more customer-specific solutions like them, not everybody needed them, but there are some customers who would definitely see the value in a product like that. And so all in all, what we're trying to push is with everybody asking for a consolidation in the security space, if you're looking for a vendor who can help you do that, and the ease of use, when you're purchasing a security solution, not just a point product, we are the vendor of choice. And it does make sense for our existing customers to stay with us and further expand their scope with us and new customers who join us as new Qualys customers. And we're very excited. I do think that it's a very pivotal time for us because VMDR and EDR, XDR, all these products are some -- our product development that were developed with the feedback from customers, there was some market in here. And we're very excited to introduce that and provide it to the market. And we believe that with our scalable business platform and the way we sell, we will be able to reaccelerate the growth without a significant contraction in the margin. And we believe that we'll continue to have the industry-leading margins and with the new products that further reaccelerate growth.

I definitely don't want to lose out on asking you about the margin structure. You do have one of the most efficient cost structures in cybersecurity and certainly in software, 35%-plus operating margins pretty consistently. And so these key profitability metrics for you have expanded 2x your revenue growth rate. And so in terms of all the growth opportunities you have, where is the incremental scope of improvements from here from, that 35% mark plus margin level? And where are the priority areas for investments within that envelope?

Yes, a great question. We're having that discussion internally on a consistent basis. And it's a recurring discussion, especially with a new CRO and CMO, who's recently joined us this month. Obviously, the key area and our focus right now is go-to-market. So we do plan on increasing spend in sales and marketing, especially relative to competitors, we've been really underspending in that area. And with the products we kind of said -- introduced, it does make sense for us to like look at all the potential investments and prioritize the ones that we think that will really have an impact on our bookings and, therefore, revenue. So with that said, though, given our business structure, where historically, we've always had about 60% come from direct sales force and 40% through partnerships, right? And so it's not all driven by increasing quota-carrying sales reps per se. And so we do have a business model that we do anticipate incremental investment in sales and marketing will have an impact on margin and potentially lead to short-term margin contraction. But again, if it's going to reaccelerate growth, we are focused on better balancing growth with profitability. So we do see that coming. And then in terms of the R&D and G&A cost of revenue, we have investments that we will continue to make on that front as well. So all in all, we do anticipate our margin to contract because that's really the right thing to do, and we've guided to that at the beginning of this year. If you just take a look at our EBITDA margin in Q2, right, it was at 47%, which is too high. We understand that. At the same time, we're not -- we don't have a spending habit at Qualys, where you don't go through the -- there were prior cadence that makes sense for us. Where the ROI is there, we will be spending. And so we anticipate some margin contraction in the near term, but that's not to say that we could see our margins returning to a higher level in the outer years.

I mean, just the last one, I know we're a couple of minutes over here. So maybe just to round out the conversation. M&A has been an important part of the product expansion strategy. It's an important pillar of your capital returns program. So how do you think about M&A going forward, especially given the private market valuation environment that we're in right now? What are your -- some of your thoughts there going forward as M&A being an R&D reinforcer?

Yes. M&A has always been an important aspect for us, to provide sort of platform-native capabilities. So we're always focused on tuck-in acquisitions that bring great technology and a great set of team, people, to the platform so we can provide this capability native on the single platform. So we haven't really done sort of acquisition just so that we can sell that product separately. Our focus has always been how do we provide that. And I would say that in the last few -- in early days, it was difficult to get a solution that was compatible with the Qualys platform because most solutions out there were on-prem. Now as more and more organizations have a cloud platform that can integrate faster, better with Qualys, we continue to look forward for any opportunities that allow us to. If we can meaningfully bring that capability onto the Qualys platform and can also be meaningfully leveraged as a way for a customer acquisition that we can sell our existing solutions side to, then we continue to be open and look for opportunities to do that. So that's an integral part of what we look at when we move forward.

Fair enough. Well, with that, I'll cap the discussion there. I want to thank you both for your time for a very comprehensive dialogue. And looking forward to seeing you in real-life someday soon.

Yes, I hope so. Thank you, Fatima. It was great chatting with you.

Thank you.