Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

Well, good afternoon or almost good evening, everybody. Thank you so much for joining us. My name is Hamza Fodderwala , I'm the cybersecurity analyst here at Morgan Stanley. And with us, we have the team from Qualys. We have Sumedh Thakar, CEO; Joo Mi Kim, CFO. Thank you so much for joining us.

Thank you.

Before I begin, a brief disclosure on our end for important disclosures, please see the Morgan Stanley Research disclosure website at www. morganstanley.com/researchdisclosures. With that, we'll get started.

So Sumedh. So Qualys has been one of the best cybersecurity stocks year-to-date despite some of the [ nice errors ]. So what would you contribute sort of Qualys' resilience to relative to even a lot of other cybersecurity companies that have had to cut their numbers more significantly more recently. What are you seeing from customers? And how have you gotten around maybe some of the macro headwinds that have been increasing in recent quarters.

Thanks for having us, Hamza. I think that for us, Qualys has always been focused on profitable growth for many years. And so I think that is a key part of our growth strategy. I think our focus on innovation on the platform side over the last few years has enabled us to create capabilities that have helped our customers be able to do more with Qualys and be able to expand into asset management and patch management, et cetera, which gives them better outcomes. And so which gives our customers the ability to expand very quickly with Qualys with adjacent capabilities without us having to have multiple sales forces required to sell individual products if we were acquiring separate platforms and selling each of them separately. And so part of those things and the fact that our customers can actually do more with the Qualys platform is sort of the key aspect why we are seeing -- being able to maintain our profitable growth and even in the macro headwinds, work with the customers to talk to them about the capabilities of consolidation, which is a big topic that CISOs are talking about and giving them outcomes because today, everybody wants to actually show that they have reduced the cyber risk, not just reports and dashboards. And so I think those key elements are really what help us. It's just our focus over the last few years on maintaining profitable growth has helped the stock where it is.

Got it. So yes, consolidation right now is a big theme, right? As customers look to rationalize some of their spend, not necessarily cut their security budget, but become more efficient. So what are the 2 or 3 key pillars that customers are consolidating around with Qualys, can you maybe just give a little bit of color on each of those?

Sure. Look, I think customers in our conversations continue to look at vulnerability management as a key component of the risk-reduction strategy today. The conversation CISOs are having in the Board meetings are more about risk reduction than projects and tools. And so when they look at -- I don't want to get compromised with a low-hanging fruit like my exchange server was not patched for a particular vulnerability, which has a patch out there for a year or so, which is very common. We see people not doing a good job at vulnerability management. So as our customers, when they look at to say, vulnerability management is a key component. But when you look at vulnerability management, it has 4 key components as part of the process, right? First is the ability to know your assets. Without that, you cannot do vulnerability management on those assets. Second is finding ways to detect these vulnerabilities in near real time as we do with our agents. Third is prioritizing because we are finding so many vulnerabilities. How do we figure out the ones that actually cause risk to your environment as a customer. And then the last part, which is the most important, actually fix it. I can do all these other 3, but if you don't actually patch and fix in a timely manner, you're exposed, right? You look at Log4Shell, et cetera, compromises are accelerating in terms of how short time it takes from going from a detection of the vulnerability to actually compromising that vulnerability. So the amount of time that customers have to actually fix those vulnerabilities is reducing. And so when customers are looking at a comprehensive ability to reduce their risk, these 4 components today are done by 4 different tools, 4 different teams. And that is where a lot of time is wasted. In fact, we had a conversation with the customer recently and they basically broke it down into 3 components of their life cycle. One is the time to detect and they said, with Qualys they were able to detect every 4 hours. Then they said time to communicate, finding the right asset and the owner is taking a couple of weeks. And then even after that, we communicate they're missing the 90-day SLA. And so the consolidation that they're looking for is how can I actually have a single platform, single agent, single tool that is not just giving me a list of my CVEs, but actually helping me the end-to-end process of finding assets, finding vulnerabilities, prioritizing and fixing it, which is what we do with our patch management capabilities, cybersecurity, asset management and VMDR.

Got it. Asset management, vulnerability management and then patch management are some of the key pillars among other things. Joo Mi, so how has that sort of consolidation, if you will, translated into metrics like your net retention rate or the percent of customer -- a percent of ACV that's coming from new versus existing upsell.

Yes. Great question. The way we look at our play is our go-to-market strategy has always been a platform play. And so the way we thought about the VMDR when we first came out with it was really strategic for us. What we thought would happen was it would increase our retention rate because our product would be stickier and it would increase their upsell and cross-sell rate, which has translated. So what we -- what we're seeing right now is on a constant currency basis in Q3, our net dollar expansion rate was 111%, up from 104% a year ago. And that's mostly due to our customers increasing their deployment with VMDR, but also purchasing additional products like CSAM and Patch Management. As of Q3 on an LTM basis, you're looking at CSAM and Patch Management contributing to 8% of total bookings, which is significant for us. Those 2 combined also contributed to 15% of new bookings and so this is where you're kind of seeing that the success of the adoption of our newer products is really lending itself for us to think about the opportunities ahead with products like EDR and XDR being even newer than Patch Management and CSAM and the potential given the targeted to small market for those 2 products.

Got it. So some of the people who were saying, "Look, VMDR, you're selling it, but there's no ASP uplift" and that you're selling it for "free". It was never supposed to be a price uplift. It was supposed to be a means to make that customer more sticky. So what is the differential, if you will, from a gross retention standpoint when a customer adopts VMDR as opposed to single VM?

So our gross retention rate has historically been around that 90% range. And what we're seeing is we thought that because it was always so high, since our customer base is approximately 20% enterprise and 80% SME and SMB. So the gross retention rate for 90% as a whole is really high for us. We didn't think that there was room to go up from there, but we have seen a tick up slightly in addition to the upsell going on. And so what we're seeing is VMDR is helping the customers to really plan their security spend out. So before what we heard from customers when we just had VM was, they would say, okay, we can see ourselves being with Qualys this year and next year given the budget. But the way we see it is 2 years out, 3 years out, because of your price point, how you price other products like ThreatPROTECT, there's no way that we can stay with us because it just becomes too expensive. With VMDR, what that allowed them to do is, okay, so VMDR is priced in such a way that I can increase the deployment with -- and we're getting more value for every dollar that we spend with you. And then on top of that, we can see a volume discount if we decide to purchase Patch Management, CSAM and eventually EDR and XDR. And so that's why they see 5 to 10 years with Qualys, given how they're thinking through it and we're helping to shape them, and this is why we're always acting as their adviser or consultant if you will, to help them to reduce risk in a way that also makes sense for them from a cost savings perspective.

And I'll add quickly to that in our recent user conference a couple of weeks ago in Las Vegas and the recording is online. One of the customers actually got up and talked about how by standardizing these capabilities on the single Qualys platform, they were actually able to save a bunch of cost and the cost saving was not so much from the licenses of these 4 different products they would otherwise have to use. But the integration of those products, the resources that they were needing to actually get to the patch state was half of what they would otherwise have to -- were using before with multiple different solutions. So that's actually the consolidation play right now is translating and customers are talking about that publicly now and how they see the platform play bringing value to them.

So you roll out the VMDR bundle initially in early 2020. You see the benefits in terms of enhanced gross retention, and it gives you a better on-ramp to upsell some of your other modules. Are there any instances where I think you're duration is generally around 12 to 18 months, if I'm not mistaken, the contract durations. Are there any instances when the VMDR customer comes up for renewal where you might think about just raising the price because they're getting so much value out of you and it's too cheap.

To cheap? Yes. Great question. And we've -- it's an ongoing discussion that we have right now, especially because of inflation. So the way we looked at VMDR is initially when we came out with the VMDR, we could have priced it higher because of value proposition, too, because we've never been viewed as a lower cost like product or a provider, if you will. The reason why we price it the way we have, and we have no intention of raising the prices, it's because we want to make sure that we optimize our pricing and the packaging to maximize the return and from a value perspective to our shareholders and to our customer, all stakeholders included as well allow us to increase market share. That's really important to us. And if you think about it from our perspective, we've always talked about balancing growth with profitability. We have a really high profitability margin, which allows us to not really increase price but maintain our margins. And this is why I think that we're kind of making sure that we take this opportunity to increase our market share.

Just last question on VMDR. I think it's now close to 50% of your customer base. Do you think it gets to 100% of the customer base over time?

I think that will be difficult just because historically, 70% of our customer base has had VM solution. So it's never been the case that 100% of our customers had a VM solution with that. So for example, a customer might just have web application scanning. I do think that there's a possibility there's definitely more room for that 45% customer penetration to go up but reaching that 100%, I think that it's -- not to say we won't be able to achieve it ever, but there will always be a subset of our customers who are looking to just purchase other products and not VM solution with us.

So are we saying 70% then is what we should think about as the upper bound?

All right.

Okay. All right. That's helpful. Maybe just shifting back a little bit to the macro. So obviously, the consolidation theme makes a lot of sense. What we're hearing from a lot of companies recently is you're seeing large enterprise deals are taking longer to close. And some of these deals are being broken now into multiple phases. Is that something that you're seeing? Or if not, what are you seeing on the macro front?

Yes, I think we're not immune from the macro impact that everybody else is seeing. We're seeing similar scrutiny of deals. What used to be 2 signatures is like 19 signatures. So everybody is asking the question why this, why that. So our supporters, our stakeholders have to justify exactly what the plan is, what the value is, how they're going to get value out of that. And consolidation, when you do that, it always comes with that project that you need to put in place to actually maybe rip out an existing vendor or move to a newer solution, which takes some resources. And so customers are looking at how do I -- what's my plan to -- I want to go for consolidation in this macro environment, it makes sense. It helps me reduce the resources. But to implement that, they have to have a starting point at which they feel like they have the right resources to go with some of that. And so in some cases, as we have seen, as Joo Mi talked about, 15% of net new bookings already buy those 2 additional products from us, right? In Q2, which was good because they came to Qualys, said, "Hey, I want to -- I'm in the process of changing architecture. I'm going to buy all 3 of them, which is great. " In other cases, they look at it, they say, "I'm still going to buy only VMDR, but it is good for me to know that 6 months, 9 months down the line, I can put a project in place that will replace my other patch management solution with Qualys or my cybersecurity management solution with Qualys, I can implement ServiceNow integration or something like that." So we are seeing that pause that people are putting in some cases, additional scrutiny and trying to plan how they want to actually roll out the consolidation, which, of course, takes up a little bit on the initial resources. But in the midterm and the longer term brings more value to the customer.

Okay. I want to shift to the profitability question for a second. So Qualys is one of the most profitable security and software businesses out there, 40% plus operating margins. But you also want to be a 20% grower longer term. Do you think -- and Sumedh, feel free to chime in here as well. Do you think that 40% operating margins in this industry is -- can coincide with 20% top line growth?

We do, and this is a conversation that we've had internally, especially when last year was the first year that we've hired the CRO for the very first time. And so when you bring on a new CRO, you have this discussion about all the other players that are out there that don't have the sales and marketing engine that we do. And the question that we have for ourselves is can we really maintain this go forward? How are we able to achieve this historically and maintain it so far. And I think that nothing fundamentally has changed for us. Our sustainable business model will continue. And the way we were able to maintain this margin is from the fact that we're a cloud platform. And the way we've been able to cross-sell and upsell customers is their ability to try out new products, which is so much more effective than just talking about the product and the benefit they will be getting from them. When they try it out, we're seeing that the conversions are happening. And so because of that, we don't see necessarily us having to double our sales force. We are increasing our sales force. We've increased our sales and marketing investments this year more so than we have in the recent years. So right now, we're turning to optimizing that spend. Even still, you're looking at last quarter, we ended the quarter with 44% EBITDA margin and 20% revenue growth. It will be lumpy going forward. That's what we see in this macroeconomic conditions in terms of the bookings growth. And in turn, because of that we're focused on optimizing that spend and investments to make sure that we maximize that return before we double down again, but longer term, we don't see a reason why we couldn't maintain that growth rate in the 20% range and EBITDA margin 40%, especially because you have so many other products that are new that are out there. The addressable market is large. So we're going after a very large market opportunity. So the onus is really on us to go after and capture as much as possible in the coming years given that the products are already out there.

And I'll quickly jump in to give an example of a customer who has Qualys on 300,000 laptops. They had Vulnerability Management Agent and when they wanted to try our Patch Management. If you were looking at a different solution, it will take weeks and months to get agents deployed and to get the back end deployed to even see value out of that. With us within 24 hours, they were able to get patches deployed on all 300,000 assets. And that same salesperson who was working with them for VMDR was able to sell them Patch Management, right? That's 1 example of how we -- once we get that integrated approach and the customers are trying it, it helps us actually have our sales team go and do their value prop. So with the macro, there's going to be some lumpiness in the short term. But I think, as Joo Mi said, we feel like with the integrated platform capabilities, we do see opportunities for us to get to that 20% with the 40% margin.

So Sumedh, so when you have conversations internally with Joo Mi and your Board, it sounds like every CEO is grappling with the question around growth versus profitability. On the 1 hand, we're going to be in a slower growth environment, so you want to show more leverage. On the other hand, you've got 40% EBITDA margins. You've got a good amount of cash on your balance sheet, and there are a lot of private competitors who are probably going to be finding a more difficult time in terms of fundraising. Do you see this as a time to double down on this massive market opportunity and maybe give up some of that margin? Or do you see it as a time to maybe harvest?

Look, I think this year was a year of investment for us. We have -- we are satisfied with the growth in sales and marketing that we have had in terms of headcount and other spend. And so I think now as we enter next year and this macro environment, what we are focusing on is optimizing that spend because this is something that with the new CRO new team, we have gone and done different things. So now how do we get into the next year and focusing on optimizing the spend by ensuring that all these new sales people are properly trained, have the enablement that is needed, that we are working with the partners that we have rolled out the new partner program to and make sure that we see the value, we see that productivity coming from them and then make further decisions on whether we want to -- at what point do we want to continue to do more. But I think, right now, we are satisfied with the investment we have made. And I think next year, of course, we'll continue to invest, but I think it will be an optimization and not necessarily an acceleration of that investment. So we look forward to that 40% margin.

Okay. Sounds good. Maybe shifting conversation to some of your newer growth initiatives. You talked about EDR, XDR, those are some big market opportunities, a lot of larger competitors in those spaces as well. How do you see your prospects there? Are you seeing any pipeline there at all? And do you think this is a market where, again, you'll have to kind of double down in terms of investment to really go after?

Yes. I think we've been spending last couple of years on innovating on creating capabilities through engineering. Some of the early adopter customers today who have used our EDR capability, XDR capability, are giving us some positive feedback on that. Based on that feedback, we are making updates to the product. So it's early days for us, but we see the opportunity because there are 40 plus EDR players out there in the market. And almost every asset that you deploy an EDR agent on, you also are doing vulnerability management and patch management, but you're doing that with different vendors. And so you end up with 3 different vendors, 1 for EDR, 1 for vulnerability management, 1 for patch management. What we see is the opportunity to say the comprehensive risk reduction on that asset includes 4 things, making sure you have your inventory, know what is running on the asset and reducing your end of life. Second is doing your vulnerability management and configuration management and patching that asset, so you reduce the risk of someone getting on your asset. And then if somebody does get on your asset, then use the same agent to monitor that asset for malware and then take a responsive action. Today, the EDR players are only focused on after somebody gets on it, what are they going to do? But I think what we look at is how can we provide comprehensive capabilities to our customers. so that they can do the risk mitigation and the threat detection with the same agent. And that is resonating -- the idea is resonating well with the customers. And as we roll out more capabilities through 2023, we look forward to starting to make a bigger impact in that market as we work with our customers, especially initially, the mid-market customers who have only 1 IT person or 2 IT people or maybe 1 security person, they don't have experts in vulnerability management, who are expert in patch management, expert in EDR. For them single console, single agent. Once they get it deployed, they can just click a button and it can take care of all these different aspects of risk management is appealing to them. So we're looking forward to that opportunity next year.

Any questions from the audience?

Everyone's quiet after lunch.

Okay. Capital allocation. So I think you have about $200 million or so in run rate free cash flow and a good amount of cash on the balance sheet. How do you see opportunities in terms of build versus buy? I know you've done mostly tuck-in M&A in the past. Is that something that we should expect to see going forward?

Yes. Look, I think with the example I gave you of when we do a really good job of integrating those solutions, the opportunity for us to then sell and do a quick [ POV ] and be able to close that deal increase. And so we've always been driven by making sure that we are not just going out and buying 10 different solutions and selling them independently through different sales force and stuff like that. Whatever we do, we focus on making sure that we can bring that on top of our platform, integrated extremely well so that it's a one-click enablement for our customers, and that makes it more efficient for our sales team to sell those. So we will continue to look at opportunities like we just recently did with Blue Hexagon as a way to bring MLAI capabilities onto the platform. So we'll continue to look at tuck-in acquisitions or opportunities that can bring potential customers to us. But it will always be driven by ensuring that whatever technology we bring is -- doesn't end up causing technology debt for us over a period of time that ends up us having to sell multiple different solutions with different sales force. And so I think we continue to stay open. We continue to look at those opportunities. And in this environment, as valuations are resetting in private company valuations as well. We see more and more conversations and more opportunities that can potentially come to us, and we always continue to stay open to that.

Okay. On the competitive angle. So there's obviously 2 other public VM vendors in this market. It sounds like this VMDR platform has differentiated you versus competitors, but just within the core VM market, have you seen any changes in terms of pricing at all? Is it getting more competitive, less competitive than you convert.

Yes. I mean I think Qualys, we always maintain more premium pricing and because we bring more value to our customers. We are seeing the last couple of quarters more discounting, heavier discounting by competition because they are giving more of the pure play, I scan and give you a list of CVEs, and so it's harder for them to differentiate amongst each other. But while we see that discounting that they are doing, the good thing that we look at is, of course, we look at it case-by-case basis, but we are able to go in with the customer and say, look, you have the budget, right? So we can give you Cybersecurity Asset Management. We can give you some additional Patch Management. And so that brings them more value rather than just essentially taking a discount. And so that conversation -- those conversations are helping because we have more of a platform approach. And for the same asset, we are able to give customers more value by helping them fix their things quicker and faster. And so yes, we do see some of the pressure, but we're countering that more by looking at the value that we can bring with the unified platform.

On the budget point, are you still seeing among the customers who have finalized their security budgets for next year. Are those budgets still growing? Are there any instances where security budgets have been cut based on your conversation?

I think it's a little bit mix for the most part. The budgets are resilient to what they have spent this year. I think any extra spend is being scrutinized above and beyond renewals. Questions are being asked. And so that is causing the elongated cycles that we see and people want to make sure. So we haven't seen as many customers really come and say that, hey, my security budget has been cut. I think what we see more is caution, they want to say, "Hey, let me wait for next year's budget to be finalized, so I get a better picture. " We also see in other cases, customers are coming and saying, "Hey, can we do a multiyear deal now, so we can lock in our spend and we know exactly what we are going to spend in the next 3 years." So there's no price increase, and we actually have a veritable spend on our cyber, but overall, we haven't heard any customers really say that cyber has been deprioritized or there have been any major cuts from a cyber perspective.

So typically, this time, Q4, you see some sort of budget flush in enterprise software. Would you expect to see that budget flush this year?

Again, it's been mixed, right? Different companies are looking differently. It's -- we still will get somebody saying, "I need to use this." In other cases, they're saying, " I want to conserve it." And so that's where it's been different and lumpy and quite different from what we saw last year, where it was much more of a budget flush.

I go back. Anybody has any questions? No. Okay. Channel, Joo Mi, bringing into the conversation. So I think earlier this year, you made some changes to how you go to market with the channel. And I think it required a change in the incentive structure to really drive net new customer adoption. Can you talk a little bit about that change? How do you expect that to flow through your margins, let's say, in the coming years?

Yes. It was early -- it's still early just because we launched it this year. What we found in discussion and having discussions with different channel partners is we really didn't have the basics in place, and the feedback has been that it sounded like Qualys wasn't really willing to partner with them. And I think that shifted. And we're hearing them out in terms of the deal rights protection, changing the incentive structure, if you will, in terms of the rev share. And what we see right now, historically, it's always been 50% direct and 40% indirect. That mix could easily shift to be more even in the coming years, but we don't see a dramatic change right now. So in the next year, I don't think that there's going to be any material change to margins. But even if it were to change from 40% channel to 50% channel, because the 40% is already fully baked in and reflected in our margin, it's not going to be a material impact to our EBITDA margin at the end of the day.

Last question, Sumedh. So you're coming up, I think, almost on your 2-year anniversary of CEO of Qualys, and you've done a remarkable job running the business in some unfortunate circumstances. When you think about your vision for Qualys over the next 3 to 5 years, what does that look like? I know it's a broad question, but...

No, I think that's a great question, and Qualys has always been driven by a vision and kind of today, look, CISOs have been wanting to have a seat at the table for the Board, and they got it and then they are speaking a language that the Board doesn't understand because they're going in and saying, "I implemented [ MLAI ] and implemented vulnerability management " and Board is like so what does that mean? I gave you $2 million? Like what does that mean? So I think where the market is moving and where I see the opportunities at the end of the day, it's all about cyber risk. You have to quantify that risk, you have to tie that risk to your business risk and be able to showcase that your risk was at this point. This is the investment you made in cyber, and this is where the risk is. And the rest of your risk you have to take from your cyber insurance. And that's basically what it is. And so today, with VMDR with true risk with what we have done and the ability for us to have a platform that's not just highlighting the issues, but actually just continuously reducing your risk. The future opportunities really where I see is Qualys can really help customers get a holistic view of their risk and actually also mitigate that risk across on-prem cloud container environments and really tie that to the business outcome, which is basically be able to show it. This is my investment. This was my risk. Here's the risk that I've been able to brought down. And I think today, at the end of the day, that's really what businesses are focused on, not the tools, architectures or whatever it is, the Board just want to know. And then we are also doing some forward-looking partnerships with insurance, cyber insurance companies like Cowbell, as an example, where I believe that if you're making an investment in a platform like Qualys for risk reduction, it should help you on your cyber insurance premium as well. And so what we have done with Cowbell, as an example, is that with the integration with TruRisk into the platform, if the customer has a good risk score in Qualys, they automatically get a rebate on their cyber insurance the following month. And so this is really where it needs to go in my vision for the future is cyber risk needs to be quantified and then we need to bring it down to a dollar value that you spend on it in the tools and then the rest, you do in cyber insurance and they need to work together. So customers can overall bring down the cost of what they're spending in cyber to bring down the risk.

All right. Sumedh, Joo Mi, thank you so much, and thank you, everyone, for joining us.

Okay. Thank you very much, Hamza.