Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

December 3, 2024

NASDAQ, US, Information Technology, Software, conference presentation, 30 min

Earnings Call Speaker Segments

Roger Boyd

analyst
#1

Awesome. Well, we'll get started. Welcome, everybody. Thank you for joining. I'm Roger Boyd, the cybersecurity analyst here at Needham. My pleasure to have Qualys here for this next fireside chat. We've got Sumedh Thakar, who's President and CFO -- or CEO; and Joo Mi Kim, who is CFO. So thank you both for being here.

Sumedh Thakar

executive
#2

Yes. Thank you for having us.

Roger Boyd

analyst
#3

[Operator Instructions] So with that, we'll get started. Sumedh, just to start on the product side, you've been talking about this vision of a platform for some time. And you've talked about the adoption of products like Patch and CSAM, the momentum they're continuing to gain. But just high level, when you talk to customers, what are they telling you about vulnerability, exposure management as one of the critical platforms when they think about kind of the future of their cybersecurity posture?

Sumedh Thakar

executive
#4

Yes, great question. So vulnerability management continues to be a cornerstone for any risk management exercise for every single organization, is required by every single mandate that's out there, they're required to do vulnerability -- I think what has happened in the last few years, and we've talked about this the last couple of years, is that as the amount of software being deployed has increased, the number of vulnerabilities being discovered has increased a lot and customers really are today saying, well, the outcome and the ROI of vulnerability management is if we can actually get things fixed. Otherwise, we're just reporting on that. And so exposure management really is about, are you just exposing the exposure with scans or are you actually managing it with getting remediation? And so we started to see this a couple of years ago, even earlier than that, where customers were struggling with actually getting things fixed. And what we hear in the vulnerability management space, and I think it applies overall to the security space, is how -- what is the ROI? How much should I focus on security and which part of security? And so when people are talking about a platform, it's not necessarily always "Can I consolidate agent?" It's also, "Can I get an outcome?" So if I use one solution end-to-end or just for vulnerability management, do I need to have 4 different solutions, right? One for discovering assets, one for scanning, one for prioritization and one for Patch Management. So when we introduced Cybersecurity Asset Management a couple of years ago, 4, 5 years ago, we introduced Patch Management, now we see that customers really adopting that. Just in 2024, as an example, Qualys agents have deployed 78 million patches from January of this year until now. So customers are actually using a VM solution to deploy the patch. So I think that's really what we see customers really talking about ROI, "How much should I focus on?" 
And the bottom line is there is no ROI in security if you don't fix the things. Like you can build dashboards, but that doesn't mean anything.

Roger Boyd

analyst
#5

Yes. Makes sense. In addition to that ROI conversation, I think we'd all agree that cybersecurity is becoming more of a Board of Directors conversation. And I think the nebulous question that most Boards are asking is what is our cyber risk, which is sometimes hard to quantify. A lot of vendors are trying to address this challenge, but you introduced this new Risk Operations Center, product branding. How does that directly address some of challenges, initiatives?

Sumedh Thakar

executive
#6

I think at the end of the day, cybersecurity is a risk management exercise. And the first question anybody has when you say risk is how much. And as you rightly pointed out, most CISOs, when they're going to the Board, are not able to articulate how much risk do we have from a cyber event because that actually dictates how much you spend on reducing the risk, like you can't be spending $100 to reduce a risk of $100. And so that's where CISOs really are struggling. And so if you look at the evolution of when in the past, you used to have a NOC, where you monitored every event happening in IT infrastructure, people would hire a couple of people to look at some security events, which started to morph into a SOC. SOCs are really about detecting a breach after the [ effects ]. Somebody is in my network, can I have a [ breach ] detection? But as risk factors have also increased in the last few years because people are deploying more software and more solutions, you have [ code ] scanning tools, you have cloud security tools, you have endpoint security tools; the need for -- and given that we're never going to be able to fix everything that we're finding, the need for operationalizing risk management from a cyber perspective has been increasing. And so that's where we introduced the notion of a Risk Operations Center, the idea that you can collect all of your assets, all of your risk factors into one platform from your existing solutions, don't necessarily have to go replace your solutions, but then analyze those with threat intelligence and business context. Just because you have something exploitable may not mean it's important to fix for your business and then ultimately get that fixed. And that's essentially a Risk Operations Center. So we announced our Enterprise TruRisk Management platform. 
And I think what is differentiated with anything out in the market, either you have tools that are aggregating findings or tools that are doing risk quantification or tools that are doing remediation. With the ETM platform, we're bringing all of those together, which really helps us have a different conversation of not going and replacing an existing solution that they might have for cybersecurity, but saying, "Hey, with this platform, we can take the data from your existing solutions and tell you a picture of your risk, quantify that and then see what is the probability and give you a report that you can take to the Board." And that's really what everybody is looking for right now.

Roger Boyd

analyst
#7

Got it. Okay. So in addition to Risk Operations Center, you announced a couple of other new products with TruRisk Eliminate and TotalAI family. Just how do you expect to monetize that? And I guess, more broadly, how do you think about platform monetization? Do you feel more confident about that as we get into next year? And just any sense of the ASP uplift or upsell that you think is possible?

Sumedh Thakar

executive
#8

Yes. I think if you look at TruRisk Eliminate, it's expansion on the how successful we feel Patch Management has been in a remediation perspective. So today, I would say that Patch Management is important, but it's not enough now. So while we wait for competition to catch up on adding Patch Management, now we're going beyond Patch Management. We are adding ability to mitigate vulnerabilities without deploying a patch. That's the next level, right? So -- or sometimes you just want to isolate a device because you can't fix it. So the focus, again, goes back to no ROI if you don't get things fixed. And so we're aligning our capabilities on the platform more towards what customers are looking for. Can I get things fixed? So that's really where TruRisk Eliminate will allow our Patch Management customers to then upsell to additional capabilities that allow them to address zero day where there is no patch. It's also going to help customers who are currently not -- who don't want to go for the fight with IT team for a patching solution, can now look at applying a mitigation instead of Patch Management. So it gives us opportunities there. I think as AI is continuing to be top of mind, this year, a lot of companies spent on experimenting with AI. I think a bunch of projects succeeded, a bunch didn't succeed. But next year is when a lot of people are going to try to put some of their AI LLMs into production, and they're coming to the security operations team saying, "Hey, can you certify this?" And the SecOps team has no idea what to do. And so for this -- but I also the bigger question is if you have a limited budget in cyber, should you spend all your money on AI security? Well, it depends on how much risk you have. So what we came up with TotalAI is essentially what I call as a point-and-shoot AI scanner. Give an LLM, we'll scan it, and we'll give you a green or a red. And that's like the basic assessment that you can do right now. 
And then from thereon, as AI deployments evolve and the threats against AI evolve, we will continue to provide those capabilities. And so customers today who have some Qualys solutions, have multiple ways that they expand, whether it's cloud security, whether it's AI, whether it's Eliminate with Patch Management. And with the ETM platform, we can also now look forward to going into customers that don't have a Qualys solution, but leverage their existing solutions to give them a view that they can take to the Board, which is very interesting to them. And then that allows us over a period of time to replace maybe a solution that they're integrating into ETM with an existing Qualys module. But we will always be bringing in data from other solutions where we don't have a solution on the platform. So I think this platform approach is going to be adjacency consolidation in certain areas and bringing data from other tools in certain areas. But I think this notion that there is one single platform that will be the only security platform you will ever need from a single vendor, most customers won't really subscribe to that.

Roger Boyd

analyst
#9

Yes. Fair enough. Okay. I want to talk about just execution. And I think after a relatively weaker 2Q, you jumped into the CPO role. And 3Q, I think, was a pretty marked improvement on execution. And I don't think you'll accept full credit. But I think in some ways, maybe direct ownership of product and marketing helped drive better accountability and always talk about the platform, I think, is starting to make a little more sense. Can you just talk about kind of low-hanging fruit around execution that you think has been better over the last couple of months?

Sumedh Thakar

executive
#10

Yes. I think if you look at the last couple of years, we've really been -- we hired our first CRO. We never had a CRO. So we are really in this transformation that we're looking to do with our execution. And if you look at our focus on new business, we were happy. The last 5 quarters in a row, we had double-digit growth because of some of the execution improvements that we made in focusing on demand, et cetera. I think, in the same period, our net retention rate came down, which is existing customers buying more solutions. And that's where I really felt like there was an opportunity for us to execute more tightly between product management, marketing and sales. And so as I took over the role, we really came up with this idea of a [ ROC ], which really simplifies the concept of what Qualys does. The idea has resonated really well with CISOs when I talked to them, the [ ROC ] makes sense to them. So being able to simplify our GTM and then work closely with the marketing team as well as the product management and then the CRO team, actually, that's really helped us come out with a really good messaging at our user conference in October and helped us really -- because I feel like existing customers need to know better capabilities that we have, so that when they're looking at cloud security, they're looking at Eliminate, AI. They can actually look at Qualys as the first option to say, do they have a solution? Many times, if our partners don't know, we have those capabilities, if our customers don't know we have those capabilities, and the CPO organization has to execute not just developing the products, but also making sure that we have the right marketing messages; that then are distributed correctly through our marketing engine. So those are some of the short-term immediate improvements. 
But also, as we move forward, I think just bringing the simplified messaging of the platform together where it's not about 20 different solutions, but it's about a real single score that you can take, I think that's the execution opportunity that I see. And that's what I'm going to focus on as well, moving forward.

Roger Boyd

analyst
#11

Got it. Okay. Joo Mi, maybe from a numbers perspective, the [ 14% ] billing CCP growth last quarter, I think, was well above most expectations. And you've talked a little bit about kind of the nuance of billings timings. But absent all that, I think generally to all -- is talking about just a better execution quarter. How much would you subscribe to that versus potential better selling environment? And how are you thinking about kind of 4Q where the comps are a little bit more difficult?

Joo Mi Kim

executive
#12

Yes. I would attribute most of that to our own internal and a macro improvement. I think that Q3 was a surprise to us. With the focused execution, we were very pleased to see that the net dollar expansion stabilized and ticked back up to 103%. There are a couple of consecutive quarters of decline, which proved to us that we really have the ability, we do have the product set that with the better positioning and being able to go out there to the market to existing customers to really show them where the value proposition is, we will be able to deliver a great upsell quarter. And looking into Q4, what we are hoping to see is underlying the guidance is assuming no material change in net dollar expansion rate, but we've kind of hit that trough this year. That's what we're thinking. And then looking at the pipeline going forward, we think that even though Q3 was a great quarter from both upsell as well as new bookings perspective, Q4 looks to be a little light just because it is a more difficult compare. Q4 last year was a great quarter from the billings perspective. So all in all, we're very pleased with the progress that we're able to make. And our guidance implies that our current billings will be more or less in line with the revenue growth rate of 8%.

Roger Boyd

analyst
#13

Got it. Makes sense. And then once you get past 4Q where it is maybe a little more challenging from a numbers perspective, what have you said about 2025 in terms of the trajectory of billings growth there?

Joo Mi Kim

executive
#14

Yes. I think it's a little too early for us because we are thinking through the 2025 planning with the team right now. And what we're really trying to figure out is we found that our success in channel partners has been really great for us. If you're taking a look at the revenue growth from indirect, has continued to grow by 17% in Q3. Same as Q2, the drag on our business has been the direct side. And so looking into 2025, we're trying to allocate the different budgets appropriately to make sure that we drive the top line growth. And with that, what that would imply from a unit economics perspective, the margin contraction perspective, we'll be able to share more color back later in February.

Roger Boyd

analyst
#15

Got it. Helpful. Okay. And then maybe just from an expense side, the 4Q guidance implies a fairly healthy step-up in OpEx growth. Just what are you expecting around hiring, particularly on the go-to-market organization, where you've had some changes and kind of rebuilding that? Just what are you seeing from a hiring perspective?

Joo Mi Kim

executive
#16

Yes. I think that we'll continue to hire, but probably not at the fast rate that we've seen earlier in the year just because we do see some optimization that has to take place because if you take a look at the increase in sales and marketing investments, along with the OpEx investments this year, our growth in the top line is not where we would like to see. And so right now, what we're trying to see is like we see some initiatives that hasn't generated the return that we were hoping for. And so we'll have to reposition ourselves and think through what should be set up -- what the setup should look like in 2025.

Roger Boyd

analyst
#17

Okay. In terms of just broader sales capacity as we enter 2025, is it fair to say there's more of, and you've talked about this in the past, kind of a wait-and-see approach to see how 4Q plays out before you really start change in the investment strategy there?

Joo Mi Kim

executive
#18

That's right. That's right because Q4 is typically our biggest quarter. And what we're seeing is we see the -- we saw the trough in Q2, thankfully, and Q3 was a great quarter. We'll have to wait and see how Q4 looks like. And our guidance implies that, look, it's not going to be as strong as Q3, but we believe that the healthy momentum will continue. And so afterwards, we'll be able to say what 2025 will look like later in February.

Roger Boyd

analyst
#19

Got it. Maybe for either of you, I mean you talked about net retention stabilizing, ticking back up to 103% in the quarter. I think in the past, you've talked about like the scanning -- headwind from scanning assets, number of assets coming down. Do you feel like that pressure is starting to alleviate? Or how do you think about kind of that versus potentially better upsell, better cross-sell?

Sumedh Thakar

executive
#20

I think it's a combination. We are getting better at helping customers articulate to them because customers don't want to just spend more money on scanning without getting an outcome, right? And so how do we work with customers to show them the value of Patch Management? How they can allocate the budget? Or maybe in some cases, they're scanning things that they're not able to fix, so they might want to take some of that budget and use that for some Patch Management so they can actually get value in what they are doing. So we see the opportunity there as part of our sales enablement, our salespeople talking to existing customers, how to leverage that. And then in addition to that, then during that conversation, how do they set up for not only optimizing the spend that they had with Qualys from last year, but then how can they go forward to say, "Well, what are your current AI challenges, right? How -- what is your Cloud Security Posture looking like? How do you move a part of what you're doing or augment that with that cloud security solutions?" And then as we get into 2025, really a go-to-market motion that involves having the conversation with CISOs about not about this celebrity vulnerability or whatever it is, it's about how much risk do you have? How much risk are you reducing? What is ROI? How are you communicating with the Board? So I think that is where I see opportunity because now today, our sellers have to go and say if they have a competing product, direct competition with Qualys, then it's a long POC cycle and all of that. But if they do have the ability to walk in with our enterprise risk management platform and say, "Oh, that's okay, if you have a competing solution, you keep it. 
Give me the data from your 5 different solutions, and I can give you a view that is very differentiated and you can take to the Board," that helps us with new logo -- getting new logos, but also it helps us with existing customers who can now expand into other areas and then over time, give us opportunity to replace some of those, in addition to just being able to be the layer that the CISO really wants to interact. The CISO may not necessarily want to interact with individual security solutions, but they really want to be able to do their risk conversation. So I see that with the new products that we have launched, as we get into the next couple of years and we fine-tune our marketing execution, then now that I'll jump into that. And then our partners, our CRO team executing and then the federal opportunity that we have, I'm pretty excited about the opportunity we have in front of us.

Roger Boyd

analyst
#21

Yes. Maybe another question about sales and marketing and leadership and particularly on the marketing side. The CPO role is, I think, pretty familiar for you. That's where -- I think you spent a lot of time at Qualys. How are you thinking about that position longer term? I mean is this a role that you expect to kind of to carry out? Or is there a search to look for a replacement? And how do you think about that person kind of working in conjunction with the new CRO who's been there for a little bit?

Sumedh Thakar

executive
#22

Yes. I think Qualys has always been a very product innovation-focused company, and we really always focus on how do we build great products for our customers. So I think I feel like that's a really strategic thing for us, especially now with [ ROC ] and ETM execution. So at least in the short term, I look at continuing to really be involved from pulling the product and the marketing teams together. And of course, we will be, wherever necessary, bringing in leadership focused on maybe marketing, focused on certain areas. But I think overall, sort of given that we are in a pretty good place right now, where we are focusing these couple of years on some strategic initiatives on the product platform side, that's an area that I'm going to be involved in -- continue to be involved in more.

Roger Boyd

analyst
#23

Got you. Okay. It's been a couple of quarters since then the wind down of the Microsoft OEM relationship. Can you just talk about what's still embedded in the guide in terms of headwinds? And then conversely, how do you think about the opportunity coming out of that? You talked about that being a customer base that there maybe some limited visibility to. Just how do you think about that being a potential customer base you can tap over the next couple of years?

Sumedh Thakar

executive
#24

Yes. I think we really didn't -- these customers were not known to us. And so it's really about how do we -- what we're focused on is how do we ensure that customers know that we have -- they have an option that is much better than potentially what is being offered to them embedded. So it's kind of hard to tell. Of course, we have had some direct conversations with a few customers. Sometimes we don't know that, that's kind of the relationship that they have come from. I think for us, it's continuing to focus on there may be tools that give you some scanning. But ultimately, we need to fix things. And so getting customers to sort of look at a more holistic solution around vulnerability management with Patch Management is an area that we are focused on. And again, we don't quite know exactly how -- which of those customers came over or are going to come over at the time of renewal next year when they've had 1 year to use the other solution and maybe they're looking to change. I think it's something that we will continue to focus on, but that's not really -- we haven't baked in anything from a guide perspective on that.

Joo Mi Kim

executive
#25

Yes. For 2024, it had approximately a 1% headwind impact -- negative impact on the revenue growth rate. So in Q3, it was about 1.5% for the quarterly revenue growth rate. In Q4, it's about -- it's going to be about [ 1% ]. So we're talking about -- we guided to 8% at the midpoint. It would have been 9% without it. And then next year, really immaterial.

Roger Boyd

analyst
#26

Cool. Okay. You mentioned the federal opportunity a little bit ago. I think you demonstrated some early signs of success there with some early deals over the past couple of quarters. Just what are your expectations into 2025? And where is the Fed in terms of this platform vision? And particularly as you think about VM exposure management and Patch Management, I think we've talked about the incumbents that are there and the opportunity, specifically on the Patch side. When you just talked through how you're thinking about that next year, and where you feel you're differentiated maybe around the cloud offering?

Sumedh Thakar

executive
#27

We're very excited about the federal opportunity. I mean, as you know, it does take a while to get established and build out that. And we started that last year really with hiring a good team. Our focus on doing a conference this year, first time, which was a Qualys-focused conference for federal, and we are pretty excited to see some of the wins that we're seeing, and we talk about that during some of those during earnings call. What we are seeing right now is -- and we have been FedRAMP moderate for a while with many of our solutions. And now we are really awaiting our FedRAMP High authorization, which would again be an opportunity for us to go to more agencies for them to migrate over. If you look at most of the wins that we have talked about, are really about replacing an incumbent on-prem scanning solution and an incumbent on-prem Patch Management solution with a single. So really not much different in the Fed space from a commercial space when people are looking at "I want to consolidate for an outcome." That is where really a lot of the interest is coming to say, okay, as the federal agencies are also modernizing to the cloud, the last thing they want to do is take an on-prem security solution and try to move it into the cloud, right? So that's an opportunity when they look at to say, "Well, what's out there that is cloud-based, that's FedRAMP?" And we see that that's an area that's quite exciting for us. So we look to continue investing in that space, and we continue to work on building those opportunities. Today, we -- our revenue from the federal space is really small. So the opportunity is pretty big. And I think the federal agencies are definitely having conversations about consolidating with Patch Management. Because if you look at CISA -- lot of the CISA guidelines, they're not saying, "Hey, scan for these 50 vulnerabilities." They say, "These 50 vulnerabilities need to be patched." 
And so that's helping us drive when we give them, "Hey, here's a CISA dashboard of what exactly can we patch." So we continue to look at that, and we see opportunities for us to grow over the next few years in that space. So we're really excited about investing there.

Roger Boyd

analyst
#28

Yes. I know you're coming from a smaller base that's exposed to the federal government. But any high-level thoughts on the health of federal agencies as customers into a new administration? There's been a lot of talk about kind of efficiencies that could potentially be capitalized on there, probably a good thing when you're thinking about automated remediation, automated patching. But just any high-level thoughts on that?

Sumedh Thakar

executive
#29

Yes. I think there are two areas, right? One is just financial savings because of consolidation. But also, I think there's a lot more pressure, given the speed of attacks of consolidating outcomes. So even if you were to spend a ton of money on two different solutions, if you can't get it fixed before an attacker gets it, that's where the agencies are getting dinged to say, "Well, why was this not fixed when you had so much time?" And so a lot of the interest is not just driven by the financial aspect of it, it's also like, "Well, okay, I could get this fixed in 2 days versus right now, it takes me 2 months." So I think with the new administration, et cetera, we'll see how that evolves. But I think cybersecurity is going to continue to be an area of focus for everybody, whether you're a federal or not. And so I think we'll look forward to see how that impacts the focus and spending patterns. But from a perspective of no matter what, I think the direction will be more efficiency, right? And so I think that's fair to say. So that's where our combined solution definitely brings more efficiency for them.

Roger Boyd

analyst
#30

Got it. Okay. I just want to touch on cloud quickly. I think last quarter -- in the quarters prior, you've talked about your level of success selling cloud, even against established cloud vendors. I think most investors think about the space as fairly crowded, growing quickly, but relatively crowded. I think today, you've talked about CNAPP being about 4% of trailing 12-month bookings. But how significant do you think that becomes over time? And how do you think about that competitively against the broader set, but also some of your exposure management peers?

Sumedh Thakar

executive
#31

I think cloud security cannot be looked at in a silo either because it's -- again, it's -- nobody has only cloud infrastructure, right? People have offices, they have corporate environments, they have remote desktops, laptops. So when you look at the overall security, I think the question again goes back to, "Okay, so how much risk do you?" And you can't just say, "I have 25 buckets exposed, and that's the list, right?" So I think it again goes back to customers saying, "Well, the space is crowded. There are solutions out there that I can expand with existing players like Qualys." So customers are saying, looking to say, "Can I get a holistic end-to-end view of my VMware environment, my cloud environment, my non-cloud environment, my desktops, I can do that with Qualys." The cloud security-only solutions only give you a view of the cloud issues. But again, that doesn't give them the view of an overall risk to the environment because you look at a mobile application that you're using, it is -- it has a lot of infrastructure that is -- may not be even running in the cloud. So how do you look at the overall risk to this particular application? That's where customers are coming up with questions. And so as we have created more capabilities, we recently announced our Attack Path, et cetera, for cloud. As an example, the differentiator is, okay, you can get Attack Path information from a cloud security solution only for the cloud attack path. But you can -- somebody is attacking that cloud from a laptop, which is not in the cloud, so how do you get the Attack Path fully? With Qualys, they get to see the combined view. And that's where customers are saying, "Okay, that's initially in the early days of maturity of this area of security. We went to a solution that was only cloud. But now as we have spent a couple of years working with that, we want to look at what's out there that gives me a more consolidated view." 
And that's where we see the opportunity as our capabilities have matured, and we are seeing some good wins against the cloud security-only solutions. That, again, as we -- again, we're at the early stage right now. But as we get into the next couple of years, as spending for cloud is going to be an area that people will focus on, but also not overspending, right? So people are going to say, "How can I expand my existing solution set and add a cloud to that, so I get a holistic view and I get the benefit of a better pricing? Because I'm doing a bigger infrastructure other than cloud only." That's an area that we're excited about that we see opportunities in the next couple of years.

Roger Boyd

analyst
#32

Got it. Okay. Maybe just to finish off, for Joo Mi. Qualys has been a pretty strong free cash flow generator for some time. Just would love to hear your thoughts about capital allocation priorities. I know there's a lot of debate over investing organically in the business. You've leveraged M&A at times in the past. Just how do you think about use of free cash flow from here? And maybe, Sumedh, you can just talk about kind of your M&A strategy criteria.

Joo Mi Kim

executive
#33

Yes. For us, it's been primarily used to repurchase our shares. And you're looking at 35 million back in Q2, 45 million in Q3. So there's a healthy amount that we're investing to repurchase our shares because we do feel like our valuation implies that it makes sense for us to repurchase our own shares. Aside from that, because our cash on balance sheet is over $500 million, we've been very proactive in looking at M&A targets with the valuations coming down, especially on the private side. It's a very healthy market. I do believe that there's attractive opportunities out there. So again, we've been very strategic in terms of looking at different opportunities of potential consolidation in the space and participating in that.

Roger Boyd

analyst
#34

Got it. Cool. I think that's about it. So we'll wrap it there. So thank you both for being here. Thank you all for joining. Awesome.

Sumedh Thakar

executive
#35

Thank you very much, Roger.
