Qualys, Inc. (QLYS) Earnings Call Transcript & Summary

All right. We'll get going here. But thank you all for joining the UBS Tech and AI Conference Day 2. I'm Roger Boyd. I cover cybersecurity here. Pleased to have the management team from Qualys. Sumedh Thakar is President and CEO; and Joo Mi Kim over there is Chief Financial Officer. So thank you both for being here.

Thank you for having us, Roger.

Awesome. I wanted to start high level, and I felt like this debate kind of came about. It's been brun for a while, but I think it manifested last earnings. And one of your peers noted that the AI threat landscape is maybe exposing the limits of traditional reactive security. I guess what's your take on that? Is there more need? I think this fits into where you've taken the platform, but is there more need for preventative security, more fireproofing versus firefighting? And how does that align with kind of the exposure management platform you've been building out?

Yes, that's a great question. And I think we're happy to see that there is validation beyond just what we have been talking about the last couple of years. I don't think it's a zero-sum game. I think reactive security is important to detect threats that are in your environment because there's going to be different ways that they can get in. However, we see more and more focus from customers on also ensuring that the proactive security mechanism, which is essentially risk management is done properly because that does help reduce the alert fatigue that you see on the reactive side, right? If you're not doing much on preventing or protecting, you're going to see a lot more activity happening and that creates that. And so where we have seen the last few years, people focus on this idea of a SOC, which is a Security Operations Center for reactive security, once somebody is in the environment, how do you find them and how do you neutralize them? It's a bit of a different mindset, a bit of a different architecture that is needed. And that's really a great validation for what we have been talking about the last year or so, which is the idea of a ROC. So you have the SOC, which is for the reactive, but then the Proactive Risk Management today when you have risk factors coming from so many different sources, you have code scanning, cloud scanning, endpoint scanning and you also have identity, you have misconfigurations. So I think this idea that you need to take a more balanced approach towards not only having a Security Operations Center that helps you detect threats that are already in the environment, and balancing some of your spend on ensuring that you're also proactively looking at risk management. That's really been what we have been talking about. And so the idea that you have to really triage through millions and millions of risk factors to really identify the ones that matter to your business and then get those fixed, that's exactly what the Risk Operations Center does, right? Like you cannot have a whack-a-mole approach to risk management. You need an operationalized process and not just talk about the technical aspects of the risk, but how does that pertain to the business, right? Just because you have a high risk score, maybe it's a very high risk score for a business entity that makes $5 million a year versus a medium risk score for an entity that makes $500 million a year. That is a whole different perspective. And at Qualys, we have been evolving from vulnerability management where vulnerability detection, which was really the focus -- key focus for risk management many years ago, continues to be the focus for risk management, but then evolving that into the fact that at the end of the day, remediation is what matters, right? Just what I call is dashboard tourism where you have so many different dashboards of posture management, but if you don't get it fixed, it doesn't matter. We have evolved a few years ago being sort of the first one in this space to come up with this idea of patching with the same solution, resonated really well with our customers, 140 million patches deployed in the last year. And now a broader risk management focus where we are allowing customers to sort of enhance their SOC by having an adjacent ROC, which allows them to put the concept of risk in the equation of the business and then actually getting an outcome of fixing things is really resonating well with our customers. And so we're pretty excited about the future opportunity that is being created with that.

Where do you think we are in kind of the demand curve for enterprises really adopting this approach? And how do you think that kind of evolves? I know 3Q was a pretty strong quarter for you. Do you feel like we're starting to see this? And then conversely, like what else could potentially drive more mind share around this? I think we were talking last quarter about the regulatory environment, potentially some opportunity there, especially in Europe with NIST 2. What do you think continues to drive people towards this framework?

I think it's a framework that is emerging with Risk Operations Center, and we're seeing very good traction primarily because CISOs are struggling many times with communicating with the Board because the business language is not there. We talk about deal scrutiny on cyber, primarily that is coming from inability to explain in business terms how additional investment in cyber is going to lead to better outcome for risk management for the company. And so with our -- when we hired Rich Seiersen as our Chief Risk Technology Officer, and he went out and started doing board workshops -- Board reporting workshops for CISOs, we saw a huge amount of CISOs wanted to come to that, right? If we said, let's talk about the latest and greatest vulnerability, you're not going to see that kind of a traction there. So we're excited. It's early days. As we talked about, we opened up our platform. We're taking data from other scanning solutions as well. And then the remediation aspect of opening up our remediation capabilities beyond patch management into a wider, what I call as a remediation buffer where you can do multiple different ways to remediate the findings is something that we are looking forward to, over the next couple of years. I think in addition to that, we're also excited about the beta that we have done with our Q-Flex pricing, which is allowing customers to be more flexible in the way that they are able to basically use more Qualys capabilities and customers might really want to use patch, but then they struggle with procurement team sometimes. So if they have the ability to buy the Q-Flex capability and then change it as they need every quarter, that gives more flexibility for them, but also good for us because if a customer can easily try out a Qualys solution, then they are more likely to buy additional credits for that. So we're excited about that capability. And then we are also seeing that with our FedRAMP High Certification that we just got a couple of months ago, that is opening up similar conversations in the federal space because government efficiency is very important. And a lot of times what the Risk Operation Center is doing is not about what you should fix. It's also telling you what you don't need to fix right now. Yes. If your IT team can reduce the number of things that they are fixing by 10%, 15%, that's time that you're giving back to the department, time that you're giving back to the business. And so that -- all of that is underlying our new partner program, which we call as the Managed Risk Operations program, which is mROC. So similar to MDR on the reactive security side, proactive security, we see that there are going to be room for services, which our partners can provide, working with a CISO to say, "Hey, we're going to give you a Board -- a report that you can take to the Board that's going to make you look very good in front of your Board. There is a demand for that. And so these kind of are some of the key things that we are excited about in addition to, of course, we have Cloud Security seeing some good traction, et cetera. But when I look out over the next few years, I think it's federal space, the ATM conversations and the mROC traction is what is going to drive growth for us.

Cool. Makes sense. I wanted to double-click on third quarter for a second. A pretty nice quarter, double-digit billings growth and revenue growth, net retention stabilized. How would you frame that? And I guess in the context of it, what's going on in the demand environment? It felt like you've been fairly vocal about some of the headwinds you've seen over the past year around asset count. Are those starting to fade? Are budgets starting to unlock after a rocky kind of first half of the year? What's going well?

I think I'll let Jimmy talk about some of those aspects. But I mean, from my perspective, the demand environment has remained the same. I think we'll continue to see scrutiny for the deals. I feel like we have gotten better at executing in the given environment. And so every quarter is a bit different, and we saw that we did a little bit better than expected on the new business in Q3. Upsells were not as well as we would have liked to. Retention was a little bit better than what we thought. Overall, conversations were positive. I think customers are -- we see better retention because we feel like customers are actually looking at the Qualys future capabilities that they're going to bring and they want to say, like let me continue to invest in Qualys now because then I can take advantage of a lot of things that are coming out there, whether it's Agentic AI or it's the ability to confirm and fix exploits, et cetera. That's what's sort of kind of driving that Q3 sentiment. But of course, we have to see how that evolves into Q4. Is this something that we see new business, net retention rate has stabilized at 104%. We want to, of course, work towards the next few years to get that above 104%, we can -- so that we can leverage our existing customer base to upsell them to cross-sell them to ETM. Those are some of the things that we're looking at. But from a Q3 perspective, I thought we were pretty happy with the outcome for Q3, and that was kind of the mix of things that drove that.

Yes. I think that focused execution really paid off in Q3, and we were pleased to see that, especially when you were looking at new logo acquisitions, I know that the historical track record for us has been -- it's been relatively lumpy. Last year, really strong new bookings growth. I think the first half of this year, it wasn't as strong. We've seen a challenging first half. And so Q3 for it to come in better than what we had anticipated from new logo acquisition front, we were very excited about that. With that said, the majority of our growth historically has been driven by existing customers. So net dollar expansion rate at 104%, very stable. We're pleased with the performance. But what we're hoping is with the key initiatives that will slowly end up picking up next year. And like Sumedh mentioned, key initiatives for us is really focusing on ETM, enabling our sales team, making sure that our partners know the value prop, how to really pitch to the end customers and working hand-in-hand with them to really accelerate that adoption and penetration of ETM, which we do plan to disclose starting in Q1 of next year because it is a critical area for us that we're driving towards. In addition, I think some of the other areas that we're focused on right now is FedRAMP High that we had achieved. We're hoping that we'll see that kind of momentum play out at the end of next year due to the budget cycle. Other areas as Sumedh mentioned already is Q-Flex, flexible pricing model, which should help us existing customers, select customers who've been asking for it were the ones who beta tested and really great reception. I think that there are multiple different levers that could really help to drive that net dollar expansion rate upwards next year.

Yes. Cool. Just to touch on new logos. You mentioned it being kind of lumpy in the past. What have you seen, and I think this manifested in 3Q, but what have you seen from a sales efficiency standpoint, sales productivity standpoint? I know you've been working through a Chief Revenue Officer change. I think there's a semipermanent result at this point. What do you feel like you can carry forward on the sales efficiency side?

I think that right now, we do see some low-hanging fruit. It's not at a place that where we think that it's producing the productivity that we were hoping to achieve, which kind of makes sense given that the new bookings growth is not really there right now for us. And so what we're trying to do is we understand the reasons why. We have a number of newer products out there. Like even ETM when we went GA with that at the end of last year, there's other further enhancements that we introduced this year, including Agentic AI capabilities, we're also talking about the TruConfirm. And so we're making sure that our sales reps are up to speed in real time, getting the right training. And so we're -- and that we're able to give them appropriate feedback in terms of what's working well in the market and making sure that given that 50% of our business is now coming through the channel side, we also have that partner enablement team, right, really focused on making sure that are we in sync with our partners? Are they really set up to succeed with us? And I think that once everything is kind of in order and we're better prepared for that, it should result in a more kind of stable, consistent new bookings growth.

Yes. I actually wanted to go to channel next. And I think the focus there has been pretty impressive. And to your point, it's now almost 50% of revenue, growing faster than overall revenue. That's been a pretty concerted effort over the past couple of years to kind of better engage that community, see that market, do you feel like you're at that point now where they can be a value multiplier and create new business and bring in the deals? Or is there still more engagement, more education you need to do there?

I think we have been on a journey, right? When we started 2, 3 years ago with this program, we had a lot of low-hanging fruit, just having a better program for deal registration, et cetera. I think that has evolved more into partners working closely with us, then there's gift to get and all of that. I think the -- for me, the critical phase of this is really the focus on creating the mROC partner program. And that's really where the ability for our partners and for us essentially to work with our partners where mROC partners can provide -- because it sounds very good when I say that I can give you a report to the CISO that you can talk about your business to the Board, but they don't know how to get and do that. So that needs a consultative approach, and that is where our partners who are mROC certified partners can come in and they can talk to the CFO of the company. They can talk to the CIO come out with a report and say like this is how we're going to do that, right? And so with that, it's -- what it will allow our partners to do is instead of having a conversation of us versus our direct competitor and a replacement conversation, now an mROC partner who has potentially sold a competing solution can still keep their computing solution, but they can now actually bring the Qualys ETM on top of that and then additionally make revenue from services that they can offer because they're able to pull data from the competing solution into Qualys. And I think what we believe right now is that, that is what will drive additional net new logo growth, the ability for us to succeed with ETM is then a partner can provide the consultative services that are required to make the transition from MDR into ETM. So we are excited about the opportunity. So right now, it's all about doubling down, helping the mROC partners come up with their offerings and working with them to create the brochure so that they can take it to their customers, working on training their team on how to position and sell these services, et cetera. And then creating that partnership where maybe there are some direct customers that want to move to ETM that we can actually bring the mROC partner in. And in return, they will be bringing us net new additional logos. And so that's really where we're looking forward to. Like we don't have a specific mix that we're targeting right now, but we do look forward to making that mROC program successful, which we believe can help us improve our net new logo count, et cetera. That's going to be the focus for us.

Yes. I wanted to move to Q-Flex and you were talking about this earlier, but it's been kind of -- it's been beta testing for a little bit now. Can you just expand on what you've seen out of that program? And it seems like it's having a material impact on bookings. You're getting larger commitments. How do you think about that behavior kind of evolving from here? And it felt like there's maybe more confidence in kind of the bundles you had, and this is an easier way to upsell into some of the different tiers there. What's kind of the future for Q-Flex?

Yes, it is an exciting capability, really primarily driven by customers asking us for it. And I think it's a win-win situation because customers for them, a lot of times, the challenges that Qualys comes up with a new capability like Agentic or patching or mitigation, customers are excited, but they are in the middle of the year. And so now they have to wait for another 6 months to adopt the Qualys solution at the time of renewal so that they can make the budget and then they can work with procurement and stuff like that. So for them, the ability to have a pricing that allows them to shift based on the Qualys modules that they would like to use based on their priorities is great. I think it's good for us because if we can get a customer to -- who needs an AI scan to be done for a compliance reason like in the next week, they can immediately start using the Qualys' total AI capability, which allows us to have more opportunities that they will expand that what they tried into additional assets in the future, et cetera. So again, early days, we are better tested with a few customers. It's -- we talked about an example where we saw a pretty nice 50% uplift for a customer who moved to Q-Flex pricing. Not that we expect that for every customer, but we do -- we are excited about the opportunity that, that creates independently, but also combining that Q-Flex with ETM then gives the customer just a lot more flexibility in terms of being able to use capabilities like eliminate, et cetera, to actually get outcomes without having to specifically commit to quantities for a particular module, number of assets upfront. They can actually move that around as needed. So we do think that this is another lever for us as we get into next year to get some additional points of interest and growth from the customers that we have.

Got you. I wanted to talk about public sector and U.S. Fed a little bit. You mentioned it before, but the ROI-based selling motion seems like it's starting to catch on there. What have you seen there? You now have FedRAMP. What is kind of the pathway to further growth there? And maybe talk a little bit about the consolidation opportunity. I think we talked about the fact that having patch management remediation is a pretty big differentiator in that market.

Absolutely. What we saw -- and we started really concentrated focus on federal the last couple of years in investment, getting a conference out there last 2 years, getting a better team, we're investing in other areas. But I think in the last few quarters, we've talked about certain federal wins, and they were primarily wins where we were replacing an incumbent on-prem scanning solution and an incumbent on-prem patching solution with a combined FedRAMP moderate Qualys solution that was doing both of those in the same. Now that we -- a couple of months ago, we got FedRAMP High, that makes us one of the only FedRAMP High platforms that can do asset inventory, vulnerability detection and patching all in the same platform. So that has led to conversations with agencies now, which is just starting, of course, with federal, it has its own cycles. But it's starting to have these conversations where the conversation of the consolidation is going beyond just the efficiency of 2 agents with 1. It's going into saying, well, if ETM can actually help me figure out what I don't need to fix, then I have a case that I can go from a [indiscernible] perspective, federal efficiency perspective that if I can deploy a solution like this, I don't need to immediately replace my incumbent on-prem solution. It gives me a path to replacing it over the next few months or year. But I also have a story to tell that says that by implementing a solution like this on top of the existing vendor, we're actually able to reduce the number of findings that IT is fixing by a magnitude of 40%, 50% or more, and then that can directly be translated into dollars efficiency saved for the Federal Government if their IT teams can -- don't have to waste that much time in fixing things that don't really have an exploit right now and nobody is attacking them, then they can leverage that conversation. And so we're seeing a lot of good traction in those conversations where people are saying, wow, I could actually bring you on top of my existing tools. I can replace these 2 things right now and 2 things later. So we're excited about it. I think now the conversations that are starting now can potentially have impact in the next 2, 3 years. That's how federal cycles go. But the FedRAMP High conversation is certainly opening up very interesting doors for us.

Yes. I know federal fiscal 1Q has been off to kind of a rocky start, but I presume there's not a huge expectation for business in your calendar 4Q. Any thoughts about kind of that opportunity kind of expanding, developing over the next year? I know this is going to be a multiyear journey, but can that start to be a contributor this federal fiscal year?

Yes, I think nothing to call out for Q4 right now from that perspective. I think the conversations are ongoing for the 2026 and 2027 spend and the budgets that they have. I think we need some more time to see how those firm up whether some of those conversations will result in deals in September of '26? Or is it something that's going to happen more in September of '27. But I think it's an opportunity that we feel is big enough for us to continue to have that investment that we have started with FedRAMP High and getting into looking at getting more of those share of the spend that they have on the federal side by showing them more efficiency.

Cool. Okay. I want to chat about margins for a minute. I think Qualys has had this reputation of being very, very prudent on investments and certainly industry-leading margins. How do you think about that balance between growth and profitability? Obviously, it seems like there's a little momentum here in the third quarter. Any guardrails to think about as we think about the margin profile in the back -- in the 4Q and into 2026?

I think that if you take a look at our margin profile, one of the reasons that we benefited in this current year is the fact that we are going partner first, which should give us some room on the sales and marketing side. We don't necessarily have to invest as heavily given that we are leaning more towards partners for them to bring us new deals as well as working with them on existing deals as well. With that said, there's always opportunities given that there's so much upside in the business. There are multiple different growth levers that we're looking at today. We are going through the 2026 planning cycle. And as expected, there -- given that there are so many initiatives in ways that we can invest back into the business, we are making sure that we prioritize, making sure that we have initiatives set aside that we have the capacity to handle it and making sure that we can maximize the potential return as we look into 2026. We do have a lot of room, and so we should be able to finalize our planning process and then be able to share a little bit more color at the next earnings.

Got it. Okay. And then from a go-to-market standpoint, it seems like there's clearly an intention and desire to invest more in the channel over time. How do you think about kind of the direct side of that business? Is there room to expand their capacity efficiency?

I think there's always room to improve on the efficiency. And so for us, one of the reasons why we were able to maintain such high margins is regardless of what the margin profile looks like, we just posted 49% EBITDA margin. We don't put aside the fact that we do see in our own internal operations ways to increase efficiency, right, whether it's leveraging AI or making sure that our teams are enabled and trained in a way that makes sense for them to more efficiently conduct their roles and responsibilities and also putting aside the fact that we have to find the right people for the right roles, whether it's hiring from outside or internal promotions. We recently just had 2 internal promotions, which is great for the morale, great for the company. And so we're -- as we're looking to execute more efficiently going forward, we do plan to invest prudently as well as making sure that we don't miss out an opportunity to gain that operational efficiency.

Yes. Cool. As we think about kind of the growth opportunity in the next year, what are the key milestones we should be watching, the key metrics. In the past, we've been tracking Cybersecurity Asset Management and Patch Management. It feels like the platform is becoming a little more cohesive. What should we be watching to kind of understand kind of the next leg of that journey?

I think we're really focusing on ETM as our. So one of the things we talked about is starting Q1, we'll start disclosing some of the information around the adoption of ETM. We don't expect it right now to be material, but that would be something that we would be looking to continue to track. And so I think that's really where we feel like the next few years is going to be working on getting our MDR customers to not only cross-sell to ETM, but also be able to bring additional assets into Qualys, which ultimately will give us more capabilities and modules that we can sell to them.

Maybe just to close, I've been asking a lot of companies this over the week. How do you feel adoption of AI is going? And from your customer conversations, how do you think about selling security on top of AI? I think it's an interesting situation where you're selling a solution that potentially introduces friction into initiatives around just broader AI adoption. And how do you feel that conversation is different when you look at heavily regulated customers versus not and large companies versus small?

Yes. I think the AI adoption by companies is not an option, right? It's just -- it's happening anyway. I think customers really look at 2 things, right? One is what are the capabilities I need to make sure that my AI adoption is secure. And that's where with the Identity Management Solution that we just talked about recently or TotalAI, we're helping customers sort of get a quick view of like, is this safe to go out there, right? Is it -- can it be jailbroken? Can it be something where you can do injection and things like that, right? I think a lot of the customers are leveraging MCP as a way to really accelerate AI. MCP just adds another layer on top of your existing services. So you still have to worry about the security of your existing solutions, and now you have to layer on MCP. The second thing where I see a lot of opportunity and customers are excited about is the leveraging Agentic AI as part of their security operations and risk operations. So with our introduction of Agentic AI as a marketplace type capability, instead of just saying I have a chatbot, you can ask any questions, we have taken this deliberate approach of like here's agent Sarah, who's an expert in patch. Here's agent John, who's an expert in ransomware. Here's somebody who's an expert in Attack Surface Management. That is actually helping customers think of like, wow, I can actually use AI in my security operations. I can augment my team of 10 people with 3 more agents. If I were to go and get a consultant to help me with ransomware, that's going to take me a long time to find a consultant and then get them up to speed. And -- but here, I can just hire a consultant right into the platform, which is an agent to AI agent, and it's going to give me an outcome. So I think in general, there is excitement about that. I do think that part of ETM value prop will be, by the way, by adopting this, you can actually get more efficiency with your team and you can maybe potentially reduce the number of people you have to hire, which anyway is a challenge with not having enough talent in Cybersecurity right now.

Got it. Cool. Well, we'll wrap it there, but thank you both for an engaging conversation. Thank you.

Thank you very much for having us.