Good day, everyone, and welcome to Qualys 4th Quarter 2018 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen only mode. Later, we will conduct a question and answer session and instructions for asking a question will be given at that time. I would now like to turn the call over to Natasha Assar, Investor Relations.
Please go ahead, ma'am.
Good afternoon, and welcome to Qualys' 4th quarter and full year 2018 earnings call. Joining me today to discuss our results are Philippe Courteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 ks.
Any forward looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and accompanying investor presentation with supplemental information are available on our website. With that, I'd like to turn the call over to Philippe.
Thanks, Natasha, and welcome everyone to our Q4 earnings call. Melissa and I are pleased to report another strong quarter and year in terms of revenue growth and profitability. These results underscore our position as the leading cloud based security and compliance platform that unifies IT, security and compliance in a single pane of glass view with 2 second visibility across on premise, assets and cloud and soon mobile and OT and IoT devices. With 19 cloud apps native in our platform, we believe we are well positioned to expand our wallet share within our growing user base as well as gain new customers. At our User Conference in November, we observed that our customers increasingly view Qualys as a trusted strategic partner.
As we all know, the digital transformation of businesses, fueled by an explosion of new technologies, is leaving gaping security holes in its wake. Organizations who are continuing to layer on point solutions that do not communicate with each other are seeing diminishing returns. Qualys delivers a true platform offering greater visibility, accuracy and scalability across hybrid and cloud environments, while ultimately allowing customers to reduce their overall spend. To achieve security and compliance in this new hyper connected environment and respond to an ever increasing set of regulations, we believe that organizations, in addition to deploying traditional firewalls and intrusion detection, must: Know in real time what devices and applications are connected on the network always know the security and compliance posture for every device, both known and unknown and take immediate remediation actions whenever necessary. This is precisely where traditional enterprise solutions are falling short as they were not designed to operate at such a scale and in reality, only solutions that adopt a cloud based architecture can provide the necessary scale, visibility, correlation and immediacy.
A few months ago, again, we demonstrated to our customers at our user conference the significant extensions we have made to our cloud based platform and cloud apps. In 2008, specifically, we launched several new solutions into General Availability or Beta, including Container Security, Cloud Inventory, Cloud Security Assessment, Certificate Inventory, Certificate Assessment as well as our new groundbreaking app for Global IT Asset Inventory, which we call AI and CMDB Synchronization. Our AI Cloud App, formally launched yesterday, enabled us to offer our customers a single source of truth for all IT assets within hybrid environments covering on premise assets, endpoint, clouds and soon again mobile, OT and IoT environments. We also demonstrated our Passive Network Analysis solution, now in beta, that natively integrates network analysis functions, deep packet inspection, device fingerprinting and data correlation into the Qualys Cloud Platform, delivering customers complete IT visibility at scale. This new capability will enhance our global IT Asset Management offering by adding the visibility of unknown assets to the existing capabilities.
We acquired 1 Mobility, completed in Q2, which will enable us to provide enterprise discovery, inventory, security, compliance and response on both enterprise owned as well as employee owned mobile devices, further expanding our footprint within our customer base. And we also completed the acquisition of Layered Insight, a pioneer and global leader in runtime container security, which will provide insight into container images, adaptive analysis of running containers and automated enforcement of policy. We are currently integrating Layer Insight technology into the Qualys Container Security app, which will allow to uniquely bring transparent orchestration to Container Security. We expect to complete this integration in the second half of this year. In the Q4, we continued to expand our partnerships, integrating with AWS Security App, introducing Qualys Vulnerability and Policy Compliance findings with AWS Security App.
We launched the Qualys Container Security solution on the new AWS Marketplace for containers. We also announced today an expanded relationship with IBM X Force, RED, will deploy Qualys Patch Management and Web Application Scanning into global client environments along with its existing vulnerability management deployment. This expansion enables X Force Red Vulnerability Management Services, VMS, to automate vulnerability prioritization and patching, enabling clients to simplify vulnerability remediation and fix their most critical vulnerabilities using less resources and time. Earlier in 2018, we have been expanding our capabilities in the federal market with a deeper partnership with Carahsoft to market, sell and distribute the FedRAMP authorized Qualys Gov Platform and are now working on attaining FedRAMP certification. We are broadening our relationships with key partners including Microsoft and IBM by adding integration into Microsoft Hybrid Cloud Azure Stack, releasing monitoring and assessment for the CIS Center For Internet Security Microsoft Azure Foundation Benchmark within our Cloud Security Assessment Cloud App adding an integration with XROS Red, which deploys the Qualys Cloud Agent and the Qualys Cloud App into client environments across the globe and adding integration with IBM's first open cloud platform IBM Security Connect.
We released our Qualys Community Edition, a free version of our cloud platform, to provide organizations, including SMB Consultants Service Providers with a unified view of IT, Security and Compliance as well as 2 other free services CloudView and CertView providing companies a full size instant ability to track and monitor digital certificates and cloud resources. And we launched a new comprehensive offering as well the Qualys Consulting Edition for consultants, consulting organizations and MSSP enabling them to perform multiple ongoing vulnerability assessment engagements and track these results from a single, centralized and self updating platform. So now, building upon a very successful 2008, we will continue to increase our competitive advantage by releasing new groundbreaking security and compliance applications, leveraging both our talent base as well as acquired technology. Our current plans in 2019 include: The release of new solutions such as Passive Network Discovery, Secure Access Control Certificate Management and Cloud Security Management the general availability of Patch Management announced today enabling IT and SecOps teams to quickly target critical common vulnerabilities and exposures, then deploy the patches across endpoints, on premise or cloud assets and verify remediation, all from one console. Continued acquisitions to announced our Product Suite in January, we completed the acquisition of IDEA, a small innovative Indian startup that built their solution on the AWS Lambda platform.
Adia Solutions enables security and compliance audits of SaaS applications, which is becoming critical to enterprises as they increasingly rely on cloud based software. The Adyaq cloud based solution provides companies of all sizes with the ability to consolidate administration of their Software as a Service application into one console, manage license costs across SaaS applications, set and enforce security policies in one place and report an audit on all activities with a single tool. And finally, we have invested significantly in our backend, continuing to believe what we believe to be the most robust and scalable cloud platform in our market. We have now almost 2 trillion secondurity data points indexed in our Elasticsearch clusters, providing almost instant query results and alerts. This gives us our customers 2 second visibility and as we know, visibility, accuracy and scale are the keystones of security.
To support the significant number of additional solutions we are bringing to market, we increased our sales organization in the second half of twenty eighteen by over 20% and will continue to do so over the next year. We expect to continue to outperform market growth in 2019 while producing a high level of profitability. We are optimistic about the opportunity to increase booking growth in the future because of newest solutions, which solves meaningful problems for customers and are priced similar to or at a premium to Vulnerability Management and Policy Compliance, for example, our Cloud Agent and Threat Protect, which are priced at a fraction of Vulnerability Management and Policy Compliance. Qualys continues to clearly move well beyond vulnerability management and increased its competitive advantage through the acceleration of multi product adoption. This naturally increased our stickiness, which is a key element of our profitable growth driving value for our shareholders.
With that, I will turn the call over to Melissa to discuss our financial results, guidance and metrics. Thank you.
Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Our solid Q4 financial and operational results continue to reflect the healthy demand for our scalable and robust cloud platform. This is evidenced in the following financial and operational highlights. Revenues for the Q4 of 2018 grew 18% to 74,200,000 dollars Platform adoption continued to increase as the percentage of enterprise customers with 3 or more Qualys solutions rose to 41% from 32% and the percentage of enterprise customers with 4 or more Qualus solutions increased to 21% from 15%.
New products released since 2015 contributed approximately 26% of total bookings in the quarter, up from 15%. And similar to Q3, we saw higher growth in the total number of orders from our SME and PCI customers. This positive result pulled our historical year over year average deal size increase down to 5%. However, the average deal size for our enterprise customers grew 11% year over year. Our scalable platform model continues to drive superior margins and generate significant cash flow.
Adjusted EBITDA for the Q4 of 2018 was $29,100,000 representing a 39% margin versus 38%. For comparability purposes, Q4 adjusted EBITDA margin would have been 37%, normalized for the impact of 606 and software capitalization. Q4 EPS grew 62%, including the benefit of a tax true up normalized for this Q4 EPS would have grown a healthy 44%. And we generated strong operating cash flow for the Q4 of 2018 of $29,000,000 an increase of 12%. In Q4, we continue to invest the cash we generate from operations back into Qualys, including $6,000,000 on capital expenditures, including principal payments under capital lease obligations, dollars 10,300,000 on the acquisition of Layered Insight and $38,500,000 to repurchase 521,257 of our shares.
Looking back on the year, we had a successful 2018 at Qualys as we released several new products, features and enhancements, completed 2 acquisitions and made our 1st minority investment, saw an acceleration in the number of customers spending $500,000 or more, enjoyed continued cloud agent adoption with 16,200,000 cloud agents purchased over the last 12 months, up from 6,000,000 over 150% growth. Benefited from strong performance from new products released since 2015, which at 20% of 2018 bookings, almost double the prior year, contributed to growth of our subscription revenues by 20% when you normalize for the positive impact of FX. And we achieved record EBITDA margin to 39% and grew operating cash flow 21%, normalized for the 606 benefit, software capitalization and our investment in 42Crunch. All this despite our continued investment in the business, including 37% year over year growth in headcount in 2018. Looking to 2019, we expect full year revenue in the range of $320,000,000 to $323,000,000 which represents a growth rate of 15% to 16% and Q1 revenue in the range of $74,500,000 to $75,200,000 which represents a growth rate of 15% to 16%.
We are excited about the opportunities to accelerate revenue growth with our new solutions. Many of our new solutions, for example, FIM, IOC, AI, passive scanning and Patch Management are priced similar to or at a premium to vulnerability management and policy compliance, as Phillippe mentioned. As you have seen, multiproduct adoption has increased quarter after quarter. However, these newer solutions are still early in their adoption and consistent with prior years, we are not assuming a material contribution from new solutions in our guidance. Furthermore, the large deal we referenced on our Q3 earnings call has not yet concluded.
In terms of 2019 profitability, we expect to maintain our industry leading margins, while further investing to set the stage for future revenue growth. While we achieved record profitability in 2018, we invested in the business throughout the year, particularly in building our team, driving our record 2018 headcount growth of 325 employees. This spend was back end loaded and combined with additional expenditures plan to make in 2019 across our engineering, sales and marketing, operations and administrative functions will result in our adjusted EBITDA margin in fiscal year 2019 in the range of 37% to 38% based on our current forecast. We expect capital expenditures from operations to be roughly flat with 2018 in a range of $22,000,000 to 27,000,000 dollars We're continuing to invest to support the growth of the business, but we will be benefiting from earlier investments in building out data center in U. S.
Office locations. Additionally, we expect to purchase less hardware for physical scanner subscriptions as customers increasingly subscribe to virtual scanners. As we have significantly increased our employee base in Pune, we do expect to spend an additional $4,000,000 in the second half of 2019 for the beginning of our build out of a new Qualys facility in Pune. For the Q1 of 2019, we expect capital expenditures to be in the range of $8,500,000 to $9,500,000 Even with all these infrastructure investments, we expect our 2019 year over year free cash flow growth to exceed the earnings growth currently implied by our guidance. We feel very well positioned in our markets given the unique nature of our integrated IT, security and compliance cloud platform.
Our customer count growth accelerated in 2018 and we added almost 1100 active users to our free solutions. Our new solutions provide the opportunity for us to increase average revenue per user, accelerate revenue growth and driven by our highly scalable model expand margins in the future. Our focus continues to be growing our foundation of recurring revenues and maintaining strong profitability. With that, Philippe and I would be happy to answer any of your questions.
Thank Your first question comes from Howard Smith with First Analysis. Your line is open. Your line is open.
Yes. Can you hear me?
Yes, we can.
Okay, good. Thank you. Good afternoon. And I just wanted to start in thinking about the revenue guidance for 2019 in the context of some of your longer term guidance. And 1, are you still comfortable with the 2021 projection of low 20s growth rate?
And if so, is the idea these product that are coming out and the investments you're making now and in 2019 in the headcount and sales starts to really kick in, in earnest in the following years and cause that acceleration? Or maybe you can just put it in context for us?
Yes, I'll take this, Howard. Let me start with the 2019 and then come back to the 2021. So we have a very healthy business. As I mentioned, multiproduct adoption continues to increase and new solutions contributed to 26% of our bookings. Having said that, consistent with prior years, we said that we are not assuming a material contribution from new solutions for the purposes of guidance because it's prudent given that the pace of adoption can be difficult to predict.
Now the framework for the 2021 growth rate target was that the fact that all the additional solutions when you add them up in totality come to at least $10 or 10 times out of $1 spend of VM and that framework hasn't changed. So while we're not update we don't update the model on a quarterly basis, the framework hasn't changed. And so everything that we're doing now should put us in position to achieve that.
And I will add to what Melissa said is that we have a very strong pipeline in our business. We see a lot of very good adoptions. We are very eager to bring these new services to market. But again, it takes time. So we have been relatively prudent.
And as Melissa indicated in her comments earlier, today because the Cloud Agent and the Threat Protection are only a fraction today of our vulnerability management solution and we have such a huge base, of course, it becomes a little bit harder for the services to fuel accelerated growth. And that's why essentially that combination of these two factors, the reason why we have taken a prudent approach to our revenues. Again, as we all know, being a 100 percent pure subscription based company doesn't help in the term of revenues because you need to of course, you take the revenue as you deliver them. And so this is where we are. So I think we're very bullish about the business, very happy with where we are.
We've made significant investment in our back end and you're going to see even more things in 2019, which we believe are going to add if you prefer to the very disruptive nature. And again, the passive scanning is not yet there. So, of course, we are not we are essentially competing today on our traditional market against the 2 companies which is Tenable and Rapid7, but of course we have a lot of more now to go and compete. We are doing very well with our team. Of course, the passive scanning will bring us in competition with ForeScout and others, but all of that out of a single platform and that's the really core philosophy of Qualys and that's where we put a lot of effort scaling at the scale to scale today's security at the scale that you need to is not a walk in the park.
Great. Well, I think that was a thorough response. I'll just leave it there and I'll get back in queue if I need to. Thank you.
Thank you.
Thank you. Your next question comes from Eric Stupiger with JMP Securities. Your line is open.
Hi, this is Michael Berg on for Eric Suppiger. Quick question on I'm going to dive down a little bit deeper into the guide. Can you help us walk through why it's almost 3% lower than whether the strip had it. It seems like your new products are doing getting good initial traction. You had some checks that suggested the IT Asset inventory and passive scanning are really well liked among the beta testers.
So can you just describe to us why the lower guide?
Yes. So let me remind you, we purposely do our full year guidance at the end of Q4 because Q4 has a meaningful impact on the guidance for the year. So the early expectations were not our guidance. This is our first time setting formal guidance for the year. And as I earlier mentioned, we have a very healthy business.
As I said, the key metrics that we look at like multi product adoption and the contribution of new products into bookings have been doing very well. As Philippe mentioned, those earlier new products like Cloud Agent Threat Protection are only priced at a fraction of what I'll call the older products, Policy Compliance and Vulnerability Management. The newer solutions that are coming out are priced at a similar to our premium to policy compliance and vulnerability management. Thus the opportunity to accelerate revenue growth in the future. But for the purpose of revenue guidance, we're not assuming a material contribution from these new solutions because it's difficult to predict what the uptake what the pace of the adoption will be.
So if I'm hearing you correctly, it sounds like accelerating revenue growth is still the plan for 2020 2021. It's just the 2019 numbers, you're gauging that based on what happened in the Q4. Is that my understanding?
Let me clarify a couple of things. So first of all, we've never given guidance for 2019 or 2020 before today. So if you look back at our both of our June presentation as well as the one we had at QSC, the long term target that we provided was for a growth rate in 2021 because it would have been frankly overly precise for us at that point in time to be able to give guidance for all the years up until then. And as Philippe mentioned, we always act what we think is in the prudent most prudent way. So with regards to guidance for this year, Q4 obviously had an impact as well as other quarters and we have this large base of customers and revenues and so in order to continue the growth rates at the levels, for example, that we achieved in 2018, we will need additional contribution from new solutions.
Yes. And to answer your question directly here is that yes, we do anticipate of course that these new services which carries a much bigger dollar value than the VM which will be adopted by customers and in fact will contribute to accelerate growth in the future.
Okay. Okay. That helps answer my question. Thank you.
Thank you. Your next question comes from Daniel Ives with Wedbush Securities. Your line is open.
Yes, thanks. So first question in regards to large deals, obviously, the one from Q3 hasn't closed yet, which you talked about, I appreciate that. In terms of embedded into 2019 guidance, have you factored in any of larger deals of those sizes and specifically that Q3 deal to close in 2019?
Thanks, Dan. Yes, we don't bake those type of out size opportunities into our guidance because again, we believe that we should be prudent with our guidance. So, it's something that would deals that would close of those sizes would be additive to what we've assumed.
Yes. And I could be a little bit specific about that one deal. In fact, that one deal, this is a customer which is essentially migrating a lot of his infrastructure at the time where we're about to get the order into a cloud into the totally cloud based environment and for us to essentially complete that deal we will have to port our solution to that specific cloud that they have selected, which is something in the making, but of course that we don't have done yet and until that happens, obviously it cannot materialize.
Okay, great. And in terms of leverage because obviously with the margin guidance next year real strong. In terms of the model, I know you're not giving longer term guidance, but is there just a lot more leverage even left in the model just as you just continue to execute on sort of strategy? Or maybe you could talk about that because obviously margin is strong for next year. And I guess just some thoughts maybe going ahead.
Thanks.
Yes. No, thanks Dan. We're proud of our industry leading margins and are delighted with what we achieved in the past year. We did in conjunction with the 2020 outlook, we did provide an outlook on margins. And so the margins for 2021 was we provided EBITDA adjusted EBITDA margin range of 40% to 42%.
I think big picture, this is a very scalable model. And as you saw in 2018, the more we drive the revenue growth to be higher, the more we actually expand margins.
Yes, absolutely. And just to add to what Melissa said, effectively we have a lot of leverage in our model and we really build a highly leveraged model and in fact you can see that because we did increase our sales force significantly on the second half of last year by about 20% as you mentioned. I want to continue expanding our sales force because of all these new services that we have. In fact, with our market strategy, I will add is as 2 prongs. 1, you're going to see us launching a lot of what we call mini campaigns, which are campaigns whereby we invite people to try specific solution with now 19 solutions and more to come and then we are going to have a top end work and we are preparing a top down approach which is essentially going to the CIO etcetera explain to them the value of the Qualys platform.
So, this is absolutely in the making and despite all of that and in fact you could see that the model still generates significant profitability and that's the leverage inherent to the model because we adopted absolutely a cloud that we are really the model has a lot of components on the leverage. Of course, our Indian operation is a huge leverage as well. We have today about 700 people now in Pune. I had just visited Pune last year. There's a ton of talent in our operation there and that give us a significant leverage plus also the relationship with all the Indian resources and additional partners.
So I think we're extremely well positioned.
Thank you.
Thank you. Your next question comes from Melissa Franchi with Morgan Stanley. Your line is open.
Great. Thank you for taking my question. So I just want to circle back to sort of the same idea of previous questions and thinking about the acceleration or potential acceleration in the future. So, multiproduct adoption continues to proceed nicely and new products are contributing to bookings fairly well, but billings growth did slow this quarter. And so I'm just wondering if you could maybe talk about what's happening in the core VM business?
And as you're thinking about the acceleration over the next few years, what do you need to assume about the health and pricing dynamics of core vulnerability management?
Hey, Melissa, it's Melissa. I'm going to try and take those one at a time. So first of all, let me handle your billings question. So as I mentioned, we have a very healthy business. And as we previously discussed though, we often in collaboration with our customers move deals from the end of a quarter to the beginning of the following quarter to lessen the procurement pain on both ends as we did in Q4.
The impact to us is a day or 2 of revenue and this is baked into our annual revenue guidance. So I think the bigger question that you're trying to answer is, well, how do we think about the growth prospects? And the way I think about that based on the conversations with investors is, well, you would evaluate our revenue guidance, which we said doesn't assume a material contribution from new solutions. And then assess what you think the uptake of these new solutions would be, as I said, which are not baked into our revenue guidance. With regard to the health of the core vulnerability management, so I would say a couple of things.
It still continues to remain healthy. As we've talked about previously, we don't incent our sales force by product, so we don't manage the business on a product basis. Our sales force is centered on total dollars and that way they're working with the customers to be able to provide the customers exactly what they need and they're pushing specific products that they're not going to use, deploy and then turn off. And so, we do assume that vulnerability management remains healthy, but it's not I would say there's a number of different scenarios on a product basis that could accomplish the long term target in 2021.
Yes. And I will add to what Melissa said. If you look at the vulnerability management, so in our larger customers today, as we mentioned, gross retention rate of customers which have more than 4 solution, we have attained 99%, which is absolutely strong. So today, if you look at the VM specifically, we are competing much more continuing competing at the mid market rather than at the large enterprise. In fact, we have tendency to continue expanding significantly.
So, for us, we believe that today albeit we have 2 competitors in that marketplace. 1 of obviously, it's one is Tenable and the other one is Rapid7. So, what we see specifically Rapid7 essentially more providing with Doctor inside, they are more attacking the marketplace of the low end of Splunk and that's where they find their growth and they have done a pretty good job at packaging their solution around Doctor inside. But still they don't scale that we see that every time they try to capture one of our large customers, which we can if I look today at the larger at the enterprise customers that we could that we lose you can count them in one hand and they typically are those company who have not deployed more than 2 solutions. As far as Tenable is concerned, Tenable is extremely aggressive in price today.
So, they try to steal the business, but yet they are still much more into that mid market where we compete. So, what we believe in terms of so, we don't compete really on price because what happens because scalability wins at the end of the day and when we lose on price, we typically recover these customers 1 or 2 years later. So what we believe is as we deliver more and more solution, of course, we are outgunning if you prefer the competition and it's going to become harder and harder and harder to compete with Qualys as we deliver all these new services. So once suddenly you have the asset inventory that you can do, the Patch Management that you can do, the passive scanning also all of that integrated into a single platform, we really believe that's going to be harder and harder to compete with Qualys. And that's what makes us very good, very confident in addition to a very significant pipeline that we have today that we have built.
Again, all of that needs to be translated into revenues, which again this is where we are a little bit at a disadvantage because we have $0 of perpetual license.
Got it. That's helpful. Talking about the sales force and you've made some acceleration in hiring for the sales force in the second half of the year. How do you feel about the capabilities of those individuals in terms of selling the broader suite? I know a number of products are not yet on the market, but are they fully ramped in selling the broader portfolio?
Or is there still work to do in terms of selling
the suite?
So, I will answer that they are fully ramped to sell the new all these new services. First of all, and the reason I would substantiate why. If you recall, we have in fact structure of sales force between the hunters and the farmers. The hunters, they are all technical and we hire them from our customers. So, they already have the understanding of what it takes to deploy enterprise solutions etcetera.
Of course, they can pick up pretty quickly new solutions. Of course, we have returned them etcetera, but also backed by SMEs, subject matter experts. And we have done one change today with our post sales, if you prefer, our farmers, which reflects by the way the fact that Qualys is becoming extremely strategic for a lot of companies. We have now divided them into what we call the MASA. The MASA which is the major account solution architects and of course the regular technical account managers.
We did that so we could have now the best of our times have now been promoted to essentially handle less number of accounts, much bigger ones. So, they have about typically about 10 accounts. That has been already implemented, which of course allows us to grow with some banks which we can see we could triple, quadruple the revenues that we do. And so as an example, so that's what we have done for the post sales. And that is pretty much done essentially globally in countries where we have enough of these very large customers, which not of course every country, but essentially Europe and the U.
S. And not yet in Asia, but that will come. Now, on the new business side, we are expanding in fact now more that's where we make the investment, our new business sales force, which now we're hiring typically from consulting organization. Again, technical people, but then which have now the we know how to sell to the C suite, which is obviously what is going to be the new, if you prefer impetus of Qualys since now we have all these solutions together built into one single solution. So that's essentially what we have done in the go to market.
And again, all that if you prefer supported by what I mentioned earlier, which is that flurry of you're going to see these mini campaigns going after, okay, try our VM service try our file integrity monitoring solution, etcetera. We have about 20 of those campaigns on the way which are going to essentially allows us to go bottom up. And then we're now preparing a big campaign starting at RSA with setting top down. And that's essentially what we have organized and all the investment has already been made essentially.
Very helpful. Thank you very
much. Thank you. Your next question comes from Alex Henderson with Needham. Your line is open.
Yes. Hi. I just want to hit a couple of quick ones. First off, did you give a geo split, any sense of what the growth rates are in geos? I don't think that was offered up.
And then second, along the same lines, the acquisition, any sense of the size of that in terms of either revenues or costs that we need to build into the model would be helpful? And I've got a follow-up, please.
What was it? I'm not so sure that I understood the second question.
The size of
Adia. The size of Adia. This is a small company. What is interesting, this is a fascinating company by the way. It's a very small company.
Really not looking
for a description of the company. I just need the revenue and costs associated with it.
It's not material. It's really like an acqui hire, Alex.
Yes, correct. Correct. What is interesting with them is that they have done everything based on the AWS Lambda, which is service less architecture. So you realize it's extremely cost effective for them to deploy to develop that application because they only have to upload their code into the AWS platform. So to and to answer your previous question today, if we look at the dynamic, as you know, U.
S. Has always been the bigger market and then followed by Europe and then by Asia. We are starting to see India, by the way, as a very significant market for us as we're picking up a lot of steam there. But globally speaking, we see today the growth rate in Europe being now today a little bit higher than in the U. S.
And the reason is because of course the U. S. Has already deployed all these that move much more than Europe, the threat protect and all of these services which are only carrying a fraction of the cost. However, as we develop these new services, we believe it's going to revert back, the U. S.
Being growing much faster than Europe because again that's so much that we can sell to our existing huge large base of large companies and therefore, we're going to see that change. So, that's the dynamic that we have. Does that is that clear?
Yes, but I really was when I was asking, just looking for this the mechanical splits.
For
us, I mean, do you have the what portion was in U. S, what portion was in Europe?
It's about typically 70% in the U. S, 25%, 25% in Europe and 5% in Asia Pac.
Right. Was it the same as normal or was there any change?
Yes. That has significantly changed.
Okay. And then looking at the guide for the 2019 period, can you give us some sense of what you're thinking in terms of impacts from FX, economic activity, any of the sort of exogenous variables? Are you taking into account a slower condition as a result of recent geo slowdowns? Or any change in conditions that you're seeing as a result of those broader environmental issues?
Yes. So we believe today that the impact from FX is immaterial, but we know that things could change. So it would obviously depend on how rates move. We do believe that the market for our products is still very healthy.
Yes, absolutely. And on the geo side, I don't we don't see much change today. The dynamic that we see, for example, today in Europe, thanks to our global IT asset inventory, you are becoming very strategic for large European companies, especially because they have GDPR. One of the things they've got to do is their global IT asset inventory. So that's a product that we see is going to take traction, because again the platform aspect that we have, we're helping them save money.
So, we don't see any geopolitical impact with the exception I think India we're extremely well positioned to see of course to really becoming an interesting market for us. But again, it's just not the beginning here.
One last question and then
I'll cede the floor. What rate of hiring and sales do you expect in 2019 and built into your model? Thanks. And then I'll cede the floor.
So we have increased by 20% last year on sales force. Of course, we don't need to increase as much. And the reason is because I don't have the exact number, but it's certainly not going to be 20%, I can tell you. The reason is because on our farmers, it's totally predictable. This is absolutely of course and we that's part of the power of the model is that if I double the revenues on the existing customers, I don't need to double the size of our technical account managers.
It's more on the new business side. So, I would say today that it's less much it's quite less than 20%. We make the effort at the end of the second half and I think we're going to continue expanding more on the new business side. And on the farmers, it depends on the growth of the new business essentially.
Yes. And I would just add to that. As we had mentioned that a lot of the sales a lot of these ads have come in the second half. So we're going to see from an expense perspective, it obviously hit the full year in 2019. So from a modeling perspective, you're going to see the areas, I think, of highest investment for us on a year over year basis be R and D and sales and marketing.
Thank you. Your next question comes from Sterling Auty with JPMorgan. Your line is open.
Yes. Hi, guys. So I'm bouncing between calls. So I'm still a little confused about the guidance for 2019 revenue and the slowdown. I caught the not including the new products given, I want to make sure you get confidence and I think I caught the 1 or 2 days maybe difference in terms of revenue recognition.
But what else explains the it's a pretty material slowdown from the rate that you have been seeing. Is it competitive? Is it something that you're seeing in the customers? I'm still not clear.
No, it's essentially the fact that we're prudent because today you have to realize that what was fueling our growth is essentially the Cloud Agent which is doing very well, the threat protects all these new services and they are a fraction of the cost of for $1 of VM, we got $0.20 of those products. So, because we have such a huge base today growing that base of course will require if you prefer bigger guns. And so today this is exactly what these new services that we have now today which carry far more than for a $1 VM, we have these new services are multiple of $1 VM. So, they will grind. We see today, for example, one of the services which was like the FIM specifically, it now starting to grind because we have the full product, the APIs and so forth, but we are just at the beginning.
So, we have been prudent and we don't want to ever extend ourselves and that's the fundamental reason here. So, we hope that we are going to do significantly better quite frankly, but we didn't want to And yet what is remarkable, I would add is that we can maintain our profitability and while continuing investing. And that's not the case of many. So we try to balance that. I think we've been doing that and that's today we say, I wish we could continue populating the world with agents and with Threat Protect, etcetera.
But of course, we have such a large user base, specifically in the U. S, which have adapted that pretty well, which by the way again remember these agents generate additional services and all of that the small ruts build big rivers, but it takes some time. So, well prudent.
So basically, you're saying the core VM growth has been constant or steady over the last couple of years. You had a not a surge, but you had an uplift from adoption of Cloud Agent. But now that you've gotten to a certain level of penetration, that growth will now kind of more normalized and now it's just the timing as you wait for the new products to kick in to reaccelerate that?
Yes, that's exactly it. Now we could be surprised presently because these new products are very good by the way. We know that. So I'm not questioning at all the adoption of this new product, it's more a question of timing here.
Yes, I guess, Sterling, what may help you is to give you the breakdown from revenue perspective, our VM grew 20% in the past year and the so called non VM categories grew 23%. So, you see VM has been fairly good.
Yes, because of course fueled by the component of the Cloud Agent for VM and Threat Protection, that's exactly the point.
Thank you. Your next question comes from Rob Owens with KeyBanc Capital Markets.
So if you look at the slowings to follow on, I guess, is it the VM then that slows relative to 2019? And with the 20% hiring throughout the year or in the back half, how do you think about sales force productivity? And at what point do those guys get fully ramped?
So what we have today, again, we need to distinguish between the farmers and the hunters. The farmers are extremely good productivity. Of course, we make an investment, but all that as we add this certain new services. So I would say that we certainly will maintain, if not increase the productivity on our farmers. It's on the new business side that today of course it takes a bit longer and also we have tendency naturally to instead of pushing these to make them bigger and bigger and bigger, we try to we prefer to land the customer young, if you prefer and then grow that customer.
That has been our model since the very beginning because of course it's significantly more profitable than trying to go and give big discounts at the end of the quarter and all these things that enterprise software is pretty good at. And like our competitors that we name, not name of them, but we absolutely dump their price. So that's never has been quality. So we try to do, okay, let's start small and then let's grow the customer. That has been our philosophy.
As a result of that, the ramping of that sales force of that new business sales force is much slower.
Okay, great. Thank you.
Thank you. Your next question comes from Matt Hedberg with RBC Capital Markets. Your line is open.
Yes, thanks guys. I guess following up on Sterling and Rob's question, the VM market seems to remain healthy. I mean, I think 20% growth is pretty good relative to historical trends. I know it's hard to generalize, Philippe, but I guess excluding Cloud Agent, do you have a sense for how penetrated your customer base is in terms of being scanned? In other words, like how much dark space is there in networks within your customer base?
I would say today there is not that much. If you look at the large companies, in fact that's the reason why Qualys is so strong in that marketplace on the large enterprise that's what our competition despite their pricing tactic and everything they can say, they really don't take that market away from us is because of scale. And I would say that today there's still some more growth, but it's for us it's more at the endpoint. On the service side, I think the large companies are pretty now looking continuously. And on the endpoint, of course, we have now more opportunities because of the asset inventory is going to put our agent on the endpoint.
And of course, now suddenly you do more VM and on and on. So for us the green space or the whatever
Dark space.
Dark space is on the endpoint, which is quite significant. So that's where we see the future growth. And of course, IOC, all these new solutions that all requires an agent, the Patch Management is going to really propel. Once now you suddenly do Patch Management on the endpoint, what about doing vulnerability management? What about doing compliance?
When in the past, people were saying, okay, I'm not going to do it or I've got another agent, I've got so many agents. Now today they've got a compelling reason to go. So that's what we see on the high end of the marketplace. On the mid market, what mid market is small market, the new space is the cloud, which we are extremely well positioned. More and more the SME and SMB are moving to the cloud.
And therefore, it's now a kind of a different market. And that's where we compete really essentially with Tenable and the Rapid7 is in that mid market, which is also moving into cloud and there we believe we have a unique advantage because of our agent can natively be as they are today integrated with Azure where they are about to fully be integrated the same way with AWS as well as with Google and soon with IBM as well. And at some point in time also Alibaba. So, I think we're native in the cloud and that will give us an advantage. But currently today that's where we fight if you prefer.
Great. Thanks a lot.
Thank you. Your next question comes from Gur Talpaz with Stifel. Your line is open.
Hi. This is actually Chris Speros on for Gur. Thanks for squeezing us in here. For Philippe, can you speak to the demand that you saw in Q4 for the recently launched container security and asset inventory products as well as the feedback you've received from customers in the passive scanning beta?
Absolutely. So, Container Security, this is definitively the new game in town. It's still early in the market. Customer are adopting Container Security. So are we by the way.
We have containerized now almost everything that Qualys does. This is really the future. It totally changed a lot of the IT dynamics and of course, so but it's still early. So today everybody likes our vulnerability assessment solution that we have for containers. It's very straightforward.
We have quite a very good use cases from customers. Now we're integrating with that acquisition with Layer Insight, which will happen most likely because it looks quite of complexity more in the Q2, end of Q2 timeframe, second half maybe Q3, which then will have the full solution for Container Security because not only you can do the assessment, but also you do the run time and then you can of course control and push your policies. But that's the new big game. No question, I think we're extremely well positioned. But in terms of revenues, this is still relatively early.
As far as the passive scanning is concerned, I'm very impatient to get that being delivered. It's today, it's we have a fantastic solution. We are better as you know, I would expect because there is a lot of complexity with the technically that you need to absolutely to make it easily deployable etcetera. I think we will be in Q2 GA and that component has a lot of this is the competitor except that it's going to be totally integrated with the Qualys platform. So you have at the same time agent less all that into the single platform, the full view of your global IT asset inventory.
Now you can do network traffic. It's also well embarking to another major development which we're going to speak a little bit later in the year. It also gives so much information and now what is fascinating is when you combine agentless which is the scanning, agent plus the passive scanning, you're dealing now with the volume of data that there is not a single company today who can do that. And that's essentially what we're now working on our back end is to bring all that data into a single place where you can analyze, correlate, etcetera, etcetera. So that's the new game.
So passive scanning is very strategic for us. And I think we're doing a good we are taking our time because you need to build that at scale. And that's what the big challenge is. I was mentioning already have indexed 2,000,000,000,000 data points on our Elasticsearch clusters. Believe it or not, Elasticsearch is becoming too slow.
So that's the new frontier. So we're really moving into the new frontier as well. So and later this year, we will talk about that.
Awesome. Thanks guys.
Thank you. Your next question comes from Josh Tilton with Berenberg. Your line is
open. Hi, thanks for taking my question. Just one more on the guidance. If the new products being released grow at a similar rate of the older non VM products, should we expect upside to the guidance as because they're priced higher? And then maybe just what level of contribution to revenues are you hoping from these new products that have yet to be released?
Yes. So as I mentioned, since the guidance doesn't assume any material contribution from these new solutions. Should that happen? Yes, that would be additional contribution to our revenue guidance. I'm not sure I understood the second part of your question.
Do you guys have an anticipated contribution to total revenues from the new products that are yet to be released?
We really don't manage our business on a product basis. We really, as Philippe mentioned, we have Hunter and Farmer sales force. And so our sales force is focused on our what we call that farmers are focused on renewals and upsells, and those are all done on a dollar basis. And that's because we don't want our sales force pushing product and customer that they're not going to use and that they're going to just turn off. So we've always kept our sales force, as I mentioned, with dollar based quotas and we don't manage the business on a product basis.
Yes, but I think the question was, unless I misunderstood on these new services like the Patch Management and all that and we said that we have not really considered that as a meaningful revenues to 2019 because it's hard to predict the ramp of the adoption ramp. We are very confident that our customers will adopt it, but it takes some time because they need to find the budget, they do the proof of concept, etcetera, sometimes it's a displacement, much more than so you got all that takes time, but we're absolutely confident of the adoption of these new services.
Yes, that's helpful added color. I was trying to provide the framework of how we manage our business, which is based on contribution from new customers and then growth of existing.
And are you guys expecting similar uptake by customers relative to the older products that have been released in 2015?
Well, as we said, the actual curve is going to depend on what the pace of adoption is. And without any data points, it's hard to plot what the curve is going to be. Some may be faster, some may be slower.
Right. However, if you look at the key metrics that we disclosed that the number of customers which have adopted 2 or more solution, which now is I think 70%. And then those who are 3, which I think today it's 40%.
41%.
And or 41%. Those who have adopted 4% and more, which is 21%. And now we show the 10%, which is about 10%, correct?
5% plus with 10%.
10% plus is 10%. We can absolutely say that today, we believe that, of course, these new products all continue fueling that. So at the end of the day, we believe that 70% of our customer base are going to adopt all of our solutions. Why? It's because why you would not want to do that when they are totally native in one single platform, a single administration, self updating all of these benefits and it start to reduce significantly your cost as you instead of laying around all these different solutions that you got to integrate to manage at different teams, all of that will eliminate a lot of costs.
So we're very confident that overall, what we cannot really predict is essentially the ramp in the early days. So today, as we start to see data points today, we can see the trajectory by the way of the 3 plus which today at 40%, you could almost predict when are they going to be at 70%. But those which are the more you go into, of course, the newer ones, the harder it is to predict because we have less data point. Does that make sense?
Yes. Thank you very much.
Thank you. Your next question comes from Patrick Colville with Arete Research. Your line is open.
Thank you for taking my question. Can I ask about the Patch Management tool? Because I know that in my work speaking to CISOs, that is going to be a product that's going to be really in demand. And so I'd just like to better understand it, in terms of what is the tool, I guess, going to offer and when it's like to be released? Yes, that'd be great.
Thank you.
So, we just announced today that the Patch Management is really going to be in a few weeks. So, it's well ready to go. Now, that participant solution is relatively unique. And because it cuts across all the different environment. The Patch Adjustment tools today that you have are very specific to Windows, to Unix, to these, to that.
So, it's a nightmare for companies when they are for example to put an urgent patch, which cuts across like 1 acquire, for example, multiple environment. Today with Qualys, you are now able to essentially, first of all, Qualys will tell you exactly where all your vulnerabilities are, where do you need to patch and then you just push a button and it will be all patched. Now you could of course not do that 100% automatically, you may want to have some kind of steps in between, but that's become an operational issue for companies. So that multi patching capabilities is very unique of Qualys. So that's one big differentiator.
And then after that, the question becomes also a question of automation. The problem today is that this you have never tied very well vulnerability with Patch Management with the superseding patches and that's we resolved all of these problems. So, look at us operationalizing it. So, for example, you have solution on Patch Management like what some of the Microsoft solution like SUSE are totally free. But the problem is that you just do patching without that visibility.
So Qualys for relatively very attractive price everything automated give you this capability. So, we cannot tell you again the rate of adoption. It's too soon. However, I can tell you that we are solving a real problem here because immediacy of patching has become today very important because the more time it takes you take to eliminate your vulnerabilities, the more time you give for the bad guys to essentially damage you. And as you know today, 0 days used to be few months before an exploit could was in the wild, was published now today it's almost minutes.
It's absolutely pretty fast. So, you better be on the top of your vulnerabilities. But then you need to patch without remediation identifying your vulnerabilities, what it means. Okay? So the only so you could shut down your network, close down your network, then you don't do any business.
So that immediacy is becoming very important. So we anticipate a very good success as well as the Patch Management solution.
And can I just follow-up on that? I mean, it seems like a very or like obvious place for you to go into. And so I guess why now given that this would be a product that's
Very good question. If you look today a very good question. If you look today at the story of Patch Management, you had BigFix. BigFix was the first solution that really was providing an enterprise wide Patch Management solution multi platform, if you prefer. And then IBM bought them, the problem with BigFix is that it's enterprise software.
So, it's pretty heavy. It costs a lot. So, we took a cloud approach to Patch Management. Again, everything centrally managed, self updating. It took us we have been working at that now for about essentially 4 years.
And so, it doesn't happen in one day. And we took a lot of the technology in partnership with Avanti. So taking some of because there's a lot of complexity and to deliver that as a cloud solution like doing vulnerability management solution which is very unique to what Qualys did from the cloud, very few companies have done that. In fact, we're the only one who really does that well and at scale because we needed to have our scanners then you put your scanners inside, you need to remotely manage. It's a lot of complexity to make it that easy.
And that's same thing with Patch Management. It took us about 4 years to get that product out.
Great. Thank you so much.
Thank you. And I am showing no further questions at this time. I'd like to turn the call back over to Natasha Asar for closing remarks.
Thanks, Heather, and thank you all for attending our Q4 and full year 2018 earnings call. We are holding an event for our analysts and investors during the RSA Conference. On Wednesday, March 6, from 11 a. M. To 1 p.
M, and registration will be on our site soon. We also look forward to seeing many of you later this month at the JMP Securities Technology Conference and the Morgan Stanley TMT Conference in San Thank you.
Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program and you all may disconnect.