Pleasure. And I think today we're really in an extremely good position. It took us a long, long time to get there. And as I mentioned many times, I think part of our success is the decision that Sumedh and I made about, I don't know now, I don't count the years anymore at my age, at least 7, 8 years ago, Sumedh, when, first of all, I was going to mention it in my presentation, but I will repeat it, we had, of course, some company that wanted to acquire Qualys, some of the big ones, and we said no to them.
They were a little bit offended. And that was because we believed that, fundamentally, first of all, they didn't understand the cloud at all. They were still these enterprise software companies. And so for them, they were just trying to acquire a best-of-breed solution and combine it with their other portfolios. So we said no to them.
But then we also knew that we needed to re-architect the back end because we had done that first application. The technology also, this Internet technology, was not that mature at the time when we started back in 1999. So we knew that we needed to re-architect the back end. And the decision we made, we realized that we made 2 decisions. One was to put under Sumedh ops, DevOps, engineering, QA, customer support and product management, which a lot of people were telling us was totally crazy.
How could you do that? That's too much. And again, that means they were not understanding the cloud, because in enterprise software, you have the assembly line. And so you have to pass the baton from one silo to the next, from the engineers to the QA to this, to that. In the cloud architecture and environment, all of these pieces have to work together continuously.
So putting them under one roof was really the right organization structure. And then the really big one: we realized that we could not find the talent in California because we needed people with the domain expertise and people who knew the cloud as well. There were not enough of those that we could attract. And so we made the decision to, essentially, we tried Beijing, and we tried India and Pune, and we very quickly realized that China was not the place for us because we didn't have enough of the DNA, and you don't really want to build a security company in China for reasons that I'm sure you all know. And so we finally decided to put all our eggs in India.
And so we built, we cloned that structure in Pune in India, where today we have 650 people. There's a huge pool of talent, and it also allows us to acquire companies, and the talent is coming to us. So we don't even have to reach out to the talent. A lot of companies have looked at India as a pool of cheap labor, and I use the famous phrase of Jack Welch, who was saying, we went to India for the cost and we discovered the talent. So we went to India for the talent and we discovered the cost, in that order.
So we have built a fantastic engineering, ops and customer support muscle today, which is quite significant. And now today, with that cloud architecture that we have, the cloud has become the distribution channel. So we can bring our solutions almost instantly globally and of course support them 24/7, etcetera, with everything centrally managed, everything self-updating. In doing so, we eliminate a lot of cost. So are we powered up?
Not yet? Oh my God, come on guys. Here it is. Okay. So we need probably 15 seconds to get the Mac back up.
Okay. So now we start the formal presentation. So what I would like to do this morning, first of all, we need to go through, of course, the safe harbor, which you know by heart, I'm sure, by now. So I'll give you a few minutes if you prefer to read through it. And now with that, we can go to the agenda. Essentially, we'll have a series of presentations from Sumedh and Melissa, and then we have one of our customers, which is Experian, which is going to really give you his view, the view from the customer.
And then after that, we have an analyst from the 451 Group, who is a very experienced analyst. He was a CISO before, to give you his views of where the industry is going as well. So what I would like to do this morning is essentially tell you where we are now, where we want to go and where we're going, essentially how we see the industry changing and the role that Qualys, we believe, can play in it. But first, what I would like to do is to go back to the early beginning. And by the way, that screen doesn't work either.
So very good. Okay. So that's okay. Is it powered up? That's it.
Okay. It is coming. Very good. Okay. Thank you.
So we'd like to go to the early days. We are like Amazon, fundamentally; they started with books with the vision that they could essentially build the platform and essentially expand. We started with that, and we had pushback from the security people because at the time, they were looking at the cloud as the place where you don't want to go. Why? Because you lose control, supposedly, of your data. So the security people are supposed to keep the data safe at home.
So they didn't like that. However, what happened is that because of our architecture, the architecture of the cloud, which allows us to essentially deploy at a much bigger scale than enterprise software. This is the story of salesforce.com versus Siebel Systems. Then suddenly, large companies, which were starting to have to look at their vulnerabilities on the global scale instead of just looking at the perimeter or just looking at a few critical servers, certainly they needed to have the bigger picture. So because of that, the scalability and the accuracy that our architecture was providing us allowed us to essentially start to pick up speed.
And interestingly enough, as you all know, salesforce.com started from the small end of the market and then grew to the larger companies. We started, in fact, because of that, from the large companies. And today because of that, we've built a significant customer base of more than 70% of the Fortune 100, about 25% of the Global 2,000, essentially building that with that one vulnerability management application because of scale and accuracy. Now at the same time, as I was mentioning earlier, we could see the consolidation of that enterprise security industry, where the big guys, the Symantecs, the McAfees, were starting to acquire the best of breed. Why best of breed?
Best of breed is because security has a unique need: you absolutely have to eliminate false positives and false negatives. These are the enemies of security. You cannot call 911 if you think there's a burglar, but no, it's a bird which knocks on your window. So that's the problem of security.
So it lends itself to a very fragmented industry because security has multiple facets. And of course, the best of breed were the ones who had the fewest false positives and false negatives and were, therefore, rising to the top. So the McAfees, the Symantecs, etcetera, were on a binge to acquire them to do vendor consolidation, hoping that they could provide a much more integrated solution. The problem is that with enterprise software, you just can't do that. And we knew that.
So we knew that it would not work. That's also the other reason why, when one of these larger companies came and tried to acquire our company, we said no, no, because we knew that they didn't understand the architecture that was needed to consolidate, which is essentially what that cloud architecture is: the ability now to have very large data centers in the cloud, wherever you want, infinite computing power, infinite storage capabilities, the Internet as a means of communication. And on the other hand, you have sensors or devices. Everything is, again, remotely managed, centrally managed and self-updating. And that's what allows us to bring the computing power to essentially the world, while client server brought the computing power to the employees of a company.
And of course, the mainframe was bringing the computing power to the very large and rich companies who could afford these large mainframes. So I'm doing the computing evolution in reverse here. So that's what we did. So fundamentally, as I mentioned earlier, we embarked on our 2.0, which is re-architecting the entire back end. That was a significant, significant task.
I already told you that one part of the big success was our decision to move into India. And at the same time also, we're now expanding our solution. And we did that very carefully. Starting to look again, we didn't want to acquire companies to essentially go into an adjacent market because we needed to really finish that platform. So acquiring a company with the wrong architecture didn't make any sense. So we had the patience of saying it's going to take time.
And we also thank very much our investors, who understood that Qualys was for the long run. And we have started to develop more and more applications. And today, for those who were at our user conference yesterday, you have seen that we're embarking now on our 3rd journey, which is, of course, the platform 3.0, where fundamentally, we have now put all these pieces together, and we have shown now our global IT asset inventory as an example of the power of the platform that we have built, the ability that we have now to provide our customers with a global IT asset inventory. If you ask any CIO today of any company, do you have a good idea of the assets that you have? The answer is no.
The CMDB is not up to date. And you fundamentally cannot secure what you don't know. You also cannot manage your assets if you don't know what you have. Things have become significantly more complicated today because not only do you have on-premise, you have endpoints, but now you have cloud, and now you have containers, and now you have web applications, and now you start to have OT and IoT devices. So that's that inventory of assets, which all now connect to your network or connect via the Internet.
So the problem has become in space. And today, we have managed absolutely to provide companies with our global IT asset inventory. And you will see that as part of the demonstration of Sumedh; for those who were there yesterday, I'm going to give you a more condensed version of what we have. This is going to go GA at the end of the year, at the end of the month, for essentially the known assets, wherever you can put an agent to capture that information.
And then with the passive scanning, we'll do the unknown assets, and all that is going to be said and done by the end of the year. That is going to allow us to go directly to the CIO, and to the CIO of our existing customers, and I've already started to do that, to say, Mr. or Mrs. CIO, asking the question, what about your global IT asset inventory? And I've got the solution for you.
By the way, you already have the platform. And by the way, I can also help you consolidate a lot of your applications, save you money, etcetera. So we have now the talk, if you prefer, and the goods for the CIO, and that's one of our big thrusts. And we're continuing, and you will see that in the presentation of Sumedh, continuing to consolidate more solutions. But we are doing even more than that.
Our vision, and I ask people in the audience if they know WeChat. It's a fantastic application. So for those who don't know WeChat, WeChat is, in fact, an application that Tencent in China did, which integrates a lot of your apps. So for example, today, if you want to get an Uber, you take your phone, you click on the app, and you click and you get your car, and you know how many minutes it's going to take, etcetera. But then, sorry, then you want to go and essentially maybe go to a restaurant or find a Starbucks.
Now you have to go to Google Maps, for example. And then you want to tell a friend that you would like to meet there, so you have to use WhatsApp. And so okay, you click another app, and on and on. So today, with WeChat, you can do that absolutely seamlessly in one single app, whereby, okay, you go, etcetera. You can even have a sandwich delivered at the very moment when you arrive.
You can do everything. If you have the date, you can have flowers sent. Everything is done for you. And of course, at the center of all of that is the payment. So our vision here is very simple.
It's that at the center of everything we do is that global IT asset inventory. You look today at these SIEMs; they don't even know what they protect. So you have to know what you have, and you have to know that in real time. In other words, you need to know the status of that device at any moment, because if not, how could you secure that new, very global environment? So our vision is that we can fuse all of that.
So the question you could ask me is why in America they have not done something similar. It's very simple. It's because today, the Googles, the Ubers, they're all competing. They don't want to share their customer base. They have different back ends.
Whereas what happened in China, you had 2 payment providers, essentially, as opposed to the U.S., where you also have a very fragmented payment industry. So you've got 2 payment providers, Alibaba and Tencent. And at the center of everything is the payment.
So what they did is they created a back end where they opened up their back end so the Didis and everybody could start to integrate. So the way it's going to happen in the U.S. is that it's going to be done through acquisition, because it has to be done. So you will see Google acquiring Uber, etcetera, etcetera.
So through that, through these acquisitions, we'll finally see the consolidation, and then you will have that single app, fundamentally. So that's the very vision we have for security: that we can now provide the single pane of view and bring all this information and bring, fundamentally, the next generation of incident response system, where all the data comes at you. You are aware of the attacks. Everything comes at you. You don't have to go and fetch it.
And so that's our vision, and we're working very hard on that right now. And you will see, through the presentation of Sumedh, that vision already starting to take shape as we are bringing more and more information into that single pane of view. So again, we will show it, so this is coming. So now we'd like to discuss where the industry is going. It's very clear to us that we're about to enter, or we have entered, in fact, a consolidation phase.
And that is fundamentally driven by the fact that the cloud platforms are really becoming very disruptive. Today, the view that we have is that you look at applications like salesforce.com, for example, which, as you know, has done a fantastic job at essentially bringing the cloud to CRM and building a fantastic customer base, but also had to build the entire infrastructure in order to do that. So today, these platforms, whether it's Azure, whether it's Amazon, Google, Alibaba, IBM Cloud, today they have already built all that infrastructure at the global scale. So we are going to see some companies which are going to say, Oh, I can do that CRM application, but I don't have to build that huge platform. So they're going to focus on providing an application which is going to be as sexy as possible, significantly more cost effective.
So our vision is that we're going to see the cloud, and you can just see today the number of applications which are coming on Amazon, etcetera, is absolutely incredible, and the speed at which. So that's one factor of consolidation. So what happens is the established players, in order to continue growing, are, in fact, grabbing other companies. So we have entered into that mode where the industry is going to fundamentally collapse. And we saw that in mainframes.
Every mainframe company disappeared but one, which was IBM. And why did they survive? Because they fundamentally evolved. They changed the model of building mainframe computers to a model of being a middleware company and a service company. And the 2 architects of that transformation were Steve Mills, who essentially at the time, when I was young and beautiful like all of you, invested $1,500,000,000 in Linux, which was a 50-people company, and people said, these guys at IBM are totally crazy. No, they realized that they could use that to encapsulate all of their old, if you prefer, mainframe and emerge and create that new platform and then move into service.
And the other person who came in, that was the cultural revolution, actually eliminating most of the management to recreate a new breed of people and embark on that new journey. Then we saw the era of the minicomputers, the DEC, the Prime, the Data General. How many of them survived? 0.
Then client server came in. And now today, that revolution, and I believe that Microsoft is, in many ways, the IBM, because they've been able to absolutely, and I had a discussion with Bill Gates many years ago about that stability. You need to go into the cloud big time. And it was, it's going to take time, etcetera. But now today, Microsoft has done a remarkable job of migrating phenomenally from a company with an operating system for the endpoint to becoming a very powerful cloud platform.
So this is where we are. And of course, now today, if you look from the security angle, you don't continue onboarding and adding another application. You're used to that. Companies have 9 agents on average on their endpoints, and they have between 20 and 100 security and compliance solutions. This is absolutely unsustainable.
So it's all about now building security into the new digital transformation, as we call it. And Qualys is uniquely positioned there, again, from a technical standpoint because of our architecture, and because also of the fact that, on one hand, Google, Microsoft, Apple Computer, Oracle, they're all already using us to secure their own infrastructure, but we are now working very closely with them to really build the security in from the top. So for their users, essentially, security is built in. They don't have to worry about security.
It's already there. So that's a big change which is taking place. And I believe that Qualys is very uniquely positioned today because, on one hand, we can help our existing customers consolidate their stack, significantly reduce the cost associated with having to maintain and deploy all this plethora of security and compliance solutions, and at the same time, fundamentally give them a much better visibility, increase their security and compliance posture of the old environment, and we are now helping them migrate and build security into the cloud. And you will see in the presentation of Experian as well that we're doing that with many of our customers already. So again, this is not a story.
This is a reality. And with that, I'm really very happy to introduce our Chief Product Officer, whom some of you know already, Sumedh.
All right. Thank you very much. So I'm going to give an overview of what Philippe mentioned about Global IT Asset Inventory and the visibility that we are working on bringing, which today is not really available to most IT organizations, for different reasons, which is what I'm going to discuss. I did some of this yesterday. But to expand on what Philippe was talking about, it's the transformation in IT.
Today, we have to understand what's happening in IT to be able to understand what's happening in security, because, of course, without IT, IT security doesn't exist. So I asked the audience this question yesterday: what do they think of when they think of digital transformation? And the first thing everybody said was move to the cloud. And that's only one component of it. Most organizations are looking at a very holistic approach; the reason for doing the transformation is not just about a lift and shift, take my existing server, run it in AWS.
It's about how we are significantly changing the way we do business using digital technology, which includes everything from moving your servers into the cloud, but then creating more APIs, creating mobile applications, giving the workforce mobile devices so that they can be out in the field closer to the customers, being able to do these transactions very quickly, and then being able to communicate with them via different channels that are out there, integrating with other apps. So a lot of that is changing, and it's not just that movement to the cloud. In fact, a lot of the manufacturing industries, for example, are going through their own digital transformation because their shop floors are completely becoming industrial IoT environments, where every single machine is connected to some sort of a cloud, an IoT cloud, where they are measuring the temperature, the speed of the fan; they're measuring every little piece of telemetry information so that they can do analytics. They can see upfront if a certain machine is going to have issues based on the trends that they see in that little telemetry information. That's also digital transformation.
So it's not just about the movement into the cloud. Hybrid cloud today, no matter what everybody says, just moving servers into the cloud is not going to give the visibility that they need in terms of being able to interact with them. Which means that the architecture as of today is a hybrid architecture. So there's a mobile workforce, there's laptops that are out there everywhere. You have hybrid cloud, containerization.
And then, of course, the on-prem is still not gone. So containerization, I think, of all of them, is probably the most significant game changer here, because it is offering a very different portability to IT, which has not existed for a very long time. So you've had data centers where bare metal servers were deployed, but then the environment and the apps running on them were very tied to that particular server, so moving it somewhere else was not really possible. Cloud made it easy. But even though the concept of portability exists, not a lot of people are actually able to take their running workload in AWS and then just run it for a few hours in Azure, because these cloud providers do have a lot of their own quirks; they need their tooling, they need a lot of that work to be done around them.
So today what is happening is the hypervisor is disappearing, in a way, and a lot of the customers are also going back to bare metal and their private cloud, which is commodity hardware, a simple layer of OS on top of it, but then being able to leverage containerization, which is, in fact, what we do in our own infrastructure, our own data center. If I look at it, about 1.5 years ago, 100% of everything we ran was on VMware. Now over 60% of our infrastructure does not run on VMware. We do bare metal. We do containerization on that, and we don't leverage any of these things, because those containers can really be easily moved between the environments.
Kubernetes, which is really infrastructure as code, is changing the way things are being deployed, because you can very quickly move things around; you can decide how the infrastructure is supposed to behave and respond to the business needs. So at the end of the day, everything is being done to respond to business needs. And so the ability to say, okay, if I see this much load coming in, then I can spin up this many containers, which will need this many other containers for the back end services, can all be coded in 10 lines, and that takes care of your entire infrastructure, which used to take a team of multiple people to manage, scale and grow. And these things are moving at a very fast pace. So Kubernetes is an orchestration tool that you would deploy to manage your containers.
You look at what's happening with AWS Fargate and Azure Container Service; these are container-as-a-service orchestration already provided with the cloud providers. All you have to do is bring your container image, and then they will manage all of it. They will spin it up. They will provide you the console needed for spinning those containers up and then moving them around, which also means that these containers are becoming smaller and smaller, and they are only running very specific functionality and specific code that is needed, which is now going another step further, which is the Lambda functions, function as a service. So now you're not even bringing any component of your operating system with you.
You're just saying, here's my code, run it. So what does IT, who has been deploying and patching and doing OS work, what does that mean when all you have is a function that gets run in somebody's environment? And once it's just a function, then you can run that for a, and I talked about this yesterday, there's this concept of KubeFed, which is getting very popular, which is the ability to have orchestration across multiple platforms as well. So when you're running something as a function, or you're running something as a very lightweight container, it is significantly easier to spin it up for a few hours in Azure, because maybe they're offering you a special Christmas rate for 4 hours, and so you can save a bunch of money by doing that. The portability really exists.
So IT infrastructure, which was, here are the 500 servers, I'm going to have someone sit there and watch them, is obviously changing, and your perimeter is changing because of that. The DevOps movement is really big. It's real. We see that ourselves. Pretty much all the decisions in terms of how the infrastructure is being pushed and how it's going to work in production are being made by the development team, because everything is becoming code.
So of course, they code it. So if you want, this is how, if this happens, then this is how the infrastructure should behave. And if not, and if this condition exists, then this is how it should behave. This is code, and the developers write that, and that movement is accelerating, which means that the decision makers on the tools are changing; the buyers are changing. So the development teams are making a lot of the decisions on the data center side: what are the tools that we should use for IT, for APM monitoring, for security and all of that as well.
On-prem is not really dead. So of course, the data center footprint is shrinking. But as I mentioned, your OT environment is becoming more and more digital. So you have a lot more fulfillment centers. You have manufacturing units that are IoT connected, and those are increasing.
So in the traditional way of thinking of on-prem, as what is physically under your control, yes, that is actually increasing, it's not reducing, and it's all getting connected with each other. So we've had customers who 10 years ago had a completely segregated OT environment that barely had any network connectivity, and everything was run in there, and they would have routers or switches that did not even have the ability to have a tap on them. So that is now changing rapidly. Corporate IT is changing.
So the traditional desktops and things like that were becoming laptops, and IoT devices are being brought into the environment more and more. If you noticed, this projector, when Philippe was trying to get it working, had an IP address. So how many of these projectors does the Bellagio have, and to what network are they connected, and what are they running, and how many vulnerabilities could they possibly have? Just think of how many that could be. So these kinds of devices are significantly increasing in the traditional on-prem.
I'm not even counting the example I gave yesterday of an Internet-connected toothbrush that an employee connects to your office Wi-Fi network, that you have no idea about, and that has a vulnerability that leaks your password, right? We'll have a separate conversation on why you need an Internet-connected toothbrush, but enterprise mobility is increasing, which is not BYOD. So it's not an employee bringing their machine to check or bringing their phone to check e-mail. This is the organization, as part of their overall digital transformation. So we talked about digital transformation in the data center, digital transformation on the OT side, manufacturing; this is digital transformation at the endpoint.
So to say, your employees interacting at the bank: you walk into AT&T, you walk into Wells Fargo, the first thing they do is they greet you with a tablet. I was just talking to Melissa. I'm a Morgan Stanley customer. Every time they come to talk to me, they come with a tablet and have all my information on that. That's what they flip through.
And they show me everything about my financial information on that tablet that this person is carrying around; it goes to Starbucks, sits there, maybe gets forgotten over there, who knows. So that enterprise mobility is enterprise-owned devices. These are devices the company has bought and given to the employees to say, this is the device, I own it, but you will use it for business. So of course, just like when they started giving out laptops, they are very much incentivized to ensure that they are buying the proper licenses for all the different tools that are needed to protect those devices, versus an employee bringing their laptop to work, where the companies aren't going to pay for their antivirus license and their Word license and whatever license. But when it's your enterprise device, they will make sure that they are paying for the license for each of those tools, whether it's productivity or security.
And these are becoming indispensable to the business. So this is not an optional thing. More and more organizations are just using these devices for conducting business. And interestingly, like I mentioned, they are a direct window into the sensitive data that is being held in those back end data centers, just 4 digits away. So that device somewhere at a Starbucks is only 4 digits away, a passcode, from someone being able to get in there and access that information.
So enterprise mobility is increasing, and part of that digital transformation is a big movement into APIs, B2B, B2C, a lot more web applications, a lot more APIs, and the way customers communicate and connect to the enterprises. I was on a plane with Philippe last year, and one of the ads in the newspaper said sign up for a bank account by taking a selfie in our app. So they're saying, okay, here's an app. Just take a selfie. We'll enroll you, we'll sign you up, and then somebody may come to verify something if needed.
But that's another change that is happening, which again is another window on the back end side into all of the sensitive information. So the mobile app is communicating through the back end API to conduct a transaction; when you say I want to move data from this account to that account, that API call says post from account number to account number and the amount. And to make that call is just one password away. So how do you protect that, to ensure that if that password gets compromised, somebody couldn't be doing things that you have no idea about, because APIs are called at such a large scale. So of course, another movement, which is happening quite a bit, is also moving into software as a service.
So there is no infrastructure to manage. Qualys today, internally, IT absolutely does not deploy anything. Everything from HR systems to our payments to employee systems is all online. So we don't actually own the infrastructure. Now, we do need security around it.
We need to know that the wrong people are not accessing it, that other people who may be assigned the wrong access, or employees who are sharing some of these things from SaaS platforms much more openly than they should be. But there is no endpoint to deploy an EDR agent on, because all of that is being done outside, in somebody's environment, and of course, no applications to manage. So what does that mean for security from a current-state perspective? There is no visibility in any meaningful way, given the hybrid nature of the infrastructure and the scale and the ephemeral nature of how things are changing. So if you do have the ability with KubeFed at some point soon to just move your containers from one provider to another or on-prem or back, and your devices are traveling between multiple cities and locations and all of that, how do you even secure something that you don't know exists, or where it is?
So despite all of the movement from whatever it is to containers, the first question is, are you doing vulnerability management, configuration assessment? So the basics of security still continue to stay the same. You need to monitor the integrity of the files and your systems. Again, question mark. If I'm running a Lambda function in AWS, is that really a system that I'm monitoring, because it's just code?
So those are the trends. And of course, the SIEM solutions, which have traditionally been very focused on, I get some firewall logs and I correlate that with some endpoint logs to give some insight, are not scaling from a volume perspective as well. So again, basically, visibility to respond. It's visibility for the sake of visibility versus visibility to actually be able to do meaningful response. So you don't find out about a breach like 6 months after somebody spun something up. Simple stuff.
Just being able to have the visibility that you have a new server that got spun up in your environment, whether it's your data center, virtual or physical, to be able to go inspect that, is so valuable. And we've had a compromise such as this: Cosmos Bank had a compromise a few months ago. Somebody got into the network and created a fake gateway approval server, which then was approving fake ATM transactions to Visa. And if they just had the simple visibility that, oh, there is a server in this environment that's communicating on the network that is not part of my approved list, that could have been prevented.
So that visibility to be able to respond is really lacking for the most part today. And we ourselves are going through this with our FedRAMP certification, and there's a lot of demands on compliance and those don't change. So I was joking about that yesterday as we were all excited and we say we have cloud, we have containers, we have this, we have that. First question back is, okay, great, so show me your CIS benchmark report, show me your compliance report on all of your containers. And we're like, oh yes, we didn't really think about that.
So how do we get that, right? So those demands are also increasing from a current state of security perspective. I gave an example yesterday of a car and how infrastructure really needs to have security built in. When you go buy a car, you don't buy the car and then buy a separate seat belt, then go to another store to buy the best airbag, go to some other place to buy a car alarm, and then some other place to buy a parking sensor for security.
You expect that when you go do that, that manufacturer has already done all the work of finding the best meaningful seat belt, and it is all integrated, and you start driving and it's all taken care of, and you don't even think about whether that is even there, because you expect it to be there. That's the ideal state of where security really needs to be, which is the transparent orchestration that we have talked about: the ability to say, yes, I want to run a server, and yes, I want vulnerability management and configuration assessment and these on it, and then it should all be orchestrated in the back. So you are not deploying yourself 8 different agents, and going and deploying 8 different consoles to manage those agents, and then deploying another log solution to collect the data from all of that and give you the visibility on top of that, and another orchestration solution to actually take response actions on it. So the more you are sure that every time you spin up a container or you spin up an API or you give out a mobile device, the security is already built in and following that, that transparent orchestration is going to at least start to give you a significant amount of visibility, which really doesn't exist today, because IT throws out the stuff and then security has to figure out how to make it work, which is why it has to start in the DevOps cycle.
So it's already built in. Trying to do it after the fact is harder: let's say you don't have an agent that you put on each of the tablets that go out in the field all over the U.S. You give out the device, and then IT has to find and track down the owner, wherever they are, to try to get that agent onto their device. So the resistance and the amount of effort needed is significantly higher, versus if the gold images, whether it's a container gold image, a cloud gold image or an IT laptop gold image, already had the necessary tooling built in, so that as soon as it went out it would start giving you the visibility. That would be the ideal state. And of course, there is a need for real, meaningful security analytics, which truly doesn't exist today.
A lot of the SIEM solutions are all sort of log based, and they try to correlate activity happening at a point in time in the past, after the fact. So it's about being able to do these analytics upfront. Which is really surprising, because a lot of the new industrial IoT data centers are collecting, like I mentioned, this telemetry information about the temperature changes on each of the machines or the fan speed on each of those machines. And then they use analytics beforehand to try to see if they can detect things that may happen in their environment, or when things happen they have a clear visibility. So that paradigm exists; it just needs to be something that security starts to look at as well. So what is Qualys doing?
So first of all, do what you preach. So embracing our own digital transformation is the first thing that we looked at. So we have been putting significant effort into building, continuing to build, our platform. We have had major changes happen, like I said: containerization and moving to bare metal, leveraging Kafka, Cassandra, Elasticsearch, a significant shift from where we were, which was very Oracle database centric and Java centric; that has been changing quite a bit. So we have many products, many customers, multiple shared platforms.
We just spun up a platform in AWS recently, another shared platform, so that customers could just click and buy directly through AWS and it's provisioned on the AWS platform, which is again, as I'm talking about, having that ability to spin up security with the infrastructure in a more seamless way. And then the number of private platforms continues to increase. And these are across multiple different platforms, whether it's physical hardware, whether it's VMware based platforms or small 1U appliances or in AWS or Azure. We have private platforms in pretty much all the infrastructure that is out there. We're seeing almost a trillion security events annually that we have been processing.
The number of scans has been increasing significantly. You can see we're doing almost 3 billion Kafka messages on a daily basis. That's just to show the amount of usage that is happening on the platform as these solutions are communicating with each other. And then we are at 620+ billion data points. At the beginning of the year, we were at about 280.
So the amount of data that we are collecting and indexing is significantly increasing and very soon we will be approaching a trillion by the end of this year as well. So it's more to show that the platform work ongoing has really had a significant impact. And if you were there yesterday, you saw a lot of the demos and the speed at which customers were able to get the data out, which is that 2 second visibility that we have talked about. We're trying to get it down to one second, but that second is resisting right now. So we'll get over that.
Architecture wise, I think just to give that in a way, it's a simple architecture. My engineers will disagree with that with all the work that they have to do on it. But you have sensors collecting data, pushing it into a back end. And then there's UI and API. So that's the cloud architecture.
That's what we have built. No complicated, multiple master of master consoles and things like that, where you have to open up different things. In that sense, it's fairly straightforward. So from a strategy perspective, we just always continue to try to add more sensors. And with some of the acquisitions we have done, which I'll talk about, we just continue to add more sensors.
And then separately, the teams continue to add more and more capabilities with microservices and all of that. And then another team continues to add more and more apps that give more visibility at the top. And then we're going to add a team that kind of goes across this, which is going to look more and more at security analytics, as we talked about earlier. So the sensors, again, are really about ubiquity. It's about coverage, about addressing physical data center, virtual data center, cloud, containerization, laptops, mobile devices, passive scanning, which is going to go beta, and I demoed that as well.
Basically, nothing can escape the Qualys sensor if it is communicating on the network. And if it is not communicating on the network, honestly, we probably don't care about it. So anything that is meaningful and communicating, we are basically going to pick it up. And we continue to keep pace with a combination of agentless, agent based and passive. We continue to keep pace with looking at the infrastructure that is changing, and the Layered Insight acquisition was another way to address something like AWS Fargate, where you may not even have your own server to put anything on and run it.
We'll talk more about that as well. The platform continues to increase. A lot of people ask, hey, how come Qualys is able to do so many apps and so quickly? And it's not just a factor of the number of people we've hired in Pune as well, but it is also the architecture, the ability for us to spin up multiples. So each of these applications has its own container and well defined architecture, and then they communicate with the rest of the platform through well defined APIs.
So when we have to spin up a new UI, a new application, it's much faster, much better defined, because the base of the platform is already defined, and then these teams just come in, get their sensor connected into the back end, pick up the relevant information, start processing it and then display it. That's one of the big reasons why the architectural changes that we have done are helping us create so many products at such a fast pace. It's not just a factor of the number of engineers that we have. So we continue, as we see with Patch Management coming up and the acquisition of Layered Insight. We are making more and more headway into extending our solution into remediation and response as well, not just visibility, because it makes a lot of sense to have an integrated response: if you have to go look at your CCTV in one place and then run across 5 rooms to close the door, by that time the intruder is already in.
So if these systems are connected, they can have a better response. And if they are actually connected to the central back end, it's even better, instead of trying to collect information at different times and combining it together. So remediation and response is, of course, something that we're focusing on. Rapid expansion of the R and D org, as Philippe mentioned, we are, I think, about 15, 20. So that's a big part of it.
We're getting great talent, and this talent is helping us innovate very fast, because they are empowered and they are able to spin up new capabilities onto the platform in their own container. Another thing that we are focusing on now, and we gave a little preview of that yesterday, is the data lake. The security data lake is bringing large amounts of security related information, correlating that, and providing flexible insights for customers, so that they can see the trends and have that visibility without having to hire large teams to build something to get that visibility. That is another area that we're focusing on in the next year. And then from a technology acquisition perspective, we really didn't do much until about a year ago. Now in the last year or so, we have really focused on acquisitions and an investment as well, again focused very specifically on specific sensors, so that we can acquire that technology and a good small team that can then integrate with the platform and integrate with our team. So from an acquisition perspective, the first one was Nevis, which we did about a year ago, I think.
And you already see that live demo running. We have a Wi-Fi hotspot set up, it's still there, and when anybody logs in to that hotspot on their phone or whatever it is, within 10 seconds we're going to show that device in Qualys and show you what it is, what the operating system is, what IP addresses it has and what services it is connecting to. So the earlier example I gave you of Cosmos Bank, think about that. If they had that ability to say, I always have 327 servers in my environment, well, there's something that's communicating.
I don't even know what it is, but there is something new that is actually communicating on my network. And then they could pick it up in a matter of 10 seconds. That is significant. And that's why that global IT asset inventory with the passive scanning is so important, and that's what the Nevis acquisition really gave us. And then the second phase of that is going to be the secure access control, which is traditionally NAC, network access control, but network access control is heavily reliant just on specific firewall type IP address and port rules.
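As an added illustration of the "approved list" idea in the Cosmos Bank story and the passive-sensor demo above (this is not Qualys code; the flow records, MAC addresses and approved list are constructed for the example), the script below keeps an inventory of hosts seen talking on the network, raises an alert the first time a host outside the approved list shows up, and reports approved hosts that have not been seen at all.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: one flow record per line from a passive network sensor
# (timestamp, source MAC, source IP, destination IP:port). Not real data.
SAMPLE_FLOWS = """\
2018-11-01T10:00:01Z 00:50:56:aa:00:01 10.0.1.10 10.0.1.200:443
2018-11-01T10:00:02Z 00:50:56:aa:00:02 10.0.1.11 10.0.1.200:443
2018-11-01T10:00:03Z 00:50:56:aa:00:03 10.0.1.12 10.0.2.5:1521
2018-11-01T10:00:07Z 00:50:56:aa:00:01 10.0.1.10 10.0.2.5:1521
2018-11-01T10:00:09Z 52:54:00:de:ad:01 10.0.1.77 10.0.1.200:443
2018-11-01T10:00:12Z 52:54:00:de:ad:01 10.0.1.77 203.0.113.9:443
2018-11-01T10:00:15Z 00:50:56:aa:00:02 10.0.1.11 10.0.1.200:443
"""

# Constructed approved inventory: the MAC addresses the operator expects.
# Note that one approved host (…:04) never appears in the sample traffic.
APPROVED_MACS = {
    "00:50:56:aa:00:01", "00:50:56:aa:00:02",
    "00:50:56:aa:00:03", "00:50:56:aa:00:04",
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<src>\S+)\s+(?P<dst>\S+):(?P<port>\d+)$"
)


@dataclass
class Asset:
    mac: str
    first_seen: datetime
    last_seen: datetime
    ips: Set[str] = field(default_factory=set)
    peers: Set[str] = field(default_factory=set)  # "dst_ip:port" this host talked to


@dataclass(frozen=True)
class Alert:
    mac: str
    ip: str
    first_seen: datetime
    peer: str  # the first destination the unknown host was seen talking to


class AssetInventory:
    """Tracks every host observed on the wire and compares it to the approved list."""

    def __init__(self, approved: Iterable[str]):
        self.approved = {m.lower() for m in approved}
        self.seen: Dict[str, Asset] = {}

    def ingest(self, line: str) -> Optional[Alert]:
        """Record one flow; return an Alert the first time an unapproved MAC appears."""
        m = FLOW_RE.match(line.strip())
        if not m:
            return None  # malformed record: skip it rather than stop the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        mac = m["mac"].lower()
        peer = f"{m['dst']}:{m['port']}"
        asset = self.seen.get(mac)
        is_new = asset is None
        if is_new:
            asset = Asset(mac, ts, ts)
            self.seen[mac] = asset
        asset.last_seen = ts
        asset.ips.add(m["src"])
        asset.peers.add(peer)
        if is_new and mac not in self.approved:
            return Alert(mac, m["src"], ts, peer)
        return None

    def silent_approved(self) -> Set[str]:
        """Approved hosts that have not been seen on the network at all."""
        return self.approved - set(self.seen)


def run_detection(lines: Iterable[str], approved: Iterable[str]) -> Tuple[AssetInventory, List[Alert]]:
    inv = AssetInventory(approved)
    alerts = [a for a in (inv.ingest(line) for line in lines) if a is not None]
    return inv, alerts


if __name__ == "__main__":
    inventory, found = run_detection(SAMPLE_FLOWS.splitlines(), APPROVED_MACS)
    for a in found:
        print(f"UNKNOWN HOST {a.mac} ({a.ip}) first seen {a.first_seen.isoformat()} talking to {a.peer}")
    print(f"{len(inventory.seen)} hosts seen, {len(APPROVED_MACS)} approved, "
          f"approved but silent: {sorted(inventory.silent_approved())}")
```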
What we are doing is really bringing it to a higher level, bringing in capabilities based on the application and the use cases, not just an IP communicating with another IP, mainly because that NAC capability was fine in the past, when you had specific servers that had specific IP addresses. But if you did move a bunch of your containers that are running your back end production system from Azure to AWS for 4 hours, those kinds of capabilities completely break down. You cannot have it based on the network level anymore, because the network is changing so fast. NetWatcher was about the event correlation platform. So that was a little sneak peek that we gave yesterday of the security analytics and the data lake project that we are working on, and they have been integrating that technology as well.
The 1Mobility acquisition, this is really huge in terms of the number of devices that we can address out there from an enterprise perspective, the number of iPads and Android tablets and Windows tablets that are being given out, that are being sent out, that are being used by the customers. So they have a deployed technology which is very similar to the Qualys Cloud Agent technology. So it's basically extending the Cloud Agent architecture to their sensors. So we basically now go to an existing customer who has millions of IPs that they're scanning with us on the data center side, in the cloud and also on the desktop side, and then say, well, we can bring all of your X thousand tablets in as part of this entire overall solution, because you will see the visibility of that tablet as it is communicating to the back end container on the same platform, versus an AirWatch or somebody who's just providing that capability completely independently, just to see the visibility on the device from an IT perspective and not really from a security perspective. So I'll talk a little bit more about that as well.
Layered Insight, so this is the most recent one, very exciting because it gives us a leapfrog in technology into the container runtime space. So Qualys has had a solution that we brought to market a few months ago focused on containers in the DevOps cycle: the ability for us to provide our customers full visibility into images that are being pushed out as containers, and making sure that those vulnerabilities are actually fixed through Jenkins, through DevOps tools, through the CI/CD pipeline, even before they become vulnerabilities in production, has been something that our customers have been quite excited about, and we have more and more customers deploying that solution. But that has been more on the DevOps side. And it has had a significant impact, by the way, just from a technology perspective. The ability to eliminate a large number of the vulnerabilities upfront in the DevOps cycle really reduces the workload that the teams have to deal with later, because we will see that a new server comes up which already has 3 year old vulnerabilities on it, and now the team is spending all their time patching, patching, patching, and then that happens for 10 servers every day, and a significant amount of time is spent on that.
So just from a pure technology and process perspective, that DevOps thing is very important. But then of course, when it goes to production, there are still going to be new vulnerabilities that are discovered out in the wild that may apply. There will still be compromises that can happen on the containers, somebody compromising your container. And at the end, everything runs on something. So the container is running on some system, which could run a command, which could compromise or give visibility into your containers.
So that still exists. So that runtime capability of saying we instrument, very similar to the agent technology, we instrument or we have an agent that looks at every single thing that is happening on the system and sends it back to the platform, so we can correlate and give that visibility, is very valuable. And so their architecture was very similar to the Qualys architecture, which is why the integration and bringing them into the solution makes perfect sense, because now we can give the full end to end: scanning those images in the DevOps environment and then providing the ability to make sure that at runtime these things don't get compromised. So some of our competitors only provide the ability to upload an image, and then they'll give you a report of the findings, but then nothing on the runtime side. So this is again a significant advantage with bringing that technology onto the platform.
And then of course, another investment that we had announced is with 42Crunch, a very interesting API solution, which again covers both the DevOps side, ensuring that the definition of these APIs is tight, ensuring that those APIs are not accepting things that they should not accept, doing that in the DevOps cycle, and then a runtime element in production, where you can actually front those APIs with capabilities that will block malicious traffic to those APIs, block incorrect access to the APIs, and provide another layer of authentication and authorization. Those are some of the capabilities that they offer, and we are working on integrating that as part of the platform as well. So with that, I don't know if I missed a few products in here, but I think the slide is fairly accurate, and Melissa goes over that 100 times. So, just to show you the breadth of the support and the coverage, I think that we could slice and dice this in many different ways. You could look at it as asset management, security, compliance; you can look at it as DevOps versus runtime; you can look at it in many different ways, visibility versus remediation or whatever it is.
But we have the goods. It's how you let go that thing to create a different view every time that is really the thing. So from a road map perspective, as we talked about at the earnings call, Patch Management is going beta. We had a demo yesterday. We had huge, huge interest from the customers.
Every single customer wanted to have that ability to deploy those patches as soon as they find those vulnerabilities. So we're really excited about that. The passive network sensor, as a new sensor adding data into our Global IT Asset Inventory, is going beta as well. It's running here in our production environment, here at the show and in our offices. So that first beta is already out from an internal beta perspective, and then the external beta will be happening in a couple of weeks as well. And then the Global IT Asset Management inventory, I should say, which is the known assets.
We kind of try to divide this between assets that I know, which are the things that I'm scanning because I know that I have them, or the things that I have an agent on, or I'm using a cloud connector to pull those devices, versus the unknown or the unmanaged asset. I have no clue somebody connected a toothbrush to my Wi-Fi. How do I know that in 10 seconds? Better yet, how do I then use the secure access control solution to just deny, or put a simple rule that says, no, nothing that's a toothbrush, or anything that's not a Windows Server, can be on this particular network? That is the ideal thing. But that's the beginning.
We're bringing this capability and then we'll expand that later. And overall, in the first half, we're continuing to work on the beta for the secure access control, allowing customers the ability to control access to their critical servers, leveraging those technologies and leveraging the up to date information that Qualys is picking up from all of our sensors. So we have a lot more up to date view. Some of the solutions, like ForeScout, they don't really do as much of the assessment themselves. So they are reliant on the customer buying that solution and 5 other different solutions to integrate each feed into their solution to be able to provide some of these capabilities.
We will have a significantly more integrated solution from that perspective. We've had CertView, which has had significant uptake, customers getting visibility into the certificates that are expiring. That's a cornerstone of any compliance program. You need to ensure no TLS 1.1, no TLS 1.0, no expiring certificates, no self signed certificates. And the free community service we did around that has had a really big response.
Now we are going to have the certificate management capability as well, which is the ability to renew a certificate right through the Qualys console: not just say it's expiring, but actually now click a button and say, yes, I want a new certificate. And then the second phase of that will be to use the Cloud Agent to also deploy that certificate, because by that time we will have gained a lot of good experience being able to deploy patches onto the systems. So we'll be able to then go in and deploy certificates as well. Cloud Security Management, again, we have had Cloud Security Assessment. We have had CloudView.
The CloudView is the free part. Cloud Security Assessment is the paid part where you get an assessment, not just a view of inventory. And now we are working on bringing cloud security management, which is the ability to have remediation and response. Not only will I tell you that this particular bucket has public access, but then you can write a rule or press a button through Qualys, which will then run the Lambda function in the back end and fix that issue instantly in AWS. So that's another integrated end to end capability that we are bringing.
Mobility, as I mentioned earlier, we are also going to have a beta of the mobility solution. So we will be able to give out the Qualys mobile cloud agents that customers can then deploy and get that visibility. And then the runtime container security solution, we are integrating that into the platform, and that will give customers who are already using our solution for DevOps the ability to now, in the same console, in the same UI, say, oh, that's good on my DevOps; now let me look at my runtime as well. All right.
So I still have time for demo. Sean, how am I doing this? Escape out. Okay. This might work.
Oh, it's working too fast. Hold on one second. All right. iTunes thinks this is the best time to update your computer right now, which I disagree with, but it disagrees with me. I don't have a decline.
Okay, I have a decline. Review, playback, and all right, let's go with this. Let's see if this works. I'm not sure how to do a full screen on this one. Okay.
Really? Just went away. You have Sean here? Sorry about this. Okay.
All right. So I did a quick video of this. So really? Well, at least it's updating, I guess.
Okay. There you go. All right.
So this is the Global IT Asset Inventory. So just to give you a preview: this is in beta with about 30 plus customers today. They love it because they are seeing things and trends that they had no idea about. Even just simple things like, Oracle is now going to start charging maintenance for Java. How many Java installations do I have in my environment? No clue where to go to find that information.
CMDBs are completely out of date. How do I know, at this point in time, in near real time, how many installations I have? So those kinds of capabilities are being provided here. So you can see the asset distribution. So we use the existing Qualys sensors, agents, scanners, combining all of them together.
And then this asset inventory will add a layer of normalization and categorization on top of that. So it's one thing for customers to say, I want to find all of Java on my servers. But who defines a server? The customer usually has to create some rules to say Windows, this version, is a server; that Oracle version, OEL, is a server; and this is a server. So with this, we completely normalize that.
With a team of 15 people, we have built a whole library. Out of the box, we'll classify hardware, operating systems, break down the categories. What you will see is that in this case, we have broken down computers, so detecting everything from notebooks, cloud, printers, security cameras, all in one console. So they can click, see all the security cameras, get the details of that particular camera. You can then go down into notebooks.
So there's 1,000 notebooks, but across multiple different manufacturers. So there's Lenovo, there's Apple, there's Asus. This is all near real time information coming from agents and scanners. You can group them in different ways, look at exact model numbers, how many assets you have from Apple. The customer does not have to define any of these rules. Out of the box, the information coming from Qualys sensors works here.
So we even go down to tell them exactly that this 13 inch MacBook with 2 Thunderbolts, which was released I think only in Japan, was picked up by the agent, to show this in the environment without the customer having to do any of this. You can look at it by market version, which is interesting. So again, being able to say, show me just all my High Sierra machines, just by running a query. So you can see there computers, notebooks, which are on High Sierra; you can find that very quickly. You can look at the software.
You can see all the storage instances I have. So categorizing that these things are storage. So if you see, out of the box, we picked up everything that is storage related software running in your environment, from Dropbox to Sync or whatever it is. So let's say that you don't want to have Box in your environment because you're going with Dropbox. This visibility is available out of the box to the customers.
And then they can group them by different names and find out exactly how many instances of Box, and then drill down specifically into the 7 machines that have Box running, so then we can find out who has them and where they are as well. You can also look at client operating systems, which we classify separately from server operating systems: find out exactly how many Windows 7 devices; client applications, just saying how many productivity tools do I have, how many commercial versus noncommercial databases do I have. If you look at client hardware again, MacBook Pros, operating systems that are missing patches, end of life; this is a big functionality, very critical, just knowing end of life hardware, knowing end of life software. So as soon as our agents are picking up the software, we bring that information back.
Our Kafka backbone will process that. It will tell you, with the library that we have created over the last year, exactly which devices the manufacturers have stopped supporting, so that you can identify those and start taking remedial actions accordingly. And then you can, of course, slice and dice it by the different categories of software. Again, GA versus end of life. I have another dashboard I created with a corporate IT focus. So if you want server side versus corporate IT side.
So here it is a lot more about the software types, device drivers versus productivity software, how many Word and Windows. So that's important, to not have all of those clubbed together, to identify quickly anything that's open source. So in this case, let's see, productivity software, I have everything. And that's really the cool part. The ability to just say show me productivity software, not show me OneNote and then Excel plus Outlook plus PowerPoint plus this plus that plus Google Docs.
That's the key here that we have helped customers. Just say I want to see productivity software. They'll tell you exactly how many of these are installed. So think of license life cycle entitlement management, being able to deal with license audits. You could easily do that here.
Drill down specifically into Microsoft, see end of life that is still deployed in the environment and you can filter that by end of life, see how many instances, group it by market version. So you could say, well, how many 2013 versus how many 2010. So still 191 Office 2010 installations I have in the environment. So just click, click, click. You'll see all the details, the specific machine on which we can see that.
And of course, integrated with the Qualys platform, so customers' tagging from their business unit, business criticality, all of that is already provided as part of the integrated solution. Customers don't have to do anything. So Windows 7, we want to end of life that, still 25 assets that we have in there. Another use case is going to be tracking KPIs. So it's one thing to say I will go and do a query and I want to find that, but then how do you trend out of the box without pulling this information and putting it into Splunk or some other trending system?
So I just want to say I want to deploy Windows 10 and reduce Windows 7. You can just track that out of the box here. Are my trends going up? The ones that I want, are they going down? Endpoint production software that's end of life or devices if they're reducing, are they staying at a constant pace.
Very cool thing about unauthorized software: so the customer can define themselves what is unauthorized software, or we will give them a category that we call potentially unwanted software. So this could be different things like BitMinter and Fake Flash and whatever it is. They actually installed something and named it Fake Flash. But so again, it helps you really narrow down and quickly identify the specific machines. Now in this case, we found the specific machine that has that, and then the exact location of that device, and how many seconds ago, and who is the user who owns it, and when was the last time that they rebooted their system.
And then, of course, because it is integrated into the Qualys platform, everything related to, oh, wow! So they have that software. What other software do they have? What vulnerabilities do they have? Do they have open ports?
Is it a server that is running containers? All of that is integrated into the single view. Another dashboard that I put together is more around cloud. No, I have corporate IT. So yes, here again, just to show the Qualys sensors that are connected to this environment, this IT asset inventory.
So we are bringing the information related to the IT assets from multiple different Qualys sensors. So there could be passive sensor, active scanner, mobility agents, managed versus unmanaged. This was the part I was telling you about integrated into this Global IT View. We the beta, once it's launched, will also have an unmanaged part. So the earlier one was just I know the device, I have installed an agent, I have a scanner running against it versus I have no clue.
This thing is just communicating on my network. So we will identify and categorize manufacturer devices. So just being able to say, well, how many Lenovo devices, can categorize those by, say, in this case, robots to product, no model, sorry. So then I know exactly how many iPhone 7 do I have purely without ever talking to the device or having an agent, purely looking at the traffic using fingerprints and machine learning that we have developed, we are able to tell you all this information just on the phones and then I'll go and show other things as well in the environment so that we give that visibility in near real time. So in this case, if you saw, I clicked on the phone and I'm picking up information about the phone as of a minute ago in this case or in some cases when was the last time we saw that particular device.
So we are breaking things down to the seconds or minutes in most of the cases. All this information coming purely from looking at what's going on on the network, specific version of the OS, exact part model numbers. If that same device gets picked up between offices by the passive sensor and if the device is moving from floor to floor to floor, we will be able to see that this device got picked up and this is what the device is doing. What else do I have? So this was interesting because here you can see conference room, Stonehenge.
So if you ever visited our HQ, we have new conference rooms that have a very nice tablet outside that we use to schedule conferencing and things like that. It's connected to our Wi-Fi network. We're able to pick that up because it's something that is connected to our network. So just purely by looking at Wi-Fi traffic, we're able to pick up the manufacturer, the conference room information and then we will also go into the category. So now we know tablets versus smartphone versus desktops versus mobile devices and drill down into that was the conference room, conference room.
There may be some other things. And what was interesting, and I know Sean is here from IT, but they haven't deployed those in a uniform manner because some show up as the number and the name as Golden Gate, others show up as a conference. So we need to certainly fix our provisioning to have more consistency. I would have never known that at all if I didn't have this visibility. We also were able to, in fact, pick up devices on our network that did not have the Qualys agent because somebody brought their personal device or IT did not install an agent on it.
So we were instantly able to say what are those agents. So again, same concept, you could do Windows and say, where detected service is BitTorrent. You don't have to go into the specific various different torrents that are out there. You could just say, hey, show me everything. We could have just said, show me everything that's a laptop, for example, BitTorrent, and it would have picked it up.
Again, all picked up only based on the passive scanning. So that gives you an idea of what the so this traffic summary. So all picked up purely by looking at the communication of the device, all the protocols, the family of protocol, how much data is coming in, how much is going out, grouped by the service information so that we can, like I said, the first step is the identification with the sensor, but then we will soon be able to extend that into traffic pattern analysis, anomaly detection, C&C communication, network-based IOC and on and on. But just to give you a flavor of what we are already picking up, we're just working on the back end side of it, but we can basically get down into saying, did this device transfer a large amount of information and within what time frame? And then use that to say, is this doing exfiltration?
How can you go quickly today? You're an IT or security guy, you get an alert, failed user logins on one machine, or you get an alert saying Qualys detected an indication of compromise. Now you want to know what did the device do? Did it send out a large amount of traffic? What protocols was it communicating with?
What IP addresses? Then you have to go to some other system, pull up logs from the past and then do a lot of report building to be able to see that visibility. Here, click and drag. So back to the inventory, the total inventory. This is a cloud resource dashboard.
So as I said, digital transformation is not just about the devices connected on my network, but also the things that are in the cloud and containers. So here within the IT asset inventory, global IT asset inventory, we are building a cloud based dashboard that basically gives you the trends of AWS, Azure, Google VMs running in there, the regions in which they are running. I do see a map on this screen. Here it just looks like dots that are hanging out, having fun. I'm going to click in the cloud specifically databases that we picked up, just saying databases, could be hundreds of databases.
How many of them are end of life? And we even picked up a MongoDB. So it's not just a traditional and then we categorize that as NoSQL versus RDBMS database, all out of the box, right? Of course, funny enough, the only one that is not end of life in the environment is the MongoDB, because this you can patch pretty quickly compared to some other databases on this list, which I will not name. So again, Postgres database running in AWS, who's the user, get into the details of that location.
We saw it 6 months ago, so that's interesting, what happened to that one. And then of course being integrated you can click and see the vulnerabilities, right? So I see an end of life, what kind of vulnerabilities exist on that device. Well, because you also have the Qualys VM module enabled, you will be able to pick that up as well. On the unmanaged, there was one more thing I wanted to show.
So we're making a big investment in fingerprinting IT and OT devices as well as industrial IoT devices. And some of that is already starting to take effect in the platform. So the team was able to pick up the industrial automation and control category. So just say show me all my industrial automation devices that I see purely picked up by looking at the network without sending packets or anything like that. And then we were able to pick up 2 PLCs, a Snap7 server.
And those who are geeks about this, apparently, this is a big deal. For me, it means nothing, but it's from Siemens. This one is from Rockwell. So we are already building significantly that library. And then we'll, of course, be working with the different vendors, manufacturers that are out there to significantly increase those capabilities as well. So am I doing okay on time?
Or am I over? I could do another short demo in that case. So yes, there's the model number, CPU and traffic summary. So again, is that PLC communicating to anything outside of the S7 protocol? So another use case I want to demo again, that was more specific on IT asset inventory.
I talked about digital transformation, digital transformation being something that starts all the way from your mobile device all the way back to your on prem AIX server that nobody knows who owns it and nobody wants to touch it, but it's still part of your system because it processes that transaction. Final transaction where the code was written by somebody 25 years ago and nobody knows how that works. It's still there today. So in this example, I'm going to show how putting together the mobility solution we acquired, Layered Insight and container security, API security, how we will be providing a much more comprehensive view of the entire digital transformation from a security standpoint in this environment. So here's the upcoming secure enterprise mobility, which starts by picking up all of your Android and iOS devices that have an agent. How many of them are corporate owned versus employee owned?
Getting into apps with expired certificates, the ones that have weak encryption, again, these are company provided apps, or hardcoded keys. Passcode not present, big deal, right? Like I said earlier, your sensitive information is just 4 digits away.
We picked up Station 10, has an Android tablet. We can get into the details of it. We can see all the information about encryption and all. We will show all the apps installed on that tablet, of course. And as an enterprise, the ability to have an enterprise app store so that the enterprise can push their own apps through the Qualys solution so that only those apps, let's say, are allowed to be downloaded outside of the other apps is important.
And the cool thing is that and it shows that the enterprise needs you to have the auto service booking and the customer feedback app on that tablet and it's not there. One of them is missing, the other one is found. So it's not just a diarrhea of like, hey, here's Maps app and this app. It's about making it relevant to the enterprise from a business security compliance perspective as well. Remediation, I talked about ability to just take an action, lock the screen, format the device, de enroll, find certain things, find the device, buzz it, all of that capability will be built into that particular platform.
This is about API security. So we've kind of marked up what we are working on in terms of the API security capabilities around saying this is the service center API. So the tablet has that app, which is not talking to the back end service center API. So what is the security of this particular how many vulnerabilities does that app have or the API have, how many of them are confirmed. In this case, we have details about that API, what version of Swagger.
There's a certificate on that API that's expired. Guess what clicking the Renew button will do. We'll use the Qualys certificate management capability to renew the certificate right there. You don't have to wait for days for somebody else and some other team to try to do that. A lot more details around the specific API actions, get pushed, things like that.
We've detected a SQL injection vulnerability in that particular API. This is, again, talking about DevOps, that API, of course, we detected a SQL injection vulnerability, but the development team that then pushed it should have done a good job in Jenkins and the CI/CD pipeline leveraging the Qualys built in app, which would then have told them upfront even before it ever went to production exactly how many vulnerabilities they have. And they should have never allowed the build to pass. So in Jenkins, you can say don't pass the build if anything above severity 5 is detected by Qualys out of the box. So if they had done that, that would have been interesting.
There's a few things that we're working on in terms of software composition analysis to provide the same type of capability as I mentioned, but more in the traditional images or when the developers are building WAR files and binaries, they can actually detect open source software that is being included in that to build that Java application and then be able to identify which ones of those are vulnerable libraries that are being included and then be able to eliminate, like in this case, there's Struts, which was a big deal, of course. So being able to say 10 development projects are running Struts, what's the license, and then being able to say that there's remote code execution with this CVE in, again, this has not even made it to the build console. So this is the developers building these things on their machine and we can show very specific information with cloud connectors. So you have those APIs. Those APIs are containerized running in AWS, for example.
So with the cloud view, we're able to show that that service center API is running as a virtual machine and has these containers running on it. 1 of those containers has an issue, API3, what are the vulnerabilities on it. You can click on that particular container and it will show you this is the Layered Insight integration that we are working on. It will show that httpd tried to execute a shell, which is an attempted compromise. So if you click on that, with the Layered Insight instrumentation plugging into our platform, we could tell exactly when this event happened that the web server tried to execute a shell, horrible, worst thing you could do.
And we had issued a deny on that one, completely integrated into the platform based on these rules. I got a couple of examples here. You have another virtual machine that you can click and then be able to see there are vulnerable, so in this case, expired certificate again, found a virtual machine in AWS with an expired certificate. What's the grade? Why? What do I need to fix it?
So in this case, you will basically use the renew functionality. You can go click on that one virtual machine. In one place, you will see vulnerability management, configuration assessment, cloud security assessment, expired certificates and more apps and more apps and more apps and more apps at some point. Let's pick example of another virtual machine that we picked up in AWS that has security groups that are exposing vulnerable instances. So you have instances running there that are vulnerable and then you have ports that are exposing those vulnerabilities to the outside.
So you will be able to then take action to change security groups, stop the instance or do some other action. And then we're also exposing more and more direct threats, vulnerable instances accessing S3 buckets. So again, there are point solutions today that offer some of the functionality, but you cannot then quickly go from one to another to say how do I click here, find out the vulnerabilities on that instance. So something like Evident.io will then be able to provide you just that kind of a visibility, but not tell you how many vulnerabilities and configuration issues are on the instance that is running in that security group, which has the access to the compromised S3 bucket.
Here, you should be able to do that in about 4 clicks. And once we improve the UI a little bit probably about in 2 clicks. So those are the couple of demos that I wanted to do. Then going back to presentation. So as I showed you, again, individual point solutions, little tools can give you bits and pieces.
What we have been focusing on for the customers is an integrated solution starting from IT asset inventory, building a real platform, have to do the hard work. You have to use agents. You have to use scanners. You have to use active scanners and collect all this data and then start to show that visibility and then provide remedial capabilities once you have good, solid, up to date visibility, then you can start to take those actions. So that's what we have been focusing on from the perspective with our own expansion and some of the acquisitions that we have done.
Thank you very much.
Thank you, Sumedh. Today, I'm going to follow on from what Sumedh said and talk about the cloud platform model from a business model perspective, specifically how we are expanding our TAM, driving accelerated multi product adoption, increased stickiness as well as how the model provides operating leverage and delivers profitable growth. We have significantly expanded our TAM. We estimate our TAM today to be $11,600,000,000 growing to $20,700,000,000 in 2021 and we've expanded it by adding solutions that Sumedh talked about such as passive scanning, IT Asset Management and cloud security. At the same time, our revenue has grown faster than the market and we're in some of the fastest growing security markets.
What enables this is the platform. You can see platform adoption accelerating across enterprise customers with 2, 3 or more and 4 or more solutions. And we see strong increases in penetration of our enterprise customers with 5 plus solutions as well. This is in part due to adoption of the cloud agent. The cloud agent enables us to deliver many new applications at only a marginal additional cost.
Multi product adoption drives meaningfully higher revenues for us with enterprise customers with 4 plus solutions at 5 times the amount of a 1 product customer and enterprise customers with 5 plus solutions at 7 times the amount of a one product customer. Oh, it's going the other way. Okay. And this impacts retention rate as well. Enterprise customers with 2 solutions have a gross dollar retention rate of 92%, but multi product adoption increases stickiness, with enterprise customers with 4 solutions at a best in class retention rate of 99%.
Our land and expand strategy is one contributor to why we enjoy industry leading margins. Our platform model has significant efficiencies in R and D and sales and marketing. On the R and D front, as Sumedh spoke about, all of our solutions are integrated into one platform, and we have reusable product modules that enable us to deliver solutions effectively from a time perspective and a cost perspective. We continue to grow our large base of talent in Pune, which gives us significant cost leverage. As an example, if all of our R and D in India in 2017 had been in the U.S., we estimate that our margins would have been more than one-third lower. As you can see, our R and D as a percent of revenues in 2017 would have gone from 16% to 29%. On the sales and marketing front, we leverage our platform as a distribution channel, enabling prospects to try and buy, generating sales at a low cost, and the incremental cost of additional revenues from our existing customers is very little. All this is exemplified in a top tier LTV to CAC ratio. Our platform approach, which is driving accelerated multiproduct adoption, results in strong and consistent revenue growth, a 20% compound annual growth rate over the last 3 years.
And our revenue growth has been organic. Our M and A to date has been focused on acquihires and technology to accelerate our time to market, not to buy revenue growth. Because of our platform model, our revenue growth drives profitability and increases our margins. And as we shared with you in June, with the momentum that we have, we believe we can sustain low-20s revenue growth in 2021, and we see a path to revenue growth of mid-20s. The delta between the 2 will be driven both by the expansion of revenue from existing customers as well as the contribution from new customers.
We continue to balance growth and profitability, and we expect to see EBITDA margins of between 40% and 42%. In summary, we believe Qualys is a unique investment opportunity because of our leading position in cloud security, our multiple levers of revenue growth and our highly profitable operational model resulting in industry leading profitability. With all the additional solutions we have, we believe we're in the early stages of building a highly profitable $1,000,000,000 revenue plus company. So with that, I would like to bring up Simeon and Philippe for questions, and we'll entertain questions from the audience now. Gives people time to think about their questions.
Thank you very much. Okay, so do we have the mic here for the first question here? Eric, okay. You stole the mic.
Eric, Roger, MP. For Sumedh, the demo was impressive. Curious, the network traffic that you're collecting data on, what type of sensors are you collecting a lot of that data with, because it wouldn't be coming from your traditional scanning sensors or the endpoint agents. So where is a lot of that data coming from? And can you give us a little bit of contrast how that product might compare to what Tanium, I think, is doing?
Yes. So very good question. So as you rightly pointed out, the traditional scanner is the active scanner. It goes and reaches out to the host, and then the agent, of course, is on the specific devices. The network sensor is a sniffer on the network that passively listens to the traffic by connecting to your TAP port of a switch or a router.
So basically, it sees the entire traffic go back and forth and it is just recording and listening to that traffic. Based on the analysis of the traffic on the platform side, then it can actually identify the devices that you see on the network and then be able to look at the traffic, for example, to say, I see this device communicating, then you'll see as part of the device, it is communicating in a way that is very consistent with iPhone 12.x or maybe it has a user agent string in the browser that helps us identify. So that is the technology that we use for that. Relative to Tanium, as far as I know, I don't think that Tanium has the ability to sniff the traffic on the network at the switch level where you can see the entire traffic of that network going through the single point so that you don't Yes.
And let me maybe add 2 more things here. One is that the secret sauce of our passive scanning is the fingerprinting. And the analogy that we have here is the way, if you look at what Google did with their cars, they have essentially mapped every street on the planet. So today, we've embarked into a huge project of essentially fingerprinting every device on the planet. It's sniffing the traffic network, analyzing what it is.
This is a very well known technology that's been used for years and years. But that ability then, if you don't fingerprint, then you don't really know what connects. And so that's where the big secret sauce is, which is a huge undertaking that we've already taken. And we have a lot of customers like a very large car manufacturing company in Germany, which essentially was signed to map all of their industrial devices as well with them, and we're doing the same thing with the other companies as well. So that's a big undertaking.
The second thing I would like to add about Tanium is that Tanium, albeit their concept was fantastic and they did a very good job at selling at the CIO level that 15- or 20-second visibility and the fact that you could see on your endpoints essentially have a lot of information and even react on these endpoints. The problem is that, albeit the vision was fantastic, the architecture was flawed or is flawed because they use peer to peer. So they have to install a 72.5 megabyte agent, and then everything you've got to do is to query, you have to query that agent to get the information back. And then where do you put that information back? You need to have a back end like Splunk to put that data on and do the analysis, which of course is not very real time.
On the second, it's limited to the endpoints to your traditional. They don't have a solution yet for, of course, the cloud and for these other on premise, for the containers and for all of that, which today people are tired of these one solutions that do maybe a good job at that, but then miss a lot of things. So that's where we were very patient. We were telling you that when we went public, if you recall, that don't expect Qualys to see significant growth because we want to invest, what I call, in fake growth, but not sustainable growth. We are building the platform.
It's a huge task. But when we love the platform, then we're going to be able to integrate all of that and become extremely disruptive. So this is the day that's come. And that's why at that user conference, we really unveiled where we are. There is even more to come. So that's the big difference.
And now the other thing about Tanium, which is also a very big weakness, is because in fact you have to query the agent, when that device, that laptop leaves the network, there's no visibility anymore. With our architecture, which is again a small agent that beams up changes even when that laptop has left the network, the agent continues to monitor what's going on on the device. So as soon as the device reconnects anywhere on the planet onto the Internet, immediately the agent beams up all the changes so we know what has happened. So then we can essentially use all that information to quarantine the device even before the device comes into the network. And as Sumedh mentioned, the whole NAC concept is too black and white.
So we've introduced that notion of secure access control, so it could really absolutely start to release current time that device on a much more granular basis. Please. This is an old technology, NetWitness, or the passive scanning is again, you have companies like Cosmos,
you have a new laptop,
this is an old technology, very well known, deep packet inspection. So it's essentially you put on the TAP port. What is also very unique with Qualys is that the sensors, like everything we do, are centrally managed and self updating. So you install it once and forget about it. Like today, we have like 50,000 appliances worldwide distributed.
We have some that are 15 years old and that we've told you for that's our It works. It still works. So the customers, they don't have to worry about the infrastructure. So we are truly an infrastructure as a service in that sense. So that's the other big
specifically, the Nevis sensor is actually deployed at multiple banks, large banks in India in the production environment. So it's fairly battle tested. So it's been about integrating that into our platform, but more importantly, adding the sniffing technology itself is not a huge deal.
Okay. So Melissa, you had a question?
So we've talked a lot about consolidation and building out the platform, and you have a lot that's coming out in 2019. Do you feel like we'll be approaching a point to which you feel like you have the full platform? Or should we assume that the cadence that we've been seeing of R and D releases will continue? And then how do you make the determination of what you feel like you need to build or buy yourself versus what you want to partner with?
I would say, but Sumedh will add, but I think the discussion that we have, we don't have these MBAs which analyze where we should go everywhere. We listen to our customers. That's the first thing we do. We look at use cases. In fact, one of the things that our customers appreciate very much is that we connect our engineers with the customers.
So the engineers can have an idea of the use case instead of having people translating in between. So that's one of the very unique things of Qualys, our customers appreciate. We're fantastic customers. They have so much knowledge today. The days when the manufacturer were the one knowing things and delivering they were connected with the god of we were connected with the god of technology bringing that to the masses.
However, a lot of our customers they know more than we do. And they have also the use case and they have the pressure of the business. So we embark them in everything that we do. So that allows us more to absolutely understand what's important, what's not important. 2nd, we don't have that culture of invented here at Qualys.
So we have a culture where our engineers essentially are very curious about new technology. Also ourselves, as Sumedh did in this presentation, we are eating our own dog food. We've got to evolve. And so we have learned how to change the platform, which is very hard to do because it's like changing, the analogy I give is when you want to upgrade your 8 cylinder engine on the run to a 12 cylinders on the highway, you cannot stop the car. And you have to do that as you continue delivering the service.
So we have learned that very well. So we've absolutely done that. So maybe Sumedh. Yes.
And then I will say, like I said at the beginning, we're completely tied to IT. So what we do, what we are on the platform. So apart from that, I hope we continue to evolve the platform from a job security perspective.
So the only thing that I would So
I would say that, sorry, just so if you had asked me a year ago about CubeFed and 2 years ago about Lambda, like we would have no idea about that. So we don't know as IT is innovating at a very fast pace and more and more things will come in IT that we will security will need to respond. And the advantage like we have is with the platform and the engineering team, we have been able to respond to that. And so next year, there will be more things that will come that we will be responding to and adding
And the other thing that we'll say in acquisition, we're also very, first of all, we're absolutely, we look at the architecture. That's the number of things that drive us. If the architecture is not the architecture that we believe is the right architecture for that use case. And second, that we would also analyze the effort it will take us to essentially integrate that architecture into our platform. That's what guides us. The second thing which guides us is that when I look at these acquisitions today, the price that people are paying, it's absolutely insane.
It doesn't make any sense. We look, for example, the example I give, we looked at Evident.io like when it was about 2 years ago. We look at the technology, the VCs wanted to put them on the block, and we're going to see more of that. I mean, today, I used to say we're kissing a frog about two frogs a week.
Two frogs a week. I mean, this absolutely, and they've got, of course, beautiful slides and the growth and the this and the that. So when we look at Evident.io, we look at the architecture and say, okay, okay, nothing. Point solution. Point solution, nothing really fantastic, but not bad.
But then we start discussing about the valuation, and these are, so what's the valuation of what, you just tell us what the valuation of what you want, $150,000,000. Okay. So we politely say we're not a very rich company. So that's too much for us. So and then after that, a few months later, Palo Alto Networks acquired them for 3 0 $2,000,000. We built absolutely all the functionalities of Evident.io with 6 engineers in India. So that's the other element that we look at.
And you say 8 months. Sorry.
It's a year and a half, sorry.
Yes, in 8 months yes, 8 months up. So for us, when we acquire a company, we look also at that, okay, should we build it or should we buy it? So the quality of the team becomes important. And one of the things that we do also very well and now that you have been able to see, we really empower the people that we acquire. We're just not there to take their technology.
No, they continue driving, and you saw that in the presentation of Rohit of 1Mobility and other presentations. So they're really driving. So this is their baby. And the only thing we ask them to do is to essentially make all the effort to really integrate that the best possible in the platform. Because at the end of the day, what makes us disruptive is exactly what makes disruptive the Azure, etcetera.
The platform is the delivery channel, is the delivery model. When we build something, it's immediately instantly available to all of our customers. So we're building also more automation into that so customers could set provision all these new solutions, etcetera, etcetera. So the world has changed. And I think, again, the platform is really the key.
And many people speak about platform today. I have yet to see, except this big platform that I talk about, in the security industry, companies which have really built a real platform. I think we have and I don't think there's that many others that I know of. Please? Okay, very good.
Go for it. That's a very good point. So we're very sensitive to that as well. And in fact, we started to do the share repurchase, not at all to pump up the stock, but because our large investors essentially were telling us, why do you have so much cash, what do you do with that cash, what should you do? And so they gave us the idea of why don't you essentially try to minimize the dilution that we create because we're core companies, because we have stock option in our shoes, etcetera.
So the reason why today we're not more aggressive, I would tell you, is because we still are building that war chest, because I do believe that the time, and I've done that in past industries, that's what we did when we sold Signio to VeriSign, that we could acquire the competitors who are so disruptive, that I see in a not so distant future competitors that today we're going to acquire for a few cents on the dollar for the customer base, because now we can suddenly replace all of these old technologies that they, so we're trying to keep a little bit continuing building the share. So that's what's behind my mind. Now when is that, and then the acquisition will be bigger. I will give you some, for example, things that I could think of. If you look at what we have with File Integrity Monitoring, there's other solutions out there which are so expensive to manage and to deploy because you need servers, you need to update all the agents on every version of Windows, etcetera, etcetera.
So it's going to be a point in time and that's for example and these competitors are not growing anymore. So in the all good days, you could keep a technology and then by stopping investing fundamentally in R and D still continue to generate cash. So you had more of a tendency to keep these companies because they were becoming cash generator. These days are gone. Today with the change of technology coming so fast that you see when you start to go flat and then start to go down in revenue, then guess what, at some point in time, you go vertically down.
And that's the time when you can sort of say, oh, but by the way, okay, guys, you're doing how much are you doing in maintenance? Okay, you're doing, let's say, $50,000,000 in maintenance, $100,000,000 in maintenance. Okay, we buy you the maintenance. So I give you $100,000,000, we take all these contracts and then of course we're going to be replaced. So that's the reason why we're not more aggressive.
Yes. This is a very good question, in fact. So you're absolutely right, but I would say it's not going to it's changing drastically. Today, if I take, for example, ServiceNow, I see ServiceNow much more as a real partner where we can they have some discovery capabilities for the inventory. But today, we synchronize with our CMDB two way synchronization of already about 70 customers already.
We have a lot of joint customers. So we see ServiceNow specifically much more as a potential very big partners where we could have a very strong alliance because we're never going to go into the CMDB business. This is not our business. We are fundamentally still essentially, our vision is to unify IT, security and compliance into one solution, which is what we're doing. But around the data that we collect.
And then, of course, we can build the application on the top of it. So we see ServiceNow as a significant partner. Today, what is interesting, I've been, of course, starting to connect with CIOs. In fact, I was with the CIO about a year ago of a French bank, the largest French bank, which is a Qualys customer, and the CIO is a wonderful lady. And I was starting to test and essentially say, okay, so do you have a good view of your global IT asset inventory?
We don't, etcetera. Of course, the security people say, we cannot secure what we don't know. So I explained to her what we're doing. And she told me, Philippe, as soon as you have it, please come and show it to me. So we have it.
And so in a very few weeks, we're going to show it to her. And that allows us to have a real dialogue with the CIOs. So today, you're going to see more and I've tested that with many other CIOs of our customer base. I was at Les Assises de la Sécurité in France, in Monaco, not for the casino there, but because I was a keynote speaker there. And I had companies like AXA, Allianz and such as additional others coming to me.
They are seeing that we have become strategic. And strategic for two reasons, very simply, because they have to consolidate the stack. Absolutely, they don't even have the people to manage all of that. And when you look at the cost, look at the cost it takes you to essentially bring all that data into Splunk and then operate all of that, and then Splunk charges you by the data you index. You have seen that we have essentially indexed by the end of the year, we'll have indexed 1,000,000,000,000 data points on an Elasticsearch cluster, so we know how to index data.
And so the market is now coming to us that way. So when in the past, we were selling bottom up with the technical people, vulnerability management, with application scanning, file integrity monitoring. Now today, we really have the opportunity to sell from the top, which is much quicker, obviously. And our model is a very straightforward model, which they like. We never increased the price on our customers since the beginning.
And our model is very simple. If we can have our customers renewing and you saw that the more applications they use, the more naturally sticky we become. And then of course, if we can our customer if we renew our customers, we can live forever. We just need to manage our expenses. And if we can sell them additional services, we can grow forever and grow profitably.
So everybody wins in our model. And that is because we adopted that model many years ago. And I remember always the old good days when I went in 2002 or 2003, I don't remember to see Marc Benioff, because I said, Marc, you guys are flying and we have so much resistance. What are you doing? So Marc, as you know, he's a big guy, tall, he said, look at me, Philippe, this is pretty simple.
And I say, okay. So yes, please tell me. And he said, look, Philippe, the IT people, they don't like us because they believe we take the jobs away. They have nothing anymore to install and the security people don't want to talk with us because we take the data away. These were our customers.
So we had in my life, I've never had so much resistance to fight against. But we knew ultimately that the model was the right model. And the changes we're targeting today are absolutely fascinating. I mean, it's just absolutely incredible. So we're very close to what Amazon, Azure, Google, etcetera, Alibaba, we just met with them recently, are doing, because these cloud platforms are already changing the world and we want to be there.
And we know that our role there is to essentially add them build security into the platform. And we did a fantastic integration with Azure whereby today if you are an Azure customer, you go to the Azure Security Center, you click, you have immediately on the you have the view of all your free resources. You click another button courtesy of Qualys, you have the view of the vulnerabilities of all of your environment and then you click on another button and that's not us, but this is Microsoft, now you can remediate. Click, click, click, done. So that's where the world is going.
And so I think we're extremely well positioned. Please? Yes, correct. That's very true.
I like how you significantly increased the number of customers over the last 5 years and have.
Yes. Correct. No, you're absolutely right. And in fact, the reason why we don't emphasize that is because in terms of dollars, they are not the percentage is not that big as compared to our revenues because first of all, we have a huge customer base, plus we do a lot of upsells now.
So as a percentage, it's not much. And in the past, it's changing now though, we were essentially starting with customers small and then we're growing them. But today, because we have more solutions, we start to see customers coming to us because, okay, we become strategic from the get go. So we didn't have to go through, okay, start with VM and then move into the web application scanning and move into compliance. Now today, we can sell again from the top.
So even on our new business, we can see today our deals becoming a little bit bigger as well. Yes, please.
I think we need the mic for the webcast actually.
That's true, yes.
Sorry. So sorry, just to repeat, it does seem like being able to really upsell your customers and kind of increase the percentages of those 2 plus, 3 plus, 5 plus tiers is really significant for kind of the long term financial growth path. But the one thing that I have been wondering is just, Sumit, I think you showed that the chart that now has all the different apps on it, right? And there's like 3 dozen little boxes with acronyms on there, right? Like to me, when I see that, I'm not a CISO or IT manager, but it feels pretty overwhelming, right?
There's a lot up there, there's a lot of different applications and it sounds like there's quite a few more to come. Is that a concern in terms of being able to get people on board with all those things? There's almost too much that it's overwhelming to them and like how does your sales model kind of account for that?
No, no, yes, not at all. It's exactly the opposite. It's exactly the opposite because first of all, yes, our customers, they are already challenged with that plethora of applications. The problem for them is that they require a specialist on each of them. They need to integrate them together.
They need to put that into a SIEM or into a Splunk. When one does this today, they see and you are going to see more and more everything unified that as you saw on the Sumit demo, all of these things, all of these apps that you see today are in fact now absolutely in that single pane of view. So it becomes pretty easy for you. And at some point in time, that's what I made the reference to WeChat, you're going to absolutely you don't care. You just do whatever you need to do, click, click, click, click.
I need to do this, I need to do that. So all these apps that you see today, which appears to you effectively overwhelming, they will fuse. So we're fusing everything.
And if I can add to that, it's today, this is how the buyers look at, I need file integrity monitoring, I need this and there are different teams, there are different teams within the organization who are buying that. So that's today how it goes. But again to that analogy of the car, at some point, you just say I have security package and not I have a seat belt, I have this, I have that, I have that. So I think that's what the buyers and everybody has to still do the transition. So today, it's we have the ability.
And the value we will bring is once all these things start to connect with each other and provide that ultimate value, which is detection overall, then the specific apps are not going to be that.
So one more point that I can make today. We see from our large customers today, they come to us and they say, we have quite a few examples of that. We like essentially instead of buying application 1 by 1 as we need, why we don't do a kind of an overall all you can eat type of application. So our answer is interestingly enough today is that follow. We absolutely agree with that.
However, there is a prerequisite. The prerequisite is that you have to now deploy and have the good view of your global IT asset inventory. Because once we know that and once you know that, then we can now sit down at the table and essentially say, okay, so now this is exactly all your scope. And now let's discuss how you think you're going to deploy and implement. So then we can agree fundamentally on the deployment plan across 3 years or even 5 years and then say, okay, so this is what we're going to do.
We do a 3 year contract and year 1 you pay that much, year 2 you pay that, year 3, and we can also see your progress in that deployment. So if you have deployed much faster, good for you. If you have deployed not as fast, good for us because we have less cost, but then we will readjust. And that also gives me, as you realize, the opportunity to essentially have the discussion at a higher level and say global IT asset inventory, because once we become the source of truth, we are there. And the history of the global IT asset inventory I will give you, it's absolutely fascinating.
Just to tell you this is not something we've just done recently a few months or a few years ago. We saw that opportunity about 10 or 12 years ago when we saw Goldman Sachs using the result of our scans to audit the CMDB, which was Tivoli. So I say, wow, that's interesting because that was not anymore security. So we thought naively at the time that we could then therefore do that. So I went in fact to IBM, I went to see another people and they say, oh, sure, this is not of your business, blah, blah, blah, blah, blah.
But then we realized pretty quickly that the scans were not enough data that we could really gather. So then we had the agent technology. So then we thought, oh, that's it. We've got it made. We can make that now global IT asset inventory.
And so of course, we realized that now with the known we can do it, but then of course there is the unknown, and the unknown is as important as the known. And so now today with the passive scanning. So it took us that many years to get to that point. This was not a walk in the park. And by the way, nobody has ever done that.
So it tells you because if it was that easy, then we already would have a lot of people having done that already.
And it's going to continue to grow because next thing is going to be I want to see all my Lambda functions as my inventory. And then after that, it's going to be I want to see all my SaaS applications as my inventory. And today, there is nothing, no view that gives you that.
So question? So we need to wait for the mic, yes?
No, he has the mic, yes.
Coming back to you.
Two questions. 1, in light of the breadth of products that you have, and I think you've been talking about kind of getting to a point where you could where you have the critical mass on the new products. Why wouldn't you either accelerate your spending on the sales and marketing? Or is hiring the people the limiting factor there? And then I've got a second question after that.
Okay. So not really. In fact, we're hiring and expanding. Again, what people don't realize, because they are still in the old model that in order for you to sell, you need an army of our managed sales guys that knock on doors. You have to realize that the platform is the distribution channel.
We have also already significant partners today that now we are going to empower to do more. All the Indian outsourcers are Qualys customers and Qualys partners. Ernst & Young Managed Security Services, which is brand new, is with us, etcetera, etcetera. So we have all of that already there. The only thing is for them to adopt the new solutions that we bring to market, which is taking some time, and so it's already happening as we speak.
Now we are expanding our sales force as well, but again within measure. No need to sell an army of salespeople today again because of the model. So we want to prioritize into the free services that we launched, which are absolutely very cost effective lead generation machine against throughout the cloud. And look at Amazon, do they have a lot of how many suit sales guys to sell their things? Not really.
So the platform is the distribution channel. And in doing so, we eliminate a lot of costs, both for us and as well fundamentally for the partners as well, because they can follow on our model. And again, as long as they renew and they can sell additional services more and more integrated, essentially they grow the revenues very naturally and of course the profitability follows.
Yes, just to add on, this is what I was covering in my presentation, right? So if you remember in June at our online investor and analyst event, we gave a couple of specific examples of customers who had gone who had started with us at a few thousand dollars and gone on to become multimillion dollar customers. We don't need to multiply the number of dollars by the number of salespeople to achieve those additional dollars. The same salesperson is still capable of selling those additional solutions. And that's again because, remember, we use a technical sales force as opposed to generalists.
So they're able to pick up the adjacencies pretty well.
And we did another thing also in that expansion of our sales force is that we have now introduced the notion of major account solution architects. So we have now some of our best technical account managers, which have both the depth and breadth of technology and then they know how to really move up and speak to a higher level. They are now managing more strategic and bigger accounts and they got much fewer of them, so about 4 or 5. And that allows us then is going to allow us to grow our large customers even bigger. And so today we have large customers being multimillion dollars annual recurrent revenues.
So if I look today, our largest customers, it's more than $5,000,000. So we can see ourselves having $10,000,000 a year with these large customers being managed by essentially 1 person, managing 4 or 5 accounts. That's $50,000,000 for 1 person.
Okay. Second question, your contribution from your newer products, it was around 14%, 15% for a while. Then last quarter, it popped up to 23%, but that was a little bit of an anomaly because of the big Cloud Agent deal that you did. Where do you think that where do you see that normalizing in the near term? And then if you look out 3 years, where would you envision that contribution?
So a couple of things actually, Dan has been waiting, so we should go to him next. But to answer your question, the percent of bookings from new products actually would have jumped even without that deal. But in terms of how we see the future unveiling from a product perspective, remember, one of the things I've talked about is we continue to innovate both in new solutions, but as well as in VM, just as Cloud Agent for VM is a solution related VM, such as Threat Protection. And those today are the biggest portions of the new products. So we would expect, obviously, with the additional applications that we've just gone over to see that proportion increase.
But it's hard to say exactly what it is because people are still increasing their expansion of VM. They're not fully deployed in their environments. We're only beginning to see deployments at the endpoints.
So just to add to what Melissa said. So a question that most of you have been always asking, who is your major contributor? And I was always saying, we don't really we have a multiple cloud agent obviously be significant. But I can tell you today that I really believe that global IT asset inventory because of the large number of assets that our large customers have could really become that new contributor. And the way we charge is interesting.
So this is the way we're bringing our Cloudant Venture to market. If you want, if you have for the search, in other words, the ability for you or the IT people to search, you can deploy our agent, free of charge. We don't charge you as long as you have AssetView, as long as you're a Qualys customer. No charge, because of course we want that agent to be deployed everywhere, because once we have the agent deployed then we can add these additional services. Now if you want to have the IT asset inventory application that Sumit showed, then we'll charge you per IP per year, with of course volume discounts, plus an additional few dollars for the synchronization with your CMDB.
So when you look at the sheer volumes of assets that companies have and that they want now to put their hands on, it's huge. I was discussing with the CIO of Wells Fargo, when was that 6 months ago, 9 months ago, 50,000,000 assets. Hello? Why? Because you have so many cameras that these I mean it's absolutely incredible.
So you're speaking of millions of assets, and we already have some customers which are already looking at deploying our global IT asset inventory, as we mentioned with 30 beta users, to millions of assets. So you start to realize that even at $1 per asset per year, if you have 1,000,000 assets, not bad at all. So if you would I could not answer the question before, but today to that question I can answer. I really believe that the global IT asset inventory is the game changer and is going to be the biggest contributor of new product revenues.
Yes, thanks. So to that point, when you talk about proliferation of assets, just to move to the cloud, I mean, you're seeing it when you talk to CIOs all the time. But when you think about what's happening on the cloud between AWS, Azure, BABA, GCP, whatever, how do you as a company navigate that in terms of trying to make sure that you're aligned with the players that ultimately, whether it's geographically, internationally or domestically, that you're there for those sales cycles?
I'm not so sure.
Aligning with AWS and the way they are selling.
So we are now starting because of course it's all about first of all it's all about it's easy to virtualize one of our solutions and put that in their cloud and in their marketplace. That's easy. But that's not the approach that we have taken. The approach we have taken is first do the engineering effort to be totally integrated and essentially and now we're starting to have more and more discussions with AWS, which again are our customers as well already. So now we are essentially bringing more and more of our solutions to market, but in a very, very integrated way.
And if I can add to that, that is still going to be like I said, the digital transformation is still going to have the hybrid overview that the customers need. So that's where we are well integrated like the example of Azure where go to our Azure marketplace, I have a bunch of stuff in Azure. I click Qualys Agent is already deployed behind the scene. I see all my visibility in Azure. Great, helps me with that.
But then that information gets piped back into Qualys. And so now my overall global IT asset view that I get, I see everything together in one place. So we are well aligned with them in terms of, okay, you want to spin up some stuff there, you click, you get it. And then we still have that global view that they still need because their tablets don't show up in Azure.
And the same thing plays now with the APIs, which is where we made the investment in 42Crunch, because today everything is more and more via API. So you ask the question to a CIO, do you know how many APIs you have? Nobody knows. Do you know really what they do? Nobody really knows.
None of that is properly documented and they are becoming absolutely crucial because you have more and more machine to machine communication, etcetera, and then you communicate to these web application via APIs. So that's another totally new frontier. And of course, these cloud providers, you need to get to them and there's a lot of more APIs and more APIs and more APIs and we're extremely good at that as well.
And then just Moza, just on growth because obviously it's been a big discussion, just that strong growth rate next few years with a mid-twenty percent growth. And there's a perception of some, wrongly, that it's new custom new application focus. That's what you're betting on. But if I guess, Philippe and Melissa, I mean, it's really your installed base. Right now, you look at your penetration and you look and you're like, if we're even correct on 30%, I'm just throwing out numbers, this is where we go. It's not like you're betting on the new applications to get to that growth. I just want to get this out there.
You're absolutely right. And I can even do I'm a brilliant mathematician as you're going to realize. I know you are. So we'll see how brilliant I am. So if let's assume that $100 of renewals, so that's the base.
So let's assume we renew at 95%, okay? So that's $95. And then let's assume that we do 5% new business on that. That's 100%. So now I'm back, okay. And then if I do 30% upsell, I'm at 130% growth.
That's absolutely the model of Qualys. So we don't need this big deal. The reason why we are cost effectively the problem factor of our software is that that's what they need this army of our managed sales guys driving the poor SC by the hand because every quarter once they have sold, they need to find another one and knock on that door to sell that same amount enough more dollars. That's what at the end of the day you saw fundamentally, McCarthy under the daily world going essentially trying to sell the all you can eat to try to be very predator to Symantec by dropping their price and doing very sweet deal, take all my application, give me a $50,000,000 check. Now as I told you before, we don't play that game.
So that's why we go to our customers. It's a partnership we have with our customers. I'm not there to take money out of their pockets. I'm there to provide them services. We need to earn their trust.
If they renew, we can live forever. If we can sell them more services, we can grow forever. So that's what I want to sell them. First, the global asset inventory, so we know exactly what they have. So we are fundamentally a consumption based, if you prefer, philosophy in terms of pricing.
Even today with Azure and with Amazon, we're now starting to look into charging by the hour as they do. And we have that luxury that not many companies have, to be able to move from our current pricing model, which is essentially you pay it's a consumption based deal, but you pay in advance a year in advance too, to paying by the hour. For us to change to that model is not difficult because it doesn't impact the revenues at all. It just of course will impact the cash. But today cash is not a problem that we have fundamentally.
So that's again the reason why we're so well positioned. But you're absolutely right. And I don't think the industry understands that because of course they're still in that old model. And even those who say we're perpetual, look at their model, most of them are hybrid, they still do perpetual license and plus some recurrent well not since day 1, that's the way we started the model back in 1999.
And we're almost over, so why don't we take questions from Rob and then Brown. Okay.
I actually have 2, but the first one will be quick. Just out of curiosity, given your historical business of VM is not new, why does it make sense now versus before to marry VM and patch? What is the customer asking for versus why didn't they ask for 5, 10 years?
That's an interesting question Sumit could add, but the real
And if it's too long of a debate, I can take it offline. I'm just curious.
No, no, because the market was not resistant. You had the silos. The enemies of Qualys have been for the silos, the people doing the patch management and this and this and that, very complicated. So And they have the time to take the time to patch.
So and then we were competing in the early days against the patch management solutions. We said, oh, you don't need to do that for the management because you just need to patch. So now today, the fact that patch the things like Struts, etcetera, the urgency of patching is what is changing the game. And now today with Qualys, you push a button, you can patch everything. It's going to take some time, however, for companies to adopt that new model because it's a bit revolutionary, but that's what needs to be done.
So it's a very good question.
And then back on Eric's question of kind of managing growth versus margin, it was back in 2015 you guys the Analyst Day introduced the whole concept of the Qualys platform and there were actually 12 bubbles at that time, 18 now. Your highest growth rate was in 2015 at the mid-20s and we haven't seen it reaccelerate to that kind of level. Based on Melissa's slides, you're about 2.5% market share. So why not invest more in trying to capture more share at this point versus kind of the growth margin profile?
No, no, it's not about the growth. The growth margin is the byproduct of our model fundamentally. Now the reason why we didn't invest in growth is because we needed to build the platform and that's where we put our money. And we have the patience to understand that it's not worth for us to buy a company, for example, to accelerate our top line growth, which will be pretty easy and take the revenue plan and what do we do with the solution of the architecture. So we're very disciplined about that.
So the VM marketplace was not big enough for us to really invest in that growth. But today again, we have the platform. I don't need to put these on money suits. So you're going to see us doing more free services, more this, more that. Of course, we're going to invest.
But I don't need to make the investment that an enterprise software solution does. I've always been absolutely amazed to see how much Salesforce.com invests in sales and marketing. That I think is probably because they came from Oracle, because I think they didn't need to do that. Now they did a fantastic job, don't get me wrong, but when I look at their metrics, I said, that sounds strange. So you look at other companies today, they are not investing that much, as when you're cloud, the platform is the delivery kind of that's in a lot of cost.
So maybe we have a last question.
Yes. I just wanted to ask about global asset inventory and if you think it's I assume the answer is yes, but do you think it's applicable to your entire installed base of customers? And the second part of that is, what would you expect adoption to be over the next few years, given it sounds like a relatively new product that just not really marketing for?
So we always we could hire an MBA and give you beautiful curves and so forth of adoption. We just don't look at the business like that. I can tell you one thing, we have a huge demand for it. We see that.
We have these 30 customers that are all absolutely fascinating. I think the adoption could be pretty big. But again, you have the budget, you have these. So I only start to project when I've got enough data points on the curve. And that's what we're showing, for example, this adoption.
I can tell you one thing. If you look at customers which have acquired 2 or more solutions, it's 69% of our customer base. And I can tell you that our customer base would adopt all of our products. So we should see 70% adoption fundamentally of every solution that we have. Now at some point in time, again, the UI will fuse all of that.
We probably will go into a pricing model, we should consolidate more, but it's not going to change much. And then the adoption will be even easier because suddenly I look at Threat Protection for example, which today is a separate service, at some point in time, we're going to abandon that with VM. That doesn't mean that we're going to reduce the price because we've banned them, no. It means that it's going to be totally fused because that's what makes sense.
And just one last thing I'd like to add to the discussion that we had over the last few questions. Remember, unlike other companies, we don't incent our sales by product because we don't want them pushing customer pushing product on our customers that they're just going to churn. Always say I give credit to Philippe for being very visionary about managing a subscription business. It's very different than managing a perpetual license business where you are dependent on the renewals every year. So we are very customer focused.
And because though our road map is developed based on the continuous dialogue with customers, we know the demand is there, and then it's a question of the timing of adoption.
Exactly. Okay. So thank you very much. Thank you and a real pleasure to be here with you.
Thank you. And we'll take a few minute break and then we're going to have our customer speaker from Experian.
Yes. Okay. Okay. So it's Sumit, I think okay. Do you have the is your presentation right after that?
I am trying to find it. I think I was told it was going to be loaded. It should be,
Okay. Okay. So please take your seats. And so I'm really happy now today is not Qualys speaking about what we do, it's about our customers. And by the way, quite candidly, this is what we prefer.
We like more having our customers telling about their experience with our solution and expressing the challenges that they have. And so we all become essentially smarter in understanding what needs to be done. So with that, I'm really happy to introduce Piyush, who has been an important person at Experian, as you will see. So we don't do big introductions at Qualys because we believe that the introduction is yourself.
It's what you do and what you say. Correct, Piyush?
Yes. Thanks, Philippe.
Here you go.
So thank you, everyone. I caught a little bit of the latter part of the initial conversation right before this. So I'll try and address some of those things as well and why we partnered with Qualys, to address some of the questions which were asked in the earlier session as well, and why we chose Qualys over some of the other folks, if you would. So a little bit about myself, Piyush Patel. So I'm the regional CISO for Experian.
I look over to North America, which is more than 50% of our revenue. And I also have a lot of global programs. I run multiple global programs, sort of product security, data protection, offensive security and other areas and threat management, of course, where vulnerability management sits. So that's a little bit more about what I do at Experian. And also I'll also talk briefly about me as a person.
So because it's quite important as to why we went through the journey we did. And I think it will give you a bit more color about why we chose the platform itself. So I started out long time as a developer, and then I moved I ran operations and then I ran security operations. And then also I was a Head of Audit for a couple of years. And then I'm sure you guys must have heard, Experian had a minor breach in 2015.
As a result, there was a refresh, management refresh at Experian and I came on as part of that refresh. So I work with Tom King, who's our global CISO for Experian. So the reason that those things are important is because as you can imagine, the world is changing, right? So no longer there is on prem infrastructure, sort of premise and then cloud or software. The lines are becoming blurry.
It's becoming more and more democratized. The developers are more democratized now. They can go and just download something and try it out and then implement it, right? So you don't need a traditional more and more products are getting more and more teams are coming to me and saying, Piyush, we found this great product, we tried it on, it works and now we should go and buy the licenses. So most of the products we have implemented in last few weeks or last few years have been more from bottoms up rather than from sales guys making sales calls to us.
So that's a big difference. And that's sort of played a big role into where we got to. Now how many people know about experience or I could just skip this slide? It's the other E. It's not the one that got breached.
I know it sounds very similar, but just to give you an idea, we have 1 billion people's information. We do close to 9 billion transactions, and authorize and verify 9 billion transactions. We had 2.3 billion people's transactional information. So what does that mean? There are only 7 billion people in the world, so it's almost one third.
Now the reason that is important is the attacks we face are not just the traditional attacks where you get the traditional hackers, but you also face mostly nation state attacks. So my role is primarily, if you ask me what keeps me up at night, it's more of a nation state persistent attack, right? They have unlimited resources, so it's a bit of an asymmetrical playing field, if you would. So the only way we can level the playing field is by partnering with a lot of vendors and other thought leaders within the industry to kind of level set, if you would. So we'll talk about, as I mentioned before, I've been through an initial breach.
I came on right after the breach at Experian. And then our competitor got breached. And I felt like I have been through 2 breaches in 3 years and have survived, surprisingly, to tell the story. So we'll talk a bit more about that. And I think if you have questions at a personal level about what we did, I'm happy to answer that as well, because I know we at Experian take that very seriously.
My family's information is there, right? So is everyone else's in this room, for the most part. So happy to take those questions as well. There are a lot of things which I can't put in the presentation because of legal reasons, but we'll talk about that as well if you have questions. So a month before the breach. So after our breach in 2015, we established a 4 year roadmap. It was called Security First.
One of the outcomes we were looking for is, how do we reduce the friction? Security has always been looked at as friction, unnecessary friction. So I describe security in a very different way. I think about it as, so I used to work at Ford Motor Company, for example. When I went and talked to the designers, right, I asked them, what is the most important part of the car?
They said brakes. I was like, why? Because if you have bigger brakes, you can go faster, right? You have full confidence that when the time comes, you'll stop at a good stopping distance. That's what security is about, right?
We are the brakes which you need when a crisis happens, or when there is a breach of trust, right? So how do you maintain that trust? So that's sort of the model we decided to go towards, where we said we're going to do a paradigm shift. Security is no longer going to be a friction, but it's going to be an enabler to innovate and drive the market fast and get our products out faster than the market, right? So that's sort of the outcome we were desiring after the breach.
It was not just to get a better security posture, but also to innovate and help the business innovate and move at the speed of DevOps, if you would, because that's another cultural change which we were undergoing internally. And there's another thing which was happening within Experian itself: before our first breach, anytime there was a security problem, the conversation was, what is security doing about it, right? If you think about security, I'm sure you guys probably work at the banks. I was in New York for 10 years. You do the security training, they tell you security is everyone's responsibility.
But how are we embedding that, right? That was a control transformation we were also going through. So that's right before the breach, before the Equifax breach. A month before, we were sort of in the state where we've got this funding, we're doing the transformation, the people have been hired, the new team is in place. We're talking to a lot of the partners, the vendors, to understand what other products they have so we can jump the curve. And then it almost feels like, as you see in the picture, right, it's like a shark lurking underneath the water, right?
We didn't know what was going on, but we did see traffic patterns on our network. So we knew something was coming. We just could not pinpoint why this was happening to us, right? So then the D-Day, as we call it. So in September 2017, the breach happened, and it just changed everything for us.
Now we thought we had a 4 year program, which was quite robust and aggressive. That turned into a 1 year program, right? That 4 years was like, how can we do it in a year? Anything that was 2 years was, how can you do it in 180 days? It just completely changed. So what does that mean for us as a security team, and what does that mean in terms of the solutions which vendors bring for us?
That means we had to move at a rapid pace in a very complex environment. So you can imagine this is what our world looked like. Everyone was coming to us. The boards and executives are saying, what are we doing about this? Our vendors who are everyone we spend a dollar with were knocking on our door saying, how can we help, right?
And you can imagine that regulators were wondering what's going on at Experian, even though the breach was at Equifax, right? But you can imagine there are only 3 of us. So naturally, there was a huge scrutiny on the industry itself. So everything we had, we had to throw out of the window. The 4 year plan went out of the window.
We said we need to do a transformation and gain back the trust of all our stakeholders, including the board, the consumers, everyone, because the industry felt like it was under attack and we were just part of it. So as I mentioned, everything was too slow. So we said, how are we going to change the paradigm? How are we going to move faster? How are we going to provide a solution which manages the risk, rather than talk about how we find the risk?
Because our ultimate goal, for us to be able to bring back the trust of our consumers, was to show that we are actually addressing the risk. We are hearing them and we are actually dialing down the risk. Not the fact that we knew about the risk; no one cares about the risks, right? What are you doing about it? That's the question we were asked.
So that's where the Board put together a 100 day challenge. They said, look, I think you guys have put together this great 4 year plan. We want you to do it in 100 days. So you can imagine, we had to really think outside the box. We said, the traditional way of doing the network scan and the agent based, sorry, getting the report at a certain frequency, getting this information to our stakeholders at a certain frequency, is just not good enough.
On top of it, as you can imagine from the breach, what the industry and everyone else realized is that the moment sort of exploit becomes available, right, it gets weaponized instantly. The world has changed. No longer do you have like a month or 2 months to kind of have time to do the remediation, right? Now you have to do instant remediation, right? You saw the I think I walked in when the WannaCry slide was up.
It's getting weaponized instantly. And what happened? NSA dropped, NSA leak happened, right? It got weaponized. And next thing you know, your environment is impacted, right?
So if you spend days and days and days discovering your risk, it's too late. You are already infected, right? So that's how we had to think about even our breach itself. By the time we found out, we knew we were 30 days, 60 days late. So what do we need to do?
So these are some of the realities within Experian, right? Like every other firm, we are highly complex. We have a hybrid model. We have a lot of dynamic assets, and these things never change. Every CISO has these challenges.
The firms are getting more and more complex. They are going more and more towards the cloud, for the natural reason that you can adopt the cloud in a very frictionless way. As a result, how do you build security to adapt to it? And that's where we said, look, let's change our thought process and let's adapt security at the speed of DevOps. So let's implement the solutions and then iterate over time and improve them.
And that's when we started talking to Qualys. We said, look, we have this challenge. We have a 100 day challenge. I don't know what tools you have. I don't know what solutions you have.
But this is what I want. I want to be able to go to my 40 CTOs and say, I want you to address the risk in 100 days. What does that mean? Every day, I'll come back to you and say, this is what your risk posture looks like. You deployed a patch; next to that, I should be able to tell you what your risk is, has that patch been applied, has your risk gone down, right, because we are in the business of risk management.
Security is no longer a set of operational functions. It's more about risk management and driving compliance and helping the business reduce the risk and innovate and get faster. So we are evolving towards a world where security will not be running any operations. It will be much more compliance and metrics driven. And so we said, how do we adapt to that, right?
How do we enable the CTOs to self-service their security? How do we make sure they have all this information at their fingertips, so they can take action and they don't have to wait for the security team to do something? And that's where we worked with Qualys. And they were going through this transformation where they had just deployed a new platform; everything was in the cloud. We have 30 plus data centers, like everyone else, right?
We did not have the time or inclination to deploy those scanners everywhere to understand the risk. Our job was to reduce risk. Our job was not to run technology or to run security. So that's where we worked with Sumedh and the team. I remember getting on the calls on weekends, right, before my Michigan game; I would call them up, like, look, you have half an hour, I need this solution, these are the problems I'm having, before I get on and watch my game.
So we went through some of that journey during that 100 day challenge. But they really stepped up and they said, look, Piyush, these are the platforms we have. We had a whole shift away from where we were doing network scans to agent based scans, which gives you instant visibility. So I could go back to my CTOs and give them real time reporting, right. If they have patched something, they should be able to tell in next 4 or 5 hours whether that patch got applied and had their risk posture gone down, right.
And the same applies on the application side. Every time they released the code, they were expecting instant feedback, because that's what they are used to. Everyone is iterating; they're deploying like 10 to 15 times a day. And then they're getting instant feedback from the marketplace and iterating the code. So we said, let's do security in a very similar way, right? Let's deploy, let's get them real time feedback, and then iterate and see what worked and what didn't work, because that enabled and empowered them to actually help us reduce the risk.
So we got out of the way and we basically let security be a more self-service function, and Qualys and the platform itself helped us enable that. So that's one of the biggest reasons. Early on, I had everyone at my doorstep: McAfee, every vendor you can think about, right? Every one of those vendors had an on prem solution. I had to deploy across 30 data centers.
That would never work. None of my 30 data centers talk to each other, because we are a highly acquisitive company, like everyone else. In the last 5 years, we acquired more than 50 companies. We acquired for all kinds of the same reasons everyone else does: either we acquired for IP, or for people on the platform, and we keep them running and see if that fits into our portfolio, right? So we are highly fragmented.
So we did not have the luxury of working across all these different technology stacks we had within the firm. And that's where it was seamless with our partners. Other vendors, I think, were much more focused on, to be quite frank, how to get more revenue, right? Of course, they were realizing that the purse strings were open, but they were not providing me solutions. And of all the solutions which they provided, none of them was able to meet my timelines, if you would, where we were moving at lightning speed, if you would, to address the risk.
Because the way our CEO, Brian Cassin, put it to us is, look, if there is a third breach within the industry, we may not be in business. There will be very heavy regulations and we will become a utility, right? So it was one of those moments for us where we were on the cusp, if you would. And that's why we were looking for partners who can help us jump the curve, if you would, and rethink our problems in a very different way. Some of the lessons learned, this is more for the general public in the sense that one of the biggest differences and changes we made was, we made security everyone's responsibility.
As I mentioned earlier, it's not just about the end user's responsibility, but making sure that we enable the CTOs and we give them the tools to run their own security teams, if you would, and make the risk management decisions by themselves. And of course, we play the oversight role to make sure that, where there were bad actors, we slowed those CTOs down, if you would. We said, look, you have to jump through a lot more gates, right, before you do a deployment or before you're able to go to market. And there were ones which were doing really well. They bought into the whole system.
They were addressing the risk. And then we let them go as fast as they could, because we had enough confidence. The only way we were able to do that is because of the platform. We had the telemetry into the risk, based on which we were able to make those decisions. So lesson learned, again: build partnerships with the right vendors, right, make sure they have the right platform.
One of the biggest things we learned from this whole experience was to always prepare for a breach at a competitor. You will be surprised how much everyone prepares for their own breach, but no one prepares for a breach which can impact an entire industry, right? And it can also provide you an opportunity where you can use the crisis to your advantage. I'm sure everyone's seen the Equifax stock is back at where it was. So we had a very short window, if you would, of 6 months to really transform the security program at Experian.
And we were able to do that with the right partners. So with that, we'll pause and open up for questions. Go ahead.
The second question is just thinking about expansion of your spend on Qualys moving forward. Are there additional modules that you're planning on adopting?
Yes. So that's a very good question. So let me go back a couple of slides. And I'll answer the second question first and then come back to the first one. So the only thing we were using first was the VM module on that, right?
It's only because of the power of the platform that we bought a lot more modules, because now, for my purposes, I didn't have to deploy any more agents. I had one agent giving me information on all these different things: policy compliance, threat protection, file integrity monitoring, it was one agent. And one of the biggest resistances you have within security is, I'm not sure if you have computers at work, but if you look, there are tons and tons of security agents on there, right? So we did an internal analysis, right?
70% of our compute was being used for activity like processing, and close to 20% of our compute was being used by security agents, right? So you can imagine all the agents we are loading on; at one point we had 22 agents on an endpoint, right? So it was creating a lot of friction with our technology teams. So one of the reasons we went with the Qualys agent is it has a very small footprint, right? The same agent can be used for multiple things, right?
And the reason you can do that is it does the scanning of the endpoint and does all the processing in the cloud. So the endpoint does not take on most of the load. As a result, your CIO can actually use the compute which he's invested in for what it is truly meant for delivering services, right? And security workload moves on to the cloud. And Qualys platform itself does all the analytics for you to be able to give you the telemetry of risk.
So that was one of the biggest reasons. For us, one of the biggest drivers was that the same agent could do multiple things. We did not have to deploy a single additional agent. My stakeholders loved it. It has a small footprint, and I have not had a single complaint from them.
I can name all the vendors they have complained about. They start with M, they start with T, they start with S. Every one of my technology guys hates them, because all the processing happens on the endpoint and they take up the compute. And the world is changing, right? If you go to Amazon, you're paying by compute, right?
Why would you want to pay for that? Why can't you let a vendor pick up their cost? Does that answer your question? Yes. Any other thoughts, questions?
Okay. So thank you. There's a question. There's one there.
I mean, first, I'm just interested. Internally at the company, just going through it, was it the 60 Minutes, and where was that, like, oh my God moment, this is different? I'm just curious, that's my first.
Yes. So the way the sequence of events happened is our CIO got notified like an hour before, where is that slide, an hour before that thing was going to go public. And it was sort of an oh my God moment. Because at that point, you had to realize, when this happened, we did not know the size of the breach. So just like us, they have 1 billion people's information, or a little bit less, more like 750 million, right?
So we did not know if it was 750 million or was it 140 million, right? In security, you have to assume the worst, right? And then you have to plan for the worst and hope for the best. So the next question for us was a similar question. You can imagine that the first question after that was, what does our posture look like?
Do we have those controls in place, and are we breached, right? So we spent a week assuring our Board and our stakeholders that, look, we are in a much better place because we had better controls and we had better telemetry into the risk, because we had been like 6 months into the journey, because we had our breach 2 years ago. So it was a blessing and a curse, right? The blessing was that it was just small enough that it was a wake up call for us, and we shifted and invested very heavily into security. So we are in a much better place.
But at that moment, the hour that phone call came in, it was all hands on deck. It was a crisis protocol, right? Everyone was on the con calls. We had to give assurances on the con call to the clients. It was just surreal.
And with Qualys, was their speed just so impressive in terms of, like, you're talking to the Board and on the other call you're calling them and right away, like a SWAT team, they're in, versus other guys, like, yes, we could get there in a few weeks?
Yes, I could call; Sumedh was on my speed dial, right. And that's the difference, right. I could not get to the other product managers in the other places. And to give you perspective, we were just using, as I mentioned, the VM scan; we had network scans, right, across 30 days. I deployed agents across close to 200,000 assets, I think, after all said and done, in less than 30 days.
That's the speed at which we had to move. Because you can imagine, I cannot tell people what their risk posture looks like if I cannot deploy the agent and give them telemetry into their risk, right? So that, to me, was the game changer for us. And we were able to do it with very little effort.
So thanks for presenting this. I think it's a pretty interesting perspective. One question that I have, you made that comment about how you kind of had this 6 month window after the thing happened where you could take advantage of the crisis essentially to kind of promote the investment in these products and these solutions to help you improve your posture. But I'm wondering about industries or companies who maybe haven't experienced something quite so drastic. So they don't have that ability to use the crisis as a motivation, right?
Like how do you justify if you wanted to expand to additional products or things like that, how would you think about kind of justifying that cost if you were sort of in a peacetime scenario?
So you can imagine every firm has a lot of compliance requirements, whether it's SOX or whether it's GDPR or other areas, right? Privacy is becoming more and more important, right? As a result, you'll see in a lot of the privacy regulations there are a lot of security requirements which are built in. So I can imagine, I haven't come across any CISO who hasn't implemented all the things I mentioned on this slide. The question is, which vendor can displace and do this seamlessly?
Where did that slide go? All these things. Policy compliance, I have to do it, because we are a global company across 24 countries, right? Same with VM, right?
And the same with indicators of compromise and threat protection and other things. File integrity monitoring is required by PCI. Very few firms are not impacted by SOX or PCI, which require file integrity monitoring. So today, they are doing it with someone. The question is, who can provide a seamless, frictionless experience which you can adopt, right?
And security teams are moving away from running operations. If you look at the world 2 or 3 years from now, because everything's moving into the cloud, the platforms are doing it for you. That's what Qualys is actually doing for you as well, right? Just like what AWS and Azure are doing. Most of the security operations is actually done by the platform for you.
Security as a profession is evolving more into a compliance profession, where we are more around understanding the risk which the firm is taking on, managing the risk, and helping the business reduce the risk. That's where it's going towards. So what's happened traditionally is, most of the CISOs you are dealing with, so I have a unique background. I come from a development background.
And that's where I guarantee you the next 10 years of CISOs are going to be from the development background, because with AWS and Azure and everything else, you need to have that background where you are relying on the platform itself. And software is eating the world, and it's true, right? So traditionally, what's happened is most of the CISOs have come from the networking background, because you had on prem solutions. So more and more what I'm seeing is that the CISOs are starting to recognize that your job is not to run security operations, but to help manage the risk for the firm. More and more CISOs are adopting this kind of model, where you let the platform do the work for you and you're managing the risk.
Does that answer your question? Because that's the transformation which will drive.
That certainly helps. I mean, if I can follow up just briefly, on several of these areas, I think Qualys has long been regarded as, VM is like bread and butter, right? But certainly, in a couple of these other areas, there are other players that I think a lot of people recognize as best of breed or whatever, right, like CyberArk in PAM or Varonis in DLP or something like that.
How, when you were in this situation, were you thinking about those options versus going with something that was more consolidated? Yes.
No, you're right. So let's talk about file integrity monitoring over there, right? So we obviously had the McAfee solution, right? So it was the speed of deployment, and it was the speed at which I can get to my primary role, which is managing the risk, right? If I were to go with some of these vendors, right, it takes me forever to deploy and get the buy in for the solution.
So if a product works 90% of the time, I'll take it hands down, because I know that in the world we are living in, I can iterate over time, I can work with the right partners and get it to the point where I need it to be, right? And one other thing which is changing is, because the platform provides a lot of this functionality for you, now, with the APIs and other things, you're able to build those customizations on top of it, right? And because of APIs, your customizations don't go away. Previously, you had to build it on prem, and every time you moved a server, you had to take it with you. You don't have to do that anymore, right?
So now most of my engineers are actually application developers, whom I have trained to be security experts. They are not coming from a network background. So going back to your question, anyone who is going to be able to help transform and move at the speed of DevOps are the vendors who are going to survive. And the only way you can do that is you take away all the work that a CISO has to do in terms of running operations and building all the platforms, right? Take that on, and let them go back to what they were hired to do, which is to manage the risk.
Okay. So no more question. Okay. So thank you, Piyush, very much. No, thank you.
Now is the view from an industry analyst from the 451 Group. I propose that we do a little change in the agenda, if that's okay with you. So Scott has about a 30 to 40 minute max presentation. The lunch is next door, and for some reason that was not really connected there, because we don't have the screen there. So what I suggest we do is go through his presentation without the lunch interruption, and then after that you could go for lunch.
Is that okay with you? Okay, very good. So Scott, it's all yours.
All right. Thank you. And yes, so very briefly, I'm an industry analyst with 451 Research, and I think a lot of you working on the investment side of things may be familiar with 451. If you're not, I am not a sell side analyst, nor do I play one on TV, but I do bring a practitioner background to covering the space. I'm a former CISO myself, having worked for an NGO, a UN affiliated group, the Nuclear Test Ban Treaty Organization.
And that's the kind of experience on the syndicated research side of things we bring to bear on the market, and we tend to follow innovation and disruption in technology. And my team's focus is on infosec. We also have a survey based research group, so I will share with you some of the findings from our studies over the course of the last year or so. So we'll start with some of the top takeaways for you. We will see, to the point of what was discussed at Experian, compliance definitely setting an agenda for practitioners these days.
We'll also take a look at the impact of the cloud, elaborating on that same theme. We'll look at some of the aspects of shared responsibility for the management of IT assets and security. And we'll take a look at the people and the process aspect of security, which is another dimension of security management, and one aspect of that that has been overlooked in some of the more recent and high profile trends. So let's get started with some of the top takeaways. Of course, security spending continues to increase, but one of the interesting things that we've been seeing over the last couple of years is that 2 years ago we saw the number of organizations that reported no change in their infosec spend compared to those who said it was going to grow; since then, that share has really expanded into the numbers that are increasing their spend in InfoSec.
Our survey for this year is in the field right now, so I expect to see that trend continue going into 2019. And as was suggested by our friends at Experian, compliance is the top driver for information security projects this year. It's right up there with user behavior and security awareness initiatives. But if you think about that, what's the relationship to vulnerability management, for example? Well, what's the largest attack surface in an enterprise?
It's their people. It's how people interact with technology. Where do you first see the evidence of that compromise? You typically see it in the endpoints and the systems that people interact with directly. So there is a direct relationship between vulnerability and asset management and user behavior and efforts by the enterprise to get a better handle on securing the organization and taking advantage of people as their first line of defense.
We see some of the chronic and ongoing issues with information security staffing up at the top too, but we also see as far as investment in the environment, cloud security, specifically for cloud infrastructure, being the top architectural priority in the organization, not too surprising considering the remarks that we've just heard. Now there's one note here about we note that security information and event management and, I should say, security analytics as coming in at number 4 among the top security projects. That needs some elaboration. This isn't all about SIEM, and it isn't all about a security operations center platform. It's about new ways to understand analytics that are relevant to security, such as your total exposure in your IT estate, what users are actually doing, the ability to distinguish malicious behavior from non malicious behavior.
And it's not just to get a handle on the insider threat. It's actually more common in a lot more cases to have visibility into when the credentials of legitimate well meaning users are captured and compromised and used by an attacker to move laterally in the organization. And of course, vulnerability assessment remains among the top projects in organizations, but that compliance number stands head and shoulders above. And it's not just because of GDPR, which, of course, is certainly having an impact around the world. In fact, almost half of organizations that we surveyed in EMEA are feeling this pressure.
But one fourth to one third of all organizations cite compliance in various manifestations as a top priority for their infosec projects. And in fact, we've seen if you look at the key determinants for approving top infosec projects, risk assessment is going to come out on top in most cases for obvious reasons. That's our business in infosec. But compliance edges it out just slightly. And again, following on the Experian talk, compliance gives you a way to qualify your information security objectives.
In fact, compliance gets a bad rep among infosec practitioners as being, well, it's a detractor from achieving real security priorities. Well, our respondents don't really tell us that that's the case. In fact, twice as many tell us over the next most common relationship between security and compliance that compliance actually sets a baseline set of controls for their security program. And that's fairly intuitive as well too if you think about industries where the business is not highly motivated to influence security as a strategic priority. It's a cost center for most organizations.
Yes, it can be a differentiator for those who have to deal with highly sensitive information or tangible assets. But for others, it's typically a cost center. And even in those cases where they deal with tangible assets, they may not be real quick to respond, as we saw in the case of the Equifax breach or may not have the most or best informed response. Compliance helps security practitioners point to a requirement that the organization has to meet and helps them tie that to their own priorities. So it does help them prioritize their spend.
But another issue with compliance is just the sheer complexity of the estate. We have so many different manifestations of the cloud and cloud functionality. We have so many different manifestations of enterprise IT and the data center. We have burgeoning numbers of increasingly connected endpoints that the challenge of maintaining adherence with security priorities across this varied and diverse estate becomes a real headache for organizations where things like data privacy is an issue. And data goes through a lot of hands in the enterprise through IT once it comes into the custody of any organization that's handling it.
So that's the relationship there, and we've seen compliance be a primary driver for organizations this year. What about the cloud? I mentioned that cloud infrastructure security is one of the top priorities. And stepping back a little bit to the back story, we had a little bit of illustration of this, again, from Equifax. What we've seen in the last few years is this increasing abstraction of infrastructure away from the traditional physical environment.
We've seen this change evolve over the last decade or more actually, beginning with virtualization, which turned physical infrastructure into software and made it a lot more portable, made it a lot more elastic and scalable as a result. From there, we've gone on to evolutions like containers. And really, where containers began was to make it easier for application development to move from development to test to staging to production because you package all the dependencies of that application with you when you put them in a container. So it's a much more granular, much more modular way to effectively virtualize the IT environment. We're moving now toward serverless architecture.
And essentially what that means is service providers have figured out that the customer really doesn't have to be concerned about managing the security of the underlying environment. Their approach is, look, we'll put everything below the event horizon for you. We'll handle the security of the underlying infrastructure, provisioning, availability, all of that that enterprises used to have to handle even with their own virtual machines. All you need to do is give us your application logic. We'll make it available for execution.
In fact, we're not even going to charge you for housing it full time. We'll only charge you when it's actually used. So this event driven model is characterizing serverless computing, and it fits in overall architectures in combination with all these services to the extent we're now starting to see trends toward integration of these services and concepts called service meshes, which will imply another level of management to tie these together in a coherent and consistent manner. So keep an eye on areas like API security, for example. But as Sumedh illustrated yesterday when talking about containers, the portability and ease of movement of containers also makes it possible that we're going to just that we may see something in the nature of really orchestrated well arbitrage, if you will, across cloud platforms.
The example that Sumedh used yesterday is, let's say, a hyperscaler offers a sale on compute, goes on this limited time only. If you have intelligent enough container orchestration systems that can move those environments fluidly from one provider to another, why not arbitrage those platforms and get the most out of your investment? All this is helping to serve to drive the total cost of cloud the cost of individual cloud computing resources down, making it more of a commodity. These are all complexities that enter into the security manager's challenge. How do you get a handle on all these innovations and all these developments?
We see that the investment in cloud infrastructure security is the area where we expect to see greatest changes in spending in infosec technologies in the next 12 months. In fact, of the four areas where we see the majority of our respondents indicating that they will increase their spend, Cloud Infrastructure Security remains at the top, and that's kind of our overall categorization of embracing cloud security in all of the manifestations that I just described. Managed security services is number 2, and that's not terribly surprising. If you look at that diversity of the IT estate and the ways to implement and deploy IT, coupled with the ongoing shortage of skilled expertise in security, I mean, it's not that the field doesn't have appeal to new people coming into it. It's finding the people with the right level of experience to handle security strategy intelligently and respond to things like sophisticated threats.
Great opportunity for service providers. In fact, we've seen segments within security services that experience a boom because with emerging technologies, there's no one with the expertise in those technologies. The service providers have a motivation to invest and capitalize on areas like next generation endpoint security, hence the rise in Managed Endpoint Threat Detection and Response, or MDR. User behavior analytics, that speaks to what I said earlier. But again, that's a subcategorization of security analytics in a broader sense.
What are analytics that give us better visibility into the estate, to give us the ability to be more proactive, more prepared for dealing with the types of threats that we deal with today beyond just simple security operations. And automation of security tasks. There are a ton of repetitive tasks in security. Some of them are created by the technologies we use, like SIEM. But because of the breadth and complexity of the estate, we do need a lot more automation of things like routine response, if you will, to an emerging threat or a threat that's correlated to a specific vulnerability.
How do you automate response? How do you up the ante on defense to improve the resilience of the environment? Because as Philippe mentioned in his keynote yesterday, you will be compromised at some point. So the objective post compromise is how well can you contain that threat, how well can you respond to it, how resilient is your business against that threat. And automation plays an increasing role on a number of different levels.
So for all the investment in the cloud, and as much as it looks like the future of IT as well as infosec, it's still worth noting that non cloud environments aren't simply disappearing. In fact, we note that while the majority of organizations still maintain just a bare majority maintain an investment in non cloud environments, that's quickly changing. Last year, we actually saw that more than half of our respondents indicated that they were willing to move business critical applications to the public cloud. But at the same time, we see an interesting phenomenon going on.
Nearly half of respondents to our studies this year indicated that they plan to take an on premises modernization in place approach to their mission critical legacy applications. Is that a paradox? Is that a conflict? Did we do bad research? What's really going on there?
Well, it's not that unusual an anomaly. If you look at what the expectations of organizations are when they get involved in their cloud capital expenditure, shift it to OpEx, reduce the total outlay when you don't have to invest in your own infrastructure and all the benefits that come with that: resource scalability, agility, time to market and so on. But when organizations pull back from the public cloud, and we've seen 25% of respondents this year indicate that they were willing to move their public cloud investment to a private cloud hosted or on premises or a non cloud environment, we asked them why. Well, performance is part of it. If you have more direct control over the environment, if you're willing to make the investment and shoulder that burden, then you can get some performance gains for specific applications that need it. But cost, still up there.
Number 2, the same that was number 1 in moving to the public cloud. So what's really going on here? Well, what we see at 451, and we take our name from Ray Bradbury's book, Fahrenheit 451, so we tend to use literary references when we do our analysis. We're seeing this sort of getting past the first phase of cloud adoption. And part of the issue here is that it's been so easy to move to the public cloud.
In some cases, all you need is a credit card. It's very easy to get invested. It's very easy to not have to go through dealing with whatever process you have to deal with, with IT in order to get access to a very high degree of capability and compute. But we experience this on a personal level when, let's say, you sign up for an audio streaming service, it's only $5 or $6 a month, right? Only $5 or $6 a month to manage several gigabits of your photos, only $5 or $6 a month to have access to all kinds of sports in any market until you get your bank statement at the end of the month and where did your disposable income go.
Similar sort of issue playing out in some cases in the enterprise, where organizations are seeing what their outlay is. In some cases, it's redundant. In some cases, they have assets that they're paying for. They don't even remember or know why because the people who bought them have left or the assets that are at issue have just plain disappeared or have no use to the enterprise anymore. So we see organizations wanting to take a more strategic approach to their cloud investment, get a better handle on the investment for the benefit of the whole organization and not have so much redundancy and cost outlay, so they can avoid what's been called the Jevons paradox, which is the barrier to entry is so low that you keep adding on to your investment to the point where total costs actually are higher than they used to be in the past.
So it's not that people are retreating from the cloud. Far from it. As Experian made clear, the investment in the way that IT is done in modern cloud environments is setting the pace for the future, not only of IT, but for infosec as well too. But organizations are reaching that second phase where they have to be more mature and more strategic about their investments, and we'll see that in other areas as well too. Part of the reason is it's just plain resource sprawl.
There are so many choices to choose from, not just in the cloud and the way that IT is deployed, but in the way that IT is built and rolled into production. In DevOps pipelines, where continuous integration and continuous deployment is the rule, you have developers working very closely in concert with IT operations, thanks to the advancement in the fact that infrastructure is now software. That makes it programmable, so infrastructure is effectively code. That gets developers more directly involved in defining the environment. And by the way, that also means that security gets more directly involved with developers in defining the environment.
So one of the things was illustrated very well in the last talk that will define the future of infosec professionals is how strong is their background in development. And if you think that's bad news for the enterprise, it's kind of along the lines of we need data scientists, but we need people who are expert in security as well too. Well, good luck finding people who are affordable in either one of those fronts. Similar sort of situation with development. We will need to find infosec professionals that have skills in development, understand modern development pipelines and processes and tools because infosec increasingly has to interact with and interoperate and be knowledgeable about those tools and about these development practices and processes.
And today, most infosec professionals have come up through the ranks of dealing with infrastructure, and a lot of them cut their teeth in IT operations. That's changing now. And at the operational end of the spectrum, again, the diversity in the ways that technology can be deployed in the cloud. So there's no lack of choices, and this leads to sprawl in the investment in the IT estate. And that's something that infosec professionals have been familiar with for quite some time.
Many of you are familiar with this chart from Momentum was Momentum Partners, now Momentum Cyber, thanks to Dave DeWalt in part becoming part of their team. But this is something that they track every year, and this is their logo slide. It's roughly 2,000 security vendors. I don't think they have them all here. That jibes pretty well with our count of the total number of vendors in the infosec space, and this has been a problem for information security professionals for some time.
And a frequently cited case in point is the number of endpoint security products, given the trends in the evolution of the endpoint security market today. Most organizations have between 2 and, in some cases, more than a dozen endpoint security products. Why is it necessary to have multiple products that solve one problem? Well, InfoSec Pros have long been known for their preference for best of breed and their willingness to take risks and invest in emerging technologies. That's not uncommon and one of the things that fuels all the venture investment in the space.
But at the same time, at least almost half of those that we survey say that it's somewhat to very difficult to manage the sheer number of vendors that they have to deal with. And as IT grows more complex, we expect to see even more pressure to choose strategic vendors, not just in cloud technologies, but in security technologies as well, too. In fact, Jeff Moss, the founder of Black Hat, made a comment this year, and I think, Philippe, you might have actually been on the panel where this statement came up, where he said that, I'm guessing that maybe 20 companies in the world are in a position to actually do something about raising the level of security and resilience for everybody. Now implied there are Facebook, Google, Amazon and its reach in the cloud, Microsoft and its reach not only in the cloud but in the enterprise. But it's also true that if you're responsible for infosec budget and you have this fragmented and complex landscape to deal with, you are going to want to do what Experian illustrated.
You're going to want to make your investment in areas where you can have the most advantage from your spend and gain visibility across silos. One of the things about that fragmented security market is that we tend to concentrate capability and insight in these silos, which don't talk to each other to the point where it becomes difficult to put together a cohesive and integrated defense when you have that going on. So overcoming those limitations is one of the things that's driven the emergence of what we think of as the P word in covering Infosec, which means we've seen a lot of vendors that want to say that they're a platform. In some cases, that's a survival market? We have some markets where there are a number of vendors where the market itself is somewhat drying up, threat intelligence platforms, for example.
There are 1 or maybe 2 vendors with a real player in the enterprise these days and several more that are kind of looking for relevance in the face of advances in security operations. So for them, it's for everybody, they want to be a platform, but there aren't that many true platforms in infosec. And enterprises are aware of this. They're going to want to make their investments in the ones that truly do give them more of a platform strategy to attacking their most serious problems across this environment of both the data center, across applications and services, across their highly varied and increasingly burgeoning estate of highly compute capable and networked endpoints that give them visibility across the entire environment, on premises and off premises for both legacy and new IT. I'll talk a little bit about shared responsibility of IT and IT ops for infosec.
This has been going on for a while, and we feel it particularly among Qualys' customer base because of the issue at hand. Considering the legacy and heritage that Qualys has in terms of vulnerability management, we're talking about securing vulnerabilities primarily in IT assets. Remediation of those vulnerabilities has also been a shared responsibility with IT. But it's interesting to note when our survey respondents tell us who is the primary user of security technologies. You think the security team primarily owns these, and they may have influence over spend.
But a lot of times, in the case of endpoint security, the desktop team, they're responsible for deploying it. They're responsible for coordinating endpoint security with things like endpoint vulnerability remediation, patching systems management. Not that unusual. When we ask which team is primarily responsible for infosec products and services procurement, IT department. Again, much the same reason.
Who's most influential in making the investment in InfoSec? It's IT leadership. And as we see this continued integration of development and IT operations and the deployment of technology directly from developers through automated pipelines in a production and DevOps environment, we're going to see security become more of an adviser, setting guardrails. The business is not going to tolerate security putting roadblocks in the way of agile development and deployment. One of the worst things you can do is fail a build unless you've got a really good reason for doing so because those builds have to proceed towards specific business objectives.
So putting up guardrails, if you will, around what are good security practices in development and deployment is one of the objectives of working more cooperatively with IT teams and finding ways where in those cases, you don't have to necessarily fail a build, but let's say in the case of incorporating open source software into a project. There may be a vulnerability in a project, but is it actually exposed in the development that you're putting into production? Well, if not, do you necessarily have to fail the build? So there are better ways to solve problems, and we have to be more cooperative with IT as security professionals in solving them. Lastly, let's take a look at some of the recent evolutions in people and process and an aspect that's often overlooked in some of these trends.
And I'm thinking specifically of something that's been at issue here just in the last few months. We heard just a few minutes ago that security op centers may be decreasing, and which is true if you have an increasing dependence on cloud infrastructure and cloud providers that do a lot of the security heavy lifting for you. But what we see in most of the enterprises that we survey is that they're actually increasing their investment in security operations. And part of the reason for that is the increasing complexity of the endpoint environment, the increasing diversity of the IT investment and the fact that a lot of organizations are still dealing with their legacy tools for managing security operations, which again feeds into the security talent shortage. And it's not just in finding personnel, which remains pretty consistent.
Two thirds of organizations tell us they have problems finding personnel. 80% tell us they have a problem retaining their personnel because they become valuable, and that becomes even more pronounced in the larger organizations. So we've seen an adoption of security automation and orchestration to try to solve some of these problems because we've historically had people doing a lot of these automated doing a lot of these tasks for event escalation or pulling together the context of intelligence around a threat or an incident to get a handle on are we penetrated? And if so, how bad is it? We've seen developments like the ATT&CK framework, which is an initiative largely moved forward by MITRE.
It's a successor to things like STIX and TAXII, which is a way to make threat intelligence machine readable and characterize it in ways that security tools can consume directly, which is in turn inherited from some of the impetus to the web behind the definition of CVE and CVSS and vulnerability definition, for example. But now we see this logic applied to threat intelligence in ways that can modularly, if that's a word, describe adversary attributes, specific techniques and tactics. So you can correlate an adversary to their known techniques. You can correlate specific techniques and tactics to known adversary groups. And you can get a better understanding of the threat that you face.
And you can elaborate on this. You can include in a specific scenario the type of software you use. So for example, in the case of what Mandiant refers to as APT28, what CrowdStrike calls Fancy Bear, so basically a threat actor group acting in the Russian interest, uses Mimikatz, which is a well known credential dumping tool to pull credentials from memory in some cases, to gather credentials and use them to gain access to resources, attack the and penetrate the enterprise and move laterally from there. But what's missing in this scenario? This is all about the threat as far as this has been elaborated up to this point, but what about the target?
What is needed in organizations is a way to characterize the target in just as sophisticated and just as contextual a manner, so that organizations can build a complete view, not just of the attack and of the adversary, but of the targeted environment. When you first see the impact of an adversary, typically, you'll see it at the endpoint, what's changed about the endpoint. Do you know what endpoints you have in your environment? Do you know what makes for evidence of a threat at that endpoint? Do you know when they've contacted a gateway?
Is that gateway vulnerable to exploit? When they gain access to the back end server or service, how vulnerable is that server or service? How would you know if it's been compromised? They gain access to an application, to the application data? How do you know to build this scenario of what the likely outcome of an attack is likely to be?
You can't stop at intelligence about the adversary. You have to elaborate on that to understand the target as well, too. It gets even better because we already have tools that are moving in that direction. In fact, if we look at taking those organizations that have taken advantage of the ATT&CK framework, they're already starting to build an inventory of this information that's shareable in a public repository. And this is significant because this is what John Lambert of Microsoft has called the GitHubification of security.
The ability to pool this type of information together in a machine readable manner and managing it in a GitHub repo, GitHub repository, that anyone subscribing to the repository can then pull that information I should say, pull that information into their own environment and use to inform their systems. And anyone can contribute to it. So the same sort of community involvement in development that's gone into creating the boom in open source software is going to create a similar boom in security operations. And by the way, speaking of open source software, there's other aspects to GitHubification that you should keep your eye on as investors as well. One of them, and I touched on open source, if you're going to be incorporating open source software into your projects, wouldn't it be good to know if that software has a known vulnerability in it before you start building a production environment on it.
There are ways to do that. Qualys is investing in those now through software composition analysis. But there's another aspect of that to keep an eye on, and that's the fact that when software is pushed into or it's actually called pulled into a repository in GitHub, what a great time that would be to perform some automated checks on that software, including for security. That's not the only type of operation that can be done when software is pulled into a repository. So using pull requests as a point of execution for all kinds of processes, including security, is going to become a matter of increasing focus for development as well as operations teams.
So this notion of GitOps, if you will, operations that revolve around GitHub type processes will become more of a factor in IT as well as in security in the not too distant future. So again, getting back to the point at hand here, how well prepared is the enterprise in terms of its investments in strategic providers that can give them this visibility across this very diverse estate and that can see into each aspects of these processes and give them the information they need to understand the progress of a threat and even before that to build a more resilient environment. But once a threat appears in the environment, to give them the context they need to perform efficient and effective response and remediation. These are objectives we expect to see more of in the enterprise going forward. So with that, I don't want to keep you much further from your lunch, but I will take questions if you have any.
Well, it's always good. Okay, go ahead. Just had a question about your comment about the target. In your case, it was an application. Do you feel that most of the attacks that happen have a known target in advance?
Or do you think a lot of them are just we're trying to penetrate and depending on what we where we penetrate how, then we decide what the target will be, whether it's to take information or disrupt the company. It's pretty diverse, which makes prioritization based on threat model a real challenge for organizations. At the one end of the spectrum, they have to deal with these industrialized threats, if you will, where you have someone that's looking pretty openly for vulnerabilities, and we saw that in a very extreme way with NotPetya and WannaCry. So there's that end of the industrialized spectrum, which is very opportunistic. There's another end of the spectrum that is more strategic, and they have specific assets in mind.
So in the case of Equifax in the Equifax breach, for example, they clearly had an idea of what kind of information is available there. They also knew that there was a Struts vulnerability in that in the applications that exposed that data to public networks. Put 2 and 2 together, it's not too hard to follow the thread. And that feeds into a third trend, which is as soon as vulnerabilities are made available, they are capitalized on by adversaries very quickly to the point that 0 days, which was a big deal a few years ago, this move to capitalize quickly on vulnerabilities being very opportunistic is really kind of setting the pace for the more sophisticated adversary. So it's really across the spectrum, and it depends on the adversary, which makes the defenders' dilemma all that much more difficult.
They have limited resources to spread across the entire estate. The adversary can focus on what they want to. So being prepared for that more sophisticated future, behooves organizations all the more to have a more strategic approach to defense. Anyone else?
Okay.
Just one question. When you got the survey back that you did on what was the thing that surprised you the most? Like, I mean, you had a pretty good sample size like when you went through it, just you personally when you saw that? Which ones? In terms of the survey, in terms of moving in the cloud and why everyone was moving in the cloud in terms of the survey, what was the thing you thought was most different than you expected before you did it?
The one that really stood out was the on premises modernization in place. Because of the responsibility you're taking on for managing your own assets on an ongoing basis, there has to be something really compelling for that. The advantage that means for a strategic vendor in security is that if you cover those bases from the cloud to on premise, then you have a better footing for dealing with those enterprises, immaterial to you, whether they make the investment on prem, off prem, modern, legacy or whatever. But that did surprise me because primarily the cost factor of moving to the cloud. It's a lot more efficient.
You need a lot fewer personnel to manage it. The provider themselves does a lot of the security management for you. So we see it linking back to that Jevons paradox. Total spend has gotten to a point where we need to be more selective about our strategic investments in the cloud and prioritize accordingly. On prem and legacy isn't going away.
Okay. So no more questions. So thank you very much. I think now we have lunch, which is served next door. So again, thank you for coming and we could continue our discussion there.
Okay, so thank you very much indeed.