Qualys, Inc. (QLYS)

Online Investor Day 2018

Jun 13, 2018

Speaker 1

Good morning and welcome to Qualys 2018 Analyst and Investor Day. Today, we have a series of presentations from the Qualys executive team, including a product demo by Sumedh Thakar, our Chief Product Officer. Before we get started, I'd like to point you to our safe harbor and our management presentation, given that we expect to make forward-looking statements during the event. Our risk factors can be found in our Q1 press release as well as our latest SEC filing. Our non-GAAP to GAAP reconciliation can also be found in our press release as well as in the appendix of this presentation.

At the conclusion of this event, a replay of the webcast along with management presentations will be made available on our IR website. We will open for Q&A once the presentation is finished. So you can send your questions in at any point throughout the webcast by using the questions button at the top of your screen. Please include your full name and company name before answering the question. And with that, I'd like to introduce you to Philippe Courtot, our Chairman and CEO.

Speaker 2

Good morning, ladies and gentlemen, and welcome to our first online Investor and Analyst Day. Today, I will discuss the many achievements we have accomplished and after me, our Chief Product Officer, Sumedh Thakar, will highlight the significant enhancements we have made to our cloud platform and update you on our 2018 roadmap and deliverables and also give you a few demos of the new solutions we're bringing to market. Finally, our Chief Financial Officer, Melissa Fisher, will highlight our financial model and introduce our long-term model and new metrics. As you all know, we have been continuously expanding our product offerings one app at a time. Like Amazon, which started with books, we started with Vulnerability Management and have now expanded our TAM to more than $20,000,000,000, all delivered from the same platform. This will enable us to build a multibillion-dollar company by consolidating the existing security industry while helping customers secure the digital transformation.

Melissa will also be giving you more color regarding our TAM. As I said earlier, starting with Vulnerability Management, we have built a sizable global customer base. And with the new services we're bringing to market, we expect accelerated adoption of our offerings across enterprises and SME. Now this is now all reality because of the significant expansion we have made to our cloud platform, and Sumedh will discuss this in more detail in a few moments. In essence, we are now in a unique position to help our customers and prospects consolidate their security and compliance stack, enabling their digital transformation and considerably reduce their spend.

Our platform adoption is accelerating as you can see in these slides. And Melissa will introduce today a new metric showing the percentage of enterprise customers that have now adopted more than 5 solutions. Now as importantly, our platform approach is now providing us a unique, cost-effective and disruptive way to reach out to customers and prospects as we can instantly deliver new apps across the globe either as a free or as a paying service with no software to install and maintain and at almost zero distribution cost. For example, we launched 2 new free services, CloudView and CertView, just a few weeks ago, and I'm pleased to announce that we have now more than 1500 new companies and close to 2,000 existing customers that have subscribed to these new services. Now let me share with you that another free service to address the needs of security consulting organizations and MSSPs is on its way.

Its main purpose is to evangelize the value of our offerings when compared to other competing solutions. Last week, at the Gartner Security Conference, we introduced a groundbreaking and disruptive new app, which will go beta at the end of this month. As you would see, this represents a significant milestone for Qualys as companies like Splunk have successfully moved from IT to security. Qualys is now moving from security to IT, solving a major problem for companies across the globe that is giving them a complete view of their global IT assets with a continuous assessment of their security and compliance posture. This also allows us to go directly to the CIO to position the unique value of our platform.

You may also have seen already that our Container Security new app went GA yesterday. Now another milestone for the company is our full entrance into the federal market, which until now represented only 1% of our revenues. Our late entrance was due to the fact that until now, the federal market was not ready for the adoption of cloud technology. Last week, we launched our Gov platform with great success and announced the intent to acquire Second Front, an innovative company with a superb team composed of experienced federal executives. We are now commencing the regulatory approval process necessary for us to be able to close this transaction.

With the impressive suite of new services we are bringing to market, we see an opportunity to increase the volume of business to our large network of existing partners as well as finding new ones on a global scale. We also will shortly make an announcement regarding the expansion of our channels dedicated to the government market. As you may recall, we announced at the Cloud Security Alliance Summit a few weeks ago a new series of conferences and roundtables focused on bringing CIOs, CISOs, CTOs and industry leaders together to exchange experiences and ideas on how to build security into the very fabric of the digital transformation, building security in and stop bolting it on as we have done in the past. I'm happy to introduce today that our first 2 CIO CISO interchange events will take place in October in D.C. at the Reagan Center and in December at the CSA Conferences in Orlando.

Now in this age of the digital transformation, security needs to be reinvented if we want to secure our enterprises that are faced, as we all know, with a continuous barrage of attacks that existing point solutions are ineffective to protect against and costly to deploy and maintain. So working with our large customers, both enterprise and cloud vendors, as well as with the Cloud Security Alliance, we devised the 5 new tenets for security that will help us build security into a hybrid and hyper-connected new world. These 5 new tenets are visibility, accuracy, scale, immediacy and a new concept that we call transparent orchestration that Sumedh will discuss next.

With this, I would like to thank you for attending our first online Investor Day, and Sumedh will now discuss and demonstrate the unique and disruptive capabilities our cloud platform is bringing to the IT, security and compliance market. And I look forward to your questions toward the end of our presentations. Thank you.

Speaker 3

Thank you, Philippe. Hello, everyone. I'm Sumedh Thakar. I'm the Chief Product Officer for Qualys. And today, I'm going to talk about the enhancements that we have made recently to the Qualys platform, the architecture and an update on some of the new apps that we have recently released and the new apps that we are going to release through the rest of the year and how we're actually working with our platform to be able to address this new wave of digital transformation that is going on.

And so I want to address the 5 tenets of security that Philippe talked about earlier. And really the digital transformation is enabling a lot of innovation in IT. This is really an opportunity that a lot of organizations are taking today to be able to redo security from scratch as well as they're doing their IT from scratch. And what we see to be able to do security the same way as the new IT infrastructure is being developed. It requires the ability to have this continuous visibility, the scale, the immediacy, of course, the accuracy and of course, a really clean way to transparently orchestrate security into this new IT infrastructure by building it in and not bolting it on as has been done for a long time where IT has been developed in a silo and then you throw it over to the operations team, which then has to buy multiple different tools and put them and slap them around the IT stack to try to bring security to this particular stack.

And what we see is a lot of solutions out there today are really not built for this wave of digital transformation, where the movement is going to the cloud and the containers and the speed and the scale at which this agility is being achieved. And I think that's really where Qualys platform has that advantage because of the architecture where over the last multiple years we have developed a lot of different sensors that bring a lot of telemetry information across the globe from multiple different types of infrastructure in a single place where we can now use the latest technology, use the latest analytics, the latest reporting engines to provide different views, specific views of that particular IT security compliance need that a particular team has by giving them various applications like vulnerability management, file integrity monitoring, indication of compromise detection, application scanning, et cetera. And while we give the individual team that particular view, all of the data related to security compliance is coming into that single platform, which makes it significantly easier for them now to actually do analytics on top of this platform because all of this information is already collected and doesn't have to be put together by deploying multiple different solutions and trying to get them to integrate with each other.

And of course, the key component of this platform is the back end, which is highly scalable. We've worked on this for multiple years. We continue to work on this. We've injected a lot of new technology into this infrastructure. A lot of the new stuff has been deployed, leverages the latest trends in IT, the latest open source technologies as well as leveraging microservices and then using the CICD DevOps capability to continuously release updates to the platform in a very transparent way to the customers.

So the way the platform works at a very high level is that a lot of these sensors are sending data into the platform. We've deployed a very robust Kafka streaming backbone, which today is doing about 2,000,000,000 messages processed every single day on the platform. And at a very high level as these data points are coming in from the sensors, various microservices pertaining to the specific individual applications are then picking up this information, processing it and then showing the specific view to the specific IT security team, while at the same time being able to correlate the information across these various different applications natively in a single sort of a view, which then really enables them or helps the customers to be able to do the sort of visibility and then the response and all of that in one platform and not having to go to various other platforms to try to consolidate that together. The other critical component of the platform is the various plethora of sensors that we now provide our customers. And again, these sensors are highly scalable.

They can be deployed at scale leveraging APIs, leveraging automation across the globe. They are self updating and centrally managed, which means that we take out a lot of cost and resources that the customers have to put in to just be able to update and manage these sensors as we see with a lot of legacy solutions. And so that brings that scalability. And today we have different sensors available, we have physical sensors, which are appliances that can be deployed in physical infrastructure. We have virtual appliances that are available in 11 different hypervisors that can be deployed in virtualized infrastructure.

We have certified cloud sensors. These are certified in Amazon, in Google Cloud, in Azure. We also now have a container sensor, which can be deployed in the container environment. Of course, the cloud agents are extremely popular. They go on on prem infrastructure.

They are deployed in Elastic Cloud environments as well as endpoints like laptops, which then provide again that capability to follow that device with the network where it goes around the world. The acquisition of Nevis Networks gives us the ability to have this passive scanning capability where we can monitor the network activity and this again sensor enables us to do multiple different things, which is also one of the things that I'm going to talk about is the recently released our global IT asset inventory and discovery capability where we can discover new devices on the network in near real time. And then of course, you can also leverage the same sensor for looking at network activity for network-based indication of compromise detection, et cetera. We do invest a lot of infrastructure for our APIs. So we have a robust set of APIs, which are being used today by a lot of our partners and customers to exchange data with these other platforms, which again helps us bring that additional enrichment of data into the Qualys platform.

And so with that, a combination of agentless, agent based and passive capabilities, we are now taking this approach where we are agentless only or agent based on your customers, the ability to decide which sensors make the most sense in the different infrastructure that they have to look at today. And with the combination of that, we can bring all of that data into the back end that I talked about earlier. With that, we are able to provide a capability where our customers can have a unified approach to those detection prevention and response across the various hybrid infrastructure that they have to deal with. So while a lot of customers are building infrastructure with the cloud and going into the cloud, they still do have to work with their on prem infrastructure, which is not exactly going away completely. They're still the corporate environment, there's IoT device in the network, IP phones, there's physical desktops.

From an endpoint perspective, they still have to deal with the laptops, they still have to deal with these laptops that are outside of their environment and traveling globally. And of course, their multi-cloud strategy. And so a lot of the sort of solutions today that are available, which are cyber solutions, which are point solutions are either really working only mainly on the on-prem environment. When we look at some solutions like 10 100.7, you look at endpoint solutions really like Tanium, which are really focused on the specific endpoints or solutions that are only cloud based or usually cloud focused like CloudPassage or something like that. And so they don't really provide this sort of a unified single platform visibility.

So when you have to ask the question or customers have to ask this question where they want to know how many devices in their environment have a specific version of software or hardware or they want to know which of them are actually susceptible to WannaCry or have a particular service. And I mean with the Qualys Cloud platform, they can get that visibility across all of those environments in a single view, whereas with other solutions, they have to go to multiple different answers to try to collect and get that information so that they can actually get that visibility across the environment as to what's going on. I wanted to focus a little bit on the recent acquisition that we did with 1Mobility. So this now, again, gives Qualys a unique capability to also have the agents, Qualys Cloud Agent, and extend them to iOS, Android and Windows Mobile devices, providing the ability for our enterprise customers to now keep track of and manage and monitor all of their handheld devices that they are leveraging today in their environment to conduct business. You walk into a bank, you walk into any store today, they do a lot of the customer interaction and solution providing directly on handheld devices, tablets or cell phones, which are provided by the organization and a lot of the organizations don't have the full visibility of what the security and compliance posture is of these devices where they are providing a way to lock them down.

And so with this acquisition, we can now bring millions of these mobile devices into the Qualys platform by providing asset view, vulnerability management, compliance, threat detection, policy enforcement capability to these devices as well. And this is a beta that we are tracking for providing towards the end of this year. Just a quick refresher on the quality platform. They're extremely popular. As we published earlier, we have signed 1000000 collaborations that extremely lightweight, very unique approach.

They are delta based. They don't do any processing on the endpoint except collect telemetry information and push it back to the Qualys back end, which I showed earlier. And then because of that, we collect the data only once and then we are actually able to process this data in multiple different ways to provide different views from the LME assessment, configuration assessment, file integrity monitoring, indication of compromise detection, certificate view, all of that off of that single agent that we have deployed. And because the agent does not do a lot of stuff on the endpoint, it's an extremely lightweight and low-impact agent. With the back end, with that platform, with these agents and the acquisitions that we have done, we are now really providing our customers an integrated suite of cloud applications, which is consolidating multiple different point solutions.

And there may be legacy, there may be new age solutions, but a lot of them are point solutions. So we're able to provide multiple capabilities now on the same platform across asset management, inventory, CMDB synchronization, inventory of cloud services, inventory of certificates. We are now supporting IT security, covering the spectrum from vulnerability management to malware detection to certificate assessment, container assessment, cloud assessment from a compliance monitoring perspective, providing again multiple different capabilities using IT security and compliance together with policy compliance, which is configuration assessment, file integrity monitoring, which again is a cyber solution that customers have to deploy just for that purpose typically. We also, of course, uniquely cover web application security. We have a large number of customers that are doing application scans off of that same platform as well.

And so while there's all these different apps, if you read the use case that with acquisition of 1Mobility, we look at the end-to-end use case that the Qualys platform is enabling, which is really unique is that now not only can we tell an enterprise exactly where their handheld mobile devices are, what's running on them, how are they locked down, where are they, but that mobile device now is running some sort of an app, which is connecting to a back-end service via REST APIs. So with the web application scanning support, we recently announced for scanning of REST APIs with Swagger support. We can look at the security of not only that handheld device, but also security of the back-end APIs that are being leveraged. That API has been served most likely on a new microservices container-based system. So now with the container scanning capability we have, we can assess the container security and compliance itself.

Those containers are running on some sort of a CentOS host, which has its own security configuration requirements. And so the provision we can assess and monitor the configuration and the vulnerability assessment and the file integrity of that host itself. That host is most likely a virtual machine or a workload that is running in AWS. And so now with CloudView, we can monitor the infrastructure, the platform as a service components being used in that account. So if that container is now accessing some S3 bucket, we can actually now provide the visibility of the S3 bucket, the configuration of that S3 bucket, we can provide the visibility into the security groups that are being deployed in that particular account.

Most likely the services running in that account are also communicating back to the on-prem infrastructure because there is some AIX server and some Oracle database that's on the on-prem infrastructure, which is doing certain core processing, which nobody knows who owns that and nobody wants to touch it. Qualys scanning is able to provide that visibility across security and compliance of that particular device as well. So now if you look at that back-end data all the way through this microservices, through cloud, through APIs, all the way down to the handheld device, we provide now our customers with this integrated platform that continue to view end to end with a single platform without having to go and deploy multiple different solutions and then trying to make that work with some sort of a SIEM solution. This is that single pane of glass that we talk about. If you look at the 5 tenets that we talked about earlier, when you look at visibility, we're providing that 2 second visibility when you look at accuracy.

We're tracking all of our accuracy because we see the accuracy of all of our sensors. So we're tracking at 6 Sigma accuracy from a scale perspective today. As I mentioned earlier, our Kafka message bus is doing about 2,000,000,000 messages every single day. We have 250,000,000,000 data points we're indexed in Elasticsearch clusters with millisecond response times, we're doing 3,000,000,000 scans every year. And this is helping customers really deploy a platform where they're getting visibility across multiple different application requirements without having to deploy individual point solutions.

Now to get to this point today, there's still a lot of silos that our customers encounter. Organizations have continued to build different teams for data center security, corporate endpoint security, cloud security, application security, the DevOps SecOps team, the IT other team. And a lot of them go out and they buy their own different solutions and then they have to have different consoles and different agents and that creates a bit overload and then they have to go and deploy some sort of SIEM solution on top to try to get that visibility, which adds cost, which adds complexity. A lot of time, 2 solutions will never agree on what a specific identity of a single host is because they see different IP addresses or they see different things because of where they sit in the network. And this is a mission not just with the legacy solutions, but even next generation latest solutions that are out there and are also focused on individual use cases and are very much point solutions. So the solutions like Twistlock and Aqua Sec are very focused only on mostly on container security and solutions like Evident.io are very much focused only on the security assessment of the cloud platform as service components and not on the workload itself.

And so this is really a hindrance for customers to get to that automated continuous monitoring and response that they really need to have for a very good end to end security architecture where you really need the ability to discover everything in your environment continuously, the ability to continuously patch your systems, looking at the hygiene of the system, looking at the availability assessment, ensuring that all those discovered assets are actually being assessed from a prevention perspective, the ability to detect activity that is anomalous ability to detect file changes, network activity, endpoint activity. And if you have accuracy across all of these and you can collect all the data at scale, then you can look into doing some sort of automated response and then actually be able to kind of create the sort of resolution into it. Because of what we talked about earlier is these are a plethora of point solutions are making that significantly more complicated to achieve this. Now the good news is that the DevOps revolution, which is accelerating to the transformation, has really given new capabilities and a good partnership with security where a lot of the security, hygiene security issues can be identified and fixed in the development cycle itself.

And that reduces the amount of issues that have to be looked at after the fact. However, while that is true, there is also another aspect of security which has always been there and which kind of is ignoring the whole noise of DevOps, which is the SecOps. So security operations team, while DevOps looks at those images or looks at the configurations upfront when things are being built and eliminates some of the vulnerability and some of the configuration issues. Once those things go into production, they still need to be monitored by looking at what they're doing, where they're going, what's being installed on them. And that typically gets sort of ignored when we look or focus only on the DevOps side of things.

And so these two things, which is the sort of the security DevOps and then the security operations team, they together really make the basis for a good security compliance solution. However, a lot of the point solutions that are out there today, whether they are provided by the CI/CD software providers only focus on DevOps or the traditional security solutions and they're only focusing on the security operations side of things. And what customers are really looking for is a platform where they can really build that security upfront into the infrastructure, but then also be able to monitor that infrastructure once it actually goes out to production and then be able to take the necessary action. I believe this is really where that transparent orchestration is really being given a framework by cloud providers like Azure, like Amazon, like Google Security Center, where they are now providing a framework where security can be transparently integrated by working with vendors like Qualys where they can actually build in the security much more transparently to the end business unit that is deploying these things into the cloud while still giving the security team the visibility across all of their entire infrastructure in the Qualys console itself.

And so we have a very unique integration that we have done with Microsoft Azure, which I'm going to demo a little bit later. But the end business unit does not need to know the end user who's deploying things in Azure really does not need to know how the security solution is getting deployed and how it works. They just need to go and check a box saying, yes, I would like to have this capability and then it gets integrated seamlessly. We had also Capital One who did a fantastic case study at our booth at RSA and I borrowed the slide from that presentation that they did where the Qualys platform is really one of the very few platforms that is being able to provide that ability to make that security the same platform can provide the DevOps capability as well as the SecOps capability. And today when they go out, they build images, they get code images, they build their own images, they provide their developers self-service access to be able to ensure that images that are being built are being scanned, configuration, vulnerabilities are being fixed upfront.

Once those things are fixed, then they are hardened and approved by the security team. Qualys agent gets injected into each of those images and then they get promoted with the CICD pipeline as approved, gold image and AMIs, which then go into the cloud environment or on their on prem environment as approved images. And then all of the images and the instances get spun up from that. So now this right side is the security operation side of things where once the infrastructure is running, the platform or the infrastructure is already orchestrated with the ability to monitor what's going on when this thing is out in production. And now they can get the visibility of the DevOps as well as the SecOps all in one single platform and they will have to put multiple different solutions together.

And the beauty of this is that all of this is done via APIs. So every single step in this process is fully automated so that they can continue to get that end to end ability to do DevOps and SecOps with a single platform, which again is quite unique with the way Qualys does things. The platform itself continues to be enhanced with the ability to be deployed on prem for as a private cloud platform as well. So today, we do have multiple customers that have this platform deployed. It's the same code base.

The platform is available as a private platform, either as a hardware version, a virtualized version or a cloud version. So whether it's AWS or Azure, and we're also working with a version for Google Cloud. They are going to be partially fully managed by Qualys. The platform from Qualys already is FedRAMP certified. We just recently also announced the deployment of the Qualys Gov platform.

So we have a platform now that's FedRAMP certified, fully dedicated for government organizations with all of the additional requirements that they have around FedRAMP, all satisfied with this particular platform. So we have 6 public platforms, microlearning platforms that we have deployed, 3 of them in the U. S, 2 in EU and 1 in India. We provide, of course, 24x7 monitoring upgrades across the globe would follow the same model. And then we have over 65 private platforms that are also deployed across the world with end customers as well as managed service providers so they can provide Qualys services within their specific region or to their specific set of customers without the data actually leaving their environment and Qualys brings that technology to them.

We have already released this year Certificate View, Cloud View, Container Security as well as the data of the Global IT Asset Inventory, which I'm going to talk a little bit about. And then we continue to work on bringing more new services in the second half of this year, which include a bit of patch deployment, patch management capability, the passive network discovery capability, which is coming as a beta. We're looking to take the global IT asset inventory GA as well. The secure access control, which is the MAC, and I got that repeated for some reason, as well as the certificate management. So we have a certificate view now with any certificate management as well as cloud management. And then the Secured Enterprise Mobility is that integration that we're doing with 1Mobility acquisition under Qualys platform. So we plan to do a preview of that in 2014.

So as you can see, because of the architecture of the platform and because of our agility that we are able to bring multiple new services to the market in a very short amount of time. Something we did this year is we launched community editions of some of our services. And again, because of the architecture, because of the platform, we are really able to take our services like CloudView, like CertView and then provide all organizations globally a free service that they can leverage to get real value out of this sort of cloud view. They get to see all of the inventory of the multiple different clouds in a single interface for free. This is what most of the functionality of something like Evident.io does today.

And then from there, we have the ability to provide assessment to them, which is something that they will upsell to for going from that free monitoring service to assessment. And the similar capability we provide customers all of their perimeter certificates we discover for free. We assess them. We provide them the ability to look at expiration, issuers, security of those certificates for free.

And then if they would like to do that for their internal environment is when they upsell to that service as well. Another new service we are launching this year is the community edition for consulting SMBs and MSPs around the vulnerability and management capabilities. So we have a lot of customers who are necessary for customers who are kind of being pushed into going into Tenable.io are coming to us. And because of their going to the cloud, they are looking at going to the best and most trusted cloud provider for these services that have already been there for a while. And so this community edition for those customers is going to even make it easy for them to try the platform and then switch over in a much, much easier and pain free manner.

And so this is something we're quite excited about and we'll be releasing this soon as well. I want to take a moment to talk about the container security that just went GA a few days ago. And so again, this is a solution that provides visibility, security and compliance capabilities around containers. So there are a few solutions in the market, which are looking only at container security and going to integrate with the rest of the platform. So with the Qualys solution, we have container sensors that go into the Jenkins CI/CD integration that go into the run Docker hosts so that we can monitor those running containers fully integrated with the Qualys platform.

So now not only do we provide customers the ability to assess the images in the DevOps cycle before they are certified containers spun up from those certified images in production to track any drift that is happening on those containers so that once they become active, if new things are being installed on them, we also provide the customers that ability. So again, we've got a lot of positive feedback and this is something that our customers are quite excited about. And this new beta that we're launching very soon this month is also very, very crucial to a lot of our customers. This is very IT focused, not necessarily security. However, security really cannot do a good job if they don't have that ability to have a full visibility of their entire IT asset inventory.

Pretty much CMDBs are always out of sync and never reliable. And so you cannot really secure something that you don't know exist. So this is where with our scalable platform and the combination of the multiple different sensors that we have, we're now launching a service that enables these customers to scan their entire network or use the agents or use the passive sensor, which is coming out soon, or the mobile devices, cloud connectors to get that source of truth information of all of the various hardware assets that they have on their environment, bring that data into the platform, normalize that information, categorize them into hardware, software end of life and enrich that information with additional metadata and provide that same asset view like 2 second visibility across all of their infrastructure to find and discover all of these assets and then synchronize that with the CMDB. So this service will really help security folks work closely with IT and all organizations in the world really need a service like that because they don't really have a good handle of what is on their environment and they need some sort of a source of truth. And this is something that with the combination of our sensors, we're going to focus on.

And now I'm going to give a few demos of the various services that we have talked about. So now I'm going to do some demos that highlight the various tenets of security that Philippe talked about starting with visibility. So with customers are now able to go and look at any hardware, software devices that they would like. So in this case, I'm looking for Lenovo devices. We're looking for multiple millions of records to find exactly the devices that match Lenovo and then drill down into being able to group them by the model number, for example.

So across their entire estate, they can find exactly for a given model how many devices actually are for that model and for that manufacturer. So in this case, it's 115. I can then go and do the same for software, for example. So in this case, I'm looking for specific software that's installed throughout the entire environment across the various environments on prem cloud. In this case, I'm looking for a AIR, Adobe AIR's version 22.0.0.153, and now I can see 401 devices that actually have that software installed on it.

I can then pull it based on the information that we get from the CMDB, which allows us to look at the tags, which could be location based tags, business unit based tags, so it could be a QA device, it could be a device located in a different country, like in this case, I see 22 finance devices that have that version of software installed. Clicking on it gives us the ability to go drill down, look at the users from finance who are logged into those devices. I can then go and type a different search by the username. So in this case, I'm going to go find my own username. Just by putting a username, we can find all devices throughout the environment that have that user's account on them wherever they are globally across any infrastructure.

In this case, I'm gonna find this laptop. When you pull up that information in one place, you can see everything up to date information about the asset, about whether it's about the location of the asset, whether it's about just IT inventory of the asset or security or compliance. So in this case, you can see we're looking at everything from bios information, volume, the video services that are running, everything is searchable. You can then go and look at the users that have accounts on that. So when you have a compromised user, you can go find all devices that have that user's account on it, multiple network interfaces, bringing those together, open ports, running services, install software, the various version of software that's installed, vulnerability information near real time.

We also bring not just the vulnerability information, but also sort of this threat information. So with our Threat Protect product customers who actually use this product can see a threat view, which not just talks about severity vulnerabilities, but also active threats and exploitable vulnerabilities. We can look at configuration compliance in the same place. So typically, these are different products, but now I can drill down for this device and find all controls that are failing encryption. Against CIS benchmark against my own standard, again, in the same place in maybe this is a server, in which case I have turned on file integrity monitoring.

I'm watching the host file on the system. So all events related to file integrity violations, if that module is enabled, then the agent will also come into that same place. I'm gonna take another example of a device where we detected WannaCry. So this is the device ID that I'm gonna type in and that will now pull up the device. So in this case, when I pull up the device, I can directly go to the indication of compromise detection and be able to find exactly why we have discovered that this device has WannaCry on it, what the score is.

But more importantly, I can also immediately go and see all the other relevant information that we have brought from the different sensors because maybe it's related to a configuration. So the password length minimum password age, for example, is failing on this control. We can go and see if there are vulnerabilities on this device that may have led to WannaCry, so are there WannaCry related vulnerabilities? Maybe there are other ways leveraging the threat protect capability that bring other exploits that might have been executed or that could have been executed on this device in one place. So we can again go on and look at the installed software to really investigate.

So when you talk about investigation, this one place with all the sensors for bringing this data together, we can really go and do that investigation. Another interesting use case is as organizations are looking, for example, in this case, we're looking to say, we want to only have Windows 10 in the environment. So here I am going and looking at all Windows devices in my environment that are not Windows 10. So extremely easy to write custom queries across the global IT asset space. Here, we find that in the environment, the devices that are Windows and not Windows 10 are 361 devices.

So you can see Windows 7, there's Server 2012, you know, Server 2008. So we can, of course, eliminate those. But just as an example, this is what I want to track and how am I doing on a daily basis. So, right, from here, you can go and create a widget. So as customers create widgets extremely quickly, Now in this case, I'm going to name it as unapproved Windows Devices.

And I'm going to compare that against all Windows devices. So that is the percentage now I can see very quickly our Windows in this case is 35% right there without having to take this data into other solutions like Splunk to try to do the trending. Right there, we can collect all the information on a regular basis. We can give colors to these widgets. So you can say when everything is good, it's green.

When the value of this, let's say, acceptable percentage of non Windows ten devices is 10%, I can create a threshold, give it a specific color, so that now you can see that any time that the threshold is above 10%, it's going to turn orange. I'm going to create another rule where I have another level where it is, say, 25% where then it needs to turn red. So in this case, I'm going to say, let's make it red. Let's see if I can click this one. Alright.

There you go. And then a custom value of 25%. So that didn't quite work, because I did less than, but anyway I need to do change that. I can, of course, delete this rule and again start from scratch and write a rule that is more focused on saying it's more than 25%,

Speaker 2

And the value

Speaker 3

is put the color and say more than 25%, 25%.

Speaker 2

There you go. And you

Speaker 3

can now immediately add this to the dashboards. As you can see, in a matter of few seconds, you can literally track anything, any devices in your environment by hardware, by software. I can move around and create this dashboard and start to track that on a daily basis. So as you can see with the capabilities that we're bringing to our customers, it's extremely easy and very quick for them to pretty much track all of the assets, whether they're hardware, whether they're software in a very easy manner. The next example I'm gonna show is about the transparent orchestration.

So this is what I talked about earlier about Microsoft Azure. The security center in Azure has a lot of interesting capabilities, especially bringing security right into the infrastructure. So they provide recommendations. We can extremely easily highlight the devices, for example, in this case, where those virtual images are missing vulnerability assessment. You just click on it and say install VM and immediately in the background without the user having to know Qualys agent gets deployed and the user doesn't need to know how to get that agent deployed.

That's all taken care of in the back end. And then when you go back into a security center, all the findings are pushed back into that security center and customers can see all of the various vulnerabilities being reported by Qualys right there in Azure Security Center. And as you can see, they can look into what the issues are by clicking and getting into the details. And this is really very helpful because as you can see that they don't really have to go and go to other console. And with the new paradigm automation orchestration is again being built into the cloud environment, so you can create playbooks from here and you don't need to get other orchestration solutions deployed separately because the cloud providers are really providing this capability themselves.

And now that's for the DevOps side. Now I'm going to also talk about the SecOps, as I mentioned. So here, this is a security operations view. They want to see the various data points come together in one place. So in this case, whether it's AWS, Azure, on prem, mobile devices, laptop, you can see the IT information, security information, the compliance information.

All of it is coming together in the same concept for the security guys, And now they can click drill down, get into the details of the various applications. In this case, I'm focusing on CloudView. They can go into a specific VPC, for example. Clicking on that VPC is gonna highlight the various PaaS services that have issues. So in this case, I have a web dock bucket, which is an S3 bucket that has an issue.

Clicking on that, it shows other customers right there. So this is something that Avidom mobile provides, shows the customer right there what they have to do to remediate it and then they can click on it and immediately remediate that as well. So now you can go back and then there's also the workload that's running in there. And now in the same console by clicking on the workload, we saw all the vulnerabilities, it's running container, we show all the vulnerabilities on the containers. By drilling down into the details, we can show all of the vulnerabilities in the container as well.

We can show the software that's installed on each container. So as you can see, instead of getting different point solutions like Twistlock and Evident.io and then some build tools, use a Jenkins plug in, we can actually have that something in the Jenkins console as well. So now let's give another example here of that IT asset inventory, which we are releasing as a beta in June. So here we're bringing all of that information together related to the classification, the various infrastructure service providers on hardware, information operating system.

We also categorize what client devices versus hardware devices, so server devices. So on the server side, we have hardware versus operating system. We have virtualization information because assets are not just physical servers, but all of the virtual images and containers as well, bringing all of those together as well as the PaaS services being leveraged in one console, then we get down into normalization and we can discover web servers, databases, various different commercial and non commercial solutions. So this is that IT asset inventory. So the last demo I'm going to do is something that is pretty cool.

It's a little test app that we put together that highlights what cloud providers working together with SaaS sort of cloud deployments can actually do with API to API integration, really be able to bring that security compliance information not just to the fingertips but to the tip of the tongue of the security professionals in a way that we use on a daily basis. Okay. We will talk to Qualys Cloud Support.

Speaker 4

Alright. Getting the test version of Qualys Cloud Support. Hello. How can Qualys help you?

Speaker 3

How many cloud accounts do I have?

Speaker 4

You have 15 accounts in AWS, 5 accounts in Azure, and 1 account in Google Cloud.

Speaker 3

How many resources do I have in AWS?

Speaker 4

There are total of 16,823 resources in your AWS accounts.

Speaker 3

What is the current security assessment for the marketing production account?

Speaker 4

There are 5 control failures and 3 are new.

Speaker 3

What are the 3 new failures?

Speaker 4

There are 12 S3 buckets which have public access enabled. 1 security group allows unrestricted ingress access to port 22. 5 instances with public IP have exploitable vulnerabilities.

Speaker 3

Post the control failures to SOC Slack channel.

Speaker 4

Control failures posted to SOC Slack channel.

Speaker 3

Thank you.

Speaker 4

Goodbye.

Speaker 3

And so as you can see from the demos and from the presentation that I gave earlier today, we really have put together a platform that brings IT security and compliance capabilities from multiple different traditional point solutions together in a single platform, highly scalable, very quick visibility across all of the assets. We're talking about numbers in the 1,000,000,000,000, ability to really consolidate the devsecops and DevOps capabilities along with the security monitoring capabilities, again, all of that on the same platform and helping organizations that are trying to accelerate the digital transformation with providing them a security compliance platform that can be easily integrated into this new infrastructure, while at the same time keeping an eye on their existing infrastructure and the physical infrastructure that they have to manage and monitor. Thank you very much. And now I will hand over to Melissa.

Speaker 6

Thank you, Sumit, and good morning. We have significantly increased our total addressable market by adding solutions such as passive scanning, cloud security and IT asset management. We estimate our total addressable market has increased to $11,600,000,000 growing to $20,700,000,000 in 2021. At the same time, our revenue growth has grown faster than our market growth and we're in some of the higher growth markets in security. What enables all this is the platform.

Platform adoption is accelerating across enterprise customers with 2 or more, 3 or more and 4 or more cloud solutions. We've also added an additional metric, the percent of enterprise customers with 5 plus solutions and that percent doubled last year. The multiple spend is accelerating too. In 2015 and 2016, customers with 5 plus products spent almost 5 times that of a 1 product customer and the multiple of spend matched for 4 plus product customers and 3 plus and so on. However, in 2017, the multiple across these cohorts showed meaningful increases, for example, with spend by 5 plus customers increasing from 4.7 times to almost 8 times.

And yet there remains still a meaningful opportunity further cross sell across the installed base. For example, you can see that vulnerability management is being used by only 58% of our customers. Additionally, there is still more upsell opportunity with our customers, which is also a significant driver of revenue growth. For example, we're only now seeing companies begin to deploy our agent on endpoints for vulnerability management. One example of successful cross sell and upsell is a large U.K. grocer that was originally vulnerability management only. Expanded vulnerability management and added cloud agent for the vulnerability management, continuous monitoring, threat protection, policy compliance, cloud agent for policy compliance, FAQ and web application scanning.

Another example is a U.S. retailer that was originally PCI only for only about $7,000. A few years later, they added vulnerability management. A few years after that, they expanded vulnerability management and added policy compliance. And a few years later, they added a cloud agent for vulnerability management and policy compliance and threat protection becoming a multimillion dollar customer. Adding new customers is also part of our growth strategy. We only have 4% of Global Enterprises and 1% of SMB SMEs.

As we've previously discussed, revenue growth drives higher profitability for us as we have a very scalable operational model with the platform as a distribution channel. You see a similar increase in operating cash flow margins as we showed in EBITDA margins as well as free cash flow margins with the difference between the 2 CapEx spend. Compared to our peers, we have industry leading margins. And we stand out using the rule of 40 as well, the combination of revenue growth and EBITDA margin. With the momentum we have, we believe we can sustain our low-20s revenue growth in 2021 and we see a path to growth in the mid-20s.

The delta between the two will be driven by both the rate of expansion of revenue with existing customers as well as the contribution from new customers. We continue to balance growth and profitability and we expect EBITDA margins to be between 40% and 42%. This is because we expect to get leverage across all our functions, but the most from sales and marketing. We expect to continue to be significantly cash generative and we believe free cash flow margins should be in the range of 35% to 40%. I highlight free cash flow because as many of you are aware with such high profitability free cash flow is the natural valuation metric.

In summary, we believe that Qualys is a unique investment opportunity because of our leading position in cloud security, multiple levers to drive revenue growth and our scalable operational model driving industry leading profitability. Before we open our event for questions, our Q2 earnings call will be on July 31st and we've put in a copy of our guidance in the appendix. Thank you. And we will now take our first question.

Speaker 1

Hello. And now we're going to start with our Q and A. Thank you, Melissa. So we have a number of questions coming from the audience. With the first question, I think this one is directed mainly to Sumit.

If you compete against or partner with ForeScout Technologies, if you compete, do you also have an agentless approach to device visibility as ForeScout?

Speaker 5

Thanks, Hamer. Yes, we absolutely have an agentless approach and this is something that Qualys has been doing extremely well for since the beginning of the

Speaker 3

run of

Speaker 5

the management solution where we have been providing support from multiple different types of devices and operating systems all the way across from devices like phones, network devices, databases. And so we do provide discovery capabilities through agentless, agent base and soon passive scanning as well as the integration of the mobility service. And so that gives us a unique advantage in the way we are able to discover devices. And so from that perspective, we absolutely do compete with ForeScout.

Speaker 2

Yes. And this is Philippe, and I may add also is that while we compete with ForeScout now, we still are passing our data to ForeScout as ForeScout needs in fact the Qualys data or the Qualys from other solutions as well. So and our philosophy has been that we have been very good citizen and so we even and we pass data to even our competitors because at the end of the day, as you know, customers are not going to suddenly change the solutions and we don't want to be in a position where we are forcing them to essentially move at a speed that they really are not capable of doing toward our solution. So in that sense, we are very good citizen and we remain good citizen.

Speaker 1

And Wissam, another related question, Sumit, that's for you. Why has the cloud agent size increased from 2 megabytes to 3 megabytes?

Speaker 5

Essentially, if you look at where we started with the cloud agent in the early days where we're mainly a little bit assessment. Today, with that small increase in the size of the agent, we continue to add multiple capabilities on that agent, including configuration of SMED, now file integrity monitoring, the ability for us to collect large amount of information related to activity on the device to detect malware, digital certificates. And so as we have expanded significantly the capabilities of the Cloud Agent platform, we have actually managed to keep the footprint of the agent extremely low while adding all of this additional capability.

Speaker 1

Thank you, Sumit. Another question, and I think this is directed to you, Philippe. Can you please speak to new product revenue contribution over the last 3 years? And how we should think about new products providing to future revenues?

Speaker 2

Yes, this is more for Melissa to answer.

Speaker 6

Yes, I'll actually take that. Thanks, New business is always a contributor to us, but obviously given our large installed base, much of our growth comes from expansion with existing customers. There are multiple levers of revenue growth for us, which I talked about in my presentation. So there's not just one increased breadth of the platform should increase our ability to win new customers because we have more solutions to offer.

Speaker 2

And I would like to add to what Melissa said that unlike your typical enterprise software company who wants to really get as much revenue as possible even at the expense of having a lot of software out there. Our philosophy is exactly the opposite. We don't want to push the customers to take more than what they need at the moment and then we grow them. So it's better for

Speaker 4

the customer. It's also better for us because it's

Speaker 2

a much more profitable model to essentially upsell an existing customers to new solution that you try to do a bigger deal and give more discounts and then of course having shelfware which in the case of a pure subscription model as we are the last thing you want is to have shelfware because if you do then guess what the customers are not going to renew next time. So then you will have a downside which is obviously something you don't want to have.

Speaker 1

Thank you, Philippe. Another question for Melissa. Revenue guidance for low 20s to mid-20s, what's the assumption of contribution from some of the newer products, container security, ICMA Asset Management versus some of the more solutions like VM, web application scanning, etcetera. Can you achieve that level of growth with the mix you have today or new products will need to ramp?

Speaker 6

Yes. So as Philippe just talked about, we don't intend our sales force to push product on the customers because in a subscription business, if there's not a real customer need, they're not going to renew. But when you think about how we develop our product roadmap, it's based on continuous dialogue with our customer and it's based on real life use cases that we see across a broad spectrum. So we feel a very strong sense of demand when we go to market with when we go to develop a product and then bring it to market. And you should think about our revenue targets based on the product momentum that we're seeing today based on the existing as well as the product pipeline that we've outlined in Sumit's roadmap.

Speaker 1

Thank you, Melissa. Question, this one is for Sumit and Philippe. When selling into Azure, where your solution is transparent to the customer in the Azure Microsoft Security Center? And is your pricing the same as

Speaker 2

if you're selling through more typical channels? Maybe, Sumit, do you want to take it?

Speaker 5

Yes. I mean, as of today, the way the integration works is it's very transparent to the customers. As I kind of talked in the demo, we get the both DevOps perspective inside Azure Security Center and then the typical security user gets to see that from a SecOps perspective in the Qualys console. So the way the integration while they will have the deployment in Azure and they bring the Qualys license into Azure as of today, they do have other environments that are also part of their Qualys subscription. And so as we continue to look at these kind of platforms as new channels, we will obviously be looking at new ways of integrating in the marketplace and specific pricing that might make sense as we go along.

Speaker 2

Yes. And I will add to what Sumit said. The thing that you have to understand that with our very unique architecture, if on one hand, as you saw on the Sumit demo, you could have all the information that you need on the Azure Security Center. So you don't even need to go to Qualys, everything is transparent. At the same time, there is a copy of everything you have seen in the Azure Security Center on the Qualys console and why because most of our large customers have multiple clouds.

So you could we can bring all of that information from these different cloud into that one single console. So you have really the direction. As Sumeet mentioned, of course, the cloud is accelerating. We see the platform like Amazon, like Google, like Azure as essentially formidable platform for us because we have significant integration to the point that we've even put now our entire backend into those infrastructure and therefore they become distribution channel as well. So if our platform is a distribution channel, their platform is also the distribution channel, realize how much cost we can eliminate, of course, because everything becomes totally automated and that's very important for the future profitability of our company.

So we have the model right essentially.

Speaker 1

Philippe, there's another question for you. Can you explain further the rationale for the acquisition of Second Front, which was already a partner of Qualys? And then in terms of the federal opportunity, how long does it take for these relationships to ramp? When can we start to see Fed more material?

Speaker 2

Okay. So the acquisition is to transform to as a very large thing for us to do. Like everything we've been doing, every acquisition that we've been doing so far it's always in the context of our platform. And now today, we are bringing that platform to the federal market, which now is receptive, which was not the case, of course, quite a few years ago because the cloud was not really albeit they were talking about the cloud, the cloud was still something that was foreign to the federal market. And the fact that now we have our cloud totally FedRAMP certified and authorized, I should say, to be very specific and that we can deliver our cloud on premise or as a cloud certified, in fact we're going to we made, we are going to create another FedRAMP public cloud that we are looking at deploying in D.C. in the before the end of the year.

So we are now ready fundamentally, so to go full time. So making that acquisition, that acquisition gave us a superb team of people that we know, we have been working with them that have all the clearances that you could dream of, understand the market very well. And now as we mentioned earlier, so we are going through the approval process and we have started that.

And then of course, when we'll have all the approval process being completed, then in that case, we could close the deal. So in terms of the other question, which is when do we see revenue starting to move up, as you know, about 1% of our revenues is only now federal. One of our main mix, albeit we're starting to have very good, very good deployments already. We don't anticipate that to see a major impact in 2018, but I think we believe that in 2019, we're going to start to see some very good growth, especially that there is a lot of vulnerability management contract, which are due for renewal next year. So, I think next year is really a very good year for us because I think we will be there with the team with the solutions and I think we are very serious about now providing our technology to the federal market.

Speaker 1

Great. Thank you, Philippe. There's a couple of questions on agents at the end point. The first one, endpoint agent adoption has been slow. Can you comment on the challenges there and how and why that may be changing?

Speaker 2

So that yes, I will take that question. So very simply because Qualys was really not on the endpoint. So, because we could not really scan an endpoint which was of course out of the network. So essentially our vulnerability management solution has been always essentially on the servers. The good news today is that now because of that agent capability that we have, now we see our customers and I mentioned last time at the earnings calls that we had 1 major existing customers, which has deployed now to more to 260,000 agent.

And I'm very happy to let you know that today, in fact, we have another customer, which is deploying 250,000 endpoint. So, we are moving in. And now, of course, now that we can essentially not only bring vulnerability management and policy compliance at the endpoint, but now that we also can bring IOC and all these other capabilities and essentially reducing the number of agents that company needs to have, which has been the nightmare for IT when I think the average for companies is to have something like 7 or 8 agents, I don't remember exactly the number. So today our agent is essentially consolidating a lot of agents. And as you recall from the first question, it's only with a 3 megabyte footprint.

When you compare that with the premium agent, which is in the 70 megabyte footprint And the reason is because they do scan the devices and they need to have much more work being done at the device when the work has done in our back end, which is a significantly more scalable and much in fact better solution because we can't correlate the information. So I think we're moving on the endpoint now. That's the good news. And we really are very bullish about it.

Speaker 1

Philippe, another related question. It's good to see how the Qualys Cloud Platform has evolved to encapsulate the 5 tenets of security. How important is the cloud agent adoption within your customer base to achieve this, as well as to achieve your 20% plus growth guidance?

Speaker 2

Having the agent is obviously a significant driver of our business because as we mentioned earlier, not only it makes vulnerability management and policy compliance much better in the sense that it's real time, you only need the scanning windows. So that's a very natural thing to do. On top of that, it brings us of course on the endpoint, which we were never before.

And now what is interesting is that, that agent is also a platform, I call it a platform within the platform. Our agent now has enabled file integrity monitoring, which is starting to pick up. It has enabled IOC, which is already starting to pick up as well. It's going to enable the patch the forthcoming patch management and other services like essentially we could move now much more into the policy enforcement, etcetera. So this is really a very key solution.

More importantly, it also bring us into the IoT because now we have essentially the architecture for the Internet of Things. When you look on one hand with the agent and now with the forthcoming passive scanning. With the agent, we are on the verge of releasing an SDK, So IoT vendors could now build the agent themselves and then we can deliver to them the back end wherever they like it. If they want the back end as their quality share platform, we can do that. If they want that on Google Cloud or Amazon, we can do that.

Or the one that have in their own data centers, we can do that. So these agents is very significant. So it's going to be the passive scanning. And what makes at the end of the day, our solution very unique and formidable, I should say, is because we on one hand have the scanning technology that we have mastered, we can now scan every IP on the planet, every website on the planet. Now with the agent, wherever we can put the agent, we have continuous visibility because we pick up the changes.

And now with the passive scanning, we can see everything was coming in and out of the devices. We bring all that into one single platform and you saw in the presentation of Sumed, all these engine, all that power that we have built, we speak in terms of billions, trillions of things, indexing 250,000,000,000 data points on our Elasticsearch cluster, so we can deliver information in sub second now even. So this is really what we have done. And so that's why we're very bullish because we're putting this TechnoViewer together and it's a huge differentiator. And on the top of that, not only we can now add the company, consolidate their staff, as I mentioned earlier in my presentation, but now because of our architecture, we can also add them fundamentally with that same platform, add them, secure their digital transformation, which is a new game in town.

Speaker 1

Thank you, Philippe. We have a new question. Maybe this is for Melissa. Last event, you said potential spend by customer 5 times vulnerability management. What is your current view?

Speaker 6

Yes. So as Philippe mentioned, the cloud agent is very important to the future growth because it's the independent technology for many of our solutions. So if we think about all these additional solutions that Sumit outlined, today we estimate that with these additional solutions, the per dollar per IP spend could be greater than 10x what we see as per IP per VM. So this gives us a lot of upsell opportunity and this is part of the underpinning for our developing this target revenue growth in 2021. What we're trying to message is you should be thinking of us as a 20% revenue grower, 20% plus.

Speaker 1

Can you talk about capital allocation given the recent tuck ins not being particularly large and modest buyback deployment so far?

Speaker 6

Sure. So as we've discussed with the community, we take a balanced approach to capital allocation. Traditionally, we've been preserving the strategic flexibility for M and A, But as we've done some M and A to date that we're very excited about, but to your point, we haven't used up all of our capital. We heard from our large long term shareholders, the desire to see equity dilution being minimized and we thought that would be a prudent use of our excess cash. So we announced $100,000,000 share repurchase program, it's a 2 year program.

And we don't announce things that we don't intend to do. So it's something that we intend to complete. We are doing vendor 10b18 program, which preserves us for us the flexibility to shift priorities should we need change, but it's our intention to complete that. And so I think in the Pinnia question is, as you think about the long term, as we intend to continue to minimize dilution from equity grants, you could see net income expanding much faster than share count and assets you would see meaningful EPS growth?

Speaker 2

Yes. And I would add to what Melissa said that if you look at our acquisition strategy so far, it has been within the go forward to try to build up the revenue, the top line. We really look at technology that we could integrate into our platform. We've done that very successfully today with the Nevis acquisition. We're also very confident that the 1Mobility acquisition will do the same.

We're currently continuously looking at these kind of companies where we can inject technology, essentially acquiring a team of 20 to 25 people at a reasonable price. But we foresee so we're building a kind of a war chest for further bigger acquisition because we see that industry consolidating. And if today we believe that some of these acquisitions that we saw today are absolutely mind boggling because I would never pay a few $100,000,000 for something that we can develop ourselves for much cheaper. I believe that these in that consolidation to come of the traditional industry, there is going to be significant opportunity to better acquire customer basis. That is going to be our next strategy.

So we're building that kind of a cash. But at the same time, listening to our long term investor, we really care about is that they say, look, you guys, why don't you compensate? You have so much cash, why don't you compensate us for the dilution? And that we thought that was a very good thing to do.

Speaker 1

Another question, Melissa, this is for you. How do all the new add on services impact gross margin with the higher infrastructure costs? Maybe Philippe can again

Speaker 2

Yes, that's maybe more you may, you can say that, but I could give you the bottom line is that, yes, we do have some of course when we deliver new services, we need to have more servers, more storage capabilities, but again, this is everything is in proportion. So we have inherently a business model that scales. As I mentioned earlier, the platform is the distribution channel. So I think we have that scalability everywhere, not only in our sales force, but also in our backend. So we as we mentioned, we see ourselves continuing being in the 80% range of gross margin fundamentally, which is what our long term model this is what we said.

Do you want to add anything?

Speaker 5

Yes, sure. So I think another aspect of this is that all the new services that we are developing are this is where we have been able to really inject a lot of new technology into the platform and a lot of the new technology, Kafka, the Thunder, Elasticsearch is also helping us move to significantly more commodity hardware and the ability for us to scale leveraging that kind of hardware will definitely help us with the gross profit margin there.

Speaker 1

Okay. Time for a couple of more questions. This is I think mainly to you, Philippe and maybe Sumeet. Most of the new product growth has been driven by the cloud agent and to a lesser extent threat protection. What gives you confidence that you can drive material new product adoption beyond those two products?

And from a go to market perspective, what are the execution challenges you see?

Speaker 2

That's not quite exactly right because we saw where the patient scanning doing very well. And in fact, the agent of course have essentially because they are natural extension to our vulnerability management solution, of course, they've been important. But what we see today is that if you are a CIO of the company and start to realize that you can consolidate when you have today between 20 minimum to about 100 application and that you can now certainly with the Qualys platform consolidate about none of them today, the cost that you eliminate are significant. Even when we started to because of our model, when we for example, replaced in a very large Mac, McAfee vulnerability management solution, they could reallocate 15 FTEs because of course everything is self updating, centrally managed. So you have a kind of, if you prefer, exponential effect.

The more solution we bring together, the more people the less people you need to have, which is very important today because the number one challenge of our industry from a customer perspective is our ability to find talent. Today, there is a shortage of people. So the fact that Qualys allows you to do much more with less is significant and also due to the fact that these people now you can have them doing much more interesting job than running these scans or running this kind of solution. So all in all, this is a very virtuous thing that we bring to market at the time where the market needs, in fact, to do more with us and then at the same time invest in the digital transformation which is becoming absolutely a business necessity and then of course securing it is paramount. So I think we are extremely and I would add very uniquely positioned.

Speaker 1

And then related to Essence Group, how will the sales team be trained on selling the new app, not new apps?

Speaker 2

So that's one of the big advantage that we have with our with first with 2 things. One is that instead of having what I call these Harmony suite sales guys, which are very expensive and really go after trying to do big deals, which is what Ultrafast Software has been and still is, we build a technical sales force, people who are technical people and which add customers through their approval concept, try and buy. And so that's first we have a technical sales force which is much easier to educate of course that these are not technical. The second thing is that because everything is integrated in the platform today customers can even try themselves in so well packaged that essentially you can try. And then of course now we have our first force or subject matter expert in some cases or technical support people who are there to add the customer essentially evaluate our new solution.

And as you do that, then you also learn. So we have again a very natural way of training and bringing this solution to our customers. Now this being said, we are now going also to invest significantly in doing videos, in doing little training videos. This is something that Splunk has done extremely well. So we are going to copy, we are copying and we are doing is to create what we call the Qualys Academy where people can go and self and learn and of course now all these new media and you see that today our first you could see that with tomorrow our Qualys user conference, which everything is online and we have in fact 4,000 people register for that conference.

All the material will be of course now it's all online and will be available for people to listen and learn at their own time and that's the thrust of the company today.

Speaker 1

Okay. And then we have one final question, which I will answer: will we be getting the slides back after the session? The answer is yes, along with the recorded presentation. It will be available on our IR website. That's our time for today's event.

Thank you to everyone for participating. As I mentioned at the beginning of the session, this event has been recorded and will be available for viewing shortly after it ends. The link will also be emailed to you. We will also make it available on our IR website on qualys.com/investor. Have a great day, everybody.
