Good day, everyone, and welcome to Qualys Third Quarter 2017 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen only mode. Later, we will conduct a question and answer session and instructions for asking a question will be given at that time. I would now like to turn the call over to Joon Mi Kim, Vice President, FP and A and Investor Relations.
Please go ahead, ma'am.
Good afternoon, and welcome to Qualys' 3rd quarter 2017 earnings call. Joining me today to discuss our results are Philippe Courteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 10.
Any forward looking statements that we make on this call are based on assumptions as of today and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and an accompanying investor presentation with supplemental information are available on our website. With that, I'd like to turn the call over to Filipe.
Thank you, Jumi, and welcome everyone to our Q3 earnings call. Melissa and I are very pleased to report another quarter with strong performance on both revenues and profit, driven by the continued adoption of our Qualys Cloud platform and its integrated suite of security and compliance application we call Cloud Apps. We are very pleased to raise again the bottom and top end of both our revenues and non GAAP EPS guidance for the full year 2017 and Melissa will provide you with more color on it. These impressive results clearly underscore the competitive advantage we have created by taking the long view to build a highly scalable cloud platform that can be delivered both as a shared platform or on premise. This dual approach gives us an additional and unique advantage given the accelerated migration to cloud solution in an increasingly vulnerable and regulated environment.
As we all know, traditional enterprise point solution, which are inherently difficult to deploy, maintain and integrate, are not effective anymore in protecting against crippling attacks, such as 1 ACWI and in coping with new regulation such as GDPR. As a result, companies are now looking for true platform solutions to consolidate the security and compliance stack in order to reduce cost and complexity, while improving the security and compliance posture. Furthermore, businesses of all sizes have a critical need to accelerate their digital transformation. This transformation requires a new approach to security, where security must be built in and not bolted down. These requirements make our platform approach strategic to our customers and bolster the expansion of our vulnerability management solution as well as the adoption of our additional solutions.
This is underscored by the fact that now 30% of our enterprise customers have deployed 3 or more solutions compared to 23% a year ago. We also saw this manifest itself this quarter through the continued adoption of our Cloud Agent, with almost €5,000,000 purchased over the last 12 months. This represents a 37% increase over last quarter and contributed to the increase in the number of large deals with both existing and new customers. As an example, we signed a multimillion dollar expansion with a leading cloud provider, who not only expanded the scope of the Verity management, but added Cloud Agent and AssetView. Additionally, this quarter, we signed a multimillion dollar annual deal with a large healthcare company encompassing both vulnerability management and threat protection.
This was an existing customer who had previously only used our web application solutions and PCI service on a limited basis. As Wellacquire and GDPR are impacting enterprises worldwide, we saw new customers' deal size in Europe increase this quarter as well. We signed a 6 figure deal with the newer European customers to fully deploy Velocity Management in their environment. In the past, as you know, many customers have begun with partial deployment. As we have discussed before, larger deal size benefit both our stickiness with our customers as well as our profitability.
A few weeks ago, we hosted our 17th Annual Qualys Conference in Las Vegas, at which we had record attendance by our customers and prospects. The theme of the conference was From Securing Our Networks to Enabling the Digital Transformation of Our Enterprises. We demonstrated there a significant expansion of our platform as evidenced by Elasticsearch, where we now index 250,000,000,000 data points, as well as the addition of additional open source backend like Cassandra and Kafka and additional analytics and reporting engines. We also showcased an impressive suite of additional solutions we will be delivering during 2018, underscoring the power of our true platform approach. And you will find the list in our investor presentation, which is now online.
Enterprises worldwide are accelerating the adoption of cloud technology to retool their businesses. This adoption requires unprecedented scalability, accuracy and speed in order to identify all global IT assets which could be vulnerable, whether on premise, in the cloud or on endpoints. Enterprises also need to ensure that vulnerabilities are rapidly and properly remediated, which is something traditional enterprise IT security solution cannot deliver effectively and at which Qualys excels. Our Qualys platform enables enterprise to build security into their digital transformation initiatives for global visibility and better business outcomes. Earlier this month, in Monaco, I introduced at Les Assies, the leading security conference in France, Hared Soudani, Societe Generale's IT Infrastructure COO, as part of my keynote.
He spoke about the vital need they had to accelerate the digital transformation Our security needs to be built into this new cloud based infrastructure rather than bolted on. And our security needs to become an enabler rather than an impediment. He also added that the world is moving toward hybrid clouds that is a combination of public and private clouds. Securing such hybrid clouds in our architectures requires that security and compliance vendors retool their solution to adopt a cloud based architecture. Because we started our journey with such a cloud based architecture in mind, we believe that it gives us a significant head start.
This is evidenced by the fact that 70% of the Fortune 50 have now adapted our cloud platform, including technology leaders such as Amazon, Microsoft, Apple and Oracle. We continue to expand our global partnerships and are pleased to announce that we have been selected by Ernst and Young to be a key component of their new next generation cybersecurity center in Texas, from where they can monitor client environment, armed with the latest and most advanced tools to streamline detection and prevention of threats. We are also starting to make inroads in the federal market due to our FedRAMP certification and the market being more receptive to cloud based solutions. Following the selection of our FedRAMP certified private cloud by Lockheed Martin, we are pleased to announce that both the Secret Service and the Capital Police became Qualys customers in Q3. This quarter, we continued to expand our offerings with the general availability release of File Integrity Monitoring, FIM, and the detection of indication of compromised Qualys FIM logs and centrally tracks file changes events across global IT systems and a variety of enterprise operating systems to provide customers a simple way to achieve centralized cloud based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations or malicious activity, then report on that system activity as part of compliance mandates.
This highly scalable and centralized solution we provide now reduces the cost and complexity of detecting policies and compliance related changes mandated by increasingly prescriptive regulations. Qualys IOC detects activity and behavioral changes on the endpoint and delivers a continuous view of suspicious activity to customers that may indicate the presence of known malware unknown variants or threat actors actor activity of devices both on and off the network, which is quite unique. By expanding the number of applications we offer, we enable our customers to consolidate an increasing number of security and compliance solutions, eliminating the daunting challenges they have with point solutions that all require their own infrastructure, are difficult and costly to deploy and manage, and extremely costly to integrate. Our platform allows our customers to drastically reduce their spend And for Qualys, we benefit from a more strategic relationship and increased stickiness with our customers. In Q3, we closed the acquisition of Navis Network and integrated the team with our existing Pune India operation.
The acquisition of Navis Networks enabled us to enter the market that is currently served by solutions such as ForeScout. The acquisition of Navis provide us with a significant domain expertise in deep packet inspection, also known as passive scanning, and give us the opportunity to accelerate our move into the adjacent markets of medications and response. Once this technology is fully integrated into our platform, we will have additional visibility and response capability to protect against threats from IoT devices. This will provide a holistic view of vulnerabilities within our platform across devices and web applications, whether on premise, in the cloud or on endpoint. We also expect the Navis acquisition to strengthen our commercial presence in India, which we see as a significant opportunity for our company.
Speaking of Pune, our operations there now encompass 350 employees across all departments, including Ops, DevOps, Engineering, QA, Customer Support and Product Management. This is a major strategic advantage for our company as it continues to be both a competitive and a cost advantage for us. We will continue to invest heavily in Pune. In summary, we continue to strongly believe that we are best positioned to secure the vital digital transformation facing our customers, while helping them secure their current on premise and endpoint environment. We believe our customers increasingly see us as a strategic vendor, which has earned their trust by delivering a true platform that offers them greater visibility, accuracy and scalability and help them consolidate their stack.
It is this platform approach built over many years that has allowed us to build the strong foundation of recurring revenues while achieving industry leading profitability. We believe we are positioned better than ever to help our customers improve their security and compliance posture and forge ahead with our digital transformation. With that, I will turn the call over to Melissa to discuss our financial results in detail. Thank you.
Thanks, Philippe, and good afternoon. We had a terrific Q3 with both revenues and profits exceeding our expectations. We continue to see healthy demand driven by our strategic positioning as the leading cloud platform in our markets, coupled with strong market conditions. The upside in revenue drove record margins for Qualys. We saw strong demand this quarter from both new and existing customers, the latter with both renewals and upsells.
Deal sizes continued to increase in Q3, growing 17% year over year and new customer deal sizes grew 62% year over year. From a geographic perspective, we saw very good year over year growth in all geographies. In fact, we had record new customer bookings in EMEA in Q3, driven by deal sizes for new customers in EMEA growing year over year more than 100%. Consistent with last quarter, we saw strong performance in the vulnerability management category. Bookings for both cloud agent for vulnerability management as well as threat protection more than doubled year over year.
This drove meaningful acceleration in new product bookings. New products released since 2015 contributed approximately 14% of total bookings in the quarter, up from 9% last quarter. These new product bookings are mostly due to Cloud Agent, which includes the associated subscription to either vulnerability management or policy compliance and include renewals that convert to cloud agent. Including cloud agent for policy compliance, we sold 4,700,000 cloud agents in the last 12 months, an acceleration from 3,400,000 as of last quarter. Our cloud agent platform, as you may recall, is the underpinning technology of many of our new solutions, including file integrity monitoring and IOC, and therefore, should help adoption of these newly released solutions.
Multi product adoption continues to increase as well with the percent of enterprise customers with 3 or more Qualys solutions rising to 30% this quarter, up from 23% a year ago, and their average spend in the quarter increased 24% year over year. Revenues in the Q3 were $59,500,000 which represents 19% normalized growth over the Q3 of 2016. Was a negative impact on our Q3 2017 revenue growth rate of approximately 150 basis points from the MSSP contract and approximately 110 basis points from FX. In Q3, we also saw more front loading of deals, which benefited our revenues. Turning to our deferred revenue balance.
The current deferred revenue balance was $132,000,000 as of September 30, 2017, 21% greater than our balance at September 30, 2016. Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 22% year over year. Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non GAAP results. Our non GAAP metrics exclude stock based compensation and non recurring items. A full reconciliation of all GAAP to non GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investors section of our website.
Also note that certain amounts in prior periods have been reclassified to conform to the current periods presentation. Adjusted EBITDA for the Q3 of 2017 was $23,900,000 representing a 40% margin as compared to 35% in the Q3 of 2016. This contributed to a 63% year over year increase in GAAP EPS and 40% year over year increase in non GAAP EPS this quarter. Because of our expansion in India, we achieved this earnings growth despite a 26 percent year over year increase in headcount. In Q3, we also benefited from greater efficiencies in operations, which contributed to an increase in our gross margin to 80% from 79% in Q2 and from 79% in the Q3 of 2016.
Gross profit increased by 18% year over year to $47,000,000 in the Q3 of 2017. Operating expenses in Q3 increased by 7% year over year to $28,700,000 Research and development expense increased to 9,400,000 dollars or 15% year over year, primarily due to higher headcount. Q3 R and D expense also includes 1 month of the Nevis team and we're excited to have added the team from Nevis. Sales and marketing expense increased to $14,200,000 or 4% year over year, primarily due to higher headcount and related costs. G and A was flat year over year at $5,100,000 as higher headcount cost was offset by lower third party spend.
Net cash from operations in the Q3 of 2017 increased by 62% to $32,800,000 compared to $20,200,000 in the same period in 2016. The year over year increase in operating cash flow was driven largely by the growth in our billings and profits. Capital expenditures were $13,400,000 in the Q3 of 2017 compared to $9,800,000 in the Q3 of 2016. Out of the $13,400,000 $5,100,000 was for our business operations and $8,300,000 was for our new headquarters build out. We expect CapEx related to our operations in the Q4 of 2017 to be between $6,000,000 $7,000,000 and CapEx related to the new office to be another $4,000,000 to 5,000,000 dollars for a total Q4 CapEx spend of between $10,000,000 $12,000,000 Total 2017 CapEx related to the new headquarters build out is now expected to be between $16,000,000 $17,000,000 up from our prior expectation of $13,000,000 to 15,000,000 dollars We also spent $5,800,000 on the acquisition of Navis Networks in Q3.
In terms of guidance for the Q4 of 2017, we expect revenue to be in the range of $61,700,000 to $62,200,000 representing an estimated normalized year over year growth rate of 19% to 20% based on our current FX forecast as well as the previously mentioned impact from the MSSP contract. We will continue to invest in Q4 and look for high quality talent in a number of areas. However, given our highly scalable operational model, we now expect full year 2017 operating margin expansion. We expect the GAAP EPS for the Q4 of 2017 to be in the range of $0.15 to $0.17 per diluted share, while non GAAP EPS is expected to be in the range of $0.27 to $0.29 per diluted share. We are delighted to be raising our full year 2017 guidance for both revenues and earnings.
We are raising the bottom and top end of our revenue guidance for full year 2017 again to now be in the range of $229,600,000 to $230,100,000 from the prior range of $226,800,000 to $228,300,000 We are raising our GAAP EPS guidance range from $1.09 to $1.11 from $1.02 to $1.06 and non GAAP EPS guidance range to $1.04 to $1.06 from $0.87 to $0.91 We believe our strong financial results reflect the enthusiasm our customers have for a cloud based security and compliance platform that can secure their digital transformation and enable them to consolidate stacks for better visibility and security. At our user conference a few weeks ago, I personally saw how strategic our platform and applications are to our customers and how appreciative they are of our solution that is integrated and at a lower total cost of ownership than competitive on premise solutions. We continue to believe that our unique competitive positioning coupled with our scalable model will enable us to continue to grow our revenues and boost top tier margins. With that, Philippe and I would be happy to answer any of your questions.
Thank Our first question comes from the line of Alex Henderson of Needham and Company. Your line is open. Wow, thanks. So I just wanted to talk
a little bit about the structure of your model going forward. Obviously, with the investments in India, it sounds like your OpEx growth ought to be probably towards the lower end of the teens range going forward. But it looks like your top line growth is at the upper end of the teens range and maybe even into low 20s. Is that the right way to be thinking about the structure as we move forward into 2018 without actually giving guidance for 2018?
So our performance this quarter reflects what a scalable model we have as demonstrated by our record operating margins. We will continue to invest, however, as you can see by our Q4 guidance, which implies sequential margin contraction. Having said that, we have a highly scalable model, which allows us to continue to invest and boast very healthy margins. With regards to 2018 guidance, we will give that on our next earnings call consistent with prior years.
Just if I could one follow-up on that. So when exactly did the Nevis deal close?
It closed on August 29.
August 29. Thanks.
Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open.
Thanks guys. Happy Halloween.
Same to you.
So GDPR, I'm kind of curious. You talked about pointed out I think strong results in Europe. GDPR, I think, was a distraction initially for a number of vendors. Do you think we've moved past that? And are you actually seeing specific deal traction driven by that initiative?
Absolutely in Europe and I think it's starting to impact the U. S. And this is something that I don't think many people understand because a lot of people look at GDPR as fundamentally a compliance requirement that okay, you've got to pass another set of things and you have to but it's much deeper than that because it has forced, especially in Europe and now it's coming to the U. S, companies to rethink their entire security strategy and to fundamentally accelerate the digital transformation. That was the speech of Khaled Soudani, which is the COO for the entire Societe Generale Infrastructure IT.
And he's got 6,000 people reporting to him. And essentially, it's all about now building security. 1st of all, accelerating the digital transformation, so you could have a much better handle on security, of course, improving the velocity of your business. And the fundamental notion that you've got to build the security into it and which means security is becoming much more of a DevOps now issue than the traditional bolt on and add security component to our enterprise security solution. It's a major shift.
And I think GDPR because of the oneiros fine that the regulator could impose up to 4% of the revenue if the corporation cannot prove to the regulators that they have been good guardian of both the security and the privacy of the data of their customers, that's a huge, huge shift. And so I think we were in a way lucky because we have the right architecture and which is not the same for a lot of other vendors.
That makes sense. Maybe one other on a vertical question. U. S. Government I think was decent for some vendors but not for others.
Can you give us maybe a little bit of your experience what you saw in terms of demand out of U. S. Federal given their fiscal year
end? So for us it's a very different again, we are very not positioned at all like all the other vendors, which I think has 20% to 40% of the revenues in federal. We have only 1%. So for us, it's all gravy. But more importantly, the government now needs scalability, immediacy and again cloud solution is really the only solution.
And when I say cloud solution, cloud based solution that means the fact that we have the ability to use cloud stack on premise is exactly what government across the world require, because they are not yet comfortable to put everything on Azure or on AWS. And their network are really pretty big. So that's what we saw with Lockheed, which now has a Qualys private cloud. And of course, now we just mentioned that the Secret Service is now a customer. So now finally the market is coming to us again.
So that was very it's very new for us. So it's all of course, it's going to take some time. As you very well know, government takes time. The procurement is so complex and lengthy. But for us, I mean, it's all gain.
I mean, we have nothing to lose here, everything to gain.
Thank you. Our next question comes from Robert Breza of Northland Capital Markets. Your question please.
Yes. I was just curious, Philippe, if you could talk about kind of the macro backdrop, I think kind of in tune with some of the prior questions. We've seen some companies execute well and some not so well. Are you seeing anything on the tea leaves from a macro environment, whether it's Europe or the U. S.
That causes you to stay awake at night or think about more intently?
No. I think for us, it's for us, again, we're so well positioned because we have that ability to deliver the cloud in the way company essentially can absorb it and also have that ability to secure like for example with Microsoft Azure, we have our agent now integrated in the Microsoft Azure. So any Microsoft Azure customer can at the click of a mouse essentially provision a Qualys agent, which will give the continuous security compliance posture of the environment on Azure. This is totally integrated. Nothing to install, nothing to do.
They just click on the link and that's it. So that ability to integrate security or to build security into this cloud environment whether they are public or whether they are private. And it's really the new game. That's the way we see it. So we see that as I mentioned earlier on the question of Sterling, GDPR is accelerating that thinking because of the onerous penalties that you could get.
So getting 4% of your revenues as a fine, you may want to say, should I not invest that ahead of the game in my digital transformation to make sure that I'm not going to be I'm going to be able to really secure it. Because quite candidly and I've been mentioning that many times during my RSA keynotes over the years to the point that I felt like Galileo, Saint Claude, I'm in America, so they didn't put me in our SRS. That is becoming harder and harder, if not impossible, to secure the current computing environment, which is network based. So with that we need to move from that client server enterprise network based environment to a much more cloud based environment.
Maybe as a follow-up to your comments around Microsoft Azure and customers moving workloads to the cloud, etcetera. As we sit back and think about the number of IP addresses being scanned, have you seen your IP addresses being scanned or customers expanding the different or more workloads, etcetera, more applications, etcetera. As they're moving towards the cloud, are you seeing that expansion increase in terms of the overall business model? Or how should we think about because obviously those elements still need to be scanned whether they're running in Azure or AWS etcetera. But So
that's an interesting Yes. This is a sorry. Go on.
No, I'm done. Thank you.
Okay. So that's a very interesting question. In fact, there's 2 moving parts here. On one hand, customers realize today that you cannot just look at your perimeter and your critical servers at a few critical applications. You've got now because everything interconnected with everything, you've got to really have a complete visibility on your entire environment.
And very soon also on these IoT devices that connects to your environment as well. So that significantly increase if you prefer the scope of IT. Now at the same time, of course, as you are moving some of these assets into the cloud, it reduces, of course, the number of IT assets that you are going to have to look at on the on premise world. But since today, we are so under businesses, there's still so much room to grow in that old world that is really that there's still a lot of expansion that we see within our existing customers. Even customers, which have been with Qualys for 10 years, they maybe have been scanning maybe 30% of their assets.
So now today, they got to do more. And then of course, they need to have that solution to scan their assets or identify the vulnerabilities on those assets, which are in cloud environments. So, the very unique thing of Qualys is that with the same platform, you do both. So it's a win win for our customers. Does that make sense?
Thank you. Our next question comes from Michael Kim of Imperial Capital. Your line is open.
Hey, good afternoon guys. Just with regards to the global partnerships, do you see a greater focus or opportunity with partners like E and Y and other consulting or MSPs? And how do you think about exploring new routes to market?
Yes. Absolutely. So what is happening today, we saw first of all, as you may recall from some of our previous call that we have established a very significant position with all the Indian outsourcers, the Tata, the Wipro, the HCL, Accenture, etcetera, which are both Qualys customers now, but as well as Qualys partner. Now we see companies like Earth and Yang and also these Indian resources really focusing on the digital transformation and building architectures, if you which absolutely again are cloud based. So they can in fact provide not only helping the customers to accelerate their digital transformation through the retooling consolidation of data center virtualization, which now by the way is not anymore virtualization now that technology has moved, it's containerization.
And then of course, you've got to look at the security as a whole. So we in fact so you have to have a cloud architecture to be able to fit into these new initiatives from these partners. And that's again the big advantage of Qualysir is that this is an enterprise software solution doesn't cut it. It's that simple. So we see that as strategic partners for the future and we're very pleased of the Earth and Yang, of course, with their brand new data center or security center, we see that coming from other companies.
And essentially, we're becoming a very strategic partner for these, I would call, next generation of outsourcers, which are essentially helping company accelerate their digital transformation and securing it.
Thank you. Our next question comes from Erik Suppiger of JMP. Your line is open.
Yes. Thanks for taking the question and congrats on a good very good quarter. Thank you. The cloud agent the cloud agent has had a nice acceleration in the last couple of quarters. Can you talk a little bit about what dynamics are changing around that?
And then secondly, can you give us a frame of reference on what kind of penetration you've had? I think we know your customer count, but I don't think we have a good sense for the endpoint customer count. So can you give us some sense of what kind of penetration you've had at this point?
So generally speaking, the cloud agent is still the same, which means we have a natural extension from our customers, which already are doing policy compliance and validity management. It's a very natural extension. As you know, this is a kind of a Trojan horse strategy for us. Every new customers today is essentially taking cloud agents as well. And so that this cloud agent, the way to look at them is that not only they expand our ability to they provide a much better management and compliance solution because it makes it real time.
As you may recall, you don't have now you don't need anymore the scanning windows, you don't need to fetch the credentials and it doesn't really give you immediacy and it doesn't really take much traffic either. So they are really very good. It's the next generation of warranty management and compliance that we have with them. But they are at the same time the enabler of a slew of new services, which now we're very pleased that we have now shipped our file integrity monitoring and our detection of indication of compromise, which are indication of compromise, this is what is going to really start pushing us more at the endpoint. Because on the endpoint, you don't really scan an endpoint that leaves the network.
So that's why we're never very strong on these endpoints. But now today, the beauty of our agent is that even if the endpoint is out of the network, we're still tracking. And that's again very unique to our architecture. And as we start to see traction, of course, for the IOCs, we're going to have more and more of our agent on the endpoints. And then, of course, you have many other services that now we are which are in the making and that will help us continue the if you prefer the acceleration of our cloud agent solution.
And from a penetration standpoint, we estimate that out of our customer base, the percent of customers with Cloud Agent is approximately 8%, which just shows how much room we have to grow. But also, even so, understates the opportunity because similar to our current VM or policy compliance solutions, our customers have not fully deployed their cloud agents. And so there's huge opportunity within our customer base for more growth.
Thank you. Our next question comes from Gur Talpaz of Stifel. Your line is open.
Great. Thanks for taking my questions. So in the press release, you made a pretty interesting customer announcement in Maersk, which was notably hit by the NotPetya ransomware campaign. Can you talk about the impact of ransomware here? Was this deal specifically related to ransomware?
And just more broadly speaking, have you seen ransomware serve as a driver of adoption just sort of given the natural correlation between vulnerabilities and your solution?
Absolutely. And let me explain. So what one acquired that ransomware essentially did that one acquired is exploiting a vulnerability, which very pervasive vulnerabilities and then essentially crippling companies. And that's a rude awakening a lot of companies. Before everybody was focused on APTs, I'm targeted.
So, okay, they go after a certain number of things. But now today they can cripple your business and we effectively gave Merx as an example, which was not Aqualix customers just to discover today which are the devices which are vulnerable to one acquired. Nobody has an idea. So that's where Qualys shines because immediately we can tell you, if you are an existing Qualys customers and we are scanning your entire environment, which we start to do more and more, then of course, we will immediately tell you without even having you to search through our Elasticsearch backend, which remember now today we have index, which is absolutely a fantastic engineering feat, 250,000,000,000 data points and growing. So immediately in 2 seconds, we tell you this is where you are exposed.
And now of course, you've got to go and through Threat Protect, you can even follow through the remediation. So we give you the dashboard, which allows you to not only immediately see everything where you are exposed, but then follow the remediation, which is as important of course as discovering them. So that has been essentially highlighting the unique capability of our scalability and has created the new business. And of course, as we continue moving more into the IOC and the detection, Now trying to detect ransomware is going to be something very interesting at the moment of infection. So this is of course extension that we are starting to go that we're starting to build into our platform to go more into the response side.
So today, WannaCry, to make the story short, serves us because of our ability to detect vulnerable devices. And now, of course, we are going to expand our platform to be also being capable of responding if an attack is occurring. But that will take of course some time and I'm not going to give a deadline to you. But that's the direction that we're absolutely taking.
Thank you. Our next question comes from Ryan Flanagan of Monness Crespi. Your line is open.
Thank you for taking my question. I had a question about hiring. We've heard scarcity of talent in the Silicon Valley. Has that been a problem for you guys? Or does the fact that you have such a large headcount in Pune kind of act as an offset there?
Yes. So, no, it has been a huge issue. And in fact, thank Claude, Sumeet and I, we made the decision now about 5 years ago to do 2 things. 1 was to essentially re architect our back end because, of course, of all the new technology coming. And now that you can see with the injection and you can see that in our investor presentation, we have injected a lot of open source back end.
The challenge and here is that these open source back end are great, but you need to make them scalable and you need to integrate them into a single solution. And that's where Qualys has absolutely done a fantastic job. Now we very candidly would not have been able to do that job if we would not have made the decision, Simeon and I, to invest in Pune 5 years ago. And so because we could not find the talent. Now the advantage, we went to India for the talent.
We didn't go to India for the cost. And of course, we discovered the cost. And now, thanks to that huge difference in terms of cost, we can still while doing that massive investment in India, we can still generate fantastic profits. And by the way, we're continuing investing big time in India. And the silicon valley, it's very, very difficult to find the talent and that we need specifically.
So I think we're really glad that we made the decision 4 years ago.
And I think one added benefit for us is given where we are with the platform and we're in a position where we've made our first acquisition and we're looking at acquisitions. We'll also be in a position to add talent inorganically, whereas 5 years ago, the company may not have been ready.
Correct, which is that's the other advantage also of having now the platform ready. In the past, while a lot of people were trying to push us to accelerate our growth by spending more money, we're trying to explain no, we want to build the platform first before doing acquisitions because it's all about being able to integrate in our model additional solution to our platform. So either we build them or we buy them. But for us to buy them, it makes only sense if there is the architecture is there that we can take that foreign DNA and that that foreign DNA is also designed in such a way that we can also take it. So that has been limiting our ability to grow through acquiring technology.
But now today, we feel that we're very positioned and very delighted by the way with that Nevis acquisition. They are already all integrated in Pune and we are quite candidly looking at the other acquisitions in India as well.
Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open.
Great. Thanks for taking my questions. Philippe, new products continue to be a driver of bookings. I think most notably the Cloud Agent which you talked about. How should we think about the cadence of new product releases into Q4 and 2018?
Well, I think we have we're again here we have reached a very good maturity because what is very unique in any cloud environment is that you're not in the assembly line, I would say, of your traditional enterprise where you got the engineering designing and they pass that to QA and then QA pass that to customer support, and then you install, and then etcetera, etcetera. So what we have done very uniquely, as you may recall, is that under Sumedh, our Chief Product Officer, we have now ops, DevOps, engineering, QA, customer support, product management, all that under one roof and we cloned that in India. And that's one of the reasons also why we can attract top talent in India because we give them really the opportunity to really contribute instead of just writing code. So that ability to do all these pieces together, we have really mastered that. And the advantage then when you have done that is that in order for you to develop a new solution or to integrate a new solution, you don't need an army of people because you leverage the platform.
So, our application team, if you prefer, our cloud app team are small. If I tell you that Elasticsearch, for example, was done by 3 people, That's it. So we leverage, of course, the Elasticsearch engine, open source available, and then we have the 3 people really making it scale. And here, certainly, about a year later, we have indexed 250,000,000,000 data points. So that tells you that there is multiple leverage points in Qualys in our business model.
And we absolutely work at that over time and resisted the sirens of accelerated growth at any cost. And I think today we're starting to see the benefits of that longer view approach that we have taken.
And I would add Matt, another reason why we're positioned even better today than previously is, as I mentioned in my prepared remarks and I think Philippe mentioned as well, the cloud agent is the underpinning technology for some of these new solutions like file integrity monitoring and IOC. And so with now having 5,000,000 cloud agents deployed, it makes it that much easier for customers to adopt these added solutions.
Absolutely.
Thank you. Our next question comes from Jason Nolan of Robert Baird. Your question please.
Okay, great. Thank you. Melissa, I wanted to ask on the deceleration in long term deferred. Is that primarily a function of the big MSSP deal from Q1?
Actually, it's not related to the MSSP deal. The deceleration in the long term deferred is a result of amortization of existing multiyear prepaid deals exceeding the number the amount of deals sold in Q3. So if you recall, we had talked about in Q1 in terms of cash flow, we had a large number of multiyear prepaid deals. It was higher than usual And now we're back to more regular levels and that's the reason. We focus on current deferred because the majority of our business is 1 year contracts and we don't intend our sales force to do multiyear prepaid deals and we don't drive our business that way.
It's really driven by customer requests.
Thank you. Our next question comes from Rob Owens of KeyBanc Capital. Your line is open.
Hi. This is Liz Verity on for Rob Owens. Related to the ransomware question, curious if
what impact do you
think the high profile Equifax had on maybe the perception of vulnerability management overall and any impact to your business in terms of demand and maybe the quarter being more front end weighted? Thanks.
So, yes. So, no, that's this is not like 1 acquire. This is more a struts Equifax is another of this type of nasty vulnerability if you prefer, which is here it wasn't an Apache code. And so and as we know now, the Equifax was in fact a server which was vulnerable outside of the U. S.
And they managed to get back into the network and do all the bad things. So that's again for our business especially for absolutely a godsend and because it shows how important it is to identify your vulnerabilities. And if you don't look at everywhere, then you could be caught by surprise exactly what happens to Equifax that could be penetrated in one place on the globe and somehow they manage to travel from there to go inside. And once they are inside, then that's another game. It becomes much harder to detect.
And that's what we're working by the way on really trying to work on the detection from the inside, which is really a very unsolved problem. And so, at least you need to know your vulnerabilities and everybody goes back to that basis. So, the years of vulnerabilities have come, I would say. And it was always that kind of application which was relegated to yes, but we got better things to do. We need to put our forward, we need to put intrusion detection etcetera, etcetera.
But now today people realize that despite all of this precaution, the bad guys find a way to go inside. And once they're inside, then it becomes with the current environment, which is very network based, unless you segment everything on your network, which then of course at the 0 absolute nothing moves and then of course you have peace, but then you don't do much. So, that's it's good for us in a way.
Thank you. Our next question comes from Srini Nandure of Summit Redstone. Your question please.
All right. Thank you for taking my question. Philippe, regarding your comment on ForeScout and Navios acquisition, is this solution going to be deployed on premises to monitor IoT devices attaching to the network? Or it looks like it will be certainly a departure from your cloud model, which you have right now? And when is our Navis product coming to the market?
Thank you.
So essentially, the way we look at the market, some people will tell you, oh, you have to be agent less. Of course, if you have only an agent less solution, that's exactly what you will tell. So this is the solution. The reality is that you need to look the complexity of the problem is such that you need to have multiple view. And so we really believe in that kind of architecture that we have where we bring 3 different technology at scale, which is really the big challenge.
1 is, of course, the scanning technology, which is agentless, which we have really mastered on one way scanning billions of IPs a year. The second one, of course, is that agent technology, which wherever you can put an agent, you have now real time full visibility. And then now that passive or network analysis, which is also will give you other information. And it's bringing these three information together that really give you that complete view. And that's where again Qualys differentiates because to put this again you go back to the 250,000,000,000 dollars data point index on Elasticsearch, on our Elasticsearch cluster.
If you bring all this technology and by the way with the IOC, with everything we do, we're going to have even more than that. So, you need to have a highly scalable back end. Now, in order to have such a scalable back end, you cannot really do that with your traditional enterprise architecture. You need the cloud architecture. What is very unique with Qualys is that because of the requirement of some of our customers like Oracle was the first private cloud for Qualys and now of course at Microsoft, at Amazon, at many other very, very large environments, they want that on premise.
And because they want the architecture, but they want it on premise because you cannot really secure cloud from the outside, from another cloud or at least you're limited. So you want to secure the cloud from inside the cloud. But then you need to have the same architecture as the cloud to secure it. And that's what we have been doing that. We have today more than 50 platforms, private cloud installed in the world.
In large corporations, we have now a smaller version, a 2U version of our private cloud and that's what we start shipping in quite a good quantity. So for us, there is no differentiation between private and public cloud. It's the same architecture and we can deliver as customer needs and requires it. So that's the big challenge and the big opportunity for us. So we are moving definitively to answer your question on offering a much broader solution essentially that you see from the ForeScout and others.
And the Navios acquisition is a piece of it. And we anticipate today, if you go to our investor presentation under the category now that we call Secure Access Control, which is response to threat automatically by controlling access to critical resources. And that's what that Davis acquisition will be parked there and that we're anticipating today to be on the release of Q3 2018.
Which should be the target beta date?
Which is the target beta date and we will try to do better.
Thank you. Our next question comes from Siti Panagrahy of Wells Fargo. Your line is open.
Most of my questions have been answered. But Philippe, just wanted to dig a little bit into the competitive landscape. Are you seeing anything different from your competitors mainly that with 7, 10 AMOL of AI basis? Or any changes that you're seeing there?
I think as I mentioned earlier, I mean the strategy of Rapid7 is becoming very clear today for everybody is that they're already focusing on creating an analytics platform. That's what they're doing more and more through the acquisition. So, this is their inside Doctor. And so, that's of course, that's for them to execute on that strategy. And so, that's what we see.
We see them in that sense not as much as a competitor as they used to be. And as far as Tenable, the jury is out as far as I'm concerned, because on one hand, they were so against the cloud, Most of a big chunk of their business is federal. So they have now today their own enterprise architecture and now they got their new AWS architecture. So of course, there's a lot of work that they got to do to essentially come up with a really true competing solution to Qualys on the AWS platform. And on the top of that, the AWS platform, albeit shortened your deployment, because of course you don't have to build a lot of things that they have.
On the other hand, you cannot deliver really AWS on premise. So they will have if they want to do that, they will have to rebuild all of that. So we are just looking at what they They make a lot of claims. But so far, that's I see them with a significant engineering challenge ahead of them.
Thank you. Our final question comes from the line of Melissa Franchi of Morgan Stanley. Your line is open.
Great. Thank you for squeezing me in. Philippe, I was wondering if you could just comment on the health of your MSSB business. I know that you have a number of relationships and I think at the beginning of the year you also expanded your relationship with IBM. So just wondering if you have any there's any change in the overall view and if that's becoming a more strategic channel for you?
So that's a good question. So our business with MSSP is doing fine. What I see really happening is that there is going to be a race for new MSSP generation, because the existing generation, they have built their own thing and they have to retool as well. So there's going to be like we did. If you go back, well, it's 4 years ago, we realized that we needed to absolutely inject new technology.
We have just finished our diversification of our entire platform, but now everything that we do, we containerize it. So just to tell you, technology moves so fast. So when technology moves fast like that, it gives opportunities and that's what we see with the company that Ernst and Young and others trying to really come with a different with a newer architecture to compete against the existing more established MSSPs. So the race is done. And for us, quite frankly, we're more the Swiss Army here or the Swiss for us, we have a platform that people can leverage.
We are very easy to integrate in this environment, obviously, because we've got the right architecture. So we see them as a kind of more opportunity for us.
Thank you. At this time, I'd like to turn the call back over to Jumi Kyung for any closing remarks. Ma'am?
Thank you. And thank you all for attending our Q3 2017 earnings call. We look forward to seeing many of you in November at the Stifel 1 on 1 Growth Conference in Chicago and UBS Global Technology Conference in San Francisco.
Okay. Thank you.
Thank you.
And good Halloween. I don't know how you say that in English.
Happy Halloween.
Happy Halloween. Okay. To all of
you. Ladies and gentlemen, this concludes today's conference. Thank you for your participation and have a wonderful day.