Good day, everyone, and welcome to the Qualys Second Quarter 2017 Earnings Conference Call. This call is being recorded. I would now like to turn the call over to Joon Meek, Vice President, FP and A and Investor Relations. Please go ahead, ma'am.
Thank you. Good afternoon, and welcome to Qualys' 2nd quarter 2017 earnings call. Joining me today to discuss our results are Philippe Courteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements.
Factors that could cause the results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 ks. Any forward looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non measures is included in today's earnings press release. As a reminder, the press release and an accompanying investor presentation with supplemental information are available on our website.
Beginning this quarter, we are also publishing our prepared remarks in the Investor Relations section of our website to make it easier for you to follow along. With that, I'd like to turn the call over to Philippe.
Thank you, Jumi, and welcome everyone to our Q2 earnings call. Melissa, Jumi and I are delighted to report another quarter that included very strong performance on both revenues and profit, driven by the continued customer adoption of the Qualys Cloud Platform and its integrated cloud apps. These results clearly underscore our highly scalable architecture, our true platform approach, its value, proposition and the unique advantages they bring to our customers. Therefore, we are raising the bottom and the top end of both our revenue and non GAAP EPS guidance for the full year 2017. We're also pleased that in Q2, we saw acceleration in our Cloud Agent deployments, with 3,400,000 Cloud Agents purchased in the last 12 months, up from 2,600,000 last quarter.
Our Cloud Platform our Cloud Agent platform, as you may recall, is the underpinning technology of many of our future solutions. We also believe that our momentum reflects our increased value and stickiness as our customers can easily consolidate an increasing number of security and compliance solutions and realize as a result significant cost savings. In addition, with the same platform, customers can also build security into their digital transformation initiatives for global visibility and better business outcomes. Furthermore, recent attacks like One Acquire and Petya have made it clear that the days of scanning the network perimeter and a few critical servers are over. Enterprises now require scalability, accuracy and speed in order to identify assets that are vulnerable and ensure they are rapidly and properly remediated, which is something traditional enterprise IT and IT security solutions cannot deliver effectively and at which Qualys excels.
At Blackhat, we unveiled a new Qualys positioning and a refresh of our logo, highlighting the new unified and simplified approach to prevention and response that the Qualys Cloud platform and its cloud apps uniquely brings to the market, helping customers again consolidate their IT security compliance stack and build security into their digital transformation initiatives. In addition, at Black Ads, we unveiled our CloudView app framework, which give customers the full insight across all their cloud environments, inventory, configuration and continuous view of their security and We showcase there its first two components, Cloud Inventory and the Cloud Security Assessment apps. CloudView provides customers with configuration scanning capabilities and simplified workflow to assess, report, monitor and remediate security related configuration issues based on the Center For Internet Security CIS benchmark, and this is currently in beta. We also unveiled our 3rd View app framework, which provides discovery and management of digital certificates and showcase its first two components, Certificate Inventory, CRI and Certificate Assessment, CRA, scheduled for beta September and for GA before the end of Q4. As you may recall, earlier in the quarter at the Gartner Security and Risk Management Summit, we showcased 4 disruptive new cloud apps in the Qualys cloud platform.
1st, container security, a new cloud based Qualys solution that enables customers to address security for containers in their DevOps pipeline and deployments across cloud and on premise environment. This is currently in beta. 2nd, File Integrity Monitoring. This highly scalable and centralized solution reduces the cost and complexity of detecting policy and compliance related changes mandated by increasingly prescriptive regulations such as the Payment Card Industry Data Security Standard, File Integrity Monitoring is currently in beta and scheduled for general availability before the end of Q3. 3rd, indication of compromise.
This service detects activity and behavioral changes on the endpoint and delivers to customers a continuous view of suspicious activity that may indicate the presence of known malware, unknown variants or threat actors activity on devices, both on and off the network. This is currently in beta and scheduled for general availability before the end of Q3. 4th, Security Configuration Assessment, SCA, a new add on to Qualys vulnerability management that allows customers to expand their Verintivty Management program with configuration scanning capabilities and simplified workflows to assess, report, monitor and remediate security related configuration issues based on the Center For Internet Security CIS benchmark. At Gartner, we also announced that the FedRAMP certified Qualys Cloud Platform now supports the requirement laid out in the 2017 White House Executive Order, EO, on strengthening the cybersecurity of federal networks and critical infrastructures. The Qualys Cloud Platform, integrated out of the box, supports for the Defense Information System Agency Technical Implementation Guidelines or Guides, sorry, DISA, STIG and the National Institute of Standards and Technology Cybersecurity Framework, NIST CSF, reduces the time and cost for agencies to meet EO requirements.
In the quarter, we released purpose built content, workflows and reporting in the Qualys Cloud Platform to provide customers with continuous IT asset visibility, data collection and risk evaluation for compliance with the European Union General Data Protection Regulation, GDPR. This also helps customers with ongoing protection of personal data across IT environment and third party. Finally, we launched a 30 day free unlimited service to businesses worldwide to identify and track remediation of assets exploitable by the one acquired ransomware that has impacted 100 of thousands of computers around the world. This week, we are extremely pleased to announce the acquisition of Navios Network. This acquisition provide us with significant expertise in deep packet inspection or passive scanning and also give us the opportunity to accelerate our move into the adjacent markets of mitigation and response.
This acquisition will also strengthen our commercial presence in India, which we see as a significant opportunity for our company, and we expect the transaction to close in Q3 and Melissa will provide further details. Navios Networks is based in Pune, India and will be integrated with our existing Pune operation, which continue to be both a competitive and at a cost advantage for us. In fact, we ended Q2 with almost 300 employees there. We remain more confident than ever in our strategy because we are essential to securing the digital transformation, enabling security to be built into the infrastructure rather than bolted up. We believe the continued expansion of our cloud platform and its integrated apps will enable us to continue to grow the top line of the business, building a strong foundation of recurring revenues, while maintaining industry leading profitability.
With that, I will turn the call over to Melissa to discuss our financial results in more details.
Thanks, Philippe, and good afternoon. We had a great second quarter with both revenues and profits exceeding our expectations. We believe this reflects both the strategic value of our integrated cloud platform solution and its integrated cloud apps as well as our highly profitable operational model. In fact, the adoption of our platform continues to increase with the percent of enterprise customers with 3 or more Qualys solutions rising to 28%, up from 22% a year ago and their average spend in the quarter increasing 24% year over year. You'll also see in our investor deck that the number of customers with annual revenues of $500,000 or more is up 40% year over year to 45 percent with a 47% increase year over year in combined revenues.
We're also thrilled to have the Nevis team joining us. First, on Q2 results. On the top line, total revenues in the Q2 were $55,300,000 which represents 18% normalized growth over the Q2 of 2016. There was a negative impact on our Q2 2017 revenue growth rate of approximately 200 basis points from the MSSP contract and approximately 150 basis points from FX. We saw strong performance this quarter across renewals and upsells and we saw particular strength in vulnerability management, including very good performance from the Cloud Agent platform.
New products released since 2015 contributed approximately 9% of total bookings in the quarter. These bookings are mostly due to Cloud Agent, which includes the associated subscription to either vulnerability management or policy compliance and includes renewals that convert to cloud agent. We also continued to see very strong performance in web application security in our SMB and SME customer base. From a geographic perspective, we saw very good results in both the Americas and EMEA, and EMEA despite a worse currency environment. In fact, the average deal size for all new customers in those regions grew 46% and 19% year over year, respectively.
Let me now address our deferred revenue balance. Our current deferred revenue balance was $125,000,000 as of June 30, 2017, 20% greater than our balance at June 30, 2016. Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 22% year over year. Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non GAAP results. Our non GAAP metrics exclude stock based compensation and non recurring items.
A full reconciliation of all GAAP to non GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investors section of our website. Also note that certain amounts in prior periods have been reclassified to conform to the current periods presentation. Our Q2 results demonstrate our highly profitable operational model. Adjusted EBITDA for the Q2 of 2017 was $20,400,000 representing a 37% margin as compared to 32% in the Q2 of 2016. This contributed to a 100% year over year increase in GAAP EPS and a 29% year over year increase in non GAAP EPS this quarter.
The 3% sequential decline in expenses relative to our expectations of a sequential increase was driven largely by lower software expenses in sales and marketing and more disciplined trade show spend as well as slower hiring and G and A. In Q2, our gross margin increased to 79% from 78% in Q1. Gross profit increased by 13% year over year to $44,000,000 in the Q2 of 2017, but our margin was down from 80% in Q2 twenty 16. The year over year decline in margin was driven by higher depreciation from software and hardware to support continued scaling of our operations as well as increased headcount. Operating expenses in Q2 increased by 5% year over year to 28,200,000 Research and development expense increased to $9,000,000 or 13% year over year, primarily due to higher headcount.
Sales and marketing expense increased to $14,300,000 or 7% year over year, primarily due to higher headcount and increased marketing expense. G and A declined to $5,000,000 down 11% year over year, largely due to lower third party spend. Net cash from operations in the Q2 of 2017 declined by 5% to $16,500,000 compared to 17 $300,000 in the same period in 2016. The year over year decline in operating cash flow was driven largely by changes in the timing of orders and payments as customers who paid in Q2 last year and paid in a different quarter this year. Our operational model continues to be highly cash generative as reflected by our operating cash flow margin of 45% in the first half of twenty seventeen, up 900 basis points from the first half of twenty 16.
Capital expenditures were $8,600,000 in the Q2 of 2017 compared to $4,800,000 in the Q2 of 2016. Out of the $8,600,000 $4,800,000 was for our business operations and $3,800,000 was for our new headquarters build out. We expect CapEx related to our operations in the Q3 dollars Now turning to the Neves Networks transaction, which is an acquisition of assets including employees, technology and certain customer contracts. As Philippe mentioned, the Neves Networks transaction will add a team of engineers who have significant domain expertise in passive scanning and position us in the adjacent market of mitigation and response. The team is based in Pune, India, which is a low cost geography for us.
So the additional expenses do not materially change our financial outlook. This acquisition is in line with our previously stated objectives valuation. Post close, we will be working on integrating their solutions into our platform, while we continue maintaining and selling their existing products in India. We have not currently assumed any revenues in our guidance from the Neves Networks transaction because their revenue is immaterial. In terms of guidance, given our performance to date and the momentum we are seeing in the marketplace, we are raising the bottom and top end of our revenue rate guidance for full year 2017 to be in the range of $226,800,000 to $228,300,000 from the prior range of $225,000,000 to $228,000,000 We are raising the bottom end of our GAAP EPS range from $1 to 1.02 dollars We are also raising the bottom and top end of our full year 2017 non GAAP EPS guidance to be in the range of $0.87 to $0.91 For the Q3 of 2017, we expect revenues to be in the range of $58,200,000 to $58,900,000 representing an estimated normalized growth rate of 17% to 18% based on our current FX forecast as well as the previously mentioned impact from the MSSP contract.
We expect GAAP EPS for the Q3 of 2017 to be in the range of $0.13 to $0.15 per diluted share, while non GAAP EPS is expected to be in the range of $0.21 to $0.23 per diluted share. We are thrilled that the first half of twenty seventeen has exceeded our expectations and believe our new unified approach to prevention and response will position us to become the ubiquitous security and compliance platform, enabling us to continue to grow the top line and expand margins. With that, Philippe and I would be happy to answer any of your questions.
Thank you. Our first question is from Sterling Auty of JPMorgan. Your line is open.
Yes, thanks. Hi, guys. You mentioned the good results in EMEA. We saw CyberArk and Checkpoint have troubles in the segment and there's lots of questions over what new regulations coming in might have an impact either positive or negative. I'd love to hear what you saw in the quarter in terms of the regulatory impact, if anything, in your experience that drove the good results in this segment?
I think Sterling, as I mentioned, in fact, on the last earning call is that we see that GDPR is, in fact, a godsend for Qualys and we see the effect of that because specifically it is now accelerating the digital transformation of many of the large European companies because of the risk they now incur to up to 4% of the revenues, as you know, if they cannot essentially demonstrate in case of a breach to the regulators that they've done everything possible to ensure the security and the privacy of the data of their customers. So these companies, and I did mention Societe Generale specifically last time, that essentially, what they realize is that continuing securing their current infrastructure with this enterprise point solution that are difficult to deploy and to integrate and very costly is in essence a little bit futile and therefore it's much better for them to accelerate the digital transformation effort, consolidation of data centers, moving some of their applications into a platform like Azure or AWS, and essentially securing the and bolting the security in building the security in rather than bolting it on. Furthermore, One Acquire has been also a godsend for Qualys, unlike for some other companies, because people finally realize that instead of having to buy a solution that supposedly protect them that in fact they better try to identify all of their assets and also identify the vulnerabilities on those assets, because this is what one acquires and then Petya absolutely demonstrated.
So for us, by the way, the European marketplace has always been consistent and good contrary to what some people say. The only impact that we had on EMEA was, of course, the very big drop of the dollar and of the pound, which, of course, affect our top line, while, in fact, being very good for our bottom line. So for us, EMEA is still continuing very well. We have a very strong presence there. We have a large numbers of very large companies, which have been loyal customers for many, many years.
And what we see now is them starting to grow, essentially adopting more application, which now makes the revenue for Qualys the spend bigger now with Qualys. That's a new trend that we're seeing now.
Got you. And then one follow-up question on the acquisition. Reading the materials on the website and other stuff on the web, it sounds like the technology performs a lot of the things that you would see in network access control or MAC. Is that the way that you see it? And is this going to take your solution set into competing with Cisco and some of the private guys on the Mac side?
Or is it are you implementing and doing something different with it?
Yes. So yes and So no, effectively, so there's 2 things to that acquisition that we were looking for. As you know, we said that also many times that what drives our acquisition and the reason why we've been very careful in the beginning or let's say, not very eager to we needed to have expand our platform significantly so that our platform could much more easily adapt what I call foreign DNA. So today, we are very confident that with all the expansion of our platform that we have done, with the fact that we're now 300 people in India, we have a huge engineering and operation muscle now that this the time has come for us to do that acquisition, and this is the first. So what guided us here is that these guys had really perfected a very good technology on the deep packet inspection, passive scanning, which is the 3rd technology that we're bringing into our platform.
Today, we have mastered scanning. We do more than 3,000,000,000 scans a year. We have also mastered now the agent. Nobody can say that our agents are not revolutionary. They are.
And now we are bringing that network analysis. Now in addition to that, as you mentioned, they have also that NAC, that network access control. This is going to be significant for some of the solutions that we bring. And for example, the detection of indication of compromise, which are going to be GA at the end of the year at the end of the month. So today, and you very uniquely so like everybody else, we have the hash of the indication of compromise.
We compare them. What is also unique with Qualys, we do everything in the back end. So there's no hit on the devices. But we have also classified the malware into categories. So instead of looking for the perfect match, we can identify a 60% to 70% match, which could indicate or will indicate that this is a new variant of a malware, which the malware has mutated to evade.
Now with that technology that we were building already, by the way, but now with the addition of the resources that we have now with Nevis, we're going to, of course, accelerate the availability of now trying to look at what's coming in and out of the device. So if you see that device, for example, going to a DNS server and having a 60% or 70% match on the hash code, then you say, well, now we know that the device is compromised as well. And the beauty of our solution is that all of that is automated. You don't have nobody has to do anything. And so that's one of the use case of that network access control technology.
The second one use case, because our agent beam up and as soon as you reconnect on the Internet, if you got a device which have left the network, we know and we could analyze if the device has been compromised. As a result of that, when that device come back, we can quarantine and that's where you go into the NAC. As you mentioned, we can quarantine the device. So fundamentally, one of the first use case of that technology is in fact 2 use case. 1 is to strengthen our detection of compromised solution.
The other one also is to will allow us to have the full the global view of the asset inventory, including the shadow assets, because now we can look at those devices, which certainly connect to the network and which are unknown. Does that make sense?
Thank you. Our next question is from Robert Barista of Northland Capital Markets. Your line is open.
Hi, sorry, I had you on mute there. Just quickly and kind of maybe follow-up on the last question. When you think about the environment that's out there, we've seen, I'm going to call it, some spotty results from security software company this quarter. And it seems like you guys are obviously clearly bucking the trend in terms of execution wise. Has the environment changed in your opinion?
Or is it just better execution from your own internal point of view on new products, sales execution, etcetera? Just Mike, get your color.
Now this is a very good question, and in fact, it's both. Because on one hand, of course, the fact that we have expanded our platform, the fact that we have more solution will become very, very much more sticky and strategic. We have seen our renewal rates, for example, are getting better. So that's for the execution, if you prefer, around the fact that now we are a platform that is really capable of consolidating quite a few security and compliance solutions. But the other thing is effectively is the market is finally coming our way.
The marketplace was very much enamored to these solutions. The malware detection, all of these things, all that sophisticated user behavior, these and these and that, analytics. And finally, people realize that you can deploy all of that if you still have not done a good job at identifying all of your global IT assets, identifying your vulnerabilities and remediating them or mitigating them, you can put as many of these solutions, you're going to continue being breached. And that's what we see, by the way, almost every week in the newspapers. So finally, people start to realize that it was working against us because people were rushing spending their money in putting some kind of protection solutions, which turned out be not as effective as they would have hoped.
Maybe as a just a quick follow-up.
As you think about the customer spend, it's often been cited that customers were only scanning high risk assets, given the agent adoption that you've seen, which is very, very good, it would appear that more people are scanning more IP addresses, more endpoints. That's what it appears to me at least. So when you're looking at this, how well penetrated from the number of IP addresses would you say that you're penetrating within an organization?
In overall, relatively little. We have some companies, very few, which are doing millions of IPs per day, and these are the few. But everybody is catching up. So we still have a lot on the just on the VM aspect itself, we still have an unpenetrated market within our own customer base. And then what is happening, which is really helping us, we're essentially the only solution out there that scales because of our model.
So we of course, as as people which are using another solution want to scan more, they realize that it's very costly with them. It's complicated when Qualys comes in and, oh, you want to scan 1,000,000 IP every day? No problem. You want to scan thousands of web applications? No problem.
We have the scalability working for us and the really quality of our detections as well. So the marketplace is finally coming our ways 2 ways. 1 is the way you just indicated. The second way is the cloud, Because if you want to secure the cloud or have a good view of the cloud, you need to have a cloud architecture. So our traditional competitors are rushing to try to find a solution, but we have been there for many years.
And our agents, in fact, span across on premise endpoints and cloud environment. And we have totally integrated, for example, with Microsoft, our agents, so any Microsoft customers on Azure can, at a click of a mouse, provision a Qualys agent, which comes, they have nothing to do. And then they have immediate view security and compliance posture via the Azure Security Center. So without an agent technology like ours, you could not really do that as effectively and as transparently.
Thank you. Our next question is from Melissa Gorham Frank of Morgan Stanley. Your line is open.
Thank you very much. So, Philippe, you all have released a bunch of new products at least into beta in 2017, file integrity monitoring, indications of compromise, etcetera. So I'm wondering if you could help us maybe narrow down some of the solutions that you think holds the most potential for upside and what has received the most positive customer feedback thus far?
So I would say thank you for the question, Melissa. So I would say all of the above because I think all of the solution that we bring to market, we're bringing them because we had absolutely discussed with our customers before. There's some which are, of course, have more urgencies depending on the customers. On the financial market, it's definitely the File Integrity Monitoring, which is absolutely everybody is really waiting for us to release that GA. We have a big pent up demand.
And this is because the financial institution file integrity monitoring, there's a regulatory aspect to that. And the current solution that they use are very expensive to use and to deploy, Not that they are bad solution, in fact they are pretty good solution, but they require servers and huge infrastructure because they have a lot of data. So the cost of maintaining, supporting, updating these solutions, these traditional enterprise solutions, this is the Siebel system versus salesforce.com playing here phenomena. So that's for that. The detection of indication of compromise is much more broader.
So a broad appeal for small, very large and old companies, very hot market. So we see today the huge pent up demand for this. Of course, is going to take some time to get that translating into revenues because you need to go through the budget approval, etcetera. And our customers have the tendency for most part, to put the upsell at the anniversary date of their subscription. So we got kind of a lag, but I can tell you one thing.
Everybody the betas that we've done, everybody is absolutely very happy with that, and that's another reason to further consolidate applications consolidate a lot of these old enterprise security solution, which, as we all know are difficult to install, to maintain and to deploy. And so that's it's very good for us.
Got it. That's helpful. And then just one quick one for Melissa on the margin performance this quarter. So, the results were obviously better than what you guided to and you noted a few factors. But I'm wondering, to what extent was the upside just driven by timing issues, where there was maybe slower hiring than you initially Thanks, Melissa.
That
Thanks, Melissa. That's a great question. Yes, it's really not it's not a change from the fact that 2017 is an investment year for Qualys. So to your point, some of it is timing in terms of actually finding the hires that we're looking for. Our philosophy is to wait till we find the right people, as opposed to feel We do expect expenses to sequentially increase in Q3.
We do expect expenses to sequentially increase in Q3 and Q4 across all functions as we are preparing to scale the back end for the release of these new applications that Philippe was just talking about as well as hire more engineers to support the new products. And there'll be a little bit of an impact from the Neves transaction as well.
Yes. And I will add one more thing, Melissa, is that because we have also beefed significantly our ops team. We have really a wonderful ops team. We hired a VP of ops about now about a year ago. She has been doing a remarkable job.
And we have injected a lot of new technology. We have reduced significant cost in our ops infrastructure by moving to newer technology. In other words, we are doing more and more what Facebook has done, which is try to be with all the new things that and all the containerization and everything, trying to move more into more much cheaper hardware. And of course, the cost of the storage is going down. So there's also some very good efficiencies in our ops team here that I'm very happy to mention.
Thank you. Our next question is from Jason Noland of Baird. Your line is open.
Okay, great. Thank you. And just to clarify on slower hiring where the market was harder to hire in than expected or this was just push outs into the second half of the year?
Yes. That was specifically in G and A that I was referring to, and that's those are people that are going to be pushed out. I mean, it's areas like FP and A, business applications where there are few people or a few slots where we just didn't find the right talent.
Yes. And it's also combined to the fact that we're also adding as much as we can automation. So at the end of the day, we are very careful. And of course, we have also the impact of India, where we have also moved a lot of the functions in India or complemented them that even in HR and in customer support. So there's a lot of other economies offsets that we're doing.
So in terms of the hiring, we have always been going for the talent and we've been very careful at hiring. Our philosophy is how slow, far fast. And that's what we do and I think it reflects in our numbers.
Okay. Thank you. And then a follow-up, a really nice increase in large customers trailing 12 months. Is that a function of an expanded platform or moving up into larger customers? Or what's the driver there?
No, no, no, exactly. This is expansion of the platform. We see today customers expanding, buying more solution, and it reflects to the metrics that 3 years ago, 11% of our customers had purchased 3 or more solutions, and today now it's 28%. So that's what you see here.
Thank you. Our next question is from Siti Panagrahi of Wells Fargo. Your line is open.
Hi, guys. Thanks for taking my question. I see that you have done a rebranding of Qualys and then also positioning of products into different solution category like infrastructure, cloud and apps and endpoint. I'm wondering, are you I mean, 1st of all, if you could share your thought behind that? And also, are you planning to change any kind of bundling of products and pricing as it more of a bundle?
And also, as a follow-up, are you planning any kind of change in your go to market or sales to more align into this kind of solution selling?
I see that these are very good observations, Sidi, and very good questions. In fact, effectively, the reason why we essentially rebranded in the weather company, and in fact, this is something that absolutely was planned. In fact, many years ago, I was patient to wait until we had enough expanded our platform, enough solutions to really instead of appearing as we were in the past like the very good vulnerability management company to really show that we were a company which was in fact significantly more disruptive than people have ever thought, because you don't want to start to claim things before you have them. So effectively, so that rebranding is essentially to try to really illustrate that Qualys today offer a much broader solution. So it's all about the platform, all about the fact that now we can consolidate many traditional enterprise security solutions, very much what salesforce.com did.
So this is our turn now. But also as well as, as I mentioned earlier, enabling company to secure to build the security into the digital transformation. There was 2 elements which were slowing down the digital transformation of enterprise. 1 is the talent, the people who could help them go to these new infrastructures and type of application and the second one was the security. So I think we are the one helping to make security invisible in those infrastructure as we are doing very clearly with Azure, with Amazon, with many other type of solution as well.
So that essentially what really helps us. Now in terms of now because we offer more, we're now starting to sell more from the top. In the past, Qualys has been always selling bottom up to the techies and then of course we went to the CISOs. Now today, we have the ability to go to the CIO. So you're going to see Qualys having initiatives starting early next year to essentially go and directly explain to the CIO the very simple fact that one, we can give him visibility, which he doesn't have today across all of his global IT assets that we can help them provide the security of continuous view of the security and compliance posture that we can identify these assets which have been compromised, that we can do that across your traditional IT and all these different silos and of course through the endpoint to the web applications etcetera.
So we speak to the silos because, of course, our multi tenant user role based architecture and application, we can provide to the person which is managing the digital certificates his own view. This is what we call the term view now. You could have your cert view, you could have your asset view for the infrastructure, you could have your cloud view, and all of that is out of the same platform. So as a result of that, we save significant amount of dollars. Our large customers are between 30 to 100 applications.
They cannot wait to reduce the stack, and that's what they all are asking us. And that's hence the new positioning. And the refresh of the logo is essentially to really signal that security should be easy, should be invisible, instead of being that strong thing that you have to have to protect you. So it's all about now building the security into the fabric of the new computing environment and that's the real mission of Qualys. And that's the mission we had when we started the company back in 1999.
So I'm really happy that we are finally getting there. There's been a long road, a profitable road because we were careful of not being ahead of ourselves, but I think today we're there. So I'm looking for an inflection point in our model, which I was always looking, but I think we're getting there.
Thank you. Our next question is from Srini Nanjari of Summit Redstone. Your line is open.
All right. Thank you for taking my question. Melissa, can you talk about the average deal sizes and the trends you're seeing? Can you also talk about if the deal sizes are actually compressing? Are the deal cycles are compressing?
And I have a follow-up, please.
Yes. Thanks, Srini. So average deal sizes continue to increase year over year. We've seen that consistently each quarter. We focused on giving color on what stood out to us in the quarter.
So this quarter, it was the growth in average sales size for new sales size for new customers in the Americas and EMEA. And I talked about the Americas grew 46% year over year and average sales size for new customers in EMEA grew 19% year over year. Across all new customers, it was a growth of 22% year over year. And in terms of the other part of your question on sales cycles, we really haven't seen any shift other than when we do larger deals that encompass multiple products, for example, that obviously takes longer because there's more approvals to go through and procurement takes longer.
Okay. This question is for Philip. Maybe it's a little technical, but I would ask anyway. Philip, you mentioned Cloud Agent is a foundational technology for your full stack. Can you provide 1st and foremost some color?
I think somebody asked already on the call. What percentage of installed base already has a Cloud Agent installed? And more importantly, if you think about it from a perspective of getting this cloud agent into your installed base, why don't you bundle it with other solutions? When they upgrade, they probably get it for free?
So, no, that's so these are very good questions. So generally speaking, today, I'd say every customers will move to the cloud agents. Just a question of time. I would say today, I don't have the exact numbers, but more than 30% of our customers today have adopted one way. That will be we'll verify that number.
That's my guess today. And it's increasing. We see every Qualys customers will use the agent. That's for sure. That I can tell you.
In terms of the bundling, that has been always part of our strategy in many ways. So, we do that there's some free services that we had that we were bundling. So that's exactly we're now starting to look at these kind of things because we have more and that's why we have changed our terminology. We could call them cloud apps. We have the framework, and then we have the cloud apps inside.
And then we could effectively decide to do some kind of banding or making some cloud apps totally free to gain market traction. We did that with 3rd View. So if you look at 3rd View today, we had that SSL lab, which has absolutely generated a lot of customers to identify to measure the SSL. So, there's that's all the flexibility that we have. So, yes, we will do the similar things the way that you suggest.
We are absolutely.
Thank you. Our next question is from Rob Owens of KeyBanc. Your line is open.
Hi, this is Liz on for Rob. Thanks for taking my question. Just wanted to dig into the comment on the nice growth in average deal size for new customers. Would you say that's weighted more towards larger initial deployments or maybe seeing larger multi product deals? Thanks.
It's both. In fact, we have some time. We have now, unlike in the past, we have some customers, in fact, which really take 3 or 4 of our solution from the get go. And so that's a new trend, of course. And then, of course, we have our existing customers, which is essentially add more.
Still today, our market philosophy still remains that we don't do what this enterprise typical software company do, which is trying to get as much as they can and push the customer to buy more than what he needs. We still are very truthful to our philosophy of let's just give to the customer what he can swallow, what he can eat, what he can deploy, and then we'll grow So it's really from the customers, but we do see effectively, in fact, last quarter, we had a major financial institution that placed $1,000,000 order from the get go.
Thank you. Our next question is from Gur Talpaz of Stifel. Your line is open.
Hi, this is Chris Spiroz on for Gur. Thanks for taking my question. You mentioned the cloud agent adoption increased to $3,400,000 this quarter. How much of this growth is being sourced by new customer adoption versus sales into the current installed base? Thank you.
It's actually a mix, Chris. We do see new customers disproportionately take on our newer solutions, but we see the cloud agent being adopted both by existing and new.
Thank you. Our last question is from Michael Kim of Imperial Capital. Your line is open.
Hi, good afternoon guys. Can you talk a little bit about market segmentation or customer segmentation? I think last quarter you talked a little bit about a new VP for the SME market. And curious what some of the new initiatives and how that might change your selling motion?
No. In fact, we always have that market segmentation. The only thing that we did is that we have a very neat lead business on the SMB SMB business, and we want to make it accelerate its growth, especially now that we have gotten more solutions. And we hired essentially we want to make it more of a business true business unit. And that's what we hired somebody, which in fact, the unit that he was managing has been sold now by Symantec, which was the certificate business of Symantec.
And so which was at the time when Michael Lin was there, it was about a $300,000,000 business, if I recall that correctly. So for us today, we're going to see much more marketing initiatives around the SMB Business as we have now more solutions to offer. So it makes more sense now to really one of the reasons of our profitability is that unlike some of the companies would spend and wait to have the business to come and hope the business would come to them or more on the other side that we want to make sure that we have the goods and then we go and spend the money to accelerate the go to market, to accelerate the adoption.
And then in parallel, part of my agenda has been to use finance as a way to accelerate sales velocity. So for example, a big initiative of this year is to put in place an auto renew, which we think would be viewed very positively by our SMB, SME clients as well as increased usability of paying by credit card on the website. Yes.
And then we're going to build an online store and all these things again for the SMB market.
And would you need to accelerate to make investments internal investments, whether it's channel sales or inside sales teams and channel support?
Not really. I mean, it just goes with the business. That's the advantage of our model is that because we are separated very well between the new business versus the renewals, you realize that the renewal business, which is the big chunk, will always be the bigger chunk, then that's a business that you can scale very well. Then if you have investment to make, it's much more on the front end. And because we are very leveraged also with partners, so we can do that very cost effectively.
And we don't have that these are Maniswold sales guys, which are very expensive and need an SC and need all that other infrastructure and then the product need the professional services. So we have all that advantage of having a really well designed and well packaged cloud solution that essentially deploys immediately, instantly. You don't need exactly when you buy a phone and you download an app. It's all there and it all works. So we have significant economies compared to our on the sales and marketing front as well, compared to your traditional enterprise solution.
Thank you. And that concludes our Q and A session for today. I'd like to turn the call back over to Jimmy Kim for any further remarks. Ladies and gentlemen, thank you for participating in today's conference. This does conclude today's program and you may all disconnect.
Everyone have a great day.