Good day, ladies and gentlemen, and welcome to Qualys' 4th Quarter 2016 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen only mode. Later, we will conduct a question and answer session and instructions for asking a question will be given at that time. I would now like to turn the call over to Joo Meekiam, Vice President, FP and A and Investor Relations.
Please go ahead, ma'am.
Thanks, Michelle. Good afternoon, and welcome to Qualys' 4th quarter and full year fiscal 2016 earnings call. Joining me today to discuss our results are Philippe Courteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements.
Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 ks. Any forward looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP financial measures is included in today's earnings press release. The press release and an accompanying investor presentation are available on our website.
With that, I'd like to turn the call over to Filipe.
Thank you, and welcome everyone to our Q4 2016 earnings call. Melissa and I are pleased to report another solid quarter that included both strong revenues and continued profitability. We closed the year with 20% annual revenue growth and over 9,300 customers, excluding security consulting firms. In Q4, our new business bookings increased by 20% and we won 3 new Fortune 500 customers, each with an annual deal size greater than $500,000 We did have a couple of large upsells pushed into Q1, which contributed to our revenues coming in at the lower end of guidance. 1 notable late upsell of approximately $850,000 by Fortune 100 Insurance Company and a leading provider of cybersecurity insurance closed early in January.
In fact, this is quite strategic because this customer is expanding their current VM subscriptions to get the full inventory of their global IT assets, which enables them to have a continuous view of their security and compliance posture. During the quarter, we continued our momentum on the partnership front, announcing a partnership with Deutsche Telekom and we exited the quarter with additional significant partnerships in the pipeline. Our cloud platform is attractive to global MSSPs and outsourcers because our centrally managed and self updating solutions can be easily embedded into their offerings. These partners drive customers to us at a low acquisition cost and lower overhead, thereby providing us with significant sales leverage. All of this is a testament to how well we believe we are positioned in the changing cybersecurity market.
In fact, today we announced that IDC confirms we have taken the number one market share position of our IBM and HP in the $1,600,000,000 vulnerability assessment market. Qualys customers now include 70% of the Forbes Global 50 and 68% of Fortune 50. These market share gains have been driven by our unique ability to provide enterprises with both 2 second visibility across their entire global IT asset, whether on premise, on endpoint or in the cloud and a continuous view of their security and compliance posture. As importantly, our solutions significantly reduce the security and compliance spend by enabling them to consolidate multiple on premise security and compliance solutions in a single cloud platform that is centrally managed and self updating. As we indicated in our comments throughout the year, 2016 was a year of investment for Qualys from both a product and people perspective.
Regarding our products, we launched several new products into general availability in 2016, now consolidating more than 10 traditional security and compliance point solutions. To summarize, in 2016, we announced our groundbreaking cloud agent technology that transformed both vulnerability management and policy compliance applications, making them continuous and more effective by eliminating the need for scan Windows and authentication credentials. In addition to Windows, our Cloud Agent now supports Linux and Mac environment and are embedded within Microsoft Azure. We announced Threat Protect, which offers our customers the ability to integrate and correlate threat information natively, helping them prioritize remediation without having to take the data from Qualys out into other solutions. We announced our SAQ or our Self Assessment Questionnaire that allows customers to streamline their vendor and internal security audits.
We also unveiled a new form factor of our private cloud platform, the Private Cloud Platform Appliance for mid market companies needing to retain data on premise or within local geographies previously not served by Qualys. In Q4, we continue to see strong adoption of our cloud agents as well as Spod Protect with now 2,000,000 cloud agents purchased in the last 12 months and with more than 1,000,000 currently in active trials. In fact, 4 of our top 10 new customers purchased our cloud agents. We also saw Threat Protect almost doubling its booking again from the previous quarter. Regarding our investment in people, during 2016, we increased headcount by 34% from 510 people to 684 people.
The majority of this headcount increase was due to the expansion of our engineering efforts in India. This represents an important strategic advantage as we can add world class engineering, operation and customer support talent at rates favorable to our cost structure. Today, nearly half of our customer support, operation and R and D headcount is based in India. As we look into 2017, we're expecting further growth and customer adoption of our Cloud Agents and Threat Protect, expansion of our customer base and the release of many new features and offerings. Next week at RSA, we will announce a new significant strategic partnership.
We will also launch WAF 2.0 and WAF 5.0, which integrated together brings web application security to the next level by offering unprecedented scalability and remediation capabilities in the form of one click patching. At RSA, we will also showcase our File Integrity Monitoring and the detection of indication of compromised solutions, which will be in beta. We encourage you to stop by our booth to see our products in action and also join us for our company cocktails event on Monday, February 13 at the San Francisco MoMA. In summary, 2017 during 2017, we planned to release 5 additional solutions, namely 5 Integrity Monitoring, the detection of indication of compromise, Patch Management, Digital Certificates Management and Passive Scanning. Therefore, throughout 2017, we plan to continue hiring across all of our functions with a focus on the scalability of our engineering teams for the launch of new products.
We will continue growing our sales force and in fact I'd like to share that we recently hired a VP of EMEA and promoted 1 of our regional VPs to VP of U. S. Field Operations and Alliances and we will be looking for an EVP of Worldwide Field Operations. In closing, we are pleased with our achievements in 2016 and hope to take away from this call the following key points. 1, strong business performance as evidenced by our new business, renewal and upsell trends 2, a winning product and partnership strategy with an expanding and fully integrated product portfolio and new key partnerships 3, a balanced financial strategy as we continue to grow the top line of the business, building a strong foundation of recurring revenues, while maintaining industry leading profitability.
With that, I'll turn the call over to Melissa to discuss our financial results and guidance for 2017.
Thank you, Philippe, and good afternoon. I'd like to begin by sharing some color on our top line. 2016 was an important year for Qualys as we successfully released several new products, features and enhancements while growing revenues by 20%. Total revenues in the 4th quarter were $52,200,000 which represents an estimated 18% normalized growth over the Q4 of 2015. The restructuring of the MSSP contract earlier in the year resulted in a one time positive impact on Q4 revenues of approximately $350,000 This was offset by approximately $550,000 of negative FX impact.
Thus, the net effect to Q4 revenues was approximately a 40 basis point reduction on the reported growth rate. As Philippe mentioned, we closed significant new business during the quarter. However, we also had a few large upsells slip into Q1, including one for $850,000 which is already closed. On a reported growth rate basis, our vulnerability management solutions remained strong with revenues growing by 16% in Q4 from the year ago quarter and by 19% for the full year versus 2015. Q4 revenues from our other security and compliance solutions increased 22% over the year ago quarter, resulting in full year growth of 26% versus that in 2015.
We saw exceptional performance from both the cloud agent platform and from Threat Protect with cloud agent platform bookings accelerating sequentially by approximately 90% and from Threat Protect over 90%. In fact, we had 2,000,000 cloud agents purchased in the last 12 months. We continue to see adoption of our platform increasing with the number of enterprise customers with 3 or more Qualys solutions rising to 26%, up from 20% a year ago, and their spend in the quarter increasing 20% year over year. The number of customers with an average spend of over $100,000 continue to show strong growth, increasing 34% year over year in Q4, and the cumulative revenues for these customers grew 41% year over year. Clearly, we continue to see traction with our enterprise customers.
Let me now address our deferred revenue balance. Our current deferred revenue balance was $115,000,000 as of December 31, 2016, 17% greater than our balance at December 31, 2015. As we have discussed, our deferred revenues are negatively impacted in 20 16 by both the MSSP contract and FX. Normalized for the impact from the MSSP contract as well as FX, our current deferred revenue balance would have grown approximately 23% year over year. As a reminder, deferred revenues cannot be relied upon to calculate our current bookings due to the timing of the actual invoicing as well as the impact of FX.
Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non GAAP results. Our non GAAP metrics exclude stock based compensation and non recurring items. A full reconciliation of all GAAP to non GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the risk margin remained flat sequentially at 79%, which is very healthy when you consider our continued investments. Gross profit increased by 15% year over year to $41,000,000 in the Q4 of 20 16, but our margin at 80% was down slightly from Q4 2015. The year over year decline in margin was driven by our increased headcount investment as well as software and hardware expense to support continued growth of our operations.
For the 4th quarter, operating expenses increased by 18% year over year to 27,000,000. Research and development expense increased by 7,600,000 or 23% year over year, primarily due to higher headcount. Sales and marketing expense increased to $13,900,000 or 16% year over year, primarily due to higher sales headcount, higher marketing expense and costs related to our salesforce.comrelated implementation. G and A increased to $5,700,000 15 percent year over year, largely due to higher headcount and third party spend. Operating expenses were sequentially flat as the slight increase in sales and marketing expense from higher commission and trade show expense was offset by a sequential decrease in both R and D and G and A expense.
The decrease in G and A was largely driven by lower third party spend and the lower expense in R and D was primarily driven by a reclassification of certain immaterial license and software spend to cost of sales. Due to our strong revenue growth, adjusted EBITDA for the Q4 of 2016 increased by 12% to $18,500,000 compared to $16,400,000 in the Q4 of 2015. Excluding the positive impact to revenues from the MSSP contract, adjusted EBITDA would still have increased over the Q4 of 2015. Adjusted margin adjusted EBITDA margin in the Q4 of 20 16 was 35% as compared to 37% in the Q4 of 2015. Net cash from operations in the Q4 of 2016 decreased by 45% to $13,400,000 compared to $24,300,000 in the same period in 2015.
Free cash flow generated in the Q4 of 20 16 was $9,000,000 compared to $19,100,000 in the comparable period of 2015. The year over year decrease in operating cash flow was largely due to 3 items: the MSSP contract's negative effect on deferred revenue, a large multiyear prepaid deal received in Q4 of 2015 and an increase in deferred tax assets relative to Q4 2015. Capital expenditures were $4,400,000 in the Q4 of 2016 compared to $5,200,000 in the Q4 of 2015. Now I'd like to talk to you about how we are approaching guidance for 2017, starting with revenues. For the full year 2017, we believe revenues will range from $224,000,000 to $228,000,000 which represents a normalized growth rate of 16% to 18%.
We expect our reported revenue growth rate to be negatively impacted by approximately 300 basis points, of which 150 basis points is estimated to be driven by our current FX forecast, which assumes a similar geographic mix. The remainder of the negative impact is due to the higher estimated one time bump in revenue from the restructured MSSP contract in 2016 relative to 2017. As I indicated during our Analyst Day in November, we believe there's a real opportunity to sustain and even accelerate our revenue growth rate over the next few years due to our new solutions. However, because our new solutions are in the early stages of adoption, our 2017 revenue guidance does not assume a material contribution from new products. This guidance is informed by our 2016 results during which new products released since 2015 contributed approximately 5% of total bookings.
This figure was mostly due to our cloud agent, which includes the associated subscription to either vulnerability management or policy compliance. For the Q1 of 2017, we expect revenues to be in the range of $52,000,000 to $53,000,000 representing an estimated normalized growth rate of 16% to 18% based on our current FX forecast as well as the previously mentioned impact from the MSSP contract. We believe we'll see accelerating adoption of our new solutions during 2017, leading to an uptick in bookings over the second half of the year. We're excited about our prospects in web application security with our Q1 new releases of our web application scanning and web application firewall solutions. Our file integrity monitoring and indication of compromised solutions will go into beta in Q1 as we said at our Analyst Day.
Let me now explain how we are thinking about investments and profitability this year. 16, we balanced growth and profitability by hiring 174 net new employees and releasing a series of product and platform enhancements. Our adjusted EBITDA margin was 34%, which was flat compared to 2015 and in dollars, up $11,300,000 year over year to $68,000,000 In 2017, as we discussed at our Analyst Day, we plan to continue to invest to ensure we have the necessary scale and capacity to support our growth. We anticipate purchasing more servers in storage for our platform as well as hiring significantly in R and D. In addition to growing our sales force, we expect to increase our marketing spend as we decided to time new branding initiatives with RSA and our Q1 product releases.
We expect our operating expenses to sequentially increase over the year and these investments in total to decrease our operating margins 200 to 300 basis points from 2016. We expect capital expenditures in 2017 to be in the range $20,000,000 to $25,000,000 weighted toward the back half of the year as we invest for the rollout of new products. We also signed a lease in Q4 2016 for our new headquarters, which will require additional one time CapEx of $13,000,000 to $15,000,000 approximately 50% of which will be reimbursed by our landlord. In the Q1 of 2017, we expect CapEx to be between $5,500,000 $6,500,000 including the spend related to our new headquarters. We believe 2017 will be a pivotal year for Qualys as we invest to accelerate growth, enhance our leadership position in cloud security and set ourselves up for expanded margins in the future.
Like Philippe, I'm excited about our rollout of additional products and features, which will provide us a growing foundation of profitable recurring revenue, while providing our customers greater security in a scalable cost effective manner. With that, Philippe and I would be happy to answer any of your questions.
Thank
Our
first question comes from the line of Bill Choi with Wunderlich. Your line is open. Please go ahead.
Okay. Thank you. Just wanted to see if you could provide some magnitude of the total number of the large upsells that were pushed out in terms of billings? And also just getting a little more perspective about what kind of deal closures you're expecting in Q1, whether you expect all of those push outs to get completed in Q1?
Essentially, Bill, so essentially we had 2 we had a little bit more than 2, but essentially 2 big ones, ones which we already mentioned, which $150,000 which we closed early in January. The second one was close to $500,000 that we are expecting to close in fact in a week or 2. And there was a couple of minor ones. And in terms of the deal closures for the quarter, I think we're pretty much on track with all the deals, essentially because we do not have by the way major big deals. As you know these big deals they come.
They are not they don't come every month. So this quarter we have a lot of deals, but not major deals that we have not closed or that we don't the one 100% sure that we will close.
Yes. Also wanted to get some perspective on the feedback on these new products. Obviously, you're beta testing them in Q1, but you've been engaging customers about those upcoming betas throughout 2016. How are they thinking about either budgeting for these already or do they have to evaluate test and then scrounge up budgets as they get more comfort? Do you have any sense whether they're already planned for that?
Thanks.
Yes. This is a very good question. So on the financial equity monitoring, we essentially already had a significant demand for quite a few banks, essentially financial institutions, asking us to give them budgetary pricing, so they could budget. And this is the modality, this is an agent that we're going to sell significantly at a much higher price than our Cloud Agent for VM or Cloud Agent for Policy Compliance, because of essentially of the value that we bring and the fact that we eliminate a lot of costs, a lot of costs of maintaining traditional enterprise solutions. So that's for the final integrity monitoring.
The detection of the IOC, the detection of indication of compromise, we didn't really have many people looking for the budget because that's much more something that they want to do in many ways. Everybody wants to know if your devices have been compromised or not. So it's not really a replacement here. It's more a very nice add on to VM. The way we price it is very attractive.
So we didn't really see much pricing pushback. And so this is something that we expect also to see a very good adoption. The third one, which today we're trying to accelerate is go to market, which we have a huge demand for it as well. It's our digital certificate management. As you may recall, we already capture all of the information about the digital certificate.
This is something that we have, meaning who has signed them, when they expire, etcetera, and on a global scale. And then the only missing part is essentially the updating of those such certificates and that's where our agent comes in. So this is what we are currently building. We expect today not we will not make a firm commitment because we are trying to add additional engineering resources, but we are looking at having that solution in beta in Q2. And then we know we have a huge almost immediate adoption because that's a huge problem that every large customers we have.
And the Patch Management will come later. This is more will be in the Q3 timeframe as well as our passive scanning.
And I would just add on from the statistics that we provided about Cloud Agent, we're getting very good feedback. One thing I want to make sure people heard was out of our top 10 new customers for the quarter, 4 of them were purchasing cloud agents. So we see a lot of momentum there.
Thank you. And our next question comes from the line of Jack Andrews with D. A. Davidson. Your line is open.
Please go ahead.
Hi, good afternoon. Thanks for taking my question. Felipe, I was wondering at a high level, since you offer organically built cloud solutions, as you introduce more products over the next few quarters, are you starting to run into situations where because of the functionality you offer in the cloud, there may not necessarily be a traditional incumbent anymore. And I guess said another way, are you seeing more greenfield opportunities as your product portfolio broadens?
Significant, because what we see now that's another very good question. We see today a lot of our large customers having essentially what we call the digital transformation of their business, moving into cloud solutions. And this is what Qualys is extremely well positioned. We have not spoken much of what we do on securing the cloud, but this is another big initiative that we have that we call Cloud 360. We already have our agent fully embedded on Microsoft Azure whereby any Microsoft Azure customers can at the click of a mouse provision an agent for a trial, an agent is automatically activated and now they can have the view of the security and compliance of their applications and their infrastructure on Azure and via the Microsoft Security Center.
We are doing the same thing with many other cloud providers and we see quite a few number of companies migrating their IT legacy infrastructure to cloud environment. So we're very ready for that. We're also working on containers and there's a lot of things that we're doing here part of our Cloud 360 initiative, which in fact will present in great details at our next Analyst Day.
Thanks. And just as a quick follow-up, can you provide an update on how you're thinking about the overall federal market opportunity here?
So the federal market opportunity, we are very happy to have been 1 FedRAMP certified. We also have the major win with Lockheed Martin and we are currently today working quite a few new federal customers. As you know federal takes time, so we're not anticipating much revenues in 2017, but I think we're very well positioned for the federal market, very happy with that. So we're beefing up our federal practice and really starting to line up federal integrators.
Thank you very much.
Thank you. And our next question comes from the line of Gur Talpaz with Stifel. Your line is open. Please go ahead.
Hi. This is actually Chris Spiroz on for Gur. You mentioned that over 2,000,000 cloud agents have been purchased in the last year. Can you talk about the degree to which these agents are being adopted by new customers and driving new customer adoption versus being sold into your current installed base?
Yes, that's again. So essentially what we see is that today, as we mentioned a very strong adoption from our existing customers, I would say this is a no brainer. With the new customers, we see most of the new customers adopting the Cloud Agents from the get go. And it becomes a very good differentiator. I don't have exactly the statistics, but maybe you can give me some here.
In terms of mix, it skews towards existing customers. Our business, because of the size of our renewal base and the upsells are anything our business ends up skewing towards existing. So it's been a mix, but it's still more existing customers than new. But it's still we feel pretty good. It's a pretty healthy mix.
Yes. We see most of the new business customers are taking the agent as well. So that's what we see. And again, as I mentioned, that's a good differentiator.
Got it. Thank you. And one more if I may. You also mentioned that the number of customers spending over increased enterprise spend?
Yes, there's 2 very simple factors. 1 is that more continuing VM vulnerability management deploying. And essentially the use case now becomes to do the global IT assets inventory. This is something that we really believe in. We're extremely well placed.
I would say we're better than anybody on the market. Once we add passive scanning, we'll be not only able to identify and catalog everything that you know you have, but we're going to be able to discover very easily rogue devices. So in that case the full inventory of what you know and of what you don't know. And that's the foundation that every company must have and what is very unique about Qualys is that we do that across on premise solutions, endpoints and Elastic Cloud. So that's what drives that expansion of VM.
As I mentioned, in fact earlier, a huge upset of $850,000 from one of our major one of our existing customer. And the second essentially the adoption of additional products of additional solution, which is really going very well.
Got it. Thank you, guys.
Thank you. And our next question comes from the line of Sterling Auty with JPMorgan. Your line is open. Please go ahead.
Great. Thanks. Hi, guys. This is Jackson Ader on for Sterling. A quick question on expenses.
As far as the hiring investments and the headcounts you're going to add in the year, I know you mentioned that it's probably going to increase throughout the year, but is it going to be perfectly linear? Is there going to be any kind of seasonality to that?
Yes. I think there'll be just typical seasonality in terms of in Q4, you end up hiring a little bit less because people don't often move shops, they seek to get their year end bonuses. So there's nothing out of the ordinary, other than I think typical seasonality.
Yes. And historically, that's the way we've been managing our business essentially, that kind of balance between growth and profitability, but really focus on building a very strong foundation of profitable recurring revenues. So over the years, we're always managing well our head count versus our growth and that's what we have been doing. Today, if there is an acceleration, it's in India. That's and which of course is a significant strategic advantage as we discussed earlier and we've really been doing very well in India and we're continuing investing in India.
Okay. And then just to follow-up on that, would you expect that the expenses that the majority of them will be in India for 20 17 like you've been seeing?
Not really because it's the big advantage in terms of we have more account in India growth, but not in terms of expenses because you have essentially ratio of 6 to more or more, but 7 to 8 to 1. So it's significant.
Okay. And then just a quick follow-up on can you guys remind us the cash tax impact or the GAAP tax rate impacts that you're going to see in 2017?
Yes. So as you're aware, ASC-nine came into effect such that the excess tax benefits from stock based compensation hit the book tax expense instead of hitting APIC. So for Q1, this is driven by in part stock option exercises. As it's been publicly disclosed, Philippe exercised a large option grant earlier in January. That's what's driving the large Q1 benefit of 145 percent for an effective tax rate.
Right. Okay. Thanks, guys.
Thank you. And our next question comes from the line of Michael Kim with Imperial Capital. Your line is open. Please go ahead.
Hi, good afternoon guys. So with the 5 new solutions planned in the roadmap for 2017 and you talked a little about the need for growth investments in the R and D line. How can can you talk a little bit and how you feel about sales capacity and the need to maybe invest in the field organization or account managers and how we should think about that building out over time?
Yes. So as you know, the our sales force again is divided into 2 categories, the hunters and the farmers. With the farmers, it's almost mathematical. With the growth of the customers, we essentially grow our technical account manager post sales as we call them. And of course, the big advantage we have here is that because we do now the dollars per customer is increasing, of course, we don't need to double.
If one customer is a $1,000,000 customer a year and becomes a $2,000,000 customer a year, I don't need to double that headcount. So here we have a very and that's a big base. Remember, this is the core of our business. Then now looking so this is almost mathematic. It goes with the growth that we have very predictable.
On the new business side, essentially, we have now our new business is really coming more than 50% of our new business is coming from partners. Despite some of the very big deals that we do as new business directly. So that's essentially where the investment we see in our sales force is to add more new business people. That's what we're currently looking and in fact we're looking at people who can now start selling at a higher level. We have now the ability to sell to the CIO, which we've never had before doing a top down sale.
We could provide to the companies the full view of their global IT assets. We can now provide them with a continuous view of the security compliance posture on those assets and now with the IOC also telling them which of these assets have been compromised or that we believe are very suspicious. So that allows us to have a much more top down sales as opposed to the bottom up sales that we did in the past. So that's where we're putting the focus. And of course, having very strong partners and you will see the partner that we will announce at RSA give us significant ability to grow our new business as well.
So which is a much more balanced and much more profitable than adding a lot of feet on the ground. Yes.
And I would just add, we're very excited about the 2 VP positions that we've filled, hiring someone for the VP of EMEA as well as promoting someone from within for U. S. Sales, which he thinks will help sort of organize and help elevate the discussion to the CIO.
Yes. And I'm going to be as I mentioned in the I'm going to actively look for an EVP of worldwide sales, somebody who has really knows how to sell at the top. That's essentially what we have a very we have been a very good sales force, which knows the business very well. I think he's adding more new business people and as well as people who can help us connect at higher level in the organizations.
Great. And then just going back to some of the deals that got pushed into Q1, some of them did sound a bit on the larger side. Are you seeing any change in buying patterns, any additional reviews on the part of the enterprise customers and any general trend in lengthening of sales cycles?
No. What we see now as far as our business is concerned, we don't see any change. In fact, what we see today is that now they appreciate more and more the cost saving because we have significantly more new product. So now we start to speak in fact in terms of ROI sometimes about the money we can save them if they consolidate few of their application and that's very specific with the file integrity monitoring for example, with policy compliance as well. These are really application where we saved a lot of dollars because you don't need all these amount of servers and infrastructure as you know to manage our cloud based solutions as opposed to this traditional enterprise legacy software, I would call that, which requires hundreds of servers and updates, etcetera, extremely costly, not so much on the term of their maintenance per se of the license, but in terms of all the costs associated with managing them, updating them, etcetera.
Thank you. And our next question comes from the line of Matt Hedberg with RBC Capital Markets. Your line is open. Please go ahead.
Thanks. This is actually Matt Swanson on for Matt. Philippe, can you talk a little bit about the competitive landscape in the WAF market and maybe as it relates to the updates that are coming at RSA and how that leaves you positioned?
So we're very excited with the WAF with our WAF. Again, you recall, we did our WAF 1.0 where we're very happy with the quality of the engine, but not so happy with the fact that we had been too ambitious in the beginning to provide that one click patching. So we had to go back to the drawing board a little bit to open up our engine, etcetera, to some engineering work. And that's it. We have done it.
So now today we're bringing to market. At the same time, extension to our Web Aviation Scanning, which is the web application scanning 5.0, which essentially has 2 new elements. 1 is the ability to automatically scale. So now instead of having to configure the scanners to scan large numbers of application, you don't care, you just point scanners and they automatically load balance and now we can scan very easily thousands of web applications. That's the one thing.
And the second thing and you will see why it's important to have the one click patching because what's the purpose of scanning thousands of web application if you cannot fix the code. So you need of course to eliminate the vulnerabilities and the only practical way today on web application is to do the virtual patch. So the second thing that the web application firewall brings to the table is the ability to essentially scan the REST APIs, which opened the door now to us looking at mobile web applications. So that's again, that's kind of a new market. And now with the one click patching, essentially we identified the vulnerability and now we have made that very easy with one click the ability to patch.
What was missing before the mistake was made that's when made that automatic and then of course nobody wanted to have that automatic which and so we had to open up everything, the kimono, so now we can show exactly what the engine recommends that we do. So people can look at that and then if everything is fine, plug the click and the virtual patch is pushed and installed. So they go hand in hand. So that we think is going to do 2 things. 1 is accelerate our growth of web application scanning, but also at the same time add additional revenues with the web application firewall.
So we're very happy. It went GA like I think last week or few days ago. So now it's GA and we start to see some very good results.
Thank you. And our next question comes from the line of Siti Panaghi with Wells Fargo. Your line is open. Please go ahead.
Hi. Thanks for taking my question. Malisha, this first one on housekeeping. Did you say that VM solution growth for Q4 was 16% and 2016 was 19%?
That's correct, Siti.
And what about the similar growth rates for the other security I think?
Yes. So for Q4, it was 22% and for the year, 26%.
Okay. Okay, that's helpful. Now looking at your guidance for 2017 of 16% to 18% normalized growth rate. If I compare that to your normalized 20% growth rate earlier, what are your assumptions in terms of VM market growth? Are there any factors like competitions or any other factors that influence your growth rate for 2017?
Any color would
be great. Yes. Sure. So we had a great quarter across new products as well as across VM. When we've talked about VM historically, we've talked about how VM has grown 19% both in 201520 16, continually outperforming the market.
And that's because the innovation we've done around VM related solutions. And so we talked about at Analyst Day, if you looked at the original core VM solution was approximately 83% of revenues 3 years ago, it was only approximately 75% of revenues today. But because of the early because we're in the early stages of adoptions of our new solutions, our guidance does not assume a material contribution from new solutions.
Okay. Do you expect any kind of revenue stream coming from Threat, Protect or Cloud again, any of the new product probably more in the 2018 timeframe? Or what's your expectation on that?
Yes. We haven't baked in a material contribution from new solutions, and we would include that in it as well. We provided I provided the color that for the years 2016, these solutions contributed to bookings to they were about 5% of total bookings, but that also includes the underlying for Cloud Agent, the underlying vulnerability management or policy compliance subscription. So we feel very good about the momentum, but it's early stages of adoption for us.
In terms of revenue impact?
Right. In terms of revenue impact, that's correct.
Thank you. And our next question comes from the line of John Lucia with JMP Securities. Your line is open. Please go ahead.
Hey, guys. Thanks for taking the question. You said your revenue was negatively impacted by deal pushouts out of Q4 into Q1, some of which have closed, yet your Q1 guidance doesn't seem to reflect that. The Q1 guidance is for historically low sequential growth if you look at Q1. Can you just help me understand that?
Yes. So look, as we said, we had a great quarter. We had record new business in the quarter. We saw strong performance in new solutions with Cloud Agent bookings accelerating 90% sequentially and TheraporteTek almost doubling. We saw increasing dollars from multiproduct adoption from our enterprise customers.
But Q1 is a seasonally low quarter for bookings for us. And because we're in the early stages of adoption of our newer solutions, we're not assuming material contribution in our guidance. And we also have headwinds from MSSP and FX that we've taken into account.
Okay. And I guess I want to circle back on the new products. You've had the new products like Cloud Agent. I think Cloud Agent was introduced 2 years ago, Threat Protect, I think, was a year ago. I know there's been significant product innovations that have happened since then or updates, but why are we seeing these products be meaningful in 2017?
You just need more time or is there a catalyst like a product release or something that will drive the growth in 2018? I'm just curious why we're not seeing meaningful contribution in 2017 from these products?
Yes. It just takes time for the adoption of there are 2 things that we're impacted from, right? 1 is the adoption of new products and then the time it takes to impact our revenues because we have a ratable revenue recognition model. We see a lot of interest from the cloud agents, but in certain situations, it involves getting the buy in from IT in order to implement them. And so all of our customers are giving us very good feedback.
And as we said, we have approximately 1,000,000 cloud agents in trials, so we feel very good. But we think it's prudent to guide based on no material contribution to our revenues from these.
Yes. And also if you say that the cloud agent is about will be 2 years old in August of this year essentially, but Threat Protection is much younger also as well. So of course, we have a lot of cloud agent. ThreatProtect is essentially a 30% increase in the net to us, let's say, is about 20% net, if you count the resellers and so forth on our current VM. So that's of course very good, but it takes as Melissa mentioned, it takes some time.
So we have been prudent.
Thank you. And our next question comes from the line of Stephen Couch with Stephens. Your line is open. Please go ahead. Mr.
Ketch, your line could be muted.
Sorry, it was. This is Steven on for Jonathan and thanks for taking the question. So most of my questions have already been answered, but just a quick modeling question. With regards to cost of revenue moving forward, it makes sense that you are have some additional expenses there ahead of your revenue ramp. I guess looking into the back half of twenty seventeen and probably into 2018, should we expect gross margin to tick back up into the 80% -ish range or should we think about 79% as kind of the new run rate?
And is can you give us a kind of a broad timeline on when we should expect you to grow into those additional expenses? Thanks.
Yes. So in terms of cost of sales, we're going to be adding expenses throughout the year. So while we don't guide to gross margin, you could see some pressure there and it's a bit early to give color on 2018.
Okay, great.
That's all I have. Thank you.
Thank you. And our next question comes from the line of Patrick Colville with Arete Research. Your line is open. Please go ahead.
Hi there. Thanks for taking my question. So profitability implied in your guidance seems to be kind of falling for next year. Is that due to continued R and D investments? And I guess the kind of second half of that question is R and D as a percent of sales is quite high versus software companies more broadly and security companies.
Is that something we can expect to trend down over time?
Yes. So as we indicated at our Analyst Day and then we confirmed here, this 2017 is the year of investment for Qualys. And as such, because we see such an opportunity to sustain and even accelerate our growth rate, we are making investments across the company. A lot of it is going to be headcount in R and D as we add people to support the rollout of new products. So that's not only engineers and QA around specific new products, but it's also people who are developing additional capacity in the back end to support the additional customer base that we expect to get.
So that's going to be a lot of it, but it will also be areas, I talked about like sales and marketing, both from a headcount perspective as well as the branding, as well as expenses around branding, which we decided to time around the RSA conference.
Yes. And just to add a bit more color on the engineering side to give you some example, we're continuing to expanding our back end significantly. So we introduced Elasticsearch capabilities. I'm very happy to report that believe it or not we have today 9,000,000,000 data points index with our cluster of Elasticsearch and significant. So now we're adding additional components to our backend such as Kafka and Cassandra for essentially analytics.
So all of that of course requires investment in the back end and of course as you continue delivering new services on the top of this back end capabilities that's where you really get the leverage. So we're still investing for the future. We'll be the very powerful platform. We're going to introduce passive scanning. So it's all about getting more data, more power.
We just announced that we have expanded in fact our data centers to adding 3 more, one in the U. S. And now we have 3 shared platform in the U. S. We have added 1 in India, which is going to serve the Indian market.
We are starting to see very good traction as well as Asia Pac. And another one in Amsterdam with 1 in Swiss historically and we still have one in Switzerland, we've just added another one in Amsterdam And the specific reason of that additional one in Amsterdam is to comply with the EU regulation, whereby you need to have your data in the EU country and Switzerland is not as I'm sure you all know an EU country. So now we're in Amsterdam and this is they are both these 3 additional data centers are operational already.
Got it. Thanks very much and see you next week, Oreste.
Okay. Thank you. Yes, very happy to see you there. By the way, I invite all of you to come at the booth. We have a huge, huge display 7 by 9, where we're going to showcase our solution is quite impressive.
And high definition 4 ks display, so that should be fantastic. So we cannot wait to see you there and you could see what we're doing.
Thank you. And I'm showing no further questions at this time. And I would like to turn the conference back over to Jumi Kim for any closing remarks.
Thanks, Michelle, and thank you all for attending our Q4 and full year
Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program and you may all disconnect. Everyone have a great day.