Welcome to Qualys 2016 Analyst and Investor Day. I'm Jimmy Kim, VP of FP&A and Investor Relations at Qualys. Today, we have a series of presentations from the Qualys executive team and Mark Butler, Chief Information Security Officer at Pfizer. We also have some exciting product demos by Sumedh that we think you'll find very interesting. Before we get started, I'd like to point you to our Safe Harbor in our management presentation, given that we expect to make forward-looking statements during the event.
Our risk factors can be found in our Q3 press release as well as our latest SEC filings. Our non-GAAP to GAAP reconciliations can be also found in our press release as well as in the appendix of this presentation. At the conclusion of this event, a replay of the webcast along with management presentations will be made available in our IR website. With that, I'd like to introduce you to Philippe Courtot, our Chairman and CEO.
No, I should have Okay. So thank you very much, Jimmy, and good morning and thank you for attending our Investor Day in New York. So this morning, I would like to discuss with you about the consolidation of the cybersecurity industry that we see coming, discuss about the key drivers and then discussing with you why we believe that Qualys is very well positioned to be a consolidator of that industry and also discuss with you about where we are going to focus in 2017. So in fact, there is multiple drivers at play. We all know that attacks are not going to subside anytime soon.
Today, we are fighting essentially the bad guys with a multitude of solutions, point solutions that are lead to deploy, difficult to deploy, expensive to maintain, they don't speak with each other. So we are here at a huge disadvantage. And at the same time, companies are faced also with the necessity to retool their computing infrastructure to leverage, of course, these new cloud technologies. So for them, it's a huge challenge because on one hand, you have to continue securing this old infrastructure with again tools which are very expensive to deploy and maintain. And then you have also now to secure as well.
While you move into this new environment, you have to secure also as well that environment. And that of course is a huge challenge because you need the resources. It's very expensive. Now you pay twice. So it's a huge effort and a huge challenge and we see that with all of our customers.
In addition to that now the regulatory environment is becoming putting a lot of pressures on large corporation because and we see that in Europe and it's coming as well into the U.S., where the regulators now want to make the company responsible for the security of the privacy of the data that they collect from their customers. And in fact, there is even in Europe today, there's regulation that will impose fines if they cannot demonstrate that they have done everything they could to ensure the security and the privacy of the data of their customers. We see today a fledgling cybersecurity industry insurance industry coming, which of course is going to also look for metrics about how we can ensure that before I can ensure you that you have taken enough of the steps so you will minimize the risk of being breached.
All in all, it means that there is absolutely a need to find ways of doing these securing that complicated environment in a much more cost effective way. And in fact, in the presentation of Mike Butler, you will see the challenges that I've just described that every large company has today. The average Fortune 1,000 today has about 30, 35 security and compliance solutions that they have each of them have their own infrastructure. They require specialists to operate them. They again don't speak with each other.
So you have to make the effort of integrating the data from 1 and the other so you can have a better view of your security and compliance posture. So what I would like to discuss now is how well we think we believe that Qualys is positioned. First of all, we build an impressive customer base, which since the very early days understood that the cloud based architecture was presenting a significant advantage. We started with VM as you may recall and our big advantage was that we could deploy much more easily. So deploying the vulnerability management solution, which essentially was scanning your Internet facing devices, we were doing that from the cloud, which is very logical.
And then through appliances that we were FedExing to you, so we could look at your inside of the network and bring all that information. So we had in fact because of that, we have taken a significant share of the very high end of the marketplace with more than 60% of the Forbes Global 100 because of the deployability that the cloud based solution offer us. So of course this customer base that we know today have that issue and they're absolutely looking at us to deliver more application in the same way. And that's what you're going to see is the demonstration or the new services that we're bringing together, essentially consolidating the significant number of application all delivered from the same platform. We have built a very highly scalable go to market model that Amer Deeba will essentially give you more details on, as you will see a combination of market segmentation.
We now serve out of the same code base, the enterprise, the SME, the SMB, but also build a significant ecosystem with a lot of partners from the MSSPs to consulting organization to traditional enterprise consulting organizations. We have built a true cloud platform, which is extensible and Sumedh is going to give you the view of what makes that platform so powerful. In fact, we've built a significant barrier to entry. It took us a long time to build all these capabilities. Essentially today, we can scan every IP on the planet, every website on the planet.
We do about 3,000,000,000 scans a year today. And of course, we could do significantly more. But also as most of you are familiar, I've extended the capabilities of that platform with this groundbreaking agent technology, which allows us now to enter also not only make the vulnerability management application and the Policy Compliance application more real time, more effective, more continuous, it's also now it's a new platform that as you will see in the demos and in the presentation of Sumedh also enable us to bring additional solutions together. Sumedh will also tell you about that additional technology that we're bringing, which is the passive scanning, essentially the network analysis. So if you look at what Qualys does today, we have 2 main engines.
1 is the scanning capabilities. I used to say like the Klingon on the enterprise, scanning the universe here. And then the second technology, which is this cloud agent technology bringing in real time continuous information back. And now we're adding the 3rd technology, which is analyzing what's coming in and out of devices and what's happening in the network, bringing all that into our powerful, powerful back end where we can, of course, correlate information, analyze and have a much better view and much more continuous view of the security compliance posture of your entire computing infrastructure, whether it's on premise, whether it's on endpoints and whether it's on cloud environment. And this is what Qualys has done very uniquely.
Because of that platform also we've been able to release significant numbers of new services in 2016 and Sumedh will tell you more specifically about all the new services that we're about to release in 2017. We added about a few months ago Elasticsearch capabilities, which allows us now to view and search in seconds across all that information that we collect, giving the ability to provide companies with that 2 second visibility on their global IT assets. And again, Sumedh will give you a demo, a live demo of those capabilities. We have in fact built an impressive engineering capabilities. First is, of course, the platform in itself.
It took us a long time to get there, but again, it's a huge barrier to entry that we created for ourselves. But also it's the unique organizational structure that we have established. When we embarked about 5, 6 years ago now to rearchitect our first platform because we realized that, of course, the technology has changed. So we injected a lot of new things into the platform with Barq to do then major architecture expansion. But what we realized is that the cloud was very different.
The beauty of the cloud is that you can deliver instantly your services or your solution globally. And so we realized that in fact we needed to put together into under one roof all the components that are needed to ensure that we can build, QA, deliver, support our solutions. So under one roof under Sumedh, we put essentially engineering, QA, ops, DevOps, customer support and product because all these pieces have to work 24x7 together. And what we did is we cloned that structure in Pune in India, which allows us of course now to have the full 24x7 coverage, but also allowed us to attract in fact the top talent in India. So India has become a significant element of our ability to continue improving our solutions as well as delivering new services.
We have now today 200 people in Pune, India. We have added about 100 in 2016. And of course, we are continuing investing there. And we went to India not for the cost. Many company goes to India for the cost.
We went for the talent. And then as Jack Welch said many years ago, and then we discovered the cost. And engineers in India cost us $25,000 a year as opposed to $200,000 in California, a significant advantage. We'll also build over time a global presence. We have essentially 25 companies registered in the world where of course we pay taxes, where we have teams, local teams.
And that in a way give us significant opportunity to increase our sales productivity. Why? Because today we do much bigger deals in the U.S., which represent about either 75% of our revenues. But today we have a huge potential of increasing our sales as we deliver more services already have built infrastructure.
So of course, this is significant productivity gain that we're expecting to see in the future from our presence abroad. In the U.S., the increasing productivity is the fact that we do more and more bigger and bigger deals. And I think Melissa will give you some data about how we see the dollar for customers increasing significantly in the U.S.
So finally, we have also built a model which is extremely profitable. And in fact, and Melissa will go through the specifics of what makes our model so naturally profitable and as well as she will give you some metrics about how to look at the model that we're building over time and how is that model shaping up. So now what do we want to achieve in 2017? So essentially, we want to focus on 3 things. One is that we're continuing investing for growth.
This year was has been a year where we invested almost in every segment of Qualys in sales, in marketing, in engineering. So we have to continue that because we believe we have a huge opportunity to see as we are delivering more services, we're going to pick up naturally more momentum. Having more services to offer makes us, of course, much easier to get new customers. And of course, it makes us significantly more sticky with our existing customers. We now want to also look to we've been doing everything organically since the very beginning for a very simple reason is that as we were architecting our back end, acquiring companies and having to integrate now their technology would have been far too much.
So we're very prudent in that sense and say we need to get our architecture right, build the right foundation and then we will be capable of acquiring companies. So today, as I mentioned quite a few times on the earning calls, we're ready for that, except that we need to find the right companies and we're very careful and making sure that we're just not looking at a company just to get top line growth or looking at companies which either will allow us to accelerate some of the existing development that we're currently undertaking or that will essentially bring us faster into adjacent markets. Their technology needs to be also capable of being injected into our back end. So as we speak today, I used to say we're kissing a lot of frogs in hope to find the princess, but we are very actively now looking at making some small acquisition, technology centric, which again would either allows us to accelerate some of the undergoing developments or bring us faster into adjacent markets. The second focus is that today we have the opportunity now that we've built, as you will see from the demonstration of Sumedh, a significant and very powerful solution.
This is a time for us to elevate our messaging. We always have been careful through these 2 qualities of not claiming things until we really have them. Some other companies take on a different approach. So we've been seeing and we're seeing much more as a vulnerability management company, which has done a very good job there. But today, we're significantly more than that.
As I mentioned to you, we believe that we are going to become an important actor in the much needed consolidation of the cyber security industry. And one of the things, of course, that we are going to do is to now reach out to the CIO. Historically, we have been selling bottom up. We started to sell to the techies, to the white hats and then moving up the food chain. We're selling now more and more to the CIO to the CISOs.
But now today, we have the goods and you will see that very clearly in the demonstrations of in the live demos that Sumedh will give us. We have now the ability to go and sell to the CIO. And essentially, this is what I can go and sell any CIO today on the planet. Today Qualys can provide you with a 2 second visibility across all of your global IT assets, whether they are on premise, on endpoints or in the cloud. And again, you will see that from the demo of Sumedh.
Across millions of IT assets, we can add attribute to those assets. The business owner, the technical owner, the criticality, what the asset is. And then we can synchronize also that with your CMDB. And we have done already the synchronization of the ServiceNow CMDB, starting to have some customers doing that. Well, with a few large companies today building that ability to provide them with the full continuous global view of the inventory, which today no company in the world really has been able to do.
The second thing from there, we can now provide you with a continuous view of the security and compliance posture of those assets. And soon early next year, we're going to be able to also provide you with indication of which assets are already compromised or those that we believe indicate that they probably are as well. And finally, and as importantly, of course, we can reduce drastically your spend. Why? Because we consolidate today 10 enterprise security and compliance solutions, which again all require their own infrastructure, their own people to manage them, that to integrate the data between those applications, you need to go and take the data and put that into a Splunk or into anything else or create that integration yourself.
And you will see, for example, with Threat Protect that Qualys offers you natively the integration of threat information with the vulnerability information so we can help you prioritize. That today requires of course, if you're a Qualys user or a vulnerability management user for you to take the data out of our application and essentially use another either put that into Splunk and put the threat data, do yourself all that correlation, but now today Qualys can offer that to you natively. So just through that very simple process, we eliminate a lot of costs. And one of the beauty of our cloud based architecture is that everything that Qualys does is centrally managed safe of dealing and this is how we can eliminate significant costs. So with that, thank you.
And I would like now to introduce Sumedh, our Chief Product Officer, which is going to show to you essentially what I've just told you. Thank you very much.
Good morning, everyone. I'm Sumedh Thakar. I'm the Chief Product Officer for Qualys. As Philippe said, I'm responsible for all product related functions, engineering, product management, customer support, infrastructure ops, essentially anything that's needed to keep the product up and running and innovating on the product.
So I'm going to talk a little bit about what we have done in 2016 on the platform and then give a couple of live demos on functionality that we already have released recently as well as a couple of the upcoming new products that we are working on around file integrity monitoring, indicator of compromise detection from malware, and then give a bit of a roadmap update on when we will be delivering these services. Kind of elaborating on what Philippe said, our customers today are everybody is global. Even a small company today like Qualys, as you saw, has multiple locations, even with 600 employees. So everybody kind of needs to have a view of the global visibility in sort of this perimeterless world. And today, our customers look at infrastructure.
They have their on prem infrastructure that they are working on, have been working on for a while. Obviously, endpoints are increasing. A lot of people don't give desktops. Laptops are going out of the enterprise all the time. Traditional enterprise solutions don't work that well on that.
And then there's a definite move towards cloud in pretty much every customer. They are moving a bunch of their applications to the cloud. But so you have all these interconnected systems that are heterogeneous and they have to be looked at by the security team and the IT team all at the same time. So it's not a one flip switch that moves them from the existing infrastructure, the cloud infrastructure. A lot of times, they will have all of these infrastructure connected.
And so the risk, as they're looking at from a security perspective, is also connected. So you have your application maybe your payment processing for our customers is hosted inside their on prem environment. Maybe the front end of that is being hosted in AWS or Azure. And then you have laptops for employees that have privileged access that are out there at coffee shops. And so any one of them getting compromised can basically lead to a compromise of the overall system.
And the way customers have been looking at this is they tend to get different solutions. Maybe they'll get CloudPassage in the cloud and Tanium on the laptops and then some other solutions on their on prem. But that really creates issues for them to get the single pane of glass visibility across all of this infrastructure at the same time. So which means, as Philippe said, they need to pull that data out into other solutions like Splunk and try to build it themselves, which of course incurs a lot of costs. So that need for single pane of glass is certainly there.
And the way we have been developing our platform is making sure that we can provide the single pane of glass view with sensors and connectors that are throughout all of the infrastructure that they today have to manage. So we have done a lot of work in creating multiple different sensors. So whether it's on prem physical environment, physical servers, whether it's virtual environment, with virtual we have 11 different hypervisors that we support. We have cloud certified AMIs in Amazon, Azure. We have the cloud agents now that go on all three infrastructure.
We're also pretty close to coming up with a sensor for Docker and container based security as well. And then, of course, we're releasing our passive scanning sensor, which gives the visibility on the network side as well as our API. So with this approach, we instead of having individual instances of the solution being deployed in AWS, in Azure on prem, and they don't talk to each other, customers get the single pane of glass view, but then we take a combined approach with agent based technology, agentless technology as well as the passive scanning technology. All of that pulling that information, putting it into the back end, and that's really where we do a lot of the analysis. So there are solutions out there, which are being leveraged to ask queries off of the devices like Tanium, where you go in and you ask the query that gives point in time response.
Our approach on architecture from a cloud oriented architecture perspective is very different. We collect information from the devices. We put that up into our platform. We have done a lot of work on the platform side with new back end with Elasticsearch, with Kafka, a lot of these improvements and new back ends that we have put in place. And the idea is that as the sensor picks up a change on the device or on the network, it sends that up to the platform.
And then based on what the customer has subscribed to, we will run the different engines that analyze that change on the platform side. So this keeps the sensors very lightweight. And then we have the ability to say one registry was changed on the device. Does that mean it's a vulnerability? Does that mean it's a compliance issue?
Does that mean it is actually part of an indicator of compromise? So we can do that analysis on the platform side without the customers having to take that hit on their devices. And this also consolidates the number of sensors. So in a traditional environment, you will have a different sensor for looking at a file. For vulnerability, you will have a different agent for file integrity, you will have a different agent for indicator of compromise detection.
Now we are able to consolidate all of that with a single agent, one sensor that is looking at the changes. And then all the analysis is being done on the platform side and now we can give different views as I will show in my presentation. We can get different views of that same change based on which group inside the organization is looking at that. So as I mentioned, because of the sensors, the distributed sensors that can go globally, we have multiple customers today that have 200, 300 appliances. These sensors, as Philippe mentioned, we have over a million agents that have been purchased already by our customers, all of them putting information up into the platform.
We have our analytics engine, we have our API, and then that is enabling us to provide multiple different solutions off of the same platform. And as I will show in the demonstration, that one change on the file can now today, we are looking at that for vulnerability and compliance. We can also now look at that from a file integrity monitoring perspective. So for customers, what does that mean with this platform? Instead of them deploying individual sensors and agents, and then, of course, also the management consoles of each of these solutions in each of these infrastructure, and then an additional system to try to pull the data from each of them and making it work on the Qualys platform, they get all of that already built into the platform.
And all of those applications are off of that same platform. So not only can they reduce the amount of cost that they have to do by putting infrastructure, putting more servers for each of these solutions, the management console, the agent, but the information coming into the platform is already correlated. So when there is a file integrity alert, you're going to look at the asset, you already see all the information regarding the asset inventory of that asset, the vulnerability posture of that asset, the compliance issues with that asset, all in one place, already pre built, so they don't need to pull this data out in other systems. The platform already does about 3,000,000,000 scans every year. So we are processing trillions and trillions of data points.
We've also done a lot of work on taking the platform and making that available as a private cloud option as well. So which means that in highly regulated environments, customers that need to have that information on their premises, not necessarily have to put that information out in our data center, have that option. It's the exact same code base. It's deployed in the customer environment, but Qualys will remotely manage it for them. We have a hardware virtualized.
We have that in AWS now that our platform also is FedRAMP certified. We just recently became FedRAMP certified. We can now put this platform in GovCloud or SIs who actually are already working with the federal government. And it gives us multiple options for creating sovereign clouds. And today, we already have 30 of these platforms deployed globally managed by Qualys.
So it allows us to go in countries where they can a partner can deploy the Qualys platform, provide multi tenant services to the customers in that particular country because they may be okay with the cloud, but just not the data going out of their country. And so this really is enabling more of those partners, customers to deploy the same platform and all of the same services inside their premises managed by Qualys as well. We've also done a lot of work this year to create a smaller version of the platform. So for banks in these different countries where they may not have as many number of IPs, we have customers today that are scanning anywhere between 1,000,000 to 2,000,000 devices on a daily basis. So with the platform, we have managed huge scale.
But there are also leveraging container where we are leveraging container technology to deploy the same features, same functionality now inside of their environment, even for a smaller at a much lower cost to them. However, still managed by Qualys is another innovation that we have done this year, which is now enabling us to go into the markets in Asia and these countries where they do need to have, because of regulation, the information stored in their environment, but they don't have that many number of devices as well. One of the foundational changes we have done on the platform side is the cloud agent. So it's a very innovative agent that we worked on and we have filed for that. It's a very lightweight agent.
It goes on your on prem servers for the customers, goes into dynamic cloud environments as well as endpoints. Because of its nature and being lightweight today, it is very scalable. We have over a million of these already purchased by our customers. The really significant advantage of that is that we provide this agent. So if you think of what Philippe was talking about, giving our customers the ability to have that global view of all of their assets. We give this agent for free to all our customers, so they can deploy as many agents as they would like.
That free agent gives free asset inventory information up to date near real time, which brings a significant value to the customer. So if they want to go in and search for their assets in the platform, they can do that very easily. And then from that point on, when they decide to do that they when they decide that for they want to vulnerability assessment or compliance or file integrity monitoring or any of these additional solutions, they can just go in and then now they can actually leverage the licensing model and they can actually purchase those to get some of those agents or a bunch of those agents working on for leveraging those modules as well. So the reason why this agent is different, it's a delta based approach. So we don't actually run on the endpoint.
We actually collect information about that device and what is changing on that device and send that information up to the platform. CPU and the network and all of the information is stored on the platform side. That's where all the heavy lifting happens, which is very different than the other agents. Today, that agent provides our customers with the ability to instantly query information as our demo, you can go and say, show me all devices that are a particular manufacturer, show me all devices that have this particular OS or this service running on it or a particular version of the software running on it. So typical asset inventory challenges that customers struggle with because their CMDBs are not up to date.
We provide that functionality with this agent. That same agent is providing also that real time asset inventory with the query capability. We are doing vulnerability management with that agent today as well as the policy compliance, configuration compliance functionality. Coming up, as you will see, early next year is also going to be file integrity monitoring with that same agent, indicator of compromise detection. And a big one that we are going to do next year is also the ability for that same agent to also deploy the patch.
So today, a lot of our customers with Qualys, they get the view of their entire patching environment or what they need to patch across all of their infrastructure in one view across 2,000,000 devices, they will see exactly how many devices in one single interface. They can see that how many of their 2,000,000 devices need a particular patch. But then when they have to go and deploy those patches, they have to work with 10 IT teams, 25 different solutions based on which operating system it is. And the patching is very costly and takes a lot of time. And so now by providing with that same agent the ability to in the same interface where we show them that these patches are missing, we just say, okay, now go ahead and deploy this patch across these 10 global locations is going to be something significant, and that will really eliminate a lot of costs for our patch management capability as well.
Quick note on the passive sensors. So as we talk about putting an agent on the devices that the customers know about having the appliance to scan actively networks, the third component of this is the ability to have a passive sensor. So we can actually look at all the traffic in the various environments, networks that the customers have. So we can pick up the activity on the network, new devices coming onto the network, devices communicating on the network. So now when they look at that interface, that single pane of glass view, they can see exactly how many live devices are communicating, are alive on the network.
Out of them, how many of them have been actually scanned already by the Qualys VM solution? How many of them already have the agent? And then how many of them they don't know what that thing is, but it's there, it's communicating. So now we provide that visibility, so customers get value out of that. But of course, it also encourages them to now be able to bring those additional devices as part of their scanning program, as part of their indicator of compromise program or their file integrity program as well.
So in 2016, we have done a lot of work. As Philippe said, we have a 200 person strong team in Pune in India. We have about the same number of developers in the U.S. as well across different teams.
So we have been able to deliver quite a bit through the year. We delivered AssetView and ThreatProtect, which I'm going to demo. We went GA with our Linux and Mac agent. We created a ServiceNow CMDB synchronization because as our database is up to date in near real time about what software is installed on those devices, what hardware is there, what's the disk space availability, that information needs to be synced into ServiceNow where a lot of customers are using the ServiceNow CMDB. So we have a connector in the ServiceNow app store that they can just leverage that connector and keep their information synchronized between the 2 different solutions.
We have a TA for Splunk. Customers who want to pull this information into Splunk can now actually do that with a TA that is provided by Qualys. We talked about the smaller version of the private cloud platform that we provided. It was a huge effort to get FedRAMP certification, and we achieved that. So now we're looking forward quite a bit to working with federal customers, updated our web application scanning capabilities to address newer single page applications, AJAX applications.
That's been quite a big feature that our customers have been waiting for. Another thing that we really, I think, which is quite strategic is the Azure Agent. And the interesting thing about this is, this is one of those when we talk about security needs to be built into the fabric of the infrastructure, this is a great example of that because now Azure customers who have their security center from Azure can directly without having to download or without having to go through multiple steps of deploying, go in and click with a single click deploy the Qualys agent on all of the VMs that they are running on Azure. And that information then automatically is processed by the Qualys platform and synchronized back into Azure Security Center. So now customers who are leveraging this new infrastructure with a single click can get that functionality, but it also provides the information with the cloud to cloud integration back into Azure, so that they can actually put remediation policies around that with the security center.
They can say, if Qualys reports that there are X number of vulnerabilities, then those vulnerabilities are synchronized back there. And if I see any issue on one of these VMs, which maybe has a publicly exploitable vulnerability, that needs to be quarantined, put it in a different security group, whatever it is. So making it extremely seamless, making it very easy instead of deploying entire solutions as their own VMs into these platforms, like Azure and Amazon, not only do we have our presence there, but we are integrating very well in the true cloud to cloud integration, which is really the future. We also released a new capability around security assessment questionnaire, which is a new module our customers can buy. It provides them the ability to collect non-technical information as well.
So now they can actually create questionnaires. A lot of them need to work with external vendors. They need to ask them questions, have them answer questions, upload evidence about security measures that they're doing. Now on that same platform with all of the scanning that they do with the agents, with all the security and compliance related checks they do, they also now get the ability to purchase from Qualys this capability where they can now send out questionnaires to internal stakeholders, to their vendors, have them review those, upload evidence and then provide a way to track all of that in a single place. I'm going to give a quick demo of the capabilities around AssetView Threat Protect.
Okay. So hopefully you can see that. So this is our if you our customers are logging into Qualys now, they used to have vulnerability management as the solution that they purchased. Now when they log in, they get to look at and switch between and buy off of the same platform multiple different solutions that allow them to fulfill different compliance and security needs off of the same single platform. Today, if you look at the various things that are already available all the way from web application scanning, Threat Protect, AssetView, compliance, PCI, all of that off of a single platform. AssetView is the new module that we have put in place that allows us our customers to get that instant visibility ability to search across multiple different assets very quickly.
It really is where we have put all our Elasticsearch clusters. We are indexing about 5,000,000,000 data points for our customers today. Those are 5,000,000,000 data points that they don't have to spend money to index on their side. We are doing that already off of the platform. This is enabling them to do multiple different things.
They will really reduce the number of FTEs required to get information out, to get solutions or widgets and applications right out of the box on the platform. Simple use cases like I talked about earlier, they can just go in here across their global assets, a few million assets, they can go in here and say, show me all devices where the manufacturer is Lenovo. So out of the 2.25 2,000 devices we talked about, 6.90 devices are Lenovo and filter quickly further to say only in a particular location. So only the ones are in our India office is 127. So very fast, less than 2 second visibility.
You don't have to actually send out queries to these devices and wait for them to respond and only the ones that are alive will be responding in our model. The data is constantly kept up to date on the platform side. So we're able to go in and do these searches very fast. You can look at that information quickly group by, say, the manufacturer, the model number. So we can very quickly tell our customers across their entire infrastructure, how many assets for which particular model or which particular model is in the environment, how many of them are there.
It's all drilled down. Customers can do simple security use cases, which actually is a very important use case. We see a lot of customers buying Tanium specifically for that. It's just the ability to go and say, show me all devices, CIO, somebody sees or somebody says, I found out that a particular version of Adobe is being actively attacked, how many devices do I have in my environment that have that particular version? They can just come in here and say, for software name, let's say AIR and the version of the software 172 devices exactly in my environment have this particular version of Adobe software installed.
So now very quickly, they can go in here, they can download this very soon, we'll be allowing them a way to create a connector to send this information to ServiceNow, so they can create tickets. So from the point that they are being asked or told that we need to find information, this specific information, it's a matter of couple of seconds when they come into the platform to get this particular view without them having to create connectors and pull this data out in different environments. Of course, we also have the use of for example, here, the other thing that we do a lot is also the ability to consolidate various pieces of information and you will see more with the new things that we are doing, how we are giving customers that global view, exactly telling them who's the logged in user on that particular asset. So you can see that logged in user, IPV4, IPV6 addresses, information about the location information about time zones, model, manufacturer, all running services. You want to find out all devices that have a iPad service running on them.
Everything that I'm showing here in this screen is searchable. They can go and search that. We're bringing all information about user accounts on each system. And again, we're talking about customers, how easy it is for customers who have millions of systems, they can do this in a matter of couple of Somebody comes and says this particular user name has been compromised, how many devices are at risk? How many devices have a user account for this user on them, they can come in here, type that particular username and within a couple of seconds, we're going to give them that visibility, so they can actually make that actionable.
Bringing all network information as they have multiple adapters. Today, a lot of customers struggle with devices with multiple adapters. They only see an IP address on the network. They don't know exactly which device that belongs to. They may be the same device in multiple interfaces.
They can bring all of that together because we are collecting all this information. Everything about open ports, installed software version, so multiple use cases, just want to know how many Word licenses do I have purchased versus how many of them are actually being deployed or I have in my environment. You can come in here and get that information. As you noticed so far, I haven't even talked about vulnerabilities. So we additionally also provide the vulnerability view, of course, what vulnerabilities are on this particular device?
How are these which vulnerabilities do I need to fix first? How many of them are active? Quickly change that view to going between 30, 60, 90 days. So as you will see in the upcoming release, we're bringing even more capability around that. So now when customers need to go and find out on a particular device what's going on, a lot of that information is already being provided to them out of the box in the Qualys platform.
Use cases like I want to find out where are all my POODLE-related vulnerabilities, so they can come in here and say for that particular CVE, show me all the devices. I have 200 devices. I can quickly look at that by, for example, operating system. So now I can not only do I know that there are 92 devices with on the Windows 7 operating system, but I can also go down all the way to see that there's a Hitachi storage array controller that has that particular vulnerability. There's NetScreens that have that particular vulnerability.
And this is possible only because we have taken that approach of bringing agent based and agentless information together in one place. If this was only agent based, then you cannot get information about network devices, databases, things like that. If it's only databases and network devices, you cannot get this view real time on these assets. So as you can see, we're providing this view really snappy quick out of the box and we have done a lot of updates on the platform to be able to provide this kind of functionality. We see a lot of customers doing simple use cases like I want to know which of my machines have a are pointing to a DNS server that is compromised.
All they have to come in here and say DNS IP address, let's say, we take the example of this. Now we're going to show them exactly 338 devices in this environment have that particular DNS server on one of the interfaces. So these are the ones that maybe they need to look at quickly. So all this information is available even if the device is offline, because just before the device went offline, it has uploaded its data changes to the platform. And as soon as the device comes back online, it's going to update that information up into the platform.
Another part that we provide our customers an easy way to create applications, so they can create multiple different applications, which is a collection of dashboards, widgets that they can track different things, maybe asset only. So creating widgets is we have made it extremely easy, very much like how you can do this on Splunk without actually having to pull this information out. We provide a bunch of out of the box widgets already related to asset threat and they can share widgets amongst themselves. But it's very easy to, for example, say, I want to track all my OpenSSL related issues. All they have to go here and say, show me all devices that have an OpenSSL related vulnerability, it's going to be 334.
I say compare with my overall number of devices, I have 16.15%. Now for a better comparison, I'm going to say I only want to look at the ones that actually are SSL related. So what does that tell our customers very quickly? Of all the devices that have an SSL related vulnerability, what percentage are related to OpenSSL? Because now they can say if I patch OpenSSL in my environment, what's the bang for the buck that I'm getting?
And that's exactly 48.48%. If they go and focus on patching OpenSSL, they're going to get this particular thing. They can create tracking capability, give access to a lot of their internal stakeholders. You can say when everything is good for this particular widget, it's always going to be green. But any time that I want I see that that percentage is above 15, which is the minimum acceptable percentage, I can say in that particular color is going to turn orange.
So just like that very quickly in a matter of few seconds, they are able to compare anything against anything and create a very, very customizable widget off of the platform. Not only that they can actually then, what we have done and this is really significant is taken this capability of AssetView, which we have rolled out to all our customers globally. So all our customers have AssetView. We don't charge additional for AssetView if they have vulnerability management already purchased from us. However, that has enabled us to bring a new solution to market that our customers purchase from us, which is Threat Protect, is the ability for us to leverage this Elasticsearch.
And this was done just in a matter of few months, like by a couple of developers, because the platform already has so many of these components that we were able to create a new solution, which is revenue generating for us just with a few engineers and a matter of few months to give customers that ability to say, that's fine, I have all these vulnerabilities, but what is exactly going out there in the wild? What is being attacked? What is it that I need to focus on? What do I need to prioritize? So now they get to see this view. And not only do they get to see all the information that our research teams do in terms of the research, how exactly it manifests itself and all of these things.
But it also gives them the ability to which is probably more important is to basically be able to say how many devices exactly are impacted in that environment. So by clicking on that, they will know exactly the 65 devices in their environment that are impacted by this new attack that is currently attacking Silverlight from Microsoft in the last 24 hours, or there is an exploit kit called Angler or Neutrino and a particular vulnerability is now exploitable in one of those that we noticed in the last few hours. So it gives them that ability to actually go ahead and prioritize their fixes, so they can now focus on saying, within 5 seconds of our research team adding that capability or that intelligence in the platform, we make it actionable for all our customers because they can now go into their email that you cannot really do anything about it. A threat feed that gets sent you an email that you cannot really do anything about it. This is very actionable and this is something that our customers can purchase, again, another derivative on top of the vulnerability management solution.
We also provide enhanced capabilities on top of this with continuous monitoring, the ability for our customers to actually make this even more actionable by being alerted proactively. And this is something that they can another thing where we do a lot of the processing of the Delta and we create alerts for our customers on many, many different things, not just related to vulnerability management. Customers who want to put a simple rule that say, I only buy certificates from VeriSign in my environment. If I ever see a certificate that is not from VeriSign in a given data center, it's a security issue, compliance issue. They want to be alerted.
They don't want to have to go and dig this information every time. It's as simple as them coming here, creating a drag and drop rule that basically says anytime a new certificate is detected in the environment and if that certificate issued by does not contain VeriSign, they click finish. Now they have a rule that actually will send them email alerts or alerts into their incident response system, so that they can actually proactively start getting alerted on that. So we have customers now who are getting better with their vulnerability management program and now purchase up to this particular solution. So can do in addition to just looking at vulnerability.
So as you saw in this example, it has nothing to do with vulnerability management. But because of the sensors, the scanners, the agent as well as the upcoming passive scanner, we'll be able to feed all these
Now I would like to demo some of the new things that are upcoming over the next few months in the changes that we have made. So I showed earlier, so of course, we're going to have this global view as we talked about on a map exactly the assets where they are, you can click on that. But as I showed earlier that AssetView is becoming that one place when they come to find out any information that they need about that particular asset. So now, with some of the enhancements that we're putting in place, our customers will see even more information as they get more solutions from Qualys, as they purchase more solutions from us, they can see even more consolidated information in a single place for that given asset.
So when there is an incident response, like I said, you find that a particular device got a malware alert, you want to go and find out what's the history of this device, what is installed on it, who's logged in user, all of that information. So now not only do they have that the vulnerability view that I talked about, now they also get the Threat Protect view, they purchase Threat Protect. So now they know very quickly exactly on that particular asset, how many vulnerabilities do they have or how many issues do they have that may not even be vulnerabilities that actually may lead to high data loss or high lateral movement or what are the issues on that particular device that have a publicly available exploit that they can look at. We go even a step further to show them that view of saying the patch summary information, so for some reason it's not working. As always, it's a QA platform, so something has to go wrong.
But the patch summary here is going to show them exactly how many patches need to be deployed to fix how many vulnerabilities. So a lot of time people want to prioritize and say, if I apply these 3 patches, that's going to fix 300 vulnerabilities. So they get to see that particular view in this particular way. If they have purchased a compliance solution from Qualys, not only will they know the security issues, they also get to know how am I doing against the compliance mandate that I have. What CIS benchmark, NERC CIP, HIPAA, whatever different benchmarks that I'm tracking against, how many controls am I failing against?
You may have a control for encryption, for example, say, I have 42 encryption related controls that are failing on this particular device. So now you can come in here, the customers can come in here, they can actually look at that very quickly within a couple of clicks, they can see all the details of that particular information saying which exact controls are not working and why are they not working, what's the evidence around that as well.
Let's see if this loads a little bit.
As I'm going to also quickly give a demo of the new upcoming solutions around indicator of compromise detection, around file integrity monitoring, customers who are purchasing that from Qualys will also get in this single view, the ability to see what kind of malware related alerts are being generated on their system as well. So they don't have to go to 10 different solutions to try to consolidate that. So here you can see in this example, you have Zbot that's shown up. We show exactly the information on why this particular indicator of compromise has been triggered. What hashes did we find for those files?
What are the locations? Maybe there's a network connection that that particular device mailed to unknown bad IP address or an activity of suspicious IP address. So we bring all of that information together and show them which of their malware indicators maybe have been remediated, which are the new ones that are coming up. The same we do for file integrity monitoring again in that same view. They can create triggers, alerts on events that they don't want to see certain folders or configuration files that should not be updated, certain directories where no files should be written in a production environment.
So we bring all of this information. It's all drilled down, and I'll show a little bit more in details of that as well. So now early next year when we have this release now customers in addition to all the different solutions will also be able to see file integrity monitoring and indicator of compromise detection capability. So from file integrity monitoring perspective, so this is the new things that we're going to show today, and these are coming up over the next Q1, Q2 timeframe. We'll have this out in beta, and then we'll be going GA as well.
But the idea here is that this is typically what customers buy a completely separate solution for very expensive solutions like Tripwire that they deploy in their systems separately from what they do for compliance, what they do for vulnerability management. They have to have their own agent. They have to have its own console so that it can show this particular view. Now it's all combined with the same agent, with the same console. They can bring all of this information from that same device up into the platform.
They see this view of all the changes that are happening on the system. They can go into the events. They can see all the various events that we are generating. So let me take an example. In this case, if I'm looking September 1.
So we bring all the events that are being triggered on the various files based on the various profiles that they have created. We provide out of the box profiles like HIPAA or like PCI, so they don't really have to go too much into the details of that. But when they click on it, we bring all of that particular file, what host was it on. When I look at the details, it's going to show me all the information about who modified, what was modified and it will also show me exactly what was modified on that particular device all in the cloud platform. If you look at the indicator of compromise solution, again, something we're going to have a beta of in Q1.
Again, this particular solution provides the customers the ability to what typical traditional solutions like CrowdStrike or some of these may offer is the ability to say, show me the hashes of the given a hash, you can investigate a particular system or systems across your environment. You can do that with that. But we because we are proactively collecting information on our side, we can also show customers things that are suspicious, not always something that they have to go and look for hashes by looking at threat intelligence. Things like processes running from recycle bin. We are collecting this information, so we can proactively show it to them. And these are the ones that you need to focus on, because maybe that's not a normal activity.
It may not be a confirmed activity that is from malware, but again, they get that particular view of the same platform. So anything where maybe their antivirus is disabled or out of date, something where maybe something that's running without a disk image. Sometimes an algorithm installs itself, deletes its own file. So if you see a process, so we are collecting and bringing all this information together. We're also doing something very unique with our team in India, which is doing a lot of research around this is there is thousands and thousands of malware signatures generated every single day because of the variance. What we focus on is we analyze the malware and we actually look at the characteristics based on a family.
A lot of times, just like regular developers, the malware developers are also lazy. So they take the same code and they modify it a little bit and put it out there. So the good news is that a lot of the characteristics, even the hash does not match, our research teams are generating IOCs that are based on the family. So we can say, look, typically a malware of this family is going to show these 8 indicators. If we see 5 of those or 6 of those, it's a very good possibility that you have an unknown malware that's a variation that still doesn't have a signature.
So we're also providing that very unique capability around that as well. And of course, we can show all the infected host by location, by particular system, things like that, when they go into investigations. So I have this example here that I have pulled up. FBI puts out these pieces of information around when some new software is being leveraged out there that is malware, so they give these hashes. So of course, the solution can come in here and you can basically go to the events section and just say So there you go, we found a couple of files.
Again, because we already have this information where with our new agent, we are actually able to get collect the information on the hashes upfront in the platform. We're able to go find this information very quickly. So again, we can go look into the details, which show all the information around that. So again, that File Integrity solution is something that is providing that kind of a capability, again, off of the same platform, so customers can look at the various infections. Again, once a customer gets the agent for the free agent, whether vulnerability, whether compliance, trying all these other solutions is extremely easy.
They don't need to go and deploy anything. They don't need to deploy a new console. They don't need to go deploy a new sensor. They can just select a bunch of hosts, and they can actually go ahead and show that component as well. But customers that have the cloud agent, for them, it's extremely easy to do a trial.
We can enable a trial for them to go in there. So all they have to go and say, create a new activation key, for example, and say, any agents that are registering with this particular activation key, what modules are licensed for that? So all they have to come in here and say, yes, these agents, I want them for FIM, for IOC. It's that simple compared to even if you want to do a POC of one of these solutions, you have to spend months getting infrastructure in there, procure, deploy, and that's how easy we make it on the platform to be able to do this. Another key change we're releasing as well is we are also now providing a very important capability around the ability to create trends across the various parameters that they are looking to track.
So coming in the next month or so, we are going to release the ability for our customers to trend on these the pieces of information that they're tracking out of the box. Typically, creating trending information means that they have to set up their own data clusters, their own Splunk instances, their own Elasticsearch instances to then do an ETL process to pull this data, which needs developers, which needs machines. So we now provide this information out of the box. So when they click on that, they can clearly see the trend of what we are tracking on how the particular issue maybe, which is being exploited out in the wild, maybe SSL certs, maybe configuration issues, things that have nothing to do with vulnerability management can be tracking here completely out of the box just by checking a little checkbox saying track this particular widget. Another thing that we have also done is quite a bit of work around I'm going to try to demo the new changes that we have done around the web application scanner.
So the web application firewall, so we're releasing our new web application firewall by end of this year, early next year as well. And that has some significant changes. It really brings the ability to do virtual patching together with the scanner. So today, we have customers that are scanning hundreds of applications with the scanning solution, but they don't have the resources or the ability to deploy expensive firewalls in front of them or developers take a long time to fix that. Now in here, they have the ability to come in and do flow patching very easily directly from the scanner.
They can actually go in and say, if they go into the web application scanner, as they have findings that our scanners are finding for them, we now make it extremely easy and very unique that nobody else is really doing is the ability for them to go and say,
let's see if I can find the next
So if they so here they can actually we will show right here in there that this particular vulnerability is, for example, patched by the virtual patch. So all they have to do is right click here, say install the particular patch. For some reason, I don't see the example that I had in here. But then when they go back into the web application firewall, now they can actually see all the events that are coming up from you can do multiple things based on the specific page, the specific parameter or just things around a particular country or location or IP address. So for example, let's say, we want to go and allow them the ability to create, can you see So how easy it is for them on the platform to create these conditions?
Or they have to say when the client IP address, for example, is coming from a particular country that is in the list of, say, Ukraine. And what is the action? You want to say the action will be, say, let's say we want to drop the particular package. So that's it. Within a couple of seconds, they're able to create a rule very quickly about a parameter, about a particular location, many different things, headers.
And now this is how we are again making it extremely easy for them to be very nimble and fast with their security and compliance, so they can come in a single platform and do all of this together in one particular place. So a little bit over my time, but going back to the presentation. So a couple of quick things. I will talk about just essentially talking about the enhancements that we are going to do. So Q4 2016, we are launching the relaunching our WAF solution with all of the new updates.
Q1 of next year, we're planning to have betas of the file integrity monitoring solution, indicator of compromise solution. We are also coming up with a new solution for SSL audit or certificate audit. So this is something that customers today have to buy and deploy Venafi, which requires scanning or an agent, which Qualys already has. So we can now provide the global inventory of all the digital certificates and also create alerts on that. We also have the ability to do in Q2, we'll also have the betas for patch deployment as well as the passive analyzer.
And then in Q3, we are looking at another very unique solution, which is which we call as the CloudView 360 is going beyond just virtual machines, collect information, leveraging the APIs that cloud providers provide like Azure, Amazon and bring all that information into the Qualys platform. So across multiple clouds, VPCs, they can actually see how the resources are behaving, what are the groups that are well defined, what are unique advantage will be that we also have the information on the actual a platform, which is a single platform that is providing multiple different solutions to our customers. We already have we already provide a bunch of solutions, and we will be providing a few more as we talked about, and more are to come later in the next year as well. Okay. Thank you very much. Jimmy?
Thanks, Sumed. Right now, we'll take 15 minute break. So if everyone can return to their seats by 10:25, that'd be great. Thank you.
Hi. We're ready to get started. So if you can please take your seat.
Good morning. My name is Amar Diba. I'm the Chief Commercial Officer for Qualys. And I'm going to quickly go over our go to market strategy and execution and how we sell our services on a global on worldwide basis. The platform that Sumedh and Philippe had talked to you about allows us to enable our customers with a cost effective service across all market segments.
The way we approach our market is through these 4 different categories, starting with the enterprise, 5,000 employees and more; the small, medium enterprise between 250 and 5,000; the SMB, which is below 250,000; and the consultants. What's unique also about our offering is that we package the platform separately for these different categories. So the product comes packaged for the enterprise with enterprise features, enterprise capabilities, different than the SMB market and different also than the consultants, which we recently upgraded and provided a lot newer capabilities and then better packaging and pricing so we can be very competitive in that marketplace. All these packages, basically, we take them to our customers through either direct model or through our channel partners. You see the split now right now between direct and indirect is approximately 60% to 40%.
This is based on 2015 revenues. And we're maintaining approximately the same numbers in 2016. The difference really, volume is coming more and more through the channel, but we're doing much larger direct deals. That's why you see the difference right now around 60, 40. On these partners list, there's a couple of new logos here that are quite important also, and I'm going to talk about them individually.
NTT Security, we signed them recently as well as with the Hewlett Packard Enterprise, which we announced last week, their managed services, converting their offering and moving it completely to our platform. Our partners, we divide them into 4 main categories: the managed service providers and the telcos, the outsourcing providers or mainly delivered through remote from their remote locations either in India or various parts of the world. The value added resellers, which also we'll go into detail into that and the consultants and auditors. Really the platform is just kind of it's a highly attractive model for our partners simply the way because the way we deliver the services and the recurring revenues we allow customers to make that on an ongoing basis. Starting with the managed service providers, as you can see from the Magic Quadrant, we cover pretty much 80% of them and the rest are going to come soon, hopefully.
We allow these partners immediately to provide a recurring revenue model into their managed services, fully integrated into their offering. So our VM services, policy compliance, web application scanning, the agents, all of that fits into their model and they deliver it automatically as part of their managed services offering with 0 CapEx and enables them to do these higher recurring margins, not just kind of on an ongoing basis and to provide value added services on top of that. So as I said, NTT is new here on the list and HP is new, and we continue to expand and that market for us. The global outsourcing providers, this is also becoming a very strategic channel for us simply because of their outreach and the ability of the automatically. We uniquely support their business model with 0 CapEx capabilities.
We give them the high margin recurring services. And we work with very well with their environments across public cloud, private cloud, co located data centers. And they can access the service and provide services to their customers remotely, which fits perfectly into what they're trying to do. We have all the leading outsourcing providers as partners with us. They sum, they deliver, they resell the services fully integrated with their offering or they bundle other services around it.
And customers.
And customers, of course. So the value added service resellers, this is basic particularly are very helpful for us in the SMB market space and internationally. So they're typically small consulting houses or security firms that are moving into managed services and want to do more with our platform. We also give them a high margins recurring revenue stream with 0 CapEx. We have over 600 of them worldwide, and we have very good relationship with a lot of them, Optiv here in the U.S., GuidePoint and some of also in the federal space, they're a big channel for us.
Moving into the consultants and auditors. We have a very unique very unique offering for the consultants. They let most of them they leverage the platform to provide pen testing services and consulting services to their clients. So we help them kind of go into their client base and provide these services either through it could be interconnected systems to the Internet or in some cases really gapped environment, air-gapped environment and we support both of them for them.
But what's unique for us with the consulting market is they really give us building they help us build mindshare. So they go into their customer sites, they provide the engagement, they do it and sometimes they leave the product behind. So if the customer wants, come back and they can purchase the product directly from us or through some of these consulting partners who are also value added resellers. We have over 1600 consultants worldwide and it's a growing business for us. We recently expanded our offering so we can be more cost effective for them and give them better capabilities to perform these engagements for their customers.
The way we market the product is really the try and buy model. So across the board, any of these Qualys services that Sumed had showed you earlier, you can sign up online, you can try them yourself before you purchase. We give you a number of avenues and free, we call, freemiums or free tools that will allow you to access them very quickly through our website or from our partners. AssetView is the latest addition to this set of free services. Anyone can no matter how much how big is your network is, you can download AssetView and have it for free.
FreeScan is one of also the highly rated free tools on the Internet for running a free scan in your environment, but it would really allow you to test drive our entire suite from all the product tools that we have there. And SSL Labs, if you haven't used it, you should try it. It's really becoming the authority on the Internet for testing SSL and TLS. And we're also all these capabilities, you can try them as a freemium or you can also try them as a free trial through our platform. And from there, we convert the customer from a freemium to a free trial, and then they become a customer.
And all our partners have access to these free tools, so they can run their own marketing campaigns and then generate leads for their sales teams. Now I'd like to cover just a few customer case studies to show you how the platform is used and really our competitive advantage, starting with a leading software company, one of the largest, one of the top 10 in the world. They just had a bunch of legacy tools, all built in, homemade, lots of people trying to put it together to make it work, very complicated, heterogeneous environment that they needed to secure on an ongoing basis. They started a pilot with us in 2004 on their publicly facing Internet systems, and they moved into the internal scanning starting in 2009. As of last year, we have basically 3 PCPs in the platform.
They're doing over 2,000,000 IPs on vulnerability management using the regular scanning and the cloud agent. They're scanning using WAF for over 2,000 apps and policy compliance. Huge scale, really, we're the only solution that can work at that level and work at that scale. The next one is a leading U.S. health care organization.
Also same day, they kind of we helped them build a successful vulnerability management and web application scanning program. They were all before doing it using consultants, very costly and expensive and not continuous. They started with a small deployment in 2010 and expanded both on VM, on web application scanning, and now they want to deploy it into all their retail stores and provide that visibility to the ward. We see more and more of that through our customer base. And of course, they're all lots of excitement about the cloud agent, and they all want to try that also for their policy compliance pilot.
From a managed service provider's perspective, this is one of our largest MSSPs that uses platform. They had built their own solution using a competing product. It was costly, expensive. They couldn't maintain it and run it and operate it themselves. They transitioned to us in 2011.
We really enabled them to transition their entire customer base over to us and they launched new services with very little investment on their end using the VM product, policy PCI, policy compliance and web application scanning. They refocus all their energy, all their tools on reselling the product, integrating it into their MSS offering it and providing it to their customers rather than building it themselves. And now they're looking to deliver the new services, including the agent, the cloud agent, Threat Protect and our FAQ. The last case study is one very recent MSSP we recently signed. Also, they had an outdated program for VM and PCI and policy compliance offering.
They were using a competing product too. So they transitioned to us. We enabled them to move their entire customer base over. We're training them, getting their sales force up to speed and then helping them refocus their resources on reselling both VM and policy compliance services fully integrated into their managed services offering. And with that, thank you for your time.
And now I defer to Melissa. Thank you.
Thank you, Amar. You heard from Philippe, Sumed and Amar how we are uniquely positioned to capitalize on the move to the cloud as well as the trend to consolidate. What I'd like to cover is a quick overview of the multiple drivers of revenue growth, the highly profitable implications of our operational model, as well as new metrics to highlight. What I want for you to take away is that we see a real opportunity to accelerate growth, enhance our leadership in cloud security and expand margins in the future. For those of you who are new to our company, we offer our solutions through a SaaS subscription model.
We bill our customers upfront for their annual subscriptions, which is very attractive from a working capital perspective. We have a few customers with multiyear contracts, so our effective average contract length is a bit more than a year. As Philippe discussed, we have a large global customer base with no customer concentration risk. When you aggregate notes, approximately 14% of our customers are from large enterprises, 41% of the top 500, 33% of the top 1,000. However, because our enterprise customers do larger deals, conversely, they represent a larger share of our revenues, representing approximately 73% of revenues in the year to date period.
Amar spoke to you about our go to market and having a roughly 60%, 40% mix of direct to indirect is another factor that balances our business and provides us with sales leverage. We compete in a large and growing market. We estimate our total addressable market at $3,600,000,000 growing to $6,000,000,000 over the next few years, an 11% compound annual growth rate. However, on a historical basis, our revenues have grown 22% over the last few years and in the year to date period. Our growth is organic as the company has not made acquisitions.
The reason for our strong organic growth is that the company has innovated both around vulnerability management solutions and other security and compliance solutions. When I joined in May, I heard questions about vulnerability management market growth and our ability to sustain our growth rates. And what I've unpacked for you on Slide 64 is that one reason we have outperformed the market is the additional vulnerability management related solutions we've rolled out. And so you can see here that the core vulnerability management solution, which used to be 83% of revenues 3 years ago, is only 74% year to date. On Slide 65, we show the revenue growth of vulnerability management together with its newer related solutions, continuous monitoring, AssetView, Threat Protect and the Cloud Agent and our other security and compliance solutions together, which are about fifty-fifty policy compliance and web application security.
This is the segmentation we plan on using going forward. It includes all products grouped together in a manner that we believe most closely resembles our business with scanners allocated across revenues. Both these groups have continued to outperform their markets. Revenue from vulnerability management solutions grew 20% in the year to date period and other security and compliance solutions grew 27% year to date versus IDC's estimated market growth in 2016 of 13%. Our strong revenue growth has been driven by new customers and to a greater degree expansion within existing customers, which is a key element of our strategy.
You can see that since 2012, our revenue growth has accelerated at a faster pace than our customer count. And this is due to the powerful up sell opportunities we have with our customers. We get many of our customers young and we grow them. And in fact, our net dollar expansion rates have been consistently over 100%. We expect the increased breadth of our solutions to increase our ability to win new customers and displace others because they provide meaningful savings by reducing infrastructure, operational and maintenance costs.
We're proud of the large customer base that we have built. But when you compare it to the potential universe of customers, we see significant opportunity for increased share. Our estimate is that we have only 3% of global enterprises and 1% of global SMEs and SMBs. We also see the opportunity for additional revenues in our existing customer base. Even within our existing customers, we are not fully penetrated in terms of number of critical IPs that could be scanned.
You can see on Slide 70 that there's also meaningful opportunity for further penetration of our current solutions with only 29% of our customers having web application scanning subscriptions and only 8% with policy compliance. We see the opportunity for both our vulnerability management and policy compliance solution revenues to grow with the adoption of Cloud Agent. For greenfield opportunities like the endpoints, all the revenues will be additive. And for traditional deployments, we generate an approximately 20% uplift to the underlying vulnerability management or policy compliance subscription. We're seeing good momentum with 1,300,000 paid agents over the last 12 months, but we see that as more of an indicator of a demand rather than a driver of significant near term revenues, given that it's early in terms of greenfield deployments.
We also have the opportunity to accelerate the growth rate of our web application security revenues with the release of our web application firewall that Sumed talked about, which provides our customers a remediation tool. Slide 71 shows the customers with the most spend on new services, and I'd like to point out 2 things. One is you'll see that spend is higher with existing most of the newer services spend is going towards the cloud agent. The power of our platform model, which drives upsells, can be seen in further detail on the next few slides. We shared that the percent of enterprise customers who have bought 3 or more solutions has risen to 23%, up from 18% a year ago.
We focus on enterprise customers because while we sell our platform cost effectively to the small customers of 50 employees as well as large enterprises, we expect to see additional solution uptake more pronounced in our large enterprise customer base. And this additional solution uptake drives a meaningfully higher spend. For the year to date period, the average spend of an enterprise customer with 3 or more solutions was 82% higher than customers with 2 products and over 3 times that of customers with 1 product. And it's also driving increasingly larger deals. Since 2012, we've seen a 22% compound annual growth rate in terms of a number of customers with deals larger than $100,000 and the underlying revenues of those customers has more than doubled.
We expect this to only increase with our new solutions. While we haven't finalized pricing of all of our new solutions, we believe that today for a customer who spends $1 on VM, the dollar opportunity inclusive of all of our upcoming solutions is more than 5 times that. Now the reality is our customers spend thousands of dollars on vulnerability management with us, so the opportunity is multiples of that. The benefit to our customers is greater security in a scalable cost effective manner and to us additional revenues and stickiness with our customers. Our ability to land and expand is one contributor to why we enjoy industry leading margins.
Our operational model, whose foundation is an organically developed platform, has significant efficiencies in R and D and sales and marketing. On the sales and marketing front, as Amar discussed, our cloud platform enables prospects to try and buy generating sales at a lower cost than on premise software companies. We have a unique sales force based on technical account managers, we call TAMs at Qualys, who we partner with our new business reps. These TAMs stay with the client post transaction to provide continuity to the customer. They manage all renewals and upsells, so you can imagine that the incremental cost of additional revenue trust is very little.
We get these TAMs from our customer base and they're successful because they know our market, they know our product and they know the challenges in deploying different solutions. They make more money working for us, but we benefit because they're less expensive than a traditional enterprise software sales force. Adding to this, our channel partners drive thousands of customers to that much overhead. These factors create significant sales leverage with our 2015 revenue per sales and marketing head over $1,000,000 as compared to a median of approximately 540,000 for comparable security and SaaS peers. On the R and D front, Qualys has created an extremely efficient architecture.
We have one code base which we use for all of our customer segments from SMB to the enterprise. We have reusable modules which easily enables us to add products quickly. Philippe also discussed we have built a large operation in Pune, India with at the end of Q3, 44% of our R and D customer operations customer support and operations employees based there. Philippe also mentioned we actually went in search of great talent, but we happen to find great costs too, which is a key element of our model. And by having a strong operation there, we can innovate 24/7, which accelerates our ability to develop solutions for our customers.
These drivers are why we've been able to increase margins so significantly. You can see that the company's EBITDA margins increased from 15% in 2012 to 34% in 2015, a 60% compound annual growth rate and operating cash flow margins from 24% in 2012 to 40% in 2015, a 40% compound annual growth rate. Let me share now a few thoughts on our outlook. We are reaffirming the Q4 2016 and full year 2016 guidance that we provided on our earnings call a few weeks ago. We have guided to revenues in the range of $51,900,000 to $52,900,000 for Q4.
We currently expect that our year over year revenue growth rate in the Q4 will be understated by about 50 basis points because the negative impact of FX is expected to outweigh the positive impact from the MSSP contract. Our current deferred revenues are impacted negatively both by FX as well as by the MSSP contract and we expect that impacted our Q4 current deferred revenue growth rate to be between 5006100 basis points. Our full year 2016 revenue guidance is in the range of $197,600,000 to $198,600,000. Q4 GAAP EPS guidance is in the range of $0.06 to $0.08 per diluted share and $0.16 to $0.18 for non GAAP EPS per diluted share. We expect our expenses to sequentially increase in Q4 as we are investing for the rollout of the additional solutions. Full year GAAP EPS guidance is in the range of $0.41 to $0.42 per diluted share and non GAAP EPS in the range of $0.79 to $0.80. Regarding our 2017 outlook, we will provide more specific thoughts on guidance as we always have after we report Q4 earnings.
Directionally speaking though, I'd like to highlight that we currently expect our year over year revenue growth rate in 2017 to be understated by approximately 300 basis points based on our current FX forecast as well as from the absence of the one time bump in revenues in 2016 from the MSSP contract. We're excited about the upcoming solutions, but given our ratable revenue recognition model, we do not expect them to have a material impact on 2017 revenues. We believe that we'll see increasing adoption over the course of the year, leading to an uptick in bookings in the second half. We see a real opportunity to sustain and even accelerate our revenue growth rate over the next few years, especially given the Trojan horse nature of the cloud agents. But let me caution you that the growth may not be linear as the pace of adoption of new solutions is not easily predictable.
Given the opportunity we see for these new solutions, 2017 will be another investment year to ensure scale and capacity to support our growth. We anticipate purchasing more servers and storage for the platform as well as hiring across all functions, although the majority of hiring will be in R and D. In terms of what that means for margins, it's too early to provide direction. We're in the midst of our budgeting process, which we approach with a view towards balancing growth and profitability, and it's also dependent on our 2017 revenue expectations. It's important that you know that our company philosophy has been to not spend ahead of growth.
However, we see a real opportunity to accelerate growth, enhance our leadership model and expand our margins in the future. We believe continued innovation is the engine that drives greater customer adoption. Rather than present a 5 year model, I'd like to underscore our view of the leverage in our operational model by reminding you what Qualys has already achieved. In 2013, Qualys crossed the $100,000,000 revenue mark. And thereafter, the incremental expenses associated with generating incremental revenue significantly declined from 78% to 19% over the next few years.
When our new solutions scale, we believe we have the opportunity to see additional margin expansion since our costs associated with additional revenues at scale is rather low. This is the scalability of our unique platform model and why we enjoy industry leading margins as compared to both SaaS and security peers. In summary, we believe that Qualys is a unique investment opportunity because of our competitive positioning and cloud security, our multiple drivers of revenue growth and our scalable operational model. By virtue of our integrated platform and its evolving breadth, we believe we can offer our customers greater visibility, security and compliance at a much lower cost than on premise solutions. But you don't have to just take my word for it.
We have Mark Butler here to give you a customer perspective. Mark Butler is Chief Information Security Officer at Fiserv. Mark has over 25 years of technology experience managing enterprise information security functions, delivering security consulting services and enabling security solutions at a number of companies, including Fiserv, H&R Block, IOActive and DEPS Security. As a CISO, Mark focuses on establishing the right financial investment to provide the needed visibility to take risk informed actions to protect the business. Mark supports and actively partners with executive management, IT, risk, business leadership and legal counsel to provide security visibility into ongoing and new business opportunities.
And here's Mark.
All right. Thank you so much. Everybody hear me? All right. Thank you.
I'm going to give you a little bit of history. So if you've been around the security industry, if you've been involved in the security industry, if you're obviously looking and investing in the security industry, the security industry is obviously the best place to be for lots of different reasons. But the historical approach that most enterprises, most environments have taken have been go choose the best product you can find for a particular purpose and choose that one, right? And so there's been this best of breed strategy to choose the best product for the best point solution and deploy it. And there's been a heavy investment over time in best of breed products, point solutions, let's go find the best product for a particular use case, a particular opportunity.
There's been a defense in-depth design, defense in-depth architectures. So the defense in-depth concept is if an attacker gets through one layer, they will likely not get through a second or a third or a fourth or a 5th, etcetera. So defense in-depth has been the architectural design paradigm. The marketing engines and the product teams, etcetera, in the security industry want you to think that their product is as close to the silver bullet as possible, and they are the one solution that you need and the one solution that you must have. And then there's been a blend of people, process, technology to pull off investments, capabilities, solutions, in a particular environment to deal with the risks of that environment.
So this is all historical approaches of companies, enterprises looking at how do we deal with information security, how do we deal with our risks, how do we manage our environment, right? These are all the historical approaches. So where has this approach taken us and what was the outcome of this approach? There's been too many best of breed solutions and too many by the fact that we've had very high quality, we've had very focused and very targeted solutions to meet a very particular use case. And while they may meet that use case and may meet that requirement, they're not integrated.
And the integration story is very important. Fiserv has 36 security vendors, and that could be 50 plus if we hadn't have managed it proactively. So when you look at the number of security vendors we have, the number of security solutions we have, the scale, the complexity, the data management, the work that a security analyst has to do to figure out what is going on in our environment across network endpoint, identity management, analyzing traffic, looking at threats, etcetera, is a daunting task. So from a management structure and a vision and a strategy standpoint, the integration piece is a byproduct the lack of integration is a byproduct of these best of breed solutions that are not talking to each other. They're not integrated on the back end and the data isn't converged.
So that's a big point here. No silver bullet solution actually does exist. So that's something that marketing engines like you to try to reach and attain, but there is not one master solution for every particular use case. And we have disparate people process and technology integration. So this is the result of the historical approach that enterprises have taken, that the information security marketplace has kind of modeled their products and selling around.
And this is a reality that every enterprise deals with. What I'm seeing in the security industry landscape is there's more and more specialized vendors coming out, popping up, as being established. And there's reasons there's very specific niche vendors. There's a reason that they're created, there's a reason that they're invested in, there's a reason that they're putting a niche product out there is because there is a need for it. There's a lack of orchestration.
There's a lack of integration across the solutions. The data is the most important element of any solution. The data represents identities. The data represents assets. The data represents traffic, the data represents a potential valid transaction or a potential breach.
So the data integration on the back end is a huge piece that most organizations underestimate until they try to deal with the volume of data. They try to deal with the analyst view of the data and they try to take timely responses and timely action based on that data. So what you'll see in the industry and Qualys is a great example of this, of heavy investment in integration, heavy investment in APIs, heavy investment in the ability for the solutions to talk not only to other components of Qualys' solution but outside, right? So when Qualys talks to ServiceNow for ticketing or Qualys can pull in additional threat feeds from additional vendors, right, there's that integration piece is critical because every time there's an integration, there's one less manual step that a human analyst or person has to do and possibly could miss something from a process standpoint. So a little bit about Fiserv.
So Fiserv processes transactions. We provide solutions to financial services, industry, regional banks, large banks, credit unions, broker dealers, etcetera. From a Qualys standpoint, we do not have the biggest environment out there, but we do have a substantial environment. We scan about 200,000 IPs. That's production assets, certification environment assets, any type of assets that deal with transaction, money movement, settlement, ACH, person to person, etcetera.
We have 140 on premise scanners. That's a large footprint. We have 42 data centers. We will be getting that down to a single digit number of data centers over time. But from a footprint standpoint, that's what we have.
The way we cover our environment is we scan an entire network range. So whatever assets are on that range, we scan the range. So if one day there's 100 web servers and the next day there's 150, it doesn't matter. We cover them all. And we use authentication as well to make sure that we're logging into the box, we're getting authenticated traffic back from the host and we're getting additional quality of data from a vulnerability standpoint.
We file 42 PCI reports on compliance. So if you're familiar with the PCI ROC, we file 42 of those annually. That's a huge effort. So Qualys is a great foundational piece for us to not only say what kind of vulnerabilities do we have, what are the highest risk vulnerabilities, what business unit do those assets belong to, which PCI ROC do they relate to? When where is my last quarterly scan?
Have I addressed issues out of my last quarterly scan and is that scan attested, right? So there's a huge support ecosystem that Qualys provides to us just related to our PCI ROC filings. This third bullet item, private cloud. So Fiserv is a service provider to financial institutions. We leverage the public cloud for very specific use cases from a corporate standpoint.
We do not leverage the public cloud for transactional environments. We build our own private cloud for that. So this is something we're working with Qualys on heavily is the paradigm of a highly virtualized data center is a dramatically different operating environment than a traditional data center. So the new generation of data centers are fully virtualized from the network all the way up to the applications. And there's a different way to look at vulnerabilities.
There's a way to look at different way to look at assets, hosts, virtual machines, traffic management, etcetera. So this is a what is a typically a greenfield opportunity from a build out standpoint. It's a different way to look at risks, a different way to look at traffic analysis, it's a different way to look at host level scanning vulnerabilities, etcetera. So this is actually a very exciting area. It's something that we will continue to heavily invest in.
But the opportunity is the traditional approach of putting all of your controls, all of your agents, all of your configuration monitoring on a server, which relates to a physical asset, all of that's virtualized. So there's going to be efficiency gains based on how we look at that traffic, how we analyze it, how we risk that it from a container, a compartment, etcetera standpoint, which is a group of elastic services, which are running within a defined set of boundaries. So from an investment standpoint, we use policy compliance, we use vulnerability scanning, we're going to be piloting the file integrity monitoring product, which is coming out. We've deployed the agent and we are very excited about the Threat Protect capability. So Threat Protect allows you to say, okay, if I have 100,000 vulnerabilities in my environment, these are the 10 that I really care about.
Go take care of these 10 and then we'll figure out what the next 10 is. There's a huge fatigue factor in vulnerability scanning, vulnerability reporting, vulnerability routing of all those tickets, all that work stream, all the downstream work efforts and how do you prioritize what should you really care about and what do you have to fix. So Threat Protect is something that we looked at internally to say how could we do a custom scoring model and we figured out that we could build a custom scoring model, but we would have to defend it to auditors. We would have to maintain it. We would have to tweak it, we'd have to adjust it, etcetera.
What Threat Protection gives us is an industry referenced model to say, are these vulnerabilities easily exploitable? Are they remotely accessible? Are there active exploits occurring? So it gives us that 3rd party external objective view to help us prioritize the 10 vulnerabilities versus the 100,000. So Fiserv's security strategy.
So if I go talk to a business leader, I'm going to say, I want to obviously optimize my spend, that's a given, right? So my financial investment needs to make sense, it needs to be justified, it needs to be the least amount for the given capability I'm trying to realize. Risk visibility is a key priority and then data analytics. So if you look on the left, you'll see goals and then on the right, you'll see outcomes. So obviously, we want to realize value from our investments.
We want to prevent risks. And in the security industry, you'll see a lot of pendulum swings between detect, respond, prevent, right? So prevent what you can. If you can't prevent it, detect it. If you and if you detect it, respond as quickly as possible.
And then there's this simplification of our environment. So with 36 plus security vendors, we're trying to get down to a manageable number, which reduces the number of vendors we manage, reduce the number of interactions we have to do from a supplier risk assessment standpoint. We want to collapse our data sets on the back end. We want to integrate with our SIEM solutions, with Splunk, with Palo Alto Networks, with pick another vendor, right? The integration strategy, the integration story is huge because every single vendor we have has a different portal, a different management dashboard, a different report engine, etcetera.
So these are our high level security strategy goals and outcomes. So from a business standpoint, what I get asked about on a regular basis is, are we spending money in the right areas? Are we spending money in the right way? And are we addressing our risks from an adequate inadequacy standpoint? So what we've done is we've looked at 11 core domains and there's different ways to look at this.
You can have 5 domains, 20 domains, etcetera. We chose 11. And what it gives us is a model to say, okay, let's say somebody in a business unit wants Tanium, for example. Okay, well, why do I want Tanium? I want visibility.
Well, why do you want visibility? Because I need to manage my assets. Okay, that's a great use case. How else can we do that? Do we already have an existing vendor that does that?
Do we already have an existing relationship with a vendor that does that? And does Tanium give us anything unique that will close a gap that will justify the investment, right? So this whole model is it's not to put in a governance structure in place that stops anything. It's to put a governance structure in place that aligns the investment close a real gap that's documented, noted and we need to prioritize it. So this is a spider chart.
You'll see the 11 areas of focus here. You'll see all kinds of topics here, right? You'll see physical security, you'll see identity, you'll see network, you'll see analytics, etcetera. But this is a way for us to demonstrate where are we at, where are we going, what kind of investment is it going to take to get us from a maturity level of 3 to a maturity level of 3.5 and then who's going to how are we going to align this against vendor investments and vendor capabilities that will help us realize our goals. And all of this relates to the visibility, maturity from an analytics standpoint and then optimizing spend.
So this is something that's been very helpful with our management to say, we have an industry recognized framework, we can map all of these areas to a set of controls on the back end, which are NIST related. So if anybody wants to get into details, there's a whole spreadsheet behind this. And we can say where are our gaps, What are the most important priorities to mature? And then what vendors can we use to help us there. So we're on a journey just like everybody else.
We've assessed ourselves against these 11 core domains. We're aligning our vendor relationships with who can help us simplify, who can help us collapse, who can help us get better data visibility, risk visibility and take timely actions. And so one of the exciting things about Qualys' direction, Qualys' product roadmap. We're not pushing our vendor, in this case, Qualys, to kind of see the light at the end of the tunnel. They're actually ebbing and flowing, right, with us to say, we're building out Threat Protect and we were doing something internally similar, right?
They're building out agent views. We were looking at other agents to accomplish the same things, right? So there's this ecosystem of Qualys pushing the envelope, us seeing that need, looking at alternatives at the same time and being able to come together and blend our investments, our projects, our portfolio initiatives with their product roadmaps. So we don't have to duplicate efforts and we don't have to spend time creating something that's already on their roadmap. All right.
I will be glad to take questions and we can go from there.
Okay. We're going to change there's a change in schedule slightly, so we're just going to break straight to Q and A right now.
Mark, thanks for coming. Can I ask about the process you went through in evaluating the agent? What was it that you liked about it? How are you deploying it kind of versus when do you stand, when do you use the agent? And then have you looked, have you thought about it for endpoint VM?
Right. So that's a good question. So there's a heavy focus on endpoint detection and response, right, from an industry standpoint. We actually use an agent called Carbon Black for incident response, right, for isolation, for investigation, for forensic type of activity. Where we're using the Qualys agent is to get the visibility that we need that we can't get from the network, right?
So it's to complement the network view of ports, services and protocols, getting the actual host configuration, the actual settings that are configured on the host and blending those two worlds together so we can complete that risk posture. That's where we're focused. And so we're focused on externally facing servers that have web services, APIs, externally supporting transaction services. That's our initial deployment of the agents and then we'll expand them into the back end of the infrastructure based on security zones and monitoring, if that helps. Does that answer your question?
Hi, Sterling Auty from JPMorgan. So with the number of new products that you're going to be phasing in, not only here at the end of 2016, but into 2017, talk to us about the back end architecture, the capacity that you have. Is there incremental spend that's going to be necessary to handle the increased compute loads? Does it change the way that you either store data points that are coming in and does that have any impact on capacity as well?
Yes. So that's a very good question. So it really depends on so there's an inherent advantage built into the being a platform, single platform, where we are organically bringing all this information together. So depending on the solution, so for example, like I said, Threat Protect was something that did not require any additional storage or any additional investment from being able to bring that with just a few developers. We're able to bring that very quickly.
If you look at solutions like file integrity monitoring or indicator of compromise detection, those will require additional investment, a little bit additional investment from us in terms of the storage requirements because it does generate a larger number of events. However, at the end of the day, the event generator file integrity or for indicator of compromise are very similar events. So we get that advantage of actually not having to duplicate and store those events separately as other individual solutions might have to. So there is an inherent advantage built into being able to have that on a single platform. And because a lot of the common modules that are required for these solutions are already present on the platform, the amount of resources we need from a development perspective are not that much.
Typically, we would have anywhere between 10 to 15 developers, QA required to add an additional solution like file integrity monitoring to bring that onto the platform.
Thank you very much. Steve Ashley, Robert Baird. My question is around hiring. I mean, you're about to roll out a whole bunch of products in the coming year, and we've talked about maybe seeing some accelerated growth over an extended period of time. And with that comes a need to add, and I think we've talked about in the past some challenges in terms of bringing on sales reps, especially the hunters.
How do you view that going forward? And how do you see being able to meet that need?
Yes. I guess, in terms of the hunters, as most of you know by now, our sales force is divided into 2 teams, the hunters and the farmers. So in terms of the farmers, which essentially are responsible for renewal and upsell, I think we have really found a good formula. We hire them from our customers. Of course, we cherry pick them those that we believe are the most interested and really capable.
So that's a very good success for us. In terms of the hunters, when we have done that, we have slightly changed our model whereby we're now looking at people who may be less technical, but technical enough because they're SC in the traditional enterprise sales model and become the farmer. So the way we engage a new customer today is to say, okay, we knock on the door, of course, and then we explain our value proposition and then we try to drive them to a proof of concept. The way we said is try and buy essentially. But now today that proof of concept is not going to be done by the hunter, but it's going to be done this is when the farmer brings.
So the big advantage for the customer is that sees immediately the person who is going to be the one who is going to take care of him if or her if of course they selected us. And that now allows us much more flexibility in terms of hiring these hunters because in the past we're looking more at people who could also do the POC. So that was restricting our ability to hire hunters. So I'm very confident we are now today looking at expanding essentially our hunter sales force rather than the farmers, which I think we're pretty well equipped at the moment, especially that we leverage more and more the farmers as well. Does that answer your questions?
Craig Iann Kurpas from First Analysis. For Mark, I wonder if you could just help us think about consolidation and how you weigh the quality of security you think you're going to get from 1 vendor delivering 10 or 15 solutions. How do you weigh that versus just the whole traditional best of breed approach that you talked about? How do you get comfort that what you're consolidating to is going to meet what you need for regulatory and internal requirements?
Yes. So every time we talk to one of our clients and they're obviously the biggest financial institutions in the U.S., if they if we come to them and say, hey, here's our security stack and here's our list of vendors and they've never heard of it and they've never heard one of those vendors, they're going to ask questions, right? So there's an industry reputable piece of it, right? There's a vendor supplier risk assessment process, there's annual process that we go through to say, is somebody at risk of being acquired?
Is somebody not performing. So from a services delivery performance, etcetera standpoint, we have a very rigorous vendor and supplier risk assessment program. Cisco basket, right, for example, or all of our eggs in the Palo Alto basket or all of our eggs in some other basket, right, there's risks associated with that, right? So what we have to have is confidence from a roadmap standpoint, from a vendor performance, etcetera, and there's no ultimate guarantees 5 years from now. But you have it is an sign up, install the agent, turn it on and assume everything's good, right?
You have to have an active management program with the vendor, lockstep with them. And that's something that a lot of enterprises, they kick off a project, they implement a tool, and then they assume the operational pieces are going to be solid enough to address any issues that may bubble up. And a lot of times, the operational transition and turnover needs to be improved, right, to allow quick visibility to maybe an agent that's not performing as it should or it's consuming too many resources or it's doing some behavior that's not supposed to, right? So it's there's not an easy answer to your question, but it's a combination of active management, good operational turnover, where is this vendor going, where are we going and what's that synergy look like. And if there's too disparate of a trajectory, then that's
a very important question that you raised and I would like to add a few comments and Mark if you want to comment after mine. So security as one of the reasons why we started with best of breed is because security at the end of the day, the enemy of security is false positive or negative. It's like an x-ray, if you go to get an MRI, you want to have the quality of the image, so you could have a proper diagnostic sensing and security. So in the past, customers also, the companies were naturally looking, you cannot have too many vendors, it's just not practical. So they were looking at vendor consolidation and this one we saw that binge of the larger companies, the Symantec, the Cisco, etcetera, acquiring best of breed solutions.
And the reason why that strategy failed is because of the architecture of those solutions, which are enterprise software solutions. The problem with enterprise solution is that they all require their own console, their own platform, their own specialty. So having one single vendor trying to integrate all that together didn't really work. In fact, you had Symantec and McAfee, that's what they did. McAfee did a pretty good try very hard from a technical standpoint through EPO to try to consolidate all of that, but still it didn't really work.
Symantec went easy where they just put as I used to say yellow around and say it's all integrated. So what we believed when we started the company in 1999 is that the cloud architecture was the solution to that answer. Why? Because you can put naturally the data into one place. And then of course, it's all about acquiring the data and then you put the data into one place.
And then from there, it becomes very practical to give the security, the compliance, the IT view, all these different view on the same data. And that's what allows us all BT to take significantly longer than I ever thought to that you saw in the demonstration that Sumeet gave us today, that ability to see everything there. Why? Because it's already the data is all in the back end. And that's what really allows us to essentially consolidate, answer the question now today of our customers have.
It's not so much about vendor consolidation, it's about and I think this is what Mark was saying in his presentation, it's about the stack consolidation. We cannot have all these different solutions and then we customers being responsible for that integration of all these different pieces that even designers like Symantec and McAfee could not really succeed, how will the company succeed? So this is where I believe we've reached our point where this cloud architecture now are being the fundamental element to that consolidation of the cybersecurity, which is much needed. Do you have anything to add, Mark? Yes.
You have to have more than 1 vendor and you can't have 100, right? So there's the sweet spot, right? And the consolidation play that a lot of larger vendors have gone down, maintenance standpoint and not continue to innovate, right? And then what are we stuck with, right? So there's a critical piece of why are you acquiring, what are you going to do with that product, how's the integration story within that vendor.
And then also there's a sweet spot from probably a size standpoint of motivated, innovative teams and building something that has not been done before versus acquiring just to acquire and say we have that in a stable, but we're not going to do anything.
Thanks. Bill Choi at Wonderlic. A question for Melissa. I appreciate the additional details you're giving out here on two slides in particular, the newer solution adoption by customers so far. And you see very healthy cloud agent for VM and incremental cloud agent for policy compliance.
When you look 2 pages later, actually maybe a couple more, Page 75 and you show what you think your potential customer spend will be. The bucket for Cloud Agent for the policy compliance is quite big and much bigger than even the Cloud Agent for the VM portion of the business. So just want to get a little bit understanding of what you're thinking there, what's driving that and how people choose the cloud agent for the 2 different pieces today? And then for Mark, just a little clarification on what you said on your use of agents. 1, you mentioned using agents for the external facing servers, which is for the VM component.
And then you talked about file integrity monitoring. Was the file integrity monitoring, where are you deploying that, laptops, servers and is that what you're looking at to replace Carbon Black? Thanks.
Yes. So I can quickly answer the first question. The delta is going to be the fact that policy compliance is already priced at a premium to vulnerability management. So as I had mentioned, we price for traditional deployments or cloud agents a 20% premium to the underlying subscription. So because you're adding a 20% uplift to already a higher price subscription, that's going to result in a higher dollar opportunity than the vulnerability management cloud agent.
Yes. And then there's another element. The fact that one of what has been limited our growth fundamentally of the policy compliance is the fact that the need to do authentication to get the credentials and all of that, which for many companies is really painful and as well as the endpoints. So we could not really go at all to the endpoints. And this is where essentially you see the pharma takes you, etcetera.
So the way we see that it's much more important to help us grow if you prefer essentially the policy compliance position that we have, thanks to the agent.
Yes, the bucket, by the way, is like 6x bigger for the policy compliance than the VM and the cloud is invested. Huge numbers. Is that what you're seeing? Well, obviously, you're not seeing that push customer update now. When does that happen?
Well, as I said, look, we see the opportunity to sustain our growth rate and accelerate it over the next 2 years, but it's early in terms of deployments. And so ultimately, the pace of adoption of new solutions is not easily predictable.
So to answer your question on the agents. So the agent deployments that we're doing right now are for visibility. They're not for incident response. All right. So our Carbon Black footprint is on our corporate space.
So our corporate endpoints, laptops, desktops, etcetera. The Qualys universe for us is in the commercial space. So we're not trying to replace Carbon Black with the Qualys agent. We're deploying the Qualys agent in the commercial space to get that visibility that we need on the facing services that we didn't have before. And we're trying to reduce the agent footprint of other vendors by deploying the Qualys agent.
And so we can do patching, we can do local scanning, etcetera, and get better visibility, if that makes sense.
And to add also, if you look, our agent will, of course, enable us to move into the incident response world as well. So this is more in the 2018 timeframe where now certainly we can do, of course, even naturally once you have an agent, that's why you can do incident response without an agent.
And one of the things we did internally, we have to go through a justification process to get an agent approved to be deployed, right? There's a threshold that we have to meet that says, okay, well, why do we need an agent? How much memory does it consume? What's the consumption of resources on the system?
Do the systems have the bandwidth? There's all these things because we have multiple agents running for antivirus, for asset management, for file integrity monitoring, etcetera, right. So we can't just add an agent just because we want to. We have to add an agent because we get capability that we don't have and we're simplifying and we're consolidating our stacks. So those the requirements.
And to that point, we're very proud of having such a big adoption of our agent, dollars 1,300,000 agent. Nobody would have believed that we could achieve that in such a short period of time, which speaks very well to the quality of our agent, the fact that they are not really they don't take significant bandwidth. They have very little CPU consumption. So the architecture of these agents is really the big differentiator. So and again, they now are enabling a lot of new services.
But just adding to that, I mean, as I mentioned as well, because of our ratable revenue recognition model, we don't expect to achieve a real impact from new solutions to 2017 revenue and that our growth may not be linear as well.
Okay. I'm here for Srinivasanum at Redstone. I have two questions. One is for Mark, one is for Mir. The deeper question for Mark.
Enjoyed your presentation. Just curious, you talked about how you like Qualys because of their integration, how they talk, the various business talk, the guys, but you're also talking with the other vendors. And as they buy that best solution, the point solution in the past, their plans of integration, he gave a couple of examples of like vendors trying to break and something like that. I guess, can you characterize more in terms of the technology fee that Qualys has with their products? I mean, the other vendors, they could start putting their data on the platform and try to get it more of an increase.
I much believe UC Quality has The question maybe more question for Amir is, you talked about the trials for the product rolled out. Just curious what the conversion rates have been for premium? Thank you.
Yes. To answer the first question, Qualys has been leading, I think, in general, right? So when we look at full disclosure, right, we have Tripwire, right? We've had Tripwire for years. They've not innovated their product.
Their product is basically the same as it was 5, 7, 8 years ago, right? We have a project on the books to convert from Tripwire to Qualys. We've already used their policy compliance tool. We will test out their FIM tool. We expect to get cost savings, right, and vendor consolidation and better data management on the back end with ServiceNow integration, etcetera.
That's a good example of we've had Tripwire for a compliance checkbox, but we've not had Tripwire from a security, risk, analytics and response standpoint, right, because it's literally been a compliance tool. We want tools that are not just compliance tools, we want tools that are risk analytics tools, right? And that's why we're moving the direction we are. So I would say Qualys has been leading and continues to lead based on what I've seen. And there's a lot of vendors out there that are hanging their hat on technology that's 10, 12, 15 years old, and they're not continuing to innovate where they need to.
And the reason I will add is that it's very difficult for enterprise vendors, and you saw that with Siemens Suttel versus safehold.com. You cannot release your architectures or all about the architecture. You have to re architect your solution totally. You have a cloud based solution. That's a huge undertaking because not only it takes a lot of money and time, but also you need to have the domain expertise in your company.
And that's why we never saw all the mainframe company, how many of the mainframe company became client server company. That will disappear, but for IBM, which changed their business model. So the same thing is happening here. There's nothing new here.
On the lead side, so we typically on a quarterly basis, we see conversion from overall number of leads to trials. It's approximately 10%. But those that convert to trials, we see over 25% conversion to customers. So our focus is take the lead to trial that we do all kind of nurturing campaigns and syndication and education to the industry. So we convert the lead to trial because that's then we can engage with the customer, a candidate is talking to them on the phone or in person, they have a trial and then from there it goes.
And our sales cycle varies specifically on the SMB side from 60 days to 90 days. And on the enterprise, it can go up to basically 6 months.
Yes. And on the trial also, what we try to do, unlike if you prefer, what your typical enterprise software solution do, is that we try to really ask our customers doing the full trial. Just try completely, just not do a small POC. We don't charge you for it, but try as big as you like. And the reason is because, of course, the inherent scalability that we have, this is our huge differentiator against this enterprise software solution where you need to go and install the software, etcetera, etcetera.
With us essentially, it implies if you do a trial on your Internet facing devices, you have absolutely nothing to install. Now if you want to do the full trial with our agents or without scanner appliances, you have to install them. But with FedEx, the appliance, you 2 days later they arrive, 5 minutes later they're installed. And from that point of view, you don't touch them any more. They are set up daily centrally managed.
Same thing with our agents, you push them, that's if they're installed and then you don't touch them. So that's the big advantage that we have and that's where our model is really try and buy and which of course is very effective on the same front.
And I'd like to add a little bit about you said they can move to the cloud. And as Philippe said, it's not they have to re architect. It's not just going to be take the VM and put it in the cloud. And so a lot of these solutions that we talked about require Symantec ESM. They were built to say one console supports 5, 6, 7, 10000 agents at the max.
And so if you were to move that into the cloud, all you're doing is basically hosting 10 different consoles in AWS. But to actually re architect that, you're going to have they are going to actually go back and say we need to leverage Kafka new technology, we need to leverage Elasticsearch, which is basically redoing the entire back end if you really want to make it elastic and scalable. That's going to be the difference. So while just moving the VM is just going to be easy, but it just really doesn't give any advantage except not having to host it.
Yes, Sterling, you had one question?
Yes, I'll go ahead. Eric Subraman, JMP. A question for Mark. You had mentioned the vendor Tanium. I'm curious if you've evaluated them, thoughts how they might compare to what Qualys is talking about?
And then secondly, as you consolidate more functions into Qualys deployment, what multiple of spend will that generate per endpoint that you're looking at? How much of a markup does that create for Qualys? Then more broadly across Qualys Management, how can we gauge the success of your new products over 2017? Are there any particular products that we should be looking for in terms of a quicker ramp than others? And I think you've said that the revenues may not be too material.
What can we one of the metrics has been the cloud agent deployments, that's been a big help, but what else can we monitor to gauge your success?
Yes, I'll start with Tanium. So Tanium obviously has gotten a lot of press lately and they're very successful. So what we were looking at Tanium for was can we get real time visibility to a configuration status? So does every one of our endpoints have disk encryption, antivirus, DLP agents, Carbon Black agents, software deployment agents, etcetera, right. So our use case for Tanium and we have not purchased Tanium. We've just continued to evaluate it. And I'll tell you why we haven't chosen it yet or haven't chosen it.
We looked at Tanium as can you help us displace one of our existing technologies. Tanium could not do that. They could augment and enhance visibility on top of our existing footprints of agents and software, but they could not displace. And one of our requirements is if we can't simplify and we can't get better visibility and we can't optimize spend, we're not investing in it no matter how good it is, right? So Tanium really has a creative architecture, right, from a peer to peer communication standpoint.
But the use cases that we gave Tanium, they couldn't solve. So an unmanaged endpoint or a client connecting into our network that is not a Fiserv asset, those were our 2 primary use cases we gave Tanium, and they were not able to solve those for us based on their architecture, right? So they can give us visibility, we don't have. They can give us real time status, but we have not chosen them just based on the evaluation what the use cases are that we gave them. Does that make sense?
I think so. I think so.
So as we so I think the simple things that I mean, some of the things that we're talking about, as I showed in the demo, is the real time visibility across the assets and asking all my assets, what do they have? Do they have this agent? Which is basically saying, do they have this service running? Do they have Carbon Black service running? All of that visibility out of the agents that we already have, we provide them that out of the box.
For us, the most interesting conversation we have with Tanium was not only can you give me real time compliance monitoring of all my security controls, can you auto correct all of them in real time? And based on our use cases, we've obviously not selected them.
This is the piece that we that Sumed will have to build. Right.
And the second part
We can build, but again, it's going to take some time.
And the second part, you talked about the unmanaged endpoints. That's exactly what the passive scanning actually addresses is giving that visibility into saying, we don't know what this is, but it's connecting, it's there and this is what it is doing. We bring that into the platform and then you give the ability to say, can I then use this to maybe push an agent or do a deeper scan, turning around and doing that? So that combination of agent based, agent less active scanning and passive scanning will give that visibility exactly the way he is looking for.
And I'll handle the second question. So we will continue to give color on how our new products are doing. In addition to the cloud agent, we've talked about Threat Protection this last quarter. We've added new metrics, such as the percent of enterprise customers purchasing more than 3 products. We would expect to see that as an indicator of progress with new solutions.
And we'll continue to share information like deal sizes and probably add some of the new metrics that we share today that may make sense on a quarterly basis, like number
on the
and a half to 3 times.
Sterling Auty from JPMorgan again. Two questions. The first one is, if I think about Qualys as a 20% plus grower into the future, what does vulnerability management, broadly speaking, in terms of all the products that are vulnerability management, need to continue to do. Obviously, you've shown the chart here, good consistency for the last couple of years, 2019, 20% to 20% range, I think, so far this year. Does that need to continue at that level to have the overall business grow 20% plus? And what drives that? Is it going to be further penetration to the existing customers or is it going to be further new customers coming out of the platform?
Yes. So I think there's actually a number of scenarios in which we could see the mix shift. I think you've achieved some of the other solutions outtake accelerate their growth sets that you see kind of slower on the vulnerability management. We could also easily see vulnerability management staying 20%. And that's because, as I pointed out, these additional new solutions that we've rolled out that are in the family of vulnerability management.
So, continuous monitoring, Threat Protection and the cloud agent. And in terms of what's sustaining the growth, it is these added solutions that are part of related to vulnerability management. So Threat Protect allowing you to prioritize the actual vulnerabilities. That's an easy upsell for someone, the cloud agent. And in terms of momentum, we see a lot of opportunities still with existing customers because as I've mentioned, even with existing customers, we're not fully penetrated in terms of the number of IPs that could be scanned.
But we also see, I mean, if they just if we see significant adoption of ThreatProtect and the cloud agent, that'll drive revenues significantly higher on vulnerability management, recognizing the ratable revenue recognition.
Yes. And I will add one thing also if you just look at the broad numbers. 1, we have 62% of the Fortune 50 as customers and about 24% of Global 2,000, when we are underpenetrated, we are not fully penetrated in the large enterprises, still significant sales within all of our large customers on the VM side because they're not fully deployed. But also if you look at the broader market where the huge deal opportunity to continue with VM. We believe that the BCPA, which is that 1 new appliances, it's significant in countries like in Asia, like in countries where they're not really in the Middle East, where they're not totally cloud centered yet.
So we see still the huge expansion of our VM would be. It's now starting to be a pretty big base. It's only 24% of the market, that's a global market that we have.
And having more and more and more solution oriented, of course, absolutely will accelerate our capabilities.
And just one follow-up. It shows the penetration, 29% for web application scanning, 8% for a policy configurator. So the products that are not kind of VM output or VM expansion, some of the other areas, was it the new products that hopefully will drive the penetration you saw with web application scanning versus the lower penetration?
What we see today, for example, the file integrity monitoring is a no brainer. It's a no brainer. Why? Because we absolutely eliminate significant costs. The cost today is not that, for example, the 3rd party solution is not a good solution.
It is a good solution. But you have to update all the agents on all the different versions of Windows. You have to have hundreds of servers to manage all of that. So we eliminate significant costs, same thing on the policy compliance as well. So that's we see FIM as a significant as a really something which will be a driver.
We also believe our detection of litigation because of the very unique way that we do again. It's very straightforward. You saw that on the presentation of Bob Smith, but only we can do like everybody else, get the hash, but we have also that notion of family and also we have the ability to provide you with the suspicious devices that you want to investigate as well. So this is quite unique at all of Vergaon, already available in the platform. You just have to deploy the agent.
That's all what you got to do. To do that, you're in and deploying agents made it very easy. So we see a lot in the services picking up speed, relatively quickly. And of course, as Melissa said, it takes some time to start to bring that to the revenue, but certainly on the booking side.
That's the question then.
Okay. Yes, Stephen Kouchin with Stephen. That's probably for Sumed or Humbert. So I guess I'm interested in Qualys's place in competing platforms like whether maybe not competing platforms, but a SIEM or CMDB. I still think it's early in the game, but just generally what's the competitive landscape look like there with regards to maybe European solution inside of the SIEM or something like that?
And then what's the pricing monetization strategy for that longer term? And then also, I mean, do you think this could be a material growth driver for Qualys, maybe not in 2017, but 2018, 2019, 2020?
Yes. So very good questions. On the CMDB side, there is the biggest CMDB have is the information being up to date inside the CMDB. And there is no good way that people today have in doing that. And so with our agents collecting information for the CMDB to be able to know exactly what's installed, what's on it and taking that real time is what is feeding and making those CMDBs really much more effective by having that information synchronized.
So if you take the example of ServiceNow with what we did, we actually built a connector that is synchronizing the information that our agents are collecting into the CMDB for ServiceNow, making that CMDB significantly better in terms of the visibility that it's providing. And for us, we charge for that connector in ServiceNow. So getting that Qualys information fed and synchronized into ServiceNow is what we are focusing. So today, we don't compete directly with the CMDB because we don't focus on the capabilities around the management that come with the CMDB. But the core of the CMDB, which is the data that's in there, is something that we are the ones that are keeping that up to date, and that's what we are actually kind of feeding into.
So from today, we see uptake on that. We see our customers leveraging the APIs to update their CMDB. So from a revenue perspective, I don't really see that as a by itself today, but it is certainly a driver. So the fact that as people realize that this agent is also not only is it going to give me vulnerability management and compliance, it's also going to help my CMDB be up to date. That's going to drive even more
To add on, Sumed, also on the SIEM side, the biggest piece that's missing is the asset data in all the SIEMs, and they come to us for that information. So with QRadar, with Splunk now, we're building these native apps, not just to bring vulnerability data, but the most important component is the asset data, which everything evolves around that. So we become the source of truth for all these assets and we keep it up to date and we bring all the data other data around it on the platform, which makes this SIEM a lot better correlation, better analysis, better reporting for the customer. So we're trying wherever we can to get native in all of these SIEMs. So we just become part of the SIEM, a very important component.
And we're also reducing from the SIEM perspective, instead of the way the SIEMs are being deployed today, they're collecting a lot of raw data information putting into the SIEM that increases the cost and the complexity of the SIEM with the Qualys solution providing a lot of this correlation out of the box already in our platform. The information that needs to be synchronized into the SIEM now is much less and much more high value, high accuracy information that needs to go in, which really reduces for example, if we take Splunk, taking every single vulnerability in detection and every time that we detect it and putting in the Splunk, it's significantly higher amount of data that customers have to pay for to index that versus now taking a feed directly from ThreatProtect that says, okay, this is exactly the assets that actually have vulnerabilities that may be exploitable out there is a much smaller percentage and thus they can reduce the data that they need for correlation to get better results.
Melissa, it was Melissa, it was helpful how you can lay it out and you quantified the 3 point headwind to revenue growth from the end of the MSSP extra revenue and FX. Can you help us think about what that means from an EBITDA perspective? Was there much cost that was tied to the MSSP revenue this year? Is there much cost that comes out because of the FX move? Or is it more like a 10 point headwind to EBITDA as we think about next year?
It's there's no cost associated with there's no extra cost associated with the MSSP contract. So yes, I mean, it sort of flows through as you take it out, but at the end of the day, it's going to be pretty immaterial. But again, we haven't guided to margins next year for yet. So it will depend on kind of the overall picture based on revenues and costs.
Okay. We'll take 2 additional questions for the weather downturn. Yes.
And the effect plays both ways. In other words, it hits the top line. But on the expense side, it's positive as well. So wash.
Hi, Jack Andrews with D. A. Davidson. Philippe, it seems to me one of the key themes coming out of your user conference last month was this whole improving your messaging and improving communication at all levels of your organization. And I was just wondering if you could talk a little bit about the specific tactics, maybe on the sales and marketing side that you're going to be employing around that and specifically as it relates to, I guess, improving your messaging at the C level executive?
So essentially, you saw that in fact, I hope you saw that in my presentation already. It's not to have today. I can give you the value proposition of Qualys in one slide, which is that 2 second visibility, the ability to synchronize, of course, the visibility on your assets and synchronize with CMDB, providing you the continuous you have just taken in contrast posture and the implication of compromises and of course, reducing the spend. So essentially, our effort today in terms of messaging, etcetera, is focused around RSA, which is now coming pretty fast, which essentially in the
I think the 2nd week of February.
Yes, the 2nd week of February. We are going to like to see all these demo, you are going to see all that live, etcetera. The product would be these new services probably would be already quite a few maybe better. So this is going to where we're essentially showing, if you prefer, that new image of Qualys that consolidator, if you prefer. So that's one thing.
The second thing is that we're really giving up to bring that messaging to the CIO, as I was mentioning to you earlier. And the big advantage we have with that is that we have we will start that effort, of course, to the CIO for existing customers today. So they could also have a vision that what it sees and we have already embarked, by the way, already that with a few CIOs of our existing customers where we are in fact currently working with them to help them provide that global view of the global IT So it's going to be use cases that we want to break that large corporation, etcetera, is already doing this and this and that with clients. So these are the essence. That's the way we've always done our marketing and our messaging to really have our customers speaking rather than us speaking about.
And so that's what is going to be the thrust. So we're both of the pieces together. It's all about, at our end, really scoring the gamut if you
This is Melissa. Sorry if I missed what your point was on this one slide about getting more leverage on each dollar of incremental revenue, it's gone down to about $0.19 per dollar.
Was it a trajectory?
You talked about investment year, this year, next year. Does that move higher before it moves back down? How do you think about that over the next 2 years of new products, Ren?
Sorry, does what move higher?
There's a chart about expenses to incremental revenue.
Right.
That's been going down pretty significantly down to 2019. I'm just saying over the next few years, if you're in an investment mode, does that go back higher to more incremental or you get less incremental or more incremental over the next 2 years on the spend?
So right now where we are with new solutions, they're not at scale. So that's why you're seeing higher expenses associated with those incremental revenues. As we scale these new solutions, we're not going to need much more expenses because think about think of our fixed costs for running a product is relatively low. It's 15 people on a product, let's say, on an R and D team. So as those scale as those revenues scale, the incremental becomes very low.
But today, we're still in investment here because the solutions haven't scaled yet. So we're at a higher end. That's how I think about it.
Great. That concludes the webcast portion of our Analyst and Investor Day. Thanks, everyone, for joining us.
Okay. I also wanted to thank you very much, very much. Appreciate it for your presence and your question. Thank you very much.