Qualys, Inc. (QLYS)

The 44th Annual William Blair Growth Stock Conference

Jun 5, 2024

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Hello, everyone, and thank you for joining us for our Growth Stock Conference and today's session with Qualys. My name is Jonathan Ho, and I'm the Cybersecurity Analyst for William Blair & Company. With us today are Sumedh Thakar, the CEO of the company, and Joo Mi Kim, the CFO of the company. Before we begin, I'm required to inform you that a complete list of disclosures is available at our website at www.williamblair.com. We'll have the company just give a little bit of an overview of the business, followed by a fireside chat. So I'll just hand it over to Sumedh and Joo Mi to just give us a little bit of an overview of Qualys. Thank you.

Sumedh Thakar
CEO, Qualys

All right, thank you, Jonathan. Thank you for having us. So Qualys, we've, I would say that we are really a pioneer in, started as a pioneer in the vulnerability management space, and today we are, helping enterprises manage their overall cyber risk in their, environment. We started, 20+ years ago, fully as a SaaS solution back in the day when, SaaS was pretty new. And over the years, we have evolved in the space of vulnerability management, and from vulnerability management, being a leader in that space, gone on to, asset management, patch management, cloud security solutions, etc.

And now we are focusing on enterprise risk management that from a cyber perspective, to help CISOs really be able to articulate risk coming from cyber to the boards as well as to their internal stakeholders, CFOs, as well as IT teams. So that at a high level, and you know, we're 100% SaaS, and maybe, Joo Mi, you want to add on our business model a little bit?

Joo Mi Kim
CFO, Qualys

Yeah, our business model, like Sumedh said, is nearly 100% SaaS, subscription-based, and we have about, you know, we used to have about 60% of revenue coming from direct sales force, 40% from channel partners, and more recently, we've been investing in the channel partners, building our relationship with them, and so that has grown to be 45% of our revenue. In terms of the international mix, we have about approximately 60% of our revenues coming from the U.S. and then 40% from the rest, the globally. For us, we've been really focusing on balancing growth and profitability. Last year, we booked 13% revenue growth and then 47% EBITDA margin.

This year, we guided to 8%-10% revenue growth, and then EBITDA margin in the low 40s because we are planning to reinvest, accelerate the investments back into the business to reaccelerate growth.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Excellent. Excellent. You know, one thing that I wanted to understand a little bit better is that Qualys has been working to build a platform of solutions well beyond vulnerability management for quite some time now. Can you help us understand, you know, how the conversations have evolved over time, and where are customers today in understanding that Qualys can just offer so much more?

Sumedh Thakar
CEO, Qualys

Yeah, great question. So I've been at Qualys for over 20 years, really started as a software engineer, and I've been really focused on building out organic capabilities on our platform, and expanding the platform, as you talked about, moving from just detecting VM issues into asset management, being able to help customers actually fix those vulnerabilities, and then also into the space of cloud file integrity monitoring, etc. I think we've done a really good job at being able to get the market to see the capabilities that Qualys has around vulnerability management adjacent capabilities like cybersecurity asset management, which are the same buyer that is buying vulnerability management. We've done a really good job.

I think what we see is some of the additional capabilities that we have are different buyers within the same enterprise, and that's where we are focusing on getting the DevSecOps people to understand the Qualys cloud capabilities, getting the IT team to understand the Patch Management capabilities because they end up being... So as we have grown the platform, the buyers within the customer who are looking at Qualys has also expanded. And so today, I think we have been focusing on awareness.

We are actually also pleased to see that we are getting traction with our newer solutions, like, CyberSecurity Asset Management, Patch Management today are, you know, like, for example, net new business, new customers coming to us are right off the bat, buying those new capabilities in addition to Vulnerability Management that we are known for, and that's growing like 20, that's about 20% of our bookings last quarter coming from these newer products. So I think we are on our way to get the market to see the additional capabilities. But of course, there's plenty of opportunity because we're still at the early innings there to help customers consolidate their overall cybersecurity stack with multiple capabilities from a single solution.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

That makes a ton of sense. We've also seen the traditional vulnerability management market itself has undergone significant changes over the past few years. You know, our discussions with resellers and customers indicate that the market is evolving rapidly into, you know, things like continuous threat exposure management or CTEM. I think that's a term that Gartner has been talking about recently. Can you talk a little bit about what CTEM is and how, you know, Qualys' cybersecurity risk management 3.0 solution kind of fits into that framework?

Sumedh Thakar
CEO, Qualys

Yeah, you know, I think our industry likes to have lots of acronyms, so CTEM is one more of those, but at the end of the day, it's very simple, okay? You get no credit for anything you do if you don't fix the vulnerability before an attacker gets to it. And so the whole point of doing vulnerability management has the three key areas, which is: do you know all your assets? Which almost no organization does. They don't have a good CMDB. Second part is the ability to discover all of your vulnerabilities and misconfigurations. And the third, which is the most important part, is, you know, all these CTEM players are focusing on how can I show you all the issues, but the real value is in fixing those.

That's where patch management is the most crucial part because the only thing you do after vulnerability management is patch management. And so that's really where Qualys is focused on, is that while, of course, our platform being SaaS and with 3 billion detections that we do on the platform every year, 100 million agents out there, we are continuously assessing the customer's external environment, internal environment. Where I think we have had really good feedback from our customers is that we are the only platform in this space with the other competitors, where we are actually helping them patch with the same platform. And so what that means is that in terms of their exposure management, the key part there is the management is only useful if you can actually get it fixed.

And that's where our ability to uniquely go and fix vulnerabilities that are being detected in extremely short period of time means that for the customer, their exposure to an attacker for a particular vulnerability can be significantly reduced. And so when we launched this 4-5 years ago, it was very revolutionary because no other player was doing that, where the same vulnerability detection could also fix it. And we're very glad to see that in the last 12 months, we have 55 million patches being deployed by Qualys agents just in 12 months. And so we're seeing a big push from customers in not just detecting things and seeing exposure, but also being able to pivot into mitigating and fixing these issues, and that's really where we have gotten very positive feedback from customers on that.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

That makes a ton of sense. One for Joo Mi. So, you know, when we think about the profitability of Qualys, you know, Qualys has historically had very high margins as a business. You know, how do you think about balancing, you know, sort of the need to invest versus, you know, producing, you know, or sustaining these high-margin levels?

Joo Mi Kim
CFO, Qualys

Yeah, great question. So last year, when we had guided to 2023 margins, we had planned on reinvesting back into the business. But like we always do, we always have a plan in place, and then we have a regular cadence to make sure that if we feel that we're not gonna get the right ROI level, we will, we will reassess our initiatives and then the investment that we plan to make into, back into the business. And just to revisit last year, we had a CRO turnover. We were looking at an environment where for the very first time, we felt like there was a pushback from the cybersecurity budget, which we hadn't seen before in that magnitude. And part of the reason was because we felt like the ultimate approver and the buyer was shifting.

So before, what our sales reps had to do is really convince a CISO that Qualys was the right solution. This is why we have you have to increase your spend or investment in the Qualys, Qualys product. Because of the recessionary environment and the budget constraints, what we felt like was we had to convince now the CEOs and the board of directors how you're going how you should be looking at Qualys and how you should be measuring the ROI from the investments in, in cybersecurity. And because of that, we decided, you know what? Let's, let's take a look at our investments plan and our long-term strategy. How how to market position us as a security vendor of choice, and we came out with risk scoring, Enterprise TruRisk Management, that Sumedh just talked about.

We reset the planning and the investment for 2024, and because of that, we feel like there's a huge opportunity out there for able to come up with a standardized scoring mechanism that could speak to non-security professionals, such as like board of directors, who just really want to understand what's a baseline? How are you going to increase the return from the investments? How should... Why should we reallocate resources to cybersecurity versus, like, growth mechanism, increasing investments in sales and marketing, where a lot of companies are decelerating growth in 2024? So we're optimistic. So because of that, we are planning to regrow and invest in sales and marketing, both on the direct sales side, as well as channel partners, investing in marketing, as well as the R&D as well.

This year, we are planning to contract margins because we believe that in the longer term, that will help us to reaccelerate the revenue growth in the double digits.

Sumedh Thakar
CEO, Qualys

I think we're in a good place, relative to the rest of the industry, where this year we actually are investing in growing our sales and marketing while still maintaining industry-leading profitability, which is very different than most other companies today who are having to cut down their spend in sales and marketing to meet the bottom line goals.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Yeah. I wanted to build on your comments around TruRisk. It seems like we're seeing a lot of complexity increase in terms of traditional IT infrastructure itself and, you know, particularly with hybrid environments that are out there. Can you talk a little bit more about sort of what TruRisk is, and, you know, how do, you know, these other, you know, cloud solutions you have potentially benefit here as well?

Sumedh Thakar
CEO, Qualys

Yeah, if you look at the history of the last 10+ years of cybersecurity, it's and the purchases have been very much of a best practice. Let's do this, and we will be safer. Let's do that, and we'll be safer. And so people have been spending a lot of money into buying different cyber tools, and people say: "We'll do Zero Trust," and like, "Okay, that's good. Two-factor authentication, that's good." But as these conversations are reaching the board, and it's coming out to, well, how much are we spending? The question is coming out around ROI. And what, what is cyber? Cyber is a risk, and if you cannot articulate your risk, how can you talk about how much risk do you have and how much you should spend on mitigating that risk?

And those are the conversations that are pushing the CISOs to say: "Don't talk to me about, you did two-factor authentication after spending two years and $2 million. What does that mean?"... Am I 10x safer? Am I 2x safer? Am I 5x safer? And so many customers, many CISOs struggle with being able to articulate what is the risk to the business from cyber. And what TruRisk does basically now is that, with, by looking at all the different risk signals that are coming from the hybrid environment, whether it's cloud, non-cloud, laptops, IoT devices, it can basically score by looking at the threat model, and then by looking at your business, give you scores that actually help you measure your risk.

So for the very first time, really, the industry is asking for: Can you help us understand what the risk is? So then we can say, "This is our risk to our $500 million business. We're gonna spend $10 million to bring down on that risk by using tools, and then another $2 million to buy cyber insurance." But today, a lot of those questions cannot be answered if you-- How much cyber insurance should a company buy? A lot of people are not able to explain that because how much insurance you should buy is related to how much risk do you have, and how many people can actually articulate that risk.

And so we, that's why we see that this is a game-changing capability, where the TruRisk score that we have introduced, that started with vulnerability management, scoring and expanding into many other areas, and now collecting data from third-party security tools so that you can really bring in your spend in different types of security tools, combine it together, and as Joo Mi said, give an industry's score so that you can go and present to the board to say, "Our $500 million business has a score of 700. Our acceptable score is 400.

This is the risk, and we are gonna spend this much in reducing the risk, and we are gonna spend this much in buying cyber insurance to mitigate the rest of the risk that we cannot reduce." And so this is really where we feel like this measurement is important. The communication of that risk to the board and other stakeholders is very important. And the third piece, which is at the end of the day, you have to eliminate the risk. And that's where the Enterprise TruRisk Platform that we announced end of last year is not only helping them measure the risk and then report it to the board, etc., but it also has built-in capabilities to immediately reduce the risk by leveraging patch manager and mitigation, cloud misconfiguration fixing, etc., as well.

So very, very different approach than just best practices-based cybersecurity, where people just say, "Okay, I'll implement this, and I'll be better," but you can't quantify how much better.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Yeah, it's amazing. We actually sat in on an evaluation for a similar product in terms of TruRisk. It was interesting because typically, when you go into these product demonstrations, it's going to be your traditional IT staff, your engineers-

Sumedh Thakar
CEO, Qualys

Yes.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

The people that walked into the room were actually the corporate counsel, people that were working in the risk and compliance departments. These folks really were a different buying center altogether, so.

Sumedh Thakar
CEO, Qualys

Absolutely. And that, that's a great point because when we... Earlier this year, we hired Rich Seiersen, who was author of the book, How to Measure Anything in Cybersecurity Risk, as our Chief Risk Technology Officer. And since then, we have been offering cyber risk quantification and board reporting workshops to CISOs, and all of them are completely sold out because, to your point, the CISOs and the CFOs, we're having meetings where CFOs are coming into the meeting to look at the scoring because that's how they are—they are looking to say, "If you're gonna ask me for a 10% increase in cyber budget, tell me, what am I gonna get back?" Of course, it's not a, a increase in the top line, but if you can say a clear risk reduction, that is something very interesting to the corporate counsel, to the, you know...

Earlier, the conversation this came up is to say, even can a D&O insurance for board members, when they are monitoring cyber for a company, what are they monitoring? Just saying, "Okay, you guys did two-factor, which means it's good," or are you actually monitoring the company's actual risk by being able to measure it? So we're definitely seeing that, where this is really now taking the Qualys TruRisk platform, not just at the level of the vulnerability management person, but really at the executive level in the company.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Excellent, excellent. Just to switch a little bit to some of the more current issues around the Qualys story. You know, when we spoke to Microsoft about their decision to move away from Qualys as part of the Defender for Servers' transition to Qualys, they told us that it wasn't related to product quality, it wasn't related to functionality. It was, you know, mostly around their ability to control the product itself, as well as to have a single party to address customer concerns. So, you know, what Microsoft told us is that, you know, the customers do not automatically transition over to Microsoft Defender's VM, and that they have the opportunity to choose a new solution, when the contract expires. Can you talk a little bit about the opportunity here for Qualys?

Just the quick background for the audience is that Qualys was the default solution for Microsoft in the cloud.

Sumedh Thakar
CEO, Qualys

Yeah. Thank you. So look, when we started a few years ago with Microsoft in this relationship, they, they took our legacy VM solution, which was sort of the scan-only, detect-only solution, and embedded that into their platform. So anybody who was using Azure had the option of saying: Hey, we pay for vulnerability management, and this is provided by Qualys. I think, and that was a great partnership. It worked well, but over the last year or so, we've been, you know, working on this together with Microsoft. And, for us, we've transitioned over via to VMDR. VMDR is our pro platform that gives our customers ability to have agents, etc., which gives us opportunity to go to those customers and then upsell them to many other capabilities and modules, which unfortunately was not possible with the embedded capability that Microsoft was providing them.

I think Microsoft, for their own reason, had some of their customers confused about why Endpoint has this scanning engine and the servers has Qualys, and so they wanted to simplify a little bit of that. And so, you know, we worked together on that, and we basically decided that, they were going to give the customer the option of picking Qualys versus, Defender. I think we see that customers who will pick Qualys will be an advantage for us because, first of all, VMDR will be giving more value to the customer, and we can actually charge more and gives us opportunities for, additional upsells.

Now, it just went into end of life, I think, in early May, so it's still early for us to say that we already have a few customers who have come to us and have that conversation to say today, the issue is not how can I detect more vulnerabilities? People have way too many vulnerabilities anyway. So while Defender is good, you know, at detecting vulnerabilities, maybe on certain assets, they're not getting the help in actually prioritizing and fixing, which they can get with the Qualys overall VMDR solution. And so that we see as a longer-term opportunity to continue to get more of these users. And you know, there's already capability built in for them to embed VMDR into or rather, integrate VMDR into Azure by taking the license from Qualys.

So I think there's many other ways that they can simplify their deployment in Azure. So we see this as a longer-term opportunity, and we continue to work with them as a partner. We are working on ingesting Defender data into Qualys ETM, as well as they are working on ingesting Qualys data into Copilot. And so, I think overall, the partnership has matured, I would say.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Excellent, excellent. You know, part of the challenge in the platform evolution is also getting your sales force to be more productive and having channel partners generate those leads. So with new sales leadership in place, you know, what are we thinking in terms of, you know, changes to processes? You know, where do you still see the opportunities to improve on the GTM side?

Sumedh Thakar
CEO, Qualys

Yeah, one of the things I mentioned earlier, that the, as our platform has added more capabilities that simplify the overall, cybersecurity outcome for the customer. The way customer environments, however, are, set up is that the VM buyer is different, the patch buyer is different, the cloud buyer is different. And so part of us having, our GTM, we really operationalize much better, is also enabling our sales teams to be able to go, and within the same customer, be able to go reach out and talk to, different buyers.

Many times, if our partners are not enabled and they're not aware that Qualys has these capabilities, what happens is that within that customer, a different buyer might go to the partner and say, "I would like to get File Integrity Monitoring." And then that partner is not positioning Qualys because they, they didn't know that we have File Integrity Monitoring. So we saw last year that there is an opportunity for us to work on getting better leads from our partners.

If we can train them on various Qualys capabilities, we can enable them, we can incentivize them, because even for the partner, instead of just selling one solution from Qualys, if they can get a customer to buy four, five solutions from Qualys, it also helps the partner in their own bottom line because they don't have to deal with five different vendors. It also helps the customer because they can integrate the stack. And so, we started last year with the partner program. You know, again, it's a multi-year project that we are working on, but early feedback has been great. We have seen our partners react very positively to the changes that we have made.

We are also glad to see that, where a couple of years ago, it was 40% of our revenue came from partners, now it's already pivoted to 45% without a significant impact to our margin. So we have been successful in working with these partners. And now with the launch of the MSSP portal that we announced, last quarter, where 50-plus MSSPs have already signed up, we also see an opportunity there. We are working with our cloud partners for EDP, committed spend [l aw], to be able to leverage those as well. So partners we see are a key part of our growth strategy for the next couple of years. And, again, part of this is enabling them. And so we are working on investments. We have invested more in enablement team.

We actually built an enablement team, now, and we are continuing to expand more with our partners by having more partner camps as part of our sales force so that they're working to bridge the gap between our sellers and the partner sellers, et cetera. So quite a bit of investments going in that area.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

It makes sense. It makes sense. Just maybe speaking to net expansion, you know, given the broader range of products that you are offering now and faster growth parts of the business becoming larger contributors, you know, what has to happen for net expansion to become a more positive contributor for the business? Joo Mi, you want to-

Joo Mi Kim
CFO, Qualys

Yeah. So our net dollar expansion rate last quarter was 104%, and it's been trickling down because one year ago, it was 109. And this is something that's new to us because historically, majority of our growth was driven by our existing customers, and the way we were selling to existing customers, whether it's upsell or cross-sell of newer products, it was a different kind of value proposition that we were going to them with. I think with now the Enterprise TruRisk and the more competition in the cybersecurity space, we are really looking at it from the risk management, how do we help them to measure the ROI?

So we are starting with that strategy since we just launched it, and we talked about it last year, and we're planning to go GA with Enterprise TruRisk by the end of this year. And I think that that will help us to position us, as in helping us to really be that risk management player, and that should drive our net dollar expansion rate up, and also helping us to increase the bookings increase from our contribution from newer products like Patch Management and CSAM.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

So you can't really have a discussion at this conference without at least mentioning AI. So I'll just leave that question open to you. How does AI give you either more opportunity or how are you leveraging AI within your organization as well?

Sumedh Thakar
CEO, Qualys

Yeah, I think we're doing all of the above, right? And so I think really part of this is we see opportunities where and again, I think now that AI is being parsed out into LLMs versus machine learning and all of that, I think people are getting familiar with that. But Qualys acquired Blue Hexagon well before ChatGPT, you know, based AI, I think, came out because we have such a huge amount of data that we collect on customer assets that that makes us the perfect platform to be able to do deep machine learning. And when we acquired Blue Hexagon, Blue Hexagon was mainly acquired for their machine learning and AI capabilities, so that we would build that in different aspects of the platform throughout Qualys.

And so now we are seeing that we are releasing capabilities around that, and I'm not talking about the LLM-based generative AI, where you can chat. We are talking about things like, can we look at millions of assets that customers mark as critical assets and build models that help customers actually identify assets in their environment? Because customers are talking about hundreds and thousands of assets. Can AI identify which assets in their environment should have been marked critical that they did not mark critical and may be losing out on focusing on those kind of capabilities? So we see AI can really help understand risk of an asset because you know that the attackers are also looking at similar capabilities. The attackers are a business.

They are looking at ways to optimize their business, and part of that is instead of going out and trying to poke around every asset that they find on the internet, they are looking to leverage AI so that they can put all the data that's available to find out which asset has the highest chance of being hacked successfully, and they are honing on that. And that's what opportunity the defenders also have, what Qualys is putting in the platform, is the ability to take all of these risk signals, as I mentioned, with CTEM, and leverage AI to really pinpoint, of all of this data and all these assets that you have, which have the highest chance of actually being compromised successfully because of the different factors that you have. So that's those are areas where we are using machine AI as well.

In addition to, with our cybersecurity asset management, many customers who are using AI don't even know right now who is using AI in their environment. Where is AI software deployed? Where are my GPUs that people are using? So our asset management product is helping customers identify the use of AI within their own environment, because now we can see, and on every single device that we are on, whether somebody has downloaded AI-related capabilities, whether somebody has some LLMs that are stored on that particular machine. And then also the ability to look at LLMs. This is something that we are working on to say: Can those be jailbroken? Can we scan LLMs? So these are additional opportunities that can help us expand into customers who are looking at... I mean, the question is, what is the risk from AI?

How do you quantify that risk at the end of the day? And if I have a limited budget on cyber, should I spend that on chasing AI security, or should I still spend that on fixing the vulnerabilities that can be exploited by an attacker today? And so we see multiple opportunities across the environment for us to provide capabilities to our customers, while at the same time, internally, we continue to, you know, use AI for better coding within our developer base, as well as using AI in different areas of the business like, you know, our sales management forecasting tools, et cetera, so.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Yeah. We live at a time where, you know, the budgets are under pressure, and CIOs and CISOs need to show the efficacy of the solutions that they're investing in.

Sumedh Thakar
CEO, Qualys

Absolutely.

Jonathan Ho
Cybersecurity Analyst, William Blair & Company

Qualys seems to be a partner that can help in that process. We've got a few minutes for questions from the audience, so if anybody has a question, don't be shy. Any questions?
