Qualys, Inc. (QLYS)

Canaccord Genuity 44th Annual Growth Conference & Private Company Showcase 2024

Aug 14, 2024

Kingsley Crane
Software Analyst, Canaccord Genuity

Hi, everyone. I'm Kingsley Crane, one of the software analysts here at CG. Excited to have the Qualys team with us today. We have Sumedh Thakar, our CEO, and Joo Mi Kim, CFO. This will be a fireside chat format. We will, you know, we'll take questions. We'll work them in. Thanks for being with us today.

Sumedh Thakar
CEO, Qualys

Thank you for having us.

Kingsley Crane
Software Analyst, Canaccord Genuity

So look, there's been a mixed macro backdrop across the space. Every company's feeling it. You've been executing well. You reported Q2 last week, included a modest cut to the guide. As we look towards the back half of the year, what's the state of the business in your own words?

Sumedh Thakar
CEO, Qualys

Yeah, I think if you look at sort of where we have been executing and the way we look at our business, I think for us, we have been investing the last few quarters in our business, and we are pleased to see some of the traction that we are getting in our net new business, which is double-digit growth over the last 4 quarters in a row. The macro is definitely something that has continued, and deals are being scrutinized much more heavily. And customers are looking for value, and they're looking for outcomes. And so for us, looking at sort of where we have been investing in partners, new business, federal space, we're happy.

Of course, as we said, talked about in Q2, I think our net retention was something that was a bit of an unexpected number for 102, compared to where we were the same quarter last year at 108, and so that's an area that we are working with to make sure that we are training our sales team, giving them the right amount of focus to go out and talk to our customers, existing customers, so that they can see the value of patch management and a lot of other innovations that we have come out with, especially at Black Hat, with mitigation as well as AI Security. And so as we look at the back half, you know, we're not at this point, it's too early.

We're not assuming any sort of change from what we have seen in terms of the macro. We're focusing just on making sure that with all the new capabilities that we are bringing to the market and continuing our execution in the areas that we see ROI in, that we are looking forward to, you know, working on our execution.

Kingsley Crane
Software Analyst, Canaccord Genuity

Right. 102 is a bit of a surprise for some, and a simple question some investors would ask would be: Do you have line of sight into that, and that being a trough there, either we're there now or maybe in the next couple quarters or any thoughts on that?

Joo Mi Kim
CFO, Qualys

Yeah, I think it's a little too early for us to call that trough, because at the beginning of this year, when we guided to the revenue growth rate of 8%-10%, we had assumed that our net dollar expansion rate wouldn't materially change.

We've seen that continue to tick down to 102%. The headwinds that we're facing today, we know that what's working well for our business, which is new business logos and working well with our channel partners. Where we need a little bit more effort on the execution part is working with our post-sales team to really figure out how to go out to our existing customers to, you know, propose a value prop that makes sense for them, so they can spend more with us. And with the new products that we're launching in the second half of this year, we are hoping that we'll see that, kind of... We'll be able to better gauge the interest and how that will impact the bookings growth next year.

Kingsley Crane
Software Analyst, Canaccord Genuity

That's helpful. Just wanted to put a finer point on that. So look, you've done a remarkable job building out the platform over the past couple years. Just big picture, how would you describe VM demand at the moment? How secular is this trend? How cyclical and you know how foundational is VM, and how can you build off that and expand spend within the platform?

Sumedh Thakar
CEO, Qualys

Yeah, certainly what we see with our customers, and if you look at any sort of a mandate or requirement, whether it's PCI, whether it's HIPAA, GLBA, a lot of them, pretty much each one of them requires vulnerability management as an area that every organization needs to focus on. So I think it's really more about the question of, you know, what we have been talking about the last few quarters is being that vulnerability management is evolving from, you know, as people are deploying more software, they just don't want to scan more to find more issues that are not getting fixed.

And so what we see is a movement towards vulnerability management is also about getting the right vulnerabilities fixed in the right amount of time, and that's really where a few years ago, when Qualys introduced patch management as a way to really get an outcome from vulnerability management programs, was not just about scanning. And so we continue to see that customers are focusing on not just the scanning piece, and they're actually focusing on getting things fixed. And so in the current environment, of course, vulnerability management is foundational and important. It is about where if there is additional spend in VM right now or as customers have flattish budgets, we've seen that over the last year, compared to last year, customers have overall flat spend in cybersecurity.

And so within that, how do you allocate that, amount of money that you're spending on VM? And what we see with our existing customers and net new customers coming to us is, people are optimizing their current VM programs. They might, in some cases, move some of the spend that they have on scanning into saying: Let me also get a few patch management licenses on my critical infrastructure so that I can get an outcome of risk reduction. And so, what we do see is that VM is foundational, for almost every company. That is a requirement for almost every standard.

But it is also evolving at the same time into more of being able to also get things fixed, and that's where at Black Hat, in addition to patch management, we also launched a mitigation capability where we now allow our customers to use additional methods to mitigate the risk if they cannot do patch management, as an example. And then vulnerability management is also expanding into cloud, as well as now AI is coming up.

So with the launch of our TotalCloud solution last year, we are really seeing a lot of very good conversations and initial traction with our cloud security solution from a VM perspective and also expanding into what we launched at Black Hat, is our ability to provide security, vulnerability security solutions around AI, which is an area that we will see more and more investment happening next year. And that's sort of where, from an industry perspective, I think vulnerability management has been evolving, which we have talked about in the past as well.

Kingsley Crane
Software Analyst, Canaccord Genuity

Right, so you mentioned some budgets are relatively flat, right now. One of the subsegments that is probably growing faster than some others is cloud security.

Sumedh Thakar
CEO, Qualys

Yes.

Kingsley Crane
Software Analyst, Canaccord Genuity

That's a place that you certainly have a position in. So, your cloud security percent of LTM bookings, it's been relatively stable, around 4 or 5%. I mean, is that something that could be a step function up, or, you know, is that something we should expect to go up? Or, you know, and then how... You know, what could you do from a product standpoint to get there?

Sumedh Thakar
CEO, Qualys

Yeah. We certainly feel like our investment in the product, as we're starting to see those initial interactions, we're starting to see wins against some of the established cloud security-only players. But when customers looking at overall risk management, you know, they are sort of saying: I don't wanna get a siloed cloud security-only solution for the long term. I wanna consolidate my security capabilities, so I don't have to go one place, look for cloud security, another place for infrastructure security, another place for application security. So the Qualys platform ties all of these different things together, and that's where we see the advantage against cloud security-only solutions.

And so part of our focus is really, how do we enable our sales teams to be able to go to existing customers, where there might be a different buyer within that same organization for cloud security, and go have the right conversations with them, create the opportunities? And then how do we do, you know, cloud-focused marketing as well, is something that we are looking at. So this is an area that, I really feel like we have potential, to grow into. And as we execute and as we, as the product is becoming more and more mature, I do see that over the next few years, that is an area that is gonna bring us more opportunities and, and a bigger, potential wallet size for existing customers who don't want to have more siloed solutions in their environment.

Kingsley Crane
Software Analyst, Canaccord Genuity

It's certainly, yeah, an exciting journey to follow. So Google and Mandiant, they've sort of changed the recommendation for certifications to be 90 days from roughly a year. And if you think about some engineer that's manually trying to solve that themselves that becomes increasingly untenable. But so how much is that going to be a boon for your business, or, you know, how much is that involved in customer conversations right now?

Sumedh Thakar
CEO, Qualys

It definitely is drawing a lot of focus on the certificate management discovery and lifecycle management capability that Qualys has. So as quantum computing and the concerns around that are becoming more pronounced, you know, one of the areas is the time it takes to break your encryption is starting to reduce. One of the focus is going to be in the future, you know, how do you ensure that you're able to rotate all of your certificates automatically without disruption in a period of time that's lesser than how long it is taking for from a quantum perspective, to break the encryption?

One of the key capabilities of our VMDR solution has been around certificate discovery and inventory, because you can talk about quantum, but if you ask customers, most of them don't even know how many certificates they have, where are the certificates, and how, when are they expiring? I do see that the opportunity for the platform, where we already have agents, and we're using scanners to discover but also rotate these certificates on a regular basis in a completely automated basis, similar to how we're able to, you know, deploy patches in an automated fashion.

As the focus on certificate management and lifecycle management of certificates will increase, that is another area that I see customers can really rely on Qualys with their existing deployment and not have to go deploy another separate tool for certificate management as well.

Kingsley Crane
Software Analyst, Canaccord Genuity

So related to this, we've heard about machine identities for years. I think that more recently, it's become probably a more important threat vector, and we've seen some companies talk about it and monetize it more effectively. If we look at something like what Venafi was doing, it's a private company that has been taken out, how much does that overlap with the certificate management approach? I know it's sort of coming at it from a different maybe architecture or idea but just, yeah, what are the overlap there?

Sumedh Thakar
CEO, Qualys

Yeah, I think we, and we do see that at times with our customers where, you know, again, they were using a siloed certificate management-only tool. I think one of the things that we brought to the table for a lot of these customers is that for you to be able to discover all of your certificates, you need a tool that is ubiquitous in your environment, that can actually see every single asset that is out there. And so part of our CyberSecurity Asset Management deployment capability, today with asset management, we have some of the most comprehensive asset inventory and visibility in the customer's overall asset environment.

And so, while with Venafi and other tools, they will have to go and deploy again a certificate-specific tool to go and discover all of the certificates, which causes a lot of overhead for them. The ability for them to use the existing Qualys platform, which is ubiquitously deployed across all of their assets, gives them that visibility completely out of the box, and that's included as part of the VMDR capability. And so the key capability for them is really about being able to rotate these certificates and renew certificates in an automated manner, and that is something that, as that area becomes more mature, I would think that customers would need to rely less and less on point solutions or single siloed solutions that are only focusing on certificates.

Because from a machine identity perspective, et cetera, we see every single machine in the environment, so we're bringing that data back, and we're synchronizing that with the CMDB as well.

Kingsley Crane
Software Analyst, Canaccord Genuity

Right. So along those lines, if we take a step back just from machine identity, but how do you view tool sprawl for customers? In cybersecurity, it's, you know, notorious for long vendor lists and crowded expo halls with point solutions. You know, how can Qualys help with that?

Sumedh Thakar
CEO, Qualys

That's an area where people have been talking about for a long time, right? Like, I have too many tools, and people talk about too many agents. But it never has been that huge push to say: I'm just gonna go and change everything. And I think part of this is because consolidating the agents by themselves may not give you a specific outcome other than maybe, you know, reducing some operational overhead. But when you look at security outcomes, it's the consolidation is about whether it's a horizontal consolidation or a vertical consolidation, which is something that people don't necessarily talk about. So vulnerability management is a great space where if you look at what is consolidation in vulnerability management, there are four key pillars in vulnerability management.

One is, first, you have to know your assets, which without that, you don't have anything to scan. Second, you have to scan everything. Third thing is you have to prioritize everything, and then the fourth thing is you have to patch everything. And as people haven't necessarily been thinking in the past about consolidation as an outcome, which is: Can I find assets, find vulnerabilities, prioritize, and patch them all with a single solution? It's always been like: Oh, can I combine my EDR agent with my vulnerability detection agent? And so what we're seeing now more and more is customers are saying, "I want an outcome." So if you look at some of the scan-only solutions, the best outcome you can get from them is a nice dashboard.

Outcome you can get from Qualys for vulnerability management is your actual vulnerability is actually fixed, which is the outcome that you're looking at. So we do see, customers now looking at the same thing from cloud security, is how do I get an outcome of where I mitigate the actual threats, and eliminate things, rather than just a consolidation of 2, 3 agents, et cetera. And I do think that this will be an interesting trend moving forward, where Qualys today... And I'll give a great example of the new AI security product that we just announced at Black Hat, right? Customers come and ask: "Okay, hey, what is Qualys doing for AI security?" And I ask them: "Well, what should we do for AI security?" And they don't have an answer. And so I say: "Okay, fine.

Well, why don't you tell me how many, AI workloads, LLMs are you running in your organization?" No idea, right?

Kingsley Crane
Software Analyst, Canaccord Genuity

Yep.

Sumedh Thakar
CEO, Qualys

The great news is that the customers that have the Qualys CyberSecurity Asset Management already deployed, without having to install anything extra, immediately and instantly, they get to know exactly which machines are running software that are related to AI. So now they have a very good idea of where their AI workloads are running, and now they need to find the vulnerabilities in those workloads, and they don't have to go get another solution. Now, the only additional functionality then we add is the ability to poke the LLM to make sure it's not responding maliciously or it's not responding things that it should not be.

So for us, as a platform, because we have done so much of the groundwork of asset inventory and vulnerability detection, the incremental additional co-functionality we had to add was not that significant. And the customers who already have Qualys deployed, they get value out of that instantaneously, right? So we can go to all of our customers now who have the asset management solution deployed and say, "Hey, here's... Click this one button, and you will immediately see all the places where your AI workloads are providing." So that's gonna be another consolidation that I don't have to go get another solution to go discover all of my AI workload, as an example.

Kingsley Crane
Software Analyst, Canaccord Genuity

Right. I think you make a good point, that, it's about getting visibility into all your assets and projects whether they're, you know, fully deployed or they're still, you know, in development. Security is increasingly shifting left and moving more towards, you know, DevSecOps, even though that's just the name. But it's hard to have the high-fidelity security outcomes and then also ship code quickly. So, for you, I mean, is that a conscious effort to get closer to the developer, or how do you think about that as... Yeah.

Sumedh Thakar
CEO, Qualys

I think the way customers look at it, that is, you know, you wanna do as much as you can to reduce the issues that you find in development. And then you still also need to deploy real-time, like, runtime solutions, right? You cannot say, "Because I scanned my code, I don't need to deploy a vulnerability assessment solution in my production environment." And so today, what customers are saying is: "Well, then what's the balance? Do I wanna spend heavily on both sides, or do I want to look at the ROI that I'm getting?" And so what we are seeing is that when customers are, have been deploying code scanning tools recent years, it's generating so much noise for them.

That if they spend all their time, developers' time, trying to fix those issues, they may not get any meaningful ROI because a lot of those vulnerabilities may not even make it to production. And so they're just spending time fixing a bunch of things that doesn't actually impact the risk. And so what customers are now really looking at is you have issues on the DevOps side, you have issues in production, you have issues runtime. Which of these things present an actual risk to the organization based on, you know, the, the application, based on the dollar value of that business unit, et cetera? And then they want to fix those within that, because otherwise, we are giving top ten for ten different solutions, which is top hundred for the developers to fix, right?

So the focus for us on the new enterprise risk management platform that we talked about at the end of last year and we're planning to deliver later this year, is about taking findings from the developer side, taking findings from runtime production side, and then prioritizing them based on actual risk, and then providing remediation capabilities so that those can be fixed in a much shorter period of time. And so part of this could be, look, we're giving them ability to scan things in the development environment, but does that mean that those are the things that are truly causing a risk, or is it something else? And so the new platform will be taking inputs from DevOps, runtime, cloud, application security, and putting all of them together in a single view, which ultimately is the...

You know, if you look at today, the conversation about why there is deal scrutiny and the budgets are flat, is because cyber is a risk. And when it's about the risk, the first question is: How much? And very few customers are able to actually explain how much is the risk. And so if you don't know how much your risk is, from a dollar value perspective, how do you decide how much you should spend on mitigating that risk, and what's your ROI, right? And so these conversations are coming about how much should we focus on DevOps versus how much should we focus on runtime, and our, our outcome and our goal for the ETM platform is gonna be really about that.

Kingsley Crane
Software Analyst, Canaccord Genuity

You make a good point about risk. One of the organizations that thinks a lot about risk is insurance-

Sumedh Thakar
CEO, Qualys

Yes.

Kingsley Crane
Software Analyst, Canaccord Genuity

And cyber insurance has been a significant boon to the cyber industry. It helps support some of the demand over the past couple of years. You can get lower premiums if you demonstrate better coverage of. How has that affected your platform?

Sumedh Thakar
CEO, Qualys

It definitely feeds into the overall risk management strategy for the customer. So number one is, you know, you have to be able to articulate your risk. So if you, where a lot of customers struggle with a lot of CISOs, if you ask them, are not able to quite articulate the risk. So first, you have to articulate your overall risk. So you will need to be able to say, "My $500 million business unit has a potential daily loss value of $10 million, and my... And the chance of that happening is at 75% today. And then if I can spend $500,000, I can bring that risk factor down to 25%, which is a more acceptable risk." And then the question becomes: Well, okay, so now you have this residual risk.

So you, you put tools to reduce the risk down, but then you still have this residual risk, and how much cyber insurance should you get to take that risk off, right? That's the basic equation. What is the risk? How much am I going to invest in tools, and then how much do I... But a lot of times those conversations are not quite happening.

So while there is a best practices-based approach where cyber insurance is saying, like: "Look, if you do, like, deploy some of these solutions, it's gonna, you know, we feel better that you have a better security posture." But with the TruRisk score that we have, that's a great opportunity that as we work with, you know, we have a couple insurance companies already doing that, where they look at the score, not the count, and they say: "Look, the overall score of this customer is looking better," and so they can get benefit on their cyber insurance premium. And I think as the score matures and as we launch the ETM platform, that score has the potential of becoming something that the cyber insurance companies can truly, you know, look at to say: "Here's how, you know, the score is trending.

I can actually give you a benefit on your cyber insurance or decide on how much coverage you need to get." But these are questions that are not quite well answered today.

Kingsley Crane
Software Analyst, Canaccord Genuity

Look, we have a couple of minutes left. I just wanna check to see if there's any questions in the audience. Okay, we'll continue. I would be remiss not to mention the CrowdStrike BSOD event or outage. Everyone's been talking about it, but I mean, what's your take on the event, and then what are you hearing from customers, either perspective or existing?

Sumedh Thakar
CEO, Qualys

Look, I think it's about balancing your operational risk with security risk, and that's a question that a lot of customers are asking. And, you know, when they—after the event, they, of course, talk to Qualys. And, I think one of the things I look at as an advantage for our platform is that we're not dependent on the single agent as a way to deliver our services. So customers today, Qualys has a comprehensive set of sensors where we can use scanners that without an agent, we can use agents, we can use snapshot scanning, we can use off-node scanning. So there are multiple different ways customers can deploy those services. And of course, we don't run in the kernel, as the CrowdStrike agent did.

So we are in user space, and so with the combination of those things, it gives them ability to decide in certain environments, if operational risk is too high by deploying an agent, they can still use Qualys by using a scanner and get the outcome of that. In other cases, they might be, they might find leveraging the agent a lot more valuable. And so I think, of course, it is, it is an area where, the conversations are helping us demonstrate, again, the Qualys architecture is not just singularly dependent on one way, and, and one way of delivering our service. We have multiple ways that we can do that.

Kingsley Crane
Software Analyst, Canaccord Genuity

Right. It's a good point about the, you know, the type of work your agent's doing or the type of access it has. I mean, it's great if the CrowdStrike agent has so much access to the kernel and, but it doesn't work well if they, you know, ship a bad update.

Sumedh Thakar
CEO, Qualys

Right. Yes.

Kingsley Crane
Software Analyst, Canaccord Genuity

Look, so you have roughly 75% of your employees outside the US, many of those in India. But I guess just can you speak to how you've been able to find talent in the region and just how you've built your business there?

Sumedh Thakar
CEO, Qualys

Yeah, we, we've started in investing in India from a talent you know, getting talent about you know, over 10 years ago. And so over the time, we have really built a, a great R&D center where a lot of our innovation is, is happening over there. And of course, it is an area where there is availability of a lot of talent, a lot of universities around in the area where we are. And having built a brand name as a you know, Silicon Valley cybersecurity, technology, SaaS company, leveraging some of the latest technology that is out there, you know, whether it's AI, whether it's Kafka, Cassandra, etc.

So with that, and the fact that, in the region in India, a lot of the key infrastructure, like the biometric identity by the government, that authority, they use Qualys to secure the identity of the citizens. So a lot of that brand name actually does help us get good talent, and overall, we have put a lot of effort on culture and helping us attract and maintain high-quality talent by giving them global responsibilities wherever it makes sense as well.

Kingsley Crane
Software Analyst, Canaccord Genuity

Look, so we're running up on time. Anything you'd like to leave investors with?

Sumedh Thakar
CEO, Qualys

Look, I think, you know, we are focusing on ensuring that we put the proper investments to address our net retention rate. We're happy about the positives that we have seen in the quarter with net new business in this environment, growing double digits for four straight quarters. The potential that we have for federal business, where we really have a very small footprint today, and the ability for us to, as with FedRAMP High coming later this year, which will make us one of the only FedRAMP High platforms that does vulnerability patching, etc., is an area that we see opportunities, and then just our expansion into overall remediation with mitigation, etc., and our innovation enabled to address AI security so rapidly, which is an up-and-coming area for next year.

We feel that, for the long term, we are positioned to continue to grow well and be able to penetrate newer areas of cybersecurity.

Kingsley Crane
Software Analyst, Canaccord Genuity

Great! Exciting time. Thanks again, Sumedh Thakar and Joo Mi Kim.

Sumedh Thakar
CEO, Qualys

Awesome. Thank you very much.
