Thank you both for being here.
Yeah. Thank you for having us.
Before we get started, if you wanna ask a question, there should be a card in front of you. You could submit it through the app, the QR code. It'll show up here on the iPad. I'm happy to kinda weave it into the conversation. So, with that, we'll get started. Sumedh, just to start on the product side, you've been talking about this vision of a platform for some time, and you've talked about the adoption of products like patch and CSAM, the momentum they're continuing to gain, but just high level, when you talk to customers, what are they telling you about vulnerability exposure management as one of the critical platforms when they think about kinda the future of their cybersecurity posture?
Yeah. Great question. So, vulnerability management continues to be a cornerstone for any risk management exercise for every single organization. It's required by every single mandate that's out there. You know, they're required to do vulnerability. I think what has happened in the last few years, and we've talked about this last couple of years, is that as the amount of software being deployed has increased, the number of vulnerabilities being discovered has increased a lot. And customers really are today saying, "Well, the outcome and the ROI of vulnerability management is if we can actually get things fixed." Otherwise, we're just reporting on that. And so, exposure management really is about, are you just exposing the exposure with scans, or are you actually managing it with getting remediation?
And so we started to see this a couple of years ago, even earlier than that, where customers were struggling with actually getting things fixed. And what we hear in the vulnerability management space, and I think it applies overall to the security space, is, what is the ROI? How much should I focus on security and which part of security? And so when people are talking about a platform, it's not necessarily always, "Can I consolidate SaaS?" And it's also, "Can I get an outcome?" So if I use one solution end-to-end, or just for vulnerability management, do I need to have four different solutions, right? One for discovering assets, one for scanning, one for prioritization, and one for patch management. So when we introduced as Cybersecurity Asset Management a couple of years ago, four or five years ago, we introduced patch management.
Now we see that customers really adopting that. Just in 2024, as an example, Qualys agents have deployed 78 million p atches from January of this year till now. So customers are actually using a VM solution to deploy the patch. So I think that's really what we see customers really talking about, you know, ROI, how much, should I focus on? And the bottom line is there is no ROI in security if you don't fix the things. Like, you can build dashboards, but that doesn't mean anything.
Yeah. Makes sense. In addition to that ROI conversation, I think we'd all agree that cybersecurity is becoming more of a Board of Directors conversation.
Yeah.
And I think the nebulous question that most boards are asking is, "What is our cyber risk?" which is sometimes hard to quantify. A lot of vendors are trying to address this challenge, but you introduced this new, Risk Operations Center.
Yeah.
Product branding. How does that directly address some of those challenges and initiatives?
You know, I think that the end of the day, cybersecurity is a risk management exercise. And the first question anybody has when you say risk is how much. And as you rightly pointed out, most CISOs, when they're going to the board, are not able to articulate, "Well, how much risk do we have from a cyber event?" Because that actually dictates how much you spend on reducing the risk, right? You can't be spending $100 to reduce a risk of $100. And so that's where CISOs really are struggling. And so if you look at the evolution of when, you know, in the past, you used to have a NOC where you monitored every event happening in your IT infrastructure. People were hired, a couple of people to look at some security events, which started to morph into a SOC.
SOCs are really about detecting a breach after the fact. Somebody's in my network. Can I have a breach detection? But as risk factors have also increased in the last few years because people are deploying more software and more solutions, you have code scanning tools, you have cloud security tools, you have endpoint security tools, and given that we're never gonna be able to fix everything that we're finding, the need for operationalizing risk management from a cyber perspective has been increasing. And so that's where we introduced the notion of a Risk Operations Center, the idea that you can collect all of your assets, all of your risk factors into one platform from your existing solutions. Don't necessarily have to go replace your solutions, but then analyze those with threat intelligence and business context.
Just because you have something exploitable may not mean it's important to fix for your business. And then ultimately get that fixed. And that's essentially a risk operations center. So we announced our enterprise risk management platform. And I think what it's differentiated with anything out in the market, either you have tools that are aggregating findings or tools that are doing risk quantification or tools that are doing remediation.
With the ETM platform, we're bringing all of those together, which really helps us have a different conversation of not going and replacing an existing solution that they might have for cybersecurity, but saying, "Hey, with this platform, we can take the data from your existing solutions and tell you a picture of your risk, quantify that, and then see what is the probability and give you a report that you can take to the board." And that's really what everybody's looking for right now.
Got it. Okay. So in addition to Risk Operations Center, you announced a couple other new products with TruRisk Eliminate, and TotalAI family. Just how do you expect to monetize that? And I guess more broadly, how do you think about platform monetization? Do you feel more confident about that, as we get into next year? And just any sense of the ASP uplift or upsell that you think is possible?
Yeah. I think if you look at TruRisk Eliminate, it's expansion on the how successful we feel patch management has been, in a remediation perspective. So today, I would say that patch management is important, but it's not enough now. So while we wait for competition to catch up on adding patch management, now we're going beyond patch management. We are adding ability to mitigate vulnerabilities without deploying a patch. That's the next level, right? So or sometimes you just wanna isolate a device because you can't fix it. So the focus again goes back to no ROI if you don't get things fixed. And so we're aligning our capabilities in the platform more towards what customers are looking for. Can I get things fixed?
So that's really where TruRisk Eliminate will allow our patch management customers to then upsell to additional capabilities that allow them to address zero-day where there is no patch. It's also going to help customers who are currently not, who don't want to go for the fight with IT team for a patching solution can now look at applying a mitigation instead of patch management. So it gives us opportunities there. I think as AI is continuing to be a top of mind this year a lot of companies spent on experimenting with AI. I think a bunch of projects succeeded, a bunch didn't succeed but next year is when a lot of people are going to try to put some of their AI LLMs into production.
Mm-hmm.
And they're coming to the security operations team saying, "Hey, can you certify this?" And the SecOps team has no idea what to do. And so, for the short, but I think also the bigger question is if you have a limited budget in cyber, should you spend all your money on AI security? Well, it depends on how much risk you have. So what we came up with TotalAI is essentially what I call as a point-and-shoot AI scanner. You give an LLM, we'll scan it, and we'll give you a green or a red. And that's like the basic assessment that you can do right now. And then from there on, as AI deployments evolve and the threats against AI evolve, we will continue to provide those capabilities.
And so, customers today who have some Qualys solutions have multiple ways that they can expand, whether it's cloud security, whether it's AI, whether it's Eliminate with patch management. And with the ETM platform, we can also now look forward to going into customers that don't have a Qualys solution but leverage their existing solutions to give them a view that they can take to the board, which is very interesting to them. And then that approach that allows us over a period of time to replace maybe a solution that they are integrating into ETM with an existing Qualys module. But we will always be bringing in data from other solutions where we don't have a solution on the platform. So I think this platform approach is going to be adjacency consolidation in certain areas and bringing data from other tools in certain areas.
But I think this notion that there is one single platform that will, you know, be the only security platform you will ever need, from a single vendor, most customers won't really subscribe to that.
Yeah. Fair enough. Okay. I wanna talk about just execution. And I think after a relatively weak quarter or 2 Q, you jumped into the, the CPO role. And, 3Q, I think, was a, a pretty marked improvement on, on execution. And I don't think you'll accept full credit, but, I, I think in, in some ways, maybe direct ownership of, of product and marketing helped, helped drive, better accountability. And, and on all this talk about the platform, I think is, is starting to make a little more sense. Can you just talk about kind of low-hanging fruit around execution that you think has, has been better over the last couple of months?
Yeah. I think if you look at the last couple of years, we've really been, you know, we hired our first CRO. We never had a CRO. So we are really in this transformation that we're looking to do with our execution. And if you look at our focus on new business, we were happy the last five quarters in a row, we had double-digit growth because of some of the execution improvements that we made in focusing on demand gen, etc. I think in the same period, our net retention rate came down, which is existing customers buying more solutions. And that's where I really felt like there was an opportunity for us to execute more tightly between product management, marketing, and sales.
And so as I took over the role, we really came up with this idea of a ROC, which really simplifies the concept of what Qualys does. The idea has resonated really well with CISOs when I talk to them. The ROC makes sense to them, so being able to simplify our GTM, and then work closely with the marketing team as well as the product management and then the CRO team, actually, that's really helped us come out with a really good messaging at our user conference in October, and helped us really, because I feel like existing customers need to know better capabilities that we have.
So that when they're looking at cloud security, they're looking at TotalAI, they can actually look at Qualys as the first option to say, "Do they have a solution?" Many times, if our partners don't know we have those capabilities, if our customers don't know we have those capabilities, and the CPO organization has to execute, not just developing the products but also making sure that we have the right marketing messages that then are distributed correctly through our marketing engine. So, you know, those are some of the short-term immediate improvements. But also, as we move forward, I think just bringing the simplified messaging of the platform together where it's not about 20 different solutions, but it's about a real single score that you can take. I think that's the execution opportunity that I see. That's what I'm going to focus on, as well, moving forward.
Got it. Okay. You mean maybe from a numbers perspective, the 14% billing CCB growth last quarter, I think, was well above most expectations. And you've talked a little bit about kind of the nuance of billing's timings. But absent all that, I think generally to all you guys talking about just a better execution quarter, how much would you subscribe to that versus potential better selling environment? And how are you thinking about kind of 4 Q where the comps are a little bit more difficult?
Yeah. I would attribute most of that to our own internal and a macro improvement. I think that Q3 was a surprise to us. With the focused execution, we were very pleased to see that our net dollar expansion stabilized and ticked back up to 103%. There are a couple consecutive quarters of decline, which proved to us that, you know, we really have the ability. We do have the product set that with the better positioning and being able to go out there to the market, to existing customers, to really show them where the value proposition is, we will be able to deliver a great upsell quarter. And looking into Q4, what we're hoping to see is underlying the guidance is assuming no material change in net dollar expansion rate, but we've kind of hit that trough this year. That's what we're thinking.
And then looking at the pipeline going forward, we think that, you know, even though Q3 was a great quarter from both upsell as well as new bookings perspective, Q4 looks to be a little light just because it is more difficult compared to Q4 last year with a great quarter, from the billings perspective. So all in all, we're very pleased with the progress that we're able to make. And our guidance implies that, you know, our current billings will be more or less in line with our revenue growth rate of 8%.
Got it. Makes sense. And then once you get past Q4, where it is maybe a little more challenging from a numbers perspective, what have you said about 2025 in terms of the trajectory of billing's growth there?
Yeah. I think it's a little too early for us because we are thinking through the 2025 planning with the team right now. And what we're really trying to figure out is, you know, we found that our success [in] channel partners has been really great for us. If you're taking a look at the revenue growth from indirect has continued to grow by 17% in Q3, same as Q2. The drag on our business has been the direct side. And so looking into 2025, we're trying to allocate the different budgets appropriately to make sure that we drive that top-line growth. And with that, what that would imply from a unit economics perspective, the margin contraction perspective, we'll be able to share more color back later in February.
Got it. Helpful. Okay. And then maybe just from an expense side, the 4Q guidance implies a fairly healthy step up in OpEx growth. Just what are you expecting around about hiring, particularly on the go-to-market organization where you've had some changes and kind of rebuilding that? Just what are you seeing from a hiring perspective?
Yeah. I think that we'll continue to hire, but probably not at the fast rate that we've seen earlier in the year just because we do see some optimization that has to take place. Because if you take a look at the increase in sales and marketing investments along with the OpEx investments this year, our growth in the top line is not where we would like to see.
Yeah.
Right now, what we're trying to see is, like, we see some initiatives that hasn't generated the return that we were hoping for. We'll have to reposition ourselves and think through what it should be set up, what the setup should look like in 2025.
Okay. In terms of just broader sales capacity as we enter 2025, is it fair to say there's more of a, and you've talked about this in the past, kind of a wait-and-see approach to see how 4 Q plays out before you really start changing the investment strategy there?
That's right. That's right. Because Q4 is typically our biggest quarter. And what we're seeing is we see the trough, we saw the trough in Q2, thankfully. And Q3 was a great quarter. We'll have to wait and see how Q4 looks like. And our guidance implies that, look, it's not gonna be as strong as Q3, but we believe that the healthy momentum will continue. And so afterwards, we'll be able to say what 2025 will look like later in February.
Got it. Maybe for either of you, I mean, you talked about net retention stabilizing, ticking back up to 103 in the quarter. I think in the past, you've talked about, like the scanning, the headwind from scanning assets, number of assets coming down. Do you feel like that pressure's starting to alleviate? Or how do you think about kind of that versus potentially better upsell, better cross-sell?
I think it's a combination of, you know, we are getting better at helping customers articulate to them 'cause customers don't wanna just spend more money on scanning without getting an outcome, right? And so how do we work with customers to show them the value of patch management, how they can allocate the budget, or maybe in some cases, they're scanning things that they're not able to fix. So they might wanna take some of that budget and use that for some patch management so they can actually get value in what they are doing. So we see the opportunity there, as part of our sales enablement, our existing salespeople talking to existing customers, how to leverage that.
And then in addition to that, then during that conversation, how do they set up for not only optimizing the spend that they had with Qualys from last year, but then how can they go forward to say, "Well, what, what are your current AI challenges, right? How, what is your cloud security posture looking like? How do you move part of what you're doing or augment that with that cloud security solutions?" and then as we get into 2025, really a go-to-market motion that involves having the conversation with CISOs about not about this celebrity vulnerability or whatever it is. It's about how much risk do you have, how much risk are you reducing, what is ROI, how are you communicating with the board?
I think that is where I see opportunity because now, today, our sellers have to go and say if they have a competing product, direct competition with Qualys, then it's a long POC cycle and all of that. But if they do have the ability to walk in with our enterprise risk management platform and say, "Oh, that's okay. If you have a competing solution, you keep it.
Give me the data from your five different solutions, and I can give you a view that is very differentiated and you can take to the Board," that helps us with new logos, getting new logos, but also it helps us with existing customers who can now expand into other areas and then over time give us opportunity to replace some of those, in addition to just being able to be the layer that the CISO really wants to interact. The CISO may not necessarily want to interact with individual security solutions, but they really wanna be able to do that risk conversation.
I see that, with the new products that we have launched, as we get into the next couple of years and we fine-tune our marketing execution, now that I've jumped into that, and then our partners, our CRO team executing, and then the federal opportunity that we have, I'm pretty excited about the opportunity we have in front of us.
Yeah. Maybe another question about sales and marketing and leadership and particularly on the marketing side. The CPO role is, I think, pretty familiar for you. That's where you, I think you spent a lot of time at Qualys then.
Yeah.
How are you thinking about that position longer term? I mean, is this a role that you expect to kind of carry out, or is there a search to look for a successor? And how do you think about that person kind of working in conjunction with the new CRO who's been there for a little bit?
Yeah. I think Qualys has always been a very product innovation-focused company, and we have really always focused on how do we build great products for our customers. So I think I feel like that's a really strategic thing for us, especially now with ROC and ETM execution. So, at least in the short term, I look at continuing to really be involved from pulling the product and the marketing teams together. And, you know, of course, we will be, wherever necessary, bringing in leaderships focused on maybe marketing, focused on certain areas. But, I think overall, sort of given that we are in a pretty good place right now, where we are focusing these couple of years on some strategic initiatives on the product platform side, that's an area that I'm going to be involved in, continue to be involved in more.
Gotcha. Okay. It's been a couple quarters since then the wind down of the Microsoft OEM relationship. Can you just talk about what's still embedded in the guide in terms of, of headwinds? And then conversely, how do you think about the opportunity coming out of that? You've talked about that being a customer base that there may be some limited visibility to. Just how do you think about that being a potential customer base you can tap over the next couple years?
Yeah. I think we really didn't, you know, these customers were not known to us. And so it's really about how do we, what we're focused on is how do we ensure that customers know that we have they have an option that is much better than, potentially what is being offered to them embedded. So it's kinda hard to tell. We, of course, have had some direct conversations with a few customers. Sometimes we don't know that that's kind of the relationship that they have come from. I think for us, it's continuing to focus on, you know, there may be tools that give you some scanning, but ultimately, you know, we really need to fix things. And so getting customers to sort of look at a more holistic solution around vulnerability management with patch management is an area that we are focused on.
Again, we don't quite know exactly how which of those customers came over or are going to come over at the time of renewal next year when they've had a year to use the other solution and maybe they're looking to change. I think that's something that we will continue to focus on. You know, that's not really. We haven't baked in anything from a guide perspective on that, you know.
Yeah. For 2024, it had approximately 1% headwind impact, negative impact on the revenue growth rate. So in Q3, it was about 1.5% for the quarterly revenue growth rate. In Q4, it's going to be about 1%. So you're talking about we guided to 8% at the midpoint. It would've been 9% without it, and then next year, really immaterial.
Yeah. Cool. Okay. You mentioned the federal opportunity a little bit ago, and I think you've, you've demonstrated some early signs of success there with, with some early deals over the past couple of quarters. Just what, what are your expectations into 2025? And where, where's the Fed in terms of this platform vision? And particularly as you think about VM exposure management and patch management, I think we've talked about the incumbents that are there and, and the opportunity specifically on the patch side. What, when you just talk through how, how you're thinking about that next year, and where you feel you're differentiated maybe around the cloud.
Yeah.
Cloud offering.
We're very excited about the federal opportunity. I mean, as you know, it does take, you know, a while to get established and build out that. And we started that last year really with hiring a good team. Our focus on doing a conference this year first time, which was a Qualys focus conference for federal. And we are pretty excited to see some of the wins that we're seeing. And we talk about that during the earnings call, some of those. What we are seeing right now is, you know, and we have been FedRAMP moderate for a while with many of our solutions. And now we are really awaiting our FedRAMP high authorization, which would again be an opportunity for us to go to more agencies for them to migrate over.
If you look at most of the wins that we have talked about are really about replacing an incumbent on-prem scanning solution and an incumbent on-prem patch management solution with a single. So really not much different in the Fed space from a commercial space when people are looking at, "I wanna consolidate for an outcome." That is where really a lot of the interest is coming to say, "Okay. I, as the federal agencies are also modernizing to the cloud, the last thing they want to do is take an on-prem security solution and try to move it into the cloud, right?" So that's an opportunity when they look at to say, "Well, what's out there that is cloud-based? That's FedRAMP." And we see that that's an area that's quite exciting for us. So we look to continue investing in that space.
We continue to work on building those opportunities. Today, our revenue from the federal space is you know really small. So the opportunity is pretty big. And I think the federal agencies are definitely having conversations about consolidating with patch management. Because if you look at CISOs, a lot of the CISA guidelines, they're not saying, "Hey, scan for these 50 vulnerabilities." They say, "These 50 vulnerabilities need to be patched.
Yeah.
And so that's helping us drive when we give them, "Hey, here's a CISO dashboard of what exactly can be patched," so we continue to look at that, and we see opportunities for us to grow over the next few years in that space, so we're really excited about investing there.
Yeah. And you're coming from a smaller base that's exposed to the federal government. But any high-level thoughts on the health of federal agencies as customers into a new administration? There's been a lot of talk about kind of efficiencies that could potentially be capitalized on there. Probably a good thing.
Yeah.
If you're thinking about automated remediation, automated patching. But just any, any high-level thoughts on that?
Yeah. I think there are two areas, right? One is, you know, just financial savings because of consolidation. But also, I think there's a lot more pressure given the speed of attacks of consolidating outcomes. So even if you were to spend a ton of money on two different solutions, if you can get it fixed before an attacker gets there, that's where the agencies are getting dinged to say, "Well, why was this not fixed when you had so much time?" And so a lot of the interest is not just driven by the financial aspect of it. It's also like, "Well, I could get this fixed in two days versus right now it takes me two months." So, I think with the new administration, etc., we'll see how that evolves.
But I think, cybersecurity is gonna continue to be, an area of focus for everybody, whether you're a federal or not. And so I think we'll look forward to see how that impacts, focus and spending patterns. But, from perspective of, no matter what, I think the direction will be more efficiency, right? And so I think that's fair to say. So that's where our combined solution, definitely brings more efficiency for them.
Got it. Okay. I just wanna touch on cloud quickly. I think last quarter and in quarters prior, you talked about your level of success selling cloud even against established cloud vendors.
Yeah.
I think most investors think about the space as fairly crowded. It's growing quickly, but relatively crowded. I think today you talked about CNAPP being about 4% of trailing 12-month bookings. But how significant do you think that becomes over time? And how do you think about that competitively against the broader set, but also some of your exposure management peers?
You know, I think, cloud security cannot be looked at in a silo either because it's again, nobody has only cloud infrastructure, right? People have offices. They have corporate environments. They have remote desktops, laptops. So when you look at overall security, I think the question again goes back to, "Okay. So how much risk do you have?
Yeah.
And you can't just say, "I have 25 buckets exposed, and that's the list," right? So I think it again goes back to customers saying, "Well, the space is crowded. There are solutions out there that I can expand with existing players like Qualys." So customers saying, looking to say, "Can I get a holistic end-to-end view of my VMware environment, my cloud environment, my non-cloud environment, my desktops? I can do that with Qualys." The cloud security-only solutions only give you a view of the cloud issues. But again, that doesn't give them the view of an overall risk to the environment because, you know, you look at a mobile application that you're using. It has a lot of infrastructure that is, like, may not be even running in the cloud.
So how do you look at the overall risk to this, this particular application? That's where the customers are coming up with questions. And so as we have created more capabilities, we recently announced our attack path, etc., for cloud. As an example, the differentiator is, okay, you can get attack path information from cloud security solution only for the cloud attack path. But you can, you know, you're somebody's attacking that cloud from a laptop, which is not in the cloud. So how do you get the attack path fully? With Qualys, they get to see, you know, the, the combined view. And that's where customers are saying, "Okay. That's initially in the early days of, you know, maturity of this area of security, we went to a, a solution that was only cloud.
But now, as we have spent a couple of years working with that, we wanna look at what's out there that gives me a more consolidated view." And that's where we see the opportunity as our capabilities have matured and we are seeing some good wins against the cloud security-only solutions. That again, as we're at the early stage right now. But as we get into the next couple of years, that spending for cloud is gonna be an area that people will focus on, but also not overspending, right? So people are gonna say, "How can I expand my existing solution set and add a cloud to that so I get a holistic view and I get the benefit of a better pricing because I'm doing a bigger infrastructure other than cloud only?" That's an area that we're excited about. We see opportunities in the next couple of years.
Got it. Okay. Maybe just to finish off, for Joo Mi, Qualys has been a pretty strong free cash flow generator for some time. Just love to hear your thoughts about capital allocation priorities. I know there's a lot of debate over investing organically in the business. You've leveraged M&A at times in the past. Just how do you think about use of free cash flow from here, and maybe Sumedh, you can just talk about kind of your M&A strategy criteria.
Yeah. For us, it's been primarily used to repurchase our shares. And you're looking at $35 million back in Q2, $45 million in Q3. So there's a healthy amount that we're investing to repurchase our shares because we do feel like our valuation implies that it makes sense for us to repurchase our own shares. Aside from that, because our cash on balance sheet is over $500 million, we've been very proactive in looking at M&A targets with the valuations coming down, especially on the private side. It's a very healthy market. I do believe that there's attractive opportunities out there. So we've been very, you know, strategic in terms of looking at different opportunities for potential consolidation in this space and participating in that.
Got it. Cool. Well, I think that's, that's about it. So we'll, we'll wrap it there. So thank you both for being here. Thank you all for joining.
Awesome. Thank you very much, Roger.