Good day, everyone, and welcome to the Qualys 4th Quarter 2019 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen only mode. Later, we will conduct a question and answer session and instructions for asking a question will be given at that time. I would now like to turn the call over to Vinayak Raul, Vice President, Corporate Development and Investor Relations.
Please go ahead, sir.
Good afternoon, and welcome to Kallen's Q4 2019 earnings call. Joining me today to discuss the results are Philip Coteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 ks.
Any forward looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, investor presentation and supplemental historical financial spreadsheet are available on our website. With that, I'd like to turn the call over to Philippe.
Thank you, Vinayak, and welcome, everyone, to our Q4 earnings call. Medica and I are pleased to report another good quarter in terms of revenue growth and profitability. We are also very pleased to report continued acceleration in our paid Cloud Agent subscriptions with almost 31,000,000 now, 90% growth from prior from the prior year quarter. We continue to see good adoption of our free global IT Asset Inventory Discovery application with almost 6,000 new companies signed up and over 600 using the service. We now have over 300 existing customers using it as well.
We saw strong growth this quarter from our paid ITS and Discovery and Inventory Solutions. And in fact, a leading aerospace company procured the solution this quarter in order to gain visibility of all their known and unknown assets across multiple environments as well as the end of life of their installed software. In terms of our other newer solutions, we also saw robust growth against again from container security and FIM, file integrity monitoring. A large software company selected Qualys FIM as well as Policy Compliance this quarter in order to build these capabilities into their DevOps and cloud environments, which they could not do with competitive products and deployments. And the deployment was simple as they utilize existing Volatility Management our existing Volatility Management cloud agents.
In addition, it's worth noting that Patch Management has seen the highest customer ramp among our newest application with particular strength in the mid market segment. Now let's look at our product innovation. In Q4, we continue to make strong progress in our goal of achieving ubiquity for our Cloud Agent. Our Cloud Agent is the technology platform for 7 security compliance and IT solutions, namely, vulnerability management, policy compliance, file integrity monitoring, indication of compromise and Patch Management, Asset Inventory and the upcoming a Certificate Management and with more to come. Our key accomplishments this quarter to drive cloud agent adoption included unveiling Verinty Management Detection and Response, which we call vMDR at our user conference in QSC.
VMDR takes vulnerability management to the next level by providing the power to continuously detect vulnerabilities and misconfiguration across the entire global hybrid IT environment and respond in real time to mitigate or remediate assets that are vulnerable or already compromised. VMDRs bundles asset discovery and inventory and vulnerability assessment and patch detection as a single app. It's effortless to deploy on a global scale and price as a fully bundled solution, drastically saving deployment, administration and software subscription costs with, of course, our real time lightweight cloud agents and the virtual scanners that are self updating and easy to deploy as well. Also, announcing a partnership with Microsoft, embedding Qualys Velocity Management and Qualys Container Security into Microsoft Azure Security Center, providing real time visibility to secure cloud workload, provisioning and DevOps orchestration and also partnering with Google Cloud to provide its customers with one click vulnerability assessment through a seamless integration of the Qualys Cloud Agent with the Google Cloud Platform, GCP, bringing building security to Google Cloud customers with essentially no software to install or maintain. Additionally, Google Cloud customers will have access to Qualys VMDR to build a streamlined workflow to create their global IT asset inventory, continuously identify vulnerabilities across the entire environment, prioritize and remediate those vulnerabilities at a click of a mouse, drastically reducing against the threat exposure.
This is based on our other product release earlier in 2019, including the Patch Management app, enabling IT and SecOps teams to quickly target critical common vulnerabilities and exposure, then deploy the patches across endpoints on premise or cloud assets and verify remediation, all from one single console. IOC 2.2 app, which provides a quantum leap in IOC detection with new detection, and investigation and response capabilities that identified in nearly real time not only known IOCs, but also suspicious devices. The FIM 2.0 app, where we have now added incidents reporting, API integration, rule based alerting and event correlation capabilities. We have also created a light version of TIM for customers that require compliance only, like with PCI requirements. And finally, the Cloud Agent Gateway Service app, an important extension of our Cloud Agent platform, enabling customers to securely connect Qualys Cloud Agent from sensitive environment like DMZs, while also drastically reducing the bandwidth demands of large scale deployment.
Now let's look at our go to market initiatives. Given the increased breadth of our product suite and the launch of VMDR during RSA, we have now embarked on a few additional go to market initiative that leverage the efficiency and effectiveness of our cloud platform. This is, in fact, a key element of our profitable growth, driving value for both our customers and shareholders. Our go to market activities in 2019 included leveraging our cloud platform for lead generation. We launched our global ITSA inventory asset discovery and inventory app as a free service, as you remember, from our platform to generate meaningful demand of our paid apps.
With a single agent subscribing to additional apps is frictionless. This drive multi product adoption, which naturally increase the stickiness of our platform and helps make us impenetrable to our competition. We do not offer the same breadth of solution. Also, launching new targeted campaigns, which enable prospective customers to easily click and create their own trial accounts creating a new team of technical account representative, which we call TARs, who onboard and support customers utilizing our free applications. Also building the Qualys Canadian Cloud, which expands Qualys global operation to 8 locations on 3 continents.
And expanding partnerships, Core Fire Systems selected Qualys vulnerability management and continuous monitoring capabilities to integrate into their secure cloud automation services. Proficio, an award winning global managed security service provider, choose to fully integrate the Qualys suite of cloud based solutions with Proficio's management, detection and response capabilities. And finally, the Center For Internet Security, CIS, selected Qualys to provide its member with building visibility of their externally facing websites, certificates and SSL TLS configuration. Additionally, with VMDR, we are now increasing our focus on the small and medium enterprise market segment and are delighted to announce the promotion of Michael Solomon to VP Small and Medium Enterprises for the Americas and EMEA. Michael has been at COLI since 2016 and was previously running our new business sales team for the mid market.
And I'm also happy to welcome back Dan Barona as our Chief Marketing Officer, who has now significantly expanded the marketing team. Looking forward to 2020, we plan to meaningfully expand our sales and marketing efforts, giving our increased numbers of solutions, including our game changing VMDR, which was recently highlighted in a report by Arvind, a market leading data research and consulting firm. And you can get the report on our website, very easy to find that just look for Ovum on the reports. In essence, the MDR uniquely provides customers with full visibility across their entire global IT environment and combine these with state of the art prioritization engine that also take into consideration misconfiguration and digital certificate security exposure. Thus, the EMDR provides the real foundation for a comprehensive risk based vulnerability management program that does not solely rely on CVE based vulnerabilities and arbitrary risk score, which unfortunately can give a false sense of security.
You can learn more about Vmdr as well as our other planned initiative solution at our user conference during RSA at the 4th season, San Francisco. And again, you can register for that day, which we are going to showcase really VNDR as well as some of the new innovation where we will be bringing to market in 2020. And again, you can go to the website to register. At the conference, we will also provide an update on our transformational data lake and EDR solutions that will leverage our robust scalable backend and its array of sensors, which already collect, enrich, normalize and correlate trillions of data points across on premise, cloud and soon mobile OT and IoT environment. This is an important new opportunity for our company and our industry as current incidence response solutions are quite complex and costly, requiring organization to use multiple vendors to collect the data that is needed and bring it into their SIEMs with full transactional information, resulting, as we all know, in what is called the alert fatigue, too many false positives.
Additionally, we will host an Analyst and Investor Luncheon on Friday on February 26. These events will include a demonstration of our newest application and a discussion on our 2020 product roadmap by our President and Chief Product Officer, Sumit Thakkar and a financial update by our Chief Financial Officer, Melissa Fisher. And again, you can register on our website. Please, we're happy to have you there. With that, I will turn the call to Melissa to discuss our financial results.
Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non GAAP and growth rates are based on comparison to the prior year period unless stated otherwise. We're delighted with our increasing cloud agent subscriptions and multiproduct adoption, which lays the foundation for future revenue growth and industry leading profitability. Our Q4 financial and operational highlights include: revenues for the Q4 of 2019 grew 14% to $84,700,000 Platform adoption continued to increase as a percentage of enterprise customers with 3 or more Qualys solutions rose to 48% from 41%, and the percentage of enterprise customers with 4 or more Qualys solutions increased to 28% from 21%. Paid cloud agent subscriptions accelerated to $30,700,000 over the last 12 months, up from $27,900,000 for the 12 months ended in Q3 2019.
New products released since 2015 contributed approximately 35% of total annual bookings in the quarter, up from 26%. And our average deal size continues to increase growing 9%. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the Q4 of 2019 was $37,600,000 representing a 44% margin versus 39%. Q4 EPS grew 25%, and our free cash flow for the Q4 of 2019 was 25 $100,000 up 9%.
Excluding onetime CapEx related to the build out of our Pune headquarters and M and A related payments, our free cash flow grew 32%. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $5,300,000 in capital expenditures for operations, including principal payments under capital lease obligations as well as $3,200,000 in capital expenditures for the build out of our Pune headquarters and $12,500,000 to repurchase 145,000 of our shares. Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders. In 2019, we released several new products, features and enhancements the number of customers spending $500,000 or more accelerated. Cloud agent adoption grew almost 90% from 16,200,000 Cloud agent subscriptions to 30,700,000.
Dollars New products released since 2015 sharply increased to approximately 30% of 2019, up from approximately 20%. We achieved record EBITDA margins of 44% and grew free cash flow 30% even as we continue to invest for growth. Excluding onetime CapEx related to the build out of our Pune headquarters and M and A related payments, our free cash flow increased 35%. And we utilized $86,400,000 of our cash to repurchase approximately 1,000,000 of our outstanding shares, offsetting dilution to our shareholders from equity grants. Looking to 2020, we are excited about the revenue growth opportunities from our new solutions, including the upcoming VMVR.
Because our VMDR solution packages the ability to detect vulnerabilities with response in a single app, we see an opportunity to further drive cloud agent deployment as well as increase our strong renewal rates. Adoption of our cloud agents is important because it is the technology platform for 7 of our security compliance and IT solutions and lays the foundation for future revenue growth. We expect full year revenue in 2020 to be in the range of 3 $64,000,000 to $369,000,000 which represents a growth rate of 13% to 15%. Our Q4 2019 calculated current billings did benefit from a few large deals that were invoiced in Q4 this year rather than at their anniversary in Q1 2020. In terms of 2020 profitability, we expect to maintain industry leading margins, leveraging our highly profitable operational model, while preserving the ability to further invest to drive future revenue growth.
We expect full year GAAP EPS in 2020 to be in the range of $1.60 to 1.65 dollars and we expect full year non GAAP EPS in 2020 to be in the range of $2.57 to 2.62 We expect capital expenditures from operations in 2020 to be in the range of $25,000,000 to $30,000,000 and we expect to spend an additional $5,000,000 in the first half 2020 for the build out of our Pune headquarters. For the Q1 of 2020, we expect capital expenditures to be in the range of $8,000,000 to $10,000,000 which includes $3,000,000 for our pruning headquarters. As Philippe mentioned, we look forward to seeing many of you at the analyst luncheon during RSA in San Francisco. With that, Philippe and I are happy to answer any of your questions.
Thank I show our first question comes from Daniel Evans from Wedbush. Please go ahead.
Yes, thanks. Solid quarter and the year. So, Philippe, maybe you can just talk specifically about when you think about what we're seeing on deal scope and size, I mean, you're starting to see more just strategic deals in the pipeline. I know you don't guide to larger deals. Maybe you can just talk about that in terms of just maybe difference to where we are today versus 6, 12 months ago?
Yes. No, we are clearly, as you know, we have a very significant penetration at the very high end of the market with about 70% of the Fortune 100, which have truly standardized on Qualys. And so with these companies, we are seeing by them, it's more and more strategic. Not only vulnerability has been it's now people realize that you've got to absolutely pay attention to vulnerabilities, but just not only across your traditional servers and so forth, but across the entire spectrum. And that's really what makes us significantly strategic.
And of course, the ability to create a global IT asset inventory, which is a foundation, is also very attractive for them. So we are really seeing as more and more and more strategic. And of course, with what is it in our role map like, of course, the SIM, the next generation SIM and EDR, which we are currently building and hoping to deliver to market sometime at the end of this year. That's also make us even more strategic. So as a result of more deployment, then of course, we become more strategic for them.
At the time also, when they have to consolidate their stack, they cannot continue with all that many disjointed enterprise traditional security solution and at the same time moving aggressively into the world of the digital transformation and the world of DevOps. And our product line fits absolutely perfectly the DevOps environment. Now in addition to that, what we see today, and especially at VMDR, has been received. Of course, we have presented VMDR already to many of our customers, and it's extremely well received because it's simplified not only consolidate even further everything into a lot of these applications to one single app with what we call transparent orchestration. So you don't have to add this another solutions like SOAR, it's all done for you.
It's all integrated. It's all seamless. But also, of course, the fact that now we price that on a per asset basis, which is much more interesting for large corporations, which have a very complex environment and global. What we see also very clearly is VMDR make us extremely competitive today at the lower end of the marketplace because again of the packaging, but also of its pricing as well. So we see also a very big demand from VMDR from our mid market and the SMB, SMB business as well.
Okay, great. And just a question for you and Melissa. In terms of your spending, obviously, you've done a great job on margins and just containing costs, which is well known. But as you look ahead, just talk about that balance going to this year in terms of plugging more into sales and marketing, while continuing to focus on, obviously, margins. Just talk about that balance.
And is it different now, just given some of the opportunities? Or maybe just talk about
that. Yes. So the implied margin guide from our EPS guidance is a modest contraction, a little bit over 100 basis points. And we're proud of the fact that we have a highly profitable operational model that allows us to continue to further invest as well as while still maintaining strong margins. So we expect to be investing, frankly, broadly on the technical side as well as, as Philippe mentioned in his prepared remarks, expanding sales and marketing efforts, and we'll be able to do that while still holding margins strong.
And this is because of the model itself. I mean, we have the advantage of being a pure cloud based solution is that, of course, we can make our solution available for trial, at a minimum cost. And that's why we're putting a lot of investment in creating a lot of lead generation campaigns, try and buy. And of course, the installation,
everything is self updating, so you don't need significant expensive you don't need professional services, etcetera, etcetera. So all of
that at the end
makes comes down into
the bottom line. And that's essentially the model. Comes down into the bottom line. And that's essentially the model that we have built and proven over time. I mean, this is not something new.
Awesome. Thanks.
Thank you. Our next question comes from Nick Yako from Cowen and Company. Please go ahead.
Great. Thanks for taking my questions. Fleet, you mentioned increasing your focus on the mid market going forward. Just wondering if you expect to maybe leverage the channel community or partners more so than you have in the past?
That's a good question because we are today, as you very well know, when you have a major computing shift, the channels are the one which takes it on the chain first, and they have to adjust. So what we see today is that a significant renewed interest from some of these traditional channel to really move and becoming MSSP. And so Qualys in that sense, we can enable them become a managed security service providers absolutely very quickly because they don't have to worry about building all this solution we deliver them or made. So yes, in that sense, to answer your question, we see a huge opportunity with managed security service providers to bring our solution to the mid market. They have the customer base typically, especially these large companies.
And so it's just a question of bringing our solution, which are already available and ready made, to that market. So that we see that absolutely.
Okay. That's helpful. And Melissa, could you maybe remind us of the revenue and customer mix between enterprise and mid market today?
Yes, it hasn't moved significantly. It's roughly 20% of the customers and 80% of the revenues, the enterprise, right, because it's bigger dollars.
Okay, great. Thank you.
Thank you. Our next question comes from Melissa Franchi from Morgan Stanley. Please go ahead.
Yes. Thanks for taking my question. I wanted to ask on VMDR. You noted that there is potential within the mid market, low end enterprise, but it seems like it could be compelling for the enterprise base as well. And so what are you expecting in terms of enterprise adoption?
And then I know it's early, but what kind of uplift do you get from the VMDR versus the regular VM sale?
So let me answer the first question. Of course, the second is a bit more complex and I will explain. The first one is we have absolutely significant interest from both the mid market and as well as the large enterprise. It's exactly what they wanted. They have been asking us that for a long time.
And what you have to realize, for us to deliver that was not that easy. That's a major significant engineering effort because on one hand, we had to expand our platform to scale significantly, as we mentioned many times. We currently index 3 trillion data points on Elasticsearch, returning results in 100 milliseconds. And so and expanding to cover not only just the traditional network, but also the cloud and containers and everything. So that was a huge technological effort.
In addition to that, building this best of breed because today, we consider that the application that we have are best of breed because they have the benefit of being able to essentially receive data from multiple sources and correlate that data, so we can essentially eliminate better than anybody false positive and false negative, which is really what makes security application best of breed. And so and now we had built all of that and now what we're doing with VMDR is now suddenly bringing them all together into one single application with a workflow, which are all integrated. That's what we are doing and finishing as we speak. And those 2 have now that one single platform that allows you to one any device that connects instantly, we picked it up. 2nd, we can build from there the global ITSA inventory automatically.
Then from there, we can identify vulnerabilities across that entire hybrid environment. Then we have made significant extension to our prioritization engine, which unlike, as I mentioned in my talk, I said that's solely relating on or depending on CVEs and some kind of scores that are made up, I would say. Now we have a lot of information we can correlate to essentially prioritize those vulnerabilities, which must be absolutely mitigated or remediate 1st. And then, of course, during the remediation, which today we do that with Patch Management and the mitigation very soon with the ability to essentially quarantine the devices, which is about to come in a few weeks. And so we have the complete end to end solution for Vulnerability Management, well beyond what anybody has on the market.
So that's appealing significantly to both markets. So different nature. So for the large enterprises, that packaging that is a different, of course, that they can do. That's why we went to an asset based price, so they don't have to count the number of agents and this and this and that. And for the mid market is the fact that now today, they got an all in one, which as you know there are very little resources and it's also very well priced at the low end.
So that's for the adoptions, which we know today it's going to be significant. And in the EMDR both for now existing customers and the new customers. Now in terms of what it will do in terms of potential of sales, if on one hand, we bundle in VMDR things like Threat Protect, which is the authorization engine. On the other hand, we can see already that, that it will absolutely help us to populate the agent everywhere. Therefore, now increasing the ability to upsell at the endpoint, to upsell FIM, to upsell all these other services, which of course depend on the agent.
And so the net net of all of that, we believe that the EMDR is the foundation fundamentally to change the game. It's a totally game changer and really make Vulnerability Management what it should have been. It has been a long, long road. Today, we have the solution and we believe it's going to allow us to displace, as you know, the vertical management market is the displacement market essentially. So we displace much more easily because we bring more value to the customers, we simplify their lives and as well as expanding our market in the mid market, which is where we typically historically and always competing against the Tenable and the Rapid7, which of course were more low end solution when we were in fact the one having the solution that could scale.
So today we cover with one single solution VMDR from the very, very low end of the marketplace to the very large market. So this is significant.
Okay. Yes, sounds like it. Well, thank you for that. Melissa, I just wanted to follow-up on your comments on investing in sales and marketing next year. I'm wondering if you could talk about how you're investing in the sales part versus marketing and particularly what you're expecting in terms of sales head growth next year?
Thank you.
Yes. So we're happy with our sales force. As we discussed last quarter, we promoted Laurie, our VP of North America as the Head of Worldwide Sales. We have a lot of people in place who are always looking to add here and there, but not significant there's not significant needs to the sales force. And so we look for the right people.
As Philippe mentioned, we've just added significantly on the marketing side. And so there'll be a few places on the sales side to fill in, but nothing significant.
Yes. And you will see more partnerships also essentially what's really becoming I mean, what are really the ideal solutions for partners. I mentioned the MSSPs because today they and also because we are moving into response. And that's the thing that MSSP absolutely needs to really provide a good application is the ability not only to detect, but to respond. So we have expanded significantly our capabilities of responding.
We're going to do more as now our agent, for example, soon will have the capabilities to also being capable of being interventionist, if I will, I don't know the term in English. So you could suddenly remotely remove processes, kill some processes and you could really do microsurgery remotely, which is very important if you want to automate things. So I think we see today and these the partners who have already and then there's quite a few more which are coming our way because they say, we need the scale, we need all of that done for us. We don't have the time to build all of that. And so and we are not competing with them because unlike other companies, as you very well know, like for example Rapid7, which have a managed security service providers, we don't and we will never have one, I can tell you, because it's not really profitable or as profitable, I should say.
So they don't see us as a competing solution. And so they can deliver their service and their additional added value. And what we see also is that they're all looking to our SIEM because the problem they all have with the SIEMs is that they are using existing SIEM, which I'm not going to mention, which are very, very expensive for them and do not scale. So we have Embark already having few of them as our design partner. And I think our SIEM will be another game changer as well, plus the ability to do also a very, very scalable EDR solution at a much lower cost than this existing solution today.
All of that is in the making. As you know, we have built a significant engineering force in India where we have more than 7.50 people now who are moving in May into a brand new headquarter, which is going to allow us. We are in the process, by the way, of expanding to go to be specific, expanding our marketing capabilities, what I call that we are building a marketing platform. So we have built a technical platform. Now we're building a marketing platform in part out of India.
So we could really scale that business and really leverages all the new media. In fact, we just hired a Director of New Media Platform. We're looking we're about to hire a VP of Digital Marketing in India as well. So we're really now gearing up. I've always and I've mentioned that since so many times, instead of trying to grow at any cost before you have the solutions, I've always taken the approach the company have made, which all have been extremely profitable for that reason.
I've been always careful not to put the cart before the horse. And so we've got the horse now. We've got a fantastic cart. Now we're putting the horse and that's more on the marketing. But when you do that, you don't have to spend as much money because the product is packaged and on and on and you have the delivery model.
And that's why we can continue showing good very good margin while expanding our sales and marketing efforts. And I'm going to write a document about that. So to I didn't want to do that until we're there, but I'm going to explain the power of the model that we have really built today, leveraging the cloud, of course, technology.
Great. Thank you very much.
Thank you. Our next question comes from Gur Talpaz from Stifel. Please go ahead.
Okay. Thanks for taking my question. Philippe, I actually want to follow-up on some of your commentary that you just offered. You're pushing into SEM and EDR and those are 2 very large and very significant markets in the enterprise and really kind of across security in general. When you think about your push into these new markets, how do you think about your differentiation, what you're going to bring to the table that's ultimately different than what's already out there?
So it's a very good question. And it's a differentiation at multiple level. So the first one is the scalability, the unique scalability that we have. What we have done, so instead of, for example, depending on an AWS back end and so forth, which of course gives you, of course, instant scalability in a way you don't have to build all that infrastructure yourself. But the problem it gives you is that now you're certainly more much more dependent on them and the pricing structure.
So when we took the other route of really building essentially our own, if you prefer, little AWS, going microservices, bare metal, huge scalability, absolutely building everything ourselves using open source engine. And so that give us offered us unique capabilities. And as you can see because of that, and then the reason is why Google, Microsoft, Oracle, Amazon, they're all using us to secure their own platform. So and what we so we can also put our data centers if we own our platform in Azure, in Amazon anywhere without being dependent as much of their solutions. So we have much more flexibility, which is very important when you look on the global scale.
So that's one element is the scalability. We're far above anybody that we know. The second element is the fact that unlike anybody, we have much more information. We collect the data that they don't. If you look at some EDR solution, the only thing they know is the endpoint.
They have no idea of the rest, of the context and the rest of the environment. And that lends into more false positive etcetera. And then you have the challenge of course of scale and the challenge of remediation. So Qualys has always taken the longer road of architecting things the right way instead of trying to find the shortcuts. And that's why it took us so much time to get there.
But now today, we are almost there. And in fact, we're to discuss that in more detail as well as our Investor Day. And again, we are very confident that we are going to deliver these 2 major new applications, if you prefer, which are essentially extension of the platform. When you look today at an EDR solution, for us, it's an application on the Qualys platform. It's not another point solution.
And that's the problem with all of these other solutions. They're all point solution looking at one single element when we are through very broad platform.
That's very helpful, Felicia. And thanks for that color. Melissa, just one question for you. Last quarter, you touched upon the notion of some changes in competitive pricing dynamics and your ability to sort of match on renewal. Did you see any changes this quarter on that front?
What we talked about last quarter was the fact that in certain cases, we were leveraging our position to be more aggressive. I think the VMDR package itself is going to make us more impenetrable because we're providing all these solutions bundled in a single app. Really, the way I think of it is the end to end life cycle of vulnerability management through remediation. So we think that will provide us a lot of strength.
Yes, it does. And we see that already. And I will not use the term bundle because, yes, it's bundled, but it's more than bundled. As you will see when you see the app itself, it's all integrated in one single app. So it's not really bundling and putting together these different apps that we already have and then giving you a more a better price, but it's essentially putting all of that as one single app.
And that's where we call it transparent orchestration or building orchestration if you prefer. It's all building. So you move from one app to the next, it's all one single thing. And that's the big differentiator. And then you will see that for yourself.
And once the customers which already have seen some of it, but when we start to really market that, you're going to see videos, you're going to see a very big marketing effort to show because the solution will sell itself at the end of the day. When you look at and say, wow, I mean, this is absolutely what we need. I don't need to have that one application and that screenshot and go this year and go there. It's all done for you. And so that's very, very important.
So again, it didn't come just like that. This is the work of many, many, many years of effort of trying to expand the platform, as I said earlier, and building best of breed solutions. And now what we're doing is integrating them, all of them, into one single solution.
It makes a lot of sense. Thank you very much for all the color.
Thank you. Our next question comes from Matt Hedberg from RBC Capital Markets. Please go ahead.
Hey, it's Dan Bergstrom for Matt Hedberg. Thanks for taking our questions. So you've had a number of large agent purchases by the cloud providers in the past. You mentioned the recent partnership with Google to embed the cloud agent into GCP on the call. Can you talk a little bit more about that partnership?
How did it originate? What are you looking for from it? What does it mean from a validation perspective? And then I guess is it live in the marketplace currently?
Yes. So it's not very simply that both Google, Microsoft, Amazon, etcetera, were already using the Qualys Agent for their own needs for securing their own platform. So from there, of course, that means we have the right architecture. I mean, you don't need this kind of company at the scale at which they operate. Of course, you have to have the right platform the right architecture.
And so and you speak of millions of agents here at the end of the day. So for us now, what we did is to now go to their customers and doing exactly what we are doing for them now for their customers. So the answer is yes, I think today is well integrated with Microsoft. I don't know exactly where we are with Google, but I think it's done. But if it's not done now, it's very it will be done that we need to check.
I don't remember. And we're discussing with many other vendors as well in the cloud because today, there is nobody who has the architecture that Qualys has done. And again, remember, these agents and we have patents, by the way, around these agents, so that we build these agents. They didn't come again just a few weeks ago. That was that has been a long time in the making.
And to get the scale to the set of dating capabilities, the fact that they also need to be very secure, all of that is just not easy work. And we've been working at that for many, many, many years now. And starting to have 30,000,000 agents is already and of course, our goal is to have an agent on every endpoint. And now we have now the agent, which we are now rolling out onto the Androids, the mobile platform. And we are our agent now today, very soon, they are going to go on containers as well.
So our agent architecture, if you prefer, again, that's the way we look at it. It essentially spans across all these different environment and also to the OT and IoT environment as well. So we're just at the beginning, and that's what I speak about ubiquity of our agent. We're just at the very, very beginning. But we are the one who really build this agent technology better than anybody else.
And again, we have been working on that. I don't remember exactly the time, but I think our first agent was 2007. I don't remember. It's a long time ago. I would say it's a long time ago so that we've built these agents.
Great. Thanks. And Melissa gross margins were impressive here this quarter above 82%. They've trended higher sequentially through the year, 4 quarters in a row now. Can you talk about what's driving that?
And then maybe any thoughts about how we should think about gross margins with the evolving model here and into calendar year 2020?
Yes, absolutely, Dan. So we're very proud of our robust gross margins, but we did benefit from mix shift to India. We do have a lot of more investment going forward. We're looking at adding some shared platforms potentially in other parts of the world. So I would expect there to be more investment in the cost of revenue lines, putting some downward pressure on gross margin because it is at very high level.
We don't guide to gross margin, so I'm not going to give you a range, but you can imagine that it will stay at best of class, but not necessarily at the current levels. Yes.
We do.
On the
gross margin also the fact that we're re architected and we are benefiting also that significant cost reduction. For example, we have eliminated 70% of our VMware layers and to go bare metal with containers and microservices. So that's the beauty also of that of our engineering driven, if you prefer. We have copies on the what Facebook did and what all these big guys done. So we have not invented anything here, but we have been very good students of how the Google, the Facebook, etcetera, did scale their platform and reduce their cost.
And so that's and we have done our own DevOps, the digital transformation in quality significantly. And so that's a big advantage that we have looking forward and when a lot of our competition has not even started.
Great, very helpful. Thank you.
Thank you. Our next question comes from Howard Schmidt from First Analysis. Please go ahead.
Yes. Thank you for taking my question. Just wanted to follow-up on the prepared comments regarding the technical account reps for TARs, which is kind of new for you last year. How do you assess where you are in their development and the progress seen to date? Just some commentary about that would be appreciated.
Very much, Howard. So that yes, this is something we really again, that's something that I personally am very much involved because it's about scaling not only just every aspect of our business. So this technical account representative for those who may not remember, we've realized that today it's all about making life easy for people to adapt to make your solution not only easy, but that you have all the information at your fingertips. So we build a team of technical account representative in India, which are people that we hire, very junior people, but yet from the highly high good technical schools. And of course, because we have a huge engineering team there, we train them.
They have all the technical resources. And their job is not to sell. Their job is via what we call the Qualys Q agent like in the James Bond movies, Mr. Q. So you have the Q Agent who comes in immediately and is there to help you and behind you have the TARs, technical account representative.
Because there's a huge pool of talent in India that we can attract and the cost is absolutely we pay about $700 a month and but we give them more than that. We give them a career path. So we have a highly skilled, motivated, technical people, which are there to help the customer onboard. And that's all what they do. And now we're putting the systems around in place, so we could automate a lot of that as much as possible, get all the feedback, which goes back into engineering and marketing to understand what the difficulty customers may have in deploying the agent, for example, whatever that is.
So all that information is essentially more and more automated. So we have today a fantastic guy running that team. That team will not report to sales because we don't want to have them being salespeople, but they also are helping us to qualify leads. And then we pass that then automatically to our technique to our what we call our technical account managers, who have the pre and the post sales people, which are now the one which engage the customers to sell them or upsell them. So that's the system again we have put in place.
So again, in India, we can scale. We have about today about a group of about 10 people already, and we can bring it to 100 to 200, whatever the number is. There is the manpower is there. Trying to do that in the U. S.
Is almost impossible, but in California, it's impossible. You could not even keep them even if you would build that. A year later, they will be gone. So I think doing that out of India is very now it's very good. Now it doesn't cover the entire world because you have the issue of the language, but it covers a lot of English speaking countries.
So what we do for Europe, so we do a kind of a hybrid solution where we may do that function with a partner in Europe, which of course is the managed security service. And essentially so but they could benefit of the entire machine that we have put in place.
That very makes sense.
Yes. I hadn't realized the full distinction between them and sales and how they generate the leads. So that's helpful color. Congratulations on a solid year.
Thank you. Thank you.
Thank you. Our next question comes from Sterling Auty from JPMorgan. Please go ahead.
Hi, guys. This is Matt on for Stellan. Thanks for taking our question. So looking at the March guide for revenue, that 14% 14.5% growth, the midpoint of the range is about the same as this past quarter. So does that mean that the seasonality throughout the year is expected to be even quarter to quarter?
Yes. I don't think they're actually related. There's nothing in our business that's changed that our seasonality would be different necessarily than prior years.
Okay. Yes.
And we don't have much seasonality anyway in the web sound, but it's minimum. And remember, for us, we take always we're very pure in the sense that we do not sprinkle we do not sprinkle in our projection any kind of perpetual license. We don't have professional services either. So there's none of that. It's all recurrent, 100% recurrent and which, of course, as you know, it's a little bit harder to really grow a recurrent model.
But on the other hand, it's a much more predictable and more profitable model than pushing and having a kind of a mixed bag. I don't think it's very misleading for the investors, but that's not our case.
Great. Thanks guys. Thank you. Our next question comes from Patrick Colville from Arete Research. Please go ahead.
Hi there. Thank you for taking my question. Can I ask you about CrowdStrike and Tenable? I mean they are articulating more aggressively about their vulnerability management features. And I was wondering whether what you make of those guys and whether you see them as competition or whether they are kind of complementary to Qualys.
Thank you. Thank the
big the big difference between Tenable and Qualys is that essentially they have a very disjointed architecture. So they have the Tenable. Io, which is a cloud based solution. Then they have the Security Center, which is an on premise and other solutions. And these are very different solutions.
So for them, essentially, their biggest challenge that we see ahead for them is essentially they will have to really bring all these different solutions together into one single platform, which is going to really, of course, take time and very expensive. Today, they have been essentially, as many people know, they have been essentially pushing Tenable. Io into their existing customer base. They have a very good customer base with Nessus. They're very loyal, and they're pushing try to push Databel.
Io. They have hired a lot of salespeople in marketing. That's what they do. So for us, I think, VMDR is absolutely, again, a game changer. So we can anticipate that we are now going to be able to compete very well at the lower end of the marketplace.
We see that already happening. And as I mentioned earlier, on the high end of the marketplace, now it becomes very difficult to displace and you cannot play some of the tactics that they did, which is dumping the price because now we offer so much more into one single application. So I think it makes us more inoculated, if you prefer, against this kind of viruses. So that's for Tenable. So we are competitive with them head to head and we offer significantly more than what they do in the world.
So that's for them. Quadstrike is a little bit different. So Quadstrike, as you all know, have done a very good job at essentially cornering that EDR market, which there's so many players. But I think they really did a very good job at essentially differentiating themselves from these other player, a combination of having a very good strong technical team, which really understand the problem and then also creating a managed security service on the top of it, which has been the problem for a lot of these other solutions, because the problem with EDR is that you have all these endpoints which are roaming the world and the 7 seas on the Internet and then suddenly you discover that one of these endpoints is compromised at 2 a. M.
In the morning local time, but know that devices in Singapore. So how do you mitigate, remediate, prevent, quarantine the device? So you need to have people watching these devices. Very few companies are capable to follow their own endpoints everywhere in the world. And so by Overwatch, they really essentially it's a managed I'm quite sorry, they managed security servicing these guys.
And they have of course, it gives them very good revenues growth. The problem with that is that, suddenly, it's very expensive to both on one hand develop your own platform and on the other hand to have a managed security service on the top of it. So you become very dependent on people, which is of course do not scale. Then also their back end is essentially on AWS. So they have essentially AWS, they have Splunk and they have Cassandra as a back end.
So all of that, again, to make scale and the cost, it's very hard to do. We, again, do not depend on all of that. In fact, today, we use the Cassandra back end. We're pumping 1,000,000 of writes per second in our Cassandra back end. We have Elasticsearch, again, 3,000,000,000,000 data points.
So all of that is our own technology. So now the advantage so yes, they are trying to move they of course, they can do Verity Management on the endpoint by just knowing what is the application that you have, but that's not enough. And so of course, you need to have more context about that endpoint to really eliminate all the potential vulnerabilities on that device. So what in fact what we see today happening in many of our large customers, which is interesting, is that they have 2 agents today on their endpoints. They have the Qualys agent and they have the CrowdStrike agent.
And they don't need any other agent because the CrowdStrike agent, of course, provides essentially also antivirus and all these other capabilities. Now we are today working very hard at delivering exactly all the functionalities that Crystrike has on the endpoint. We already have with our IOC 2.2, 2.0. We have threat hunting capabilities, etcetera. So what are we missing?
We're missing an antivirus solution and a few other things. But we have also the back end to our advantage plus the entire context. So that's essentially how we are going to differentiate themselves. But I would say that we'll be by far into their turf far before they can come into ours, unless they start to acquire companies who do what we do, but then they will have to integrate all of that, which is not a walk in the park. So I think this is where we are.
So we are working towards providing that additional functionalities to our customers. And our go to market will be very different is that we do not want and we will not have a managed security service who are going to leverage all the partners that we have and we have most of the managed security service providers of today Qualys customers. And so they are the ones which are going to deliver the service. So we will enable them. So this is fundamentally the difference.
So does that make sense?
Yes.
I mean very clear. And then can I ask a question for Melissa please? The current billings in the quarter was very impressive, 15% growth based on my numbers. You mentioned in your prepared remarks there was a small benefit from large deals closing in the quarter that may have typically closed in the Q1. I mean, can you give us an idea of what the impact on growth or dollars those large deals could have contributed?
Yes. So that's correct. What I talked about in my prepared remarks was the fact that some deals were invoiced in Q4 that should have had their anniversary in Q1. And just as we've been forthcoming when deals flip out of the quarter, we wanted to be transparent when deals move in. Given that there's multiple scenarios when the renewal happens or doesn't happen at the same time as the anniversary of an initial deal, it's really hard to normalize for comparison purposes.
And that's why we point to the trajectory of our revenue our annual revenue guidance as the best proxy for business momentum.
Yes. And I would add one thing because Melissa is using the term that deals slip out of the quarter. This is an enterprise term. Does not apply with us. We really work clearly.
For us, it's well driven by the customers. So it's the customer sometimes and we have some of these deals, which have been flipping from December 31 to January 1, depending on the budget cycle of the customer, which may have changed. So they are the ones requesting that to us. And for us, we don't care because it doesn't impact the revenue. And that's the reason why we always said the way we our billings are not really, really representative of what is happening in the quarter.
So what happened here as mentioned and that's why we disclose whenever when the billings are very strong or very weak, we explain, this is what happened. Sometimes the customers may move the deal. For example, if they early renew or there's so many variables, it doesn't change the revenue, but it's absolutely changed the billing cycle. So that's the very way we build the model, which again, it's an element of our profitability because when we go at the end of this quarter and we've got procurement saying, okay, guys, if you want me to close the deal, you need to give me a better price. So, sorry guys, the renewal is now.
So, we could even shut down the service, but we're not like that. But by the way, we don't really care. So whether we close now, as long as you renew and we don't care. So because it doesn't really impact our revenues and that's what makes us very different from quite a few other companies.
Great. Thank you for taking the questions and see you at RSA.
Okay. Thank you.
Okay. Thank you.
Thank you. I show no further questions in the queue at this time. I'd like to turn the call over to Philippe Courteau, Chairman and CEO, for closing remarks. Please go ahead, sir.
Okay. So thank you very much. And in fact, thank you very much for attending our earnings calls and for your questions. And again, one of the things that I mentioned earlier is that we'd be really happy the next earnings call to discuss about the adoption of the MDR from our existing customers or from as well as from new customers. So looking forward to see you all of you, I hope, if you can make it the RSA.
The 4th Season is a beautiful hotel. There's much less noise there than that RSA. And we have our customers there. Also, if you could attend our event, you would see the VMDR in action. And you could also speak with our customers directly and you're more than welcome to do that.
Okay. So thank you very much.
Thank you.
Ladies and gentlemen, this concludes today's conference call. Thank you for participating. You may now disconnect.