Everyone, and welcome to the Qualys Second Quarter 2019 Earnings Conference Call. This call is being recorded. At this time, all participants are in a listen only mode. Later, we will conduct a question and answer session and instructions for asking a question will be given at that time. I would now like to turn the call over to Vinayak Aral, Vice President, Corporate Development and Investor Relations.
Please go ahead, sir.
Good afternoon, and welcome to Qualys' 2nd quarter 2019 earnings call. Joining me today to discuss our results are Philippe Coteau, our Chairman and CEO and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10 Q and 10 ks.
Any forward looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and an accompanying investor presentation are available on our website. Starting this quarter, we are also providing a supplemental historical financial spreadsheet for analysts and investors.
With that, I'd like to turn the call over to Philippe.
Thank you, Vinny, and welcome everyone to our Q2 earnings call. Melissa and I are pleased to report another solid quarter in terms of revenue growth and profitability. We're also very pleased to report strong acceleration in our Cloud Agent subscription, with almost 24,000,000 now, 23,600,000 to be precise. As we have discussed before, our cloud agent is the underpinning of 7 secondurity, compliance and IT solutions today: vulnerability management, policy compliance, file integrity monitoring, indication of compromise, Patch Management, asset inventory and the upcoming certificate management and more to come. In 2,008, we were one of the 1st compact provider cloud agent patent application, and our innovation has been recognized by 4 issued patents and one pending continuation application.
The 4 issued patents cover agents, including low footprint hosted agents or hostless agents, which perform full security and compliance assessment of endpoint servers and cumulatively include over 100 claims of varying scope. As previously discussed, our goal is to make our cloud agents ubiquitous. And to that effect, we announced on Monday that we will offer our global IT asset discovery and inventory app to the community as a free service so we can all regain the visibility we lost due to the fragmented nature of IT, rapid growth of IoT and move to the cloud. We will be showcasing this revolutionary offering next week at Black Hat, combined with a major awareness campaign. Since the announcement, we have over 800 sign ups and received outstanding feedback from our existing customers and industry luminaries.
In fact, Global IT Asset Inventory is one of the biggest challenge, if not the biggest, for organization and is a cornerstone of security as you simply cannot effectively secure what you do not know or do not see. With our free service, companies of all sizes can automatically build their global IT asset across on premise, endpoint, clouds, container and mobile and now mobile environments. Including in this free offering is our asset discovery capabilities, namely the passive scanning, that provide instant visibility of any device that connects to the network. Such an integrated offering provides unprecedented and continuous visibility of both known and unknown assets. As organization download our cloud agent for implementing Global IT Asset Inventory, we make it frictionless to subscribe to our paid apps because no additional infrastructure is required.
In addition to the paid solution I previously mentioned, customers utilizing our free asset inventory will have the opportunity to subscribe to additional page features, such as synchronization with the CMDB and full lifecycle software inventory. By distributing this free solution from our platform to generate meaningful demand of our Pays app, we leverage our cloud model, which is a key element of our profitable growth, driving value for both our customers and shareholders. Furthermore, this multi product adoption naturally increases the stickiness of our platform and helps make us impenetrable by our competition, we do not offer the same breadth of solutions. In terms of newer solutions, we saw continued growth this quarter in customers' adoption of our fine integrity monitoring solution, as we have now added incidents reporting, API integration, rule based alerting and event correlation capabilities, as well as created a light version for those requiring compliance only with PCI requirements. In Q2, for example, a large online travel agency selected our FIM solution of a competing point solution in order to effortlessly leverage the Qualys Cloud Agent they had already deployed for vulnerability management and policy compliance.
And now they can have a single pane of view of vulnerabilities, configuration and file integrity. We also have a healthy pipeline in Patch Management, which we released very recently, which enable IT and SecOps teams to quickly target critical common vulnerabilities and exposures, then deploy the patches across endpoint, on premise or cloud assets and verify remediation, all from one console. We continue to make good progress on other global solutions this quarter, including the release of our IOC 2.0 app into general availability, which provides a quantum leap in IOC detection with new detection, investigation and response capabilities that not only identified in nearly real time non IOCs, but also suspicious devices. IOC 2.0 includes enhanced attack detection using commercial file reputation, threat feeds, which extend the detection of attacks often missed by antivirus agents by integrating additional threat integrating additional threat feeds directly into the platform second, a behavior based scoring engine to prioritize malware remediation, which factors in additional behavior attributes, including file analysis, process state and network connection to prioritize response based on how the attack is behaving in the network. 3rd, a new response platform, microservices, allowing analysts to easily configure rules for real time alerting and action using the same query language, QQL, that they already use for 2 second search visibility and finally, API integration with 3rd party SIEMs, threat intelligence platforms, incident handling, response system, security orchestration and automated response platform and IT ticketing system to automate rapid sharing of threat information with security and IT operational platform.
This really brings our IOC 2.0 really as the top solution to identify indication of compromise. And the launch and finally, the launch of our Qualys Canadian Cloud Platform, The addition of these new locations marks another milestone for Qualys' expanding global operation, which now includes 8 locations on 3 continents. We continue to believe that because our cloud based architecture and the priority we made to invest in the extensibility and capabilities of our platform, Qualys is one of the few companies well positioned in the security market evolution. As we highlighted last quarter, we see a new generation of MSSP emerging to address the security needs of small and midsized customers with hybrid environments. That's why Cofar Systems selected Qualys Emergency Management and Continuous Monitoring capabilities this quarter to integrate into their secure cloud automation services.
We invite you to blackout next week to see our new technologies and campaigns. We will hold a product launch for investors and analysts, which will showcase the technology around IOC 2.0 as well as our future data lake solution. As we have discussed, current incident response solutions are quite complex and costly because they require organizations to collect disparate sets of data from multiple vendors and bringing into their SIEMs, which full contextual information. We believe we have a unique advantage in this large market because we already collect and reach, normalize and correlate trillions of data points across on premise, cloud and soon mobile, OT and IoT environment. We're also pleased to welcome Gerard Eshelbeck, a renowned cybersecurity leader, to our advisory board.
Gerard is a former Vice President Security and Privacy Engineering at Google and previously had CTO position at Sophos, Webroot and Qualys. We look forward to leveraging his unique background and extensive experience as we continue to grow the Qualys cloud platform. In conclusion, we are delighted to offer the community a new prescription for security. Accelerating adoption of our cloud agent unlocks a significant revenue opportunity for us and, more importantly, solve painful problem for our customers, including not having clean, uniform data for a view of their global IT asset inventory. The breadth of our solution across environment enable us to offer customers greater visibility, accuracy and scalability while ultimately enabling customers to drastically reduce their overall spend.
With that, I will turn the call to Melissa to discuss our financial results.
Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. We're delighted with our cloud agent adoption, which lays the foundation for future revenue growth and industry leading profitability. Evidence of our continued progress is also reflected in our accelerated multiproduct adoption and the growth in the number of customers with over $500,000 in revenues as well as our strong gross dollar retention rate, which for enterprise customers with 5 products is 99%. Our Q2 financial and operational highlights include: revenues for the Q2 of 2019 grew 16% to 78,900,000 dollars Platform adoption accelerated as a percentage of enterprise customers with 3 or more Qualys solutions rose to 44% from 37% and the percentage of enterprise customers with 4 more Qualys solutions increased to 24% from 19%.
Cloud Agent subscriptions accelerated to 23,600,000 over the last 12 months, out of which 3,500,000 cloud agents were purchased by a single cloud platform customer. This is up from 17,900,000 for the 12 months ended in Q1 2019. New products released since 2015 contributed approximately 25% of total bookings in the quarter, up from 15%, and our average deal size increased 3% influenced by higher growth in the total number of customer orders. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the Q2 of 2019 was $33,400,000 representing a 42% margin versus 39%.
Q2 EPS grew 42%, and we generated strong free cash flow for the Q2 of 2019 of $31,000,000 and for the first half of twenty nineteen of $66,300,000 representing year to date growth of 25% over the first half of twenty eighteen. In Q2, we continued to invest the cash we generate from operations back into Qualys, including $5,900,000 on capital expenditures, including principal payments under capital lease obligations and $16,200,000 to repurchase 180 3,948 of our outstanding shares. We have approximately $91,000,000 remaining in our share repurchase authorization. We remain confident in our model driven by our foundation of recurring revenues and expanding suite of applications. We're maintaining the midpoint of our fiscal year 2019 revenue guidance.
Our current fiscal year 2019 revenue guidance is now a range of $321,000,000 to $322,500,000 We are raising fiscal year 2019 non GAAP EPS guidance from a range of $1.89 to $1.94 to a range of $2.03 to $2.07 We are also raising our fiscal year 2019 EBITDA margin expectations to be in the range of 39% to 39.5%. And for the Q3, we expect capital expenditures to be in the range of $5,000,000 to 6,000,000 Cloud Agent subscriptions with our innovative technology demonstrated by the issuance of 4 patents. Looking forward, we see additional opportunity to accelerate cloud agent adoption with the free launch of the Asset Discovery and Inventory app. Our cloud agents make it frictionless to enable many of our paid subscriptions, which provide us the opportunity to accelerate revenue growth as well as expand margins in the future. As Philippe mentioned, we look forward to seeing many of you at Black Hat for a product launch and showcasing our upcoming campaigns in With that, Philippe and I would be happy to answer any of your questions.
Our first question comes from the line of Howard Smith from First Analysis. Your question please.
Yes. Thank you. Congratulations on the solid results. Kind of 2 related questions on go to market strategy. First of all, historically, you've really kind of showed your customers the products and let them adopt it kind of 1 at a time.
You've increasingly been going to try and do some C level selling. And now that you have such a suite and you're getting 5 plus adoptions, where are you on that kind of the C level dictating that where you can in an organization you're going to use Qualys and where are you in terms of it, it's still being almost all bottoms up product by product?
Yes. So essentially yes, yes. So it's a very, very good question. So the fact that launch and then I hope you could be a black hat or you'll see the massive campaign that we're doing. So this is just the beginning of that awareness campaign that we're creating, which, of course, at the present, top bottom up.
But of course, now with the global IT asset inventory, we have what every CIO needs to have. And so we are going 1st, and we've already started to go to our existing customers. And you're going to see a second leg in that campaign, where we're going to have our customers speaking about value that, that global ITSA dispensary brings. And when I say customers, from the very top, and of course, we are going to make that resonate and essentially engage CIOs, which are not Qualys customers. And so that's, of course, the second foot or the second leg, I should say, of our campaign.
So it's all starting.
Great. And then in terms of the cloud agent adoption, is it really they're adopting that as you promote that and then they see the applications that enables and start to increasingly contract for those? Or do you feel the solutions customers are seeing those solutions and saying, now I need that's my excuse to go back and upgrade to the cloud agent?
It depends. It depends. So what we see today is that finally, the customers have been able to break through IT, which didn't want another agent. And now they're really pushing Qualys to essentially, now we say, winnigreal time, that's what the agent does instead of the standard scanning. So they now essentially, we have earned the confidence of our cloud agents.
With that number of cloud agents, there's no more issue. They're very non intrusive. So we're breaking the barrier of the IT resistance. This is what is happening now. And this is for the on premise, if you prefer.
We're moving now more and more onto the endpoints, which in the past were not there, so that's new. The other factor of growth is also on the cloud. We start to see now more and more adoption of our agents in the cloud environment because they're ideal for that as well. So that's the way it starts. And then as you just mentioned, is now customers say, Wait a minute, that agent, I can do this, I can do that.
And there's nothing to really install. It's already installed. Everything is centrally managed, self updating. You don't have to have additional servers. So now, of course, you start to look at the advantage the cost advantage and also the fact that everything comes into one single platform.
If you come at Blackout, I strongly urge you to come and see the demo of our global IT asset inventory. At your fingertips, not only you can, in 400 milliseconds, find any devices on your environment and identified everything in the open ports, everything you can identify everything and as well the capabilities, the indication of compromise and all these additional services, they all come at your fingertips. So that has been the fruit of many, many years of effort. Essentially, we adopted the cloud, as you know, very early. And compared with our traditional competitors, they've got to re architect everything to just catch up to where quality is.
Finally arriving to that to where we wanted to be, and that was a long road, but I think we're very extremely happy.
Our next question comes from the line of Dan Ives from Wedbush. Your question please.
Yes, thanks. Can you
just talk about new products in terms of the trajectory there going into the rest of the year? What type of traction do you guys have factored in there in terms of even quantitatively or qualitatively?
So I think as we mentioned in the press release, our file integrity monitoring, we have added additional bit of the functionalities, is starting to really get very good traction. And now we also believe that with the detection of indication of compromise, we have really brought that at a significant new level. So we are really looking toward that. And of course, our Patch Management is doing really well. We have a really big pent up demand on the Patch Management because, again, everything is out of the same console.
You don't have to deploy another application, and you have the immediacy, which is what we offer. So we're very happy with these new services. I would say, they are coming of age. And of course, we are working on more solutions. We're also very looking forward on indication of compromise.
We're also moving into the endpoint EDR market, and you're going to see a lot of new things coming in 2020. Again, that's one single platform. And that's really the big differentiation we have.
And just to add on to that, so as I mentioned, our new products as percent of bookings were 25% this quarter, which we feel very good about. And we're really excited about the opportunity to accelerate Cloud Agent adoption with the additional features that were added to both STEM and IOC as well as the release of the free asset discoveries and inventory app because as we've said, we've potentially eliminating the resistance from IT and actually providing an incentive for them to download the cloud agent. And then it's frictionless for users to subscribe to additional paid apps. So as I've historically said, we don't assume a material we don't assume contribution into revenues from new solutions that are not materially contributing yet. And to date, most of the new products as a percent of bookings is still cloud agent VM, policy compliance and threat protection, but we see a great opportunity.
Yes. And I will add, our passive scanning, which is essentially the component of our discovery or if you prefer, the direct competition to ForeScout is now in beta, will be GA on September 5 and with the component of our free offering. And then from there, we have a significant upsell, which is the quarantine capabilities, which will be a big upsell. So by giving something of real value to the market, I believe we have created a significant disruption in the market. I'm receiving every hour now messages from industry experts to say, what you have done is fantastic.
And so I think we're very, very happy.
Thank you. Our next question comes from the line of Chris Eberle from Nomura Instinet. Your question please.
Yes. Hey guys, thanks for taking the questions. This quarter, Cloud Agents from a net add perspective seemed like pretty big move relative to the last couple of quarters of just $1,000,000 or so a quarter. Did you guys change anything this quarter that kind of drove that increased adoption? And just the second part of that, once you start to see the cloud agents downloaded, what's the lag time between downloading the agent and then the greater adoption of further applications?
Sure. So we're very excited about how our cloud agent subscriptions with the adoption was this quarter. We actually saw acceleration, as I highlighted in my comments. Out of the ads, dollars 3,500,000 were for a cloud platform customer. But even without that, you would have seen acceleration.
So we really see this, what we offer, taking hold in the marketplace. Our customers purchase the agent in conjunction with the solutions. They're not downloading the agent separately. It comes with a solution that they're using. And the time in terms of adding additional solutions vary.
There are customers who are buying multiple solutions at once, and there's time to add on over time.
Yes. And what we believe is, of course, by having offered a free global asset inventory, this is a godsend for our existing customers, which will love it. But also, it's a very cost effective way of gaining new customers as well because, of course, once they deploy the agent, suddenly, they can immediately try all these additional services and without having to install anything else. And again, installing our agent, by the way, is not difficult at all. And we're putting, by the way, additional packaging to make that much even easier so people know exactly what they need to do.
So we're I mean, we have put a very big effort on the packaging. I've also now a team in India of what we call the technical account representative, which are essentially on boarders, which are technical people, which are there not to sell, but are there to make sure that the customers have the first good experience. And if you have any question, we're also now a robot, which comes automatically as soon as somebody wants to download something, so we can establish the communication with the customer. So as you can see, we've been been behind the scenes, we've been gearing for scale. That's essentially what Qualys is all about.
When you look today at our platform, our platform answers now in 400 milliseconds of query. If you want to know anything about a device, 400 milliseconds later, you've got that. And that's because we have indexed 3.3 trillion data points on our Elasticsearch clusters. We index everything, all the data that we capture. So again, this is all about scale, ease of deployment and as a result of that, frictionless adoption.
And I think we're getting there.
And just to reiterate something Philippe said in his prepared remarks, which is a key thing we've talked about, which is the ability to leverage our platform as a distribution channel is a key element of our profitable growth. And so see the release of the free asset discovery and inventory app as a perfect example of that.
Got it. And can you just update us on the percent of the customer base that's using Cloud Agent today? I think it was at 18% you said last quarter?
Yes. It's still a really meaningful opportunity. It's only in 20 percent as of this quarter. And again, as we've talked about in the past, it's still early in the sense of deployment on the endpoint. So within our within those that 20% of the customer base, still think there's a meaningful opportunity for expansion.
And the free asset inventory and discovery app potentially will accelerate that.
Thank you. Our next question comes from the line of Jonathan Reicher from Baird. Your question, please.
Yes, good afternoon. Melissa, you just mentioned endpoint. And so I'm wondering if you could help us understand maybe some of the obstacles in terms of adoption there. I think you've had an endpoint application for 18 months or so. You can correct me on that.
But just what you're seeing and how much runway? It seems like there's a lot of runway. But I think more importantly, what are the challenges to adoption?
I think the challenges are, I believe, are starting to be behind us, as I mentioned earlier. In the beginning was the fact that if you look at these enterprises, they have like 9 agents agents as an average. Today, we see, interestingly enough, that some companies today have only now reduced that to 2 agents, which is the Crowd agent, the Qualys agent. We have a few examples of those because our agent replaced already quite a few agents already. And so and of course, we are also moving into the CrowdStrike space, as you will see, during the early part of next year as well with the IOC, with the enhancement we made to IOC.
So I think these barriers are now starting to fall down. The fact that especially we're now an agent on all the mobile, which is part of that asset inventory. So in Q4, we're going to invest another very big requirement for customers, having the ability to also look at their mobile devices, essentially tablets and phones. So I think that resistant, which was huge in the past, now today is diminishing. And furthermore, because that our global IT asset inventory serves both the security and the compliance and the IT people, now they have that visibility, the 3 of them, of course, they look at things differently.
But the beauty of our architecture is that we bring all the information into one place. And then from there, you can have the IT view, the security view and the compliance view and out of that one single platform. And that's the big difference again. So I think we're very confident that we are going to see acceleration of our of the Cloud Agent deployment, of course, that global as that free global ITS inventory, including with the passive scanning capabilities, I think is really what we believe will make that happen.
And I guess that leads to my second question, Philippe. The feedback around the global asset discovery and inventory services has always been very strong and there's a clear need in the market for that type of visibility. I'm just trying to understand, it seemed like it was an easy monetization opportunity. So now that you've given it free, what are the specific paid products that we should look to initially is kind of demonstrating the success of that free strategy?
Yes. So that's a very good question. In fact, and this is really at the core of our strategy. On one hand, we know that by giving that free, we really provide a we have a lot of goodwill in our industry because that's a problem which was absolutely has never been really well solved. But the second thing, if you look now from a business model standpoint, if you look today, as I mentioned earlier, currently today, our cloud agent enables 7 different services, and I named them vulnerability management, policy compliance, file integrity monitoring, detection of indication of compromise, etcetera.
So if you look at the cost, so today at large scale, and I'm going to give you numbers like if we are big deployment. So the cost for us to really give the agent free of charge for that global IT asset inventory is about $0.20 In return, the aggregate value of these services will be net again of additional of storing, etcetera, and updates, etcetera, will be about $10 So you have effectively a 50 times, a 50x return on your investment in, I would say, across 3 or 4 years at the most. And so that's, at the end of the day, the potential that we have created for ourselves here with a solution that deploys that instantly provide you value because what's very unique with our Global IHS inventory is that you, the customers, have nothing to do. It's our solution, which automatically categorizes you how many Windows devices you have, how many Mac devices you have, how many database you have, what type of database. You have also the ability to find out of life, all of your Java instances, etcetera.
All of that is at your fingertip. Now we don't give everything free, but we give the core component free so you can have your automatically created your global IT asset inventory in a very continuous way. Every time there's a new change, automatically it's updated. And now you can, for a little bit more dollars, you can now upgrade and synchronize with your CMDB. Today, we have the full two way integration with ServiceNow.
And so our goal here is to become the source of truth. And today and we can earn that. And again, if you could come at Black Hat or is not, we'd be very happy to give you a real live demo of that. You're going to be absolutely floored by how much information we capture, how quick it is and how comprehensive it is.
And just to add on to that, I think from a financial point of view, where you would see that is in you would see that manifest itself in revenue growth. And the reason I say it that way is because the adoption of this free asset discovery and inventory app could accelerate both, what I'll call, older products as well as new. Older because, again, this eliminates the resistance to putting the agent on endpoints and so you could see many companies that haven't yet done VM or policy compliance and the endpoints starting to do that. But then again, it also may propel new solutions being adopted. So we have multiple vectors of revenue growth.
Right. No, that's helpful. Thank you. Thank you very much for the insight.
Thank you. Our next question comes from the line of Nick Yackel from Cowen and Company. Your question please.
Thanks guys. You mentioned a major awareness campaign in the prepared remarks, but are there any more details you can share around just the overall strategy to drive awareness of the free asset inventory app?
Yes. Yes, I could be specific. So when you will arrive at I can tell you that. When you will arrive at in Las Vegas at the airport, you're going to see huge battery everywhere. You're going to go to your taxis.
You're going to see that what we call that new prescription for security. Every you're going to walk through the halls of black hats. You're going to see, of course, again, that campaign is going to arrive into our booth. Another thing that I will mention is that there is also multiple, if you prefer, legs into that campaign. If you read the press release, you will see that the Cloud Security Alliance has essentially endorsed Qualys and are bringing that to the 95,000 members because, again, it's good for the community.
This is just not good for Qualys. It's good for the community. So that's the first part of the campaign. Then from there, we're going to do a lot of I mentioned earlier, we have now a team in India, which can absolutely onboard customers. So we're gearing up for large volume.
I mentioned earlier, the first two days, we have more than 800 sign up essentially to our service. So we're geared to have the technical people behind to ensure that customers are properly onboarded. And we have also made a big effort on the packaging, so they could really see very easily how it is to download the agent, what they need to do, etcetera, etcetera. And of course, after that, we are going to see more lead generation campaign. This is the bottom up.
And there is a question before, and you're going to see us doing now doing seminars, webinar to go. And in fact, we have 1 on Friday starting on Friday with about 100 CIOs and CISOs of the health care industry where we're essentially present and essentially are going to advertise the benefits of that global IT asset inventory. So we can essentially go now today to every CIO in the world, essentially tell them, now with Qualys, you can have the full view of what you have. 2nd, you can have the continuous assessment of the security compliance posture of those assets. You can identify those which are vulnerable to 0 days, those which are compromised, although that we suspect are compromised.
You can essentially quarantine them. And then, of course, you can consolidate your stack, which is what large companies must do now, save significant amount of dollars. And on the top of that, our architecture brings you and helps you to secure your digital transformation as we're doing with Google, with Microsoft, with Oracle. As you know, they're all our customers. We help them secure their own platform, and now we're building that security into their environment for the customers, which we have done extremely well with Microsoft and we're doing that with everybody.
So again, this is that didn't happen in a week. This is 20 years of effort. And we focused not on the growth of the company, we focused on building the platform and essentially building sustainable growth and a highly profitable goal. That's what we went public what we said. And I think throughout the years, we're demonstrating that.
But now today, we've really put the pieces together, and that's where we're going to see very different companies in the months to come.
Okay. Great. And could you discuss that large single cloud agent purchase in terms of the products that customer is deploying? And then maybe as a follow on to that, do you see an opportunity to drive similar sized deals going forward?
Oh, I mean, we don't really disclose really much this kind of things because, as you know, our customers are always a bit leery of telling the world what they do, but this is obviously a big cloud provider, which has now totally adapted the agent to secure their own platform. And now you speak of millions of agents really. And so of course, there's more and more cloud providers and there's more and more of those. But for us, more importantly, is all the business, all these additional services that you can build on the top of it. So again, the beauty of our Cloud Agent now we're so happy that we have these patents around, is that they spawn multiple services and we're just at the beginning when today we have 7, but you can realize that now once you have an agent, of course, we have while moving into OT and IoT as well, You can realize once you have an agent, you can now do enforcement.
You can do you can go into response. It's all about the game today and then second, you need to respond and you need to eliminate the false positives. So the fact that our agent gives us the context in real time is significant and across, again, all these different environment because you cannot today say, oh, I just look at what got at my logs. That doesn't work anymore. You need to really have the complete view.
And so that's, again, not a walk in the park. And this is the reason why we're moving with a data lake because we have a unique advantage of 1, we collect the data. No single no SIM today on the planet collects the data. They got to take the data from multiple different sources, which is very complicated, very expensive and also very difficult to normalize because you don't know if that application tells you about that device. Is that the same device?
You don't know. So the big advantage we have with our architecture, again, is that we have absolutely full contextual value, and that's quite significant. So I think we're entering into a new era of Qualys in which we believe that's what our goal, but I think we're really getting very close.
Okay, great. Thank you.
Thank you. Our next question comes from the line of Erik Suppiger from JMP. Your question please.
Yes, congrats on a good quarter. Couple of questions. 1, who is the asset discovery service That's a good
That's a good question. And by the way, Eric, you remember, you are the one who really you were, in fact, the first one who told us to accelerate the cloud agents, you should really think about giving one of your services free of charge. So it seems that we followed your lead. And in fact, I was absolutely, but I was really waiting. The reason why we didn't move early because I really want I was we were waiting for that cloud agent.
So we needed to create all the libraries and everything so we could automatically create the inventory because telling the customer to do their inventory themselves, that's the problem you have with the CMDB is you've got to do everything yourself. So that's what we waited to have that piece completed and now we have it. So to answer your question, there's a plethora of solutions out there like Flexera, and I can name many, many other ones. You have Armys. You have quite a few.
The problem with all of them is not that they are not good. They do the job, but they are myopic. They only look at a certain part of the environment. And if you take your security hat on, you've got to have the global view. You cannot just say, Oh, I've got that thing, I've got a good view on my windows or I've got my good view on this.
You need to grow these pieces together, which is almost impossible, and the CMDBs cannot really do that. They were never designed for that. So that's really where the difference is. So in terms of, yes, you could on one hand, you could say, Oh, we're giving away what the entire what ForceGuard is doing, we're giving away what Flexera is doing. And you could say maybe this is $500,000,000 if not more.
But look at the leverage that we have, as I was mentioning earlier, with $0.20 then I can get 50 times the return. And the beauty of our solution is that it's all automated. So it's all machines. I don't need a lot of salespeople. I don't need a lot of support people.
I don't need it's all in a platform. So it's a very effective model. And I go back to the early days, a lot of people very few people realize that VeriSign was the granddaddy, I always say that, was the granddaddy of SaaS. They were the first one to have a really cloud distribution model. If you look, I remember because I don't know when I was there.
And what I could see that their salespeople, Telus salespeople could do $4,500,000 a year of renewals. So and in fact, I took some of their models and that's why we had a model which is so effective. You look at their gross margin today, they are at 70%. So because again, they have leveraged the cloud. Now what we do is more complex in a way.
I'm not saying that what they do is simple, but we have much more variables. So of course, I'm not saying that we're going to reach 70% gross margin.
Operating margin.
The operating margin, yes. Top of the margin, sorry. Is that because but I can tell you, we still have under the foot to be capable of leveraging the model again. It's all about the model. And the model is the cloud, the platform is the distribution channel.
And that's where you cut a lot of costs. And that's what the digital transformation is all about, eliminating the middleman and the businesses in between. So there's nothing new here.
Okay. One other question. The cloud hosting provider that took 3,500,000 agents, is that the same one that took 5,000,000 agents about a year
ago? No, no, it's another one.
It's a different one. Okay. If we think about the your cloud agent count in the September quarter, is that going to be a tough comp? Because I think it was the September quarter last year where you had a 5,000,000 you had one customer that took 5,000,000. Is that going to roll off, in which case that Cloud Agent count could come down?
No. I mean, we would assume that they would be renewing. So to your point, we might not be adding $5,000,000 plus in that quarter, but these are based on 12 month rolling subscription.
Yes. And we will differentiate with the free agent. We're going to also make sure that we don't because, of course, we should have a lot of agents as well, which will come from the free service, but we'll make sure that we essentially differentiate Free
versus the paying.
Free versus the paying ones.
Very good. Thank you very
much. Thank you. Our next question comes from the line of Alex Henderson from Needham. Your question please.
Hi guys. So I'm thinking the primary thing that is necessary to get the stock to really have any kind of real acceleration or move in it is the top line growth. You talked about getting to a 20% plus growth rate at some point. The guidance in the back half doesn't look like an acceleration. It actually looks fairly much the consideration of what we've been doing.
So can you talk about a little bit of the pings and pongs relative to what would be necessary to get your growth rate to show an inflection and start to accelerate? And what the headwinds are relative is the macro environment or any other variable holding things back? I assume that that's not the case, but could be. And what is the slope of that acceleration to get to the 20% longer term target? Is it very, very gradual and then a pickup in some later date?
How do we think about
that? Yes. So first yes, no, absolutely. So first, we don't see any headwinds in front of us really. Of course, we need to continue developing product and so forth, but there's nothing that we see as headwind in front of us.
2nd, I just want to reemphasize again the fact that we are absolutely 100% subscription based because when you compare some of our competitors and so forth, when I look at the quarter to quarter growth, which is essentially could be like 3%, 4%, that doesn't generate 30% growth. So where is that coming from? It's coming from, of course, adding a few spoons or sprinkle of perpetual license here and there. And so we don't have any of that. So the result is that for us to pick up growth, essentially, it takes a little bit longer.
And that's essentially the way our model is. But of course, the big advantage is that we are significantly more profitable, and that's something we don't have to do. So it takes a little bit more time. So we needed certain patients, but that's what we have been all along. And I think we're very confident again that we believe that we're going to pick up growth and now with all the things that we have done.
So we have that kind of a pause in our growth because as we discussed last time and the time before is that today, we didn't have these new services mature enough and so forth to really start to contribute to the growth when mature enough and so forth to really start to contribute to the growth when we have a huge installed base, which has been growing very well. But of course, it becomes harder now with just the VM or the policy compliance or the web application scanning to generate accelerated growth We need new services, so we're very happy to see that now today, it's 25% contribution from the new services and this is going to continue. And we always say that look at that adoption. So it's a question of time, but it's there. I mean, there's no question.
And we have very strong loyalty from our customers. The other point, which is significant, we really believe this card agent will make us, what I call, naturally sticky. As you may remember, with customers who have adopted 4 solution, the gross renewal rate is 99%. Those who have adopted 3% is 97%. Those who have 2% is 91%.
So of course, these Cloud Agent, that's 3 global ITs inventory really are going to make us very sticky. So in a way, it makes us immune of some of the tactics of some of our competitors, which drop the price, but they don't have the breadth of solution that we have. So we're not losing our sleep at all.
Yes. And I'll just add on now. To be
clear, your growth rate guidance for the back half of the year is lower than the growth rate guidance in the first half of the year and it's against easier comps. So I'm still wondering why your growth isn't accelerating as opposed to decelerating.
Yes. So Alex, we have a healthy business. We do have a higher negative impact from FX in the second half than we previously expected. We expect the growth rates to be negatively impacted by about 1% each quarter, but we're still maintaining the midpoint of our guidance. And the reason for the growth rates from where we are today versus last year, as Philippe explained, was that as we talked about, our previous growth rate had been bolstered by what we call fractionally priced solutions, for lack of a better term, right?
Cloud Agent for vulnerability management and policy compliance or threat protection that were priced at 20% or 30% of these older products. Now many of the newer we call sort of the new new, the newer solutions coming out are we expect to see deal sizes similar or more than these older products. But today, it's still primarily VM, policy compliance, cloud agent usage and Threat Protection. And so even in and to tie it all back together, even in the 25% of bookings, it's still most the new products in bookings, it's mostly those newer products. That's why we're so excited about the additional features that were added on to FIM and IOC as well as the free release of asset discovery inventory because this potentially will help accelerate both adoption of the cloud agent broadly as well as of these newer solutions where we expect deal sizes to be larger and that they can potentially have a bigger impact on our growth rates.
If I could just extend the question a little bit. So you've given longer term indication of a 20% type growth rate, when do you think you might get there? And do you think 2020 is an accelerated growth rate versus 'nineteen? I mean, those are kind of the basic questions that I think we heard every time we went out on this in the field and talked about the stock.
Right. So we talked about our long term target, which we generally update our model on an annual basis and we'll do so for our Spring Analyst and Investor Day in New York. But the framework hasn't changed, which is, as Philippe referenced, that the total spend per IP could be 10x that of $1 a VM. This does include the paid version
of our
of the free versions of the of asset discovery and inventory, but we're also not expecting all customers to adopt all solutions. In terms of the interim period, we provide guidance for 2020 after Q4 earnings. And so it would be imprudent to provide any direction earlier than that.
All right. Well, thank you very much for the help.
Okay. Thank you.
Thank you. Our next question comes from the line of Keith Weiss from Morgan Stanley. Your question please.
I just want to thank you guys for taking the questions. Throwing in for Melissa Franchi here. One question on kind of OpEx and one on sort of geographies. On the OpEx side of the equation, margins continue to be really impressive and expand really well. And OpEx was to be kind of in line with seasonality, but definitely kind of outperforming target.
And I just wanted to check-in like the outperformance on OpEx, is
that because of kind of
better leverage you're seeing? Or has kind of the spending underpaced your projections of that you weren't able to get salespeople up and running fast enough or you weren't able to or find the salespeople or find the R and D guys. Is there any kind of pent up spending that's helping those operating margins? That's question number 1. And question number 2, if we look at sort of geographic growth on a year to date basis, Europe's been performing really, really well.
It's almost like 30% growth. The U. S. Has been a little bit less well, at about 10% growth. Anything in particular that explains that dichotomy of sort of the much better growth overseas?
So I'll start with the OpEx. Keith, we're very happy to have you. So on the OpEx, so you can see from our guidance, we are guiding to for contracting margins for the second half. So there is an element of spend that is just really a timing issue. So we did come in basically lower in headcount expense and operations and sales and marketing.
Some of that is hires where we didn't find the right person. And so it's we expect to see the hiring pickup on those in the second half. Some of it was also we just spent less on trade shows than we needed and third party consultants and marketing costs. And not to make Philippe blush, but for example, we look at our campaign and a lot of it was driven by our multi talented CEO. So that helps save us dollars, too.
So there's also leverage.
Yes, absolutely. Yes. And on the geography, I mean, this is just a very natural evolution of the market When you have today, of course, we have a very strong penetration in the U. S. As compared to the to Europe.
So what we see in Europe is the natural expansion in Europe of people deploying more of our solutions. And when in the U. S, of course, today, this is where we have the phenomena where essentially we need essentially, the mass is so big, so we need these additional new services to really propel the growth in the U. S. And again, so that's something we again, we're very, very optimistic with our new services and see accelerated adoption.
It took us a little bit longer, of course, to because you need to essentially bring all these new services at the level that we need. It takes time, and we also want to make sure we get the right products. And we don't push solution into our customers. That's also the other very important thing in our model. And I will repeat again, we cannot absolutely if we start to have our customers consuming more, so we don't incentivize our sales force to do bigger deals and what the customer can really swallow.
The reason is because if not, they will not renew at some point in time and then we'll have to push more. And now this is the way enterprise software works. Of course, there's always the music stops at some point in time, but it takes a long time for customer support to suddenly run out of new customers where you can shove it into them and create a lot of the shelfware. Without with a pure subscription model than ours, you will see that much quicker because then they start down selling, which is exactly what you want to avoid. So these are the dynamics essentially.
Our next question comes from the line of Matt Hedberg from RBC Capital Markets.
Melissa, I know you referenced bookings in your prepared remarks and prior calls, but we are getting quite a few questions on short term billings. I think it grew 13% this quarter. Could you talk about sort of the trends in short term deferred? I think it grew a little bit less this quarter sequentially than it did last year. I mean, how should we think about short term deferred as this model progresses and we look for revenue to accelerate?
Yes. Thanks, Matt. So we had a good quarter, and we have a healthy outlook. As we've discussed, deals move in and out all the time. There are multiple scenarios in which the renewal does not happen at the same time as the anniversary date, so it's hard to normalize for comparison purposes, which is why we point to the trajectory of our annual revenue guidance as the best proxy for business momentum because current bookings certainly inform our guidance.
As I mentioned, we do have some FX headwinds, but we're maintaining the midpoint of our guidance. And we're also thinking about introducing ARR next year because it should reduce the volatility you see associated with current billings metric.
Got it. And then maybe, Philippe, thinking about the Capital One breach this week, it looks like it was a misconfigured WAF. I'm sort of curious, can you talk about that as a broader issue? And maybe how you guys can help prevent that from happening to others?
I mean, this is as you know, I think this is a complicated situation here. And because, as you know, there's more there's kind of insider whenever you deal with insider, that's the most difficult thing to combat because they have, of course, inside knowledge of your configuration, and they could either find ways to get credentials they should not have, that's the Snowden case, Or they could essentially find or identify vulnerabilities that because they were just there. And so that's the tricky part. So it's very difficult to combat insider threats, as we all know. So but again, I go back to it's all about hygiene.
So that's where quality shines because we can help you absolutely identify vulnerabilities on your environment at a huge scale across all these different environments. So that's again what's behind the decision that we made to make the global IT incident for a fair charge, discussing with our advisory board, with our large customers. In fact, the idea came as well to make that one free from on one end I mentioned Eric Super Gear would say, by the way, you would adopt. But then we have also the customers telling us, look, this is such a pain point that we encourage you if you could do something here. And that will give you the visibility you need because how could you if you don't know what you have, you cannot even identify the vulnerabilities.
So that's hygiene is that if you look at every if you look at the Verizon breach report, etcetera, yes, we put a lot of these shiny objects around and this and that. But if you don't do your vulnerabilities, if you don't configure your system properly, if you don't know that, that camera, for example, is still connected to your network and anybody can have access to it. And if you don't, then you're going to get bridge, and it's that simple. And it's becoming very critical in our in that environment where now everything is becoming connected with everything, whether you like it or not. And so and we're entering now wait until 5 gs arrives.
Oh my god, this is so that visibility is crucial. Everybody will tell you the experts 100% visibility. On our offering, for example, there's one thing that we surprised to see how many devices connect to your network via Bluetooth. So, of course, we'll introduce that shortly, but you need 100% visibility. And that's the one thing you've got to do.
And then making sure that you are very careful with the people with your contractors and you extend that visibility to your ecosystem as well. So it's a lot of work. I mean, without visibility, you're going to get bridge.
Got it. Thanks a lot.
Thank you. Our next question comes from the line of Rob Owens from KeyBanc Capital. Your question please.
Great. And thanks for taking my question. And Melissa, I appreciate the commentary around short term deferred and deals that move between one quarter and another. But if I look at 3 out of the last 4 quarters, you've grown at this consistent 13% and with the business setting up to inflect to achieve that 2021 target of low to mid-20s growth, at what point do we see that? And does that actually come through in that short term deferred kind of as a velocity based metric?
Yes. Thanks, Rob. So ultimately, 2021 revenue growth will be based on performance bookings performance in 2020. There is the shift flow through in deferred revenue. But as we talked about many times, for example, the correlation between quarterly billings and quarterly bookings is not always the same.
And that's why we're we are looking to improve how we communicate externally with you guys. And as we mentioned, we're thinking about introducing ARR for next year.
Sure. And I understand that, but I mean you've got a 3 out of 4 quarter history of that 13%, which theoretically suggests kind of a downward draft in that revenue. So even over time that becomes an unreliable metric if we look at, again, 3 of the last 4 quarters?
Sorry, I was going to say, I mean, if you look at LTM billings, that's going to be a much closer proxy to LTM bookings because you have much more normalization. And so what we've had today is the fact that our growth has been supported by these fractionally priced solutions as opposed to generating an impact from more of the higher priced solutions, which are things like FIM and IOC, Patch Management, etcetera. And so that's really where the opportunity is as well as, again, as we've talked about expansion onto the endpoints that could fuel even kind of what else are older products in terms of driving future revenue growth.
Our next question comes from the line of Gur Topaz from Stifel. Your question please.
Hi, this is actually Chris Speros on for Gur.
On the call you mentioned that the free asset inventory service already has 800. Can you talk about the makeup of this
group in regards?
It's a mixture. It's a combination of small customers, mid customers and even large customers. So we could give you the breakdown, but we were just at the beginning. So essentially, we're targeting the entire for us, we can serve very small customers. We can serve very, very large customers.
We have the largest customers in the world. I mean, we have got 70% of the Fortune 100 today. So they come from all walks in life. And again, that global light tested inventory is really a need for everybody, the large company because they have no visibility and the small companies because they have only very few people. And so for them to do the cataloging of all their application and what they have, even if they have a small network, they have very little people to do it.
So because you're the poor IT guys, they do IT, they do security in the small companies. Now they have to deal with the cloud and with the mobiles and with this. It's absolutely a nightmare. And so I think that's a godsend for all of them, small or large.
Yes. And that's great color there. But where I was going with that question was, can you just
talk about the makeup of
the group in regard to the proportion that had already deployed the Cloud Agent relative to the proportion that represents net new Cloud Agent deployments?
Well, I would say, in general, the Cloud Agent has been more adopted in the enterprise and SMBSME to date. We don't look at track exactly every quarter where the net new adds are. We kind of look at it overall for the business. But what's this is what's revolutionary about what we're doing with the release of the free asset discovery and inventory app is that, again, it provides an incentive for many prospects in the lower end, let's say, to adopt a cloud agent and then it's frictionless to subscribe to paid applications.
Yes. But
I guess what I'm asking is the percentage of the 800 customers that have signed up, what percentage of this group had already deployed the Cloud Agent and were signing up for the asset inventory versus the percentage of customers that deployment of the asset inventory would need them to deploy the cloud agent?
Got it, got it. That's a great question. We haven't gone through all the data as we just announced it on Monday. So it's something we can get back to you with, Chris.
All right. Thank you, Melissa. I appreciate it.
Our final question for today comes from the line of Sterling Auty from JPMorgan. Your question please.
Yes, thanks. Hi, guys. I want to clarify or understand in terms of the cloud agent, are the cloud agents included just in the core VM pricing? What portion are maybe paid subscription versus what portion are now part of the what appears to be the free program? I want to make sure I'm not mixing apples and oranges here.
Yes. So the numbers that we've released, when we say 23,600,000 Cloud Agent subscriptions, those are all paid subscriptions associated with the product because you don't just subscribe to the agent just for it to be an agent. Now you can use on the VM, you can use what I'll call the traditional scanning technology VM that's not using an agent, right? And you wouldn't for example, you can't do that with endpoints because the laptops leave the network. So if you want to do VM on an endpoint on a laptop, you'd have to use the agent.
And so we have like when I think about our existing customer base, right, we have a lot of customers who are still using traditional scanning and then many of them rolled over a portion or all of their VM subscriptions into using the cloud Ethernet for VM because not only can you extend it to the endpoints, but it also goes in cloud environments and gives you more real time information because you're not just relying on the scanning windows. Let me pause and see if that answers
that makes
sense so far. Yes. That definitely helps. And then in terms of the procurement of the new solutions, is there an expectation of what you think kind of moves first? So is it going to be FIM and then followed by inventory?
Do you think you're going in terms of both the timing of GA as well as the customer traction? Or do you think they're simultaneous in terms of the uplift?
Well, so inventory we announced is going to be GA September 1. SIEM has been out, but we've added new solutions. IOC or adding new features, sorry. IOC, we went into GA with the new features. In terms of, yes, the timing of adoption of like which ones do people subscribe to the most first, it's always difficult to predict because we have no data points yet for newer solutions or not enough substantial, I would say.
Philippe, would you
Yes. And they're all also a little bit different because FIM is more typically for regulated industries rather than because they have to do it. So this is a different rhythm. So they're all a bit different at the end of the day. What we can see today, Patch Management, which is a new service, we have a pretty big demand on Patch Management already.
So I think FIM is taking off. Patch Management will take off. We really believe that this that new generation, that new version of IOC is going to really rock the world because unlike anybody else who can identify suspicious devices, in other words, instead of just the big advantage of our solution of IOC is that as you give us an IOC, instantly we can tell you without scanning anything, just squaring our back end. We can tell you wherever you are compromised. And then because we have classified the matter word into families, we can now identify the family match, which doesn't really give us 100% assurance that this is a real compromise.
But then, of course, with the passive scanning, we can look at what's coming in and out of the device and identify that if this is a behavior which is suspect, then we could absolutely now take action and quarantine, which will come in Q4. And then, of course, not only we can also put the device on watch because, as you know, the matter where it can be dormant. In that sense, you don't see anything. And so we are I think we're bringing IOC to its next level. And so we're very well received by our customers as well.
So I think that will also help the adoption of our agent as well because, again, you need the agent to do these IOCs as well. So we feel we're in good shape.
Thank you. This does conclude the question and answer session of today's program. I'd like to hand the program back to Vinayak Raul for any further remarks.
Thank you all for attending our Q2 2019 earnings call. As Philippe and Melissa mentioned, we are holding a product luncheon for our analysts and investors during Black Hat on Wednesday, August 7, from 11 am to 1 pm, and registration is available on our website. We also look forward to seeing you at Citi's Global Technology Conference in New York in September. Thank you.
Thank you, ladies and gentlemen, for your participation in today's conference. This does conclude the program. You may now disconnect. Good day.