SAC Conference. Today's session is going to be with Qualys. My name is Jonathan Ho, and I'm the analyst for William Blair & Company. With us today are Sumedh Thakar, the CEO, and Joo Mi Kim, the CFO of the company. Before we begin, I'm required to inform you that a complete list of research disclosures is available, as well as conflicts of interest, at our website at www.williamblair.com. We'll have the company present an overview of the business, followed by a fireside chat. Sumedh and Joo Mi, I'll hand it over to you just for the overview of Qualys. Thank you.
Thank you very much, Jonathan. Thank you for having us. Qualys, we've been in the business for quite a while. We are cyber risk management for a lot of large companies globally. We started with vulnerability management as an area where we've been helping customers for the last many years. We're one of the first SaaS providers to provide security around that. In the last few years, we have expanded our portfolio into providing broader cyber risk management capabilities to our customers, expanding into remediation, patch management, asset management, and then more recently into overall holistic risk management with the Risk Operations Center, where we help customers collect their risk findings across their multiple products and portfolios and provide them a business-oriented view of their investment in cybersecurity. We've been a profitable company for the last many years, and that's generally what we focus on: profitable growth.
We look forward to continuing our journey into overall cyber risk management and increasing sort of our footprint in that area.
Excellent. Excellent. Just to kind of kick things off, we've seen a lot of changes in the vulnerability management market over the past few years. Can you maybe level set for the audience how vulnerability management is evolving and where the growth opportunities lie in the future for the company?
That's a great question. I think vulnerability management continues to be a cornerstone for any risk management strategy from a cyber perspective. As we saw in the Verizon Data Breach Investigations Report, it continues to be a key vector that attackers leverage to get into systems and a jumping-off point. What we have seen, however, is that over the last many years, the number of assets and the amount of software that people are deploying has grown significantly. The number of vulnerabilities that are being detected has also grown exponentially. The challenges that customers have been facing have been evolving in VM.
When we introduced VMDR a few years ago, it was really not so much about how many vulnerabilities you can detect, but how you can very quickly remediate those vulnerabilities because the amount of exploitation time was reducing and attackers have been actively exploiting these vulnerabilities quicker and faster. At the time, we came up with this idea of Patch Management as a way to help expand vulnerability management into the area of remediation, which for us has been very exciting. We saw last year, 2024, Qualys agents deployed 110 million patches for our customers. Clearly, a story that's resonating. I think what has happened now is continued expansion of VM into cloud environments and other environments means that customers today end up with significantly more vulnerabilities than the ones that actually cause risk.
That's where the customers tend to struggle with the plethora of findings that they have and not knowing exactly which ones are causing risk to their business and taking a business-oriented approach towards which ones they should fix, which ones they don't need to fix right now. That's where we're seeing that vulnerability management has been evolving more and more into broader risk management. Customers today really need a way to figure out, of all the millions of findings that they have, which ones actually cause risk to their environment. We just recently, with a customer in a POC, imported almost 65 million findings across their different tools, and only 300,000 of those findings actually had any way for exploitation or any way of being attacked.
For customers, they really want a way to quickly get to that small percentage of findings that actually cause risk and then a way to remediate those risks very quickly. That is kind of how the journey of vulnerability management has continued, where it has expanded into newer infrastructure, while at the same time, prioritization and remediation have become the key focus for vulnerability management.
Excellent. Excellent. On the financial model, can you maybe describe for us what the growth and margin algorithm look like for Qualys moving forward? Specifically, can you help us understand how much of that growth can come from existing versus new customers?
Yeah. For Qualys, historically, most of our growth was driven by our existing customer base. That's due to the fact that we've been focused on introducing new products, expanding our target addressable market. We've seen great success there with 15% of our LTM bookings coming from Patch Management, CSAM. Our new customer logo land, actually, is due to the fact that we've really introduced newer products in addition to Patch Management and CSAM; we've also talked about the ETM. Moving forward, we think, I think for the next couple of years, we still believe that our existing customers will be the primary driver of our growth.
With that said, we are looking to land new logos, and we're seeing some success this year with our new strategy, our new value proposition from a risk operation model perspective, where we're really providing a solution to the customers, not just from identifying vulnerabilities, but really coming up with a true solution that works for the market.
That makes a ton of sense. Maybe switching gears a little bit to sort of the product side of things. When we look at the Enterprise TruRisk solution, what makes up the solution? What challenges are you trying to solve? How does this sort of extend the Qualys story over time?
The real challenges really are, as customers try to figure out when they have a certain amount of budget for cybersecurity, where across their multiple toolset do they need to focus that on? What has in the past been a very best-practices-based approach, today more and more CSOs are being questioned by the CFO, by the board to really justify the ROI of cybersecurity. Cybersecurity ROI comes from showcasing how much risk has been reduced. A lot of times, we see that CSOs are struggling even to articulate how much risk they have. If cybersecurity is a risk management exercise, you cannot articulate how much risk to the business you have in terms of how much money you would lose if there is a cyber attack and where should you focus on to reduce that risk of the attack happening.
Today, they have a set of dashboards that give them top 10s from multiple tools, but they can't really articulate what is the potential risk to my retail banking, as an example, across multiple tools. I think the notion that there is a single pane of glass from a single vendor is something that we don't see in the market really happening. Customers still like to empower their teams to pick the best tool for the specific job, maybe for container security, for OT security. It's not the same vendor that is providing them all those capabilities. How can they operationalize the risk management exercise? In the past, we have seen people do that from a SOC perspective, where Security Operations Centers were used to operationalize threat hunting and taking action once an attacker is in the environment.
Customers have struggled to really give a holistic view of the risk in a proactive environment where you do not have an attack, but there are so many risk factors. Which ones actually are being actively attacked by attackers? What are they talking about on the dark web? Which ones actually have exploits available? With the Risk Operations Center, what we are seeing is that customers are seeing a need to bring all of their assets together from multiple sources, all their findings together, applying threat intelligence, but applying business context, and then creating remediation and reporting all sort of in one. That is where we introduce the concept of a Risk Operations Center. The ETM, which is Enterprise TruRisk Management, is Qualys' ability to provide a Risk Operations Center to customers where they can, and it is not based on a single vendor.
It's now the ability for us to walk into a customer who has other tools and actually not have a replacement conversation, have a conversation about taking the data from their multiple tools and providing them a higher-level strategic value, which they can create reports that they can take to the board that showcase that X amount of dollars are at risk. What is the current probability of that happening across their multiple toolset? This has really been a game changer from our perspective in the way that customers look at what the Risk Operations Center brings them, rather than just another tool that is giving them top 10s on the specific thing that they are looking at.
For the customers, it's that ability to measure their risk, to be able to communicate it to the board and the CFO, and then the ability to show that ROI, and then the ability to remediate that risk is all operationalized in a single platform while using different tools that they prefer for the specific solutions that they need for the specific infrastructure that they have.
Yeah. It makes a ton of sense that the Qualys story is evolving from point solution to platform and encompassing multiple areas that you can cover as that broader platform opportunity. When we think about sort of platform adoption, how does this compare with what you've seen with something like VMDR, where you've extended the product set? How much of an uplift do you potentially see in deals where customers take on that broader solution?
We're pretty excited that as we went GA a couple of months ago, the adoption that we're seeing in terms of POCs that are ongoing, the number of customers that are engaged, the level within the customer, it's really a lot of the CSOs are themselves engaged in these conversations, which was not necessarily the case in the past when it was just vulnerability management. That has been very encouraging for us. The way we see that is just the way when we came up with VMDR as a game changer, where we evolved vulnerability detection into a broader area of asset management, remediation, et cetera.
We feel like now is a similar evolution that is happening from an industry and platform perspective, where now we are going back to our existing customers who have Qualys and maybe another set of tools, and going to all of them and being able to showcase to them the higher value of risk management and risk reporting, not talking the language of vulnerabilities, but talking the language of dollars and the business impact, et cetera. That is exciting for us because we can go to all of our existing customers and provide them this sort of a risk management capability, which is resonating well.
It is also helping customers really have the conversation with their board as well, as we saw with the partnership we announced with Diligent, so that the board can actually see how the platform adoption is giving them something that is meaningful to them. With that, what we're seeing is that customers are encouraged to then buy additional capabilities from Qualys because they get all of that in a risk view rather than top 10 views that they're getting from different dashboards. We see that as something that is driving our audit compliance capability. It is driving our cloud security capability. It is driving our new TotalAI, which is our AI security. Because the same question comes up, right? If you are going to invest in AI security, how much is the risk from your AI, and how much should you invest in AI security, right?
Because that money is going to come from some other place that you're not going to invest. What we see is that the conversations are leading not only to customers looking at upgrading currently to ETM by bringing additional data for the assets where they have Qualys, but we are also seeing additional assets now coming into Qualys that in the past they were not covering with Qualys because they have another tool, and we do not have to have the replacement conversation. It is also driving more module adoption from Qualys' perspective. It is early days right now, but we are encouraged to see what we are seeing. I think the uplift is not just a linear, another dollar on the dollar, because it is also bringing new assets, and it is also bringing additional module adoption based on where the customer is at.
I think because we've just started down this journey, in the next few quarters, we'll get a better idea of that kind of an uplift. As you can see, it's not just an incremental 10%-15% on the existing. It is really something that can be meaningful, is how we see it over the next few years.
Yeah. With that larger dollar capture, it seems like you're becoming much more strategic to a customer. Can you talk a little bit about how, as the customers expand their adoption of your platform, do they start to also look for additional capabilities? You've spoken about, in particular, the MROC solution and the offerings that are there that you can offer with partners. Can you speak to how managed services are being used by customers and what opportunity that brings to Qualys to engage with those partners?
Yeah, that's a great question. As you have probably seen the last two, three years, partners and the pivot to partners is a major part of our strategy, which if you look at the numbers also, we're happy with what we're seeing in terms of our indirect business and how it is growing nicely. Part of the strategy is the introduction of the Operations Center. If you look at the MDR side, Security Operations Centers have had MDR services, but it is post breach. Somebody's in the network. Let me go find who is in the network. We see similar capabilities can be offered by managed service providers to look at the customer's environment and provide them a risk monitoring service. A risk monitoring service is different than threat monitoring, which is some attacker is in the environment.
Our partners are excited about bringing new solutions to the market as managed services, where they, of course, see that they make more dollars rather than just resell. We are enabling that, and we do not compete with our partners. We do not offer any services. That is really where the partners see that they can now leverage Qualys ETM to bring data from their existing solutions that they might have sold to the particular customer in the past and create a new service that they can offer. We believe that this capability and encouraging partners and enabling them to make additional services revenue will then encourage them to take Qualys to more of their existing customers than just the VM capability.
We see that the MROC capability is going to help partners have more conversations about Qualys because they are going to make more services dollars on the solution. We'd also encourage additional module adoption, and they don't have to have a conversation of replacing some of the tools that they might have sold to the customer in the past.
Excellent. Excellent. Just in terms of go-to-market, there's been a significant focus on the channel now, and I think it's over half the deals or close to half the deals right now involve the use of the channel. Where does the mix potentially go from here? Is the channel now being more proactive in terms of bringing you new opportunities? Has it been more sort of just fulfillment or helping you sort of upsell into the existing base? Just trying to understand how the dynamic evolves over time.
Yeah. When we started a couple of years ago, it's been a journey. I think moving to a channel is, of course, a multi-year journey. We did some of the low-hanging fruits initially, just better working with the partners, having resources aligned with them. We have hired more on the account management side from a partner perspective, more training to the partners. We're marketing from the partner perspective. We have been making those investments. We continue to see with MROC that partners will be more encouraged to bring customers to Qualys. We do not necessarily—we're not targeting any specific mix at this point, but we are encouraged to see that over the last few quarters, multiple quarters, consistently, that mix has been changing towards more of the partner side. We expect to continue to see that happen as we invest with our partners.
I think that really is a key part of our go-to-market strategy because with the direct business that we have, we see that as an opportunity to bring more partners to take that direct business with Qualys by bringing additional upsells on those accounts in areas where we may not have the relationship with the existing customer because it's a cloud deal, as an example. We also see that because we are helping them make additional services revenue, this will also encourage partners to bring us net new deals, which will help us with our new business as well. We see across the board that that strategy is going to continue, and we are going to evolve that and invest more in the channel side over the next few years.
We continue to expect to see that mix change, though we're not necessarily targeting a specific mix. We do feel like given the success we're seeing from the partner perspective, we do see partners right now are bringing us now additional deals. They are helping us with upsells, and we expect to double down on that and continue investment in that direction.
What's something that's really positive for us is it is really a long-term strategy that we thought through earlier last year that we thought that it made sense for us to go to partners when it comes to new logo acquisitions because of the success rate. They were able to close higher rates of deals that were in play when it came to new logo acquisition because instead of our sales reps going out there and saying that we're the vendor of choice and Qualys has the best product, it was much more impactful for our channel partners to go out there and market to the customer base and say that here's why you should go with Qualys for this solution, right?
In addition to that, what we decided to do was really work with partners so that they understand that we have stakes in the game too, as in we're willing to take our existing customers who are currently direct over to the partners if we think that there is a way for us to win with higher upsell, higher spend from the customer base. Naturally, you're going to slowly see that shift more and more going towards indirect versus direct. We expect that to happen. The good thing is we are monitoring our gross margin and potential impact on the unit economics as more of our business shifts to the partner side.
We're holding on to that 84% really high gross margin, and we haven't seen that margin contraction from that side, even though our business has more shifted to the partner.
That is critical for us, the partner strategy in the two areas that we are excited about for growth potential for Qualys in the future. One is cloud, where we are seeing nice traction in early stages with cloud security. That is really where the partners are bringing us to the DevOps teams that we may not have direct access to. We are happy to see that, as well as we see a huge potential for us in the future around the federal business because we have a very small federal presence right now. With our focus on FedRAMP and our investment in the federal side, partners are going to be a key part of making sure that we are expanding well into the federal business as we are waiting for our FedRAMP high, which should be coming pretty soon.
With that, we will be continuing our partner strategy from a federal perspective, which is, again, a huge area for potential growth for us.
Yeah. Yeah. Can we, with the federal discussion, maybe dig a little bit into that opportunity set? And what does FedRAMP really mean for you? Is this a hunting license? Is this an opportunity to go into a broader set of agencies? I think you've also developed some of your channel resources there too. So can you just give us a bit more detail in terms of your operations there?
Yeah. I think with our investment in federal the last few years, we've been seeing good growth and good success, even though it's smaller numbers initially. Because of FedRAMP moderate, which we got, Qualys has one of the highest numbers of ATOs. From a FedRAMP perspective, if you go to their website, you will see the number of agencies that actually support Qualys, which is pretty good to see. That has kickstarted our federal journey over the last few years. Now with FedRAMP high, it definitely gives us a higher level of security standards that the federal agencies are looking for. It allows us to expand into additional agencies that require a higher standard from security providers. Once we get that FedRAMP high, that will make us one of the only FedRAMP high vendors that provide vulnerability and patch management in a combined solution.
We're excited to have those conversations. We're already seeing customers waiting to use that as a way to move. Right now, there is a big push from an efficiency perspective in the federal government. We believe that this will be a great opportunity for them to showcase moving away from their existing on-prem sort of old deployment that's not very efficient to a much more nimble FedRAMP high new provider that they can use to show efficiency gains, et cetera. We see potential in that space, and we are going to continue to invest there. FedRAMP high definitely becomes a key point for us just in terms of getting attention and hunting new logos.
I mean, just by definition, given how small our current presence is in the federal, a lot of what we are going to see in the federal is new logos coming our way.
Just quickly, how long does it take to get to FedRAMP high? How much of a barrier to entry? Or can you talk about the complexity of that process?
It's quite painful, but we have made that investment, and it's been going on for the last two, three years. Now, we did start from a base of having FedRAMP moderate, so it was. You see a lot of companies struggle to get that FedRAMP moderate as well because it takes a lot of investment to get your platform to that standard. Now, because we had FedRAMP moderate for many years and we worked to build on top of that, it is not a trivial investment, not just in terms of dollars, but also in terms of time and effort across the group to ensure that all the different requirements are met. We are in progress right now, in process, what they call it. We're looking forward to getting that pretty soon.
Got it. Multiple times during this conversation, you've talked a little bit about your cloud solution and the need for vulnerability management in the cloud. I think in our investor conversations, it's oftentimes confused with CSPM. Can you maybe help us unpack the differences between vulnerability management in the cloud, CSPM, CNAPP? What do these things mean for Qualys, and what does that opportunity set look like for you?
Yeah, that's a great question. If you look at the basics of cybersecurity, there are three key areas that bring risks to any environment. One is vulnerabilities in the software. Second is misconfigurations where the system is not configured correctly, even if there is no vulnerability. The third is identity, where you have an identity that has the wrong access, and somebody can go in and access your information. What we see in the cloud is essentially the same three areas are critical. One aspect of that is the CSPM, which is looking at misconfigurations. However, all the software running in the environment still requires vulnerabilities to be assessed because a CSPM does not give you visibility into software vulnerabilities that an attacker can leverage.
At the same time, also, you need to be able to monitor the identities that have access to data in the cloud. These are three key areas in cloud. To your point, sometimes all of these get confused, and people talk about that. There's a huge acronym soup with CWPP and CSPM and stuff like that. That's why I wanted to break it down. It just comes down to those three basic things. Qualys is being leveraged pretty heavily by customers. In the last count, we had almost 30 million agents in public cloud environments where customers were leveraging Qualys to assess the vulnerabilities of their workload while they might be using either Qualys, or they might be actually using a different tool for CSPM and a different tool for identity management.
We routinely see where customers are using Qualys for the workload in the cloud. In the same account, they might be using Wiz for CSPM, and they might be using some other solution for identity. Now, not only do we have an opportunity to continue to provide cloud-specific security solutions to these customers, but also with ETM and Risk Operations Center, we can actually bring cloud data from multiple different vendors into one view and give them a view of the posture of their cybersecurity posture from a cloud perspective.
Yeah. It makes a ton of sense that you're able to sort of wrap everything together, not just in the cloud, but also in the on-prem world as a single pane of glass to your earlier comments. Maybe just to put everything together, can you help us understand where we are in terms of sales productivity following some of the actions that you've taken over the past few years? What are you happy with? What are you unhappy with at this point? What's sort of left to be done?
What we've done well is really building our relationship with our channel partners and our build of the channel managers internally. We have hired sales reps who are focused on making sure that they prioritize the needs of our partners, whether it's MSSPs or VARs. We have also built out our team from a product manager's perspective, making sure that we understand how to go out to the market and showcase what we can actually bring to the customers and the prospects at the end of the day. When it comes to the direct sales reps, though, that's where we feel like we haven't really reached the level of productivity that we had hoped for.
That is part of the reason why we thought that longer term, it makes more sense for us to remove that friction and be working better with partners where they do not feel like they are competing with us. Even though we do have our direct sales reps, they are also working with their channel manager and the partner team as well. It is really one team working together with the support from certain solutions architects, bringing that entire team together so that we can go out and be successful together is our strategy today. I think that right now, it is still early. There are a lot of improvements that we still have to make. We are continuing to hire and recruit. At the end of the day, because of our shift in strategy and focus on channel, it has less to do with headcount per se.
Excellent. Excellent. We've got a couple of minutes left, so I'll open it up for Q&A to the audience. If there's anyone that has a question, just raise your hand, and we'll call on you.