Hey everyone. Thanks for joining. I'm Kingsley Crane. I'm a Software Analyst here at Canaccord Genuity. With me we have the Qualys team, we have CEO Sumedh Thakar and CFO Joo Mi Kim. Thanks for being here.
Thank you.
Thank you.
Let's kick it off. Let's start with the recent quarter. You reported strong results last week. What were the key takeaways for you in terms of customer activity, product traction, macro signals?
Yeah, we're pretty pleased with the quarter. I think 10% growth at 45% EBITDA margin was a good quarter for us. Overall, the macro has remained roughly the same as we have seen from Q1. There is continued scrutiny of deals and people taking time to think through on how they want to do larger purchases. For us, being able to move up our net retention rate from 103% to 104% was positive. Overall, we feel like the conversations with our customers in terms of the Risk Operations Center adoption of broader capabilities in vulnerability management beyond scanning have been pretty positive. Good renewal and good traction in customers in the way they look at buying additional capabilities. That's reflected in the NRR. Of course, we still have more work to do on new business, which we're working with our partners on, but overall we're pleased with the quarter.
All right, so you've been vocal about the evolution of vulnerability management, or VM. As you're moving Qualys into a unified platform for risk management, can you help investors understand why that shift resonates with security buyers, and then how that extends your runway to increase existing customer spend?
Yeah, great question. Look, I think as we have seen in the last many years, overall everything is moving digital. Just the breadth of infrastructure and applications people are deploying is significantly more than what has been in the past. As vulnerability detection is creating a significant amount of findings, it is getting to the point where customers cannot really fix everything that is being detected. They need to find the right things that have an impact to the business and prioritize those. We saw that remediation really was the only thing that made you safer. At the end of the day, you could detect and detect and build dashboards, but can you help fix the right things? Five years ago, we were one of the first ones in our segment to really come up with the idea of unified patch management with the same solution.
At the time there was a little bit of like, is this going to work? Given that just in 2024 Qualys agents deployed 110 million patches, it was a great validation that security buyers are looking for remediation capabilities. For us, we saw that the movement towards remediation was important the last few years and now we're seeing that overall there are way too many findings and people really want to be able to prioritize with the budget spend that they have and where they can actually have a measurable impact to their business. While there are a lot of technical findings, people struggle with, what do 10,000 high CV findings mean to my business of $500 million a year? How likely is that that I will lose $10 million a day if an attack happens?
We're seeing that move towards broader vulnerability management adoption from asset management, vulnerability configuration management into more of a broader risk management that is tied to monetary loss that people see. That's kind of where the evolution is happening and we're happy to have been really ahead of that compared to our competition and coming up with patch management and asset management capabilities.
You talked about the number of alerts that organizations are dealing with. There's also just the number of tools that they're trying to integrate in the security stack, and their lists are becoming bloated. We typically hear that buyers are overwhelmed with the number of security companies that they have in their stack. In the context of that, how do you differentiate your consolidation play from, I guess, maybe closer peers like a Tenable or Rapid7, and then bigger picture like CrowdStrike or even Wiz?
Yeah, great. See, look, the evolution of IT infrastructure is going really fast when you move, look from on-prem to cloud to virtualization, virtualization to cloud container and then now AI. Customers always have new risks that come up and you always have companies, startups that will respond pretty quickly, maybe come up with a key solution, and that has created that little bit of a bloat in security software where people have gone out and bought a bunch of different tools to address individual capabilities. There is always opportunity for meaningful consolidation in adjacent areas, the way we're doing in vulnerability management overall, consolidating patching, consolidating asset management, etc. You also have this overall approach that customers want to take where they want to have certain best of breed solutions that they really want to empower their teams.
As an example, like a code scanning tool, they want to be able to leverage the code scanning tool that they like. They might want to use a specific container security tool because it works best in operationalizing in their environment. I feel like what we're seeing is there is a move to consolidate in adjacencies and adjacent areas within where they want to reduce their tool set. They also want the flexibility to have a singular view of their overall security posture as it ties to the business while maintaining some of the best of breed solutions from different vendors. Instead of sort of like, hey, you have to replace all your tools with a single vendor solution, which when we talk to CISOs, they don't find that very realistic that they're going to really have only one vendor across everything.
That's the dynamics that we're seeing in terms of with our Risk Operations Center approach, really consolidating in areas like cloud security, vulnerability management, patch management, and then while giving the customer the flexibility to be able to pull data from other tools that they might have, very specialized capabilities like IT, IoT or OT environments, etc. to get that singular view.
We've talked a bit about this, but there's always this pendulum between best of breed and platform in security. Identity is becoming more of a battleground right now with Palo Alto acquiring CyberArk. One of the things Nikesh Arora said, whether he means it or not, is that when he sees a market start to inflect, that's when they identify that they want to go after that market and have that become a more meaningful part of their platform. In terms of your business, how do you think about breadth first, depth when building out the platform and when to double down on the existing strengths versus when to expand?
It's a very good question because similar to what I mentioned previously, our conversation with CISOs are. First of all, when you talk about holistic risk management, you have infrastructure security, cloud security, application security, and identity is definitely one area of risk management, right? Like you could have all of your systems fully patched, but if identity is compromised, it still creates the same amount of risk to losing that $100 million as it would if you had a vulnerability, right. There is an overall feeling that you want to have a consolidated review of the risk and the approach that what Qualys is taking based on our conversation with CISOs is that they don't necessarily find that realistic to replace everything that they have with a single vendor. They do feel like there's areas of consolidation the way we're doing with that.
When we talk about the Risk Operations Center, like a formalized risk management process, our Enterprise TruRisk Platform gives them the right flexibility in the mix where they can consolidate in certain areas while keeping the best of breed. The way we are addressing that is at Black Hat we also announced an identity security posture management capability. That capability does not necessarily require the customer to go and replace all their identity security solutions that they already have. However, it actually does plug into the common tools like Okta, et cetera, to pull in identity related risk information and then combine that with cloud security information, with infrastructure security information to give them a singular scoring.
This gives them the flexibility to maintain the best solutions that they would like for identity while giving them the flexibility to be able to see from a broader platform perspective, if there is $100 million at risk, what is the probability of that happening and how much of that risk is really coming from identity versus cloud misconfiguration versus on-prem security. Our approach to platform is giving customers the flexibility to consolidate in certain areas and allow them to plug in the tools that they have rather than going out and saying, you replace everything with my solution and life will be beautiful.
Yeah, yeah. Flexibility, interoperability is really, really important for customers. I'd be remiss if I did not talk about AI. I've lasted five questions. You recently unveiled some agentic AI capabilities to augment the Risk Operations Center. Can you just tell us more about how this could reduce operational overhead and then also potentially reduce mean time to resolution?
Yeah, look, I'm a technologist, been an engineer for many years and stay away from the hype. Sometimes you have the hype that happened with AI and I think generative AI was good as a starting point, but I don't think anybody had the patience to sit there and keep asking questions all day long to get responses. You needed a way to operationalize that. That's really where agentic AI in the last year or so has been very interesting because it really makes generative AI usable and operational in the background. Risk operations is you are taking 10 million findings and figuring out which 20 of those actually are meaningful to your business to prevent a ransomware attack, as an example. That needs a certain amount of work that somebody needs to do. They have to look at the scan data.
They have to look at was it properly scanned, when was it scanned, it's in the last 30 days. How many of these vulnerabilities are actually on assets that are critical. With agentic AI and with the MCP protocol, we really felt like this was a great opportunity to help customers reduce the amount of manual efforts that they were putting in to find out those 20 things that really are meaningful to their business. We created this concept of cyber risk agent and a cyber risk agent marketplace. The idea is that when you go into the Qualys Enterprise TruRisk Platform, you are basically presented with specialized agents that are available that you can drag and drop and you can say, I want a Patch Tuesday agent, I want a ransomware expert agent, I want a malware expert agent. They are very good at doing the task.
Underneath that, they will leverage APIs, applications, other generative AI LLMs, et cetera, to give you an end-to-end outcome. This has been very powerful for our customers in the preview that we just launched where they're able to say, I can take an agent that is an expert provided by Qualys in the marketplace, I can build my own agent. In the future we see the potential of bringing on agents from partners that actually will achieve an outcome. As an example, if you have Zscaler and an outcome of your prioritization needs to be apply a policy, zero trust policy with Zscaler because of the issue with that particular solution, you can really do that.
I do feel like agentic AI is going to be something that every Risk Operations Center is going to need just to really simplify the task and reduce the amount of manual effort that goes in. It's a different approach because now you're seeing the CISOs can see they are augmenting their security risk management team with digital workers, or however you want to call them. You can actually just say, if you look at some of the screenshots, you can actually go and say, I would like to get agent Sarah as part of my team for the next one week so she can really focus on triaging my patches, develop these. That approach has been very positively received by our customers.
This is sort of related to AI and about your work you're speaking about. Joo Mi may have opinions on this as well, but you know, AI talent is expensive. AI is allowing developers to be a lot more productive in terms of code creation or on the agentic side potentially has this digital workforce. I guess within your own business, how do you think about the puts and takes of that cost ballooning on the R&D side or driving efficiency throughout the whole business?
The way I see that is the efficiency that it brings with the business. We use it for coding at times, we're using it for customer support, et cetera. It's just allowing us to scale to do more with the team that we have. If I can get that same developer to be producing more code with the use of AI, or my customer support agents are able to answer the questions pretty quickly, or when we are doing internally, when you look at sales calls and sort of getting a feel of, right, like are the sales guys just happy ears about the deal and dreaming about the deal happening, or is the AI confirming that? I think all of it is just making us more productive.
I see that less about reducing the workforce, more about getting more productivity and being able to do more with that workforce that we have. We definitely see there is a certain amount of hype in things with AI, but there's also use cases with AI that we are leveraging throughout the organization that I think are just helping us be able to do more. If you look at how rapidly we were able to come out with the agentic AI solution when it hit the market, I think that's a testament to the use of our talent with our engineers and AI capabilities that they were able to leverage pretty quickly. Yeah.
If you think about our investment kind of thesis around R&D and sales and marketing in the last two years in 2023 and 2024, part of the reason why R&D expense has grown by less than 5% for both years is because of our heavy engineering force in Pune. We've been able to leverage our entire team in Pune to make sure that we're making progress on the product roadmap in addition to the GTM strategy and executing on that. With that said, in 2025, it's truly been an investment year for us with agentic AI developments as well as our partner first go to market strategy. Our R&D grew by 8% in Q1. That ramped to 15% in Q2. We haven't really seen that. In addition to R&D growing by 15% year over year in Q2, our sales and marketing also grew by 15%.
We are really excited about the opportunities ahead and making sure that we invest ahead of that.
You brought up Pune, so I'm going to skip ahead of that question. You're incredibly profitable. Business rule of 50 plus 40% plus EBITDA margins. 75% of your employees are outside of the U.S., but you've done such a great job finding talent, nourishing talent in those regions, particularly in Pune, which is a significant asset to your business. Any more you can tell us about how you're able to do that year after year?
Yeah, it's been a great investment for us, and it really has allowed us to have scale, to be able to hire talent at scale, to match our vision of all the different things that we have wanted to do. Pune is just one of those university towns where there's a lot of colleges, universities, where we see a lot of people graduating, even from outside of Pune, coming there, graduating. It's grown up as a Silicon Valley hub in India as well. We started there like 12 years ago, and now we're seeing a lot of other companies following that because of the security. When we went there, it was really pretty much Symantec and was the only one out there, but now you pretty much have everybody from CrowdStrike to Symantec, and everybody is there.
It has become, which is good, because it allows us to have good talent availability and a talent pool and developers who are really up to speed around the latest technology that we have been leveraging. That has given us the ability really to do more and scale more and be able to augment our U.S. team with R&D that we can do in different broader areas at the same time. We're pretty happy with how that has worked out for us.
Right. Federal's been a big focus for you recently. You just held your second annual public sector risk conference. Can you tell us more about some of the developments in that area and the Washington D.C. office that can accelerate some of that?
Yeah, great. For the last few years, our federal revenue has been less than 5%. For us, we really see this as a big opportunity for us in the future to grow where in the past the federal government was more about on-prem solutions and data not going out. However, the last few years as they are modernizing their infrastructure, we're seeing the use of FedRAMP. We became FedRAMP moderate like four or five years ago, which has been great for us. We've also really invested, and anybody who's gone through that will know it really takes dedication and investment to get FedRAMP High. We were very excited last week to announce that our platform was able to get FedRAMP High, which means we're the only FedRAMP High platform that can do asset, patch, and vulnerability management as well as cloud, all in a single platform.
With the investment that we are putting, building out a team, we did our conference and timely right now with the focus on government efficiency, we are working with customers in the federal space similar to what we're seeing in the commercial side. They also want to be able to leverage the concept of a Risk Operations Center that is going to take all their findings, triage them down to the 2% that really matter to their mission. In our conversations, we also see that this is an opportunity for leaders in these organizations, agencies to be able to communicate that a way to bring efficient—like you cannot bring more efficiency with the same on-prem tools that you have been using.
If you look at where we have found success in some of the recent ones last few quarters that we've talked about, it is always replacing an on-prem scanner and an on-prem patching solution with a single Qualys solution. At the conference that we had, we talked about the Risk Operations Center for government use and the ability to leverage and move to a FedRAMP High solution with modern capabilities away from on-prem scanners into cloud-based scanners that are FedRAMP High, which gives more flexibility, more efficiency, and more security for these government agencies. We look at this as a growth opportunity for us over the next few years, and we're going to continue to invest in that and build out the team. Now with FedRAMP High, we're excited about the opportunities that it can open up for us over the next few quarters.
Partners are critical to the motion. You also recently launched your Managed Risk Operations Center. Nice list of initial partners: BlueVoyant, GuidePoint, Nethive. Can you tell us about how you think that list may grow, and then how you're helping to foster the development of that platform?
Yeah, look, we believe that for us to bring scale for growth to our business, partners are going to be key. Four years ago we were 60/40, 60% direct, 40% partner. We have done pretty well, I think, to move that mix to 51/49. More partners are, and the partner business is good, it's efficient, it brings good upsells for us, and we have done this well while maintaining our margin as well. We see that as we continue to work with partners, that's going to be the opportunity for Qualys to bring scale to our business, especially as we get into cloud security, et cetera.
However, with partners it's also important that instead of sort of negotiating on, I can give you three more points than the other solution for a resale, we pivot the conversation towards how can these partners get more services business when they're leveraging Qualys compared to just a few points on a dollar when they're selling other solutions. That's where we came up with the concept of a Managed Risk Operations Center. As customers are looking at formalizing the risk management process, because for many years SOC has been what you use for detecting threat after somebody's in your environment, proactive risk management. There is a movement more towards better board reporting, better aligning risk management to the business. However, these customers don't have the expertise to be able to do it themselves.
MROC allows specific partners that we work with closely to provide services like risk quantification, provide services like risk monitoring, risk remediation. We believe that creating a capability where even if the partner has sold a competing solution in the past, they don't need to go and have a replacement conversation, they can actually leverage the Qualys Risk Operations Center and provide MROC services to bring data from other solutions into Qualys and provide services around that. That is exciting for them. Instead of saying a few more cents on a dollar for a resale, if they can make $5 of services for every dollar of Qualys they sell.
That's where the excitement about the MROC has been, is that first of all it allows the partners to go into a very crowded MDR market to come up with a new offering which is around managing risk and risk management, and then they can essentially make more services dollars than just simple resale type opportunities. That's been exciting, and we see that this can get partners excited to bring more business to Qualys and drive scale for us over the next couple of years.
Joo Mi, you've had a really strong first half of the year and a stronger Q2 than we've seen in recent years. How should we think about the cadence of growth in the back half of the year, and anything you can tell us about aspirations to potentially grow 10%+ next year?
Yeah, we had a really strong first half of the year, and we were pleased with the growth primarily driven by our existing customers. I think that we were disappointed a year ago when our net dollar expansion rate continued to decline to 102%. Like Sumedh mentioned, it ticked up to 103%. It's been there for a couple quarters now. We're really pleased to see that tick up to 104% this quarter. What we're seeing for the second half of this year, if you're looking at it from a current billings perspective, it is a tougher compare. We did perform well from a current billing standpoint in the second half of last year. Because of that, the implied growth rate for the second half of this year is going to be more around 5%-7%. The full year is going to be around 6%-8%.
That said, we are hoping that it will start re-accelerating with the ramp of the Enterprise TruRisk Management and our newer products with agentic AI feature next year. Because of that, we are continuing to invest in the R&D and sales and marketing front because we see the potential acceleration opportunity into 2026. It's a little too early for us, but our aspiration is to better balance growth and profitability, and the margin contraction will likely continue in the near future. We do see an opportunity to kind of look forward to the margin expansion once this rebalancing of partner versus direct revenue kind of more or less moderates.
It's been really impressive performance. I know we kind of started a little bit late, so is there anything else that you'd like to leave the audience with?
I think we're pretty excited about the opportunities ahead of us, especially when you look at our leverage of the partners, our federal business, and just really new offering with the Risk Operations Center. We know at Black Hat we had set up a mock Risk Operations Center. It was great to see a lot of people lined up to sort of experience that. It's about creating a new category that's resonating well. We're pretty excited about risk management as an area in cybersecurity that actually is providing business outcomes, which would be the differentiator for us. We are going to continue to grow profitably, and that's something that we are very excited about and looking forward to.